Charlotte Henry and Bryan Chaffin join host Kelly Guimont to discuss iOS vulnerabilities as weapons, and the slow success of Watch.
Security
Researchers Test Phones to See if They're Secretly Listening
Researchers put an iPhone and a Samsung phone into a room, playing cat and dog food advertising for 30 minutes.
The security specialists kept apps open for Facebook, Instagram, Chrome, SnapChat, YouTube, and Amazon with full permissions granted to each platform…They repeated the experiment at the same time for three days, and noted no relevant pet food adverts on the “audio room” phones and no significant spike in data or battery usage.
The results won’t surprise those in the information security industry, who have known for years that tech giants already know so much about us that they don’t need to listen to our conversations to serve us targeted adverts.
For some people, maybe the belief that phones secretly spy on us is less terrifying than learning how much data these corporations actually have on us.
Password-Less Server Leaked Facebook IDs and Phone Numbers
A server found without a password contained over 419 million database records of Facebook users in the U.S., U.K. and Vietnam.
Botnet Takedown, Apple's AR Plans – TMO Daily Observations 2019-09-03
Bryan Chaffin and Andrew Orr join host Kelly Guimont to discuss the latest botnet takedown and the new wave of Apple “headset” speculation.
French Police Defeat Retadup Botnet Infecting 850,000 Computers
French police have defeated a botnet that infected over 850,000 computers. It was created with the Retadup malware. With the help of a web host, they cloned the command & control server and used it to disinfect the zombie computers.
“The malware authors were mostly distributing cryptocurrency miners, making for a very good passive income,” the security company said. “But if they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits.”
Review: Yubico 5Ci is the iPhone's First Security Key
Launched last week, the Yubico 5Ci is the first security key with a Lightning connector. The company sent Andrew one for review.
iPhone Hacks, Python, Particle Debris – TMO Daily Observations 2019-08-30
John Martellaro and Andrew Orr join host Kelly Guimont to discuss an iOS vulnerability, the future of Python on macOS, and Particle Debris.
Malicious Websites Have Been Hacking iPhones
Google’s Project Zero security team recently announced that some malicious websites have been hacking iPhones.
11 Ruby Libraries Found to Contain Backdoors
The RubyGems package repository removed 18 backdoors from 11 Ruby software libraries; the backdoors were meant to launch secret cryptocurrency mining.
MoviePass Breach Exposed Unencrypted Credit Card Numbers
Movie ticket subscription service MoviePass stored customer credit card numbers in plain text on an exposed server.
Apple iPhone Accident Leads to iOS 12.4 Jailbreak
Apple accidentally unpatched a vulnerability first patched in iOS 12.3, and researchers used it to create an iOS 12.4 jailbreak.
Apple Sues Corellium Over Virtual iOS Copies
Corellium is a mobile device virtualization company that offers iOS and Apple’s apps in the cloud. Apple is suing the company for damages.
Using Two-Factor Authentication on Old Apple Devices
Glenn Fleishman has a good tip on how to use Apple’s two-factor authentication on older devices that don’t support it.
But 2FA and outdated versions of Apple TV, iOS, and macOS don’t mix. You try to log in on those devices with your Apple ID and popups with codes may appear on other devices, but there’s no way to enter it on the piece of equipment from which you’re trying to log in. Fortunately, there’s a simple workaround.
I always forget about the manual method.
Battery/Email PSAs, Siri Spotify Teamup – TMO Daily Observations 2019-08-14
Andrew Orr and Charlotte Henry join host Kelly Guimont to talk about a couple of PSAs for Apple folks and how Siri and Spotify might team up.
Def Con 2019: Lightning Cables That Can Hack Your Computer
Security researcher “MG” presented some special Lightning cables at Def Con 2019 that can hack your computer.
News+: Don't Give Money to Ransomware Scammers
In the latest issue of PCMag, Max Eddy writes that you shouldn’t give money to ransomware attackers when they ask.
First, most cyberattacks—including ransomware—don’t last long. The command and control servers that issue the unlock commands and receive payment can be found and taken offline…In either case, anyone who has been infected and not paid the ransom can no longer get their system unlocked, even if they pay.
