The (In)Security Behind Trump's Twitter Account

According to an investigation of President Trump’s Twitter security, his account might be vulnerable to being hacked, although some disagree.

The source who shared information about Trump’s Twitter security said they don’t believe the account will be hacked, but that the risk should be kept in perspective. “Remember we are talking about access to a Twitter account, not access to the nuclear launch codes,” they said. “While the optics would be bad if the account were ever hacked, it would not be a national crisis.”

iMessage and Safari Make iPhones Less Secure

Andy Greenberg writes about security problems in iMessage and Safari, saying that these products make the iPhone less secure.

“If you want to compromise an iPhone, these are the best ways to do it,” says independent security researcher Linus Henze of the two apps…He and other iOS researchers argue that when it comes to the security of both iMessage and WebKit—the browser engine that serves as the foundation not just of Safari but all iOS browsers—iOS suffers from Apple’s preference for its own code above that of other companies.

Apple is in a tough position. If a company isn’t great at security, it could get a third party to audit its software. But that would create a huge target.

Researchers Test Phones to See if They're Secretly Listening

Researchers put an iPhone and a Samsung phone into a room, playing cat and dog food advertising for 30 minutes.

The security specialists kept apps open for Facebook, Instagram, Chrome, SnapChat, YouTube, and Amazon with full permissions granted to each platform…They repeated the experiment at the same time for three days, and noted no relevant pet food adverts on the “audio room” phones and no significant spike in data or battery usage.

The results won’t surprise those in the information security industry who’ve known for years that the truth is that tech giants know so much about us that they don’t actually need to listen to our conversations to serve us targeted adverts.

For some people, maybe the belief that phones secretly spy on us is less terrifying than learning how much data these corporations actually have on us.

French Police Defeat Retadup Botnet Infecting 850,000 Computers

French police have defeated a botnet that infected over 850,000 computers. It was created with the Retadup malware. With the help of a web host, they cloned the command & control server and used it to disinfect the zombie computers.

“The malware authors were mostly distributing cryptocurrency miners, making for a very good passive income,” the security company said. “But if they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits.”

Using Two-Factor Authentication on Old Apple Devices

Glenn Fleishman has a good tip on how to use Apple’s two-factor authentication on older devices that don’t support it.

But 2FA and outdated versions of Apple TV, iOS, and macOS don’t mix. You try to log in on those devices with your Apple ID and popups with codes may appear on other devices, but there’s no way to enter it on the piece of equipment from which you’re trying to log in. Fortunately, there’s a simple workaround.

I always forget about the manual method.

News+: Don't Give Money to Ransomware Scammers

In the latest issue of PCMag, Max Eddy writes that you shouldn’t give money to ransomware attackers when they ask.

First, most cyberattacks—including ransomware—don’t last long. The command and control servers that issue the unlock commands and receive payment can be found and taken offline…In either case, anyone who has been infected and not paid the ransom can no longer get their system unlocked, even if they pay.

This is why keeping several backups is important, one online, one offline. And keep your operating system up to date with the latest security patches and improvements.

This is part of Andrew’s News+ series, where he shares a magazine every Friday to help people discover good content in Apple News+.

Online Payment Integrations Can Introduce Vulnerabilities

At Black Hat 2019, researcher Joshua Maddux found that security vulnerabilities can arise when websites add online payment integrations like Apple Pay. To be clear, he says it’s not an issue with Apple Pay itself, but rather with how websites add it. And other third-party integrations can be similarly affected.

The flaws fit into a well-known type of vulnerability called “server side request forgery,” which allows attackers to bypass protections like firewalls to directly send commands to web applications. These vulnerabilities pose a real threat, and are regularly exploited in the wild. Most recently, they played a role in last month’s massive Capital One breach. Similarly, flexibility in how a website integrates Apple Pay potentially exposes its own backend infrastructure to unauthorized access.
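
As an added illustration (not code from Maddux's talk or from the quoted article), here is the kind of check a site can apply before its server fetches a URL handed to it during a payment integration. The allowlisted host `payments.provider.example` and the injected `resolve` function are assumptions made for this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this server should ever call during
# payment-session setup. Use the endpoints your provider documents.
ALLOWED_HOSTS = {"payments.provider.example"}


def is_safe_outbound_url(url, resolve):
    """Return (ok, reason) for a client-supplied URL the server is asked to fetch.

    `resolve` maps a hostname to a list of IP strings. It is injected so the
    addresses that were checked can also be the ones the server connects to.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "credentials in URL"  # blocks allowed-name@other-host tricks
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:  # exact match, never a substring or suffix test
        return False, "host not on allowlist"
    if port not in (None, 443):
        return False, "unexpected port"
    # Defence in depth: an allowlisted name must still not resolve inward.
    for addr in resolve(host):
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


# Constructed sample inputs: (URL, addresses the resolver would return).
SAMPLES = [
    ("https://payments.provider.example/session", ["93.184.216.34"]),
    ("http://payments.provider.example/session", ["93.184.216.34"]),
    ("https://10.0.0.5/admin", ["10.0.0.5"]),
    ("https://payments.provider.example@10.0.0.5/", ["10.0.0.5"]),
    ("https://payments.provider.example.other.example/", ["93.184.216.34"]),
    ("https://payments.provider.example/session", ["10.0.0.5"]),
]

if __name__ == "__main__":
    for url, addrs in SAMPLES:
        print(url, "->", is_safe_outbound_url(url, lambda host, a=addrs: a))
```

Only the first sample passes; the others are rejected for scheme, host, embedded credentials, look-alike domain and inward-pointing DNS respectively.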

Researchers Spoof Face ID Using Tape and Glasses

During the Black Hat 2019 conference, researchers demonstrated a way to spoof Face ID using nothing more than glasses and tape.

To launch the attack, researchers with Tencent tapped into a feature behind biometrics called “liveness” detection, which is part of the biometric authentication process that sifts through “real” versus “fake” features on people. It works by detecting background noise, response distortion or focus blur. One such biometrics tool that utilizes liveness detection is FaceID, which is designed and utilized by Apple for the iPhone and iPad Pro.

Microsoft Launches Azure Security Lab and Doubles Bug Bounty

At Black Hat 2019 today, Microsoft launched the Azure Security Lab and doubled its top Azure bug bounty to US$40,000.

The Azure Security Lab takes the idea to the next level. It’s essentially a set of dedicated cloud hosts isolated from Azure customers so security researchers can test attacks against cloud scenarios. The isolation means researchers can not only research vulnerabilities in Azure, they can attempt to exploit them.

The Azure Security Lab isn’t open to the public — you have to apply. Microsoft is promising quarterly campaigns for targeted scenarios with added incentives, including exclusive swag. Security researchers will also be able to engage directly with Azure security experts.

Jamf Gets Native Mac Security With Digita Security

Enterprise Mac company Jamf has acquired Digita Security, bringing native Mac security to its platform.

Digita, a two-year-old startup, was founded by a team of security experts led by Patrick Wardle, whose background includes a decade as a Mac security researcher, seeking out vulnerabilities on the Mac, and time at the NSA where he honed his security research skills.

Patrick makes a lot of great Mac tools with Objective-See that I recommend.