
rgl7194 : security   3630

iPhone Prototypes Find Their Way to Hackers and Researchers Alike - SecureMac
Have you ever wondered about how hackers or security researchers can figure out where the hidden flaws in iOS lay? For years, that’s been a big question, from concerns about how companies such as Cellebrite and GrayKey found their way into iOS to how researchers were able to examine how the Secure Enclave works. Thanks to a report by Motherboard picked up by Cult of Mac; we now have a better idea of what’s behind it all: internal prototypes somehow stolen from Apple and then re-sold on the gray market.
What are these prototypes? Called “dev-fused” devices, these are iPhones used by Apple employees and developers within the company to test features, hunt for bugs, and otherwise prepare the next iteration of hardware or software for the public. To allow the developers to do all these things, dev-fused units typically have many of iOS’s built-in security features disabled. Most notable, according to the report, is the word that dev-fused devices do not have system-level encryption running on the Secure Enclave, the processor which handles all the phone’s fingerprint and facial recognition processing. 
iphone  security  privacy  hack  research  prototype 
7 days ago by rgl7194
App to no good: everything you need to know about Telegram — The Calvert Journal
One of the most successful messaging apps to have emerged in recent years, Telegram is currently engaged in a bitter battle with the Russian authorities. As a Moscow court orders the app to be banned, Katie Davies takes a look at how Telegram works, its iconoclastic founder and why its fate is important
Messaging app Telegram has become the latest online battleground in Russia as fears rise that the Kremlin is heading towards China-like censorship of an entire Internet platform. Similar in design to other messaging apps like WhatsApp or Viber, Telegram, which launched in 2013, is a popular way to send texts, photos, videos and links to other phones or devices. The service has an estimated 9 million users in Russia and many millions more across the world.
Amid a court fight in Moscow, Telegram has taken a principled stance on privacy. If a ban on the platform goes ahead, however, it could set an important precedent for Russia, which has never blocked online resources before in this way. The Calvert Journal explains what Telegram is and why this conflict is so important for the future of the Russian Internet.
messaging  telegram  privacy  security  encryption  russia 
7 days ago by rgl7194
Google, Microsoft work together for a year to figure out new type of Windows flaw | Ars Technica
Researcher finds building blocks for privilege escalation: Can they be assembled to create a flaw?
One of the more notable features of Google Project Zero's (GPZ) security research has been its 90-day disclosure policy. In general, vendors are given 90 days to address issues found by GPZ, after which the flaws will be publicly disclosed. But sometimes understanding a flaw and developing fixes for it takes longer than 90 days—sometimes, much longer, such as when a new class of vulnerability is found. That's what happened last year with the Spectre and Meltdown processor issues, and it has happened again with a new Windows issue.
Google researcher James Forshaw first grasped that there might be a problem a couple of years ago when he was investigating the exploitability of another Windows issue published three years ago. In so doing, he discovered the complicated way in which Windows performs permissions checks when opening files or other secured objects. A closer look at the involved parts showed that there were all the basic elements to create a significant elevation of privilege attack, enabling any user program to open any file on the system, regardless of whether the user should have permission to do so. The big question was, could these elements be assembled in just the right way to cause a problem, or would good fortune render the issue merely theoretical?
The basic rule is simple enough: when a request to open a file is being made from user mode, the system should check that the user running the application that's trying to open the file has permission to access the file. The system does this by examining the file's access control list (ACL) and comparing it to the user's user ID and group memberships. However, if the request is being made from kernel mode, the permissions checks should be skipped. That's because the kernel in general needs free and unfettered access to every file.
google  security  microsoft  windows  bug  research 
7 days ago by rgl7194
Why Phone Numbers Stink As Identity Proof — Krebs on Security
Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.
How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.
Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target’s phone’s number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.
Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.
“As a consumer, I’m forced to use my phone number as an identity document, because sometimes that’s the only way to do business with a site online,” Nixon said. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me. And there’s nothing anyone can do to stop it except to stop using phone numbers as identity documents.”
telephone  security  privacy  ID  krebs  authentication  cellphones 
7 days ago by rgl7194
Ad Network Sizmek Probes Account Breach — Krebs on Security
BRUTE-FORCE LIGHT
If anything, password spraying is a fairly crude, if sometimes marginally effective attack tool. But what we’ve started to see more of over the past year has been what one might call “brute-force light” attacks on accounts. A source who has visibility into a botnet of Internet of Things devices that is being mostly used for credential stuffing attacks said he’s seeing the attackers use distributed, hacked systems like routers, security cameras and digital video recorders to anonymize their repeated queries.
This source noticed that the automated system used by the IoT botmasters typically will try several dozen variations on a password that each target had previously used at another site — adding a “1” or an exclamation point at the end of a password, or capitalizing the first letter of whole words in previous passwords, and so on.
The idea behind this method is to snare not only users who are wholesale re-using the same password across multiple sites, but to also catch users who may just be re-using slight variations on the same password.
This form of credential stuffing is brilliant from the attacker’s perspective because it probably nets him quite a few more correct guesses than normal password spraying techniques.
It’s also smart because it borrows from human nature. Let’s say your average password re-user is in the habit of recycling the password “monkeybutt.” But then he gets to a site that wants him to use capitalization in his password to create an account. So what does this user pick? Yes, “Monkeybutt.” Or “Monkeybutt1”. You get the picture.
There’s an old saying in security: “Everyone gets penetration tested, whether or not they pay someone for the pleasure.” It’s kind of like that with companies and their users and passwords. How would your organization hold up to a password spraying or brute-force light attack? If you don’t know, you should probably find out, and then act on the results accordingly. I guarantee you the bad guys are going to find out even if you don’t.
security  privacy  passwords  automation  krebs 
7 days ago by rgl7194
Mozilla launches Firefox Send for private file sharing - Malwarebytes Labs | Malwarebytes Labs
Mozilla looks to reclaim some ground from the all-powerful Chrome with a new way to send and receive files securely from inside the browser. Firefox Send first emerged in 2017, promising an easy way to send documents without fuss. The training wheels have now come off and Send is ready to go primetime. Will it catch on with the masses, or will only a small, niche group use it to play document tennis?
How does it work?
Firefox Send allows for files up to 1GB to be sent to others via any web browser (2.5GB if you sign in with a Firefox account). The files are encrypted after a key is generated, at which point a URL is created containing said key. You send this URL to the recipient, who is able to then download and access the file securely. Mozilla can’t access the key, as the JavaScript code powering things only runs locally.
Before sending, a number of security settings come into play. You can set the link expiration to include number of downloads, from one to 200, or number of days the link is live (up to seven). Passwords are also available for additional security.
firefox  encryption  security 
9 days ago by rgl7194
Firefox Send lets you send files up to 2.5GB with time and download limits | Ars Technica
It was in "Test Pilot" before. Now it's live and offers more control.
Mozilla has publicly launched its Firefox Send file-sharing service after a lengthy testing period. It allows you to send files via a link to anyone and set conditions for access like a time period or number of downloads before the file expires.
Firefox Send can handle files as large as 2.5GB. When the Test Pilot period for the service began in August of 2017, the limit was 1GB; that limit still applies until you sign in with your Firefox account (opening an account is free).
firefox  encryption  security 
9 days ago by rgl7194
Firefox Send — Free Encrypted File Transfer Service Now Available For All
Mozilla has made it easy for you to share large files securely and privately with whomever you want, eliminating the need to depend upon less secure free third-party services or file upload tools that burn a hole in your pocket.
Mozilla has finally launched its free, end-to-end encrypted file-transfer service, called Firefox Send, to the public, allowing users to securely share large files like video, audio or photo files that can be too big to fit into an email attachment.
Firefox Send was initially rolled out by Mozilla to test users way back in August 2017 as part of the company's now-defunct "Test Pilot" experimental program.
firefox  encryption  security 
9 days ago by rgl7194
Firefox Send — An Easy Way To Send Encrypted Files - GreyCoder
Firefox Send is a new encrypted file transfer service from Mozilla. It allows you to share files from any browser.
It works like this — you upload the file to send.firefox.com, and the file is encrypted. Your recipient receives an email, clicks the link, and the file is decrypted and downloaded.
Overall, the service provides end-to-end encryption. Here are technical details of how this works:
The client encrypts the file that is uploaded, along with some metadata. The key is appended to the shared URL in the fragment/hash, and is never sent to the remote server. Only people having the URL including the secret will be able to download and decrypt your shared file. See https://github.com/mozilla/send/blob/master/docs/encryption….
firefox  encryption  security 
9 days ago by rgl7194
Facebook Doubles Down On Misusing Your Phone Number | Electronic Frontier Foundation
When we publicly demanded that Facebook stop messing with users’ phone numbers last week, we weren’t expecting the social network to double down quite like this: By default, anyone can use the phone number that a user provides for two-factor authentication (2FA) to find that user’s profile. For people who need 2FA to protect their account and stay safe, Facebook is forcing them into unnecessarily choosing between security and privacy.
While settings are available to choose whether “everyone,” “friends of friends,” or “friends” can use your phone number this way, there is no way to opt out completely.
The problems with Facebook’s phone number look-up feature are not entirely new. Facebook even promised to disable the functionality last April in the wake of the Cambridge Analytica scandal. Now, others can no longer enter your phone number directly into the Facebook search bar to find your profile. Instead, they can still use your phone number “in other ways, such as when someone uploads your contact info to Facebook from their mobile phone,” a Facebook spokesperson told USA Today. Those "other ways" are what the settings shown above control. But whether they have to type it into Facebook’s search bar or into their phone contacts, the result is the same: others can use your phone number to find your Facebook profile.
facebook  privacy  security  telephone  2FA  search  EFF 
12 days ago by rgl7194
Now Facebook is allowing anyone to look you up using your security pho
And I mean, geez, stuff like this with Facebook just isn’t a surprise anymore, is it? For years social media Big Brother had been pestering its users to secure their account with two-factor authentication (2FA) by prompting them to enter their phone number so they could get a text with a security code login when logging into their account from a new device for the first time.
On the surface, Facebook prompting people to enable 2FA was a good thing–if you have 2FA enabled it’s much harder for someone who isn’t you to log in to your account. But this being Facebook, they’re not just going to do something that is only good for the user, are they?
Last year it came to light that Facebook was using the phone numbers people submitted to the company solely so they could protect their accounts with 2FA for targeted advertising. And now, as security researcher and New York Times columnist Zeynep Tufekci pointed out, Facebook is allowing anyone to look up a user by their phone number, the same phone number that was supposed to be for security purposes only.
facebook  privacy  security  telephone  2FA  search 
12 days ago by rgl7194
Facebook won’t let you opt out of its phone number ‘look up’ setting | TechCrunch
Users are complaining that the phone number Facebook hassled them to use to secure their account with two-factor authentication has also been associated with their user profile — which anyone can use to “look up” their profile.
