An Apple-Hacking Teen, SIM-Swap Indictments, and More Security News This Week

Credit to Author: Brian Barrett | Date: Sat, 09 Feb 2019 14:00:00 +0000

It's frankly hard, at the end of this long week, to devote much mental energy to any news that's not Jeff Bezos going to war with the National Enquirer, but stay with us! There's a lot going on—including some intriguing developments in special counsel Robert Mueller's probe.

Before we get too far into it, though, please take a moment to update to iOS 12.1.4, which fixes that very bad FaceTime group chat bug and a few more previously undisclosed vulnerabilities as well. Got it? Good, thank you! Now consider this new Chrome extension, from Google, which will help keep you from using passwords that have been exposed in data breaches. And for those of you who prefer cheaper Android devices, you'll be happy to know that Google has also found a way to bring full disk encryption to underpowered hardware.

We also took a look at the US Census, which will be here before you know it, but hopefully after the risks of going digital for the first time have been ironed out. And in other political news, Congress wants to hear from Facebook, Google, and Apple about Facebook's effort to monitor the iPhone activity of kids as young as 13 behind Apple's back.

Elsewhere, Twitter still can't keep up with its abusive bot problem—but two researchers think they have a better solution. And venerable security technologist Bruce Schneier argues that whatever trust you've put in the blockchain is misplaced.

But wait, there's more! Each week we round up all the news we didn’t break or cover in depth. Click on the headlines to read the full stories. And stay safe out there.

As it turns out, Apple had multiple run-ins with teens this week! In the second instance, an 18-year-old German hacker demonstrated a vulnerability in macOS that lets an attacker steal passwords stored in the keychain. Perhaps more importantly, he has also pointedly decided not to share how he did it. That's not out of malice (hopefully) but in protest of Apple's lack of a macOS bug bounty program, a program that pays hackers for finding and disclosing bugs. Apple does have an invite-only bug bounty set up for iOS, but not for its desktop counterpart.

Zcash is a promising cryptocurrency with a privacy focus. It was also home to a pretty hilarious, potentially devastating vulnerability until a small team of engineers quietly patched it in October. The trouble traces back to a flaw in a cryptographic paper that details the "zero knowledge proofs" that enable Zcash's privacy features. The Zcash team says they saw no evidence that anyone exploited the error, though they can't be certain. At the very least, no one seems to have printed themselves an infinite amount of digital money.

SIM swap attacks, in which hackers take over phone numbers to override two-factor authentication and break into your online accounts, have become a scourge. There finally seems to be some traction in finding the perpetrators, though. Last week, Joel Ortiz took a plea deal to become the first person convicted of SIM-swapping, and more recently unsealed indictments in California show that the feds have built a case against two more alleged hackers. With any luck, the increased law enforcement action will serve as a broader deterrent.

The location data scandal continues to unfurl, as Motherboard showed that around 250 bounty hunter types could pay to access location data from AT&T, Sprint, and T-Mobile, including super-precise GPS information intended for emergency responders. All of those carriers swore they'd stop sharing location data with third parties, and then didn't, and then promised again. In records obtained by Motherboard, a single company put in over 18,000 individual smartphone location requests in a single year.