Security

Twitter investigation instigated by Senate following claims by former head of security

A Twitter investigation has been announced by the Senate Judiciary Committee, following claims of “extreme” security failings at the social network. The claims were made in an 84-page report by the company’s former head of security, Peiter Zatko.

Concerns have been expressed about the national security risks of bad actors being able to fake tweets from the accounts of world leaders and major media organizations …

Plex data breach exposed email addresses and encrypted passwords

A Plex data breach has exposed usernames, email addresses, and encrypted passwords. The scale of the security failure is not yet known, but the company is requiring all users to change their passwords.

The issue was compounded by Plex servers not having sufficient capacity to cope with the number of users attempting to do so, and a series of other problems …

Former Twitter security head says company’s systems have ‘extreme, egregious deficiencies’

Update: Elon Musk’s lawyers have now issued a subpoena to speak to Zatko about the claims.

Former Twitter security head Peiter Zatko has filed a formal complaint that the company has “extreme, egregious deficiencies” in its protections against hackers, and has done little to defeat spam.

He accuses the company of deceiving the Federal Trade Commission (FTC), following promises made back in 2011 after hackers twice took full control of Twitter …

Apple’s CSAM approach is the right one, says British government, as it attacks Facebook

The British government has backed a call by the country’s security services for client-side scanning for child sexual abuse material – aka Apple’s CSAM approach.

Home Secretary Priti Patel has written an op-ed in which she indicates government support for the stance, while also attacking Facebook’s plans to make all Messenger chats end-to-end encrypted by default …

In-app browsers like those in Facebook and Instagram are a big privacy risk, developer shows

One of the more annoying things some apps do is incorporate their own in-app browser, opening that for web links instead of respecting your chosen default browser.

This has long been a nuisance, but a developer has now explained the security risks of doing so, especially when dealing with companies not noted for their privacy standards – like Facebook …

Twitter belatedly confirms data breach which exposed contact details for 5.4M accounts [U]

Update: Twitter has rather belatedly confirmed that a hacker was able to expose the account details, though the company has not commented on the 5.4M number. See statement at the end of the piece.

A Twitter data breach has allowed an attacker to get access to the contact details of 5.4M accounts. Twitter has confirmed the security vulnerability which allowed the data to be extracted.

The data – which ties Twitter handles to phone numbers and email addresses – has been offered for sale on a hacking forum, for $30,000 …

Congress wants further crackdown on spyware makers like NSO, after earlier import ban

Congress is set to vote on The Intelligence Authorization Act, intended to further punish spyware makers like NSO. It follows evidence that the company’s Pegasus spyware was used to hack iPhones used by American diplomats.

The Commerce Department had already named NSO as a threat to US national security, and banned the import and use of Pegasus, but the bill would take things further …

CloudMensis spyware is being actively used in the wild to steal private data from Macs

A nasty piece of Mac malware is being actively used in the wild to capture personal data from Macs. Security researchers say that CloudMensis spyware can allow an attacker to download files, capture keystrokes, take screengrabs, and more.

Cybersecurity firm ESET says that the spyware has been in active use since February, and appears to be targeting specific individuals …

Latest Pegasus iPhone hack: Apple warned pro-democracy protestors in Thailand

The latest Pegasus iPhone hack to come to light targeted more than 30 pro-democracy protestors. Apple detected that their phones had been infected by NSO’s spyware, and alerted them.

Thailand has been the subject of multiple military coups over the years, the most recent of which was in 2014, with an army-backed leader still in power today after elections widely believed to have been fraudulent …

CSAM law could force all encrypted messaging services to use Apple-style client-side scanning [U: Delayed]

Update: The vote on the bill is now expected to be delayed until the fall – see end for more details.

A proposed new CSAM law in the UK could force all messaging companies to use the type of client-side scanning approach that Apple planned to launch to detect child sexual abuse material (CSAM) on iPhones.