Worse, Facebook doesn’t give you an option to opt-out.
Last year, Facebook was forced to admit that after months of pestering its users to switch on two-factor by signing up their phone number, it was also using those phone numbers to target users with ads. But some users are finding out just now that Facebook’s default setting allows everyone — with or without an account — to look up a user profile based off the same phone number previously added to their account.
The recent hubbub began today after a tweet by Jeremy Burge blew up, criticizing Facebook’s collection and use of phone numbers, which he likened to “a unique ID that is used to link your identity across every platform on the internet.”
facebook  privacy  security  telephone  2FA  search 
12 days ago by rgl7194
Daring Fireball: Facebook Is Allowing Anyone to Look You Up Using Your Two-Factor Authentication Phone Number
Michael Grothaus, writing for Fast Company:
On the surface, Facebook prompting people to enable 2FA was a good thing — if you have 2FA enabled it’s much harder for someone who isn’t you to log in to your account. But this being Facebook, they’re not just going to do something that is only good for the user, are they?
Last year it came to light that Facebook was using the phone numbers people submitted to the company solely so they could protect their accounts with 2FA for targeted advertising. And now, as security researcher and New York Times columnist Zeynep Tufekci pointed out, Facebook is allowing anyone to look up a user by their phone number, the same phone number that was supposed to be for security purposes only.
This is surely the least surprising thing you’ll read all day, but in addition to being an abuse of users’ privacy, it’s pernicious in terms of security practices. The lesson some people are going to take from this is that enabling two-factor authentication is for suckers.
UPDATE: A friend messaged me: “My takeaway from the Mat Honan debacle was that 2FA that involves SMS or a phone number is absolutely for suckers and/or chumps. (The 2FA implementation in 1Password, using the same TOTP protocol as Google Authenticator or Authy, is glorious.)”
That’s a good point, and I agree. I spent an afternoon last year decoupling my phone as second factor from every account I could. But it’s depressing how many services — like my bank — only support SMS as a second factor.
facebook  privacy  security  telephone  2FA  search  daring_fireball 
12 days ago by rgl7194
FFS, Facebook is abusing 2FA... again
Facebook's continued abuses aren't just damaging Facebook, they're damaging our trust in all technology.
I get it. With all the abuses being discovered about Facebook, week after week, sometimes day after day or even hour after hour, it's hard to be surprised any more, much less outraged. But, those continued abuses remain and must remain outrageous.
From Fast Company:
On the surface, Facebook prompting people to enable 2FA was a good thing–if you have 2FA enabled it's much harder for someone who isn't you to log in to your account. But this being Facebook, they're not just going to do something that is only good for the user, are they?
Last year it came to light that Facebook was using the phone numbers people submitted to the company solely so they could protect their accounts with 2FA for targeted advertising. And now, as security researcher and New York Times columnist Zeynep Tufekci pointed out, Facebook is allowing anyone to look up a user by their phone number, the same phone number that was supposed to be for security purposes only.
Convinced a friend to turn on Google 2-factor authentication this weekend. Now they read Facebook is abusing the phone numbers collected through its 2FA, and my friend no longer trusts anyone.
Facebook doesn't just damage itself, it damages trust in technology.
facebook  privacy  security  telephone  2FA  search 
12 days ago by rgl7194
Daring Fireball: Facebook Won’t Let You Opt Out of Its Phone Number ‘Look Up’ Setting
Zack Whittaker, writing for TechCrunch:
Others criticized Facebook’s move to expose phone numbers to “look ups,” calling it “unconscionable.”
Alex Stamos, former chief security officer and now adjunct professor at Stanford University, also called out the practice in a tweet. “Facebook can’t credibly require two-factor for high-risk accounts without segmenting that from search and ads,” he said.
Since Stamos left Facebook in August, Facebook has not hired a replacement chief security officer.
I’m sure they’ll get right on that.
facebook  privacy  security  telephone  2FA  daring_fireball  search 
12 days ago by rgl7194
Unsecured API Leads to 'Yelp for Conservatives' App Data Leak
French security researcher Robert Baptiste found the API of the 63Red Safe mobile application known as "Yelp for conservatives" wide open, with no authentication needed to access and view the data stored within the app's database.
According to its official description, 63Red Safe is an iOS and Android mobile app designed for "keeping conservatives safe," and to help its users "Find great restaurants nearby, and see how expensive, how far away, and best of all, whether they are safe for conservatives."
To be more specific, the 63Red Safe app will allow its users to know beforehand if it's safe to wear Make America Great Again (MAGA) apparel when dining at a particular restaurant or when shopping at various locations.
politics  gov2.0  apps  security  privacy  trump  API  business  leak  data 
12 days ago by rgl7194
“Yelp, but for MAGA” turns red over security disclosure, threatens researcher | Ars Technica
63Red Safe app—a "Green Book" for conservatives—left APIs exposed.
A new application from the "conservative news" site 63red, called 63Red Safe, is advertised as a sort of "Green Book" for the MAGA set. It lets users rate local businesses "from a conservative perspective," according to the app's Google Play listing, "helping insure[sic] you're safe when you shop and eat!" And in this case, "safe" means freedom to wear "Make America Great Again" clothing without having to bear verbal challenge.
The app rates the safety of a business based on users' input on four factors:
—Does this business serve persons of every political belief?
—Will this business protect its customers if they are attacked for political reasons?
—Does this business allow legal concealed carry under this state's laws?
—Does this business avoid politics in its ads and social media postings?
But the safe space for 63red founder Scott Wallace was violated quickly when French security researcher Elliot Alderson discovered some fundamental security flaws in Safe's architecture—making it not so safe.
Because the application is built in React Native, a JavaScript- and JSX-based scripting language that basically turns Web apps into "native" Apple iOS and Android applications, the entire architecture of the application is available to anyone who downloads and unpacks it. And in that code, Alderson discovered a few things...
politics  gov2.0  apps  security  privacy  trump  API  business  data  leak 
12 days ago by rgl7194
Keyless Entry Systems Are Convenient, But Come With Risks | AAA Western & Central New York
THEFT
Smart key technology uses radio signals to communicate with your car. Unfortunately, criminals have learned how to hijack and repeat that radio signal by using signal boosting relay boxes. These inexpensive scamming devices can trick your car into recognizing the key fob within the required proximity, even if the smart key fob is actually indoors or with the owner.
With the doors unlocked and the car believing that the driver is in possession of the key fob, a criminal simply needs to press the ignition button and drive away to steal a vehicle.
Owners of smart key enabled cars should store their smart key fobs in a signal blocking metal box or shielded pouch and away from their front door to stay out of range of any prying relay box devices.
cars  technology  security  privacy  theft 
12 days ago by rgl7194
500px Hacked: Personal Data Exposed for All 14.8 Million Users
The popular photo-sharing service 500px has announced that it was the victim of a hack back in 2018 and that personal data was exposed for all the roughly 14.8 million accounts that existed at the time.
In an email sent out to users and an announcement posted to its website, 500px states that it was only on February 8th, 2019, that its team learned of an unauthorized intrusion to its system that occurred on or around July 5th, 2018.
The personal data that may have been stolen by the intruder includes first and last names, usernames, email addresses, password hashes (i.e. not plaintext passwords), location (i.e. city, state, country), birth date, and gender.
“At this time, there is no indication of unauthorized access to your account, and no evidence that other data associated with your user profile was affected, such as credit card information (which is not stored on our servers), if used to make any purchases, or any other sensitive personal information,” 500px says.
photography  photo  sharing  services  hack  data  breach  security  privacy 
12 days ago by rgl7194
How to Get and Set Up a Free Windows VM for Malware Analysis
If you’d like to start experimenting with malware analysis in your own lab, here’s how to download and set up a free Windows virtual machine:
Step 1: Install Virtualization Software
Step 2: Get a Windows Virtual Machine
Step 3: Update the VM and Install Malware Analysis Tools
Step 4: Isolate the Analysis VM and Disable Windows Defender AV
Step 5: Analyze Some Malware
windows  mac  virtualization  malware  security  privacy 
12 days ago by rgl7194
A brief history of Wi-Fi security protocols from “oh my, that’s bad” to WPA3 | Ars Technica
Enjoy our primer on the ups and downs of Wi-Fi protocols since the mid-1990s.
Thanks to upcoming developments in Wi-Fi, all of us connectivity-heads out there can look forward to getting familiar with new 802.11 protocols in the near future. Ars took a deep look at what's on the horizon last fall, but readers seemed to have a clear request in response—the time had come to specifically discuss the new Wi-Fi security protocol, WPA3.
Before anyone can understand WPA3, it's helpful to take a look at what came before it during The Dark Ages (of Internet)—a time with no Wi-Fi and unswitched networks. Swaths of the Internet today may be built upon "back in my day" ranting, but those of you in your 20s or early 30s may genuinely not remember or realize how bad things used to be. In the mid-to-late 1990s, any given machine could "sniff" (read "traffic not destined for it") any other given machine's traffic at will even on wired networks. Ethernet back then was largely connected with a hub rather than a switch, and anybody with a technical bent could (and frequently did) watch everything from passwords to Web traffic to emails wing across the network without a care.
Closer to the turn of the century, wired Ethernet had largely moved on from hubs (and worse, the old coax thinnet) to switches. A network hub forwards every packet it receives to every machine connected to it, which is what made widespread sniffing so easy and dangerous. A switch, by contrast, only forwards packets to the MAC address for which they're destined—so when computer B wants to send a packet to router A, the switch doesn't give a copy to that sketchy user at computer C. This subtle change made wired networks far more trustworthy than they had been before. And when the original 802.11 Wi-Fi standard released in 1997, it included WEP—the Wireless Encryption Protocol—which supposedly offered the same expectations of confidentiality that users today now expect from wired networks.
In retrospect, WPA3's early predecessor missed the mark. Badly.
wi-fi  security  privacy  history 
14 days ago by rgl7194
Google Discloses Unpatched 'High-Severity' Flaw in Apple macOS Kernel
A cybersecurity researcher at Google's Project Zero division has publicly disclosed details and a proof-of-concept exploit of a high-severity security vulnerability in the macOS operating system after Apple failed to release a patch within 90 days of being notified.
Discovered by Project Zero researcher Jann Horn and demonstrated by Ian Beer, the vulnerability resides in the way the macOS XNU kernel allows an attacker to manipulate filesystem images without informing the operating system.
