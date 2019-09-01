Security Leftovers
The frighteningly simple technique that hijacked Jack Dorsey’s Twitter account [iophk: s/become/always been/]
Friday afternoon, Jack Dorsey’s 4.2 million Twitter followers got an unpleasant surprise. A group of vandals had gained access to the account, and used that access to blast out a stream of offensive messages and plugs for their group’s Discord channel. Within 15 minutes, the account was back under control and the group was banned from Discord, but the incident was a reminder of the serious vulnerabilities in even the highest-profile accounts, and just how insecure phone-based authentication has become.
Australia hit by 9.2 million malware attacks in just six months [iophk: Windows TCO]
Australia continues to be a malware target, with 9.2 million malware detections in the first half of 2019, with malicious URLs also proving a popular form of attack, as the number of times a malicious URL was accessed reached 8.9 million, according to a new global security report.
Significant iOS Vulnerabilities Used Against Uyghur Muslims in China
On 29 August 2019, Google’s Project Zero security research team released the details of a major series of attacks against iOS using sophisticated, zero-day exploits on a scale unprecedented in the iOS world. (Wired has a less technical summary of the Project Zero report, which is aimed at security professionals.) This is the most significant iOS security incident we are aware of since the launch of the iPhone. And while it’s extremely unlikely that any TidBITS readers had their devices compromised, the news remains a concerning development.
[...]
Google reported the vulnerabilities to Apple in February 2019, and Apple patched them 6 days later with the release of iOS 12.1.4. At the time, iOS 12.1.4 seemed more important for its fix of a FaceTime bug that let a caller listen in on another FaceTime user while the device was ringing (see “Apple Re-Enables Group FaceTime with iOS 12.1.4 and macOS 10.14.3 Supplemental Update,” 7 February 2019). But if you look at the security notes for iOS 12.1.4, you’ll notice fixes for problems in Foundation and IOKit that acknowledge an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, and Ian Beer and Samuel Groß of Google Project Zero. (Beer and Groß wrote the Project Zero report as well.)
When governments attack: malware campaigns against activists and journalists
This year at Nullcon, Eva gave her talk on When governments attack: malware campaigns against activists and journalists. After introducing EFF, she explained Dark Caracal, a possibly state-sponsored malware campaign. If we leave aside all technical aspects, this talk has a few other big points to remember.
