Category Archives: apple

WhatsApp fixes Face ID and Touch ID authentication bypass

WhatsApp recently implemented Face ID and Touch ID authentication for its Apple iOS app, but unfortunately, it can be easily bypassed.

Earlier in February, WhatsApp introduced Face ID and Touch ID authentication for its iOS app to allow users to lock the application using the Face ID facial recognition and Touch ID fingerprint systems.

The security feature can be enabled from Settings -> Account -> Privacy -> Screen Lock menu item. Users can choose the authentication method (Face ID or Touch ID) and set up the interval of time used by the device to lock itself (immediately, after 1 minute, after 15 minutes, or after 1 hour).

A Reddit user discovered that the authentication method chosen by the owner could be bypassed if the duration is not set to “immediately” and the owner is using the Share Sheet in iOS. The Share Sheet allows sharing items or contents through various media like Facebook, Twitter.

Below is the step-by-step procedure to bypass the authentication.

“The latest FaceID and TouchID integration with WhatsApp has a privacy screen lock bypass bug for the WhatsApp application” wrote the Reddit user.

  1. Get to the iOS Share Sheet through any method, for example through the Photos app.
  2. Click on the WhatsApp icon in the iOS Share Sheet.
  3. While transitioning to the next screen, you observe that no FaceID or TouchID verification takes place if an option other than “Immediately” was set previously. Now just exit out to the iOS Home Screen. (If in some cases, it asks for FaceID or TouchID verification, just cancel it and try clicking on WhatsApp icon in the iOS Share Sheet again).
  4. Try to open WhatsApp and voila, it simply lets you inside WhatsApp without FaceID or TouchID verification.

The good news is that WhatsApp already addressed the bug with the release of the latest version of the iOS app.

Pierluigi Paganini

(SecurityAffairs – iOS Face ID, authentication bypass flaw)

The post WhatsApp fixes Face ID and Touch ID authentication bypass appeared first on Security Affairs.

Apple Plans To Launch an ‘All-New’ 16-inch MacBook Pro and 32-inch 6K Monitor This Year, Says Report

Apple is planning an "all-new" MacBook Pro design for this year, well-connected analyst Ming-Chi Kuo has said. From a report: The lineup is reportedly led by a model with a screen of between 16 and 16.5 inches, which would make it the biggest screen in a Mac notebook since the 17-inch models stopped being sold in 2012. Kuo says the lineup may also include a 13-inch model with support for 32GB of RAM; right now only the 15-inch MacBook Pro can be configured with that amount of memory. [...] More interestingly, Kuo has the first credible details of the external monitor that will mark Apple's return to the pro display market. It's said to be a 31.6-inch 6K display with a "Mini LED-like backlight design." Apple discontinued its last monitor, the Thunderbolt Display, back in 2016; right now the best option for owners of more modern Macs is the Apple-sanctioned but imperfect 27-inch LG UltraFine 5K.

Read more of this story at Slashdot.

Most & least radiation emitting smartphones in 2019

By Zehra Ali

Smartphones are a utility in our lives more than any other thing. The addiction has increased to a level that most of us keep our smartphones by our side whether we are at the office, home or even while we are on the bed. According to the research by Cellular Telecommunication and Internet Association, there […]

This is a post from HackRead.com Read the original post: Most & least radiation emitting smartphones in 2019

Lawsuit filed against Apple over lethal fire caused by defective iPad battery pack

Apple sued over defective iPad battery that caught fatal fire killing Parsippany Man

Apple has been sued by the children of a deceased Parsippany man who was killed in a fire in 2017 allegedly caused due to a faulty iPad battery. The civil lawsuit has been filed with the U.S. District Court for the District of New Jersey.

Bradley Ireland, 64, suffered severe injuries in the early morning fire that took place at his Colonial Heights apartment on February 22, 2017. The victim died later that day in a local hospital, says the lawsuit filed by Bradley’s daughter Julia Ireland Meo and son Benjamin Ireland.

“The fire was caused by a defect in the subject tablet, specifically affecting the tablet’s battery pack,” the lawsuit said. The fire started near an “electrical appliance” in the kitchen.

“The subject tablet was unreasonably dangerous and unsafe for its intended purpose by reasons of defects in its design and/or its manufacture and/or a lack of adequate warnings which existed when Defendant Apple placed the subject tablet into the stream of commerce and/or when Defendant distributed and/or sold ‘updates’ to the subject tablet,” Apple Insider reports, citing the lawsuit.

The lawsuit has been filed against Apple on three counts: “Strict Products Liability,” “Wrongful Death” and “Survival Action,” the time where Ireland “experienced significant pain and suffering” between receiving the burns and his death on the same day.

While the lawsuit asks for a jury trial, it doesn’t mention a specific figure. The Irelands are basically seeking compensatory damages, interest, costs, and attorney fees from Apple.

Apple has yet to comment on the lawsuit.

The post Lawsuit filed against Apple over lethal fire caused by defective iPad battery pack appeared first on TechWorm.

Cyber Security Week in Review (Feb. 15, 2019)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Email provider VFEmail says it suffered a “catastrophic” cyber attack. The company warned that about 18 years’ worth of customers’ emails may be permanently gone. “Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” VFEmail representatives said in a statement. 
  • Russia is considering isolating itself from the global internet. The Kremlin is experimenting with a new practice of only routing the country’s web requests through the country and not internationally. The country will run a test later this year in an effort to test its cyber defenses.
  • Apple released fixes for multiple security flaws in iOS. Two of the vulnerabilities, which were discovered by Google’s threat research team, were being exploited in the wild. The bugs could allow an attacker to escalate their privileges and eventually completely take over a device. 

From Talos


  • Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 69 vulnerabilities, 20 of which are rated “critical,” 46 that are considered “important” and three that are “moderate.” This release also includes a critical security advisory regarding a security update to Adobe Flash Player. 
  • Adobe released security updates for several of its products, including Flash and Acrobat Reader. Cisco Talos specifically discovered a critical remote code execution vulnerability in Adobe Acrobat Reader DC. An attacker could cause a heap overflow by tricking the user into opening a specially crafted PDF, which would allow the attacker to gain code execution privileges. 
  • A new tool from Talos can allow you to study the effect of cyber attacks on oil pump jacks. We released a 3-D printed, small-scale model of a pump jack that can be “hacked” from a smartphone, causing it to eventually overheat. We’ll also be taking this exhibit on the road over the course of the year. 

Malware roundup


  • A new variant of the Astaroth trojan is targeting Brazil via multiple spam campaigns. Once infected, the malware can steal users’ personal information and uses several deobfuscation techniques to make it more difficult to detect. The spam emails are also hitting users in parts of Europe.
  • Credit unions across the U.S. received phishing emails last week targeting anti-money laundering efforts. The phony emails claim to have information on unauthorized wire transfers and ask them to open a PDF that displays the alleged transaction and contains a link to a malicious web page. The attackers used information that’s believed to only be available to the National Credit Union Administration.
  • Google removed a cryptocurrency-stealing malware from its store. The malicious app disguised itself as the legitimate MetaMask service. Once downloaded, it would steal login credentials to steal users’ Ethereum funds. 

The rest of the news


  • Blockchain technology could be useful in detecting deepfake videos, specifically in police body cameras. A new tool called Amber Authenticate runs in the background of cameras to record the hashes of the video, which would appear different a second time if the user had edited the video. All of these results are recorded on the public blockchain.
  • India requested Facebook give its government a backdoor into the WhatsApp messaging app. This would require Facebook to give the government access to users’ encrypted messages that were originally secret.
  • Two U.S. senators are requesting an investigation into foreign VPN services. The senators say the companies could pose a national security risk.  


Hacked versions of popular iOS games available on App Store

By Waqas

Software pirates are distributing hacked and infected versions of iPhone apps by hijacking Apple’s enterprise developer program. Reportedly, the hacked apps include versions of Minecraft, Spotify, Angry Birds, and Pokemon Go. These apps have been modified for making paid content/features available for free to deprive the original developers and Apple of their due revenue share […]

This is a post from HackRead.com Read the original post: Hacked versions of popular iOS games available on App Store

Smashing Security #115: Love, Nests, and is 2FA destroying the world?


Is two factor authentication such a pain in the rear end that it’s costing the economy millions? Do you feel safe having a Google Nest in your home? And don’t get caught by a catfisher this Valentine’s Day.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by B J Mendelson.

Apple warns app developers over screen recording





Apple has given an ultimatum to all app developers who secretly record their customers' screens: quit snooping or get kicked off the Apple store.

The company took this decision after TechCrunch reported on apps such as Expedia, Hollister, and Hotels.com that use third-party analytics software to record a user's taps and swipes on the screen.

The report also mentioned that none of the apps had obtained prior explicit permission from users to record screen activity, nor disclosed that they use such software.

According to the report, most of these apps use an analytics tool called Glassbox for what is known as "session replaying": it records all of the user's activity and lets snoopers replay how the user interacted with the app. The tool is a complete violation of Apple's privacy policies.

In a statement, Apple said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store review guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging or otherwise making a record of user activity. We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary.”

However, reacting to the claims, Glassbox has said that it is not interested in 'spying' on customers and that its goal is to improve online experiences.

“Since its inception, Glassbox has helped organizations improve millions of customer experiences by providing tools that record and analyze user activity on websites and apps. This information helps companies better understand how consumers are using their services, and where and why they are struggling. We are strong supporters of user privacy and security. Glassbox provides its customers with the tools to mask every element of personal data. We firmly believe that our customers should have clear policies in place so that consumers are aware that their data is being recorded — just as contact centres inform users that their calls are being recorded.”

An info stealer .exe malware is targeting Mac users around the globe

By Waqas

Cybercriminals have identified a unique method of attacking Mac devices, which involves exploiting executable or .EXE files. Those files that can be executed both on Mac and Windows devices have the potential of infecting Mac computers as these unload a .exe malware. Discovered by Trend Micro researchers, the new malware can bypass the macOS security […]

This is a post from HackRead.com Read the original post: An info stealer .exe malware is targeting Mac users around the globe

iPhone SE 2 concept video shows full glass rear and an edge-to-edge display

iPhone SE 2 featuring notch and full glass rear shown in latest concept video

Ever since Apple launched its popular budget handset, the iPhone SE in March 2016, there have been rumors and leaks of the Cupertino giant working on its successor, iPhone SE 2.

Now, an artist (Dr. Gunho Lee for ConceptsiPhone) has reimagined the iPhone SE 2 in a concept video (see below) showing what the modern smartphone could look like.

As we can see, the video showcases the iPhone SE 2 with an edge-to-edge display and a screen cutout (notch) for the Face ID camera. This means that the smartphone will not have the Home button and Touch ID from its predecessor, the iPhone SE. It also features the same 4-inch display as the iPhone SE.

Further, the concept video shows that the smartphone has a full glass rear, which means it could enable Qi wireless charging. It also shows a single rear camera with a bump that protrudes through the case. One can also notice the volume buttons (+/-) and alert slider on the left side of the smartphone, while the power on/off button is on the right side.

The successor to the iPhone SE is also shown in a number of colors, namely, red, gold, silver, and blue. The video also hints that the iPhone SE 2 could launch in ‘coming spring’. In the past too, there were strong rumors that an iPhone SE 2 would come out in mid-2018; however, this never turned into reality.

Since this is just a concept video, we cannot depend completely on the above-mentioned information. Do let us know what you think about this possible iPhone SE 2 concept in the comments section below.

The post iPhone SE 2 concept video shows full glass rear and an edge-to-edge display appeared first on TechWorm.

Wall Street Journal Columnist Challenges Ethical Hacker to Test the Security of Their Laptops

It is hard to find any device such as a phone, tablet or laptop, that isn’t fitted with a camera

Wall Street Journal Columnist Challenges Ethical Hacker to Test the Security of Their Laptops on Latest Hacking News.

A week in security (February 4 – 8)

Last week on Malwarebytes Labs, we took a closer look at the technical and reputational challenges for Facebook as it tries to integrate secure messaging across Messenger, WhatsApp, and Instagram. We explored Google’s latest attempts to change how the public sees—literally—web browser URLs, gave some of our best tips on how to safely browse the Internet at work, and detailed a unique spam campaign involving ebooks, the Amazon Kindle web store and… John Wick? Yep.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (February 4 – 8) appeared first on Malwarebytes Labs.

Apple bricked its own iPhone chargers, alleges class-action lawsuit

Apple accused of blocking its own iPhone chargers in 2016 through iOS updates

A California resident has filed a class-action lawsuit against Apple for allegedly ‘blocking support for old chargers’ in 2016 through iOS updates (via AppleInsider).

The main plaintiff identified as Monica Emerson in the lawsuit filed the suit via a law firm in the United States District Court for the Central District of California “on behalf of all other members of the public similarly situated.”

According to the lawsuit, around November 2016, “thousands” of iPhone owners in the U.S. and other countries began to experience problems with their older iPhones where their devices stopped recognizing or accepting their chargers.

The lawsuit notes that the chargers were functioning normally before September 13, 2016. However, an iOS update that was released in October 2017 caused Emerson’s charger to stop working, and the phone started showing a pop-up, “this accessory may not be supported,” when she attempted to charge it. The Apple iOS update also took place without Emerson’s approval, notes the suit.