The flaw could eventually allow an attacker or a malicious program to bypass the copy-on-write (COW) functionality to cause unexpected changes in the memory shared between processes, leading to memory corruption attacks.
google  bug  mac  security  privacy 
19 days ago by rgl7194
Daring Fireball: 5 Percent, 18 Percent, What’s the Difference?
Kieren McCarthy, writing for The Register:
In just the latest in a seemingly endless stream of half-truths, Facebook has admitted it misled the public when it claimed that only 5 per cent of the users of its banned tracking app were teenagers.
The real figure, the Silicon Valley wunderkind has since confirmed to US Senator Mark Warner (D-VA), was nearly four times higher: 18 per cent.
Every single time Facebook puts a number on something, the truth turns out to be worse.
daring_fireball  facebook  privacy  security  tracking  apps  teenager 
20 days ago by rgl7194
Why Facebook Still Seems to Spy on You - WSJ
The company says we’re in charge of our personal data, but it remains difficult to control ad tracking
Facebook Inc. has spent the better part of a year telling its users, Congress and the readers of this paper that we’re in charge of our personal data and the ads we see. The network has streamlined its privacy settings, shared more details about how data is used and highlighted how its ad controls work.
If we take advantage of all these privacy controls, it shouldn’t still feel as if Facebook is spying on us, right? We shouldn’t see so many ads that seem so closely tied to our activity on our phones, on the internet or in real life.
The reality? I took all those steps months ago, from turning off location services to opting out of Facebook and Instagram ads tied to off-site behavior. I told my iPhone to “limit ad tracking.” Yet I continue to see eerily relevant ads.
I tested my suspicion by downloading the What to Expect pregnancy app. I didn’t so much as share an email address, yet in less than 12 hours, I got a maternity-wear ad in my Instagram feed. I’m not pregnant, nor otherwise in a target market for maternity-wear. When I tried to retrace the pathway, discussing the issue with the app’s publisher, its data partners, the advertiser and Facebook itself—dozens of emails and phone calls—not one would draw a connection between the two events. Often, they suggested I ask one of the other parties.
Within 12 hours of downloading a pregnancy app, this maternity-brand ad appeared on Instagram. Photo: Katherine Bindley/The Wall Street Journal
Everyday Health Group, which owns What to Expect, said it has no business relationship with Hatch, the maternity brand whose ad I received. Facebook initially said there could be any number of reasons I might have seen the ad—but that downloading the app couldn’t be one of them.
What I’ve learned is that our ability to control ad tracking is limited and that much of what Facebook claims should come with lengthy footnotes. As my colleague Sam Schechner demonstrated, app developers aren’t doing us any favors. They share personal data with Facebook—down to when a woman is ovulating—without adequately disclosing they’re doing so.
Facebook and others call this “industry standard practice.” But does anyone outside of the industry know that? And why does the standard have to mean someone telling Facebook every time I tap or click anything? I never opted in, and in some cases, data is shared before you can even click Accept on a privacy policy.
“We want people to understand how ads work and use our controls, which we’re simplifying and making clearer. We also believe the transparency and controls we offer lead in the ad industry,” said Joe Osborne, a Facebook spokesperson.
There are too many moving parts and players in the data-sharing game for ordinary people to have much say in—or even an understanding of—how we’re targeted. Here’s what you might not know about Facebook’s targeting practices.
I. Turning off location services doesn’t stop Facebook from targeting your location.
The day after I stepped into a San Francisco clothing boutique called Reformation—and didn’t buy anything—Instagram showed me an ad for that store. I confirmed in iPhone settings that location sharing for Instagram was off.
A Facebook spokeswoman looked into why I saw the ad and said that location wasn’t a factor. (The retailer told me it doesn’t use location targeting at its stores.) I fell into a “look-alike” audience that the advertiser was trying to reach, meaning I share similarities with its existing customers. But the spokeswoman did confirm Facebook and Instagram still show location-based ads to users who have location services turned off. And it isn’t something you can opt out of. (Gizmodo and others have previously reported this.)
The What to Expect app prompts a user to enter a due date before she can agree to the app’s privacy policy and terms of use. Photo: Katherine Bindley/The Wall Street Journal
Turning off location services on your phone stops your device from sending Facebook your “precise” location, says a support tutorial. Facebook says it “may still understand your location using things like check-ins, events and information about your internet connection.”
Facebook says it doesn’t use Wi-Fi or Bluetooth to target people with location services turned off, but it will use their IP (aka internet protocol) addresses.
Anytime you’re connected to the internet, there’s an IP address associated with you, and it’s also loosely tied to some geographic location. Sometimes it’s wrong: If I’m on my San Francisco office network, Facebook might guess that I’m in New Jersey, where the domain is registered. But if Facebook picks up an IP address from your home network or local coffee shop, it could map you fairly accurately.
Facebook also confirmed that data from other users enhances its understanding of an IP address location. If someone connected to the same coffee-shop network as me has location services turned on, for instance, Facebook could pinpoint us both. A spokeswoman said that when users have location services turned off, the company limits the location information it infers about them to the zip-code level. There’s nothing in its privacy policy saying it won’t use more specific IP-based location data in the future, however.
II. ‘Why I’m Seeing an Ad’ doesn’t explain why you’re seeing an ad.
Facebook has for years had a tool that’s supposed to tell you more about why you’re seeing an ad. Unfortunately, clicking “More information” often produces vague, unsatisfying results. An ad from CB2 said the furniture and home décor retailer wants to reach “people ages 25 to 54 who live or were recently in the United States.”
Some companies do run campaigns targeting a broad swath of people. But when you’re regularly seeing highly relevant ads, it’s clear that Facebook isn’t being specific enough about how the ad was actually targeted. And on Instagram, no such feature exists—you can hide ads but there’s no information about why you’re receiving them. Facebook says the company is working on building ad-transparency features for Instagram. It’s also planning to share more details about why someone is seeing an ad on Facebook.
You might be told you’re seeing a Facebook ad because you’re in a certain age group and/or city, because you’re on an advertiser’s customer list or because you resemble an advertiser’s existing customers. Photo: Katherine Bindley/The Wall Street Journal
III. You might see ads based on activity outside of Facebook, even if you opt out of seeing ads based on activity outside of Facebook.
Facebook’s Pixel web tracker and SDK tool for apps allow independent developers to track visitors to their sites and apps and retarget them with ads on Facebook and Instagram, among other things.
Ten months ago, the company announced its Clear History tool, to “enable you to see the websites and apps that send us information when you use them, delete this information from your account, and turn off our ability to store it associated with your account going forward.” A Facebook spokeswoman said, “The data a person clears will not be used to personalize their ads.” Facebook says it will be tested in the coming months.
You can tell Facebook you don’t want to be shown ads influenced by your behavior off its platform. To enable it, go to ad settings. Where it says “Ads based on data from partners,” set the toggle to “not allowed.”
It doesn’t just stop ads based on Pixel or SDK data. If an advertiser is trying to reach users who bought something from one of its stores, for instance, and it tries to target them using its uploaded sales data, Facebook will prevent that ad from appearing in the feeds of anyone with the setting enabled. If an advertiser has its own list of customers who recently purchased something, however, it can still use that to target Facebook users who have opted out.
I asked Facebook why I was still seeing ads that seemed tied to my browsing history. A spokesman confirmed that the setting only covers data that Facebook itself handles. Facebook can’t guarantee that users won’t see ads influenced by browsing data that comes from a source other than Facebook. (To no longer see ads from companies who have your information, go to the Ad Preferences page.)
None of this really explains what happened when I downloaded the What to Expect app and ended up almost immediately being pitched maternity-wear. I’m single, I long ago permanently hid the parenting ad topic and none of my Facebook “interests” relates to children. I don’t get pregnancy ads on Facebook or Instagram.
The What to Expect app was among those The Wall Street Journal found was sharing data with Facebook as recently as November, but the company said it stopped using Facebook’s SDK prior to January.
Two analytics firms that still do handle data for the app told me they didn’t have anything to do with my seeing the ad.
Everyday Health, the app’s maker, said it might have been my browsing history.
The clothing brand, Hatch, declined to share specifics about its targeting criteria.
And Facebook, upon looking into the ad, said I was targeted because I was part of a look-alike audience that resembles customers, uploaded by the advertiser, who apparently are in need of maternity-wear. The company reiterated I did not see that ad because I downloaded the pregnancy app. Must have been a coincidence.
facebook  security  privacy  tracking  spying  data  wsj 
22 days ago by rgl7194
Daring Fireball: Turnaround Time on Facebook's Spying: 12 Hours
Katherine Bindley, writing for The Wall Street Journal:
If we take advantage of all these privacy controls, it shouldn’t still feel as if Facebook is spying on us, right? We shouldn’t see so many ads that seem so closely tied to our activity on our phones, on the internet or in real life.
The reality? I took those steps months ago, from turning off location services to opting out of ads on Facebook and its sibling Instagram tied to off-site behavior. I told my iPhone to “limit ad tracking.” Yet I continue to see eerily relevant ads.
I tested my suspicion by downloading the What to Expect pregnancy app. I didn’t so much as share an email address, yet in less than 12 hours, I got a maternity-wear ad in my Instagram feed. I’m not pregnant, nor otherwise in a target market for maternity-wear. When I tried to retrace the pathway, discussing the issue with the app’s publisher, its data partners, the advertiser and Facebook itself — dozens of emails and phone calls — not one would draw a connection between the two events. Often, they suggested I ask one of the other parties.
Bindley’s piece ran under the headline “Why Facebook Still Seems to Spy on You”. I get that the Journal wants to be cautious, but there’s no “seems to” about it. They spy on us.
facebook  security  privacy  tracking  spying  daring_fireball  iphone  data 
22 days ago by rgl7194
Researcher Declines to Share Zero-Day macOS Keychain Exploit with Apple
Security researcher Linus Henze demoed a zero-day macOS exploit impacting the Keychain password management system which can store passwords for applications, servers, and websites, as well as sensitive information related to banking accounts.
All the data stored in the macOS Keychain app is encrypted by default, blocking other users or third-party apps from gaining access to it without proper permissions.
The vulnerability found by Henze in Apple's macOS operating system last week is present "in the keychain's access control" and it could allow a potential attacker to steal Keychain passwords from any local user account on the Mac, without needing admin privileges or the keychain master password.
According to the researcher, the zero-day he found works "as long as the keychain is unlocked (which it usually is as long as you’re logged in), except for the System keychain - containing WiFi passwords etc. - which may be locked."
Additionally, the exploit impacts all macOS versions up to the latest one, 10.14.3 Mojave, and will extract the passwords without displaying any user prompts while doing it.
