Here’s How Signal Broke Into Cellebrite’s Hacking Device

Moxie Marlinspike of Signal wrote on Wednesday about how he was able to hack into a Cellebrite device. These devices are used by entities like law enforcement to brute force their way into devices like iPhones.

Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.

A fascinating write-up. One can only imagine the thrill of taking a walk, seeing a package fall out of a truck, and finding out that it’s a Cellebrite device.

Authoritarian Governments May Not Like Satellite Internet

An interesting report today examines how authoritarian governments will handle the challenge of satellite internet like Starlink.

Russia’s space chief Dmitry Rogozin, in August of 2020, said that Starlink is “a rather predatory, clever, powerful, high-technology policy of the USA, which uses Shock and Awe in order to advance, before all, their military interests.” Rogozin publicly stated the more humanitarian aspects of Starlink, in that it would provide internet access to people living in remote areas, “nonsense.”

Digital Rights Group Calls on Congress to Abolish the App Store

The Senate Judiciary Committee is preparing to hear testimony from app developers regarding the App Store. In preparation, Fight For The Future has created AbolishTheAppStore.org.

By centralizing software distribution through the App Store, Apple is upholding the unjust laws of authoritarian regimes and restricting innovation in the mobile software industry. We believe that iOS should work like every other general purpose computing system, including Apple’s own MacOS. Developers should be free to create — and users should be free to install — software directly onto the devices that they own without asking for Apple’s permission.

Geico Data Breach Exposed Driver’s Licenses in Early 2021

Geico revealed a data breach on its systems in which hackers accessed driver’s licenses.

The insurance giant did not say how many customers were affected by the breach but said the fraudsters accessed customer driver’s license numbers between January 21 and March 1. Companies are required to alert the state’s attorney general’s office when more than 500 state residents are affected by a security incident.

Geico said it had “reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.”

Malvertising Campaign ‘Tag Barnakle’ Infected 120 Ad Servers

First discovered a year ago, malvertising campaign Tag Barnakle has infected over 120 ad servers to insert malicious code into ads.

Stein says that while last year Tag Barnakle had targeted users of desktop browsers with redirects to malware download sites, over the past year, the gang has switched to going after mobile users and redirecting them to online scams peddling various scammy products.

Memo Reveals How Lawmakers Want to Reform Section 230

A new proposal from lawmakers reveals how Congress wants to take steps to reform Section 230 of the Communications Decency Act.

A new proposal by Republican lawmakers to overhaul a critical law that protects online platforms already looks dead in the water, according to one legal expert, though another prominent legal scholar believes it could fuel bipartisan reform for tech regulation.

The Republican members’ proposal submitted Thursday calls for, among other things, modifying 230 to strip liability protection for Big Tech if their content moderation practices discriminate against political affiliations or viewpoints, a frequent conservative talking point.

‘The New Oil’ Website is a Resource for Privacy

The creator of The New Oil shared his website that gives people resources on privacy. But it’s not just a list of private tools to use. Instead, the goal is to give people context and explain concepts like data breaches, why strong passwords matter, encryption, and more.

Most of us are not strangers to the concept of surveillance capitalism and targeted advertising. Most of us don’t particularly care, either. After all, who wouldn’t want relevant ads for movies or products that might actually appeal to you or improve your life? The thing is, most of us don’t understand the aggressive measures these companies go to to create those marketing profiles, or the devastating effects they can have on people.

Investigative Report Reveals the Untold Story of the SolarWinds Cyberattack

We have a bit more news about the SolarWinds hack this week. NPR has wrapped up an investigation and reveals the “behind-the-scenes” story.

“Imagine those Reese’s Peanut Butter Cups going into the package and just before the machine comes down and seals the package, some other thing comes in and slides a razor blade into your Reese’s Peanut Butter Cup,” he said. Instead of a razor blade, the hackers swapped the files so “the package gets sealed and it goes out the door to the store.”

Alaskan Senate Bill Proposes Statewide Blockchain Voting System

Under Senate Bill 39, Wasilla Republican Sen. Mike Shower proposes using blockchain technology to support the state voting system.

