Security

Security researchers have discovered a developer error in more than 3,200 mobile apps, which make possible full or partial Twitter account hijacks.

In the worst examples, affecting around 320 apps, it enables an attacker to gain complete control of a Twitter account …

Congress is set to vote on The Intelligence Authorization Act, intended to further punish spyware makers like NSO. It follows evidence that the company’s Pegasus spyware was used to hack iPhones used by American diplomats.

The Commerce Department had already named NSO as a threat to US national security, and banned the import and use of Pegasus, but the bill would take things further …

A nasty piece of Mac malware is being actively used in the wild to capture personal data from Macs. Security researchers say that CloudMensis spyware can allow an attacker to download files, capture keystrokes, take screengrabs, and more.

Cybersecurity firm ESET says that the spyware has been in active use since February, and appears to be targeting specific individuals …

The latest Pegasus iPhone hack to come to light targeted more than 30 pro-democracy protestors. Apple detected that their phones had been infected by NSO’s spyware, and alerted them.

Thailand has been the subject of multiple military coups over the years, the most recent of which was in 2014, with an army-backed leader still in power today after elections widely believed to have been fraudulent …

Update: The vote on the bill is now expected to be delayed until the fall – see end for more details.

A proposed new CSAM law in the UK could force all messaging companies to use the type of client-side scanning approach that Apple planned to launch to detect child sexual abuse material (CSAM) on iPhones.

An amendment to the Online Safety Bill has been put forward that would require tech companies to identify and remove CSAM, even in end-to-end encrypted private messages …

Apple had big security news yesterday, announcing that iOS 16 will introduce a new iPhone Lockdown Mode designed to protect users from even the most sophisticated cyber attacks like those carried out by NSO’s Pegasus spyware.

Apple says that the mode offers an “extreme” level of security that will be needed only by the tiny percentage of people who might be targeted by state-sponsored attacks. But it’s been argued that although most of us will never use it, we may still benefit from it …

Back in March, we warned of the risk of Apple’s disaster scenario: Chinese takeover of Taiwan. Yesterday, the heads of both US and UK security services gave an “unprecedented” warning that this is not only possible but that China has been taking steps to prepare for this.

If it happened, it would lead to the almost total disruption to the vast bulk of Apple’s manufacturing resources …

Apple filed a lawsuit against ‘Pegasus’ spyware creator NSO Group last fall and announced it would be donating $10 million+ to organizations pursuing cyber-surveillance research and advocacy. Now taking the next step in combatting sophisticated spyware, Apple has announced a brand new “extreme” security feature called iPhone Lockdown Mode – coming to iPad and Mac as well – to help protect against targeted cyber attacks.

An FCC commissioner has called on both Apple and Google to delete TikTok from their respective app stores, giving the companies until July 8 to respond. It is not clear what measures the Federal Communications Commission might take if the companies do not comply.

The lengthy four-page letter says that TikTok is not a video-sharing app, but a “sophisticated surveillance tool” for the Chinese government …

Google’s Threat Analysis Group (TAG), a group that specializes in tracking and analyzing government-backed hacking and attacks, recently published research on “Hermit” – a spyware that can compromise Android and iOS devices. Luckily, Apple has already found a way to stop the spread of this specific spyware on its devices.

We’ve seen some baby steps towards using our iPhone for proving our identity. But a couple of recent developments point to a future in which an iPhone – plus biometrics – could let us use our phone as a single means of verifying our identity, both online and in face-to-face interactions.

In all, Apple provides support for four initiatives which I think provide a clear pointer to a future in which the iPhone will be our one-stop device for ID …

iPhone hacks developed by Italian company RCS Lab have been used by law enforcement agencies in Europe, according to a new Google report. The hacking tool used a variety of exploits to allow the firm’s customers to spy on private messages, contacts, and passwords.

However, Apple has patched all six of the exploits used in different versions of iOS (see below), so keeping your iPhone up to date will protect it from the hacking tools …

NSO Pegasus spyware has been used by at least five EU countries, admits the company. The admission was made as part of a European investigation into the impact of Pegasus, with an interim report now published.

It’s likely that the true number is higher, with the company promising to provide a ‘more concrete number’ …

A study shows that Apple can pay up to 5x more than Samsung per exposed vulnerability on its bug bounty program. That said, the Cupertino company still faces complaints from researchers, with some saying Apple didn’t give them credit for the zero-day flaw reported.

A so-called PACMAN M1 chip attack created by MIT security researchers succeeded in defeating what has been described as “the last line of security” on Apple Silicon.

When designing the M1 chip, Apple created various layers of security, each designed to protect against an attacker who succeeded in penetrating the previous ones. Its final layer is a security feature known as PAC – and this has now been defeated …

The financial problems of iPhone spyware maker NSO were so bad by the end of last year that it struggled to make payroll – after the company failed to make a single sale over a period of several months.

The company, which sells software to remotely carry out zero-click hacks of both iPhones and Android smartphones, has been in deep trouble ever since it was blacklisted by the US government. However, its plan to overcome its woes could make Pegasus an even nastier threat …

The prospect of a world without passwords can’t come soon enough for me, but a problem has been raised with the FIDO standard designed to eliminate the need for them. Namely, that abandoning passwords could make it harder to switch between ecosystems.

If you have your passkeys setup for Apple devices, there is nothing in the standard allowing you to transfer them to an Android device, or vice versa …

A Verizon employee database was recently compromised with the hacker holding it for a $250,000 ransom. Verizon says it doesn’t believe it contains “any sensitive information” and stopped communication with the hacker. However, the list of details including employee email addresses, phone numbers, and more could present a risk for future attacks.

Way back in 2017, a security researcher created a fake apple.com website where the URL looked completely correct. The trick was that the domain he registered used a unicode character that looks like an “a” but is in fact a Cyrillic character.

Browsers were updated to detect this kind of fakery, but it’s far from a simple process – as a new video (below) illustrates …

Apple has released iOS 15.5, macOS 12.4, and more today with updates like new features for Apple Cash, the Podcasts app, and the Studio Display webcam fix. However, a bigger reason to update your devices is the security patches with today’s releases. iOS 15.5 includes almost 30 security fixes while macOS 12.4 features over 50.

In early 2020, Apple joined the FIDO Alliance, an open industry association created to increase the interoperability of authentication methods and reduce reliance on traditional passwords. Now Apple, Google, and Microsoft have committed to expanding support for the FIDO Standard, moving toward a universal “passwordless” sign-in method.