Henze also built a Proof-of-Concept application named KeySteal to demonstrate how his zero-day exploit works, which you can see demoed in the video below.
security  privacy  0day  bug  passwords  mac  research  video 
4 weeks ago by rgl7194
Behold, the Facebook phishing scam that could dupe even vigilant users | Ars Technica
HTML block almost perfectly reproduces Facebook single sign-on window.
Phishers are deploying what appears to be a clever new trick to snag people’s Facebook passwords by presenting convincing replicas of single sign-on login windows on malicious sites, researchers said this week.
Single sign-on, or SSO, is a feature that allows people to use their accounts on other sites—typically Facebook, Google, LinkedIn, or Twitter—to log in to third-party websites. SSO is designed to make things easier for both end users and websites. Rather than having to create and remember a password for hundreds or even thousands of third-party sites, people can log in using the credentials for a single site. Websites that don’t want to bother creating and securing password-based authentication systems need only access an easy-to-use programming interface. Security and cryptographic mechanisms under the hood allow the login to happen without the third-party site ever seeing the username or password.
Researchers with password manager service Myki recently found a site that purported to offer SSO from Facebook. As the video below shows, the login window looked almost identical to the real Facebook SSO. This one, however, didn’t run on the Facebook API and didn’t interface with the social network in any way. Instead, it phished the username and password.
security  facebook  privacy  phishing 
5 weeks ago by rgl7194
WARNING – New Phishing Attack That Even Most Vigilant Users Could Fall For
How do you check if a website asking for your credentials is fake or legit to log in?
By checking if the URL is correct?
By checking if the website address is not a homograph?
By checking if the site is using HTTPS?
Or using software or browser extensions that detect phishing domains?
Well, if you, like most Internet users, are relying on the above basic security practices to spot whether that "Facebook.com" or "Google.com" you have been served is fake or not, you may still fall victim to a newly discovered creative phishing attack and end up giving away your passwords to hackers.
security  privacy  phishing  facebook 
5 weeks ago by rgl7194
Rachel Maddow’s U.S. cold weather concern over Russia and China was not baseless
WikiLeaks
“U.S. largest audience TV host, MSNBC’s Rachel Maddow (Democratic party aligned) this evening: Russia will freeze you and your family to death.”
Source: RIA Novosti, February 1, 2019
FALSE
Maddow did not say what WikiLeaks implied she said.
In the midst of extreme cold weather in the U.S. on February 1, Russia’s main state media outlet RIA Novosti published an article headlined “The MSNBC host stated, that Russia may cut off the heating in the U.S. during the freeze.”
Here is what Maddow actually said: “What would happen if Russia killed the power in Fargo today? What would you do if you lost heat indefinitely as the act of a foreign power on the same day the temperature in your backyard matched the temperature in Antarctica?”
The RIA Novosti article went on to describe Maddow as “known for her anti-Russian position,” and concluded that her questions were baseless and merely a fraction of the U.S. media’s “ambiguous statements demonizing Russia.”
RIA Novosti is wrong – the MSNBC host’s concerns are based on U.S. government warnings.
news  usa  russia  politics  hack  utilities  electric  security  tv 
5 weeks ago by rgl7194
New Offensive USB Cable Allows Remote Attacks over WiFi
Like a scene from a James Bond or Mission Impossible movie, a new offensive USB cable plugged into a computer could allow attackers to execute commands over WiFi as if they were using the computer's keyboard.
When plugged into a Linux, Mac, or Windows computer, this cable is detected by the operating system as an HID, or human interface device. As HID devices are treated as input devices by the operating system, they can be used to input commands as if they were being typed on a keyboard.
Created by security researcher Mike Grover, who goes by the alias _MG_, the cable includes an integrated WiFi PCB that was designed by the researcher. This WiFi chip allows an attacker to connect to the cable remotely to execute commands on the computer or manipulate the mouse cursor.
In a video demonstration by Grover, you can see how the researcher simply plugs a cable into the PC and is able to connect to it remotely to issue commands through an app on his mobile phone.
security  privacy  USB  cables  wi-fi  hack 
5 weeks ago by rgl7194
Armored Cadillac Escalade Is the Mobile Safe Room of Your Dreams
Hear some rumors about a violent coup brewing among the commoners? Cut a little too deep with your latest diss track? Worried that your former "business partner" might make an early parole? If so, the AddArmor Executive Cadillac Escalade is for you. The latest high-tech example from the Jackson, Wyoming, AddArmor company, the Executive Escalade is built to the stringent European B6 ballistic armoring standard (rated to withstand hand grenades, a 12-pound land mine, and rifle fire from an AR-15 or similar) and includes a laundry list of counterattack measures comprehensive enough to try the patience of even the most persistent infidels.
At the core of the Escalade's defenses is its extensive use of carbon-composite panels that are claimed to be 10 times stronger than ballistic steel yet weigh 60 percent less. So equipped, AddArmor claims the vehicle can withstand high-velocity rounds from 30-06, 7.62, and .556-caliber munitions. Specially designed cases ensconce the dual batteries and ECU to ensure electrical integrity even in dire situations. The lightweight carbon-composite panels put less strain on the vehicle's ability to accelerate, stop, and steer, although the AddArmor Escalade does feature beefed-up suspension and braking components of unspecified content. Run-flat tires are capable of running up to 30 miles even after being pierced by multiple rounds from a high-powered rifle.
caddy  cars  safety  security  SUV 
5 weeks ago by rgl7194
I'm Confused, Are You All Not Already Rolling Around in Armored Cadillac Escalades?
As I have outlined to you multiple times before, traveling in cars really isn’t my speed. Oh, I like owning them just fine, don’t get me wrong. Especially when they are covered in diamond dust—but I much prefer transit by submarines and planes. It’s gotten to the point where if I absolutely have to use a car to get to places, thanks to those bullshit FAA regulations or there’s no body of water nearby, I do so in this armored Cadillac Escalade. Doesn’t everybody do that already?
Take just last week. I was in [LOCATION REDACTED] for a lunch meeting with [REDACTED]. I was seated calmly in the back seat of my AddArmor Escalade, pouring myself a third flute of Dom, when three smart taps sounded from the door.
“Come in!” I chirped.
The door opened and my driver shoved [REDACTED] in before climbing back into the driver’s seat himself. [REDACTED] sprawled across the quilted leather seats, his suit very rumpled and his expression petulant.
“When my father finds out you’ve kidnapped me—” he snarled.
“Do you have it?” I cut in.
cars  SUV  caddy  safety  security 
5 weeks ago by rgl7194
This $350,000 Armored Cadillac Escalade Has Gun Ports, Electric-Shock Doors, Smokescreen Systems - The Drive
Two-inch-thick ballistic glass, counter-attack sound cannon, night vision, and an anti-jamming satellite system make this Escalade a rolling vault.
Have you ever found yourself cruising down the highway in your Cadillac Escalade wishing your luxury SUV was a bit...safer? I'm not talking about having more airbags or blind-spot monitoring kind of safer, but features like hidden gun ports, ballistic glass, smokescreen systems, and door handles that'll shock the crap out of anyone who tries to invite themselves in. If you have, then Wyoming-based vehicle armoring company AddArmor can help you with that—and all you're going to need is approximately $350,000.
Called the "Executive Protection Escalade," the blacked-out Caddie combines some of the most advanced security and anti-ballistic technology with luxurious and private jet-like interior finishes. The end result is a nearly stock-looking exterior that's anything but in terms of performance, capabilities, and...price.
cars  SUV  caddy  safety  security  the_drive 
5 weeks ago by rgl7194
Researchers use Intel SGX to put malware beyond the reach of antivirus software | Ars Technica
Processor protects malware from attempts to inspect and analyze it.
Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code. As well as making malware in general harder to examine, bad actors could use this protection to, for example, write ransomware applications that never disclose their encryption keys in readable memory, making it substantially harder to recover from attacks.
The research, performed at Graz University of Technology by Michael Schwarz, Samuel Weiser, and Daniel Gruss (one of the researchers behind last year's Spectre attack), uses a feature that Intel introduced with its Skylake processors called SGX ("Software Guard eXtensions"). SGX enables programs to carve out enclaves where both the code and the data the code works with are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). The contents of an enclave are transparently encrypted every time they're written to RAM and decrypted upon being read. The processor governs access to the enclave memory: any attempt to access the enclave's memory from code outside the enclave is blocked; the decryption and encryption only occurs for the code within the enclave.
security  privacy  chip  firmware  malware  research  RAM 
5 weeks ago by rgl7194
What is phishing, and how can you protect yourself? | 1Password
Phishing scams trick people into sending sensitive information like bank details or login credentials to a fake copy of a real site. Luckily, it’s pretty easy to stay safe. We’ll show you how.
What is phishing?
Phishing is a fraudulent attempt to trick people into providing sensitive information, like passwords and credit card numbers, by pretending to be someone trustworthy. The scammer uses the claim of legitimacy as bait to catch their victims. For example, an email that claims to be from your bank and asks you to confirm your card details would be a phishing scam.
Phishing isn’t always done via email. Vishing (voice phishing) is an attempt to collect sensitive information over the phone. Smishing (SMS phishing) uses text messaging. But the goal of the attacker is always the same: to get personal information that could be used maliciously.
privacy  security  phishing  1password 
5 weeks ago by rgl7194
SMS phishing - a cautionary tale | 1Password
Scams that try to extract personal information via phishing sites, phone calls, or SMS are on the rise. It’s something we covered in detail in What is phishing, and how can you protect yourself?
As someone who works for 1Password, security is a big focus of mine. I’m happy to admit that this job has made me far more paranoid than I used to be, and naturally I use 1Password to make sure all my passwords are strong, unique, and have never been included in any breach. I’ve read our internal security guide many times over, and I took part in a company-wide security training session just recently at our annual company get-together.
You’d think all this preparation would keep me safe from phishing – but last week, I was nearly caught out. If I can be caught out, so can you, and so I write this post in the hope that my experience will encourage others to be cautious.
messaging  phishing  1password  security  privacy 
5 weeks ago by rgl7194
Troy Hunt: The Race to the Bottom of Credential Stuffing Lists; Collections #2 Through #5 (and More)
A race to the bottom is a market condition in which there is a surplus of a commodity relative to the demand for it. Often the term is used to describe labour conditions (workers versus jobs), and in simple supply and demand terms, once there's so much of something all vying for the attention of those consuming it, the value of it plummets.
On reflecting over the last 3 and a half weeks, this is where we seem to be with credential stuffing lists today and I want to use this blog post to explain the thinking whilst also addressing specific questions I've had regarding Collections #2 through #5.
