macOS Mojave 10.14.6 Patches a Security Hole

Along with iOS 12.4.2 Apple is releasing macOS Mojave 10.14.6, a second supplemental update with security fixes.

If you’re running an earlier version of macOS then you will instead find Security Update 2019-005 for macOS High Sierra and Security Update for macOS Sierra available as system software updates.

The update fixes CVE-2019-8641: a remote attacker may be able to cause unexpected application termination or arbitrary code execution.

Be Cautious of AltStore, the New Alternative App Store

There are reports of an alternative App Store that doesn’t require jailbreaking. It’s called AltStore, and it lets you download these alternative apps via a server you install on your Mac. While the developer says that the code for AltStore is open source, that doesn’t mean the apps within are. I urge caution about installing unknown apps outside of the App Store. If they can’t make it through the app review team, there’s probably a reason for that. For example, this quote from the blog:

From the beginning, AltStore was intended to serve as a way for developers to distribute entirely new apps that push the boundaries of iOS in ways not possible with Apple’s app review system.

Hopefully, “pushing the boundaries” doesn’t include apps full of malware.

White House Blocks Audit of its Offensive Hacking Strategy

The White House is blocking a congressional audit of its offensive hacking policy, which it has already used for cyberattacks against Russia and Iran.

The policy, which loosened the reins on military strikes against U.S. adversaries, has been withheld for more than a year from lawmakers — even those who regularly review classified material. Lawmakers from both parties are concerned the Trump administration could plunge the country into a cyberwar without congressional approval or oversight, or at the very least, provoke retaliation that causes serious damage at home.

The White House hacking strategy is: “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing.”

Cloudflare Releases Warp VPN for Everyone

Cloudflare announced its Warp VPN earlier this year and created a waiting list for it to be rolled out. Although the company had technical difficulties, the list is gone and Warp VPN is available for everyone today.

Let me start with the apology. We are sorry making WARP available took far longer than we ever intended. As a way of hopefully making amends, for everyone who was on the waitlist before today, we’re giving 10 GB of WARP Plus — the even faster version of WARP that uses Cloudflare’s Argo network — to those of you who have been patiently waiting.

This Friday I intend to publish a list of five VPN apps for iOS, and Warp will be included.

Russian Confesses to JPMorgan Chase Hack

Russian national Andrei Tyurin confessed to the 2014 hacking of JPMorgan Chase, which stole the data of over 80 million customers.

Tyurin carried out the hacks at the direction of co-conspirator Gery Shalon, who used the stolen data to further a variety of schemes, including securities fraud. One scheme involved artificially inflating the price of certain publicly traded stocks by marketing them in a deceptive and misleading manner to customers of companies Tyurin had hacked.

Your X-Ray Images and Medical Data Are Available on the Internet

A ProPublica investigation revealed that medical images and health data are often stored on insecure servers that are easily accessible to anyone with a bit of computer knowledge.

We identified 187 servers — computers that are used to store and retrieve medical data — in the U.S. that were unprotected by passwords or basic security precautions. The computer systems, from Florida to California, are used in doctors’ offices, medical-imaging centers and mobile X-ray services.

All told, medical data from more than 16 million scans worldwide was available online, including names, birthdates and, in some cases, Social Security numbers.

New Exploit Shows We Should Just Skip to iOS 13.1

A contacts exploit was discovered in iOS 13 that lets a person bypass Face ID / Touch ID to see an iPhone’s contacts.

Relatively little is at stake with this exploit. Beyond the inherent danger of an assailant having your iPhone, this method only allows someone to view the contacts within the target iPhone, provided that they have physical access to the target phone and can complete the VoiceOver exploit.

Little is at stake, but there have been so many iOS exploits in the news lately that we might as well go straight to iOS 13.1.

The (In)Security Behind Trump's Twitter Account

According to an investigation of President Trump’s Twitter security, his account might be vulnerable to being hacked, although some disagree.

The source who shared information about Trump’s Twitter security said they don’t believe the account will be hacked, but that the risk should be kept in perspective. “Remember we are talking about access to a Twitter account, not access to the nuclear launch codes,” they said. “While the optics would be bad if the account were ever hacked, it would not be a national crisis.”

iMessage and Safari Make iPhones Less Secure

Andy Greenberg writes about security problems in iMessage and Safari, arguing that these two apps make the iPhone less secure.

“If you want to compromise an iPhone, these are the best ways to do it,” says independent security researcher Linus Henze of the two apps…He and other iOS researchers argue that when it comes to the security of both iMessage and WebKit—the browser engine that serves as the foundation not just of Safari but all iOS browsers—iOS suffers from Apple’s preference for its own code above that of other companies.

Apple is in a tough position. If a company isn’t great at security, it could get a third party to audit its software. But that would create a huge target.

Researchers Test Phones to See if They're Secretly Listening

Researchers put an iPhone and a Samsung phone into a room, playing cat and dog food advertising for 30 minutes.

The security specialists kept apps open for Facebook, Instagram, Chrome, SnapChat, YouTube, and Amazon with full permissions granted to each platform…They repeated the experiment at the same time for three days, and noted no relevant pet food adverts on the “audio room” phones and no significant spike in data or battery usage.

The results won’t surprise those in the information security industry who’ve known for years that the truth is that tech giants know so much about us that they don’t actually need to listen to our conversations to serve us targeted adverts.

For some people, maybe the belief that phones secretly spy on us is less terrifying than learning how much data these corporations actually have on us.

French Police Defeat Retadup Botnet Infecting 850,000 Computers

French police have defeated a botnet, built with the Retadup malware, that infected over 850,000 computers. With the help of a web host, they cloned the command and control server and used it to disinfect the zombie computers.

“The malware authors were mostly distributing cryptocurrency miners, making for a very good passive income,” the security company said. “But if they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits.”