A new form of malware has been discovered that explicitly targets Apple developers. It’s called “XcodeSpy.”
Security
Facebook Introduces Security Keys for Two-Factor Authentication
Facebook announced on Thursday that it now supports security keys for two-factor authentication on its mobile apps.
Physical security keys — which can be small enough to fit on your keychain — notify you each time someone tries accessing your Facebook account from a browser or mobile device we don’t recognize. We ask you to confirm it’s you with your key, which attackers don’t have.
Twitter Announces Multiple Security Key Support for Accounts
Twitter announced an update to its two-factor authentication security feature. Users can now enroll and log in with multiple security keys.
The Ulysses Group Wants to Sell Location Data to US Military
A contractor with the U.S. military called The Ulysses Group wants to start selling vehicle location data to the military.
Ulysses can provide our clients with the ability to remotely geolocate vehicles in nearly every country except for North Korea and Cuba on a near real time basis. Currently, we can access over 15 billion vehicle locations around the world every month.
iOS Could Soon Separate Security Updates and Software Updates
Apple recently released the fourth beta of iOS 14.5 to developers, and code suggests that updates to the platform could change in the future.
Avira Security Updates Mac App With New Code
Avira Security released the latest version of its software suite on Tuesday. It’s been rewritten with Apple’s Swift, SwiftUI, and Combine frameworks.
Dropbox Passwords Rolls Out to All Users in April
Dropbox Passwords launched in 2020 for paid users to manage their passwords. Now the company has announced it will be available to free users in April. You can sign up here to be notified of its release.
Dropbox Basic users will be able to store up to 50 passwords in Dropbox Passwords and have them automatically sync with up to three devices. It will also be possible to share passwords securely with anyone eventually, but this is a feature Dropbox is still working on and isn’t available yet.
I think it’s interesting that Dropbox came out with a password manager, but you can find far better ones for free with fewer limitations, like Bitwarden.
Bitwarden Announces Data Sharing Feature ‘Bitwarden Send’
Password manager Bitwarden announced on Monday the introduction of a new feature called Bitwarden Send.
Molson Coors Production Grinds to Halt From Cyberattack
Molson Coors has revealed in its regulatory filing it suffered a cyberattack, and production has come to a halt.
Molson Coors experienced a systems outage that was caused by a cybersecurity incident. We have engaged a leading forensic IT firm to assist our investigation into the incident and are working around the clock to get our systems back up as quickly as possible.
Not even our beer is safe. One likely candidate is some kind of ransomware.
Dashlane Reveals New Password Changer and Autofill Engine
Dashlane announced on Thursday a redesign of its Password Changer, as well as a new autofill engine powered by machine learning.
Password Changer seamlessly logs users into compatible websites, generates strong, unique passwords, then changes the passwords for those sites on the user’s behalf in one-click.
Interested persons can sign up to test the beta versions of Dashlane with these new features using this website.
Verkada Security Breach Exposes 150,000 Surveillance Cameras
Hackers have breached the systems of Verkada, a startup that sells security cameras. The group says it was done to expose how widespread video surveillance is.
A person with knowledge of the matter said Verkada’s chief information security officer, an internal team and an external security firm are investigating the incident. The company is working to notify customers and set up a support line to address questions, said the person, who requested anonymity to discuss an ongoing investigation.
iPhone ‘Call Recorder’ App Leaked User Conversations
An iPhone app called Call Recorder lets users record their phone call conversations. But a recently discovered bug leaked those calls.
But using a readily available proxy tool like Burp Suite, Prakash could view and modify the network traffic going in and out of the app. That meant he could replace his phone number registered with the app with the phone number of another app user, and access their recordings on his phone.
A new version of the app was submitted to Apple’s app store on Saturday. The release notes said the app update was to “patch a security report.”