“In or around October 2017, Plaintiff attempted to use her Apple Charger and received a message that read “This accessory may not be supported.” Thus, requiring that people buy a new charger for her iPhone. Upon learning this, Plaintiff felt ripped off, cheated, and violated by Defendant.”

The company is accused of releasing “forced updates to the iPhones which were specifically designed and programmed to reject old iPhone chargers.” Apple is said to have done this “in an effort to dominate the cellular telephone marketplace,” with an aim to force customers to purchase either new iPhones or new chargers.

The lawsuit further notes that the chargers were produced by the iPhone-maker, and not a third-party company.

Demanding a jury trial, the suit wants class-action status, for Apple to inform class members of its “unlawful and deceptive conduct,” and that Apple must engage in corrective advertising, actual and punitive damages, any and all statutory enhanced damages, attorneys’ fees, interest, and any other available relief, in order to rectify the malpractice.

Meanwhile, Apple’s own support advises that the “Accessory may not be supported” alert can appear because the accessory is defective or damaged, because it is not Apple-certified, because the accessory isn’t supported by the device, or because the iOS device has a dirty or damaged connector. It could also mean that users need to update to a newer version of iOS for certain kinds of accessories.

Apple has yet to officially respond to the lawsuit.

In December last year, two Apple users had jointly filed a lawsuit in the U.S. District Court of California accusing Apple of making fraudulent claims regarding the screen sizes and pixel counts of the displays in its new iPhone X series (iPhone X, XS, and XS Max) smartphones.

The post Apple bricked its own iPhone chargers, alleges class-action lawsuit appeared first on TechWorm.

Apple Security updates released for Facetime bugs

A recently reported bug in Facetime caused privacy concerns last month as individuals were able to eavesdrop on users. The

Apple Security updates released for Facetime bugs on Latest Hacking News.

PNG Image File Security Flaw Could Give Hackers Access to Your Android Phone

Most people will get pictures of cute animals and other funny memes sent to them throughout the day. In many

PNG Image File Security Flaw Could Give Hackers Access to Your Android Phone on Latest Hacking News.

These iOS apps have been secretly recording your screen activities

By Waqas

Apple has vowed to remove iOS apps that record screen data. User data recording has become an issue of concern among the cyber-security community as the data is used to launch a variety of scams, identify customer demographics, and targeted marketing gimmicks. Mobile phone manufacturers are trying to ensure that apps that indulge in sneaky […]

This is a post from HackRead.com Read the original post: These iOS apps have been secretly recording your screen activities

Three out of the four flaws fixed with iOS 12.1.4 were exploited in the wild

Security experts at Google discovered that two of the zero-day vulnerabilities patched by Apple with the release of iOS 12.1.4 were exploited in the wild.

Security researchers at Google revealed that two of the zero-day flaws addressed by Apple with the release of iOS 12.1.4 were exploited in the wild.

Apple iOS 12.1.4 version addresses four vulnerabilities, two issues associated with the FaceTime bug and two memory corruption flaws that could be exploited by attackers to elevate privileges and execute arbitrary code.

The CVE-2019-7287 vulnerability affects the IOKit and it can be exploited by a malicious app to execute arbitrary code with kernel privileges.

“An application may be able to execute arbitrary code with kernel privileges.” reads the security advisory.

“A memory corruption issue was addressed with improved input validation.”

The CVE-2019-7286 vulnerability impacts the Foundation component in iOS; it could allow a malicious application to gain elevated privileges.

“An application may be able to gain elevated privileges” continues the advisory. “A memory corruption issue was addressed with improved input validation.”

The flaws were discovered by Clement Lecigne of Google Threat Analysis Group, and Ian Beer and Samuel Groß of Google Project Zero. Apple also credited an anonymous researcher for the discovery of the vulnerabilities.

Project Zero Team Lead Ben Hawkes revealed that both CVE-2019-7286 and CVE-2019-7287 have been exploited in the wild. Google experts did not reveal technical details on the attacks they observed in the wild.

The popular Google Project white hat hacker Tavis Ormandy confirmed that three of the four vulnerabilities addressed by Apple were exploited by attackers in the wild.

Pierluigi Paganini

(SecurityAffairs – hacking, iOS 12.1.4)

The post Three out of the four flaws fixed with iOS 12.1.4 were exploited in the wild appeared first on Security Affairs.

Apple fixes FaceTime eavesdropping bug, two iOS zero-days

Apple has pushed out critical security updates for iOS and macOS, which fix the “Facepalm” FaceTime eavesdropping bug but also two zero-day flaws that, according to Google researchers, have been exploited in the wild.

Fixed vulnerabilities

The Facepalm bug (CVE-2019-6223) affects FaceTime Groups both on iOS and macOS, and was discovered by Grant Thompson, a high schooler from Arizona. After the existence of the flaw and demonstration videos of its exploitation were made public, Apple … More

The post Apple fixes FaceTime eavesdropping bug, two iOS zero-days appeared first on Help Net Security.

Merging Facebook Messenger, WhatsApp, and Instagram: a technical, reputational hurdle

Secure messaging is supposed to be just that—secure. That means no backdoors, strong encryption, private messages staying private, and, for some users, the ability to securely communicate without giving up tons of personal data.

So, when news broke that scandal-ridden, online privacy pariah Facebook would expand secure messaging across its Messenger, WhatsApp, and Instagram apps, a broad community of cryptographers, lawmakers, and users asked: Wait, what?

Not only is the technology difficult to implement, the company implementing it has a poor track record with both user privacy and online security.

On January 25, the New York Times reported that Facebook CEO Mark Zuckerberg had begun plans to integrate the company’s three messaging platforms into one service, allowing users to potentially communicate with one another across its separate mobile apps. According to the New York Times, Zuckerberg “ordered that the apps all incorporate end-to-end encryption.”

The initial response was harsh.

Abroad, Ireland’s Data Protection Commission, which regulates Facebook in the European Union, immediately asked for an “urgent briefing” from the company, warning that previous data-sharing proposals raised “significant data protection concerns.”

In the United States, Democratic Senator Ed Markey for Massachusetts said in a statement: “We cannot allow platform integration to become privacy disintegration.”

Cybersecurity technologists swayed between cautious optimism and just plain caution.

Some professionals focused on the clear benefits of enabling end-to-end encryption across Facebook’s messaging platforms, emphasizing that any end-to-end encryption is better than none.

Former Facebook software engineer Alec Muffett, who led the team that added end-to-end encryption to Facebook Messenger, said on Twitter that the integration plan “clearly maximises the privacy afforded to the greatest [number] of people and is a good idea.”

Others questioned Facebook’s motives and reputation, scrutinizing the company’s established business model of hoovering up mass quantities of user data to deliver targeted ads.

Johns Hopkins University Associate Professor and cryptographer Matthew Green said on Twitter that “this move could potentially be good or bad for security/privacy. But given recent history and financial motivations of Facebook, I wouldn’t bet my lunch money on ‘good.’”

On January 30, Zuckerberg confirmed the integration plan during a quarterly earnings call. The company hopes to complete the project either this year or in early 2020.

It’s going to be an uphill battle.

Three applications, one bad reputation

Merging three separate messaging apps is easier said than done.

In a phone interview, Green said Facebook’s immediate technological hurdle will be integrating “three different systems—one that doesn’t have any end-to-end encryption, one where it’s default, and one with an optional feature.”

Currently, the messaging services across WhatsApp, Facebook Messenger, and Instagram have varying degrees of end-to-end encryption. WhatsApp provides default end-to-end encryption, whereas Facebook Messenger provides optional end-to-end encryption if users turn on “Secret Conversations.” Instagram provides no end-to-end encryption in its messaging service.

Further, Facebook Messenger, WhatsApp, and Instagram all have separate features—like Facebook Messenger’s ability to support more than one device and WhatsApp’s support for group conversations—along with separate desktop or web clients.

Green said to imagine someone using Facebook Messenger’s web client—which doesn’t currently support end-to-end encryption—starting a conversation with a WhatsApp user, where encryption is set by default. These lapses in default encryption, Green said, could create vulnerabilities. The challenge is in pulling together all those systems with all those variables.

“First, Facebook will have to likely make one platform, then move all those different systems into one somewhat compatible system, which, as far as I can tell, would include centralizing key servers, using the same protocol, and a bunch of technical development that has to happen,” Green said. “It’s not impossible. Just hard.”

But there’s more to Facebook’s success than the technical know-how of its engineers. There’s also its reputation, which, as of late, portrays the company as a modern-day data baron, faceplanting into privacy failure after privacy failure.

After the 2016 US presidential election, Facebook refused to call the surreptitious collection of 50 million users’ personal information a “breach.” When brought before Congress to testify about his company’s role in a potential international disinformation campaign, Zuckerberg deflected difficult questions and repeatedly claimed the company does not “sell” user data to advertisers. But less than one year later, a British parliamentary committee released documents that showed how Facebook gave some companies, including Airbnb and Netflix, access to its platform in exchange for favors—no selling required.

Five months ago, Facebook’s Onavo app was booted from the Apple App Store for gathering app data, and early this year, Facebook reportedly paid users as young as 13 years old to install the “Facebook Research” app on their own devices, an app intended strictly for Facebook employee use. Facebook pulled the app, but Apple had extra repercussions in mind: It removed Facebook’s enterprise certificate, which the company relied on to run its internal developer apps.

These repeated privacy failures are enough for some users to avoid Facebook’s end-to-end encryption experiment entirely.

“If you don’t trust Facebook, the place to worry is not about them screwing up the encryption,” Green said. “They want to know who’s talking to who and when. Encryption doesn’t protect that at all.”

If not Facebook, then who?

Reputationally, there are at least two companies that users look to for both strong end-to-end encryption and strong support of user privacy and security—Apple and Signal, which respectively run the iMessage and Signal Messenger apps.

In 2013, Open Whisper Systems developed the Signal Protocol. This encryption protocol provides end-to-end encryption for voice calls, video calls, and instant messaging, and is implemented by WhatsApp, Facebook Messenger, Google’s Allo, and Microsoft’s Skype to varying degrees. Journalists, privacy advocates, cryptographers, and cybersecurity researchers routinely praise Signal Messenger, the Signal Protocol, and Open Whisper Systems.

“Use anything by Open Whisper Systems,” said former NSA defense contractor and government whistleblower Edward Snowden.

“[Signal is] my first choice for an encrypted conversation,” said cybersecurity researcher and digital privacy advocate Bruce Schneier.

Separately, Apple has proved its commitment to user privacy and security through statements made by company executives, updates pushed to fix vulnerabilities, and legal action taken in US courts.

In 2016, Apple fought back against a government request that the company design an operating system capable of allowing the FBI to crack an individual iPhone. Such an exploit, Apple argued, would be too dangerous to create. Earlier last year, when an American startup began selling iPhone-cracking devices—called GrayKey—Apple fixed the vulnerability through an iOS update.

Repeatedly, Apple CEO Tim Cook has supported user security and privacy, saying in 2015: “We believe that people have a fundamental right to privacy. The American people demand it, the constitution demands it, morality demands it.”

But even with these sterling reputations, the truth is, cybersecurity is hard to get right.

Last year, cybersecurity researchers found a critical vulnerability in Signal’s desktop app that allowed threat actors to obtain users’ plaintext messages. Signal’s developers fixed the vulnerability within a reported five hours.

Last week, Apple’s FaceTime app, which encrypts video calls between users, suffered a privacy bug that allowed threat actors to briefly spy on victims. Apple fixed the bug after news of the vulnerability spread.

In fact, several secure messaging apps, including Telegram, Viber, Confide, Allo, and WhatsApp have all reportedly experienced security vulnerabilities, while several others, including Wire, have previously drawn ire because of data storage practices.

But vulnerabilities should not scare people from using end-to-end encryption altogether. On the contrary, they should spur people into finding the right end-to-end encrypted messaging app for themselves.

No one-size-fits-all, and that’s okay

There is no such thing as a perfect, one-size-fits-all secure messaging app, said Electronic Frontier Foundation Associate Director of Research Gennie Gebhart, because there’s no such thing as a perfect, one-size-fits-all definition of secure.

“In practice, for some people, secure means the government cannot intercept their messages,” Gebhart said. “For others, secure means a partner in their physical space can’t grab their device and read their messages. Those are two completely different tasks for one app to accomplish.”

In choosing the right secure messaging app for themselves, Gebhart said people should ask what they need and what they want. Are they worried about governments or service providers intercepting their messages? Are they worried about people in their physical environment gaining access to their messages? Are they worried about giving up their phone number and losing some anonymity?

In addition, it’s worth asking: What are the risks of an accident, like, say, mistakenly sending an unencrypted message that should have been encrypted? And, of course, what app are friends and family using?

As for the constant news of vulnerabilities in secure messaging apps, Gebhart advised not to overreact. The good news is, if you’re reading about a vulnerability in a secure messaging tool, then the people building that tool know about the vulnerability, too. (Indeed, developers fixed the majority of the security vulnerabilities listed above.) The best advice in that situation, Gebhart said, is to update your software.