This is why keeping several backups is important: one online and one offline. And keep your operating system up to date with the latest security patches and improvements.
This is part of Andrew’s News+ series, where he shares a magazine every Friday to help people discover good content in Apple News+.
Online Payment Integrations Can Introduce Vulnerabilities
At Black Hat 2019, researcher Joshua Maddux found that security vulnerabilities can arise when websites add online payment integrations like Apple Pay. To be clear, he says it’s not an issue with Apple Pay itself, but rather how websites add it. And other third-party integrations can be similarly affected.
The flaws fit into a well-known type of vulnerability called “server side request forgery,” which allows attackers to bypass protections like firewalls and send commands directly to web applications. These vulnerabilities pose a real threat and are regularly exploited in the wild. Most recently, they played a role in last month’s massive Capital One breach. Similarly, flexibility in how a website integrates Apple Pay potentially exposes its own backend infrastructure to unauthorized access.
Researchers Spoof Face ID Using Tape and Glasses
During the Black Hat 2019 conference, researchers demonstrated a way to spoof Face ID using nothing more than glasses and tape.
To launch the attack, researchers with Tencent tapped into a feature behind biometrics called “liveness” detection, which is part of the biometric authentication process that sifts through “real” versus “fake” features on people. It works by detecting background noise, response distortion or focus blur. One such biometrics tool that utilizes liveness detection is FaceID, which is designed and utilized by Apple for the iPhone and iPad Pro.
Apple Laptop Ports, Bug Bounty Program – TMO Daily Observations 2019-08-07
John Martellaro and Charlotte Henry join host Kelly Guimont to talk about port differentials on MacBook models and Apple’s macOS bug bounty.
Microsoft Launches Azure Security Lab and Doubles Bug Bounty
Announced at Black Hat 2019 today, Microsoft launched the Azure Security Lab, as well as doubling its top Azure bug bounty to US$40,000.
The Azure Security Lab takes the idea to the next level. It’s essentially a set of dedicated cloud hosts isolated from Azure customers so security researchers can test attacks against cloud scenarios. The isolation means researchers can not only research vulnerabilities in Azure, they can attempt to exploit them.
The Azure Security Lab isn’t open to the public — you have to apply. Microsoft is promising quarterly campaigns for targeted scenarios with added incentives, including exclusive swag. Security researchers will also be able to engage directly with Azure security experts.
Jamf Gets Native Mac Security With Digita Security
Enterprise Mac company Jamf has acquired Digita Security, bringing native Mac security to its platform.
Digita, a two-year old startup, was founded by a team of security experts led by Patrick Wardle, whose background includes a decade as a Mac security researcher, seeking out vulnerabilities on the Mac, and time at the NSA where he honed his security research skills.
Patrick makes a lot of great Mac tools with Objective See that I recommend.
Capital One Hack: What We Know and What You Can Do
A Capital One hack was recently discovered, affecting over 100 million people. Here’s what we know, and what you can do to stay protected.
Google's Project Zero Finds 6 iOS 'Interactionless' Bugs
Google’s security team Project Zero recently found six “interactionless” iOS bugs. If sold on the black market they would be worth over US$5 million.
According to the researcher, four of the six security bugs can lead to the execution of malicious code on a remote iOS device, with no user interaction needed. All an attacker needs to do is to send a malformed message to a victim’s phone, and the malicious code will execute once the user opens and views the received item.
The fifth and sixth bugs, CVE-2019-8624 and CVE-2019-8646, can allow an attacker to leak data from a device’s memory and read files off a remote device – also with no user interaction.
Capital One Hack Affects Credit Card Customers
On July 19 Capital One found it had gotten hacked. The FBI arrested the hacker but 100 million U.S. customers are affected.
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
What angers me the most about this is the fact that I had to read the news to learn what happened. As a Capital One customer I feel I should’ve been notified by email. Customers affected by this will get an email but I want a notification email as well. Maybe I’ll get five bucks like those affected by Equifax.