The 773 Million Record "Collection #1" Data Breach
On Thursday 17 Jan, I loaded 773M records into Have I Been Pwned (HIBP) which I titled "Collection #1". I explained how this data originated from multiple different sources and was likely obtained over a period of many years before being amalgamated together and passed around as one massive stash. There were 2.7B rows of email addresses and passwords in total, but only 1.6B of them were unique (my own identical record appeared half a dozen times). In other words, there was a huge amount of redundancy.
I made the call to load the data into HIBP based primarily on 3 facts:
The data was sufficiently unique: more than 18% of the email addresses had not been seen in HIBP before
The data was in broad circulation: multiple parties had contacted me and passed on Collection #1
There was a large number of previously unseen passwords: of the 21M unique ones, half of them weren't already in HIBP's Pwned Passwords
breach  collection_#1  data  email  passwords  privacy  pwn  security  credential_stuffing 
5 weeks ago by rgl7194
Cameras and Microphones — MacSparky
I enjoyed John Gruber’s response to the Wall Street Journal piece on the risks posed by webcams. In the article, Joanna Stern for the WSJ found a white hat hacker to try and break into her webcam on a Mac and a Windows PC. On the Mac, getting access to the webcam required her to download an app outside of the App Store, turn off some of its security features, and then click OK on a dialog asking for camera access. That doesn’t sound like getting hacked to me as much as just being dumb.
Most interesting to me was John’s concern about microphones.
“I’ve never understood … the complete lack of similar paranoia over microphones, which cannot be blocked by a piece of tape and which have no in-use indicator lights.”
I agree with this 100%. If there is going to be a privacy breach through your Mac that does not include you doing something silly (like clicking OK to camera access), it is going to be through the microphone. I'd love to get some indication from Apple that they are addressing this vector as well as they’ve addressed the video camera.
camera  daring_fireball  mac  privacy  security  social_engineering  windows  audio 
5 weeks ago by rgl7194
Too few cybersecurity professionals is a gigantic problem for 2019 | TechCrunch
As the new year begins gaining steam, there is ostensibly a piece of good news on the cyber front. Major cyberattacks have been in a lull in recent months, and still are.
The good tidings are fleeting, however. Attacks typically come in waves. The next one is due, and 2019 will be the worst year yet — a sad reality as companies increasingly pursue digitization to drive efficiency and simultaneously move into the “target zone” of cyberattacks.
This bad news is compounded by the harsh reality that there are not nearly enough cybersecurity pros to properly respond to all the threats.
The technology industry has never seen anything quite like it. Seasoned cyber pros typically earn $95,000 a year, often markedly more, and yet job openings can linger almost indefinitely. The ever-leaner cybersecurity workforce makes many companies desperate for help.
Between September 2017 and August 2018, U.S. employers posted nearly 314,000 jobs for cybersecurity pros. If they could be filled, that would boost the country’s current cyber workforce of 714,000 by more than 40 percent, according to the National Initiative for Cybersecurity Education. In light of the need, this is still the equivalent of pocket change.
security  cyber  career  jobs 
5 weeks ago by rgl7194
Daring Fireball: On Covering Webcams
I’m a big fan of Joanna Stern — she was in fact just on my podcast and it was one of my favorite episodes in a while. At the end of the episode, she mentioned that she was working on a piece about webcam security for her Personal Tech column at The Wall Street Journal. That column dropped yesterday, and I found it half enlightening, half maddening.
How secure are these tiny eyes into our private lives? The bad news is, it was possible for Mr. Heid to get into my Windows 10 laptop’s webcam and, from there, my entire home network. He also eventually cracked my MacBook Air. The good news is that both operating systems were initially able to thwart the hacker. It took me performing some intentionally careless things for him to “succeed.”
Key words there: intentionally careless.
security  privacy  windows  mac  camera  social_engineering  daring_fireball  audio 
6 weeks ago by rgl7194
Apple to Remove “Do Not Track” Feature from Safari | The Mac Security Blog
Apple is planning to remove the Do Not Track feature from the Safari web browser with the next major updates of macOS Mojave and iOS. With versions 10.14.4 and 12.2 of these operating systems, respectively, the Do Not Track feature will no longer be available.
Introduced in 2014, Do Not Track was added to Apple's browsers and told websites that you didn't want to be tracked, or have your web browsing followed across multiple sites. According to Apple, "it’s up to the website to honor this request."
Do Not Track has proved to be essentially useless, as most websites simply ignore it. And, the existence of this feature can help trackers create a fingerprint of your web browser. This fingerprinting uses a number of variables in your browser and operating system to create what can be a unique profile capable of identifying you.
You can test this on the website Am I Unique? It looks at a set of data provided to websites by your browser, including which app you use, which operating system and version, the language of your operating system, your time zone, screen resolution, which plugins you have installed, and more.
Apple claims that its Intelligent Tracking Prevention (ITP), which it launched in 2017, is more efficient than Do Not Track, which has always been optional. It "keeps embedded content such as social media Like buttons, Share buttons and comment widgets from tracking you without your permission."
safari  browser  privacy  do_not_track  security  macOS  10.14  ios12  tracking 
6 weeks ago by rgl7194
Two-Factor Authorization Apps for iOS | The Mac Security Blog
We've written many times about two-factor authentication (2FA) on this blog, and why it's essential to protect your accounts in this way. When you set up 2FA, most services send you a code by SMS by default, but many services also allow you to use a 2FA app, which you can run on your Mac, your iOS device, or even your Apple Watch. In this article, I'm going to explain why you should use an app like this, and I'm going to discuss three such iOS apps: Google Authenticator, Authy, and 1Password.
Why should you use a two-factor authentication app?
Two-factor authentication is a way of adding an extra layer of security to your accounts. It combines something you know: your user name and password, with something you have: a code that is sent to you by the service, or generated by an app. Since data breaches are so common, and, let's admit it, many people re-use passwords because good passwords are difficult to remember, the "something you know" may also be in the hands of miscreants.
However, the something you have—the authorization code—cannot be leaked and reused at a later time, because these codes have a very short lifespan (usually a matter of minutes or seconds). However, when codes are sent via SMS, they could be intercepted, which is why using an app provides assurance that no one can get at the code you use to confirm your identity. They are easy to set up and use, and they're quicker to use, since you don't have to wait for codes to be sent to you. They can even provide you with access when you can't receive SMSes.
security  privacy  ios  2FA  apps 
6 weeks ago by rgl7194
How to download and install iOS 12.1.4 on your iPhone or iPad | iMore
Update: Apple sent iMore the following statement regarding the iOS 12.1.4 patch:
"Today's software update fixes the security bug in Group FaceTime. We again apologize to our customers and we thank them for their patience. In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime. To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS."
audio  bug  facetime  ios12  privacy  security  video 
6 weeks ago by rgl7194
Apple Releases iOS Software Update Fixing The Group FaceTime Security Flaw
Today, Apple released a software update, iOS 12.1.4, that includes an important fix for a bug in the Group FaceTime video chat feature.
The security flaw gave callers access to the call recipient's microphone and front-facing camera. "We again apologize to our customers and we thank them for their patience," an Apple spokesperson said in a statement.
After performing a security audit, the company also discovered a previously unreported vulnerability in a separate feature that allows participants to capture Live Photos during a FaceTime call. "To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS," the spokesperson said.
audio  bug  facetime  ios12  privacy  security  video 
6 weeks ago by rgl7194
Apple Releases Fix for Group FaceTime Snooping Bug in iOS and macOS
Apple has released security updates for iOS and macOS that fix a severe bug in FaceTime that allowed callers to listen in, and potentially view, the people they were calling without the call being answered.
At the end of January, videos started circulating on social media about a serious bug in iOS and macOS that allowed users to initiate a Group FaceTime call and listen in on those they were calling without that person answering the call or even knowing that their microphone was activated. To make matters worse, if the person receiving the call pressed the power button to mute the ringing, their front-facing camera would turn on allowing the caller to see what was happening in the room.
As you can imagine, this bug had serious privacy ramifications and could be used by people to listen in on rooms or potentially get images of people in very private situations.
Apple stated that they would create a security update and release it the following week. While they were fixing the bug, they disabled Group FaceTime, so that the bug could not be abused.
Today, Apple has released iOS 12.1.4 and a macOS Mojave 10.14.3 Supplemental Update that fixes this FaceTime bug. According to the release notes, this bug was caused by a logic issue in how Group FaceTime calls were handled.
"A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management."
audio  bug  facetime  ios12  privacy  security  video 
6 weeks ago by rgl7194
Apple Releases iOS Update to Fix FaceTime Bug and Compensates Teen Who Discovered the Problem – MacStories
Today, Apple issued an update to iOS that fixes the serious bug that we reported on last week, which could be exploited to eavesdrop on someone using FaceTime. With iOS 12.1.4 in place, Apple has turned Group FaceTime back on server-side too, but it will only work with the updated version of iOS and later releases.
In a statement to MacRumors, BuzzFeed, and other media outlets Apple said:
Today's software update fixes the security bug in Group FaceTime. We again apologize to our customers and we thank them for their patience. In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime. To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS.
audio  bug  facetime  ios12  privacy  security  video 
6 weeks ago by rgl7194
Apple pushes fix for “FacePalm,” possibly its creepiest vulnerability ever | Ars Technica
Bug in FaceTime Group feature allowed people to eavesdrop on users' audio and video.
Apple has patched one of its creepiest vulnerabilities ever—a flaw in its FaceTime messenger app that made it possible for people to eavesdrop on audio and video captured by iPhones and Macs.
The bug in Group FaceTime, a feature that allows conference-call-style chats, made it trivial for someone to eavesdrop on someone else simply by initiating a FaceTime call, swiping up and choosing “add person,” and entering their own number to add themselves as a participant in a Group FaceTime call. While people on the receiving end would see a call was coming through, they would have no idea that the person trying to connect could already hear nearby audio and, in many cases, see video.
Two other potentially serious iOS security bugs Apple fixed Thursday have been under active attack in the wild, security researchers with Google's Project Zero said. One bug, indexed as CVE-2019-7287, is a memory corruption flaw in the IOKit. Apple said it may allow apps to execute arbitrary code with kernel privileges. Another memory corruption bug in Foundation, CVE-2019-7286, may allow an application to gain elevated privileges.
