500M iOS Users Affected by Cyberattack via Chrome Bug

Roughly 500 million iOS users have been affected by a cyberattack that takes advantage of an iOS Chrome bug.

The attacks are the work of the eGobbler gang, researchers said, which has a track record of mounting large-scale malvertising attacks ahead of major holiday weekends. Easter is coming up, and the crooks are banking on consumers spending a lot more time than usual browsing the web on their phones.

Another research firm says this attack can also affect Safari users. Be careful this weekend.

Two Students Accused of Jamming School Wi-Fi to Avoid Tests

Two high school students in New Jersey successfully jammed their school’s Wi-Fi network in order to avoid taking exams.

Secaucus Schools Superintendent Jennifer Montesano says the school’s Wi-Fi network has been restored and is now fully operational. But she declined further comment. Since much of the school’s curriculum is internet-based, the lack of Wi-Fi connection disrupted the students’ daily assignments.

As Redditor u/AdvancedAdvance quipped: “Although their slowing down the network to unusable speeds will land them in a lot of trouble at school, they can now expect to get full-time, high-paying job offers from AT&T and Verizon.”

Eva Galperin Wants to Eliminate Stalkerware

Eva Galperin is the head of the Electronic Frontier Foundation’s (EFF) Threat Lab. Her latest project? Ending stalkerware once and for all.

In a talk she is scheduled to give next week at the Kaspersky Security Analyst Summit in Singapore, Galperin will lay out a list of demands: First, she’s calling on the antivirus industry to finally take the threat of stalkerware seriously, after years of negligence and inaction. She’ll also ask Apple to take measures to protect iPhone users from stalkerware, given that the company doesn’t allow antivirus apps into its App Store.

An Inside Look Into a Recent Spam Operation

Millions of people were affected for 10 days in March by a spam email operation. But the spammer didn’t set a password for their server (via TechCrunch). It’s a fascinating story. Security researcher Bob Diachenko found the server after the operation. The spammer had…

Which Browser is the Most Private and Secure?

Zubair Khan put together a list of popular web browsers and tested them to figure out which was the most private and secure.

To decide which browser is the best for privacy and security, we will evaluate them using two criteria: Available security features [and] embedded Privacy Tools. Each browser will be rated out of five and will be ranked accordingly.

The browsers he tested: Chrome, Internet Explorer (Not Edge?), Safari, Firefox, Chromium, Opera, and Tor browser.

Updated Apple Devices Display 'Not Secure' in Safari

If you’ve updated to iOS 12.2 and/or macOS 14.4, you’ve probably seen a ‘Not Secure’ message in the Safari address bar. OSXDaily explains.

By seeing the ‘Not Secure’ Safari message on an iPhone, iPad, or Mac you are simply being informed by Safari that the website or webpage being visited is using HTTP rather than HTTPS, or perhaps that HTTPS is misconfigured at some technical level.

Ironically, as the article points out, OSXDaily is itself not secure.

An HTTPS Site Could Have a Green Padlock and Still be Insecure

If a website uses HTTPS, Safari will display a green padlock next to the domain in the address bar. But in some cases it could still be insecure.

In analysis of the web’s top 10,000 HTTPS sites—as ranked by Amazon-owned analytics company Alexa—the researchers found that 5.5 percent had potentially exploitable TLS vulnerabilities. These flaws were caused by a combination of issues in how sites implemented TLS encryption schemes and failures to patch known bugs (of which there are many) in TLS and its predecessor Secure Sockets Layer. But the worst thing about these flaws is they are subtle enough that the green padlock will still appear.

iOS 12.2 Fixes 51 Security Vulnerabilities

iOS 12.2 patches 51 security vulnerabilities, which is a huge incentive to update if nothing else announced yesterday was enticing.

The list of patches covers a wide variety of bugs an adversary could potentially manipulate to obtain effects like denial-of-service, privilege escalation, and information disclosure to gaining root privileges, overwriting arbitrary files, or executing code of the attacker’s choice.

Your Phone Number Shouldn't Be Your Identity

Brian Krebs wrote a good article on how our phone numbers have become security and authentication tools, and thus closely tied to our identity. But there’s a problem with that.

Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

Security Expert Talks iPhones and Viruses

Security expert Maik Morgenstern talks about iPhones and viruses and how in theory an iPhone could get one.

“In theory, yes,” Maik Morgenstern, chief technology officer for AV-Test, told Digital Trends. “However, the practical hurdles are quite high, and it is unlikely for a normal user to get affected. But vulnerabilities exist that can be exploited by attackers.”

Firefox Send Lets You Share Big Encrypted Files

Firefox Send is a free tool that lets you send encrypted files up to 1GB in size, or 2.5GB if you sign in with a Firefox account.

What sets Send apart is its ease of use. It works in any browser; just go to send.firefox.com. Upload or drag and drop files, and Send will generate a link that you can set to expire after a certain number of downloads—up to 100—or a certain amount of time, ranging from five minutes to seven days.

Being able to use any browser is probably the best part about this tool.

SXSW: CLEAR Expands Identity Verification from Airport Security Lines to Point of Sale

CLEAR, the company whose members we all enviously gaze upon at the airport as they breeze past those of us in the TSA Pre-Check lines, is expanding their identity verification technology to point of sale. Testing in some Seattle sports stadiums, CLEAR’s ability to use biometrics to confirm that you are definitively you is helpful for age verification for alcohol sales, but could also just make point of sale simpler in general. This was part of their mission all along: they figured that if they could get approval for their tech to be used to confirm identity at airports, it was certainly going to work to add convenience to point of sale while also increasing the security of the transactions. Of course, Apple’s introduction of Touch ID at point of sale with Apple Pay starting in 2014 has helped the masses understand the usefulness of this technology. That rising tide lifts all boats, including CLEAR’s. Look for CLEAR to roll out more instances of this tech in the coming year.

Be Sure to Properly Remove Data from Devices

David Nield implores us to make sure we properly remove data from our devices before we get rid of them.

Your personal data—be it financial spreadsheets or web searches—is not something you want to be leaving behind for other people to find, and totally wiping your activity off devices or the web takes a few more steps than you might have realized. Don’t worry though, as we’re going to walk you through the process.