Security

In an interview with the Guardian, the WhatsApp CEO talks about NSO malware and says Apple should “be loud, join in” rather than saying this won’t affect many of its users.

iOS security researcher Will Strafach agrees with a recent claim that Apple can do more when it comes to combating NSO and others who exploit combat zero-day vulnerabilities in iOS.

It follows a report by Amnesty International that said that NSO spyware Pegasus was being used to mount zero-click attacks against human rights activists, lawyers, and journalists …

Along with macOS 11.5 being released, security updates have arrived for both macOS Catalina and Mojave. Fixes included are for flaws that could lead to malicious applications gaining root access, arbitrary code being executed with kernel privileges, and more.

XLoader malware has now migrated from Windows machines to attack Macs too. An evolution of the malware known as Formbook, it lets an attacker log keystrokes, take screenshots, and access other private information.

Worryingly, the malware is sold on the dark web for $49, enabling anyone to deploy it against both Windows and Mac users …

An associate professor at the Johns Hopkins Information Security Institute has said that Apple can and must do more to prevent NSO attacks.

He argues that while it’s true that it is impossible to completely prevent exploits based on zero-day vulnerabilities, there are two steps that the iPhone maker can take to make NSO’s job much harder …

It’s extremely unlikely that your phone has been hacked using NSO software, but there is now a way to check your iPhone for Pegasus spyware – or, at least, some tell-tale signs.

The spyware was used to target human rights activists, lawyers, journalists, and politicians, and has been linked to assaults and murder of dissidents, so the chances of a random iPhone user being impacted are exceedingly low …

Over the weekend, an explosive report from Amnesty International detailed targeted attacks towards target human rights activists, lawyers, and journalists using Apple’s iMessage system as a vector by which to deliver the zero-click attacks. In a new statement provided to the Washington Post, Apple defended its security practices and said it leads the industry in security innovation.

An explosive report from Amnesty International interpreted device logs to reveal the scope of targeted malware attacks in active use targeting Android and iPhone devices, since July 2014 and as recently as July 2021. Exploited devices can secretly transmit messages and photos stored on the phone, as well as record phone calls and secretly record from the microphone. The attack is sold by Israeli firm NSO Group as ‘Pegasus’.

Whilst the company claims to only sell the spyware software for legit counterterrorism purposes, the report indicates it has actually been used to target human rights activists, lawyers and journalists around the world (as many have long suspected).

While Apple constantly works to improve the security of its devices, hackers are always looking for new ways to crack the security systems found in the iPhone, iPad, Mac, and other devices. Earlier this year, an exploit found in Apple’s WebKit (which is the Safari engine) allowed hackers to extract login information from iOS devices.

A couple of disturbing reports revealed the comparative ease with which criminal gangs were able to use stolen iPhones to access the owner’s bank accounts. The initial report didn’t explain the method used, but a subsequent one did: swapping the SIM to a new device in order to reset the Apple ID password.

Apple is already working on one security measure – making it easier for users to remotely wipe data from a stolen iPhone – but the reports also highlight a security weakness that seems worryingly common among non-techies: using the Notes app to store passwords …

Android and iPhone spyware sold by NSO Group enables state terror attacks in multiple countries, according to a new database released by Amnesty International and partner organizations.

NSO uses zero-day exploits to develop spyware for both iPhones and Android smartphones, allowing users to read text messages and emails, monitor contacts and calls, track locations, collect passwords, and even switch on the smartphone’s microphone to record meetings …

I’ve argued for years that moving beyond passwords is something that urgently needs to happen from both a security and usability perspective.

The technical framework to make it possible to abandon passwords – WebAuthn – was agreed back in 2018, and Apple added support for it in Safari last year. Adoption is as yet close to zero, but all that looks set to change, thanks to the latest move by Apple …