Security

Use of the Chinese Olympics app, MY2022, is mandatory for everyone attending this year’s Olympic Games in Beijing, whether as an athlete or simply watching from the stadium.

The app collects sensitive personal data – like passport details, medical data, and travel history – and analysis by security researchers reveals that the code has two security holes that could expose this information …

Apple, Google, Amazon, Meta, and IBM will attend a meeting at the White House to discuss software security after the US suffered several major cyberattacks in 2021. As reported by Reuters, this meeting will take place today and will be hosted by deputy national security advisor for cyber and emerging technology Anne Neuberger.

Another suspected NSO phone hack has come to light, this of journalists and activists in El Salvador. Most of the journalists were working for an online news service that has been reporting extensively on alleged government corruption.

Two journalists contacted Citizen Lab after suspecting that their phones had been compromised, and an investigation confirmed their suspicions, and found that they weren’t the only ones …

We learned earlier this month that NSO’s Pegasus spyware was used to hack US State Department iPhones in Uganda, with no clue at the time who the attacker was.

A new report strongly suggests that the Ugandan government was behind the attacks, as the country – which has an appalling human rights record – is now known to have purchased the spyware. It also appears that this was, indirectly, the tipping point that led to NSO’s downfall…

Pegasus spyware maker NSO Group is reportedly running out of cash following actions by both the US government and Apple. This has led the company to explore options to put itself up for sale.

Two US funds have expressed an interest, claiming that they would change the company’s mission from offensive to defensive, though skepticism has been expressed about this …

Apple has patched the Log4Shell iCloud vulnerability, after it was last week revealed that a security hole in the open-source tool log4j put millions of apps at risk.

Cybersecurity experts described the vulnerability as “setting the internet on fire,” and “the most critical security vulnerability in a decade” …

A new exploit called “Log4Shell” has been giving security teams at large technology companies a headache. When exploited, the vulnerability lets hackers run malicious code on vulnerable servers, and it can reportedly affect platforms such as iCloud and Steam.

As part of hitting back at spyware company NSO, Apple alerted a Polish prosecutor that her iPhone appears to have been compromised by Pegasus. This also gives us our first look at the text of Apple’s security alerts.

Although Poland has not admitted purchasing and using the spyware, there is significant evidence that it has done so …

Journalists, lawyers, politicians, and human rights activists have all been targeted by NSO’s Pegasus software, and Apple has now said that it will send security alerts to customers whose devices may be been compromised. It has already done so for at least five Thai activists and researchers.

It follows Apple’s announcement yesterday that it is suing NSO for attacking iOS users …

Apple on Tuesday announced that it has filed a lawsuit against NSO Group, which is known for developing the advanced spyware “Pegasus” to attack and surveil users of iOS and Android devices. The company claims that it is suing the creators of the spyware to “prevent further abuse and harm to its users.”

An alleged member of the REvil ransom group has been charged, with $6.1M in funds seized from another suspect, according to the US Department of Justice.

Back in April, we learned that the REvil group accessed systems belonging to Mac assembler Quanta and obtained schematics of the upcoming MacBook Pro models, which accurately revealed the HDMI, MagSafe, and SD card slot …

The NSO group, whose Pegasus spyware is used to hack iPhones and Android smartphones, has been officially named by the US government as a threat to national security.

The Commerce Department’s Bureau of Industry and Security (BIS) has added the Israeli company to the Entity List, which bans the company’s products from being imported, exported or passed from one organization to another within the US.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a Binding Operational Directive, requiring federal agencies to apply 24 Apple security patches.

The deadline for some of these is November 17, less than two weeks from now.

A New York Times journalist covering the Middle East has described the experience of his iPhone being hacked, and the security precautions he now takes as a result.

Ben Hubbard says there were four attempts to hack his iPhone, and that two of them succeeded, with all the signs pointing to the use of NSO’s Pegasus spyware.

Back in April, the REvil ransomware group hacked into Mac assembler Quanta to reveal 2021 MacBook Pro designs ahead of the launch. Now REvil has itself been hacked in an FBI-led operation, in partnership with the Secret Service and law enforcement agencies in multiple countries.

Law enforcement gained control of a number of REvil servers in an operation designed to prevent further attacks, and to pursue individuals involved in running the ransomware group …

Last month security researcher Denis Tokarev, aka illusionofchaos, shared his experience of reporting three zero-day iOS vulnerabilities to Apple with specific criticism around how the company is slow to respond, act, and didn’t give him credit for one of the three flaws that were patched. Now it appears Apple has fixed another zero-day flaw, this one in iOS 15 that Tokarev found earlier this year, without giving him credit.

Amid growing pressure from private companies and governments to allow sideloading on iOS, Apple is out today with a new security paper diving into real-world data on how malware is impacting mobile devices. Along with statistics like Android having between 15 and 47 times more malware than iPhone, Apple is making its latest case against sideloading with data and recommendations from the US Department of Homeland Security, European Agency for Cybersecurity, NIST, Norton, and more.

Update: Statement from Visible added below

Multiple reports of an apparent Verizon Visible hack, with attackers changing shipping addresses, then ordering phones that are charged to payment details held for customers. Visible is a Verizon sub-brand that operates entirely online, meaning that customers cannot seek assistance in-store.

“My account got hacked and they shipped out an iPhone 13 worth $1k that was taken from my PayPal,” wrote one customer …