This week, Apple The product’s spring launch was marred by a ransomware attack against one of its vendors, Quanta Computer. The incident is notable because it involves Apple – and the publication of confidential diagrams – but also because it represents an intersection of multiple disturbing trends in digital extortion.
In other hacking news adjacent to Apple, Facebook researchers have Palestine-linked group created custom malware to attack iOS, hidden in a working messaging app. Victims had to go to a third-party app store to install the malware, but hackers used social engineering techniques to trick them into doing so. And speaking of Facebook, the social media giant has been involved in yet another data exposure, this time. e-mail addresses of millions of users who had defined this information as “private” in their settings. This comes on the heels of a flaw that allowed the scraping of 500 million Facebook user phone numbers this was revealed earlier this month.
We also looked at a since fixed bug in Clubhouse that would have allowed people to linger invisibly in rooms like ghosts and even provoke a racquet, with the moderator unable to cut them or kick them out.
And there’s more! Each week, we collect all the news that WIRED hasn’t covered in depth. Click on the titles to read the full stories. And stay safe there.
In December, forensics firm Cellebrite, which helps authorities penetrate and extract data from iPhones and Android devices –claims it could access data from the Signal application. It was a bit of a bad direction; he had not mined Signal’s renowned robust encryption rather, additional support for the file types Signal uses for its Physical Analyzer tool. The distinction matters a bit. Cellebrite could basically access Signal messages once they already had your phone in their hands and unlocked it, which is going to be a risk with any encrypted messaging app.
Fast forward to this week, when the founder of Signal Moxie marlinspike published a blog post which details his seemingly successful efforts to hack a Cellebrite’s phone cracking device. What it found: Lots of vulnerabilities, as an application could compromise a Cellebrite machine simply by including a specially formatted file on a scanned phone. Marlinspike suggests that corrupting the Cellebrite hardware could interfere with the data in an untraceable way, casting a shadow over the company’s forensic reports in the future.
It was already the short version, but the even shorter version is that Signal figured out how to play with one of the most used phone hacking companies – and didn’t suggest so subtly that it might. Moments of fun!
Apple’s iOS App Store security has taken center stage in recent months as a video game developer Epic challenges the company’s business model and Congress continues to explore antitrust implications. Something he’s clearly not so good at? Identify and stop obvious scams. A developer named Kosta Eleftheriou has taken it upon himself to do this work, reporting several multi-million dollar projects over the past few months. The Verge did some spying on its own and found unraveling the scams to be as easy as browsing the top grossing apps on the App Store. Scams are hiding in plain sight.
It’s healthy to treat LinkedIn requests with suspicion in general, just on a personal level. But MI5 warned this week that British nationals should also be wary of foreign spies masquerading as friendly relations. They suggest 10,000 examples over the past few years in which fake profiles have targeted people in government and sensitive industries, using social engineering techniques to pump them up for inside information. The activity is not confined to the UK either; the United States, Canada, Australia and New Zealand have all experienced some version of this surge. Grow your network, of course, but with due caution.
The extent to which facial recognition technology like Clearview AI and location data generated by applications on your smartphone have fueled law enforcement efforts in recent years has spiraled out of control. A new bill with broad bipartisan support introduced this week seeks to address this problem. The Fourth Amendment Not For Sale law would deal with both, requiring a court order to obtain location data from brokers and prohibiting agencies from entering into contracts with companies that have obtained their data unlawfully. (Clearview AI, for example, built its image database by scraping social media companies, a clear violation of the terms of service.) And yes, the most surprising part may be that these practices are not only legal. , but common.
More WIRED stories