
Posts Tagged ‘#iPhone’


iPhone X TrueDepth Camera Data Raises Privacy Concerns

December 5, 2017

The TrueDepth cameras in Apple’s iPhone X bring the power of facial recognition — and the convenience of its phone-unlocking Face ID — to its phones, but some believe the company isn’t doing enough to protect the data these tools collect. In a piece for the Washington Post, Geoffrey A. Fowler is pressing the question of whether and how Apple should be sharing this data with app makers, because of what they can do with that information. Using an app called MeasureKit, Fowler’s been able to see the face-scanning data Apple shares with developers.

For instance, he claims a wireframe map of your face, complete with “a live read-out of the 52-micro movements in your eyelids, mouth and other features” can be stored on the servers belonging to app-makers. This access is corroborated in a Reuters piece published about the cameras.
While iPhone users have been trained to tap a button to give camera access permissions to apps, the situation here goes a little deeper. Fowler claims his pursuits have already improved privacy for users, stating that after he “pressed executives this week, Apple made at least one change—retroactively requiring an app tapping into face data to publish a privacy policy.”
Apple’s rules forbid app developers from using this data for advertising or marketing, to identify anonymous users or sell said data to third parties, but that doesn’t exactly calm all fears. While smaller companies would want to obey Apple’s rules to prevent the risk of getting kicked out of the app store, larger companies, such as Uber, have a record of breaking Apple’s rules.

But even if those rules are obeyed, realize that the data collected by these sensors can expose more of who you are to the apps you use. The tracking of facial movements can be used to monitor your mood, and Fowler claims this data could be used to derive a user profile, including “gender, race and even sexuality.”
If a rule breaker truly doesn’t care about angering Apple, they could use an app that tracks your location and uses your cameras — hi, Pokemon Go! — to figure out where you are and how you’re feeling.
In the end, iPhone X users concerned about their privacy might want to limit the settings for apps they don’t trust. Go into the Settings app, tap Privacy and tap Camera. There, disable the switch next to any apps you wouldn’t want to know more about you.



Warning! Your iPhone Can Get Hacked Just by Opening a JPEG Image, PDF or Font File

October 25, 2016

What’s worse than knowing that innocent-looking JPEGs, PDFs and font files can hijack your iPhone, iPad, and iPod?
Yes, attackers can take over your vulnerable Apple iOS device remotely – all they have to do is trick you into viewing a maliciously crafted JPEG graphic or PDF file through a website or an email, which could allow them to execute malicious code on your system.
That’s a terrible flaw (CVE-2016-4673), but the good news is that Apple has released the latest version of its mobile operating system, iOS 10.1, for iPhones and iPads to address this remote code execution flaw, alongside an array of bug fixes. And now that the company has rolled out a security patch, some hackers will surely look for unpatched Apple devices to exploit the vulnerability and take full control of them.
So, users running older versions of iOS are advised to update their mobile devices to iOS 10.1 as soon as possible.
Besides this remote code execution flaw, the newest iOS 10.1 includes security updates to address 11 security flaws in the firmware for the iPhone, iPad, and iPod Touch.
Those flaws include local code execution vulnerabilities, a remote code execution bug in WebKit (CVE-2016-4677), and a flaw in Contacts (CVE-2016-4686) that would allow an application to pull Address Book details even when access has been revoked.
To update your iOS device go to Settings → General → Software Update.

Security Updates for Mac, Apple Watch, and AppleTV

Apple has also released security updates for Mac PCs, Apple Watches and Apple TVs. So, Mac users are advised to update their system to macOS Sierra (10.12.1), which includes security fixes for 16 CVE-listed vulnerabilities.
Those weaknesses include an image-handling bug (CVE-2016-4673), a denial of service (DoS) error in Nvidia graphics card drivers, a bug that exposed the length of user passwords and Remote Code Execution (RCE) flaws that could be triggered by font files and PDF files, among others.
Meanwhile, Apple Watch users are recommended to update their devices to watchOS 3.1, which includes fixes for 8 security flaws.
Those flaws include 2 vulnerabilities in sandbox profiles that could allow third-party apps to view image libraries and sound files without permission.
AppleTV users are also advised to update their devices to tvOS 10.0.1, which includes patches for 10 vulnerabilities, including the WebKit remote code execution flaw, the sandbox profiles flaws, and the CoreGraphics JPEG flaw.
So get your Apple device patched before getting caught by hackers.



