An investigation from Amnesty International reveals that NSO Group tools were used to target human rights journalist Omar Radi via his iPhone.
Through our investigation we were able to confirm that his phone was targeted and put under surveillance during the same period he was prosecuted. This illustrates how human rights defenders (HRDs) may often have to deal with the twin challenges of digital surveillance alongside other tactics of criminalisation at the hands of Moroccan authorities leading to a shrinking space for dissent.
The same NSO Group that hopes to woo American law enforcement with its dazzlingly array of hacking tools.
Team Telcom is calling on the FCC to cancel part of an undersea cable that links Los Angeles to Hong Kong over Chinese spying fears.
A report from Sophos today reveals a wave of adware belonging to the Bundlore family that targets macOS. Bundlore is one of the most common bundlware installers for macOS, accounting for almost 7% of attacks detected by Sophos.
This installer carried a total of seven “potentially unwanted applications” (PUAs)—including three that targeted the Safari web browser for the injection of ads, hijacking of download links, and redirecting of search queries for the purpose of stealing users’ clicks to generate income. The injected content in at least one case was used for malvertising—popping up a malicious ad that prompted the download of a fake Adobe Flash update.
After a lot of negative attention from press and privacy advocates, Zoom has backtracked on its stance. It will provide free users with end-to-end encryption, a feature previously limited to paying customers.
The company said that free users will have to verify themselves with a phone number in a one-time process. It claimed that this will stop bad actors from creating multiple abusive accounts.
Zoom is also releasing an updated design of its end-to-end encryption solution on GitHub that intends to achieve a balance between “the legitimate right of all users to privacy and the safety of users.”
Good to see Zoom do this.
The objective of this project is to develop an extensible, modern approach to security guidance that can be used by any organization to adhere to security compliance frameworks and policy. Project outputs include scripts, documentation, and configuration profile payloads
A report today from Motherboard details how Facebook and the FBI used a zero-day exploit for privacy OS Tails to catch a child predator. The reason I’m specifically linking to it is because of this paragraph:
Facebook told Motherboard that it does not specialize in developing hacking exploits and did not want to set the expectation with law enforcement that this is something it would do regularly. Facebook says that it identified the approach that would be used but did not develop the specific exploit, and only pursued the hacking option after exhausting all other options.
That is a slippery slope argument that will be used by politicians, like how Apple does what it can to help the FBI get into terrorists’ iPhones. “But you helped them before, why not again?” More fuel on the EARN IT fire.
IBM has released a toolkit for iOS and macOS to help developers to easily add homomorphic encryption into their programs.
While the technology holds great potential, it does require a significant shift in the security paradigm. Typically, inside the business logic of an application, data remains decrypted, Bergamaschi explained. But with the implementation of FHE, that’s no longer the case — meaning some functions and operations will change.
In other words, “There will be a need to rewrite parts of the business logic,” Bergamaschi said. “But the security that you gain with that, where the data is encrypted all the time, is very high.”
If you haven’t added homomorphic encryption to your technology watch list, be sure to do so. As I wrote in the past, this type of encryption lets a company perform computations on data while still keeping that data encrypted.
Apple recently created an open source project to help developers of password managers collaborate with websites to create strong passwords for users.
The Dropbox password manager can be found on the App Store, offering zero-knowledge encryption to paid Dropbox subscribers.
Google is adding security features for people who use Google accounts on Apple devices to give you more options for physical security keys.
Mac security researcher Jaron Bradley says he believes hackers are still using an open source macOS backdoor called “Tiny SHell.”
Tinyshell is an open source tool that operates like a shady version of SSH. It’s been a while since I’ve encountered a new sample, but I fully believe attackers are still out there using it. If you watched the Macdoored talk then you’ve seen what attackers are doing “post mortem” with this tool. However, no technical details have been discussed about the malware itself.
Discovered on April 16, 2020, Amtrak suffered a data breach that affects its Amtrak Guest Rewards accounts.
The attack vector involved was compromised usernames and passwords, which may suggest the use of credentials previously leaked or stolen, or the use of brute-force methods.
Amtrak says that some personal information was viewable, although the company has not specifically said what data may have been compromised. However, Amtrak was keen to emphasize that Social Security numbers, credit card information, and other financial data was not involved in the data leak.
Today Apple released a 13.5.1 OS update for iPhones and iPads. It contains important security patches although details aren’t yet known about what was patched.
Security researcher Bhavuk Jain found a zero day vulnerability with Sign In with Apple in April. Apple has already patched it.
Andrew Orr joins host Kelly Guimont to discuss Security Friday news and some updates to Apple Card data in the Wallet app.
Roberto Escobar, brother of Pablo Escobar, is suing Apple for US$2.6 billion. He claims someone hacked his iPhone and found his email through FaceTime. As a way to fight the company he’s also launching a limited edition iPhone 11 Pro 256GB, gold plated, for US$499.
According to the lawsuit, obtained by TMZ, Pablo’s brother bought an iPhone X back in April 2018, and he claims the security promise fell horribly flat. One year after buying the X, Roberto claims he got a life-threatening letter from someone named Diego, who said he found Roberto’s address through FaceTime.
In the suit, Roberto says he conducted his own investigation after receiving the letter, and found his iPhone had been compromised due to a FaceTime vulnerability.
Go to Settings > FaceTime. You can choose which address and phone number you let people contact you with, if you have multiple numbers and emails associated with your Apple ID. This won’t stop people from obtaining your address elsewhere.
Today Jamf is adding new capabilities to its Jamf Protect product. The update adds malware prevention and unified log forwarding.
The Bluetooth Special Interest Group reported today an update to the Bluetooth Core Specification to stop Bluetooth BIAS attacks.
Zerodium is temporarily suspending its purchasing of iOS exploits due to a high number of submissions, with the CEO saying ”iOS security is f**ked.”
Zerodium is an exploit acquisition platform that pays researchers for zero-day security vulnerabilities and then sells them to institutional customers like government organizations and law enforcement agencies. The company focuses on high-risk vulnerabilities, normally offering between $100,000 and $2 million per fully functional iOS exploit.
Adobe Acrobat Reader DC patched three serious vulnerabilities today for macOS. Update as soon as possible by going to the menu bar.
