Adobe issued out-of-band patches for their PDF products (Acrobat & Reader) to address critical zero-day vulnerabilities being actively exploited in the wild — nakedsecurity.sophos.com/…
It has been revealed that the update Microsoft released for Skype on Android on the 23rd of December patched a dangerous lock-screen bypass bug — nakedsecurity.sophos.com/…
Phishing just got quite a bit more dangerous with the release of a new penetration-test/hacking tool designed to automate reverse-proxy-style 2FA hacks similar to those recently reported being used against the US government and Amnesty International. The tool is named Modlishka, which is the Polish for Mantis (Editorial by Bart: the existence of software like this just makes it ever more important to check the URL in the address bar before you enter your 2FA code, username, or password) — nakedsecurity.sophos.com/…
🇪🇺 A draft list of supposed piracy sites posted by EU lawmakers in preparation for the implementation of Article 13 of the controversial new European Copyright Directive has raised serious concerns about this law’s possible impact on the internet. Perhaps most glaringly, the list includes CloudFlare as a supposed piracy site — www.macobserver.com/…
🇪🇺 The European Commission has announced 15 new bug bounty programs to reward researchers who find and responsibly disclose bugs in many popular free and open source apps — nakedsecurity.sophos.com/…
The Dutch consumer agency de Consumentenbond tested facial recognition technology on 110 phones (iPhones and Android phones), and found it could be easily fooled with a simple high-resolution photo on 42 of the tested Android devices. An additional six Android devices failed the test with their default settings, but could be configured to use stricter modes that could not be bypassed — nakedsecurity.sophos.com/…
The original report is in Dutch (as you’d expect from a Dutch agency), but you can find the 42 phones that failed the test completely listed under the heading Toestellen ontgrendeld met een foto (translation: devices unlocked with a photo), and those that failed in their default configuration but could be re-configured to be secure under the heading Toestellen ontgrendeld met een foto, maar met betere beveiliging (translation: devices unlocked with a photo, but with better security). Finally, for completeness, you’ll find the list of 57 devices that passed the test under the heading Toestellen die niet met een foto zijn te ontgrendelen (translation: devices that could not be unlocked with a photo), including all tested iPhones — www.consumentenbond.nl/…
🇺🇸 Research by Motherboard finds that US carriers are still selling customer location data (having promised to stop after a damaging exposé last June), and $300 is all it costs to buy the location of any given US cellphone — motherboard.vice.com/…
AT&T responded to this reporting by promising to stop selling user data (again), T-Mobile & Sprint also say they will stop, and Verizon said it stopped a long time ago — www.macobserver.com/…
The Intercept reports that employees in Ring’s research centre in Ukraine can bring up any video from any Ring doorbell with nothing more than the customer’s email address — theintercept.com/… & www.imore.com/…
We talked about how Ring announced in 2016 that HomeKit was coming (but it’s not here yet): blog.ring.com/…
Investigations by 9to5Mac have found that the popular parcel tracking app Parcels – Track Your Packages (not the even more popular app Parcel) recruits all devices running the app into what is effectively a single-purpose botnet for carrying out the work you would expect to be done on servers run by the developers. This is an interesting way for the company to avoid the expense of running servers, and paying for bulk access to APIs. It also comes at a privacy cost to users. The app exists for both iOS and Android, but 9to5Mac only tested the iOS version — 9to5mac.com/…
Contrary to what you may have heard, the privacy-protecting search engine DuckDuckGo is not using browser fingerprinting to track users — techcrunch.com/…
Research commissioned by the advocacy group Privacy International has found that 61% of the Android apps they tested reported usage stats to Facebook — nakedsecurity.sophos.com/…
News
⭐️ Research from security firm Trend Micro found that 85 apps downloaded more than 9 million times from the Google Play store contained adware — www.macobserver.com/…
⭐️ Researchers from the Foundation for Research and Technology in Greece and the University of Illinois have published a paper showing just how much can be inferred from the metadata belonging to a public Twitter feed, even when the owner is careful not to reveal sensitive information (they have a sense of humour, because they titled their paper ‘Please Forget Where I Was Last Summer: The Privacy Risks of Public Location (Meta)Data’) — nakedsecurity.sophos.com/…
A recent Planet Money episode looked at how insurance is providing the incentives for corporations to up their game when it comes to providing their staff with security training, and just how effective that can be: Planet Money Episode 886: The Price of a Hack — overcast.fm/…