NSO Group Tools Used to Hack Journalist Omar Radi’s iPhone

· Andrew Orr · Link

Generic image displaying the word hacked.

An investigation from Amnesty International reveals that NSO Group tools were used to target human rights journalist Omar Radi via his iPhone.

Through our investigation we were able to confirm that his phone was targeted and put under surveillance during the same period he was prosecuted. This illustrates how human rights defenders (HRDs) may often have to deal with the twin challenges of digital surveillance alongside other tactics of criminalisation at the hands of Moroccan authorities leading to a shrinking space for dissent.

The same NSO Group that hopes to woo American law enforcement with its dazzlingly array of hacking tools.

‘Bundlore’ Adware Targets Macs With Updated Safari Extensions

· Andrew Orr · Link

Alert symbol of an exclamation point inside triangle

A report from Sophos today reveals a wave of adware belonging to the Bundlore family that targets macOS. Bundlore is one of the most common bundlware installers for macOS, accounting for almost 7% of attacks detected by Sophos.

This installer carried a total of seven “potentially unwanted applications” (PUAs)—including three that targeted the Safari web browser for the injection of ads, hijacking of download links, and redirecting of search queries for the purpose of stealing users’ clicks to generate income. The injected content in at least one case was used for malvertising—popping up a malicious ad that prompted the download of a fake Adobe Flash update.

Zoom Backtracks, Will Give Free Users Encryption Protection

· Andrew Orr · Link

Zoom logo

After a lot of negative attention from press and privacy advocates, Zoom has backtracked on its stance. It will provide free users with end-to-end encryption, a feature previously limited to paying customers.

The company said that free users will have to verify themselves with a phone number in a one-time process. It claimed that this will stop bad actors from creating multiple abusive accounts.

Zoom is also releasing an updated design of its end-to-end encryption solution on GitHub that intends to achieve a balance between “the legitimate right of all users to privacy and the safety of users.”

Good to see Zoom do this.

New: The macOS Security Compliance Project

· John Martellaro · Product News

macOS Catalina

The objective of this project is to develop an extensible, modern approach to security guidance that can be used by any organization to adhere to security compliance frameworks and policy. Project outputs include scripts, documentation, and configuration profile payloads

Facebook Helped Hack ‘Tails’ OS to Catch a Child Predator

· Andrew Orr · Link

Generic image displaying the word hacked.

A report today from Motherboard details how Facebook and the FBI used a zero-day exploit for privacy OS Tails to catch a child predator. The reason I’m specifically linking to it is because of this paragraph:

Facebook told Motherboard that it does not specialize in developing hacking exploits and did not want to set the expectation with law enforcement that this is something it would do regularly. Facebook says that it identified the approach that would be used but did not develop the specific exploit, and only pursued the hacking option after exhausting all other options.

That is a slippery slope argument that will be used by politicians, like how Apple does what it can to help the FBI get into terrorists’ iPhones. “But you helped them before, why not again?” More fuel on the EARN IT fire.

IBM Releases Homomorphic Encryption Toolkit for iOS, macOS

· Andrew Orr · Link

Generic image of data

IBM has released a toolkit for iOS and macOS to help developers to easily add homomorphic encryption into their programs.

While the technology holds great potential, it does require a significant shift in the security paradigm. Typically, inside the business logic of an application, data remains decrypted, Bergamaschi explained. But with the implementation of FHE, that’s no longer the case — meaning some functions and operations will change.

In other words, “There will be a need to rewrite parts of the business logic,” Bergamaschi said. “But the security that you gain with that, where the data is encrypted all the time, is very high.”

If you haven’t added homomorphic encryption to your technology watch list, be sure to do so. As I wrote in the past, this type of encryption lets a company perform computations on data while still keeping that data encrypted.

Apple Launches Open Source Password Project

· Andrew Orr · Product News

Apple key icon

Apple recently created an open source project to help developers of password managers collaborate with websites to create strong passwords for users.

Security Researcher Believes Mac Backdoor ‘Tiny Shell” Still Being Used

· Andrew Orr · Link

Alert symbol of an exclamation point inside triangle

Mac security researcher Jaron Bradley says he believes hackers are still using an open source macOS backdoor called “Tiny SHell.”

Tinyshell is an open source tool that operates like a shady version of SSH. It’s been a while since I’ve encountered a new sample, but I fully believe attackers are still out there using it. If you watched the Macdoored talk then you’ve seen what attackers are doing “post mortem” with this tool. However, no technical details have been discussed about the malware itself.

Amtrak Data Breach Affects Guest Rewards Accounts

· Andrew Orr · Link

Image containing the words “data breach”

Discovered on April 16, 2020, Amtrak suffered a data breach that affects its Amtrak Guest Rewards accounts.

The attack vector involved was compromised usernames and passwords, which may suggest the use of credentials previously leaked or stolen, or the use of brute-force methods.

Amtrak says that some personal information was viewable, although the company has not specifically said what data may have been compromised. However, Amtrak was keen to emphasize that Social Security numbers, credit card information, and other financial data was not involved in the data leak.

iOS 13.5.1 is Out Today With Security Patches

· Andrew Orr · Product News

Image of apple’s settings app

Today Apple released a 13.5.1 OS update for iPhones and iPads. It contains important security patches although details aren’t yet known about what was patched.

Roberto Escobar Sues Apple for $2.6B Over iPhone Security

· Andrew Orr · Link

Generic image of lawsuit

Roberto Escobar, brother of Pablo Escobar, is suing Apple for US$2.6 billion. He claims someone hacked his iPhone and found his email through FaceTime. As a way to fight the company he’s also launching a limited edition iPhone 11 Pro 256GB, gold plated, for US$499.

According to the lawsuit, obtained by TMZ, Pablo’s brother bought an iPhone X back in April 2018, and he claims the security promise fell horribly flat. One year after buying the X, Roberto claims he got a life-threatening letter from someone named Diego, who said he found Roberto’s address through FaceTime.

In the suit, Roberto says he conducted his own investigation after receiving the letter, and found his iPhone had been compromised due to a FaceTime vulnerability.

Go to Settings > FaceTime. You can choose which address and phone number you let people contact you with, if you have multiple numbers and emails associated with your Apple ID. This won’t stop people from obtaining your address elsewhere.

Zerodium Pauses Purchases of iOS Exploits

· Andrew Orr · Link

Image of locks to suggest security and encryption

Zerodium is temporarily suspending its purchasing of iOS exploits due to a high number of submissions, with the CEO saying ”iOS security is f**ked.”

Zerodium is an exploit acquisition platform that pays researchers for zero-day security vulnerabilities and then sells them to institutional customers like government organizations and law enforcement agencies. The company focuses on high-risk vulnerabilities, normally offering between $100,000 and $2 million per fully functional iOS exploit.