Government Hackers Caught Using Unprecedented iPhone Spy Tool

August 26, 2016

On the morning of August 10, Ahmed Mansoor, a 46-year-old human rights activist from the United Arab Emirates, received a strange text message from a number he did not recognize on his iPhone.
“New secrets about torture of Emiratis in state prisons,” read the tantalizing message, which came accompanied by a link.
Mansoor, who had already been the victim of government hackers using commercial spyware products from FinFisher and Hacking Team, was suspicious and didn’t click on the link. Instead, he sent the message to Bill Marczak, a researcher at Citizen Lab, a digital rights watchdog at the University of Toronto’s Munk School of Global Affairs.
As it turned out, the message wasn’t what it purported to be. The link didn’t lead to any secrets, but to a sophisticated piece of malware that exploited three different unknown vulnerabilities in Apple’s iOS operating system that would have allowed the attackers to get full control of Mansoor’s iPhone, according to new joint reports released on Thursday by Citizen Lab and mobile security company Lookout.
This is the first time that anyone has uncovered such an attack in the wild. Until this month, no one had seen an attempted spyware infection leveraging three unknown bugs, or zero-days, in the iPhone. The tools and technology needed for such an attack, which is essentially a remote jailbreak of the iPhone, can be worth as much as one million dollars. After the researchers alerted Apple, the company worked quickly to fix them in an update released on Thursday.
The question is, who was behind the attack and what did they use to pull it off?
It appears that the company that provided the spyware and the zero-day exploits to the hackers targeting Mansoor is a little-known Israeli surveillance vendor called NSO Group, which Lookout’s vice president of research Mike Murray labeled as “basically a cyber arms dealer.”
The researchers at Citizen Lab and Lookout were impressed by this new, never-seen-before, type of malware.
“We realized that we were looking at something that no one had ever seen in the wild before. Literally a click on a link to jailbreak an iPhone in one step,” Murray told Motherboard. “One of the most sophisticated pieces of cyberespionage software we’ve ever seen.”
Since its founding in 2010, NSO has developed a reputation for providing sophisticated malware to governments that need to target cellphones in their investigations, although the use of its tools has never been documented before. The company claims that its products are completely stealthy, like a “ghost.” The company has been so guarded about its wares that it’s never had a website, and has rarely given interviews or any comments to the press. But some information has leaked out, including an investment for $120 million by a US-based venture capital firm in 2014 and a subsequent reported valuation of $1 billion.
NSO’s malware, which the company codenamed Pegasus, is designed to quietly infect an iPhone and be able to steal and intercept all data inside of it, as well as any communication going through it.
“It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls. It also basically backdoors every communications mechanism you have on the phone,” Murray explained. “It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram—you name it.”
Citizen Lab’s Marczak and John Scott-Railton, who caught the malware first, analyzed it with the help of Murray and his colleagues at Lookout. The researchers clicked on the link that Mansoor shared on their own guinea-pig iPhone, and infected it with Pegasus, which gave them the ability to see exactly what the malware was designed to do.
This attack on Mansoor, as well as another one Citizen Lab was able to trace back to a journalist in Mexico, shows that the well-known Hacking Team and FinFisher are not the only players in the growing business of private companies providing hacking services to governments. It also shows that those companies’ customers, which are often authoritarian governments with proven records of human rights abuses and targeting of dissidents and activists, aren’t afraid to use them, no matter the cost.
“This indicates the incredible power of the voices of journalists and activists who attract this kind of extremely expensive spyware,” Railton said.
Ultimately, this could be a sign of things to come.
“The people that we see being targeted by these texts today—dissidents, activists—these are kind of the people on the frontlines of what is to come for all of us tomorrow, these guys are sort of the canaries in the coal mine,” Marczak said. “The threats that they are facing today are threats that perhaps ordinary users will face tomorrow.”
A spokesperson for NSO declined to answer any specific questions about the report, saying in a prepared statement that “the company has no knowledge of and cannot confirm the specific cases mentioned in your inquiry.”
Earlier this year, in May, Citizen Lab revealed a new, sophisticated hacking group it dubbed Stealth Falcon. The researchers couldn’t confirm it, but they suspected Stealth Falcon had a link to the UAE government, and targeted dissidents inside and outside of the country.
As part of its research into Stealth Falcon, Citizen Lab was able to map large parts of the group’s infrastructure, including servers and domains that Stealth Falcon used to steal data and siphon it out of its victims in its hacking campaigns. But the researchers couldn’t find any actual samples of the malware the hackers used. That changed on August 10, when Mansoor sent Marczak the suspicious text message.
Once Marczak and Scott-Railton were able to look into it, they followed a convoluted online trail and realized the spyware communicated with a server, and an IP address, that they had fingerprinted in the past as being part of Stealth Falcon’s infrastructure. Then they found that a server registered to an NSO employee pointed to the same IP address.