“That’s number one,” Gebhart said, explaining that, though this line of defense is “tedious and maybe boring,” sometimes boring advice just works. “Brush your teeth, lock your door, update your software.”

Cybersecurity is many things. It’s difficult, it’s complex, and it’s a team sport. That team includes you, the user. Before you use a messenger service, or go online at all, remember to follow the boring advice. You’ll better secure yourself and your privacy.

The post Merging Facebook Messenger, WhatsApp, and Instagram: a technical, reputational hurdle appeared first on Malwarebytes Labs.

Congress Wants Written Answers from Apple on FaceTime Privacy Glitch

Apple is not getting off so easily with the FaceTime privacy violation incident. Two members of the US Congress are “deeply troubled” that the company didn’t immediately address the software glitch and demand further explanations for an issue they think could easily create “ultimate spying machines,” writes Reuters.

House Energy and Commerce Committee Chairman Frank Pallone and Representative Jan Schakowsky, both Democrats, wrote a letter to Apple CEO Tim Cook demanding to know when the company was first made aware of the privacy intrusion, how consumer privacy may have been affected and “whether there are other undisclosed bugs that currently exist and have not been addressed.” They are calling for transparency with the outcome of the investigation and a written response to their questions.

The FaceTime privacy violation was detected by a 14-year-old and his mom who were trying to use the group call feature, but found that strangers could easily eavesdrop on their conversation even before the call officially started. Once the two came across the flaw, they repeatedly contacted Apple to fix it.

“Your company and others must proactively ensure devices and applications protect consumer privacy, immediately act when a vulnerability is identified and address any harm caused when you fail to meet your obligations to consumers,” reads the letter. “We do not believe Apple has been as transparent as this serious issue requires.”

Once the software bug was publicly disclosed, Apple disabled the feature and is working on software updates to fix the issue in the near future.

The issue doesn’t seem to have affected Apple’s business strength and stock price, as it has regained its title of “most valuable public company in the world,” ahead of Amazon and Microsoft, writes CNBC.

Cyber Security Roundup for January 2019

The first month of 2019 was a relatively slow month for cyber security in comparison with the steady stream of cyber attacks and breaches throughout 2018. On Saturday 26th January, car services and repair outfit Kwik Fit told customers its IT systems had been taken offline due to malware, which disrupted its ability to book in car repairs. Kwik Fit didn't provide any details about the malware, but it is fair to speculate that the malware outbreak was likely caused by a general lack of security patching and anti-virus protection as opposed to anything sophisticated.

B&Q said it had taken action after a security researcher found, and disclosed, details of suspected B&Q store thieves exposed online. According to Ctrlbox Information Security, the exposed records included 70,000 offender and incident logs, which included:

  • the first and last names of individuals caught or suspected of stealing goods from stores
  • descriptions of the people involved, their vehicles and other incident-related information
  • the product codes of the goods involved
  • the value of the associated loss

Hundreds of German politicians, including Chancellor Angela Merkel, had personal details stolen and published online at the start of January. A 20-year-old suspect was later arrested in connection with this disclosure. Investigators said the suspect had acted alone, had taught himself the skills he needed using online resources, and had no training in computer science. Yet another example of the low entry level for individuals in becoming a successful and sinister hacker.

Hackers took control of 65,000 Smart TVs around the world, in yet another stunt to support YouTuber PewDiePie. A video message was displayed on the vulnerable TVs which read "Your Chromecast/Smart TV is exposed to the public internet and is exposing sensitive information about you!" It then encourages victims to visit a web address before finishing up with, "you should also subscribe to PewDiePie"
Hacked Smart TVs: The Dangers of Exposing Smart TVs to the Net

The PewDiePie hackers said they had discovered a further 100,000 vulnerable devices, while Google said its products were not to blame, but were said to have fixed them anyway. In the previous month two hackers carried out a similar stunt by forcing thousands of printers to print similar messages. There was an interesting video of the negative impact of that stunt on the hackers on the BBC News website - The PewDiePie Hackers: Could hacking printers ruin your life?

Security company ForeScout said it had found thousands of vulnerable devices using search engines Shodan and Censys, many of which were located in hospitals and schools. Heating, ventilation, and air conditioning (HVAC) systems were among those that the team could have taken control over after it developed its own proof-of-concept malware.

Reddit users found they were locked out of their accounts after an apparent credential stuffing attack forced a mass password reset by Reddit in response. A Reddit admin said a "large group of accounts were locked down" due to anomalous activity suggesting unauthorised access.

Kaspersky reported that 30 million cyber attacks were carried out in the last quarter of 2018, with cyber attacks via web browsers reported as the most common method for spreading malware.

Action Fraud issued a new warning about a convincing TV Licensing phishing email scam that was making the rounds. The email attempts to trick people with subject lines like "correct your licensing information" and "your TV licence expires today" to convince people to open them. TV Licensing warned it never asks for this sort of information over email.

January saw further political pressure and media coverage about the threat posed to UK national security by Chinese telecoms giant Huawei; I'll cover all that in a separate blog post.



IBM Discovers Malicious Use of Apple Siri Shortcuts App

In iOS 12, Apple implemented the use of Shortcuts App into its voice assistant Siri. These shortcuts are designed to help

IBM Discovers Malicious Use of Apple Siri Shortcuts App on Latest Hacking News.

Apple revokes Google’s enterprise certificate for running user data collection program on iOS

Apple restores Google’s revoked enterprise certificate within hours

Earlier this week, Apple had revoked Facebook’s Enterprise Certificate for violating terms of its developer agreement by having an app on its App Store that extensively collected user’s data. It is now learned that Google too had a similar app that monitored users’ data and traffic usage on iPhones, according to TechCrunch.

Launched in 2012, Google’s data collecting app called Screenwise Meter allows users to earn gift cards, such as a $5 credit on Amazon, “for sideloading an Enterprise Certificate-based VPN app that allows Google to monitor and analyze their traffic and data.” It invites users aged 18 and above (or 13 and above in a family group) to participate in Google’s Opinion Rewards program.

Similar to the Facebook Research app that offers up to $20 per month to users to sideload a VPN app on iOS, the VPN app installed by Screenwise Meter also used an Enterprise Certificate. This certificate indicates that an app is only meant for distributing internally to employees, and not to the public.

Following the revelation, Google decided to shut down the Screenwise Meter iOS app. However, before Google could do so, Apple blocked the search giant from running its internal iOS apps.

Apologizing for using its iOS Enterprise Certificate, Google told TechCrunch that “The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize. We have disabled this app on iOS devices. This app is completely voluntary and always has been. We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time.”

The revoking of Enterprise Certificates by Apple created problems for both Facebook and Google, as they could no longer run internal apps on iOS devices. Those apps all depended on the enterprise program, which enables the distribution of internal apps within a company.

However, the Cupertino giant restored Facebook’s Enterprise Certificate on Thursday after revoking it on Wednesday. “We have had our Enterprise Certification, which enables our internal employee applications, restored,” a company spokesperson said in an email to The Register. “We are in the process of getting our internal apps up and running. To be clear, this didn’t have an impact on our consumer-facing services.”

Apple late Thursday restored functionality to Google’s apps within five hours of revoking its Enterprise Certificate.

The post Apple revokes Google’s enterprise certificate for running user data collection program on iOS appeared first on TechWorm.

IBM experts warn of malicious abuses of Apple Siri Shortcuts

IBM’s security researchers demonstrated that the Siri Shortcuts introduced in Apple iOS 12 can be abused by attackers.

Apple implemented Siri Shortcuts in iOS 12 to give users rapid access to applications and features. Shortcuts can automate common tasks and can be integrated by third-party developers into their software.

Researchers at IBM Managed Security Services discovered that Siri Shortcuts can be abused by hackers to perform malicious activities.

“This new feature can be enabled via third-party developers in their apps, or custom built by users downloading the shortcuts app from the app store. Once downloaded and installed, the Shortcuts app grants the power of scripting to perform complex tasks on users’ personal devices.” reads the analysis published by IBM.

“But accessing the phone from Siri Shortcuts also presents some potential security risks that were discovered by X-Force IRIS and reported to Apple’s security team.”

Experts pointed out that Siri Shortcuts improve interactions between users and the device, allowing access directly from the lock screen or through existing apps. Users can also share Shortcuts from the app via iCloud.

The shortcuts can be presented by developers on the lock screen or in the ‘search’ field, based on time, location and context.

“The shortcut can then appear on the lock screen or in ‘search’ when it is deemed appropriate to show it to the user based on time, location and context.” continues the analysis.

“For example, a user approaches their usual coffee shop, and the relevant app pops up a shortcut on the screen to allow them to order the usual cup of java and pay for it on the app before they even enter the coffee shop.”


Experts at IBM explained that the new feature could be abused for malicious purposes such as scareware, a pseudo-ransom campaign that attempts to scare victims and trick them into paying attackers by making them believe their data has been stolen by hackers.

Attackers can use native shortcut functionality to develop a script that delivers the ransom demands to the device’s owner in Siri’s voice. They can also automate data collection from the device (user’s current physical address, IP address, contents of the clipboard, stored pictures/videos, contact information and more) and send it to the victims to scare them.

“To move the user to the ransom payment stage, the shortcut could automatically access the Internet, browsing to a URL that contains payment information via cryptocurrency wallets, and demand that the user pay-up or see their data deleted, or exposed on the Internet,” continues the post.

What makes this attack scenario scarier is that the attacker could configure the malicious Shortcut to spread to the victim’s contact list, prompting further potential victims to download and install the malicious Shortcut.

Below is a video PoC of the hack that shows how a Shortcut can change the device’s brightness and volume, speak a ransom note that includes convincing personal details, turn the flashlight on and off while vibrating at the same time, display the spoken note in a written alert, and access the URL of a page containing payment information, in addition to spreading via messages to users’ contacts.

“In our security research labs, we tested the ransom attack scenario. The shortcut we created was named ‘Ransom’ in the video, but it could easily be named any other name to entice users to run it. Lures, such as game cheats/hacking, unlocking secret functionality in apps, or getting free money, often entice users to tap on a shortcut and see where it leads,” explained John Kuhn, senior threat researcher at IBM Managed Security Services.

Siri Shortcuts open the door to a broad range of social engineering attacks; they could be abused to trick victims into installing any kind of malware on their devices.

Below are some recommendations shared by the experts:

  1. Never install a Shortcut from an untrusted source.
  2. Check the permissions that the shortcut is requesting and never give permission to portions of your phone you are not comfortable with. Things like photos, location and camera could be used to obtain sensitive information.
  3. Use the show actions button before installing a third-party shortcut to see the underlying actions the shortcut might take. Look for things like messaging data to numbers you don’t recognize, emailing data out, or making SSH server connections to servers.

Pierluigi Paganini

(SecurityAffairs – Siri Shortcuts, hacking)

The post IBM experts warn of malicious abuses of Apple Siri Shortcuts appeared first on Security Affairs.


Apple Restores Facebook And Google Internal iOS Apps After Brief Punishment

The clashes between Facebook and Apple, and Google and Apple have made it to the news recently. Due to violations

Apple Restores Facebook And Google Internal iOS Apps After Brief Punishment on Latest Hacking News.

Cyber Security Week in Review (Feb. 1)

Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week

  • Apple revoked a set of developer tools from Facebook. The two tech companies got into a tug-of-war this week over a Facebook program that came to light where they paid users to install a VPN on their mobile devices. Facebook would then track users’ habits via the VPN. Facebook has now ended that program.
  • Apple temporarily disabled its group FaceTime service as it fixes a vulnerability. If exploited, an attacker could potentially listen in on conversations via Apple devices’ microphones even if the user doesn’t answer a FaceTime call. Apple’s slow response to this bug has prompted New York’s attorney general to launch an investigation.
  • The U.S. filed several criminal charges against Chinese tech company Huawei. One indictment accused Huawei of attempting to steal trade secrets from mobile company T-Mobile, while another says the company worked to bypass American sanctions against Iran.

From Talos

  • Attackers are utilizing a fake job posting from Cisco Korea to infect users. Based on our research, we believe this is the latest in a long string of attacks from the same threat actor.
  • There are multiple vulnerabilities in ACD Systems' Canvas Draw 5. The vulnerable component of Canvas Draw 5 lies in the handling of TIFF and PCX images. Snort rules 39593 - 39596, 39599 - 39632, 47336, 47337 can help protect you from the exploitation of these vulnerabilities.
  • Python.org contains an exploitable denial-of-service vulnerability in its X509 certificate parser. A specially crafted X509 certificate can cause a NULL pointer to dereference, resulting in a denial of service. Snort rules 48854 and 48855 can protect you from the exploitation of this vulnerability. 
  • Talos discovered two vulnerabilities that could allow remote code execution and memory disclosure at the kernel level in WIBU-SYSTEMS WibuKey. WibuKey is a USB key designed to protect software and intellectual properties. Snort rules 47750 and 47751 can protect you from the exploitation of these vulnerabilities. 