Cryptee Adds DOCX Support for File Editing
Hot on the heels of its big 3.0 update, the next announcement for Cryptee is support for DOCX uploading and editing. You can also export documents as DOCX, making Cryptee a viable cloud-based private alternative to Microsoft Word and Google Docs. However, there is an extra security bonus to Cryptee:
A little known fact about docx files is that, due to the fact that they support macros, and other ways to execute code in them, they are commonly used by malicious third parties to distribute and spread malware viruses. Cryptee does not run / execute macros while opening docx files, allowing you to open / edit / save DOCX files safely, without having to worry about your computer getting infected.
Mac App Electrum Wallet With Backdoor Spotted in Wild
An Electrum wallet with a backdoor has been spotted in the wild by ConfiantIntel. They noticed that it’s another example of a piece of malware notarized by Apple. Link to tweet thread below.
These fake wallets were introduced during a Malvertising attack our security team discovered early this week, involving the hacking of a Major SSP. The hackers redirected the victims to https://electrum-4.github[.]io/ asking them to install an update of the electrum wallet.
In a separate tweet, it looks like one of Patrick Wardle’s tools can detect it.
Security Friday! Search Engines and Support - TMO Daily Observations 2021-03-04
Andrew Orr joins host Kelly Guimont for Security Friday news, including updates on cookies and iOS released and some tech support help from Apple.
47,000 iOS Apps Have Misconfigured Cloud Servers
Researchers at Zimperium analyzed 1.3 million Android and iOS apps to detect common cloud misconfigurations. They found that nearly 84,000 Android apps and 47,000 iOS apps have errors.
The researchers found almost 84,000 Android apps and nearly 47,000 iOS apps using public cloud services—like Amazon Web Services, Google Cloud, or Microsoft Azure—in their backend as opposed to running their own servers. Of those, the researchers found misconfigurations in 14 percent of those totals—11,877 Android apps and 6,608 iOS apps—exposing users’ personal information, passwords, and even medical information.
iOS 14.3 Jailbreak Released This Weekend by Unc0ver
Over the weekend the Unc0ver team released a new jailbreak that works from iOS 11 to iOS 14.3.
How Apple’s Walled Garden is a Double-Edged Security Sword
Patrick Howell O’Neill shared an interesting argument for MIT Technology Review: Apple’s locked-down ecosystem is both good and bad for security.
He argues that while the iPhone’s security is getting tighter as Apple invests millions to raise the wall, the best hackers have their own millions to buy or develop zero-click exploits that let them take over iPhones invisibly. These allow attackers to burrow into the restricted parts of the phone without ever giving the target any indication of having been compromised. And once they’re that deep inside, the security becomes a barrier that keeps investigators from spotting or understanding nefarious behavior.
Put another way: Apple’s locked down systems naturally select for the best hackers. And the best hackers have the skill to create the most devastating hacks. “This means that even to know you’re under attack, you may have to rely on luck or vague suspicion rather than clear evidence.”
How to Find Out if Your Mac has ‘Silver Sparrow’ Malware
Right now we know that Malwarebytes can detect it, and other anti-malware vendors will likely be updated soon.
iCloud XSS Bug Discovery Earned Researcher $5,000
Security researcher Vishal Bharad wrote about a stored XSS bug he discovered in iCloud. He told Apple about it on August 7, 2020.
Silver Sparrow and You – TMO Daily Observations 2021-02-22
Andrew Orr joins host Kelly Guimont to discuss Silver Sparrow malware, including what it’s actually doing and how concerned you should be.
Mysterious ‘Silver Sparrow’ Malware Confuses Researchers
Over the weekend we got news of a mysterious piece of malware called Silver Sparrow. It has infected 30,000 machines so far and there is a version of it built for M1 Macs. But security researchers can’t figure out its purpose.
Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.
Security Friday: Malware, Passwords, Security Guides – TMO Daily Observations 2021-02-19
Security Friday! Andrew Orr joins host Kelly Guimont to discuss security news and tips, including some new malware for the new M1 Mac.
The 2021 Apple Platform Security Guide is Here
Apple regularly shares security guides for each of its systems, and today it shared its 2021 Platform Security guide for all of its systems.

