All Stories Tagged:

Security

Cybersecurity is the rickety scaffolding supporting everything you do online. For every new feature or app, there are a thousand different ways it can break – and a hundred of those can be exploited by criminals for data breaches, identity theft, or outright cyber heists. Staying ahead of those exploits is a full-time job, and one of the most lucrative and sought-after skills in the tech industry. All too often, it’s something up-and-coming companies decide to skip out on, only to pay the price later on.

Former NSA hacker and former Apple researcher launch iOS security startup.

There’s a lack of cybersecurity products devoted to iOS and macOS, and the startup DoubleYou thinks it can fix that problem, say co-founders Patrick Wardle and Mikhail Sosonkin.

DoubleYou will be like a “supplier of car parts” for Apple cybersecurity solutions, developing tools that it can license to companies, who can then build them into their security products.


Microsoft needs to win back trust

Years of security issues and mounting criticism have left Microsoft needing to overhaul its cybersecurity.

Researchers find text-reading exploits across popular Chinese keyboard apps.

The Citizen Lab analyzed Chinese keyboard apps from Baidu, Honor, Huawei, iFlytek, Oppo, Samsung, Tencent, Vivo, and Xiaomi. It found that each of these apps — except for Huawei’s — has an exploit that can “reveal the contents of users’ keystrokes in transit.” The research group estimates these vulnerabilities impact up to 1 billion people.


Linus Torvalds on the attempted XZ Utils hack.

During a keynote interview at Open Source Summit North America, the Linux founder discussed tabs vs. spaces, RISC-V, and the risks of security issues from maintainers raised by the recent exploit attempt:

Torvalds acknowledges that “Clearly it’s a wake-up call — there’s no question about that… I think we’re going to see a lot of work being put into some kind of trust model, where people see, ‘Oh, this is a new person’, or ‘This is a person that is acting differently from before.’”


The Heritage Foundation got hacked.

The think tank said the cyberattack happened earlier this week, but it’s unclear what data may have been leaked... and by who. Yikes. As for why it matters, the Heritage Foundation is the conservative think tank in the US and widely recognized as having a significant influence in US public policy.


X enables passkeys for iOS users worldwide.

While the platform’s influence has waned, your dormant Twitter account could still have embarrassing or dire consequences if hijacked. So it’s probably worthwhile to set up a more secure passwordless passkey on your iPhone just in case.


Who is ‘Jia Tan,’ the coder behind the XZ Utils Linux backdoor?

The long-term plan to gain access, and the backdoor’s careful design have experts agreeing that “Jia Tan” was probably not a lone wolf. Security researcher Costin Raiu tells Wired the XZ Utils attack is far more “cunning” than anything he’d seen previously.

Others have looked into when Tan submitted their code. Most uploads were linked to China’s time zone, while several were (perhaps accidentally) in the Middle East or Eastern Europe, and they continued working on notable Chinese holidays.


Poland is investigating the government’s use of Pegasus spyware.

Poland’s parliament opened an inquiry into the use of the NSO Group’s spyware under the right-wing Law and Justice (PiS) party, which ruled the country for eight years. The government will notify those who were targeted.

“Too long we’ve been lied to about Pegasus by PiS and we’re going to get to the bottom of it now,” the member of parliament leading the inquiry said.


An “urgent” Linux backdoor was discovered entirely by accident this week.

Red Hat urgently warned this week that recent beta versions of Fedora operating systems contained malicious code for backdoor access. Debian issued a similar warning.

A blog post from security firm Deepfactor points out that Microsoft developer Andres Freund notified the Linux security Openwall Project after stumbling on the exploit. On Mastodon, Freund said discovering it “really required a lot of coincidences,” starting with him probing curiously high CPU usage by an SSH process.

Update March 7th, 11PM ET: We have more details on the XZ Utils backdoor attempt right here.


A screenshot of Andres Freund’s post detailing what led him to investigate.
Thank goodness for Freund’s memory.
Screenshot: Wes Davis / The Verge
The US House banned staffers from using Microsoft Copilot.

The House is removing and blocking Copilot from “all House Windows Devices” after the Office of Cybersecurity determined that it risked “leaking House data to non-House approved cloud services,” reported Axios.

The House cited similar concerns when it restricted the use of ChatGPT in congressional offices last year and declared that no non-ChatGPT chatbots were authorized yet. A Microsoft spokesperson told Axios that meeting “federal government security and compliance requirements” with AI tools like Copilot is on its roadmap for “later this year.”


“The house always wins.”

This WSJ report details the chaos that went on behind the scenes when hackers broke into MGM’s network using social engineering techniques, bringing down its systems for days.

As executives scrambled to lock out the hackers, MGM decided to rebuild its entire system rather than pay the over $30 million ransom requested by hackers:

The company’s task had become more daunting. Instead of simply cleaning up infected parts of the computer systems, now they’d have to rebuild the thousands of servers the company used from scratch, installing clean versions of the operating system and other software. The cost would far exceed the ransom request. MGM decided to do it anyway.


Court documents reveal how Facebook’s Onavo VPN tracked Snapchat data for “Project Ghostbusters.”

Facebook's “In App Panel” program ran from 2016 to 2019 using Onavo’s technology as a man-in-the-middle attack to decrypt secured Snapchat traffic. Court documents unsealed as part of an ongoing class-action antitrust lawsuit show how the program came together.

A June 2016 email included in the documents from Mark Zuckerberg says:

Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them. . . .

Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.


Amazon’s data shows the massive scale of its counterfeit problem.

The ecommerce giant’s latest brand protection report reveals that it identified, seized, and disposed of over 7 million counterfeit products on its marketplace in 2023. It says it also worked with Chinese authorities to carry out more than 50 “successful raid actions,” which led to the identification and questioning of over 100 counterfeit manufacturers, suppliers, and distributors.


Apple’s latest macOS Sonoma update comes with an explanation for recent security fixes.

The macOS Sonoma 14.4.1 / Ventura 13.6.6 update released today fixes bugs affecting Java apps and Audio Unit plug-ins for professional music apps. It also fixes a problem where USB hubs connected to external displays weren’t recognized.

It also fixes the same security flaw that was addressed in updates to iOS, iPadOS, and visionOS last week. Image bugs identified by Google Project Zero could have led to code execution, so you should probably update ASAP.


Hackers for the Chinese government targeted email accounts of political dissidents and US officials.

In an indictment unsealed on Monday, the US government said that seven Chinese nationals were charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud.

Law enforcement said the hackers were part of a China-based group that targeted “thousands of U.S. and foreign individuals and companies” over 14 years.


Three years later, AT&T still won’t say how 70 million customers’ data got leaked.

TechCrunch’s Zack Whittaker has been pushing the company for answers, now that the massive cache of customer data is circulating once again. But although a known hacker claimed responsibility in 2021, AT&T still claims its systems weren’t breached at all — and yet it wouldn’t give Whittaker any other explanation for where the data came from.


Proton’s password manager now supports passkeys.

After rolling out its end-to-end encrypted password manager last year, Proton has announced that it will now let you manage passkeys across mobile and desktop devices, allowing you to log into sites without a password.


The FCC’s new US Cyber Trust Mark program is moving forward.

Described as an “Energy Star label for the IoT,” this will put the logo revealed last year on participating products that meet certain standards for security, along with a QR code customers can scan to find the latest info about how updates work, or how long the support window will be.

After voting in favor of rules and a framework to move forward, the FCC is now asking for some input:

The Commission is also seeking public comment on additional potential disclosure requirements, including whether software or firmware for a product is developed or deployed by a company located in a country that presents national security concerns and whether customer data collected by the product will be sent to servers located in such a country.