Malware roundup

  • The FormBook malware is back, this time targeting retail and hospitality companies. The information-stealer first appeared in 2016, and its use has recently risen through a new malware-hosting service.
  • The FBI and Air Force are working together to dismantle a North Korean botnet. Joanap is a remote access tool believed to be associated with the Lazarus Group APT. Snort rule 46885 can prevent Joanap from making an outbound connection.
  • A new cryptocurrency malware is targeting Macs. A variant of OSX.DarthMiner, the malware steals browser cookies and saved passwords in the Google Chrome web browser. 
  • American and Belgian authorities shut down an illegal online marketplace. xDedic, a website that concealed the location of its servers and was often used to sell personal information stolen in cyber attacks, is responsible for roughly $68 million of fraud.

The rest of the news

  • Google removed several data collection apps from the iOS App Store. The apps collected data from users’ phones, browsers and routers with their consent. In exchange, Google sent gift cards to the users. However, they did not properly operate under Apple’s developer enterprise program.
  • The United Arab Emirates has gathered a group of hackers to track adversaries of their government. Many of the members are former U.S. National Security Agency hackers. 
  • A group of 2.2 billion login credentials is circulating among hacking groups. This trove of information is part of a smaller collection that was uncovered by a security researcher earlier this year.
  • A distributed denial-of-service attack recently broke the record for packets sent per second. Security firm Imperva says they recently stopped an attack against their client that crossed the 500 million packets per second mark. 
  • Airbus employees’ data was accessed as the result of a recent data breach. The airline says there was no impact to their commercial operations or intellectual property.
  • Chrome and Firefox fixed several security flaws in the latest versions of their browsers. Chrome 72 fixed 58 CVEs, including one that was rated “critical,” while Firefox patched seven CVEs, including three “critical” ones. 

New Mac Malware steals iPhone text messages from iTunes backups

By Waqas

The IT security researchers at Palo Alto Networks’ Unit 42 have discovered a dangerous new Mac malware capable of targeting devices for multiple purposes, including stealing cryptocurrency. Dubbed CookieMiner by researchers, the Mac malware is a variant of OSX.DarthMiner, another nasty piece of malware known for targeting macOS. But CookieMiner aims at much more than its predecessor. See: 400% increase in […]

This is a post from HackRead.com Read the original post: New Mac Malware steals iPhone text messages from iTunes backups

Apple revokes Facebook’s enterprise certificate due to misuse of customers’ personal data

Reports surfaced revealing Facebook were paying individuals to permit it to watch everything they were doing. This action was allowing

Apple revokes Facebook’s enterprise certificate due to misuse of customers’ personal data on Latest Hacking News.

Apple pulls Facebook enterprise certificate

It’s been an astonishing few days for Facebook. They’ve seen both an app and their enterprise certificate removed and revoked with big consequences.

What happened?

Apple issue enterprise certificates to organizations with which they can create internal apps. Those apps don’t end up released on the Apple store, because the terms of service don’t allow it. Anything storefront-bound must go through the mandatory app checks by Apple before being loaded up for sale.

What went wrong?

Facebook put together a “Facebook research” market research app using the internal process. However, they then went on to distribute it externally to non-Facebook employees. And by “non Facebook employees” we mean “people between the ages of 13 to 35.” In return for access to large swathes of user data, the participants received monthly $20 gift cards.

The program was managed via various Beta testing services, and within hours of news breaking, Facebook stated they’d pulled the app.

Problem solved?

Not exactly. Apple has, in fact, revoked Facebook’s certificate, essentially breaking all of their internal apps and causing major disruptions for their 33,000 or so employees in the process. As per the Apple statement:

We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers…a clear breach of their agreement.

Whoops

Yes, whoops. Now the race is on to get things back up and running over at Facebook HQ. Things may be a little tense behind the scenes due to, uh, something similar involving a VPN-themed app collecting data it shouldn’t have been earlier this year. That one didn’t use the developer certificate, but it took some 33 million downloads before Apple noticed and decided to pull the plug.

Could things get any worse for Facebook?

Cue Senator Ed Markey, with a statement on this particular subject:

“It is inherently manipulative to offer teens money in exchange for their personal information when younger users don’t have a clear understanding of how much data they’re handing over and how sensitive it is,” said Senator Markey. “I strongly urge Facebook to immediately cease its recruitment of teens for its Research Program and explicitly prohibit minors from participating. Congress also needs to pass legislation that updates children’s online privacy rules for the 21st century. I will be reintroducing my ‘Do Not Track Kids Act’ to update the Children’s Online Privacy Protection Act by instituting key privacy safeguards for teens.

“But my concerns also extend to adult users. I am alarmed by reports that Facebook is not providing participants with complete information about the extent of the information that the company can access through this program. Consumers deserve simple and clear explanations of what data is being collected and how it is being used.”

Well, that definitely sounds like a slide towards “worse” instead of “better.”

A one-two punch?

Facebook is already drawing heavy criticism this past week for the wonderfully-named “friendly fraud” practice of kids making dubious purchases, and chargebacks being made. It happens, sure, but perhaps not quite like this. From the linked Register article:

Facebook, according to the full lawsuit, was encouraging game devs to build Facebook-hosted games that allowed children to input parents’ credit card details, save those details, and then bill over and over without further authorisation.

While large amounts of money were being spent, some refunds proved to be problematic. Employees were querying why most apps with child-related issues are “defaulting to the highest-cost setting in the purchase flows.” You’d better believe there may be further issues worth addressing.

What next?

The Facebook research program app will continue to run on Android, which is unaffected by the certificate antics. There’s also this app from Google in Apple land which has since been pulled due to also operating under Apple’s developer enterprise program. No word yet as to whether or not Apple will revoke Google’s certificate, too. It could be a bumpy few days for some organizations as we wait to see what Apple does next. Facebook, too, could certainly do with a lot less bad publicity as it struggles to regain positive momentum. Whether that happens or not remains to be seen.

The post Apple pulls Facebook enterprise certificate appeared first on Malwarebytes Labs.

Google also abused its Apple developer certificate to collect iOS user data

It turns out that Google, like Facebook, abused its Apple Enterprise Developer Certificate to distribute a data collection app to iOS users, in direct contravention of Apple’s rules for the distribution program. Unlike Facebook, though, the company did not wait for Apple to revoke their certificate. Instead, they quickly disabled the app on iOS devices, admitted their mistake and extended a public apology to Apple. Google’s app Google’s Screenwise Meter app is very similar … More

The post Google also abused its Apple developer certificate to collect iOS user data appeared first on Help Net Security.

Hey Siri, Get My Coffee, Hold the Malware

With Apple’s introduction of iOS 12 for all their supported mobile devices came a powerful new utility for automation of common tasks called Siri Shortcuts. This new feature can be enabled via third-party developers in their apps, or custom built by users downloading the shortcuts app from the app store. Once downloaded and installed, the Shortcuts app grants the power of scripting to perform complex tasks on users’ personal devices.

But accessing the phone from Siri Shortcuts also presents some potential security risks that were discovered by X-Force IRIS and reported to Apple’s security team. This post gives some insight into potential attack scenarios using Shortcuts and reminds users that keeping a tight lid on app permissions is a critical step to upping security on devices and the way we use them.

Shortcuts Make Life Easier, Right?

Want to turn all your lights to disco, play your favorite soundtrack, and text your friends to come over? Or maybe perform complex mathematical computations with a single voice command? Siri Shortcuts can help do that and facilitate much more in user interaction with their devices, directly from the lock screen or via existing apps they use. These shortcuts can also be shared between users, using the app itself via iCloud, which means they can be passed around rather easily.

Beyond users wishing to automate daily activities, app developers can create shortcuts and present them to their user base from within their apps. The shortcut can then appear on the lock screen or in ‘search’ when it is deemed appropriate to show it to the user based on time, location and context. For example, a user approaches their usual coffee shop, and the relevant app pops up a shortcut on the screen to allow them to order the usual cup of java and pay for it on the app before they even enter the coffee shop.

These shortcuts are a nifty addition to Siri’s functionality, but while allowing extended functionality and personalization of the use of Siri, there are some less favorable scenarios to consider.

Siri Shortcuts Can Also Be Abused by Attackers

Siri Shortcuts can be a useful tool for both users and app developers who wish to enhance the level of interaction users have with their apps. But this access can potentially also be abused by malicious third parties. According to X-Force IRIS research, there are security concerns that should be taken into consideration in using Siri Shortcuts.

Siri Demanding Ransom?

Using Siri for malicious purposes, Shortcuts could be created for scareware, a pseudo ransom campaign to try to scare victims into paying a criminal by making them believe their data is in the hands of a remote attacker.

Using native shortcut functionality, a script could be created to speak the ransom demands to the device’s owner by using Siri’s voice. To lend more credibility to the scheme, attackers can automate data collection from the device and have it send back the user’s current physical address, IP address, contents of the clipboard, stored pictures/videos, contact information and more. This data can be displayed to the user to convince them that an attacker can make use of it unless they pay a ransom.

To move the user to the ransom payment stage, the shortcut could automatically access the Internet, browsing to a URL that contains payment information via cryptocurrency wallets, and demand that the user pay-up or see their data deleted, or exposed on the Internet.

The More the Merrier

To add to this scenario, the malicious shortcut can also be configured to spread to other devices by messaging everyone on the victim’s contact list, prompting them to download and install the same shortcut. This would be a cost effective and hard to detect distribution method, coming from a trusted contact.

In a video we created we show how native functionality can be used to make convincing ransom threats to someone running a malicious Siri Shortcut.

Pay attention to the following steps taking place in the video:

  1. The shortcut is configured to gather personal data from the device:
     • It can collect photos from the camera roll.
     • Grab the contents of the clipboard.
     • Get the physical address of the device’s location.
     • Find the external IP address.
     • Get the device’s model.
     • Get the device’s current mobile carrier.
  2. The Siri Shortcut can message the information to an external party; this data can also be sent over SSH to the attacker’s server using native functionality.
  3. The Shortcut can set the brightness and volume of the device to 100%.
  4. It can turn the device’s flashlight on and off while vibrating at the same time to get the user’s attention and make them believe their device has been taken over.
  5. The Shortcut can be made to speak a ransom note which can include convincing personal details to make the user believe the attacker. For example, it can indicate the IP address and physical address of the person and demand payment.
  6. The Shortcut can be further programmed to then display the spoken note in a written alert format on the device.
  7. To nudge the user to pay up, the Shortcut can be configured to open a webpage, accessing a URL that contains payment information to a cryptocurrency wallet, or a phishing page demanding payment card/account information[1].
  8. To spread around, and since Siri Shortcuts can be shared among users, the malicious Shortcut could also send a link to everyone in the user’s contact list giving it a “worm like” capability[2] that’s easy to deploy but harder to detect.

Not Only Ransom

In our security research labs, we tested the ransom attack scenario. The shortcut we created was named “Ransom” in the video, but it could easily be named any other name to entice users to run it. Lures, such as game cheats/hacking, unlocking secret functionality in apps, or getting free money, often entice users to tap on a shortcut and see where it leads.

From our researchers’ experience, users may fall prey to social engineering and end up installing and running malicious code or apps on their devices.

Using Siri Shortcuts More Safely

Siri Shortcuts has its merits and some security concerns to be aware of. Yet, it is possible to use this functionality in a safer manner.

  1. Never install a Shortcut from an untrusted source.
  2. Check the permissions that the shortcut is requesting and never give permission to portions of your phone you are not comfortable with. Things like photos, location and camera could be used to obtain sensitive information.
  3. Use the show actions button before installing a third-party shortcut to see the underlying actions the shortcut might take. Look for things like messaging data to numbers you don’t recognize, emailing data out, or making SSH server connections to servers.

Apple Controls Centralized Patch Control

Siri Shortcuts is a native feature of iOS12; however, in order to utilize custom shortcuts, one must download the Shortcuts app from Apple’s app store. This gives Apple the ability to patch/update the functionality of the Shortcuts app without having to update the entire OS version.

Users Should Be Very Selective with App Permissions

It’s also important to note that using the shortcuts is designed for, and therefore requires, a lot of user interaction. First, users must download and install the shortcut from a shared source, and then manually tap it to run. Users must also grant access to photos, contacts or any sensitive data the shortcut wants access to.

This is a sharp reminder to validate anything you install on your mobile device, as Shortcuts allows you to see everything the script is capable of before installing. As tempting as it might be to just scroll past that text and hit accept, users must be more aware of good security practices, which includes reading and understanding anything they authorize to run on their device.

[1] Not shown in this video

[2] Not shown in this video

The post Hey Siri, Get My Coffee, Hold the Malware appeared first on Security Intelligence.

Kaspersky Lab official blog: Transatlantic Cable podcast, episode 76

In the 76th edition of the Kaspersky Lab Transatlantic Cable Podcast, David and I cover a number of stories pertaining to privacy and, surprisingly, browsers. To start things off, we look at the issue that Apple faced earlier in the week where a bug in FaceTime that was reported by a kid wound up in the public eye.

Following that tale, we jump into a stranger-than-fiction story about Facebook and their controversial tactic to have users install a VPN to share their data with Facebook. The kicker is that the target audience included kids.

