Apple released the newest versions of its operating systems on Monday, and macOS 11.3 patches a major security flaw.
Security Friday, Bad News All Around – TMO Daily Observations 2021-04-23
Andrew Orr joins host Kelly Guimont for the latest in Security Friday news, and this week there’s enough bad news for everyone to share!
AirDrop Flaw Still Not Fixed After Two years
A team of researchers at TU Darmstadt discovered a flaw in AirDrop that could leak personal data. They notified Apple in May 2019.
Here’s How Signal Broke Into Cellebrite’s Hacking Device
Moxie Marlinspike of Signal wrote on Wednesday how he was able hack into a Cellebrite device. These devices are used by entities like law enforcement to brute force their way into devices like iPhones.
Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.
A fascinating write-up. One can only imagine the thrill of taking a walk, seeing a package fall out of a truck, and finding out that it’s a Cellebrite device.
REvil Ransomware Crew Extorts Apple With Device Schematics
Timed with Apple’s spring event on Tuesday, the group behind REvil ransomware claims to have secret device schematics hacked from Quanta Computer.
Geico Data Breach Exposed Driver’s Licenses in Early 2021
Geico revealed a data breach that occurred on its systems and hackers accessed driver’s licenses.
The insurance giant did not say how many customers were affected by the breach but said the fraudsters accessed customer driver’s license numbers between January 21 and March 1. Companies are required to alert the state’s attorney general’s office when more than 500 state residents are affected by a security incident.
Geico said it had “reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.”
Malvertising Campaign ‘Tag Barnakle’ Infected 120 Ad Servers
First discovered a year ago, malvertising campaign Tag Barnakle has infected over 120 ad servers to insert malicious code into ads.
Stein says that while last year Tag Barnakle had targeted users of desktop browsers with redirects to malware download sites, over the past year, the gang has switched to going after mobile users and redirecting them to online scams peddling various scammy products.
‘The New Oil’ Website is a Resource for Privacy
The creator of The New Oil shared his website that gives people resources on privacy. But it’s not just a list of private tools to use. Instead the goal is to give people context and explain concepts like data breaches, why strong passwords matter, encryption, and more.
Most of us are not strangers to the concept of surveillance capitalism and targeted advertising. Most of us don’t particularly care, either. After all, who wouldn’t want relevant ads for movies or products that might actually appeal to you or improve your life? The thing is, most of us don’t understand the aggressive measures these companies go to to create those marketing profiles, or the devastating effects they can have on people.
Investigative Report Reveals the Untold Story of the SolarWinds Cyberattack
We have a bit more news about the SolarWinds hack this week. NPR has wrapped up an investigation and reveals the “behind-the-scenes” story.
“Imagine those Reese’s Peanut Butter Cups going into the package and just before the machine comes down and seals the package, some other thing comes in and slides a razor blade into your Reese’s Peanut Butter Cup,” he said. Instead of a razor blade, the hackers swapped the files so “the package gets sealed and it goes out the door to the store.”
Security Friday and a Hitchhiker's Guide – TMO Daily Observations 2021-04-16
Andrew Orr joins host Kelly Guimont to discuss Security Friday news, and a very helpful Hitchhiker’s Guide (not that one).
Reddit Announces Public Bug Bounty Program
For the past three years Reddit has maintained a privacy bug bounty program for cybersecurity researchers with HackerOne. On Thursday the company announced a public program.
With our continued growth and visibility, we’re now ready to make the program public and expand the participation to anyone wanting to make a meaningful security impact on Reddit. As we scale the program, our priority will remain focused on protecting the privacy of our user data and identities. We know each security researcher has their own skills and perspective that they bring to the program, and we encourage anyone to submit a report that shows security impact. We’re super excited to hit this milestone and have prepared our team for what’s to come.
U.S. Sanctions Russia Over SolarWinds Cyberattack
The U.S. has imposed sanctions against Russia for election interference and its role in the devastating cyberattack known as SolarWinds.
Security Firm Behind iPhone Unlocking Finally Discovered
The security firm that unlocked the iPhone of the San Bernardino shooter has been unveiled, and it’s an Australian company called Azimuth.
Azimuth is a poster child for “white hat” hacking, experts say, which is good-guy cybersecurity research that aims to disclose flaws and disavows authoritarian governments. Two Azimuth hackers teamed up to break into the San Bernardino iPhone, according to the people familiar with the matter, who like others quoted in this article, spoke on the condition of anonymity to discuss sensitive matters.
An interesting story, especially with the connection to Corellium.
The Hitchhiker’s Guide to Online Anonymity Version 9
The Hitchhiker’s Guide to Online Anonymity is an open source, non-profit guide on how to be anonymous online. It covers multiple platforms like Windows, Linux, macOS, Whonix, TAILS, Qubes, and more. Its creator announced an update to the guide, version 9. This version adds bug fixes, more topics, and its own Tor Mirror. You can find the online guide here, and the PDF guide here. The creator’s post on Reddit includes many variations on these guides.
Clubhouse API Open to Scraping Public User Data
On Saturday, a SQL database containing data of 1.3 million Clubhouse users was posted on a hacker forum. The data included names, user IDs, social media profile names, and other details.
While the data associated with the Clubhouse user base was not acquired as a result of a breach, allowing ‘anyone with an API’ to download public Clubhouse profile information on a mass scale can backfire. For example, data scraping is often used by spammers and phishers to find new victims: they aggregate public contact details and use them for spam lists, robocalls, or social engineering attacks.
It’s not sensitive data but it can be combined with other data hoards that may have sensitive data. Every little scrap of data, while innocent on their own, can be potentially used against you, whether from advertisers or hackers.
Apple Publishes 2020 Transparency Report for Government Requests
Apple has published its transparency report from 2020. It gives information about what kinds of requests it receives from third parties.
Safari Exploit Revealed at Pwn2Own 2021
Jack Dates found an exploit in Safari which won him US$100,000 along with 10 Master of Pwn points at Pwn2Own 2021.
This Hacker Fights Back Against Phone Scammers
AARP recently published a fascinating investigative report of how one man, alias Jim Browning, fights back against phone scammers.
How to Clean Up Facebook (Data) Leakage – TMO Daily Observations 2021-04-06
Today Andrew Orr joins host Kelly Guimont to discuss why there’s new headlines about an old data leak, and what you can do to protect yourself.
LinkedIn Data Leak of 500 Million People Sold Online
Just days after a Facebook data leak was discovered, security researchers found another one, this time involving LinkedIn. It affects a similar amount of users, 500 million, with data being sold on a “popular hacker forum.”
The leaked files appear to only contain LinkedIn profile information – we did not find any deeply sensitive data like credit card details or legal documents in the sample posted by the threat actor. With that said, even an email address can be enough for a competent cybercriminal to cause real damage.