Moreover, inside the actual malware, its developers left a revealing string of code: “PegasusProtocol,” an apparent reference to NSO’s spyware codename, Pegasus. The researchers were able to find yet more domains associated with NSO or its customers’ infrastructure, noting that “alarmingly” some of them appeared designed to impersonate humanitarian organizations like the Red Cross, and news media organizations.
For the first time, the researchers were able to finally have a real glimpse into the features of the company’s malware. Since its founding in 2010, NSO has gained an almost-legendary aura, with unconfirmed rumors about its powers, while remaining essentially unknown to the general public. Its executives have rarely spoken to the press, and the few articles written about the company are full of vague descriptions and unconfirmed rumors.
“We’re a complete ghost,” NSO co-founder Omri Lavie told Defense News, a military trade publication, in 2013.
A short profile in 2014, published in The Wall Street Journal, reported that NSO had peddled its product to the Mexican government, and got the interest of even the CIA. Its spyware, according to the article, was sold all over the world.
Now that its spyware has been exposed, and its zero-days have been burned, NSO perhaps can’t claim to be a ghost anymore, although the company could very well have other zero-days and tools up its sleeves. That’s why the researchers don’t expect their reports, and Apple’s patch, to hit the brakes on the activities of NSO for long.
“We’re not going to put NSO out of business by patching these vulnerabilities,” Murray said.
Moreover, the malware is programmed with settings that go all the way back to iOS 7, which indicates that NSO has likely been able to hack iPhone devices since the iPhone 5.
NSO’s spokesperson Zamir Dahbash said in a statement that the company’s “mission is to help make the world a safer place by providing authorized governments with technology that helps them combat terror and crime.”
“The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations. Moreover, the company does NOT operate any of its systems; it is strictly a technology company,” the statement read. “The agreements signed with the company’s customers require that the company’s products only be used in a lawful manner. Specifically, the products may only be used for the prevention and investigation of crimes.”
The researchers at Citizen Lab and Lookout reached out to Apple as soon as they found out about the zero-days, which they dubbed Trident. It took about 10 days for Apple to develop and release a patch. The patch is now live as part of the iOS 9.3.5 update, which every iPhone user should download and install as soon as possible.
“We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5,” an Apple spokesperson said in a statement, declining to provide more comments.
Dan Guido, the CEO of cybersecurity firm Trail Of Bits, which does a lot of work with Apple systems, said that these attacks, while rarely seen in the open, are to be expected. Ultimately, despite the three zero-days caught in the wild, Guido still believes the iPhone is a much safer choice than Android, for example.
“Apple has raised the cost of exploiting their devices higher than any other vendor out there. But this highlights the need for better compromise detection for iOS,” Guido said, adding that in any case, “iOS is still the single most secure consumer device available.”
“The problem is that it takes a paranoid mentality and friends at Citizen Lab to identify whether you have malware,” he added.
The researchers haven’t been able to find any other samples of Pegasus spyware yet. But while searching for similar links and domains to the ones associated with the attack on Mansoor and the infrastructure of a hacking group they dubbed Stealth Falcon, they were able to find a tweet that appears to target unknown victims in Kenya, as well as an attack on Mexican investigative journalist Rafael Cabrera.
Cabrera was targeted with NSO malware last year for the first time, and again as recently as May of this year. In the latest round of attacks, hackers tried to lure him to click on a series of messages offering government corruption revelations, warning of a charge of $500 on his phone bill, and even promising an adult video that would prove his wife cheated on him. He said he never clicked on any of the links the hackers sent him.
“It’s clear that they wanted me to click,” Cabrera told Motherboard. “You could even say they were desperate.”
Cabrera didn’t want to speculate as to who the hackers really were, saying it could be the government, or someone else. Mexico is among the suspected customers of NSO, but it’s unclear if a police or intelligence agency there is actually using the company’s malware. Mexico was also the largest customer of Hacking Team in the world, and some of its agencies allegedly used the spyware to target journalists and dissidents, rather than criminals.
In the end, Cabrera and Mansoor did not get hacked, as they were savvy enough not to fall for the hackers’ tricks. In a way, they got lucky. By having been targeted before with government hacking attempts, they were more vigilant than usual.
But their stories, as Marczak said, might just be yet another warning of things to come. If governments want hacking tools and have deep pockets to pay for them, companies like Hacking Team and NSO will continue to provide them. In the past, Citizen Lab has documented several attacks against dissidents, journalists, and human rights workers by governments worldwide using spyware similar to the one NSO produces. And despite publicizing and warning about these attacks, the malware hunters at Citizen Lab keep finding new attacks, sometimes performed by the same governments, and even against the same targets.
“The incentives just aren’t there for these companies like NSO to keep these tools out of the hands of serial abusers like the UAE,” Marczak said.
This is also the first sign of the rise of a new superpower in the spyware industry. NSO has potential to grow after the damaging—yet not deadly—hacks on FinFisher and Hacking Team, which are still the most well-known, and notorious, spy tech vendors today.
And all of these revelations would have remained in the shadows if Mansoor had clicked on that link he got on August 10.