Following Facebook, we stay on the privacy bandwagon and look at the work that Mozilla did to improve the latest version of Firefox. We close out the podcast bidding happy trails to Internet Explorer 10. If you like the podcast, please consider sharing with your friends or subscribing below; if you are interested in the full text of the articles, please click the links below.


Serious security flaw in Apple’s FaceTime

Apple is rushing to fix an embarrassing problem that allows spying through its popular FaceTime. In the meantime, Apple has apparently disabled group calls in FaceTime, preferring to remove a feature from its app rather than leave a security hole open. The popular Mac news site 9to5Mac reported the flaw and […]

Smashing Security #113: FaceTime, Facebook, faceplant

FaceTime bug allows callers to see and hear you *before* you answer the phone, Facebook’s Nick Clegg tries to convince us the social network is changing its ways, and IoT hacking is big in Japan.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by John Hawes from AMTSO.

Facebook to shut down iOS app that allowed for near total data access

When Apple banned its Onavo VPN app from its App Store last summer, Facebook repackaged the app, named it “Facebook Research” and offered it for download through three app beta testing services, TechCrunch has discovered. About the Facebook Research app Facebook used the Onavo app to collect the aforementioned data of both Android and iOS users and, based on the information gleaned from it, made decisions to acquire competing apps and add popular features … More

The post Facebook to shut down iOS app that allowed for near total data access appeared first on Help Net Security.

iPhone FaceTime Vulnerability

This is kind of a crazy iPhone vulnerability: it's possible to call someone on FaceTime and listen on their microphone -- and see from their camera -- before they accept the call.

This is definitely an embarrassment, and Apple was right to disable Group FaceTime until it's fixed. But it's hard to imagine how an adversary can operationalize this in any useful way.

New York governor Andrew M. Cuomo wrote: "The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk." Kinda, I guess.

EDITED TO ADD (1/30): This bug/vulnerability was first discovered by a 14-year-old, whose mother tried to alert Apple with no success.

Apple Users: Here’s What to Do About the Major FaceTime Bug

FaceTime is a popular way for people of all ages to connect with long-distance loved ones. The feature permits Apple users to video chat with other device owners from essentially anywhere at any time. And now, a bug in the software takes that connection a step further – as it permits users calling via FaceTime to hear the audio coming from the recipient’s phone, even before they’ve accepted or denied the call.

Let’s start with how the eavesdropping bug actually works. First, a user would have to start a FaceTime video call with an iPhone contact and while the call is dialing, they must swipe up from the bottom of the screen and tap “Add Person.” Then, they can add their own phone number to the “Add Person” screen. From there, the user can start a group FaceTime call between themselves and the original person dialed, even if that person hasn’t accepted the call. What’s more – if the user presses the volume up or down, the victim’s front-face camera is exposed too.

This bug acts as a reminder that these days your smartphone is just as data rich as your computer. So, as we adopt new technology into our everyday lives, we all must consider how these emerging technology trends could create security risks if we don’t take steps to protect our data.

Therefore, it’s crucial all iOS users that are running iOS 12.1 or later take the right steps now to protect their device and their data. If you’re an Apple user affected by this bug, be sure to follow these helpful security steps:

  • Update, update, update. Speaking of fixes – patches for bugs are included in software updates that come from the provider. Therefore, make sure you always update your device as soon as one is available. Apple has already confirmed that a fix is underway as we speak.
  • Be sure to disable FaceTime in iOS settings now. Until this bug is fixed, it is best to just disable the feature entirely to be sure no one is listening in on you. When a fix does emerge from Apple, you can look into enabling the service again.
  • Apply additional security to your phone. Though the bug will hopefully be patched within the next software update, it doesn’t hurt to always cover your device with an extra layer of security. To protect your phone from any additional mobile threats coming its way, be sure to use a security solution such as McAfee Mobile Security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Apple Users: Here’s What to Do About the Major FaceTime Bug appeared first on McAfee Blogs.

Apple’s FaceTime privacy bug allowed possible spying

Social media caught fire yesterday as the news of a new Apple bug spread. It seemed that there was a flaw in FaceTime that allowed you to place a call to someone, but listen in on their microphone if they didn’t pick up. Worse, as the news spread, it turned out that there was also a way to capture video from the camera on the target device, and that this issue was affecting not just iPhones and iPads, but Macs as well.

The result was a chorus of voices all saying the same thing: turn off FaceTime. The good news, though, if you’re just tuning in now, is that this is completely unnecessary, as Apple has disabled the service that allowed this bug to work.

How did the bug work?

The bug relied entirely on a feature of iOS 12.1 and macOS 10.14.1 called Group FaceTime. If you are using an older version of iOS or macOS, you have nothing to fear.

The bug involved doing something a bit unusual with Group FaceTime. First, you would have to place a FaceTime call to your intended victim. Next, while the call is still ringing, you would need to bring up the Add Person screen and add yourself to the call. Doing this would invoke Group FaceTime, and the microphone of the intended target would be activated, even if they didn’t answer.

Capturing video from the target phone’s camera required one of two known techniques. One would be to hope that the recipient pressed the power button on the phone to “decline” the call, in which case the camera would turn on as well. (Of course, if they pressed it twice, as some have become accustomed to doing on iPhones in these days of scam calls, that would cut the video off again. But you’d still see a flash of video.)

Alternately, you could apparently join the call from another device, which would also turn on the recipient’s camera. (Although I was able to test and verify everything else, I didn’t know about this trick until after Apple disabled Group FaceTime, so I can’t verify this one from personal experience.)

What were the dangers?

To make this work, you would need to rely on the target not answering, which could potentially be orchestrated if the target’s activities were known and it was likely that he or she would both be disinclined to answer at the time of the call, and be doing or saying something of interest. (I think we can all think of at least one such activity!)

Fortunately, this did pretty much rule out generalized surveillance, though nonetheless, there were some valiant efforts (most likely pranks) in the brief time the bug was known.

This also didn’t open up an open-ended wiretap. FaceTime rings for a while, but not forever. At most, you might get about a minute or so of spying. It’s also not the stealthiest of attacks, since you’d literally be announcing yourself in the process.

All this means that the risks were fairly low for anything beyond a prank. I personally did not feel it necessary to turn off FaceTime on my devices. Once I was aware, I could have simply covered the camera and ended the call—or had a little fun with the caller by playing Rick Astley into the phone’s mic!

How was this resolved?

Apple temporarily solved the problem by disabling Group FaceTime on their servers. This means that you can no longer add people to a FaceTime call, so the bug currently cannot be triggered. Apple will undoubtedly release iOS and macOS updates with a fix for this bug.

It’s unknown how soon Apple will re-enable Group FaceTime after that update is released, so if you’re on iOS 12.1 or macOS 10.14.1, it will be of great importance to install the next update in a timely fashion! You don’t want to be caught with your pants down (possibly literally) on a vulnerable system after the Group FaceTime switch is turned back on.

How did this happen?

Apple has had an unusually large number of high-profile and embarrassing bugs of late, which has led many people to ask what has happened to Apple’s quality assurance process. This bug is no exception.

Worse, it appears that at least one person knew about the bug almost two weeks before the news broke, and had been trying to alert Apple.

It’s unknown at this point exactly which points of contact for Apple this person was using, so it’s entirely possible that the right people at Apple didn’t learn about it until they saw it on the news. Since Apple didn’t disable Group FaceTime until after the news broke, I would hope that this is the case. It would be far more concerning if the right people at Apple knew about the bug, but didn’t make the call to disable Group FaceTime.

What’s the takeaway?

Bottom line, at this point, there’s absolutely no reason to panic or to turn off FaceTime. If you turned off FaceTime, and you want to turn it back on, it’s safe to do so, as long as you don’t delay installing the next update. There’s no indication that FaceTime can be abused without having Group FaceTime available.

There will be some who cite this as a reason to delay installing system updates. They will say that you should wait and let others work out the bugs. However, this is questionable advice. If you stay on an old version of iOS or macOS, you are using a system that has known security issues. That’s a far riskier proposition than updating to a newer version of the system where there aren’t (yet) any known security issues. From a security perspective, you should always install updates in a timely fashion.

The post Apple’s FaceTime privacy bug allowed possible spying appeared first on Malwarebytes Labs.

High Risk, High Yield

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets After Donald Trump became President he told investors it was he who made the stock market rise. When the market went down, however, most blamed Trump again. In 2018, the indices reached their highs and started correcting, which meant the ascending trend faded out and the market needed […]

The post High Risk, High Yield appeared first on Hacked: Hacking Finance.

FaceTime bug exposes live audio & video before recipient picks call

By Waqas

FaceTime bug is exposing calls and videos – Here’s how to disable FaceTime until this issue is fixed. According to reports, there is a major bug in iPhone FaceTime’s video calling function that lets users hear audio from the call even before the recipient has accepted the video call. Moreover, the flaw also lets people see […]

This is a post from HackRead.com Read the original post: FaceTime bug exposes live audio & video before recipient picks call

Major Apple Security Bug Lets You Spy on Your Buddies

Earlier today Apple users from all over the world, including US citizens and permanent residents, realized that they could spy on each other by taking advantage of a FaceTime exploit that allows eavesdropping. First reported by 9to5Mac, the bug in Apple’s videotelephony app allowed users without any technical skills to eavesdrop on virtually anyone in the world who uses FaceTime. By simply making a FaceTime video call, users were able to listen through the callee’s device, even if the call recipient was not picking up. All users had to do was to create a “group call” by adding themselves to a standard two-way video call. The self-addition tricked the system into thinking that all participants had picked up the phone. This ended up resulting in eavesdropping on the callee’s device. Here’s a video that shows the exploit in action:

What made the bug even worse was the fact that the caller was able to see a video stream directly from the recipient’s device should the recipient hit the power button to “reject” the video call. In response to the major privacy breach, Apple decided to turn off the group FaceTime feature, until they figure out how to get it fixed.

The FaceTime bug is currently one of the trending stories on all social media platforms. Dozens of users have already uploaded videos replicating the exploit. Some users even reported that they have managed to reproduce the FaceTime bug with an iPhone calling a Mac.

After the bug was discovered Apple issued a statement acknowledging it and stated that they plan to issue a fix later this week. New York City governor Andrew Cuomo called the FaceTime bug an “egregious breach of privacy that puts New Yorkers at risk.” Governor Cuomo added that he is “deeply concerned by this irresponsible bug that can be exploited for unscrupulous purposes.” It is currently unknown how long the exploit has been active.

The bug comes only weeks after Apple started using the slogan “What happens on your iPhone, stays on your iPhone.”, a play on the famous Las Vegas slogan “What happens in Vegas, stays in Vegas.” Coincidentally, the bug was also discovered on the national Data Privacy Day. Unaware of the exploit, and hours after the bug was discovered, Apple’s CEO Tim Cook tweeted that people “must keep fighting for the kind of world we want to live in. On this #DataPrivacyDay let us all insist on action and reform for vital privacy protections. The dangers are real, and the consequences are too important.”

What has Apple done to stop the bug?

Apple managed to anger the crowds by stating that they will patch the bug “later this week” but failed to take any immediate action to prevent people from spying on each other. However, hours after they realized the seriousness of the issue, they completely turned off the group FaceTime feature on all Apple devices and issued an update to patch the exploit. The group FaceTime feature is still temporarily unavailable.

What should you do?

First and foremost, you can delete the FaceTime app from your iPhone or Mac and reinstall it after Apple confirms that the issue has been officially fixed. If you do not wish to remove the app, you can disable the app through the settings of your iPhone or Mac.

This is yet another great example of why keeping your OS fully up-to-date is vital. Apple just issued a patch that fixes the exploit so if you are an Apple user, now is a good time to go and update your OS if you haven’t done so already.

Last but not least, install antivirus software on all your connected devices. Having another layer of protection on all your Apple products will prevent hackers from obtaining any missing pieces they may need from you to commit cybercrimes.

The post Major Apple Security Bug Lets You Spy on Your Buddies appeared first on Panda Security Mediacenter.

Critical FaceTime bug turns iPhones, Macs into eavesdropping tools

A shocking and easily exploitable FaceTime bug allows people to listen in on other users of Apple devices by simply calling them through the service. The bug apparently affects Group FaceTime and Apple has reacted by making the service unavailable until they can push out a fix. Exploitation of the FaceTime bug The bug was first reported by 9to5Mac and then replicated and confirmed by others. The gist of it is this: it allows the … More

The post Critical FaceTime bug turns iPhones, Macs into eavesdropping tools appeared first on Help Net Security.

Disable FaceTime, a bug lets you hear a person’s audio before he answers

A major vulnerability in Apple FaceTime lets you hear the audio of the person you are calling … before they pick up the call.

iPhone, iPad, or Mac users might disable FaceTime to avoid being spied on through their devices.

Experts warn that it is possible to call someone via FaceTime and listen via the microphone of their devices before they accept or reject the call.

“There’s a major bug in FaceTime right now that lets you connect to someone and hear their audio without the person even accepting the call.” reads a thread published on MacRumors.  

“This bug is making the rounds on social media, and as 9to5Mac points out, there are major privacy concerns involved. You can force a FaceTime call with someone and hear what they’re saying, perhaps even without their knowledge. 

