Security Stories December 2

Facebook 2FA to be mandatory for accounts likely to be targeted by hackers

Facebook 2FA (two-factor authentication) will become mandatory for accounts likely to be targeted by hackers. The move is one of a range of protections offered to high-risk accounts in order to reduce the likelihood of interference in elections.

Security Stories November 26

As part of hitting back at spyware company NSO, Apple alerted a Polish prosecutor that her iPhone appears to have been compromised by Pegasus. This also gives us our first look at the text of Apple’s security alerts.

Although Poland has not admitted purchasing and using the spyware, there is significant evidence that it has done so …

expand full story

Security Stories November 24

Journalists, lawyers, politicians, and human rights activists have all been targeted by NSO’s Pegasus software, and Apple has now said that it will send security alerts to customers whose devices may be been compromised. It has already done so for at least five Thai activists and researchers.

It follows Apple’s announcement yesterday that it is suing NSO for attacking iOS users …

expand full story

Security Stories November 23

Apple on Tuesday announced that it has filed a lawsuit against NSO Group, which is known for developing the advanced spyware “Pegasus” to attack and surveil users of iOS and Android devices. The company claims that it is suing the creators of the spyware to “prevent further abuse and harm to its users.”

expand full story

Security Stories November 9

An alleged member of the REvil ransom group has been charged, with $6.1M in funds seized from another suspect, according to the US Department of Justice.

Back in April, we learned that the REvil group accessed systems belonging to Mac assembler Quanta and obtained schematics of the upcoming MacBook Pro models, which accurately revealed the HDMI, MagSafe, and SD card slot …

expand full story

Security Stories November 3

The NSO group, whose Pegasus spyware is used to hack iPhones and Android smartphones, has been officially named by the US government as a threat to national security.

The Commerce Department’s Bureau of Industry and Security (BIS) has added the Israeli company to the Entity List, which bans the company’s products from being imported, exported or passed from one organization to another within the US.

expand full story

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a Binding Operational Directive, requiring federal agencies to apply 24 Apple security patches.

The deadline for some of these is November 17, less than two weeks from now.

expand full story

Security Stories October 28

Here are 10 tips for an Apple device security checkup for Cybersecurity Awareness Month

October is Cybersecurity Awareness Month and whether you’re an expert or are new to iPhone, iPad, Mac, and more, it can be useful to audit your security settings. Let’s look at 10 tips for an Apple device security checkup.

Security Stories October 25

A New York Times journalist covering the Middle East has described the experience of his iPhone being hacked, and the security precautions he now takes as a result.

Ben Hubbard says there were four attempts to hack his iPhone, and that two of them succeeded, with all the signs pointing to the use of NSO’s Pegasus spyware.

expand full story

Security Stories October 22

Back in April, the REvil ransomware group hacked into Mac assembler Quanta to reveal 2021 MacBook Pro designs ahead of the launch. Now REvil has itself been hacked in an FBI-led operation, in partnership with the Secret Service and law enforcement agencies in multiple countries.

Law enforcement gained control of a number of REvil servers in an operation designed to prevent further attacks, and to pursue individuals involved in running the ransomware group …

expand full story

Security Stories October 13

Last month security researcher Denis Tokarev, aka illusionofchaos, shared his experience of reporting three zero-day iOS vulnerabilities to Apple with specific criticism around how the company is slow to respond, act, and didn’t give him credit for one of the three flaws that were patched. Now it appears Apple has fixed another zero-day flaw, this one in iOS 15 that Tokarev found earlier this year, without giving him credit.

expand full story

Amid growing pressure from private companies and governments to allow sideloading on iOS, Apple is out today with a new security paper diving into real-world data on how malware is impacting mobile devices. Along with statistics like Android having between 15 and 47 times more malware than iPhone, Apple is making its latest case against sideloading with data and recommendations from the US Department of Homeland Security, European Agency for Cybersecurity, NIST, Norton, and more.

expand full story

Update: Statement from Visible added below

Multiple reports of an apparent Verizon Visible hack, with attackers changing shipping addresses, then ordering phones that are charged to payment details held for customers. Visible is a Verizon sub-brand that operates entirely online, meaning that customers cannot seek assistance in-store.

“My account got hacked and they shipped out an iPhone 13 worth $1k that was taken from my PayPal,” wrote one customer …

expand full story

Security Stories October 7

It’s Cybersecurity Awareness Month – a good time to help family and friends

Cybersecurity Awareness Month is mostly geared toward businesses rather than individuals, encouraging them to ensure they carry out risk assessments and follow best practices to protect their IT systems. (There appear to be one or two companies who could use a little work there…)

But it’s also a worthwhile reminder to individuals to check their own cybersecurity, and for us to offer some advice to less-techie friends and family members.

Facebook and Twitch messes both caused by configuration errors

Both the Facebook and Twitch messes were caused by configuration errors, admit the companies. A mistake by Facebook led to a prolonged global outage of all the company’s services, while a similar error by Twitch left all its files exposed to a hacker …

Security Stories October 6

PSA: was hacked, everything leaked, including creator payouts

It appears that the entirety of was hacked, so if you have an account there, you’ll probably want to change your password …

Security Stories October 1

The Federal Communications Commission (FCC) is calling on carriers to implement better security protections against SIM-swap and port-out attacks.

These attacks are a common way for criminals to carry out identity theft, and take over anything from an Apple ID to a bank account …

expand full story

Security Stories September 29

A security researcher has shown that AirTags can be weaponized by injecting code into the phone number field before placing it into Lost mode and dropping it in strategic places. Apple has confirmed the finding.

When someone finds the AirTag and scans it, they will be redirected to the website of the attacker’s choice, which could include a fake iCloud login to report the find …

expand full story

Security Stories September 27

Apple overhauled its security bounty program back in 2019 by making it open to anyone, increasing payouts, and more. However, the program has seen a good amount of criticism from the infosec community. Now another security researcher has shared their experience claiming that Apple didn’t give them credit for one zero-day flaw they reported which was fixed and that there are three more zero-day vulnerabilities in iOS 15.

Update 9/27: After sharing his experience publicly, Apple has responded to security researcher illusionofchaos, aka Denis Tokarev.

expand full story

Security Stories September 22

A Mac shortcut bug can enable an attacker to take over your machine when you open an email, using nothing more than a standard internet shortcut file.

Apple claims to have patched the bug in Big Sur and Monterey, but the security researcher who discovered the issue says that this is only partly true.

expand full story

Security Stories September 17

Apple giving into Russia twice this week on key civil liberties issues proves that the company’s CSAM misuse assurances cannot be trusted, argues a high-profile security expert.

Apple today pulled from the App Store an opposition tactical voting app after the Russian government threatened specific local company employees with “punishment” if they refused. It turns out that Apple also turned off its Private Relay service in Russia just yesterday, likely also in response to government pressure…

expand full story

Security Stories September 16

iPhone exploit sold to United Arab Emirates by mercenaries working for US firm

An iPhone exploit sold to the United Arab Emirates for $1.3M was developed by a US company that used American mercenaries to facilitate the sale, according to the Department of Justice …

Security Stories September 13

CloudKit is an Apple framework integrated into iOS and macOS that works as a backend for apps. Developer Frans Rosén has found a way to use Apple’s cloud platform to delete public Siri Shortcuts and even content from other Apple apps such as Apple News.

expand full story

While Apple continues beta testing of macOS 12 Monterey, a new macOS Big Sur update has landed for all Mac users with 11.6. The new software hasn’t been beta tested and brings two important security updates that may have been actively exploited. There’s also an update for those running macOS Catalina.

expand full story

Powered by WordPress VIP