Furthermore, the bill seeks to increase voter participation by allowing people to use their tribal IDs for voter identification. At the same time, the technology would help in fixing errors that would bar people from voting.

However, the bill’s first version was a center of controversy for ending automatic voter registration through the permanent fund dividend application. The new bill has eliminated the clause.

I think using tribal IDs for voting identification is great. I’m not sure if blockchain voting will make it though.

Reddit Announces Public Bug Bounty Program

For the past three years Reddit has maintained a private bug bounty program for cybersecurity researchers with HackerOne. On Thursday the company announced a public program.

With our continued growth and visibility, we’re now ready to make the program public and expand the participation to anyone wanting to make a meaningful security impact on Reddit. As we scale the program, our priority will remain focused on protecting the privacy of our user data and identities. We know each security researcher has their own skills and perspective that they bring to the program, and we encourage anyone to submit a report that shows security impact. We’re super excited to hit this milestone and have prepared our team for what’s to come.

Adobe Releases Global Emoji Diversity & Inclusion Report

On Thursday Adobe released the Global Emoji Diversity & Inclusion Report. It surveyed 7,000 emoji users from around the world on how they use diverse and inclusive emojis.

Only half of global emoji users feel their identity is adequately reflected in current emoji options. More representative emoji, inclusive of different cultures, age groups, and ethnicities, are key in helping emoji users better express themselves. This goes a lot deeper than personal identification — it helps people accurately express how they are feeling.

Security Firm Behind iPhone Unlocking Finally Discovered

The security firm that unlocked the iPhone of the San Bernardino shooter has been unveiled, and it’s an Australian company called Azimuth.

Azimuth is a poster child for “white hat” hacking, experts say, which is good-guy cybersecurity research that aims to disclose flaws and disavows authoritarian governments. Two Azimuth hackers teamed up to break into the San Bernardino iPhone, according to the people familiar with the matter, who like others quoted in this article, spoke on the condition of anonymity to discuss sensitive matters.

An interesting story, especially with the connection to Corellium.

Clubhouse API Open to Scraping Public User Data

On Saturday, a SQL database containing data of 1.3 million Clubhouse users was posted on a hacker forum. The data included names, user IDs, social media profile names, and other details.

While the data associated with the Clubhouse user base was not acquired as a result of a breach, allowing ‘anyone with an API’ to download public Clubhouse profile information on a mass scale can backfire. For example, data scraping is often used by spammers and phishers to find new victims: they aggregate public contact details and use them for spam lists, robocalls, or social engineering attacks.

It’s not sensitive data, but it can be combined with other data hoards that may have sensitive data. Every little scrap of data, while innocent on its own, can potentially be used against you, whether by advertisers or hackers.

Samsung’s ‘iTest’ Puts Android on Your iPhone

Samsung has created a web app called iTest that puts a simulation of Android on your iPhone to convince you to switch.

When you’re in the Samsung iTest app on your iPhone, you’ll even receive a variety of simulated text notifications and phone calls highlighting different things to try out and different ways of communicating with friends. And of course, Samsung is also using this as an opportunity to promote its other Galaxy products, such as Galaxy Buds Pro, Galaxy Watch3, and Galaxy Buds Live.

I think it’s really cool and creative.

Adobe Releases Update to ‘Source Han Sans’ Open Source Font

Adobe and Google partnered to create an open source font for East Asian languages called Source Han Sans. Adobe on Thursday released the latest iteration called Source Han Sans Variable.

The existing seven weights of Source Han Sans now come in a single file that encompasses the entire design space. This affords typographers more granular control: rather than seven static weights ranging from ExtraLight to Heavy, weight exists on a continuum and is expressed through minimum and maximum numeric values.

Lawmakers Call YouTube Kids ‘Wasteland of Vapid, Consumerist Content’

The US sub-committee on economic and consumer policy sent a letter [PDF] to YouTube CEO Susan Wojcicki about its app for kids, saying it’s full of “inappropriate… highly commercial content”.