We tested the bug at MacRumors and were able to initiate a FaceTime call with each other where we could hear the person on the other end without ever having pressed the button to accept the call.”

The flaw affected iOS 12.1 and 12.2 versions, and macOS Mojave.

The procedure to exploit this vulnerability is: 

  • Initiate a FaceTime call with someone. 
  • While the call is ringing, swipe up from the bottom of the display. 
  • Tap on the “Add Person” button. 
  • Add your own phone number when it asks for the number of the person to add. 

When a connection is started, the screen of the caller appears like a standard Group FaceTime call sans video, while on the other person’s screen, it still looks like the call hasn’t been accepted.

The experts pointed out that if the callee presses the power button, the front-facing camera feed is also secretly shown to the caller.

Below is a video showing the issue:

“The damage potential here is real. You can listen in to soundbites of any iPhone user’s ongoing conversation without them ever knowing that you could hear them. Until Apple fixes the bug, it’s not clear how to defend yourself against this attack either aside from disabling FaceTime altogether.” reported 9to5mac.com.

“As it stands, if your phone is ringing with an incoming FaceTime request, the person on the other end could be listening in.”

Apple will release a security patch to address the vulnerability later this week.

If you want to disable FaceTime, follow these instructions.

“Apple says the issue will be addressed in a software update “later this week”. (Update: Apple has taken Group FaceTime offline in an attempt to address the issue in the interim).” continues 9to5mac.com.

Pierluigi Paganini

(SecurityAffairs – FaceTime, hacking)

The post Disable FaceTime, a bug lets you hear a person’s audio before he answers appeared first on Security Affairs.


Apple Might Soon Add “Poisonous Gas Sensor” On iPhone And Apple Watch

Apple produces some of the best health-related technology that helps users in one or the other way. Products like (PRODUCT)RED and Apple Watch have helped millions of users across the globe to stay healthy and fight deadly diseases.

A recent patent suggests that Apple may add miniature gas sensors in the future iPhone and Apple Watch models. So here’s everything you need to know about the “Poisonous Gas Sensor.”

Poisonous Gas Sensor On iPhone And Apple Watch

Recently Apple has been granted a patent for small-sized sensors that could detect the presence of harmful gases like carbon monoxide. These sensors could be installed on future Apple products like iPhone, iPad, and Apple Watch.

This small-sized sensor can detect major harmful gases like Carbon Monoxide (CO), Ozone (O3), Nitrogen Dioxide (NO2), Nitrogen Monoxide (NO), Sulphur Dioxide (SO2), Methane (CH4) and volatile organic compounds (VOCs).

According to some reliable sources, these poisonous gas sensors will also be deployed in smart home and Internet of Things devices.

Poisonous Gas Sensor: The Benefits

According to a recent report from Centers For Diseases, Carbon Monoxide poisoning results in the death of around 400 Americans every year and around 20,000 injuries. It is worth noting that Carbon Monoxide is an odourless and colourless gas. Consequently, it becomes fairly difficult to identify the gas.

The Poisonous Gas Sensor on Apple devices is a life-saving technology that will help prevent deaths from poisonous gases like Carbon Monoxide. With features like ECG on Apple Watch Series 4, it’s clear that Apple is working hard to protect the lives of people with innovation in day to day technology.

Do share your thoughts and opinions on the addition of Poisonous Gas Sensor on iPhone and Apple Watch in the comments section below.

The post Apple Might Soon Add “Poisonous Gas Sensor” On iPhone And Apple Watch appeared first on TechWorm.

Attackers successfully hide Mac malware in ad images

By Waqas

Malware campaigns have become quite regular on Apple devices, and according to a new report from Confiant, a cyber-security firm, there’s a new group on the block that is specifically targeting Apple users through malvertising. The group, called VeryMal, has employed a steganography technique this time to prevent detection and hide the malicious code in […]

This is a post from HackRead.com Read the original post: Attackers successfully hide Mac malware in ad images

Apple releases the first update of the year for iOS and macOS. Update now!

Apple has released the January updates, which fix most of the CVEs affecting iOS and macOS, along with a few affecting Safari, watchOS, tvOS and iCloud for Windows. iOS v12.1.3 This latest version fixes a list of CVEs for the iPhone 5 and later, iPad and iPod Touch 6th Generation. Almost […]

Hacker demonstrates how to remotely Jailbreak iPhone X

By Waqas

A China-based security researcher associated with the Qihoo 360 Vulcan Team has published a proof-of-concept exploit for a kernel vulnerability, which he claims is the second stage of an exploit chain with which he was able to successfully jailbreak iPhone X remotely. The researcher Qixun Zhao posted the PoC on Twitter from his Twitter handle […]

This is a post from HackRead.com Read the original post: Hacker demonstrates how to remotely Jailbreak iPhone X

Apple Has Dismissed More Than 200 Employees From Project Titan, its Autonomous Vehicle Group

Apple has dismissed just over 200 employees this week from Project Titan, its stealthy autonomous vehicle group, CNBC reports. From the report: An Apple spokesperson acknowledged the layoffs and said the company still sees opportunity in the space: "We have an incredibly talented team working on autonomous systems and associated technologies at Apple. As the team focuses their work on several key areas for 2019, some groups are being moved to projects in other parts of the company, where they will support machine learning and other initiatives, across all of Apple," the spokesperson said. "We continue to believe there is a huge opportunity with autonomous systems, that Apple has unique capabilities to contribute, and that this is the most ambitious machine learning project ever."

Read more of this story at Slashdot.

Apple delivers security patches, plugs an RCE achievable via FaceTime

Apple has released a new set of updates for its various products, plugging a wide variety of vulnerabilities.

WatchOS, tvOS, Safari and iCloud

Let’s start with the “lightest” security updates: iCloud for Windows 7.10 brings fixes for memory corruption, logic and type confusion issues in the WebKit browser engine, all of which can be triggered via maliciously crafted web content and most of which may lead to arbitrary code execution. The update also carries patches for … More

The post Apple delivers security patches, plugs an RCE achievable via FaceTime appeared first on Help Net Security.

Apple Sending Out Promotional iPhone XR Emails To Older iPhone Owners

Apple asking owners of older iPhones to upgrade to iPhone XR

Apple has chosen a unique way to market its new iPhone XR smartphones. Apparently, the tech giant is targeting owners of older iPhones with customized emails urging them to upgrade to an iPhone XR.

The emails, which are specifically targeted at owners of particular iPhone models in the United States, explain the advantages of upgrading to the iPhone XR. Apparently, Apple has been sending out these emails to owners of older iPhones since late last year.

According to a report from Reddit (via MacRumors), one iPhone 6 Plus owner mentioned how the email directly compared his device to the iPhone XR. The promotional email also pointed out the iPhone XR’s larger display, more durable glass, longer battery life, up to 3 times faster performance, and water resistance. It also says the iPhone XR has more storage for photos and apps, can take studio-quality photos and 4K video, and has a secure Face ID. It also included a $200 limited-time trade-in offer.

The iPhone 6 Plus owner said that he has not upgraded his iPhone model since he bought it. He did, however, mention that he had opted for last year’s special $29 battery replacement offer ending December 31, which is why he could have received the email.

Apple had launched its 2018 line of iPhones – the iPhone XS, iPhone XS Max, and iPhone XR for $999, $1,099 and $750 respectively. However, the steep prices, particularly those of the iPhone XS and XS Max, have resulted in weak sales of these smartphones. Also, the cheap battery replacement program running last year saw many customers opt for the offer, which also could have dampened the sales of the newer iPhones.

Now, with the battery replacement program ending on December 31, 2018, Apple is hoping to make some revenue from the sale of its iPhone XR units through the trade-in offer and recover from the setback caused by poor sales of the iPhone XS and XS Max.

The post Apple Sending Out Promotional iPhone XR Emails To Older iPhone Owners appeared first on TechWorm.

Chinese man who sold kidney to buy iPhone now bedridden for life

Chinese man suffers organ failure after selling his kidney to buy an iPhone

We have heard crazy stories about Chinese people going to the extent of selling everything from their sperm to kidneys to newborn children to own Apple’s latest gadgets. Well, this obsession to own an iPad and iPhone has now rendered this Chinese man bedridden for life!

Wang Shangkun, now 25, had sold his right kidney as a teenager (17 years) in 2011 to the black-market organ harvesters to buy Apple’s latest devices, as his family was too poor to afford it. Back then, he received 22,000 yuan for his kidney, which he used to purchase an iPhone 4 and iPad 2, reports News.com.au.

“Why do I need a second kidney? One is enough,” he had asked at the time.

According to CNTV, Wang, who dreamt of owning Apple’s iPad 2, was approached online by human organ harvesters, who offered him hard cash for his kidney.

“At the time, I wanted to buy an iPad2, but I didn’t have any money. When I was on the internet, I had a kidney agent send a message, saying that selling a kidney can give me 20,000,” he explained.

Without informing his family, Wang secretly traveled from his home in the eastern Anhui Province to the southern Hunan Province. After the operation was carried out, Wang was sent back home.

Wang’s health started deteriorating immediately after the operation. Unsanitary conditions at the time of surgery and lack of postoperative care are believed to be the reasons behind the development of infection that eventually led to renal failure in his second kidney. Wang’s health condition also forced him to give up on his studies.

According to local China media reports, Wang now spends his days in bed and depends on the dialysis machine to clear his blood of toxins to survive his kidney failure. He is now dependent on social benefits.

In 2012, nine individuals were arrested in connection with the sale, including five surgeons, and were jailed for their involvement. Wang’s family reportedly received $225,000 in compensation the same year.

The post Chinese man who sold kidney to buy iPhone now bedridden for life appeared first on TechWorm.

Vulnerability Spotlight: Multiple Apple IntelHD5000 privilege escalation vulnerabilities


Tyler Bohan of Cisco Talos discovered this vulnerability.

Executive Summary

A memory corruption vulnerability exists in the IntelHD5000 kernel extension when dealing with graphics resources inside of Apple OSX 10.13.4. A library inserted into the VLC media application can cause an out-of-bounds access inside of the KEXT leading to a use after free and invalid memory access in the context of the kernel. This can be used for privilege escalation.

Vulnerability Details

IntelHD5000 use-after-free vulnerability (TALOS-2018-0614/CVE-2018-XXXX)

Apple supports multiple different GPU versions inside of OSX. With this functionality comes multiple different kernel extensions assigned to deal with the details of the interaction between user space and the kernel to get the graphics buffers drawn effectively. The provided GPU on the retina MacBook Pro is the Apple Intel HD 5000 processor. Therefore, this kernel extension is used in graphics rendering and processing throughout and is subject to a use-after-free privilege escalation vulnerability. The vulnerability is also reachable from inside the Safari sandbox creating a larger potential attack surface.

A brief look at Apple kernel extensions shows that it uses a restricted subset language and a unique way of communication between userspace and the kernel known as IOKit. Essentially, an IOKit extension inherits from a UserClient class and registers its own methods to handle user interaction. There are also various types that can be passed in to connect to different UserClients stored under the same umbrella name. Upon connection, a port is returned and this port is forwarded through in all further communications. In the proof of concept included, VLC is used to handle this basic connection and port setup.

For additional information, please see the advisory here.

IntelHD5000 use-after-free vulnerability (TALOS-2018-0615/CVE-2018-XXXX)

Apple supports multiple different GPU versions inside of OSX. With this functionality comes multiple different kernel extensions assigned to deal with the details of the interaction between userspace and the kernel to get the graphics buffers drawn effectively. The provided GPU on the retina MacBook Pro is the Apple Intel HD 5000 processor. This kernel extension is used in graphics rendering and processing throughout and is subject to a use-after-free privilege escalation vulnerability. The vulnerability is also reachable from inside the Safari sandbox, creating a larger potential attack surface.

A brief look at Apple kernel extensions shows that it uses a restricted subset language and a unique way of communication between userspace and the kernel known as IOKit. Essentially, an IOKit extension inherits from a UserClient class and registers its own methods to handle user interaction. There are also various types that can be passed in to connect to different UserClients stored under the same umbrella name. Upon connection, a port is returned and this port is forwarded through in all further communications. In the proof of concept included, VLC is used to handle this basic connection and port setup.

For additional information, please see the advisory here.

Versions Tested

OS X 10.13.4 - MacBookPro11.4

Conclusion

As this vulnerability can be triggered potentially via the Safari web browser, it’s always important for users to understand that impacted software, drivers and libraries are widely used throughout an operating system’s own ecosystem. Privilege escalations can allow an attacker to move from an untrusted user account to a trusted system account within the operating system, which can allow for administrative access and therefore allows adversaries to carry out malicious actions.


Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 46858 - 46859

More Questions as Expert Recreates Chinese Super Micro Hardware Hack

Though the companies named in a blockbuster Bloomberg story have denied that China hacked into Supermicro hardware that shipped to Amazon, Apple and nearly 30 other firms, a recent demonstration at a hacking conference in Germany proves the plausibility of the alleged hack.

The post More Questions as Expert Recreates Chinese Super Micro Hardware...

A week in security (December 31, 2018 – January 6, 2019)

Last week on Labs, we looked back at 2018 as the year of data breaches, homed in on pre-installed malware on mobile devices, and profiled a malicious duo, Vidar and GandCrab.