The in-the-wild exploits could be severe because, based on Apple's vulnerability description, they fundamentally subvert Apple's security model, which prevents apps from accessing other apps and from interacting with the security of iOS itself. A Google spokesman declined to provide details about the attacks. An Apple representative also declined comment.
audio  bug  facetime  ios12  privacy  security  video 
6 weeks ago by rgl7194
Daring Fireball: Purported Exploit Exposes Keychain Passwords on MacOS
Thomas Brewster, Forbes:
Just last week it emerged that a 14-year-old uncovered a bug that allowed snooping on iPhone and Mac users thanks to a problem in FaceTime. Now German 18-year-old Linus Henze has uncovered a vulnerability affecting the latest Apple macOS that leaves stored passwords open to malicious apps. That could include logins for your bank website, Amazon, Netflix, Slack and many more apps. And even though this is a Mac-only bug, if you’re using the iCloud keychain, passwords synced across iPhones and Macs may also be in danger.
To make matters worse, it’s likely that no fix is in the works. Henze isn’t disclosing his findings to Apple, telling Forbes the lack of payment for such research was behind his decision to keep the hack’s details secret from the Cupertino giant.
Henze hasn’t released code (thankfully), only a video purporting to show his exploit in action. I’d be skeptical except that Patrick Wardle has tested the exploit and vouches for it, telling Sergiu Gatlan at the website Bleeping Computer:
Yes, I was able to test it on a fully patched system and it worked lovely… It’s a really nice bug, inspiringly so… If I’m a hacker or piece of malware this would be the first thing I do once I gain access to the system… Dump various keychains to extract passwords, private keys, signing certificates and sensitive tokens. It’s unfortunate that there is yet another bug in the keychain access… One would hope something like a keychain which is supposed to be secure would, in fact, be secure but unfortunately, that’s not the case.
This looks like a really bad vulnerability — especially so since Henze isn’t sharing details with Apple.
Why in the world Apple only offers security bounties for iOS is beyond my comprehension. Of course iOS has the most users, but the potential for truly critical bugs exists on all of Apple’s platforms.
bug  0day  macOS  10.14  security  privacy  passwords  daring_fireball 
6 weeks ago by rgl7194
Daring Fireball: Apple Is Compensating the 14-Year-Old Who Discovered Major FaceTime Security Bug
Tom Warren, reporting for The Verge:
Apple released iOS 12.1.4 today to fix a major security flaw in FaceTime that allowed people to eavesdrop on iPhone users. The bug was originally reported to Apple by Michele Thompson after her 14-year-old son, Grant, discovered that you could add yourself to a Group FaceTime call and force recipients to answer immediately. Apple was initially slow to respond, but the company has now credited the discovery to Grant Thompson of Catalina Foothills High School.
Apple also tells The Verge that it’s compensating the Thompson family for discovering the vulnerability, and providing an additional gift to fund Grant Thompson’s tuition. Apple hasn’t revealed exactly how much it’s paying the Thompson family.
facetime  audio  bug  ios12  legal  privacy  security  video  daring_fireball 
6 weeks ago by rgl7194
Daring Fireball: Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data for Years
Joseph Cox, reporting for Motherboard:
Around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data, with one bail bond firm using the phone location service more than 18,000 times, and others using it thousands or tens of thousands of times, according to internal documents obtained by Motherboard from a company called CerCareOne, a now-defunct location data seller that operated until 2017. The documents list not only the companies that had access to the data, but specific phone numbers that were pinged by those companies.
In some cases, the data sold is more sensitive than that offered by the service used by Motherboard last month, which estimated a location based on the cell phone towers that a phone connected to. CerCareOne sold cell phone tower data, but also sold highly sensitive and accurate GPS data to bounty hunters; an unprecedented move that means users could locate someone so accurately as to see where they are inside a building. This company operated in near-total secrecy for over 5 years by making its customers agree to “keep the existence of CerCareOne.com confidential,” according to a terms of use document obtained by Motherboard.
This story from January — also broken by Cox — just got a whole lot worse.
telco  wireless  security  privacy  data  sharing  location_services  cellphones  daring_fireball 
6 weeks ago by rgl7194
Daring Fireball: Apple Apologizes for Group FaceTime Bug, Software Update With Fix Delayed Until Next Week
Apple:
We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.
We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.
Good on Apple for thanking the Thompson family, and for acknowledging that something is wrong with their process for escalating critical bugs reported by regular customers.
In the meantime, regular 1:1 FaceTime works and is safe to use. But Group FaceTime is unavailable until the software update rolls out next week.
audio  bug  facetime  ios12  legal  privacy  security  video  daring_fireball 
6 weeks ago by rgl7194
Daring Fireball: Apple Revokes Google's Enterprise Certificates for iOS Apps
What’s good for the goose is good for the Google.
As soon as I saw this yesterday, I thought it was pretty much the exact same thing Facebook had been doing. Only fair they’d face the same result.
UPDATE: BuzzFeed has statements:
In a statement, Google told BuzzFeed News, “We’re working with Apple to fix a temporary disruption to some of our corporate iOS apps, which we expect will be resolved soon.” Apple told BuzzFeed News, “We are working together with Google to help them reinstate their enterprise certificates very quickly.”
Apple has issued no such statement regarding Facebook.
google  security  privacy  data  ios  daring_fireball  location_services  apps  developer 
6 weeks ago by rgl7194
Daring Fireball: Google Had a Similar Data Collection VPN App Distributed to iPhones as an Enterprise Beta
TechCrunch:
After we asked Google whether its app violated Apple policy, Google announced it will remove Screenwise Meter from Apple’s Enterprise Certificate program and disable it on iOS devices.
The company said in a statement to TechCrunch:
“The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize. We have disabled this app on iOS devices. This app is completely voluntary and always has been. We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time.”
Makes you wonder how many companies are abusing the enterprise beta stuff to effectively side-load apps onto iPhones that would never pass muster in the App Store.
google  security  privacy  data  ios  daring_fireball  location_services  apps  developer 
6 weeks ago by rgl7194
Apple says it’s banning Facebook’s research app that collects users’ personal information - Recode
Facebook will stop its “market research” program that was paying users in exchange for their mobile data.
Facebook is at the center of another privacy scandal — and this time it hasn’t just angered users. It has also angered Apple.
The short version: Apple says Facebook broke an agreement it made with Apple by publishing a “research” app for iPhone users that allowed the social giant to collect all kinds of personal data about those users, TechCrunch reported Tuesday. The app allowed Facebook to track users’ app history, their private messages, and their location data. Facebook’s research effort reportedly targeted users as young as 13 years old.
As of last summer, apps that collect that kind of data are against Apple’s privacy guidelines. That means Facebook couldn’t make this research app available through the App Store, which would have required Apple approval.
Instead, Facebook apparently took advantage of Apple’s “Developer Enterprise Program,” which lets approved Apple partners, like Facebook, test and distribute apps specifically for their own employees. In those cases, the employees can use third-party services to download beta versions of apps that aren’t available to the general public.
Apple doesn’t review and approve these apps the way it does for the App Store because they’re only supposed to be downloaded by employees who work for the app’s creator.
Facebook, though, used this program to pay non-employees as much as $20 per month to download the research app without Apple’s knowledge.
facebook  vpn  security  privacy  data  teenager  ios  location_services  apps  developer 
6 weeks ago by rgl7194
Daring Fireball: Apple Revoked Facebook's Enterprise Developer Certificates
Kurt Wagner, reporting for Recode:
Apple’s response, via a PR rep this morning: “We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”
Translation: Apple won’t let Facebook distribute the app anymore — a fact that Apple likely communicated to Facebook on Tuesday evening. Apple’s statement also mentions that Facebook’s “certificates” — plural — have been revoked. That implies Facebook cannot distribute other apps to employees through this developer program right now, not just the research app.
Alex Heath:
This is incredible: None of Facebook’s internal iOS apps/betas (used by thousands of employees) are working right now because Apple just revoked the company’s certificate. They won’t open.
For employees to use Facebook products on iOS they have to go download from the App Store.
Someone is (rightly) pissed.
facebook  vpn  security  privacy  data  teenager  ios  daring_fireball  location_services  apps  developer 
6 weeks ago by rgl7194
Apple bans Facebook’s Research app that paid users for data | TechCrunch
In the wake of TechCrunch’s investigation yesterday, Apple blocked Facebook’s Research VPN app before the social network could voluntarily shut it down. The Research app asked users for root network access to all data passing through their phone in exchange for $20 per month. Apple tells TechCrunch that yesterday evening it revoked the Enterprise Certificate that allows Facebook to distribute the Research app without going through the App Store. This not only breaks the Research app, but all of Facebook’s internal-use employee apps for collaboration and logistics too, from workplace chat to the lunch menu.
TechCrunch had reported that Facebook was breaking Apple’s policy that the Enterprise system is only for distributing internal corporate apps to employees, not paid external testers. That was actually before Facebook released a statement last night saying that it had shut down the iOS version of the Research program without mentioning that it was forced by Apple to do so.
facebook  vpn  security  privacy  data  teenager  ios  location_services  apps  developer 
6 weeks ago by rgl7194
Facebook pays teens to install VPN that spies on them | TechCrunch
Desperate for data on its competitors, Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms.
Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits.
Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe.
Seven hours after this story was published, Facebook told TechCrunch it would shut down the iOS version of its Research app in the wake of our report. But on Wednesday morning, an Apple spokesperson confirmed that Facebook violated its policies, and it had blocked Facebook’s Research app on Tuesday before the social network seemingly pulled it voluntarily (without mentioning it was forced to do so). You can read our full report on the development here.
facebook  vpn  security  privacy  data  teenager  ios  location_services  apps  developer 
6 weeks ago by rgl7194
Daring Fireball: TechCrunch: Facebook Pays Teenagers to Install VPN That Spies on Them
...What apps you’re using, all of your network data, your location — Facebook takes all of it with this app. (Strafach is tweeting up a storm tonight on this story.)
Genuinely interested to see how Apple responds to this. To my eyes, this action constitutes Facebook declaring war on Apple’s iOS privacy protections. I don’t think it would be out of line for Apple to revoke Facebook’s developer certificate, maybe even pull their apps from the App Store. No regular developer would get away with this. Facebook is betting that their apps are too popular, that they can do what they want and Apple has to sit back and take it. I keep saying Facebook is a criminal enterprise, and I’m not exaggerating. Sometimes a bully needs to be punched in the face, not just told to knock it off.
facebook  vpn  security  privacy  data  teenager  ios  daring_fireball  location_services  apps  developer 
6 weeks ago by rgl7194
Verizon and AT&T will stop selling your phone’s location to data brokers | Ars Technica
Carriers forced to make changes after leak of real-time phone location data.
Verizon and AT&T have promised to stop selling their mobile customers' location information to third-party data brokers following a security problem that leaked the real-time location of US cell phone users.
