Google's Project Zero Finds 6 iOS 'Interactionless' Bugs

Google’s security team Project Zero recently found six “interactionless” iOS bugs. If sold on the black market they would be worth over US$5 million.

According to the researcher, four of the six security bugs can lead to the execution of malicious code on a remote iOS device, with no user interaction needed. All an attacker needs to do is to send a malformed message to a victim’s phone, and the malicious code will execute once the user opens and views the received item.

The fifth and sixth bugs, CVE-2019-8624 and CVE-2019-8646, can allow an attacker to leak data from a device’s memory and read files off a remote device, also with no user interaction.

Capital One Hack Affects Credit Card Customers

On July 19 Capital One discovered it had been hacked. The FBI arrested the hacker, but 100 million U.S. customers are affected.

The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

What angers me the most about this is the fact that I had to read the news to learn what happened. As a Capital One customer I feel I should’ve been notified by email. Customers affected by this will get an email but I want a notification email as well. Maybe I’ll get five bucks like those affected by Equifax.

William Barr Wants You to Accept Encryption Backdoor Security Risks

U.S. Attorney General William Barr suggested that Americans should just accept encryption backdoor security risks (via TechCrunch).

Encryption Backdoor Risks

In a speech today, William Barr called on tech companies to help the federal government to access devices with a lawful order. In other words, ignore the security risks and put a backdoor into their…

NSO Group Tool Harvests Targeted iCloud Data

Israel-based NSO Group claims it can harvest iCloud data in targeted attacks. It’s said to be a version of the Pegasus spyware.

Attackers using the malware are said to be able to access a wealth of private information, including the full history of a target’s location data and archived messages or photos, according to people who shared documents with the Financial Times and described a recent product demonstration.

When questioned by the newspaper, NSO denied promoting hacking or mass-surveillance tools for cloud services, but didn’t specifically deny that it had developed the capability described in the documents.

Keeper Password Manager 1-Year Subscription: $19.99

We have a deal on Keeper, a password manager for iOS, Mac, Android, Windows, and Linux. With Keeper’s password manager and vault, you can generate, store, and AutoFill strong passwords on all devices while securely storing private documents. It also supports multiple forms of 2FA, including TOTP, SMS, Touch ID, Face ID, and U2F security keys (e.g. YubiKey). A one-year subscription is $19.99 through our deal.

iOS 13 Password Bug Gives Unauthenticated Access in Settings

An iOS 13 password bug was discovered in the latest betas that gives unauthenticated access to Website & App Passwords in Settings.

As detailed by iDeviceHelp on YouTube, you can access all of the saved usernames and passwords in Settings by repeatedly tapping the “Website & App Passwords” menu and avoiding the Face ID or Touch ID prompt. After several tries, iOS 13 will show all of your passwords and logins, even if you never successfully authenticated with Face ID or Touch ID.

I haven’t been able to replicate the issue, but I’ll keep trying to see.

OpenID Foundation Publishes Letter about Sign in With Apple

The OpenID Foundation published an open letter to Craig Federighi regarding Sign in With Apple. Although the foundation praised Apple for the initiative, it worries that the implementation strays too far from OpenID Connect and exposes users to security and privacy risks.

The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks. It also places an unnecessary burden on developers of both OpenID Connect and Sign In with Apple. By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software.

News+: How to Stay Safe and Secure Online

In the latest issue of Mac Format magazine, Adam Banks writes a guide on how to stay safe online. The guide is in the PDF version of the issue, on page 66.

Using a Mac makes you safer than average when going online. That’s partly because of Apple’s efforts to secure the operating system; partly because the Mac App Store gives you somewhere to get most of your third-party software safely. It’s also partly because bad actors – in the security industry sense, not the Hollyoaks sense – tend to be less interested in targeting macOS. But that doesn’t mean either you or your Mac can’t get fooled. Know your way around the common risks and basic protections to keep yourself out of harm’s way.

This is part of Andrew’s News+ series, where he shares a magazine every Friday to help people discover good content in Apple News+.

Openly Operated Wants to Improve Privacy Policies

Openly Operated is a certification for apps and services. The certification process ensures that they live up to their privacy and security claims with an audit.

An OO-certified app or site must meet three criteria. First, it needs to demonstrate “a basic level of transparency” by making its code and infrastructure — among other things — public and fully documented. Second, it needs to lay out its policy in the form of “claims with proof,” establishing what user data is collected, who can access it, and how it’s being protected. Third, those claims must be evaluated by an OO-certified auditor who then makes the audit results public.

I’ve complained about privacy policies before, and this sounds like a great idea. I hope it gets traction.