Other cybersecurity news

  • 2019’s first data breach: It took less than 24 hours. An unauthorized third-party downloaded 30,000 details of Australian public servants in Victoria. It was believed that a government employee was phished prior to the breach. (Source: CBR Online)
  • Dark Overlord hackers release alleged 9/11 lawsuit documents. The hacker group known as The Dark Overlord (TDO) targeted law firms and banks related to the 9/11 attack. TDO has a history of releasing stolen information after receiving payment for its extortions. (Source: Sophos’ Naked Security Blog)
  • Data of 2.4 million Blur password manager users left exposed online. 2.4 million users of the password manager, Blur, were affected by a data breach that happened in mid-December of last year and was publicly revealed on New Year’s Eve. No passwords stored in the managers were exposed. (Source: ZDNet)
  • Hacker leaked data on Angela Merkel and hundreds of German lawmakers. A hacker leaked sensitive information, which includes email addresses and phone numbers, of Angela Merkel, senior German lawmakers, and other political figures on Twitter. The account was suspended following this incident. (Source: TechCrunch)
  • Hackers seize dormant Twitter accounts to push terrorist propaganda. Dormant Twitter accounts are being hacked and used to further push terrorist propaganda via the platform. It’s easy for these hackers to guess the email addresses of these accounts since Twitter, by default, reveals partly-concealed addresses which clue them in. (Source: Engadget)
  • MobSTSPY spyware weaseled its way into Google Play. Another spyware app made its way into Google Play and onto the mobile devices of thousands of users. The malware steals SMS messages, call logs, contact lists, and other files. (Source: SC Magazine UK)
  • Apple phone phishing scams getting better. A new phone-based scam targeting iPhone users was perceived to likely fool many because the scammer’s fake call is lumped together with a record of legitimate calls from Apple Support. (Source: KrebsOnSecurity)
  • Staying relevant in an increasingly cyber world. Small- to medium-sized businesses may not have the upper hand when it comes to hiring people with talent in cybersecurity, but this shouldn’t be an organization’s main focus. Dr. Kevin Harris, program director of cybersecurity for the American Military University, advised that employers must focus on giving all their employees “cyber skills.” (Source: Federal News Network)
  • Adobe issues emergency patch following December miss. Adobe released an out-of-band patch to address critical vulnerabilities in Acrobat and Reader. (Source: Dark Reading)

Stay safe, everyone!

The post A week in security (December 31, 2018 – January 6, 2019) appeared first on Malwarebytes Labs.

Phone-Based Phishing Scam Reveals the Growing Sophistication of Attacks Against Apple Users

A new phone-based phishing scam reveals how fraudsters are devising more sophisticated schemes to prey on Apple device users.

According to KrebsOnSecurity, the phishing scam began for Global Cyber Risk LLC CEO Jody Westby when she received an automated call that displayed Apple’s logo, physical address, company domain and customer support phone number. The call warned Westby that unknown attackers had compromised multiple servers containing users’ Apple IDs. It then urged her to ring a 1-866 number immediately.

Suspicious of the call, Westby contacted Apple’s support number directly and requested a callback from a support representative. The agent who called back reassured Westby that Apple had not placed the original call. But when she looked at her phone, Westby observed that her iPhone had lumped together both the scam call and the official callback under Apple’s contact profile on her device. Not surprisingly, this failure of Apple’s own devices to spot a spoof call could potentially fool many users.

The Prevalence of Phishing Attacks Targeting Apple Users

This phony call scam stands out for its extensive use of Apple branding. But by no means is it the only phone-related phishing scam targeting Apple users in recent history. For example, in July 2018, Ars Technica identified an India-based tech support scam using a fake Apple website that popped up a system dialog box with a prompt to call the fraudsters.

These phishing instances come after enterprise mobile security and data management provider Wandera found in 2017 that nearly two-thirds of mobile phishing attacks occur on iOS devices. This rate means that Apple users are twice as likely to experience phishing on their devices as Android users.

Help Your Employees Defend Against Phishing Scams

Security professionals can help employees defend against phishing scams by creating a security awareness training program that uses clear, concise policies based around business requirements. Organizations should also take a layered approach to email security — requiring a mix of both technology and education — to better defend against email-borne phishing campaigns.

The post Phone-Based Phishing Scam Reveals the Growing Sophistication of Attacks Against Apple Users appeared first on Security Intelligence.

Cyber Security Roundup for December 2018

The final Cyber Security Roundup of 2018 concludes reports of major data breaches, serious software vulnerabilities and evolving cyber threats, so pretty much like the previous 11 months of the year.

5.3 million users of the "make your own avatar" app Boomoji had their accounts compromised after the company reportedly didn't secure its internet-connected databases properly. "Question and Answer" website Quora also announced the compromise of 100 million of its user accounts following a hack.


A large data breach reported in Brazil is of interest: the personal records of a massive 120 million Brazilian citizens were compromised due to a poorly secured Amazon S3 bucket. This is not the first mass data breach caused by an insecure S3 bucket we've seen in 2018. The lesson to be learnt in the UK is to never assume or take cloud security for granted; it's essential practice to test and audit cloud services regularly.

Amongst the amazing and intriguing space exploration successes reported by NASA in December, the space agency announced its employees' personal data may have been compromised. Let's hope poor security doesn't jeopardise the great and highly expensive work NASA is undertaking.

It wouldn't be normal for Facebook not to be in the headlines for poor privacy; this time Facebook announced a Photo API bug which exposed 6.8 million user images.

Away from the political circus that is Brexit, the European Parliament put into law a new Cybersecurity Act. Because Brexit was making all the headlines, this new law may have gone under the radar, but it is certainly worth keeping an eye on, even after the UK leaves the EU. The EU Parliament has agreed to increase the budget for the ENISA (Network & InfoSec) agency, which will be rebranded as the "EU Agency for Cybersecurity". The Cybersecurity Act will establish an EU-wide framework for cyber-security certifications for online services and customer devices to be used within the European Economic Area, and will include IoT devices and critical infrastructure technology. Knowing the EU's love of regulations, I suspect this new best-practice framework and its associated accreditations will be turned into regulations further down the line, which would impact any tech business operating in the European Union.

The UK Parliament enacted the "Health and Social Care (National Data Guardian) Act", which also went under the radar due to all the Brexit political noise. The act requires the appointment of a data guardian within England and Wales. The data guardian will publish guidance on the processing of health and adult social care data for use by public bodies providing health or social care services, and produce an annual report.

Chinese telecoms giant Huawei had plenty of negative media coverage throughout December, with the UK government pressuring BT into not using Huawei kit within BT's new 5G network, due to a perceived threat to the UK's future critical national infrastructure posed by the Chinese state-backed tech giant. The UK Defence Secretary Gavin Williamson said he had "very deep concerns" about Huawei being involved in the new UK mobile network.

Security company Insinia caused controversy after it took over the Twitter accounts of Eamonn Holmes, Louis Theroux and several other celebs. Insinia said it had managed the account takeover by analysing the way Twitter handles messages posted by phone, which allowed it to inject messages onto the targeted accounts. However, Insinia was accused in some quarters of being unethical and breaking the UK Computer Misuse Act.

Unsecured internet-connected printers are being hacked again; this time they were used to print out messages of support for Swedish YouTube star PewDiePie. A hacker named TheHackerGiraffe was said to have targeted up to 50,000 printers after using Shodan to search for open printer ports online. The scan was said to have found 800,000 vulnerable printers.

A Financial Conduct Authority (FCA) report warned UK banks about their over-reliance on third-party security providers. The FCA said companies "generally lacked board members with strong familiarity or specific technical cyber-expertise. External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘three lines of defence’ model in identifying and managing cyber-risks in a timely way." The report also warned about supply-chain security, especially the role that firms play in other organisations’ supply chains.

Cybercriminals Disguised as Apple Are After Users’ Personal Data: Insights on This Threat

With the holidays rapidly approaching, many consumers are receiving order confirmation emails updating them on their online purchases for friends and family. What they don’t expect to see is an email that appears to be a purchase confirmation from the Apple App Store containing a PDF attachment of a receipt for a $30 app. This is actually a stealthy phishing email, which has been circulating the internet, prompting users to click on a link if the transaction was unauthorized.

So how exactly does this phishing campaign work? In this case, the cybercriminals rely on the victim to be thrown off by the email stating that they purchased an app when they know that they didn’t. When the user clicks on the link in the receipt stating that the transaction was unauthorized, they are redirected to a page that looks almost identical to Apple’s legitimate Apple Account management portal. The user is prompted to enter their login credentials, only to receive a message claiming that their account has been locked for security reasons. If the user attempts to unlock their account, they are directed to a page prompting them to fill out personal details including their name, date of birth, and social security number for “account verification.”

Once the victim enters their personal and financial information, they are directed to a temporary page stating that they have been logged out to restore access to their account. The user is then directed to the legitimate Apple ID account management site, stating “this session was timed out for your security,” which only helps this attack seem extra convincing. The victim is led to believe that this process was completely normal, while the cybercriminals now have enough information to perform complete identity theft.

Although this attack does have some sneaky behaviors, there are a number of steps users can take to protect themselves from phishing scams like this one:

  • Be wary of suspicious emails. If you receive an email from an unknown source or notice that the “from” address itself seems peculiar, avoid interacting with the message altogether.
  • Go directly to the source. Be skeptical of emails claiming to be from companies asking to confirm a purchase that you don’t recognize. Instead of clicking on a link within the email, it’s best to go straight to the company’s website to check the status of your account or contact customer service.
  • Use a comprehensive security solution. It can be difficult to determine if a website, link, or file is risky or contains malicious content. Add an extra layer of security with a product like McAfee Total Protection.

The post Cybercriminals Disguised as Apple Are After Users’ Personal Data: Insights on This Threat appeared first on McAfee Blogs.

How Safe and Secure are Wearables?

The ‘wearable technology’ market has been growing exponentially in recent years and is expected to exceed 830 million devices by 2020. One of the key drivers pushing this rapid expansion is fitness trackers, namely wristband tech and smartwatch apps which monitor our daily activity and health. But as we integrate wearable devices seamlessly into our everyday lives, what are the privacy and security risks they pose? How should wearable manufacturers and app developers be protecting consumers?

245 million wearables will be sold in 2019

Insurance company Vitality offers customers a heavily discounted Apple Watch in return for their fitness routines and health data: the more activity you do each month, the greater your reward through a monthly discount. While this exchange of information for rewards provides a great incentive for consumers to improve their health, the personal data consumers are sharing in return has a tangible value for the insurance company. However, providing an insurance company with a daily data breakdown of one's health is an unacceptable tradeoff for some, who regard such a practice as an invasion of their privacy.

As of May 2018, all EU citizens' privacy rights are legally protected by the General Data Protection Regulation (GDPR). GDPR compliance is required of all companies which process EU citizen data, including those based outside of the European Union. The privacy regulation requires wearable device and app providers to obtain each EU citizen's explicit consent before collecting their personal information. They must also clearly explain what types of personal information they intend to collect and how they intend to use the data, and inform consumers about any other organisation they intend to share their data with. If they don’t, wearable tech firms and app providers should brace themselves for heavy fines by European Information Commissioners.

For further details about the GDPR requirements and for Wearables Software Development Security Advice, read my IBM developerWorks 3 part guidance "A developer's guide to the GDPR" and my Combating IoT Cyber Threats.

Wearable personal data is also of value to hackers and criminals; for instance, your fitness routine provides a clear picture of the best times to burglarise your home. With personal consumer data potentially at stake, fitness wearable manufacturers should incorporate both default privacy and security standards into the infrastructure of the device, to help ensure personal information remains safeguarded from known and future cyber threats. UL, a global safety science company, has developed testing for cybersecurity threats and offers security verification processes to assist manufacturers in assessing security risks and helping mitigate them before the product even goes to market. If the industry takes these steps, wearable consumers will feel safe and secure as they reap the intended benefits of this new innovation, while the wearables industry will be well positioned to meet the promise of its growth projections.

US intelligence chief says ‘no evidence’ of Chinese spy chips

Dan Coats, the US director of national intelligence, said there's "no evidence" that Chinese spies tampered with servers bought by up to 30 companies, including the likes of Apple and a telecom provider, as Bloomberg reported earlier this month. However, he told Cyberscoop that "we're not taking anything for granted. We haven't seen anything, but we're always watching."

Via: The Verge

Source: Cyberscoop

Apple CEO calls on Bloomberg to retract China surveillance report

Earlier this month, Bloomberg reported that San Jose-based server company Super Micro installed surveillance micro-chips in the Chinese data center hardware of up to 30 companies, including Amazon and Apple. These chips were supposedly used to steal intellectual property. However, all companies that were named in the initial report have denied Bloomberg's claims. Now, Apple CEO Tim Cook is calling on the well-reputed publication to retract its story altogether, according to BuzzFeed News.

