Major FaceTime Bug Lets You Hear the Audio of the Person You Are Calling Before They Pick Up →

January 29, 2019 · 10:49

Benjamin Mayo, for 9to5Mac:

A significant bug has been discovered in FaceTime and is currently spreading virally over social media. The bug lets you call anyone with FaceTime, and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call. Apple says the issue will be addressed in a software update “later this week”.

In the meantime, Tim Cook tweeted:

We must keep fighting for the kind of world we want to live in. On this #DataPrivacyDay let us all insist on action and reform for vital privacy protections. The dangers are real and the consequences are too important.

Twitter user MGT7500 claims to have reported the bug days ago:

My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport…waiting to hear back to provide details. Scary stuff!

At this point it’s not even the bug itself that irritates me, but the manner in which Apple handles such reports. It’s unacceptable to call “all hands on deck” only after news of the bug goes public.


Bypassing 2FA With ‘Modlishka’ Reverse Proxy Tool →

January 19, 2019 · 12:26

Piotr Duszyński:

This blog post is an introduction to the reverse proxy “Modlishka” tool that I have just released. I hope that this software will reinforce the fact that social engineering is a serious threat, and cannot be treated lightly.

On the page below I will shortly describe how this tool can be used to bypass most of the currently used 2FA authentication schemes.


Amazon’s Ring Has Access to All of Its Customers’ Live Video Feeds and Recordings →

January 11, 2019 · 10:36

Sam Biddle, for The Intercept:

Despite its mission to keep people and their property secure, the company’s treatment of customer video feeds has been anything but, people familiar with the company’s practices told The Intercept. Beginning in 2016, according to one source, Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world. This would amount to an enormous list of highly sensitive files that could be easily browsed and viewed. Downloading and sharing these customer video files would have required little more than a click […]

At the same time, the source said, Ring unnecessarily provided executives and engineers in the U.S. with highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras, regardless of whether they needed access to this extremely sensitive data to do their jobs.

Trust takes a long time to earn, but it can be lost in a heartbeat. I still cannot believe that companies don’t take this topic more seriously, especially after all of the Uber and Facebook fiascos.


More Lies from Facebook — Users’ Private Data Disclosed to Other Companies →

December 19, 2018 · 13:23

Gabriel J.X. Dance, Michael LaForgia and Nicholas Confessore, for The New York Times:

For years, Facebook gave some of the world’s largest technology companies more intrusive access to users’ personal data than it has disclosed, effectively exempting those business partners from its usual privacy rules, according to internal records and interviews […]

Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages.

The social network permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier.

There’s a lesson to be learned here for other tech companies, which I’m sure they’ll completely ignore. Lying to users and toying with their privacy should not be taken lightly, and I keep on wondering when most will realise they don’t need Facebook anymore.


Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret →

December 12, 2018 · 10:07

Jennifer Valentino-Devries, Natasha Singer, Michael H. Keller and Aaron Krolik, for The New York Times:

More than 1,000 popular apps contain location-sharing code from such companies, according to 2018 data from MightySignal, a mobile analysis firm. Google’s Android system was found to have about 1,200 apps with such code, compared with about 200 on Apple’s iOS.

The most prolific company was Reveal Mobile, based in North Carolina, which had location-gathering code in more than 500 apps, including many that provide local news. A Reveal spokesman said that the popularity of its code showed that it helped app developers make ad money and consumers get free services.

Apple is a better proprietor than Google in this regard, but a lot more can and should be done to protect users.


Facebook Filed a Patent to Calculate Your Future Location →

December 12, 2018 · 10:03

Nicole Nguyen, for Buzzfeed:

Facebook has filed several patent applications with the US Patent and Trademark Office for technology that uses your location data to predict where you’re going and when you’re going to be offline.

Have you deleted your Facebook account yet?

In a statement, Facebook spokesperson Anthony Harrison said, “We often seek patents for technology we never implement, and patent applications — such as this one — should not be taken as an indication of future plans.”

Yeah… it really should in Facebook’s case.


Apple Security Expert Jon Callas Moves to ACLU →

December 5, 2018 · 03:28

Joseph Menn for Reuters:

A senior Apple Inc security expert left for a much lower-paying job at the American Civil Liberties Union this week, the latest sign of increasing activity on policy issues by Silicon Valley privacy specialists and other engineers.

Jon Callas, who led a team of hackers breaking into pre-release Apple products to test their security, started Monday in a two-year role as technology fellow at the ACLU. Prior to his latest stint at Apple, Callas designed an encryption system to protect data on Macs and co-founded communications companies Silent Circle, Blackphone and PGP Corp. […]

Callas said he felt particular kinship with Google employees pressing to have more of a say in the company’s prospective deal to return to mainland China with a censored search engine.

“A bunch of people have in fact woken up and said ‘Where are we, where are we going?’” Callas said. “These employees are wanting more discussion and access to what’s going on.”

Callas said phone makers had improved security and he wanted to see progress continue and widen without companies succumbing to pressure to install back doors.

There could be a simple explanation for his choice but the elephant in the room is Apple in China.


Facebook Portal — Who You Call and What Apps You Use Could Determine What Ads You See →

October 17, 2018 · 11:00

Kurt Wagner, reporting for Recode:

Last Monday, we wrote: “No data collected through Portal — even call log data or app usage data, like the fact that you listened to Spotify — will be used to target users with ads on Facebook.”

We wrote that because that’s what we were told by Facebook executives. 

But Facebook has since reached out to change its answer: Portal doesn’t have ads, but data about who you call and data about which apps you use on Portal can be used to target you with ads on other Facebook-owned properties.

Of course it can. And over time it’ll probably do other nasty stuff to its users.


Google Discloses Privacy Security Flaw Kept Quiet Since March →

October 9, 2018 · 17:30

Gerrit de Vynck, for Bloomberg:

Alphabet Inc.’s Google said it found a “software glitch” in its Google+ social network in March that could have exposed the personal data of as many as half a million users, but decided not to tell the public until Monday.

Google chose not to disclose the flaw out of concern it would trigger regulatory backlash, especially in the wake of criticism against Facebook Inc. for its privacy failures, according to the Wall Street Journal, which initially reported the news Monday. In a statement posted to its blog minutes after the report, Google said it plans to shut down Google+ for consumers and introduce new privacy tools restricting how developers can use information on products ranging from email to file storage.

Unsurprising.


Facebook Portal →

October 9, 2018 · 11:18

Portal was created with privacy, safety and security in mind. And it has clear and simple settings, so you always stay in control.

Having all of Facebook’s privacy scandals in mind, this product feels like the perfect companion device to their portfolio… if it were released on April Fools’ Day.

Do not buy this product. You probably shouldn’t be using Google’s Home or Amazon’s Alexa either.


Problems With Gmail’s “Confidential Mode” →

August 2, 2018 · 09:50

Gennie Gebhart and Cory Doctorow, for the EFF:

While many of its features sound promising, what “Confidential Mode” provides isn’t confidentiality. At best, the new mode might create expectations that it fails to meet around security and privacy in Gmail. We fear that Confidential Mode will make it less likely for users to find and use other, more secure communication alternatives. And at worst, Confidential Mode will push users further into Google’s own walled garden while giving them what we believe are misleading assurances of privacy and security […]

Ultimately, for the reasons we outlined above, in EFF’s opinion calling this new Gmail mode “confidential” is misleading. There is nothing confidential about unencrypted email in general and about Gmail’s new “Confidential Mode” in particular. While the new mode might make sense in narrow enterprise or company settings, it lacks the privacy guarantees and features to be considered a reliable secure communications option for most users.

The one thing I trust Google with is their uncanny ability to try to create an illusion of privacy and security, while in reality doing the exact opposite.


Revolut Typeform Breach: What Happened and Is My Data Safe? →

July 5, 2018 · 10:16

We have been alerted that Typeform, a company that we frequently use to survey our customers, has been compromised in a data breach […]

We would like to assure our customers that no sensitive data, such as personal account details or passwords, have been compromised in this breach. Upon reviewing previous surveys, we have only ever asked for details such as your email address and Twitter handle […]

Our focus right now is to contact everyone who has been affected, letting them know exactly what kind of data of theirs was breached, what they should do and how we will stop something like this from happening again.

If you don’t get an email from us on this matter, that means that none of your data was compromised and you have nothing to worry about.


Samsung Phones Are Spontaneously Texting Users’ Photos to Random Contacts Without Their Permission →

July 3, 2018 · 10:17

Ashley Carman, writing for The Verge:

Bad news for Samsung phone owners: some devices are randomly sending your camera roll photos to your contacts without permission. As first spotted by Gizmodo, users are complaining about the issue on Reddit and the company’s official forums. One user says his phone sent all his photos to his girlfriend. The messages are being sent through Samsung’s default texting app Samsung Messages. According to reports, the Messages app does not even show users that files have been sent; many just find out after they get a response from the recipient of the random photos sent to them.

I wonder how many people actually received “dick pics” (as in nudes). This sounds funny at first, but it could really be catastrophic, depending on the people involved.


Teslas – (In)Secure by Design →

June 13, 2018 · 14:47

Tomasz Konieczny, on XSolve’s blog:

Tesla has become synonymous for a new trend in the automotive industry. Elon Musk’s electric car is on the lips of the whole world – or even the whole solar system after SpaceX shot it into space. That’s why it’s so shocking that a more “earthly” matter – the security of Tesla software – is far below modern standards.

While I have driven Teslas before, I never owned one, so I didn’t have a reason to bother with the security of the app, the website account or anything related. Quite frankly, I expected much more from Elon’s company, especially since cars from “traditional” manufacturers are known to be insecure for years now and his background would suggest that Tesla would be best equipped to handle security in a satisfactory manner.

P.S. I can’t even enjoy the full functionality of my Steam games if they’re not secured by 2FA.


Locked Out of My FastMail Account (Sort Of)

June 9, 2018 · 19:43

I finally got around to setting up 2FA for my FastMail account on Wednesday, preferring to switch over to 1Password as an authenticator instead of SMS. I forgot I would need to create an app password for my iPhone to continue receiving emails on it. FastMail was nice enough to notify me of this via email, as a reminder, but I did not receive this email, because I was locked out, because I didn’t create an app password, because I completely forgot about it.

Yeah, my bad.

The upside was that I was happy for two days because I barely got any email (a few slipped by on my other accounts). The downside? It’s the weekend and I am calling email bankruptcy.


PGP and S/MIME Vulnerable to Hacks That Can Reveal the Plaintext of Encrypted Messages →

May 14, 2018 · 15:29

Dan Goodin, writing for Ars Technica:

The Internet’s two most widely used methods for encrypting email—PGP and S/MIME—are vulnerable to hacks that can reveal the plaintext of encrypted messages, a researcher warned late Sunday night. He went on to say there are no reliable fixes and to advise anyone who uses either encryption standard for sensitive communications to remove them immediately from email clients.

The flaws “might reveal the plaintext of encrypted emails, including encrypted emails you sent in the past,” Sebastian Schinzel, a professor of computer security at Münster University of Applied Sciences, wrote on Twitter. “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

You can find an “EFAIL” paper discussing the vulnerabilities here.


Apple Took 8 Days to Give Jefferson the Data It Had Collected on Him →

May 5, 2018 · 11:53

Jefferson Graham:

The zip file I eventually received from Apple was tiny, only 9 megabytes, compared to 243 MB from Google and 881 MB from Facebook. And there’s not much there, because Apple says the information is primarily kept on your device, not its servers. The one sentence highlight: a list of my downloads, purchases and repairs, but not my search histories through the Siri personal assistant or the Safari browser.

This approach by Apple makes me trust them more with my data than any other company.


Unsecured IP Video Cameras Directory →

May 3, 2018 · 23:20

Welcome to Insecam project. The world’s biggest directory of online surveillance security cameras. Select a country to watch live street, traffic, parking, office, road, beach, earth online webcams. Now you can search live web cams around the world. You can find here Axis, Panasonic, Linksys, Sony, TPLink, Foscam and a lot of other network video cams available online without a password. Mozilla Firefox browser is recommended to watch network cameras.

These cameras have no passwords set. Some on purpose, others not so much.


Marco Arment’s Stellar Privacy Update →

April 28, 2018 · 08:46

Marco Arment, on his blog:

One of the ways publishers try to get around the limitations of the current model is by embedding remote images or invisible “tracking pixels” in each episode’s HTML show notes. When displayed in most apps, the images are automatically loaded from an analytics server, which can then record and track more information about you.

In Overcast 4.2, much like Mail (and for the same reason), remote images don’t load by default. A tappable placeholder shows you where each image will load from, and you can decide whether to load it or not.

This is one developer I would trust with my data without hesitation. I’m keeping my email-based login for Overcast, even though he’ll probably hate me for burdening him with it.
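To make the placeholder approach concrete, here is an added Python example (my own code, not Overcast’s) that rewrites show-notes HTML so every remote image becomes a placeholder naming the host it would have been fetched from, and flags images that look like 1×1 or hidden tracking pixels. The sample show notes and host names are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of episode show notes: one legitimate remote image,
# one invisible 1x1 "tracking pixel", and one inline (data:) image.
SAMPLE_SHOW_NOTES = (
    "<p>Episode 42 show notes.</p>"
    '<img src="https://cdn.example-podcast.test/cover.jpg" alt="cover">'
    '<img src="https://stats.example-analytics.test/pixel.gif?ep=42" width="1" height="1">'
    '<img src="data:image/png;base64,iVBORw0KGgo=" alt="inline">'
)


class RemoteImageBlocker(HTMLParser):
    """Rewrite show-notes HTML so remote images are not fetched automatically.

    Every remote <img> is replaced by a placeholder that names the host the
    image would be loaded from; the original URL is kept in a data attribute
    so the app can offer to load it on tap. The parser also records the hosts
    that would have been contacted and which images look like tracking pixels.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.remote_hosts = []
        self.tracking_pixels = []

    @staticmethod
    def is_remote(src):
        # http(s) URLs and protocol-relative "//host/..." URLs hit the network;
        # data: URIs and relative paths do not.
        return urlparse(src).scheme in ("http", "https") or src.startswith("//")

    @staticmethod
    def looks_like_pixel(attrs):
        w, h = attrs.get("width", ""), attrs.get("height", "")
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = w in ("0", "1") and h in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        return tiny or hidden

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        if tag == "img" and self.is_remote(src):
            full = src if "://" in src else "https:" + src
            host = urlparse(full).hostname or "unknown"
            self.remote_hosts.append(host)
            if self.looks_like_pixel(attrs):
                self.tracking_pixels.append(src)
            self.out.append(
                f'<span class="remote-image-placeholder" data-src="{escape(src)}">'
                f"[Remote image from {escape(host)} not loaded]</span>"
            )
            return
        self.out.append(self.get_starttag_text())  # keep everything else verbatim

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def block_remote_images(html_text):
    """Return (rewritten_html, remote_hosts, suspected_tracking_pixels)."""
    parser = RemoteImageBlocker()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.remote_hosts, parser.tracking_pixels
```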


1Blocker X for iOS — New App, More Rules

April 25, 2018 · 12:15

The guys behind 1Blocker for iOS and macOS are launching 1Blocker X tomorrow, with support for many more rules by combining several content blockers into one app — this rewrite took them 6 months, which is why I completely understand their need to make back their investment. Salavat Khanov wrote up all the new features of 1Blocker X on their blog — it’s an interesting read — and now that I finally understand how it works under the hood, I’m upgrading tomorrow, when the app goes live. You can pre-order it today though…

1Blocker X — $4.99 / €5,49 / 23,49 PLN


Google Has More of Your Personal Data Than Facebook →

April 23, 2018 · 11:04

Christopher Mims, for The Washington Post:

As justifiable as the focus on Facebook has been, though, it isn’t the full picture. If the concern is that companies might be collecting some personal data without our knowledge or explicit consent, Alphabet’s Google is a far bigger threat by many measures: the volume of information it gathers, the reach of its tracking and the time people spend on its sites and apps […]

It’s likely that Google has shadow profiles on at least as many people as Facebook does, says Chandler Givens, chief executive of TrackOff, which develops software to fight identity theft. Google allows everyone, whether they have a Google account or not, to opt out of its ad targeting. Yet, like Facebook, it continues to gather your data […]

Google also is the biggest enabler of data harvesting, through the world’s two billion active Android mobile devices. Because Google’s Android OS helps companies gather data on us, then Google is also partly to blame when troves of that data are later used improperly, says Woodrow Hartzog, a professor of law and computer science at Northeastern University.

A good example of this is the way Facebook has continuously harvested Android users’ call and text history. Facebook never got this level of access from Apple’s iPhone, whose operating system is designed to permit less under-the-hood data collection. Android OS often allows apps to request rich data from users without accompanying warnings about how the data might be used.

Meanwhile, we still don’t have the tools or means to protect ourselves from being targeted by Google, Facebook, and others, or to block their tracking practices completely.


End-to-End Encryption Does Not Prevent Facebook From Accessing WhatsApp Chats →

April 13, 2018 · 11:49

Gregorio Zanon, posting on Medium:

Facebook could potentially access your WhatsApp chats. In fact, it could easily access your entire chat history and every single attachment. Now, I am not saying it does and have no evidence it did. But after Android users have recently been finding out that their call history and SMS data had been collected by Facebook, I believe it is important to go over the means by which Facebook is already in a position to collect our WhatsApp data, from any iPhone running iOS 8 and above.

In case you did not know about this for some reason…


Aleksandr Kogan Collected Facebook Users’ Direct Messages →

April 13, 2018 · 11:45

Alex Hern and Carole Cadwalladr, writing for The Guardian:

Aleksandr Kogan collected direct messages sent to and from Facebook users who installed his This Is Your Digital Life app, the Guardian can reveal. It follows Facebook’s admission that the company “may” have handed over the direct messages of some users to the Cambridge Analytica contractor without their express permission. The revelation is the most severe breach of privacy yet in the Cambridge Analytica scandal.

This just gets better and better. I wonder what else we don’t know yet.

For the record, I deleted my Facebook account on March 22, a day after my last post on the subject.


MyFitnessPal Hacked →

April 10, 2018 · 00:42

From their FAQ:

On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts […]

The affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.

The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. Payment card data was not affected because it is collected and processed separately.

I still have an account over there which I don’t use. Time to get rid of it.


US Social Media Screening Proposal →

April 5, 2018 · 16:38

Sewell Chan, for The New York Times:

Nearly all applicants for a visa to enter the United States — an estimated 14.7 million people a year — will be asked to submit their social media user names for the past five years, under proposed rules that the State Department issued on Friday […]

Along with the social media information, visa applicants will be asked for past passport numbers, phone numbers and email addresses; for records of international travel; whether they have been deported or removed, or violated immigration law, in the past; and whether relatives have been involved in terrorist activities.

We have been planning to travel to the USA, to spend a few weeks visiting all the major national parks, but since Trump happened we’re putting it off indefinitely. Social media screening isn’t helping and I refuse to submit to something I consider a violation of my privacy.

Of all the countries in the world, the USA is one of the few I would not want to live in.


iPhone iBoot Source Code Gets Posted On Github →

February 8, 2018 · 15:22

Lorenzo Franceschi-Bicchierai, writing for Motherboard:

Someone just posted what experts say is the source code for a core component of the iPhone’s operating system on GitHub, which could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve.

The GitHub code is labeled “iBoot,” which is the part of iOS that is responsible for ensuring a trusted boot of the operating system. In other words, it’s the program that loads iOS, the very first process that runs when you turn on your iPhone. It loads and verifies the kernel is properly signed by Apple and then executes it—it’s like the iPhone’s BIOS.

The code says it’s for iOS 9, an older version of the operating system, but portions of it are likely to still be used in iOS 11.

Apple has already filed a copyright takedown request with GitHub, which resulted in the code being removed, but that won’t help much — the code is out in the wild.


FBI Hacker Says Apple Are ‘Jerks’ and ‘Evil Geniuses’ for Encrypting iPhones →

January 12, 2018 · 10:29

Lorenzo Franceschi-Bicchierai, writing for Motherboard:

On Wednesday, at the International Conference on Cyber Security in Manhattan, FBI forensic expert Stephen Flatley lashed out at Apple, calling the company “jerks,” and “evil geniuses” for making his and his colleagues’ investigative work harder. For example, Flatley complained that Apple recently made password guesses slower, changing the hash iterations from 10,000 to 10,000,000.

I’m glad his work is made harder and I can’t help but wonder what smartphone he uses privately and if he would want it to be unencrypted.


Safari’s Privacy Feature Costs Ad Companies Millions →

January 10, 2018 · 16:02

Alex Hern, writing for The Guardian:

Advertising technology firm Criteo, one of the largest in the industry, says that the Intelligent Tracking Prevention (ITP) feature for Safari, which holds 15% of the global browser market, is likely to cut its 2018 revenue by more than a fifth compared to projections made before ITP was announced […]

In response, Apple noted that: “Ad tracking technology has become so pervasive that it is possible for ad tracking companies to recreate the majority of a person’s web browsing history. This information is collected without permission and is used for ad re-targeting, which is how ads follow people around the internet.”

This is great news (!) and means that Apple is on point with the implementation details of their new feature. The practices of the ad industry are horrific and should have been addressed years ago. I strongly believe their shady practices have basically killed their own business — people basically hate most web ads — which is in stark contrast to podcast ads.


Measuring macOS Meltdown Patches Performance →

January 10, 2018 · 15:57

fG, writing for Reverse Engineering Mac OS X:

My tests demonstrate that the syscall interface is definitely much slower in High Sierra 10.13.2. This could lead to some drama, that in most cases, is not justified (I witnessed some minor drama because I released an early chart to see what happened). What my tests appear to point to is that some workloads will be slower but they are probably not relevant unless you are doing millions of iterations. Maybe a 10% impact on your build times is not reasonable at all or you don’t even notice it. The most important thing that users and systems administrators need to do is to measure their specific situation. It’s the only way to be sure if this patch is a problem or not, and build their threat case under this new assumption. One thing is sure, this appears to be here to stay in the medium to long term until all hardware is replaced.

Interesting and varying results, depending on the workload, tested on a MacBook Pro and Mac Pro, running Sierra and High Sierra.