Location data scandals, a Zcash bug, and other security-related headlines from the past week.
At the end of this long week, it is hard to devote much mental energy to any news other than Jeff Bezos's war with the National Enquirer, but stay with us! There were also numerous intriguing developments in special counsel Robert Mueller's investigation.
Before we go on, though, please take a moment to update to iOS 12.1.4, which fixes that very serious Group FaceTime bug along with a few other previously undisclosed vulnerabilities. Got it? Good, thank you! Then consider Google's new Chrome extension, which warns you when you try to use a password that has already turned up in a data breach. Those who prefer cheaper Android devices will be glad to hear that Google has also found a way to bring full-disk encryption to lower-powered hardware.
We also looked at the US Census, which is coming sooner than you think and, hopefully, after the risks of its first move online have been addressed. Congress wants answers from Facebook, Google, and Apple about Facebook's program for monitoring the iPhone activity of users as young as 13 without Apple's knowledge.
Twitter cannot keep up with its bot abuse problem, but two researchers think they have a better way to tackle it. And renowned security expert Bruce Schneier argues that whatever trust you have placed in blockchain is misplaced.
And there's more! Each week we round up the news we didn't break or cover in depth. Click on the headlines to read the full stories. And stay safe out there.
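The breach-check extension mentioned above raises an obvious question: how can a browser ask "has this password leaked?" without handing the password, or even its full hash, to the service doing the lookup? The following is an added example, not code from this page or from Google's extension, of the hash-prefix (k-anonymity) lookup popularised by Have I Been Pwned's Pwned Passwords API: the client hashes locally, sends only the first five hex characters of the SHA-1, receives every suffix in that bucket with its prevalence count, and does the final comparison itself. The corpus, the counts and the server-side index are all constructed here so the example runs offline; Google's own extension uses a more elaborate private-set-intersection protocol built on the same prefix idea.

```python
import hashlib
from typing import Dict, Tuple

# Constructed, offline stand-in for a breached-password corpus. A real service
# such as Pwned Passwords holds hundreds of millions of SHA-1 hashes with
# prevalence counts; these four entries and their counts are made up.
BREACH_CORPUS = {
    "password": 3730471,
    "123456": 23547453,
    "letmein": 236220,
    "qwerty": 3912816,
}

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the format Pwned Passwords uses for range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Server side: bucket every hash by its first five hex characters."""
    index: Dict[str, Dict[str, int]] = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def range_query(index: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """Server endpoint (hypothetical): given only a 5-character prefix, return
    every matching suffix and its count. The server never sees the full hash."""
    if len(prefix) != 5 or not set(prefix) <= HEX:
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return dict(index.get(prefix, {}))


def check_password(password: str, index: Dict[str, Dict[str, int]]) -> Tuple[int, str, int]:
    """Client side: hash locally, send only the prefix, compare suffixes locally.

    Returns (breach_count, prefix_sent, bucket_size). breach_count is 0 when the
    password is not in the corpus; bucket_size is how many candidates the server
    returned, i.e. the anonymity set the client is hiding in from the server's
    point of view.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    bucket = range_query(index, prefix)
    return bucket.get(suffix, 0), prefix, len(bucket)


if __name__ == "__main__":
    idx = build_index(BREACH_CORPUS)
    for candidate in ("password", "correct horse battery staple"):
        count, sent, bucket = check_password(candidate, idx)
        verdict = f"seen {count} times in breaches" if count else "not found"
        print(f"{candidate!r}: sent prefix {sent}, got {bucket} candidates, {verdict}")
```

With a real corpus each five-character prefix covers several hundred hashes, so the server learns only that the client's password falls into a bucket of that size; with this tiny constructed corpus most buckets hold a single entry, which is exactly why the approach only provides meaningful anonymity at scale. The prevalence count is what lets a client distinguish "leaked once in an obscure dump" from "in every attacker's top-100 list".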
A Teen Hacks Apple and Won’t Share How
Apple had more than one run-in with teenagers this week (the Group FaceTime bug was itself reported by a 14-year-old). In the second instance, an 18-year-old German hacker demonstrated a macOS vulnerability that lets an attacker steal passwords from the keychain. Perhaps more notably, he has deliberately declined to disclose his method, as a protest against Apple's lack of a macOS bug bounty program, the kind of scheme that rewards hackers for finding and reporting vulnerabilities. Apple runs an invite-only bug bounty program for iOS, but none for its desktop operating system.
The Zcash Cryptocurrency Had a Flaw That Permitted “Infinite” Forgery
Zcash is a promising privacy-focused cryptocurrency. Until a small team of engineers patched it in October, it was also home to a remarkable, potentially catastrophic vulnerability. The issue stems from a flaw in the cryptographic paper describing the zero-knowledge proofs that underpin Zcash's privacy features; exploiting it would have allowed an attacker to forge an unlimited number of shielded coins. The Zcash team says it found no evidence that anyone exploited the bug, although it cannot be certain: shielded transactions hide their amounts, so counterfeit coins would only become visible once moved into the transparent pool. At the very least, no one appears to have printed an infinite supply of digital currency.
The SIM Swapper Crackdown Has Finally Commenced
SIM swap attacks, in which criminals hijack your phone number to defeat SMS-based two-factor authentication and break into your online accounts, have become a plague. But there is finally some progress in catching the perpetrators. Last week, Joel Ortiz took a plea deal to become the first person convicted of SIM swapping, and newly unsealed indictments in California show that the federal government has built a case against two more alleged hackers. Hopefully, the increased law enforcement attention will have a stronger deterrent effect.
For Years, Bounty Hunters Could Track US Smartphone Locations
Motherboard revealed that roughly 250 bounty hunters could buy access to location data from AT&T, Sprint, and T-Mobile, including highly precise GPS data intended for emergency responders. All of those carriers promised to stop sharing location data with third parties, failed to do so, and then promised again. One company alone made more than 18,000 individual smartphone location requests in a single year, according to documents obtained by Motherboard.