A security researcher disclosed a passcode bypass just a week before Apple planned to release the new iOS 13 operating system, on September 19.
Apple users are thrilled for the release of the iOS 13 mobile operating system planned for September 19, but a security expert could mess up the party.
The security researcher Jose Rodriguez discovered a passcode bypass issue that could be exploited by attackers to gain access to iPhone contacts and other information even on locked devices.
Below is the step-by-step procedure to exploit the passcode bypass:
- Reply to an incoming call with a custom message.
- Enable the
- Disable the
- Add a new contact to the custom message
- Click on the contact’s image to open the options menu and select “Add to existing contact”.
- When the list of contacts appears, tap on the other contact to view its info.
Below is the video PoC published by Rodriguez that shows how to see a device’s contact information.
Rodriguez reported the flaw to Apple on July 17th, 2019, at the time the new
Experts hope that Apple will be able to fix the bug
Rodriguez has discovered many other passcode bypass issues in the past. In October 2018, a few hours after Apple released iOS 12.1, he found a new passcode bypass issue that could have been exploited to see all contacts’ private information on a locked iPhone.
A few weeks before, he discovered another passcode bypass vulnerability in Apple’s iOS version 12 that could have been exploited to access photos and contacts on a locked iPhone XS.
The researcher also disclosed a new passcode bypass flaw that could have been exploited to access photos and contacts on a locked iPhone XS.
The post Expert disclosed passcode bypass bug in iOS 13 a week before its release appeared first on Security Affairs.
Apple’s furious with Google over iPhone hacking attacks against Uyghur Muslims in China, DNS-over-HTTPS is good for privacy but makes ISPs angry, and concern over digital assistants listening to our private moments continues to rise.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by journalist John Leyden.
iPhone hacks have often been considered by some to be a rare occurrence. However, a group of Google researchers recently discovered that someone has been exploiting multiple iPhone vulnerabilities for the last two years. How? Simply by getting users to visit a website.
How exactly does this exploitation campaign work? According to WIRED, researchers revealed a handful of websites that had assembled five exploit chains. These exploit chains are tools that link security vulnerabilities together and allow a hacker to penetrate each layer of iOS digital protections. This campaign took advantage of 14 security flaws, resulting in the attacker gaining complete control over a user’s phone. Researchers state that these malicious sites were programmed to assess the Apple devices that loaded them and compromise the devices with powerful monitoring malware if possible. Once the malware was installed, it could monitor live location data, grab photos, contacts, passwords, or other sensitive information from the iOS Keychain.
So, what makes this attack unique? For starters, this exploitation campaign hides in plain sight, uploading information without any encryption. If a user monitored their network traffic, they would notice activity as their data was being uploaded to the hacker’s server. Additionally, a user would be able to see suspicious activity if they connected their device to their computer and reviewed console logs. Console logs show the codes for the programs being run on the device. However, since this method would require a user to take the extra step of plugging their iPhone into a computer, it’s highly unlikely that they would notice the suspicious activity.
Although iOS exploits usually require a variety of complexities to be successful, this exploitation campaign proves that iOS hacking is very much alive and kicking. So, what can Apple users do to help ward off these kinds of attacks? Here’s how you can help keep your device secure:
- Install automatic updates. In your device settings, choose to have automatic updates installed on your device. This will ensure that you have the latest security patches for vulnerabilities like the ones leveraged in these exploit chains as soon as they’re available.
The post iPhone Users: Here’s What You Need to Know About the Latest iOS Hacks appeared first on McAfee Blogs.
Android and Windows devices also targeted in campaign believed to be state-backed
Chinese Uighurs were the target of an iOS malware attack lasting more than two years that was revealed last week, according to multiple reports.
Android and Windows devices were also targeted in the campaign, which took the form of “watering hole attacks”: taking over commonly visited websites or redirecting their visitors to clones in order to indiscriminately attack each member of a community.
Researchers at Google announced the discovery of a hacking campaign that used hacked websites to deliver malware to iPhones.
Project Zero, Google’s security research team, discovered fourteen previously unknown vulnerabilities, called zero day exploits, that were capable of compromising iPhones. Further research revealed a small collection of hacked websites capable of delivering malware to iPhone users visiting those sites.
“There was no target discrimination; simply visiting the hacked site was enough for the exploited server to attack your device, and if it was successful, installing a monitoring implant. We estimate that these sites receive thousands of visitors per week,” wrote Project Zero member Ian Beer in a blog post announcing their findings.
The data accessible on the compromised phones included the user’s location, their passwords, chat histories, contact lists, and full access to their Gmail accounts.
“Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services… even after they lose access to the device,” said Beer.
The hacking campaign was active for at least two years before it was discovered by Project Zero. The research team informed Apple of their findings, and the targeted vulnerabilities were patched in an update in February 2019.
Because I really don’t want to rile up all you wonderful Mac users, I’ve decided to do a follow-up on the whole hiding your folders in plain view dilemma.
If you haven’t done so already, be sure to check out my article on how to hide your files, folders, and disk drives; it may not apply to Mojave or whatever other OS you’re running, but at least you’ll get an idea of what you’re up against. So, how do you hide folders on Mac?
Get yourself acquainted with the Terminal (Mac’s version of Windows’ command prompt) because, as it happens, it’s the only way to hide folders on Mac without resorting to third-party tools. Let’s dig in.
How to Hide Folders on Mac – Quick and Painless Version
If you really don’t want to trouble yourself with code, there’s a very easy and extremely fast way to hide your folders on Mac: using FileVault.
Basically, it turns your hard drive into a Fort Knox-like vault which cannot be opened without the proper cipher, which in this case is the username and password associated with your admin account.
Yes, I know it’s like curing the disease by killing the patient, but I did say that it’s the easiest way to go about hiding your folders. Anyway, here’s what you’ll need to do, should you choose to use FileVault for masking your files, folders, and everything in between.
Step 1. Click on the Apple icon located in the upper-left corner of your screen.
Step 2. Click on System Preferences.
Step 3. Click on Security & Privacy.
Step 4. Head to the FileVault tab (it’s right next to the General tab).
Step 5. Click on the padlock icon to make changes.
Step 6. Click on the Turn On FileVault button.
Step 7. In the next dialog box, select the recovery method. You can choose between iCloud and generating a local recovery key. I, for one, would go with the latter option since it’s more secure (no use compromising two accounts if your password gets stolen).
Here’s what’s going to happen if you use the local recovery key method: you will be taken to another dialog box where you will see a system-generated code.
It looks very much like a Windows or antivirus activation key. Put this code in a new document or something. That’s the recovery key you’ll be using in case you don’t remember the password.
Step 8. Click on Continue.
Step 9. Click again on the Continue button to finish the process.
That’s it! Now FileVault will begin encrypting all the data on your drive. Depending on your specs, this process can take anywhere from a couple of hours to a few days.
Don’t worry too much about ending up with a potato computer; you’ll still be able to surf the web, watch movies, or play games because everything happens in the background.
One more thing: don’t forget to hook up your Mac to the power outlet. You really wouldn’t want to run out of juice in the middle of a procedure involving the drive on which your entire data is stored.
How to hide folders on Mac using Terminal
There’s also a way to hide folders on Mac, but it involves using the Terminal. Don’t worry; it’s just a couple of command lines. Nothing too fancy or complicated. So, here’s how to hide files/folders using Terminal.
Step 1. Click on Finder.
Step 2. From the left panel, select Applications.
Step 3. Scroll down until you see Utilities. Double-click to enter the Utilities menu.
Step 4. Double-click on Terminal.
Step 5. Type in the following line:
Step 6. Create a new folder on your desktop. Fill it with stuff that you want to hide.
Step 7. Drag-and-drop the folder on to the Terminal window. If you look closely, you’ll see that the folder’s path has appeared.
Step 8. Press Return to hide the folder.
Great! Now that your folder’s out of sight, out of mind, let’s see how we go about accessing it. There are three ways to access hidden files and folders.
Method 1 – Using the Go to Folder function
From the Go menu, select Go to Folder. In the dialog box that appears on your screen, type in the path of your hidden folder. Don’t forget to include the “~” sign before the path.
It should look something like this: “~/Desktop/MyHiddenFiles”
Method 2 – Using the Open/Dialog function
Double-click on Finder and select Desktop from Favorites. Press the Show items as icons, in a list, in columns, or in the library button (the pictogram looks like a rectangle divided by two straight lines). You may need to perform this operation a couple of times before the folder becomes visible.
Method 3 – Show hidden files in Finder
It’s possible to see a hidden file in Finder, but you will need to tinker a bit with Terminal. So, fire up your Terminal, and type in the following line:
defaults write com.apple.finder AppleShowAllFiles TRUE
Press Return to continue. After that, please type in or paste the following line:
Again, press return, go to Finder, and there you are – what was once hidden, can now be seen. Enjoy!
How to hide folders on your Mac by using Terminal Aliases
Aliases are macros or shortcuts to various commands. Although they are temporary by default, we can easily turn this into a more permanent solution. Again, you will need to fiddle around with the Terminal. So, here’s what you’ll need to do:
Step 1. Open the Terminal.
Step 2. Type in or paste the following line:
sudo nano ~/.bash_profile
Step 3. When prompted, type in the username and password associated with your active admin account.
Step 4. Press Return to continue.
Step 5. Scroll down to the end of the open .bash_profile.
Step 6. Type in or paste the following line:
alias showFiles='defaults write com.apple.finder AppleShowAllFiles YES; killall Finder /System/Library/CoreServices/Finder.app'
Step 7. Navigate to the next line and type in or paste the following:
alias hideFiles='defaults write com.apple.finder AppleShowAllFiles NO; killall Finder /System/Library/CoreServices/Finder.app'
Step 8. Save the file.
Step 9. Exit Terminal.
That’s about it. Now, the next time you launch Finder, all desired folders will be hidden.
Even more ways to hide files and folders on your Mac
As they say, there’s more than one way to skin something (please don’t say “cat”). So, if you found that the methods described are much too difficult, here are a couple of more ways to hide folders on Mac.
Using the “mv” command
The “mv” command in Terminal moves a file or folder from one place to another. How does this help you? Here’s the trick: the “mv” command moves the folder from its original location to a period folder.
Now, by default, period folders are hidden because they contain system-critical information. Basically, it’s the same thing as moving files or folders to your System32 folder in Windows.
To make files invisible in this manner, open Terminal and type in mv filename .filename. Replace “filename” with the name of the file you want to hide and the “.filename” parameter with the name of the system-protect file.
Deploy Apple’s Developer Tools
If you’re in the mood to do a bit of tweaking, download and deploy one of Apple’s Dev Tools and enter the following command in Terminal: setfile -a V <name of the file you want to hide>. The name of the file should follow the “V” parameter without the “<>”. This command will set the file’s attribute to invisible.
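Renaming with a leading dot or setting a hide attribute only changes what a default listing shows; it does not restrict access. The following audit script is an added example, not code from the original article: it lists entries hidden by a dot-prefixed name or by the BSD hidden file flag and reports whether the current user can still read them. The function names, the `Flagged` folder and the sample tree are constructed for the illustration, and treating the hidden flag as the mechanism behind the Terminal method is an assumption, since the article's command is not shown.

```python
import os
import stat
import tempfile


def hidden_reasons(path):
    """Return why an entry would be left out of a default Finder listing."""
    reasons = []
    name = os.path.basename(os.path.normpath(path))
    if name.startswith("."):
        reasons.append("dot-prefix")      # e.g. after `mv filename .filename`
    # st_flags only exists on macOS/BSD; on other systems treat it as 0.
    flags = getattr(os.lstat(path), "st_flags", 0)
    if flags & stat.UF_HIDDEN:
        reasons.append("hidden-flag")     # BSD "hidden" file flag
    return reasons


def find_hidden(root):
    """Walk root and map each hidden entry to its reasons and readability."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            reasons = hidden_reasons(full)
            if reasons:
                found[os.path.relpath(full, root)] = {
                    "reasons": reasons,
                    # Hidden is not protected: check access for this user.
                    "readable": os.access(full, os.R_OK),
                }
    return found


def build_demo_tree(root):
    """Constructed sample data: one visible file, one dot-renamed folder."""
    os.makedirs(os.path.join(root, ".MyHiddenFiles"))
    with open(os.path.join(root, ".MyHiddenFiles", "notes.txt"), "w") as f:
        f.write("constructed sample data\n")
    with open(os.path.join(root, "visible.txt"), "w") as f:
        f.write("constructed sample data\n")
    # Where the platform supports file flags (macOS/BSD), also flag a folder.
    if hasattr(os, "chflags"):
        flagged = os.path.join(root, "Flagged")
        os.makedirs(flagged)
        try:
            os.chflags(flagged, stat.UF_HIDDEN)
        except OSError:
            pass  # filesystem without flag support; dot-prefix case remains


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for rel, info in find_hidden(tmp).items():
            state = "readable" if info["readable"] else "not readable"
            print(f"{rel}: {', '.join(info['reasons'])} ({state})")
```

Every hidden entry in the sample tree is reported as readable, which is the difference between these hiding methods and the FileVault encryption described earlier.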
Dump everything in the Library folder
When everything else fails, try the Library folder. It’s hidden by default, making it the ideal place to store top-secret stuff. Just fire up your Finder, navigate to Finder, right-click, create a new folder, and drag all the files in there.
Use third-party file-hiding software
You can also use special software to keep your folders away from prying eyes. The best ones are Altomac and Hide Folders. However, there are also open-source alternatives such as AES Crypt, Axcrypt, or File Lock PE. Give them a try if you’re looking to beef up your account’s privacy.
That’s it on how to hide folders on a Mac computer. Know any more methods? Hit the comments section and let me know.
Many of us use Bluetooth technology for its convenience and sharing capabilities. Whether you’re using wireless headphones or quickly Airdropping photos to your friend, Bluetooth has a variety of benefits that users take advantage of every day. But like many other technologies, Bluetooth isn’t immune to cyberattacks. According to Ars Technica, researchers have recently discovered a weakness in the Bluetooth wireless standard that could allow attackers to intercept device keystrokes, contact lists, and other sensitive data sent from billions of devices.
The Key Negotiation of Bluetooth attack, or “KNOB” for short, exploits this weakness by forcing two or more devices to choose an encryption key just a single byte in length before establishing a Bluetooth connection, allowing attackers within radio range to quickly crack the key and access users’ data. From there, hackers can use the cracked key to decrypt data passed between devices, including keystrokes from messages, address books uploaded from a smartphone to a car dashboard, and photos.
What makes KNOB so stealthy? For starters, the attack doesn’t require a hacker to have any previously shared secret material or to observe the pairing process of the targeted devices. Additionally, the exploit keeps itself hidden from Bluetooth apps and the operating systems they run on, making it very difficult to spot the attack.
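The downgrade described above can be shown with a small model of the key-length negotiation, together with the check that stops it: a minimum key length enforced by either device. This is an added example, not code from the original article or from any Bluetooth stack. `Device`, `negotiate`, `force_one_byte` and the 7-byte `HARDENED_MIN` floor are hypothetical names and values chosen for the model, and treating the proposal as an unauthenticated message that can be rewritten in transit is an assumption the article does not spell out.

```python
from dataclasses import dataclass

SPEC_MIN, SPEC_MAX = 1, 16   # key length range in bytes (Bluetooth BR/EDR)
HARDENED_MIN = 7             # example policy floor chosen for this model


@dataclass
class Device:
    name: str
    min_len: int = SPEC_MIN  # shortest key this device will accept
    max_len: int = SPEC_MAX  # longest key this device supports

    def respond(self, proposed):
        """Answer a proposed key length: accept, counter lower, or reject."""
        if proposed < self.min_len:
            return ("reject", None)
        if proposed > self.max_len:
            return ("counter", self.max_len)
        return ("accept", proposed)


def negotiate(initiator, responder, tamper=lambda n: n):
    """Return the agreed key length in bytes, or None if either side refuses.

    tamper(n) models a party in radio range rewriting the proposal, which
    in this model is neither encrypted nor authenticated.
    """
    seen_by_responder = tamper(initiator.max_len)
    verdict, length = responder.respond(seen_by_responder)
    if verdict == "reject":
        return None
    # The initiator learns the resulting length and applies its own limits.
    verdict, length = initiator.respond(length)
    return length if verdict == "accept" else None


def keyspace(length):
    """Number of candidate keys for a key of the given length in bytes."""
    return 256 ** length


def force_one_byte(_proposed):
    """Constructed tamper function: replace any proposal with 1 byte."""
    return 1


if __name__ == "__main__":
    cases = {
        "legacy pair, untouched": negotiate(Device("A"), Device("B")),
        "legacy pair, tampered": negotiate(
            Device("A"), Device("B"), tamper=force_one_byte),
        "responder enforces floor": negotiate(
            Device("A"), Device("B", min_len=HARDENED_MIN),
            tamper=force_one_byte),
        "initiator enforces floor": negotiate(
            Device("A", min_len=HARDENED_MIN), Device("B"),
            tamper=force_one_byte),
    }
    for label, length in cases.items():
        if length is None:
            print(f"{label}: connection refused")
        else:
            print(f"{label}: {length} byte(s), {keyspace(length)} keys")
```

With no floor, both devices settle on a 1-byte key with only 256 possible values; with the floor on either device, the tampered negotiation is refused instead of silently downgraded.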
While the Bluetooth Special Interest Group (the body that oversees the wireless standard) has not yet provided a fix, there are still several ways users can protect themselves from this threat. Follow these tips to help keep your Bluetooth-compatible devices secure:
- Adjust your Bluetooth settings. To avoid this attack altogether, turn off Bluetooth in your device settings.
- Beware of what you share. Make it a habit to not share sensitive, personal information over Bluetooth.
- Turn on automatic updates. A handful of companies, including Microsoft, Apple, and Google, have released patches to mitigate this vulnerability. To ensure that you have the latest security patches for vulnerabilities such as this, turn on automatic updates in your device settings.
The post Boost Your Bluetooth Security: 3 Tips to Prevent KNOB Attacks appeared first on McAfee Blogs.
5G has been nearly a decade in the making but has really dominated the mobile conversation in the last year or so. This isn’t surprising considering the potential benefits this new type of network will provide to organizations and users alike. However, just like with any new technological advancement, there are a lot of questions being asked and uncertainties being raised around accessibility, as well as cybersecurity. The introduction of this next-generation network could bring more avenues for potential cyberthreats, potentially increasing the likelihood of distributed denial-of-service, or DDoS, attacks due to the sheer number of connected devices. However, as valid as these concerns may be, we may be getting a bit ahead of ourselves here. While 5G has gone from an idea to a reality in a short amount of time for a handful of cities, these advancements haven’t happened without a series of setbacks and speedbumps.
In April 2019, Verizon was the first to launch a next-generation network, with other cellular carriers following closely behind. While a technological milestone in and of itself, some 5G networks are only available in select cities, even limited to just specific parts of the city. Beyond the not-so-widespread availability of 5G, internet speeds of the network have performed at a multitude of levels depending on the cellular carrier. Even if users are located in a 5G-enabled area, if they are without a 5G-enabled phone they will not be able to access all the benefits the network provides. These three factors – user location, network limitation of certain wireless carriers, and availability of 5G-enabled smartphones – must align for users to take full advantage of this exciting innovation.
While there is still a lot of uncertainty surrounding the future of 5G, as well as what cyberthreats may emerge as a result of its rollout, there are a few things users can do to prepare for the transition. To get your cybersecurity priorities in order, take a look at our 5G preparedness toolkit to ensure you’re prepared when the nationwide roll-out happens:
- Follow the news. Since the announcement of a 5G enabled network, stories surrounding the network’s development and updates have been at the forefront of the technology conversation. Be sure to read up on all the latest to ensure you are well-informed to make decisions about whether 5G is something you want to be a part of now or in the future.
- Do your research. With new 5G-enabled smartphones about to hit the market, ensure you pick the right one for you, as well as one that aligns with your cybersecurity priorities. The right decision for you might be to keep your 4G-enabled phone while the kinks and vulnerabilities of 5G get worked out. Just be sure that you are fully informed before making the switch and that all of your devices are protected.
- Be sure to update your IoT devices’ factory settings. 5G will enable more and more IoT products to come online, and most of these connected products aren’t necessarily designed to be “security first.” A device may be vulnerable as soon as the box is opened, and many cybercriminals know how to get into vulnerable IoT devices via default settings. By changing the factory settings, you can instantly upgrade your device’s security and ensure your home network is secure.
- Add an extra layer of security. As mentioned, with 5G creating more avenues for potential cyberthreats, it is a good idea to invest in comprehensive mobile security to apply to all of your devices to stay secure while on-the-go or at home.
If you’ve been on social media recently, you’ve probably seen some people in your feed posting images of themselves looking elderly. That’s because FaceApp, an AI face editor that went viral in 2017, is making a major comeback with the so-called FaceApp Challenge — where celebrities and others use the app’s old age filter to add decades onto their photos. While many folks have participated in the fun, there are some concerns about the way that the app operates when it comes to users’ personal privacy.
According to Forbes, over 100,000 million people have reportedly downloaded FaceApp from the Google Play Store and the app is the number one downloaded app on the Apple App Store in 121 different countries. But what many of these users are unaware of is that when they download the app, they are granting FaceApp full access to the photos they have uploaded. The company can then use these photos for their benefit, such as training their AI facial recognition algorithm. And while there is currently nothing to indicate that the app is taking photos for malicious intent, it is important for users to be aware that their personal photos may be used for other purposes beyond the original intent.
So, how can users enjoy the entertainment of apps like FaceApp without sacrificing their privacy? Follow these tips to help keep your personal information secure:
- Think before you upload. It’s always best to err on the side of caution with any personal data and think carefully about what you are uploading or sharing. A good security practice is to only share personal data, including personal photos, when it’s truly necessary.
- Update your settings. If you’re concerned about FaceApp having permission to access your photos, it’s time to assess the tools on your smartphone. Check which apps have access to information like your photos and location data. Change permissions by either deleting the app or changing your settings on your device.
The post Downloaded FaceApp? Here’s How Your Privacy Is Now Affected appeared first on McAfee Blogs.
Messaging apps are a common form of digital communication these days, with Facebook’s WhatsApp being one of the most popular options out there. The communication platform boasts over 1.5 billion users – who now need to immediately update the app due to a new security threat. In fact, WhatsApp just announced a recently discovered security vulnerability that exposes both iOS and Android devices to malicious spyware.
So, how does this cyberthreat work, exactly? Leveraging the new WhatsApp bug, hackers first begin the scheme by calling an innocent user via the app. Regardless of whether the user picks up or not, the attacker can use that phone call to infect the device with malicious spyware. From there, crooks can potentially snoop around the user’s device, likely without the victim’s knowledge.
Fortunately, WhatsApp has already issued a patch that solves for the problem – which means users will fix the bug if they update their app immediately. But that doesn’t mean users shouldn’t still keep security top of mind now and in the future when it comes to messaging apps and the crucial data they contain. With that said, here are a few security steps to follow:
- Flip on automatic updates. No matter the type of application or platform, it’s always crucial to keep your software up-to-date, as fixes for vulnerabilities are usually included in each new version. Turning on automatic updates will ensure that you are always equipped with the latest security patches.
- Be selective about what information you share. When chatting with fellow users on WhatsApp and other messaging platforms, it’s important you’re always careful of sharing personal data. Never exchange financial information or crucial personal details over the app, as they can possibly be stolen in the chance your device does become compromised with spyware or other malware.
- Protect your mobile phones from spyware. To help prevent your device from becoming compromised by malicious software, such as this WhatsApp spyware, be sure to add an extra layer of security to it by leveraging a mobile security solution. With McAfee Mobile Security being available for both iOS and Android, devices of all types will remain protected from cyberthreats.
The post 3 Tips for Protecting Against the New WhatsApp Bug appeared first on McAfee Blogs.