Source: BuzzFeed News

The Dangers of Linking Your Apple ID to Financial Accounts

The digital wallets of Chinese citizens are under attack thanks to a few bad apples. A recent string of cyberattacks in China utilized stolen Apple IDs to break into customers’ accounts and steal an undisclosed amount of money, according to a Bloomberg report. Almost immediately, Chinese e-transaction giants Tencent Holdings and Alipay warned their customers to monitor their accounts carefully, especially those who have linked their Apple IDs to Alipay accounts, WeChat Pay or their digital wallets and credit cards.

While Alipay works with Apple to figure out how this rare security breach happened and how hackers were able to hijack Apple IDs, they’re urging customers to lower their transaction limits to prevent any further losses while this investigation remains ongoing. Because Apple has yet to resolve this issue, any users who have linked their Apple IDs to payment methods including WeChat Pay — the popular digital wallet of WeChat which boasts over a billion users worldwide and can be used to pay for almost anything in China — remain vulnerable to theft. Apple also advises users to change their passwords immediately.

This security breach represents a large-scale example of a trend that continues to rise: the targeting of digital payment services by cybercriminals, who are capitalizing on the growing popularity of these services. Apple IDs represent an easy entry point of attack considering they connect Apple users to all the information, devices and products they care about. That interconnectivity of personal data is a veritable goldmine for cybercriminals if they get their hands on something like an Apple ID. With so much at stake for something as seemingly small as an Apple ID, it’s important for consumers to know how to safeguard their digital identifiers against potential financial theft. Here are some ways they can go about doing so:

  • Make a strong password. Your password is your first line of defense against attack, so you should make it as hard as possible for any potential cybercriminals to penetrate it. Including a combination of uppercase and lowercase letters, numbers, and symbols will help you craft a stronger, more complex password that’s difficult for cybercriminals to crack. Avoid easy to guess passwords like “1234” or “password” at all costs.
  • Change login information for different accounts. An easy trap is using the same email and password across a wide variety of accounts, including Apple IDs. To better protect your Apple ID, especially if it’s linked to your financial accounts, it’s best to create a wholly original and complex password for it.
  • Enable two-factor authentication. While Apple works on identifying how these hackers hijacked Apple IDs, do yourself a favor and add an extra layer of security to your account by enabling two-factor authentication. By having to provide two or more pieces of information to verify your identity before you can log into your account, you place yourself in a better position to avoid attacks.
  • Monitor your financial accounts. When linking credentials like Apple IDs to your financial accounts, it’s important to regularly check your online bank statements and credit card accounts for any suspicious activity or transactions. Most banks and credit cards offer free credit monitoring as well. You could also invest in an identity protection service, which will reimburse you in the case of identity fraud or financial theft.

The post The Dangers of Linking Your Apple ID to Financial Accounts appeared first on McAfee Blogs.

Cyber Security Roundup for August 2018

The largest data breach disclosed this month was by T-Mobile; the telecoms giant said there had been "unauthorised access" to potentially 2 million of its 77 million customer accounts. According to the media, a hacker took advantage of a vulnerability in a T-Mobile API (application programming interface). A vulnerable API used by the Air Canada mobile app was also exploited, resulting in the compromise of 20,000 Air Canada customer accounts. Air Canada promptly forced a password change on all of its 77 million customer accounts as a result; however, the airline faced criticism from security experts for advising a weak password strength, namely a password length of 8, made up of just characters and digits. Both of these hacks underline the importance of regularly penetration testing apps and their supporting infrastructure, including their APIs.

Hackers stole up to 34,000 Butlin guest records, reportedly breaching the UK holiday camp firm through a phishing email. Dixons Carphone upped the estimated number of customer records breached in a hack last year from 1.2 million to 10 million, which includes 5.9 million payment cards. Dixons offered no explanation as to why it had taken so long to get a grip on the scale of the data breach, which was reported as occurring in July 2017.

Huawei continues to face scrutiny over the security of their products after the UK National Cyber Security Centre (NCSC) issued a warning about using the Chinese tech manufacturing giant's devices in a security report. Huawei recently took over from Apple as the world's second largest provider of smartphones. A 16 year old Australian 'Apple fanboy' found himself in court after hacking into Apple's network.

On the international scene, Microsoft announced it had thwarted Russian data-stealing attacks against US anti-Trump conservative groups by taking down six domains which hosted mimicked websites that were likely to be used in future phishing campaigns. The Bank of Spain's website was taken out by a DDoS attack, and a Chinese Hotel Group's 140Gb customer database was found for sale on the dark web. The PGA golf championship was hit by ransomware, and the FBI arrested three key members of the notorious FIN7 hacking group, which is said to be responsible for stealing millions of credit card and customer details from businesses across the world.

On the personal front, the EC-Council confirmed my Computer Hacking Forensic Investigation (CHFI) certification had been renewed until 2021. I dropped into B-Sides Manchester this month; the highlight was a demonstration of a vulnerability found by Secarma researchers, namely a PHP flaw which places CMS sites at risk of remote code execution.

There were plenty of critical security patches released by the usual suspects, such as Microsoft, Cisco, and Adobe; the latter firm released several out-of-band patches during August. A critical update was released for Apache Struts (popular web server), and there was a reminder that fax machines and all-in-one network devices could be used as a way into corporate networks by hackers.

Finally, there were a couple of interesting cybercrime articles posted on the BBC's news website this month: "Cyber-Attack! Would your firm handle it better than this?" and "Unpicking the Cyber-Crime Economy".

Airplay Annoyance

I’ve never used Apple Airplay before. I have an AppleTV that was free for paying for a 3 month subscription with DirecTV Now. But I hadn’t intentionally fired it up since cancelling that subscription.

This week I bought a new TV. While watching The Dark Knight on Netflix, suddenly the TV changes inputs to the AppleTV and Katherine’s iPad is requesting to perform remote control, and a PIN is displayed to be typed into the iPad.

Generally, I like to think I have a tight rein on my computer devices, but Apple has snuck this one up on me.

Apparently by default, via Bluetooth, my neighbors can connect to my AppleTV. I’m guessing that with my old TV this would occur, and I just wouldn’t notice the AppleTV turn on, but the new TV is smart enough to switch to the new input. So essentially Apple and Samsung have conspired to have my neighbor denial of service my movie watching.

First steps

  1. Make sure the AppleTV is on my wifi. Pretty sure the neighbor hasn’t guessed my 100+ character pre-shared key.
  2. Disable Bluetooth. Of course my generation of AppleTV can’t do that.
  3. Change the name of the AppleTV. If everyone in the neighborhood is named the default “AppleTV”, no wonder people are accidentally clicking on the wrong device. On my AppleTV, this was under Settings -> General -> About. On newer models it is found under Settings -> Airplay.
  4. Under Settings -> Airplay -> Airplay, set Allow Access to “Anyone on the same network”. The default is “everyone”. I guess “it just works” trumps security. Unfortunately I can’t find good documentation on whether Bluetooth users are considered on the same network.
  5. Set “Also Allow Nearby to Airplay” to off. Again, having trouble finding a description of this setting. But it seems safe.
  6. Enable requiring a password for Airplay.

I then turned off wifi on my phone, and verified that no Airplay devices were visible over Bluetooth.

And now that I’m looking further it seems my new Samsung is in perpetual discovery mode. So any rando nearby can request to pair, and on the TV, I’ll be prompted to allow, deny or close. Haven’t found a way to disable that yet. Lovely.

The post Airplay Annoyance appeared first on Roger's Information Security Blog.

Cyber Security Roundup for May 2018

I'm sure the release of the GDPR on 25th May hasn't escaped anyone's attention. After years of warnings about the EU parliament's intended tough stance on enforcing the human right to privacy in the digital realm, a real 'game changer' of a global privacy regulation has finally landed, which impacts any organisation which touches EU citizen personal data. 

The GDPR's potentially hefty financial penalties for breaching its requirements are firmly on the radar of directors at large enterprises and small businesses alike, hence the massive barrage of emails we have all received in recent weeks on changes to company privacy statements and requesting consent, many of which I noted as not being GDPR compliant in obtaining "explicit consent" from the data subject. So there is a long way to go for many organisations before they reach a truly GDPR compliant state, based on what I've seen so far in my mailbox.

Cybercriminals have been quick to take advantage of the GDPR privacy emails deluge, using the subject matter in their phishing attacks to cheat access to accounts and con victims.
On a positive GDPR note, also on 25th May, IBM developerWorks released a three-part guidance series written by myself, aimed at helping Application Developers to develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

Overshadowed by the GDPR coming into force was the release of the new NHS Data Security and Protection Toolkit, aimed at the NHS and their service providers. The European NIS Directive (for telecom providers) also went under the radar. Both are significant to those working in those industries.

Always make sure your broadband router/hub does not permit remote administrative access (over the internet) and is always kept up-to-date with the latest security patches; otherwise, it will be at serious risk of being hacked and remotely controlled by cyber-criminals. As evidenced this month, a DNS flaw in over 800,000 Draytek routers has allowed hackers to take them over, malware called VPNFilter has infected 500,000 routers, and serious vulnerabilities have been reported in TP-Link EAP controllers.

IBM made headlines after banning its workers from using USB sticks, which I think is a good and reasonable policy. Quite frankly, in any modern enterprise, whether large or small, with a decent IT infrastructure and cloud services, staff shouldn't need to use USB devices to move data either internally or externally with third parties, so I see this as a rather smart business and security move to ban all USB devices, as it forces staff to use the more secure and more efficient technology made available.

As my @securityexpert Twitter account crossed the 10,000 follower threshold, Twitter advised 300 million users to reset their passwords after an internal error. Apparently, the passwords for the Twitter accounts were accidentally stored in a database in their "plain text" value instead of using a hashed value for the password, as per best practice. I always strongly recommend Twitter users to take advantage of the multi-factor authentication system Twitter provides, which reduces the risk of account hacking.

Breaches of note in May included a T-Mobile website bug which exposed personal customer data, Coca-Cola said an insider breached 8,000 accounts, and BMW cars were found to have over a dozen security vulnerabilities.

As always, it was a busy month of new security patch releases, with Microsoft, Adobe, PHP, PGP, Google, Git, and Dell all releasing critical security updates to fix significant security flaws.

Analysis of DDoS attacks at Cloudflare has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks.

There were also some interesting articles about the Welsh Cyber Security Revolution and a review of the NHS a year on from the WannaCry outbreak.

Reports of interest this month include the Thales Data Threat Report, which found UK businesses to be the most breached in Europe. The LastPass Psychology of Passwords Report found 59% of people surveyed used the same passwords across multiple accounts, despite 91% of them knowing that using the same password for multiple accounts is a security risk. The 2017 Cylance Report stated the number of cyber-attacks on industries such as healthcare, manufacturing, professional services, and education rose by about 13.4% between 2016 and 2017.

Introducing Monitor.app for macOS

UPDATE 2 (Oct. 24, 2018): Monitor.app now supports macOS 10.14.

UPDATE (April 4, 2018): Monitor.app now supports macOS 10.13.

As a malware analyst or systems programmer, having a suite of solid dynamic analysis tools is vital to being quick and effective. These tools enable us to understand malware capabilities and undocumented components of the operating system. One obvious tool that comes to mind is Procmon from the legendary Sysinternals Suite from Microsoft. Those tools only work on Windows though and we love macOS.

macOS has some fantastic dynamic instrumentation software included with the operating system and Xcode. In the past, we have used dynamic instrumentation tools such as DTrace, a very powerful tracing subsystem built into the core of macOS. While it is very powerful and efficient, it commonly required us to write D scripts to get the interesting bits. We wanted something simpler.

Today, the Innovation and Custom Engineering (ICE) Applied Research team presents the public release of Monitor.app for macOS, a simple GUI application for monitoring common system events on a macOS host. Monitor.app captures the following event types:

  • Process execution with command line arguments
  • File creates (if data is written)
  • File renames
  • Network activity
  • DNS requests and replies
  • Dynamic library loads
  • TTY Events

Monitor.app identifies system activities using a kernel extension (kext). Its focus is on capturing data that matters, with context. These events are presented in the UI with a rich search capability allowing users to hunt through event data for areas of interest.

The goal of Monitor is simplicity. When launching Monitor, the user is prompted for root credentials to launch a process and load our kext (don’t worry, the main UI process doesn’t run as root). From there, the user can click on the start button and watch the events roll in!

The UI is sparse with a few key features. There is the start/stop button, filter buttons, and a search bar. The search bar allows us to set simple filters on types of data we may want to filter or search for over all events. The event table is a listing of all the events Monitor is capable of presenting to the user. The filter buttons allow the user to turn off some classes of events. For example, if a TimeMachine backup were to kick off when the user was trying to analyze a piece of malware, the user can click the file system filter button and the file write events won’t clutter the display.

As an example, perhaps we were interested in seeing any processes that communicated with xkcd.com. We can simply use an “Any” filter and enter xkcd into the search bar, as seen in Figure 1.

Figure 1: Monitor.app User Interface

We think you will be surprised how useful Monitor can be when trying to figure out how components of macOS or even malware work under the hood, all without firing up a debugger or D script.

Click here to download Monitor.app. Please send any feature requests/bugs to monitorapp-bugs@fireeye.com.

Apple, Mac and MacOS are registered trademarks or trademarks of Apple Inc.