Noted Apple security expert Patrick Wardle discusses how cybercriminals are stepping up their game in targeting Apple users with new techniques and cyberattacks.
The phones of 36 journalists were infected by four APTs, possibly linked to Saudi Arabia or the UAE.
https://threatpost.com/zero-click-apple-zero-day-pegasus-spy-attack/162515/
Goontact lures users of illicit sites through Telegram and other secure messaging apps and steals their information for future fraudulent use.
https://threatpost.com/sextortionist-campaign-targets-ios-android-users-with-new-spyware/162321/
Manufacturing powerhouse confirmed North American operations impacted by November cyberattack.
https://threatpost.com/foxconn-confirms-cyber-attack/162035/
Researcher Ian Beer from Google Project Zero took six months to figure out the radio-proximity exploit of a memory corruption bug that was patched in May.
https://threatpost.com/iphone-bug-takeover-over-the-air/161748/
The company patched a vulnerability that could connected video and audio calls without the knowledge of the person receiving them.
https://threatpost.com/facebook-messenger-bug-spying-android/161435/
Attackers can exploit the feature and send people’s data directly to remote servers, posing a privacy and security risk, researchers said.
https://threatpost.com/some-apple-apps-on-macos-big-sur-bypass-content-filters-vpns/161295/
Browser users are once again being asked to patch severe vulnerabilities that can lead to remote code execution.
https://threatpost.com/2-zero-day-bugs-google-chrome/161160/
Developers will have to reveal how data is shared with any “third-party partners,” which include analytics tools, advertising networks, third-party SDKs or other external vendors.
https://threatpost.com/apple-privacy-labels-apps-data-sharing/161081/
The actively exploited vulnerabilities discovered by Project Zero exist across iPhone, iPad and iPod devices.
The most-rewarded flaw is XSS, which is among those that are relatively cheap for organizations to identify.
Amazon, Apple, Netflix, Facebook and WhatsApp are top brands leveraged by cybercriminals in phishing and fraud attacks - including a recent strike on a half-million Facebook users.
https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
A set of address-spoofing bugs affect users of six different types of mobile browsers, with some remaining unpatched.
https://threatpost.com/mobile-browser-bugs-safari-opera-malware/160326/
The move is a distinct change in direction for the app, which has been criticized and even banned for its security practices.
Ethical hackers so far have earned nearly $300K in payouts from the Apple bug-bounty program for discovering 55 bugs, 11 of them critical, during a three-month hack.
https://threatpost.com/3-month-apple-hack-vulnerabilities-critical/159988/
A researcher claims that the issue can be exploited by attackers in order to gain root access.
Popular ‘safe browsing’ padlocks are now passe as a majority of bad guys also use them.
https://threatpost.com/why-web-browser-padlocks-shouldnt-be-trusted/159659/
FinSpy has returned in new campaigns targeting dissident organizations in Egypt - and researchers uncovered new samples of the spyware targeting macOS and Linux users.
Convincing SMS messages tell victims that they've been selected for a pre-release trial for the soon-to-be-launched device.
Release of iOS 14 and iPadOS 14 brings fixes 11 bugs, some rated high-severity.
https://threatpost.com/apple-bug-code-execution-iphone/159332/
The 'BLESA' flaw affects the reconnection process that occurs when a device moves back into range after losing or dropping its pairing, Purdue researchers said.
https://threatpost.com/bluetooth-spoofing-bug-iot-devices/159291/
New opt-in COVID-19 Exposure Notifications Express systems baked into Apple’s iOS and available on Android need privacy guardrails, say privacy advocates.
https://threatpost.com/govt-contact-tracing-apps-privacy/159109/
Technology minister bans, Baidu, WeChat Work, AliPay and 115 others for capturing using data and transmitting it to servers outside of the country without authorization.
https://threatpost.com/india-blocks-high-profile-chinese-apps-on-political-privacy-concerns/158959/
The notarized malware payloads were discovered in a recent MacOS adware campaign, disguised as Adobe Flash Player updates.
https://threatpost.com/apple-accidentally-notarizes-shlayer-malware/158818/
While privacy experts praised Apple’s upcoming iOS 14 updates, Facebook said the new features could cut its advertising business in half.
https://threatpost.com/facebook-hits-back-at-apples-ios-14-privacy-update/158734/
Polish security researcher unveiled the flaw in a cross-browser sharing API that could allow attackers to steal user files.
https://threatpost.com/safari-bug-revealed-after-apple-takes-nearly-a-year-to-patch/158612/
At Black Hat 2020, Patrick Wardle disclosed an exploit chain that bypasses Microsoft's malicious macros protections to infect MacOS users.
https://threatpost.com/black-hat-zero-click-macos-exploit-chain-microsoft-office-macros/158112/
COVID-19 pandemic spurs spoofing preference changes, plus a surge in email-based attacks.
https://threatpost.com/apple-most-imitated-brand-phishing-attacks/158006/
Hackers "mislead certain employees" to gain access to internal tools to take over high-profile accounts and push out a Bitcoin scam.
https://threatpost.com/twitter-hack-mobile-spearphishing-scam/157896/
The U.S. government and tech companies continue to butt heads over the idea of encryption and what that means for law enforcement.
https://threatpost.com/encryption-under-full-frontal-nuclear-assault-by-u-s-bills/157748/
Threatpost editors talk about the biggest security news stories for the week ended Jul. 24.
A Dutch elected official is among those whose DMs were hijacked, the company said.
https://threatpost.com/twitter-hackers-private-messages-elite-accounts/157657/
Apple's Security Research Device program is now open to select researchers - but some are irked by the program's vulnerability disclosure restrictions.
https://threatpost.com/apple-security-research-device-program-draws-mixed-reactions/157640/
Mac expert Thomas Reed discusses how EvilQuest is ushering in a new class of Mac malware.
A rare, new Mac ransomware has been discovered spreading via pirated software packages.
https://threatpost.com/evilquest-mac-ransomware-keylogger-crypto-wallet-stealing/157034/
App will stop reading users’ device cut-and-paste data after a new banner alert in an Apple update uncovered the activity.
The Lawful Access to Encrypted Data Act is being decried as "an awful idea" by security experts.
https://threatpost.com/new-bill-targeting-warrant-proof-encryption-draws-ire/156877/
Adobe will prompt Flash Player users to uninstall the application before the Dec. 31, 2020 end of life date hits.
https://threatpost.com/adobe-prompts-users-to-uninstall-flash-player-as-eol-date-looms/156794/
Contact tracing apps for the coronavirus are being developed and tested globally as the world starts to re-open. Are the apps worth using to flatten the curve? Or do data privacy worries trump pu...
https://threatpost.com/podcast-would-you-use-contact-tracing-coronavirus-app/156454/
A $5 billion class-action lawsuit filed in a California federal court alleges that Google's Chrome incognito mode collects browser data without people’s knowledge or consent.
https://threatpost.com/google-faces-privacy-lawsuit-over-tracking-users-in-incognito-mode/156269/