Security researcher Jeff Johnson is going public with a flaw found in a macOS privacy protection system. Apple is still investigating the issue.
A new piece of macOS ransomware has been spotted in the wild within multiple pirated Mac software, and it’s called OSX.EvilQuest.
A WWDC20 presentation shows how Apple is adding support for encrypted DNS to iOS 14 and macOS 11. It will support HTTPS and TLS.
A feature coming to Safari 14 later this year involves logging into websites with Face ID and Touch ID through the Web Authentication API.
Senators Lindsey Graham (R-South Carolina), Tom Cotton (R-Arkansas) and Marsha Blackburn (R-Tennessee) introduced the Lawful Access to Encrypted Data Act yesterday. It seeks to bring back the Crypto Wars of the 1990s by crippling encryption with the introduction of backdoors.
Yet increasingly, technology providers are deliberately designing their products and services so that only the user, and not law enforcement, has access to content – even when criminal activity is clearly taking place. This type of “warrant-proof” encryption adds little to the security of the communications of the ordinary user, but it is a serious benefit for those who use the internet for illicit purposes.
”Adds little to the security of the communications of the ordinary user.” That’s the level of contempt these people have for the rest of us.
TDashlane Family Plans are here, the company announced today. Two offerings provide password management for up to six family members. Premium Family is US$7.49/month and gives you features like dark web monitoring, VPN service, two-factor authentication, personalize security alerts, and more. Premium Plus Family is US$14.99 and gives you the features of Premium Family with three additions: Credit monitoring, identity restoration support, and identity theft insurance.
An investigation from Amnesty International reveals that NSO Group tools were used to target human rights journalist Omar Radi via his iPhone.
Through our investigation we were able to confirm that his phone was targeted and put under surveillance during the same period he was prosecuted. This illustrates how human rights defenders (HRDs) may often have to deal with the twin challenges of digital surveillance alongside other tactics of criminalisation at the hands of Moroccan authorities leading to a shrinking space for dissent.
The same NSO Group that hopes to woo American law enforcement with its dazzlingly array of hacking tools.
Team Telcom is calling on the FCC to cancel part of an undersea cable that links Los Angeles to Hong Kong over Chinese spying fears.
A report from Sophos today reveals a wave of adware belonging to the Bundlore family that targets macOS. Bundlore is one of the most common bundlware installers for macOS, accounting for almost 7% of attacks detected by Sophos.
This installer carried a total of seven “potentially unwanted applications” (PUAs)—including three that targeted the Safari web browser for the injection of ads, hijacking of download links, and redirecting of search queries for the purpose of stealing users’ clicks to generate income. The injected content in at least one case was used for malvertising—popping up a malicious ad that prompted the download of a fake Adobe Flash update.
After a lot of negative attention from press and privacy advocates, Zoom has backtracked on its stance. It will provide free users with end-to-end encryption, a feature previously limited to paying customers.
The company said that free users will have to verify themselves with a phone number in a one-time process. It claimed that this will stop bad actors from creating multiple abusive accounts.
Zoom is also releasing an updated design of its end-to-end encryption solution on GitHub that intends to achieve a balance between “the legitimate right of all users to privacy and the safety of users.”
Good to see Zoom do this.
The objective of this project is to develop an extensible, modern approach to security guidance that can be used by any organization to adhere to security compliance frameworks and policy. Project outputs include scripts, documentation, and configuration profile payloads
A report today from Motherboard details how Facebook and the FBI used a zero-day exploit for privacy OS Tails to catch a child predator. The reason I’m specifically linking to it is because of this paragraph:
Facebook told Motherboard that it does not specialize in developing hacking exploits and did not want to set the expectation with law enforcement that this is something it would do regularly. Facebook says that it identified the approach that would be used but did not develop the specific exploit, and only pursued the hacking option after exhausting all other options.
That is a slippery slope argument that will be used by politicians, like how Apple does what it can to help the FBI get into terrorists’ iPhones. “But you helped them before, why not again?” More fuel on the EARN IT fire.
IBM has released a toolkit for iOS and macOS to help developers to easily add homomorphic encryption into their programs.
While the technology holds great potential, it does require a significant shift in the security paradigm. Typically, inside the business logic of an application, data remains decrypted, Bergamaschi explained. But with the implementation of FHE, that’s no longer the case — meaning some functions and operations will change.
In other words, “There will be a need to rewrite parts of the business logic,” Bergamaschi said. “But the security that you gain with that, where the data is encrypted all the time, is very high.”
If you haven’t added homomorphic encryption to your technology watch list, be sure to do so. As I wrote in the past, this type of encryption lets a company perform computations on data while still keeping that data encrypted.
Apple recently created an open source project to help developers of password managers collaborate with websites to create strong passwords for users.
The Dropbox password manager can be found on the App Store, offering zero-knowledge encryption to paid Dropbox subscribers.
Google is adding security features for people who use Google accounts on Apple devices to give you more options for physical security keys.
Mac security researcher Jaron Bradley says he believes hackers are still using an open source macOS backdoor called “Tiny SHell.”
Tinyshell is an open source tool that operates like a shady version of SSH. It’s been a while since I’ve encountered a new sample, but I fully believe attackers are still out there using it. If you watched the Macdoored talk then you’ve seen what attackers are doing “post mortem” with this tool. However, no technical details have been discussed about the malware itself.
Discovered on April 16, 2020, Amtrak suffered a data breach that affects its Amtrak Guest Rewards accounts.
The attack vector involved was compromised usernames and passwords, which may suggest the use of credentials previously leaked or stolen, or the use of brute-force methods.
Amtrak says that some personal information was viewable, although the company has not specifically said what data may have been compromised. However, Amtrak was keen to emphasize that Social Security numbers, credit card information, and other financial data was not involved in the data leak.
Today Apple released a 13.5.1 OS update for iPhones and iPads. It contains important security patches although details aren’t yet known about what was patched.
Security researcher Bhavuk Jain found a zero day vulnerability with Sign In with Apple in April. Apple has already patched it.