Security News
Digital ad company Confiant, which claims to "Improve the digital marketing experience" for online advertisers by knowing about and getting rid of malicious and unwanted ads, has just published an analysis of a malvertising group it calls ScamClub. According to Confiant, the ScamClub crew took things to an even more aggressive level by actively targeting a bug in Apple's WebKit browser engine, the compulsory software core that every browser on your iPhone, including Safari, is required to use.
Apple has quietly added several anti-exploit mitigations into its flagship mobile operating system in what appears to be a specific response to zero-click iMessage attacks observed in the wild. The new mitigations were discovered by Samuel Groß, a Google Project Zero security researcher who specializes in remote iPhone exploitation and zero-click attacks against mobile messaging systems.
Apple says it will roll out a new privacy control in the spring to prevent iPhone apps from secretly shadowing people. Although Apple didn't provide a specific date, the general timetable disclosed Thursday means a long-awaited feature known as App Tracking Transparency will be part of an iPhone software update likely to arrive in late March or some point in April.
Apple, rather unusually in today's cybersecurity world, rarely announces that security fixes are on the way. Apple doesn't disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are generally available.
In organizations, Apple's App Privacy data can start a conversation about privacy-respecting apps as well as help IT leaders stop the use of apps that collect more data than necessary. For more details, see: How Apple's new App Store privacy requirements may affect users and app developers.
Three dozen journalists working for Al Jazeera had their iPhones stealthily compromised via a zero-click exploit to install spyware as part of a Middle East cyberespionage campaign. In a new report published yesterday by University of Toronto's Citizen Lab, researchers said personal phones of 36 journalists, producers, anchors, and executives at Al Jazeera, and a journalist at London-based Al Araby TV were infected with Pegasus malware via a now-fixed flaw in Apple's iMessage.
In this episode, we dig into research that figured out a way to steal data from iPhones wirelessly; we tell the fascinating story of how environmentalist divers in Germany came across an old Enigma cipher machine at the bottom of the Baltic sea; and we give you advice on how to talk to phone scammers.
A Google security guru has published details of a critical hole in Apple's iOS that can be exploited by miscreants to hijack strangers' iPhones over the air without any user interaction. On Tuesday, Google Project Zero's Ian Beer, who reported the flaw to Apple back on November 29, 2019, published a detailed technical account of how he found the vulnerability and developed an exploit for it, which he likened to a magic spell to gain remote control of the target device.
Oh, and exploits were wormable - meaning radio-proximity exploits could spread from one nearby device to another, once again, with no user interaction needed. Beer's attack worked by exploiting a buffer overflow bug in a driver for AWDL, an Apple-proprietary mesh networking protocol that makes things like AirDrop work.
The exploit sequence he figured out really does allow an attacker to break into a nearby iPhone and steal personal data - using wireless connections only, and with no clicks needed by, or warnings shown to, the innocently occupied user of the device. To give you an idea of just how much effort went into the 5-minute "Teddy bear's data theft picnic" video above, and as a fair warning if you are thinking of studying Beer's excellent article in detail, bear in mind that his blog post runs to more than 30,000 words - longer than the novel Animal Farm by George Orwell, or A Christmas Carol by Charles Dickens.