Sen. Ron Wyden (D-Ore.) recently urged all four major carriers to stop the practice, and today he published responses he received from Verizon, AT&T, T-Mobile USA, and Sprint.
Wyden's statement praised Verizon for "taking quick action to protect its customers' privacy and security," but he criticized the other carriers for not making the same promise.
"After my investigation and follow-up reports revealed that middlemen are selling Americans' location to the highest bidder without their consent or making it available on insecure Web portals, Verizon did the responsible thing and promptly announced it was cutting these companies off," Wyden said. "In contrast, AT&T, T-Mobile, and Sprint seem content to continue selling their customers' private information to these shady middle men, Americans' privacy be damned."
AT&T changed its stance shortly after Wyden's statement. "Our top priority is to protect our customers' information, and, to that end, we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance," AT&T said in a statement to Ars.
Sen. Wyden recognized AT&T's change on Twitter and called on T-Mobile and Sprint to follow suit.
Sprint told Ars that it has "nothing additional to share." We also asked T-Mobile for a response to Wyden's statement and will update this story if the carrier answers. T-Mobile told Wyden that it will continue the data aggregation program but that it has "appropriate controls" in place.
(UPDATE: Sprint announced that it is changing its data sharing practices about two hours after this story was published. "Sprint is beginning the process of terminating its current contracts with data aggregators to whom we provide location data," Sprint told Ars. "This will take some time in order to unwind services to consumers, such as roadside assistance and fraud prevention services." Sprint said that it previously "suspended all data sharing" with LocationSmart, a data broker involved in the controversy. Sprint said that it stopped providing data to LocationSmart on May 25.)
telco  wireless  security  privacy  data  sharing  location_services  cellphones 
6 weeks ago by rgl7194
Newly-Discovered Bug in Group FaceTime Inadvertently Allows Eavesdropping - SecureMac
When Apple debuted iOS 12.1 late last year, one of the flagship additions to the system was Group FaceTime. This long-requested feature allows multiple users to enjoy simultaneous face-to-face video chat through FaceTime. However, in the wake of a serious flaw in Group FaceTime that was disclosed this past week, the feature is currently inaccessible on all iOS devices.
At issue is the potential risk for spying on the audio (and in some cases, video) feeds from a phone targeted through the flaw. Unlike many iOS bugs, this one does not require a convoluted series of steps or an awkward sequence of button presses. In fact, all signs point to a teenager making the original discovery of the flaw about a week before its widespread recognition.
To exploit the bug, all one has to do is initiate a FaceTime call and, before the recipient answers, add oneself to the call as an additional user. This step provides the user’s own phone with the option to accept the call. If they do, the user will now be able to hear everything being said near the microphone of the target device.
The good news is that this is not (initially) a silent bug; that is, it is not possible to trigger the flaw and eavesdrop through the target phone without also triggering that device’s ringer. However, that does little to mitigate the privacy and security risks posed by the ability to overhear someone without their consent, even for a few seconds at a time. Worse, if the user dismisses the FaceTime call request, it appears their phone begins transmitting the phone’s camera video feed — all while the user believes they are not in a call at all.
This is not the first time privacy flaws have been discovered in Group FaceTime. A previous issue patched in November allowed users to bypass the lock screen to explore a target’s address book without authorization. For now, Apple has chosen to shutter Group FaceTime temporarily, disabling server access for all users.
Although an extreme step, the effort demonstrates a clear commitment to minimizing risk and reducing the number of users potentially affected by individuals attempting to exploit the bug. The Cupertino tech giant has said a fix, which should close this loophole for good, will be available for download within approximately the next week. Users should take care to watch for this upcoming patch.
Check back here for updates on this story as they become available.
audio  bug  facetime  ios12  privacy  security  video 
6 weeks ago by rgl7194
#135 Robocall: Bang Bang by Reply All from Gimlet Media
Show Notes
This week, Alex investigates the rise of one of the most hated businesses: Robocalls. And Damiano tries to figure out if a robocaller is tracking his every move.
reply_all  podcast  transcript  robocalls  scam  telemarketing  privacy  security  tracking  apps  location_services 
6 weeks ago by rgl7194
UAE intel unit used iPhone exploit to spy on rivals - Six Colors
Reuters has a pretty sobering story about an intelligence unit inside the United Arab Emirates that apparently utilized an iMessage exploit to compromise targets’ iPhones without any action on the users’ part:
Three former operatives said they understood Karma to rely, at least in part, on a flaw in Apple’s messaging system, iMessage. They said the flaw allowed for the implantation of malware on the phone through iMessage, even if the phone’s owner didn’t use the iMessage program, enabling the hackers to establish a connection with the device.
To initiate the compromise, Karma needed only to send the target a text message — the hack then required no action on the part of the recipient. The operatives could not determine how the vulnerability worked.
The story suggests that Apple software updates made the exploit “far less effective” after 2017, though it notably doesn’t say that security hole was completely closed.
The hack allowed access to a broad range of data on the targets’ phones, including messages, location data, and photos, and was used on diplomats, activists, and foreign leaders. The provenance of the tool was unknown, even to those using it.
(I expect this piece to elicit some comparisons to the Bloomberg server piece from last fall, but note that the Reuters piece includes at least one named former operative.)
Security services are, of course, always going to be on the cutting edge of these kinds of vulnerabilities, but coming as it does on the heels of Apple’s FaceTime bug, this is an unpleasant one-two punch for Apple’s prominent stance on data privacy.
[hat tip James Thomson]
privacy  security  spying  middle_east  messaging  hack  bug  iphone 
7 weeks ago by rgl7194
Lawyer sues Apple, claims FaceTime bug “allowed” recording of deposition | Ars Technica
Texas attorney: I didn't update my iPhone to enable "unsolicited eavesdropping."
A Houston attorney has sued Apple over the recently disclosed FaceTime bug, which can allow third parties to surreptitiously listen to FaceTime calls via an iPhone microphone.
In a lawsuit filed Monday evening in Harris County District Court, Larry Williams claimed the company was negligent when it allowed the microphone to be used in this way.
"Plaintiff was undergoing a private deposition with a client when this defective product breach allowed for the recording of a private deposition," he wrote.
"The Product was used for its intended purposes because Plaintiff updated their phone for the purpose of group Facetime calls but not unsolicited eavesdropping. Plaintiff suffered injuries."
Williams also alleged strict products liability and breach of express warranty, among other counts.
The case was first reported Tuesday by Courthouse News.
Apple is expected to release a fix to the bug later this week.
audio  bug  facetime  ios12  privacy  security  video  legal 
7 weeks ago by rgl7194
How to turn off and restrict FaceTime on iPhone or iPad | iMore
How do you turn off FaceTime?
FaceTime is automatically activated as part of the overall setup process you go through the first time you turn on a new iPhone, iPod touch, iPad, or Mac. If, for some reason, it isn't activated, or if you want to restrict access for your children, or even turn it off entirely, you can do that too.
How to turn on FaceTime
How to turn off FaceTime
How to disable FaceTime over cellular
How to use parental controls to restrict FaceTime in iOS 11 and earlier
How to use parental controls to restrict FaceTime in iOS 12
audio  bug  facetime  ios12  privacy  security  video 
7 weeks ago by rgl7194
Interview with a malware hunter: Jérôme Segura - Malwarebytes Labs | Malwarebytes Labs
In our series “Interview with a malware hunter,” our feature role today goes to Jérôme Segura, Malwarebytes’ Head of Threat Intelligence and world-renowned exploit kits researcher. The goal of this series is to introduce our readers to our malware intelligence crew by involving them in these Q&A sessions. So, let’s get started.
Where are you from, and where do you live now?
I was born and raised in France. After graduating from university, I moved over to North America, where I currently reside.
You are most famous for your exploit kit research. How did you get involved in that field?
I think I first got into exploit kits around 2007. I was working for a small company, and my job was to find new malware samples. I recall learning about drive-by downloads and reading an important book: Virtual Honeypots: From Botnet Tracking to Intrusion Detection by Niels Provos and Thorsten Holz.
After reading this book, I wrote a very basic prototype for a honeypot that would capture payloads from drive-by attacks.
This is also around the same time that I discovered the Fiddler web debugger tool that I have used on almost a daily basis ever since.
security  privacy  malware  interview 
7 weeks ago by rgl7194
Discover Card Users Affected by Data Breach, New Credit Cards Issued
A data breach incident impacting Discover cards has potentially provided attackers with access to an undisclosed amount of customer information, although anything from account numbers and expiration dates to security codes might have been stolen.
Although these types of data breaches are not uncommon for financial institutions, this is only the second time a data breach involving customers' cards has been reported during 2018 by Discover Financial Services to the California Attorney General.
According to California's law, companies that conduct business with California residents are required to file security notices with the Attorney General's office in the event of a data breach or a cybersecurity incident impacting customer data. Moreover, firms have to send and submit a sample of the data breach notice that is sent if more than 500 California residents are affected.
Discover Financial Services learned that on August 13, 2018, an undisclosed number of Discover card accounts might have been part of a data breach according to sample notices filed on January 25, 2019, with the California Attorney General's office. However, according to the same notices, "Please know, this breach did not involve Discover card systems."
data  breach  credit_cards  security  privacy 
7 weeks ago by rgl7194
The Biggest Data Breach Ever; Is Your Data Included? – Intego Mac Podcast, Episode 67 | The Mac Security Blog
The Intego Mac Podcast episode 67 is now available!
In this episode, Intego's experts discuss "Collection #1"—the biggest e-mail address and password leak to date—as well as the Australian government’s accidental war on global smartphone security… and a "teachable parasite" you can install on your Amazon Echo or Google Home. Join veteran Mac journalist Kirk McElhearn (@mcelhearn) and Intego's Chief Security Analyst Josh Long (@theJoshMeister) as they dive into these stories and more! You can find the complete show notes and links to the stories we discussed here.
breach  collection_#1  data  email  passwords  privacy  pwn  security  podcast 
7 weeks ago by rgl7194
Apple Disabled Group FaceTime While Working on Bug Fix
In order to prevent people from abusing a serious FaceTime bug that was discovered yesterday, Apple appears to have disabled the Group FaceTime feature while they work on a security update.
Yesterday, a bug was discovered that allows anyone to listen in on a person's iPhone microphone simply by placing a FaceTime call. The bug worked by calling a person via FaceTime and, before the person answers, adding yourself as an additional Group FaceTime participant.
Doing this would cause the microphone of the person you are calling to turn on and you could listen through their microphone without them even answering your call. Even worse, if the person you called pressed the power button to mute the incoming FaceTime call, it would also enable the front-facing camera so you could see what is happening in the room.
A demonstration of this bug can be seen in this video posted to Twitter.