According to the letter, some videos appeared to be “smuggling in hidden marketing and advertising with product placements by children’s influencers”.

The letter claimed that one research team, which it did not name, found only about 4% of videos had a high educational value. Much of the rest was low quality content such as toy unboxing and videos of people playing video games.

Chat App ‘Signal’ Beta Tests Crypto Payments With MobileCoin

For Signal users in the United Kingdom, the company is releasing a new feature for beta testing that lets people send payments to each other using the cryptocurrency MobileCoin (MOB).

There’s a palpable difference in the feeling of what it’s like to communicate over Signal, knowing you’re not being watched or listened to, versus other communication platforms. I would like to get to a world where not only can you feel that when you talk to your therapist over Signal, but also when you pay your therapist for the session over Signal.

The limitation is because MobileCoin is listed for purchase on only one exchange, FTX, which doesn’t allow trades from U.S. residents. I’ve never heard of MobileCoin before but I’d say it’s something to keep an eye on.

LinkedIn Data Leak of 500 Million People Sold Online

Just days after a Facebook data leak was discovered, security researchers found another one, this time involving LinkedIn. It affects a similar number of users, 500 million, with data being sold on a “popular hacker forum.”

The leaked files appear to only contain LinkedIn profile information – we did not find any deeply sensitive data like credit card details or legal documents in the sample posted by the threat actor. With that said, even an email address can be enough for a competent cybercriminal to cause real damage.

Facebook Leaks Data of 553 Million People Like Phone Numbers

The personal data of 553 million Facebook users was posted in a hacking forum over the weekend. Data includes phone numbers, full names, locations, email addresses, and other information.

While it’s a couple of years old, the leaked data could prove valuable to cybercriminals who use people’s personal information to impersonate them or scam them into handing over login credentials, according to Alon Gal, the chief technology officer of the cybercrime intelligence firm Hudson Rock, who discovered the trough of leaked data on Saturday.

Facebook PR has been downplaying the leak, saying it’s “only” two years old. But for most people, their phone number, email addresses, and full names probably haven’t changed in that time.

Supreme Court Sides With Google in Legal Battle Over APIs

Google and Oracle have been fighting for a decade over the copyright status of APIs, or application programming interfaces. But Google just won [PDF].

The high court punted on whether APIs can be copyrighted in the first place. But the court’s fair use reasoning was broad enough that it should provide a strong defense for most API copying, making the question of API copyrights much less important.

The Singularity: Can Computers Make Themselves Smarter?

Writing for The New Yorker, Ted Chiang believes that the concept of a technological singularity, in which computers / AI would be able to make themselves ever smarter, is similar to an ontological argument. In other words, it probably won’t happen.

How much can you optimize for generality? To what extent can you simultaneously optimize a system for every possible situation, including situations never encountered before? Presumably, some improvement is possible, but the idea of an intelligence explosion implies that there is essentially no limit to the extent of optimization that can be achieved.

NSA Wants to Spy on Americans Because Reasons

U.S. government servers have been getting hacked left and right. In response, the NSA wants us to think that approval of domestic spying will solve the problem, despite suffering an egregious hack in 2016 where its zero-day exploits were stolen.

“We truly need to look at the ability for us to see ourselves and right now it’s difficult for us to see ourselves,” Nakasone testified on Thursday to the Senate Armed Services Committee. Adversaries like China and Russia “are operating with increased sophistication, scope [and] scale,” including operations that can end “before a warrant can be issued,” he warned.

Google Bravely Blocks Apps From Scanning Your Other Apps

Google announced that it will stop Android apps from scanning the list of your other apps in Android 11. Why this behavior was accepted before is beyond me.

Google has another page that lists allowable use cases for Play Store apps querying your app list, including “device search, antivirus apps, file managers, and browsers.” The page adds that “apps that must discover any and all installed apps on the device, for awareness or interoperability purposes may have eligibility for the permission.”

Time to make a fake antivirus app which queries your list of apps to sell to other companies.