Archive for September 6, 2019

Apple Calls Out Google’s Project Zero Claims Regarding Security Vulnerabilities in iOS [UPDATED]

Posted in Commentary with tags , on September 6, 2019 by itnerd

Back in the day, Steve Jobs declared “thermonuclear war” on Google. It now seems that we may be headed back to those days. I say that because you might recall that Google’s Project Zero put out a statement on zero day attacks that targeted iOS that they found. I then posted a story that said that not only were the attacks aimed at the Uighur minority in China, and likely done by China, but Google failed to mention that the attacks covered Android and Windows as well.

Now Apple has decided to return fire as only Apple can. The company issued a press release that says among other things this:

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

The more that this story goes on, the worse that Google looks. It will be interesting to see if Google responds to this as they’ve pretty much been called out and if they don’t respond, the reputation of Project Zero will be in tatters and un-repairable.

Over to you Google.

UPDATE: Google shot back via The Verge saying that it stands by its statement. Game on Apple.

BREAKING: Facebook Has 8 States That Want To #DeleteFacebook Via An Antitrust Investigation

Posted in Commentary with tags on September 6, 2019 by itnerd

Facebook may be in very deep trouble. The Washington Post in the last few minutes has posted a story that says the following:

New York Attorney General Letitia James released a statement announcing a bipartisan coalition investigating the social media company. The probe includes the attorneys general of Colorado, Florida, Iowa, Nebraska, North Carolina, Ohio, Tennessee and the District of Columbia, according to a press release by James’s office, which said the investigation “focuses on Facebook’s dominance in the industry and the potential anticompetitive conduct stemming from that dominance.”

And that literally all that the story says. At least at 8:30 AM. More details will be coming shortly, but you have to imagine that for Mark Zuckerberg and company, this is not good news to wake up to this Friday morning. And that’s on top of a US senator who wants to see Zuckerberg take a trip to the grey bar hotel.

UPDATE: The Washington Post story has been updated with this text:

New York is leading a multistate investigation of Facebook for possible antitrust violations, Attorney General Letitia James announced Friday, kicking off a bipartisan wave of independent state inquiries targeting the social media giant as well as Google’s parent company, Alphabet.

James will work with the attorneys general of Colorado, Florida, Iowa, Nebraska, North Carolina, Ohio, Tennessee and the District of Columbia on an inquiry focused on “Facebook’s dominance in the industry and the potential anti-competitive conduct stemming from that dominance,” according to a news release.

And there’s this telling Tweet that’s part of the story:

Facebook has not commented yet. Likely because they’re too busy freaking out.

Guest Post: NordVPN Discusses The Fact That Governmental Institutions Around the World Fail to Protect Their Citizens’ Data

Posted in Commentary with tags on September 6, 2019 by itnerd

More and more governments around the world are discussing encryption backdoors to help them fight various criminal activities. However, the data breaches, cyberattacks, and hacks, which we hear about every day, affect not just private companies. Governmental institutions suffer from them too. Due to various software system flaws, millions of unsuspecting citizens have been affected only this year.

Daniel Markuson, the digital privacy expert at NordVPN, says that some governmental institutions believe they are too small and insignificant for hackers to attack them. However, recent events in Baltimore, Florida, and Texas defy this belief. In May, Baltimore struggled with a cyberattack that froze thousands of computers and disrupted real estate sales, water bills, health alerts, and many other services. A few Florida municipalities had to pay hackers a ransom of $1.1 million after municipal employees were locked out of their email accounts and important files. Just recently, in August a ransomware attack hit local governments in Texas, affecting up to 23 entities.

“Out-of-date software used by some governments and a variety of contractors make them an easy target. That’s the most common reason why these institutions get hacked. Updating a digital security system and making it immune to cyberattacks require millions of dollars and high-level skills,” explains Daniel Markuson, the digital privacy expert at NordVPN. “Slow internal processes and complicated procurement procedures add up to the reasons why some organizations are still using unsafe security software. However, data breaches are expensive, and the security of people’s sensitive data should be considered priceless.”

Here are just a few examples of the governmental data breaches that happened this year. They became infamous for the scope and the numbers of citizens affected.

  • This May, Ivan Begtin, a co-founder of a Russian NGO called Informational Culture, discovered and documented several leaks from Russian government sites. The personal information and passport details of 2.25 million citizens, including high-profile politicians and government officials, were exposed online and available for download.
  • In June, five million of Bulgaria’s seven million citizens had their personal data compromised in an attack on the country’s national revenue agency. Both private and social security information on every adult in Bulgaria was exposed – perfect for identity theft or attacking lucrative targets. Half of the leaked database was posted on several public forums.
  • In the late spring of this year, an unknown hacker attacked a US Customs and Border Protection subcontractor and put much of its internal data on the open web for download. The exposed database included photos of travelers’ faces and license plates, surveillance equipment schematics, and sensitive contracting documents. Now, the border surveillance company – the longtime contractor named Perceptics – is suspended from carrying out business with the federal government. However, over 400 GB of data was stolen and 100,000 people were reportedly affected.

Human error is one of the biggest sources of data breaches, according to NordVPN’s Daniel Markuson. Using weak passwords and falling for phishing scams can hurt an organization immensely. The digital privacy professional explains that it is quite easy to leak email and password information when an employee clicks on a virus link, reveals user credentials, or downloads malware attachments. “Just one click can compromise the entire database of an institution,” says digital privacy expert.

Daniel Markuson, the digital security expert at NordVPN, says that we can’t control what information authorities have about us and how they handle it. However, you should take some measures once you hear a company or an institution relevant to you has been hacked. Find out what information has been leaked and act accordingly:

  • If the leaked information included your login details, you should change them immediately. Start using a password generator for creating strong passwords. Set up 2-factor-authentication, which requires a second password or PIN, usually sent to your smartphone.
  • If your payment details were stolen, you should contact your bank as soon as possible and freeze your card. Check your recent statements for any suspicious activity. Set up a fraud alert with the credit bureau that would notify you if someone tries to open new accounts or take out loans using your card.
  • If your ID, passport, or social security number were leaked, inform authorities right away. Prove your identity before anyone else did, issue a fraud alert, and review your Social Security statement and credit reports for any illegal activities or suspicious charges.

Remember, everyone can become a data breach victim. Even governmental institutions that handle our most sensitive information are vulnerable as their cybersecurity is sometimes lacking. Just stay alert and notify authorities whenever there is a need in order to minimize the damage. Hopefully, the authorities learn from the mistakes others endured and start investing more in cybersecurity.