An amendment to the Online Safety Bill has been put forward that would require tech companies to identify and remove CSAM, even in end-to-end encrypted private messages …

iPhone Lockdown Mode could benefit those of us who will never use it

Apple had big security news yesterday, announcing that iOS 16 will introduce a new iPhone Lockdown Mode designed to protect users from even the most sophisticated cyber attacks like those carried out by NSO’s Pegasus spyware.

Apple says that the mode offers an “extreme” level of security that will be needed only by the tiny percentage of people who might be targeted by state-sponsored attacks. But it’s been argued that although most of us will never use it, we may still benefit from it …

Apple’s disaster scenario is a real possibility, say US and UK security services: Chinese takeover of Taiwan

Back in March, we warned of the risk of Apple’s disaster scenario: Chinese takeover of Taiwan. Yesterday, the heads of both US and UK security services gave an “unprecedented” warning that this is not only possible but that China has been taking steps to prepare for this.

If it happened, it would lead to the almost total disruption of the vast bulk of Apple’s manufacturing resources …

iPhone Lockdown Mode coming in iOS 16 to protect against targeted cyber attacks, here’s how it works

Apple filed a lawsuit against ‘Pegasus’ spyware creator NSO Group last fall and announced it would be donating $10 million+ to organizations pursuing cyber-surveillance research and advocacy. Now taking the next step in combatting sophisticated spyware, Apple has announced a brand new “extreme” security feature called iPhone Lockdown Mode – coming to iPad and Mac as well – to help protect against targeted cyber attacks.

Delete TikTok from app stores, says FCC commissioner to Apple and Google

An FCC commissioner has called on both Apple and Google to delete TikTok from their respective app stores, giving the companies until July 8 to respond. It is not clear what measures the Federal Communications Commission might take if the companies do not comply.

The lengthy four-page letter says that TikTok is not a video-sharing app, but a “sophisticated surveillance tool” for the Chinese government …

Apple revokes certificates for spyware app ‘Hermit’ distributed outside the App Store

Google’s Threat Analysis Group (TAG), a group that specializes in tracking and analyzing government-backed hacking and attacks, recently published research on “Hermit” – a spyware that can compromise Android and iOS devices. Luckily, Apple has already found a way to stop the spread of this specific spyware on its devices.

The iPhone will be the future of proving our identity, online and offline

We’ve seen some baby steps towards using our iPhone for proving our identity. But a couple of recent developments point to a future in which an iPhone – plus biometrics – could let us use our phone as a single means of verifying our identity, both online and in face-to-face interactions.

In all, Apple provides support for four initiatives which I think provide a clear pointer to a future in which the iPhone will be our one-stop device for ID …

RCS Lab’s iPhone hacks used by law enforcement agencies in Europe; Apple has patched

iPhone hacks developed by Italian company RCS Lab have been used by law enforcement agencies in Europe, according to a new Google report. The hacking tool used a variety of exploits to allow the firm’s customers to spy on private messages, contacts, and passwords.

However, Apple has patched all six of the exploits used in different versions of iOS (see below), so keeping your iPhone up to date will protect it from the hacking tools …

NSO Pegasus spyware used by at least five EU countries; interim report published

NSO Pegasus spyware has been used by at least five EU countries, admits the company. The admission was made as part of a European investigation into the impact of Pegasus, with an interim report now published.

It’s likely that the true number is higher, with the company promising to provide a ‘more concrete number’ …

PACMAN M1 chip attack defeats ‘the last line of security’

A so-called PACMAN M1 chip attack created by MIT security researchers succeeded in defeating what has been described as “the last line of security” on Apple Silicon.

When designing the M1 chip, Apple created various layers of security, each designed to protect against an attacker who succeeded in penetrating the previous ones. Its final layer is a security feature known as PAC – and this has now been defeated …

iPhone spyware maker NSO struggled to make payroll; wants to sell to red-flagged countries

The financial problems of iPhone spyware maker NSO were so bad by the end of last year that it struggled to make payroll – after the company failed to make a single sale over a period of several months.

The company, which sells software to remotely carry out zero-click hacks of both iPhones and Android smartphones, has been in deep trouble ever since it was blacklisted by the US government. However, its plan to overcome its woes could make Pegasus an even nastier threat …