As you can imagine, this bug allows for some pretty scary scenarios ranging from listening in on conversations to being able to see people in compromising situations.
According to the Apple System Status page, Apple has disabled Group FaceTime as of yesterday night at 10:16 PM. As this bug relied on the Group FaceTime feature, it was most likely disabled to prevent people abusing this bug.
While disabling Group FaceTime may have made it safe to use FaceTime again, there has been no public announcement from Apple indicating that this is the case. Therefore, I suggest all iOS and macOS users continue to keep FaceTime disabled until Apple formally releases a security update for this bug.
BleepingComputer has reached out to Apple for confirmation, but had not heard back at the time of this publication.
audio  bug  facetime  ios12  privacy  security  video 
7 weeks ago by rgl7194
Apple's FaceTime privacy bug allowed possible spying - Malwarebytes Labs | Malwarebytes Labs
Social media caught fire yesterday as the news of a new Apple bug spread. It seemed that there was a flaw in FaceTime that allowed you to place a call to someone, but listen in on their microphone if they didn’t pick up. Worse, as the news spread, it turned out that there was also a way to capture video from the camera on the target device, and that this issue was affecting not just iPhones and iPads, but Macs as well.
The result was a chorus of voices all saying the same thing: turn off FaceTime. The good news, though, if you’re just tuning in now, is that this is completely unnecessary, as Apple has disabled the service that allowed this bug to work.
audio  bug  facetime  ios12  privacy  security  video 
7 weeks ago by rgl7194
iPhone FaceTime Vulnerability - Schneier on Security
This is kind of a crazy iPhone vulnerability: it's possible to call someone on FaceTime and listen on their microphone -- and see from their camera -- before they accept the call.
This is definitely an embarrassment, and Apple was right to disable Group FaceTime until it's fixed. But it's hard to imagine how an adversary can operationalize this in any useful way.
New York governor Andrew M. Cuomo wrote: "The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk." Kinda, I guess.
audio  bug  facetime  ios12  privacy  security  video 
7 weeks ago by rgl7194
Apple’s Group FaceTime: A place for spies? | Computerworld
Apple has disabled Group FaceTime following discovery of a flaw that could potentially let people hear audio from other people’s devices without permission. What’s going on and what can you do about it?
The Group FaceTime bug, in brief
A 9to5Mac report, based on a video published to Twitter by @BmManski, revealed that this flaw lets a user listen to audio captured using another person’s device before they accept or reject the call requesting a FaceTime chat. The problem affects only iOS devices running iOS 12.1 or later (pending an update).
What Apple said
In a statement, Apple said it is “Aware of this issue… we have identified a fix that will be released in a software update later this week."
audio  bug  facetime  ios12  privacy  security  video 
7 weeks ago by rgl7194
Turn FaceTime off now - Six Colors
There’s a major bug in FaceTime that gives callers access to your microphone and/or video camera without granting permission. Rene Ritchie has the details, and Apple has issued a statement that this bug will be addressed “later this week.”
In the meantime I’d recommend going to your Settings app and turning off FaceTime altogether. This is really about as bad as it gets.
Update: Looks like Apple has turned off Group FaceTime? Good call.
facetime  bug  security  privacy  audio  video  ios12 
7 weeks ago by rgl7194
New FaceTime Bug Lets Callers Hear and See You Without You Picking Up
If you own an Apple device, you should immediately turn OFF FaceTime app for a few days.
A jaw-dropping unpatched privacy bug has been uncovered in Apple's popular video and audio call app FaceTime that could let someone hear or see you before you even pick up their call.
The bug is going viral on Twitter and other social media platforms with multiple users complaining of this privacy issue that can turn any iPhone into an eavesdropping device without the user's knowledge.
The Hacker News has tested the bug on iPhone X running the latest iOS 12.1.2 and can independently confirm that it works, as flagged by 9to5Mac on Monday. We were also able to replicate the bug by making a FaceTime call to a MacBook running macOS Mojave.
facetime  bug  security  privacy  audio  video  ios12 
7 weeks ago by rgl7194
Everything You Need To Know About the FaceTime Spying Bug | The Mac Security Blog
On Monday, a serious flaw in FaceTime came to light that could allow a FaceTime caller to spy on a call recipient, even if the recipient ignored or declined the call. Apple has taken temporary measures to mitigate the flaw and has promised a complete fix "later this week."
The flaw affects all devices running iOS 12.1 or later, and all devices running macOS Mojave 10.14.1 or later—in other words, devices capable of participating in Group FaceTime calls. It is unclear whether Apple Watch or HomePod, which also support Group FaceTime, are affected.
As seen in various videos demonstrating the flaw, an attacker using an iPhone could initiate a FaceTime call with a victim, and while the call was still ringing, the attacker could swipe up, tap "Add Person" and select themselves as a recipient, and FaceTime would immediately begin streaming audio from the victim's device. No user interaction was required on the victim's side.
But this attack isn't limited to just audio; it was also possible to spy on the victim's camera.
facetime  bug  security  privacy  audio  video  ios12 
7 weeks ago by rgl7194
Disable FaceTime Now! Bug Lets Callers Snoop On You Without Permission
A serious Apple iOS bug has been discovered that allows FaceTime users to access the microphone and front-facing camera of whoever they are calling, even if the person does not answer the call.
To use this bug, a caller would FaceTime another person who has an iOS device and, before the recipient answers, add themselves as an additional contact to Group FaceTime. This causes the microphone of the person being called to turn on and allows the caller to listen to what is happening in the room. Even worse, if the person being called presses the power button to mute the FaceTime call, the front-facing camera would turn on as well.
What this means is that if someone is calling you on FaceTime, they could be listening to and seeing what you are doing without you even knowing.
BleepingComputer has tested and confirmed that this bug works in iOS 12.1.2 and we were able to hear and see the person. When testing it against an Apple Watch, though, we were not able to get the audio portion of the bug to work.
While it is not known who first discovered this bug, numerous people have been posting about it on social media and making video demonstrations as shown below.
facetime  bug  security  privacy  audio  video  ios12 
7 weeks ago by rgl7194
FaceTime bug allows instant audio, potential video access — fix on the way | iMore
FaceTime Group Call bug allows remote microphone, potentially remote video access on iPhone, iPad, and Mac. Apple is planning a fix ASAP.
A serious FaceTime Group Call bug has been discovered that lets you instantly access audio from the microphone and potentially the video of the person you called on FaceTime.
I asked Apple about the bug and they provided the following statement.
"We're aware of this issue and we have identified a fix that will be released in a software update later this week."
UPDATE: Apple has taken down FaceTime Group Calls to prevent anyone from abusing the bug before the fix is pushed out.
facetime  bug  security  privacy  audio  video  ios12 
7 weeks ago by rgl7194
FaceTime bug lets callers hear you before you answer (really) | Ars Technica
The method is a little cumbersome, but it works.
Users have discovered a bug in Apple's FaceTime video-calling application that allows you to hear audio from a person you're calling before they accept the call—a critical bug that could potentially be used as a tool by malicious users to invade the privacy of others.
When Ars reached out to Apple for a statement, the company replied, "We're aware of this issue, and we have identified a fix that will be released in a software update later this week." An hour or two after this post went live, Apple disabled Group FaceTime to mitigate the bug.
The bug requires you to perform a few actions while the phone is ringing, so if the person on the other end picks up quickly, they might not be affected. Knowledge of how to use the bug is already widespread. The steps include:
Tap on a contact on your iPhone to start a FaceTime call with them.
Swipe up and tap "Add Person."
Instead of adding a new person, enter your own number and add yourself as another participant in the Group FaceTime call.
facetime  bug  security  privacy  audio  video  ios12 
7 weeks ago by rgl7194
Major iPhone FaceTime bug lets you hear the audio of the person you are calling ... before they pick up - 9to5Mac
A significant bug has been discovered in FaceTime and is currently spreading virally over social media. The bug lets you call anyone with FaceTime, and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call. Apple says the issue will be addressed in a software update “later this week”. (Update: Apple has taken Group FaceTime offline in an attempt to address the issue in the interim).
Naturally, this poses a pretty privacy problem as you can essentially listen in on any iOS user, although it still rings like normal, so you can’t be 100% covert about it. Nevertheless, there is no indication on the recipient’s side that you could hear any of their audio.
Update: There’s a second part to this which can expose video too …
9to5Mac has reproduced the FaceTime bug with an iPhone X calling an iPhone XR, but it is believed to affect any pair of iOS devices running iOS 12.1 or later.
facetime  bug  security  privacy  audio  video  ios12 
7 weeks ago by rgl7194
Major FaceTime Bug Allows Any Caller Access to Your iPhone’s Microphone Feed, Potentially Your Camera – MacStories
Benjamin Mayo of 9to5Mac, reporting on a serious iOS bug just discovered for FaceTime...
Mayo continues by listing the details of how to reproduce the bug yourself when calling someone else, which involves a few very simple steps that anyone can perform. The simplicity of reproduction makes this bug especially dangerous.
Following up on Mayo's report, Dieter Bohn of The Verge shared that things get even worse...
To recap: due to this FaceTime bug, which appears to affect all devices running iOS 12.1 or later, any caller can gain access to another user's microphone feed while the call is ringing. And if the person receiving the call in that scenario tries to dismiss the call, it may unintentionally be answered, activating the device's camera as well.
Apple gave the following statement to John Paczkowski of BuzzFeed...
Hopefully 'later this week' ends up translating to the next day or two, as some serious havoc could be wrought by this bug on unsuspecting users. Until that software update is released, we strongly recommend disabling FaceTime from Settings ⇾ FaceTime on your devices, or at the very least be aware that incoming calls you receive could be tapping into your microphone without your consent.
facetime  bug  security  privacy  audio  video  ios12 
7 weeks ago by rgl7194
2019 State of Malware report: Trojans and cryptominers dominate threat landscape - Malwarebytes Labs | Malwarebytes Labs
Each quarter, the Malwarebytes Labs team gathers to share intel, statistics, and analysis of the tactics and techniques made popular by cybercriminals over the previous three months. At the end of the year, we synthesize this data into one all-encompassing report—the State of Malware report—that aims to follow the most important threats, distribution methods, and other trends that shaped the threat landscape.
Our 2019 State of Malware report is here, and it’s a doozy.
In our research, which covers January to November 2018 and compares it against the previous period in 2017, we found that two major malware categories dominated the scene, with cryptominers positively drenching users at the back end of 2017 and into the first half of 2018, and information-stealers in the form of Trojans taking over for the second half of the year.
But that’s not all we discovered.
report  malware  security  privacy 
7 weeks ago by rgl7194