Posts

Apple patches operating systems due to ‘no click’ spyware exploit

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360


In mid-September, Apple was forced to issue an emergency security update for its iPhone, iPad, Mac, and Watch operating systems after being alerted to a “no click” exploit allegedly tied to the Pegasus surveillance software distributed by the Israeli company NSO Group.

The Citizen Lab, a Canadian human rights and security advocacy group, alerted Apple to the exploit, dubbed FORCEDENTRY. The exploit targeted Apple’s image rendering library, which was found on the phone of a Saudi activist that Citizen Lab examined back in March. The exploit uses “maliciously crafted” PDF files that could lead to “arbitrary code execution,” Apple said in a security bulletin .

The “no click” designation by Citizen Lab means Apple users don’t need to open the PDF sent to them for the spyware to infect their devices. Instead, Pegasus gives attackers “virtually unfettered access to the victim’s device, where it can monitor messages, listen in on calls, activate the camera, and more,” said Daniel Markuson, a digital privacy expert at NordVPN .

The Citizen Lab spearheaded recent reporting on the NSO Group’s surveillance software, with news stories in July saying the company’s military-grade Pegasus product had been used to spy on business executives, journalists, human rights advocates, and government officials. NSO Group has disputed the reporting, saying it sells the software to governments to fight crime and terrorism.

But with some NSO customers using the software to spy on other people, several security experts urged Apple users to update their devices immediately.

“These new accusations bring a heightened sense of concern among privacy activists that no smartphone user, even those using software like WhatsApp or Signal, is safe from their privacy being infringed upon,” Markuson told the Washington Examiner. “Cyber-tech surveillance can be a real threat from both individuals and institutions, and this situation with NSO Group is only bringing this long-lasting issue into the limelight.”

Pegasus illustrates the importance of comprehensive mobile security efforts at an organization, added Hank Schless, senior…

Source…

Norton Internet Security 2014 (v21) test and review



Urgent iPhone update issued after spyware discovered that gives hackers access

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360


Apple on Monday advised all users to update their devices after researchers warned that the Israeli spyware company NSO Group had developed a way to take control over nearly any Apple computer, watch or iPhone.

“It’s absolutely terrifying,” said John Scott-Railton, a senior researcher at The Citizen Lab, which recently discovered the software exploit and notified Apple about it. The group published a report about it Monday.

The malicious software takes control of an Apple device by first sending a message through iMessage, the company’s default messaging app, and then hacking through a flaw in how Apple processes images. It is what’s known in the cybersecurity industry as a “zero-click” exploit — a particularly dangerous and pernicious flaw that doesn’t require a victim clicking a link or downloading a file to take over.

People whose devices have been exploited are extremely unlikely to realize they’ve been hacked, Scott-Railton said.

“The user sees crickets while their iPhone is silently exploited,” he said. “Someone sends you a GIF that isn’t, and then you’re in trouble. That’s it. You don’t see a thing.”

As is often the case with NSO Group hacking, the newly discovered exploit is both technologically remarkable but likely only used on people specifically targeted by governments who use the company’s software.

NSO Group creates surveillance and hacking software that it leases to governments to spy on individuals’ computers and smartphones. For years, it has insisted that its primary product, Pegasus, is a vital tool to stop terrorists and other criminals, and that it merely leases its technology to legitimate governments in accordance with their own laws. It has also insisted it can’t be used to target Americans’ phones, and that it revokes usage from countries that misuse its products.

But Citizen Lab, a cybersecurity research center at the University of Toronto, has repeatedly found instances of Pegasus software used against journalists in Mexico who investigated cartels and Saudi Arabian dissidents, including associates of the slain Washington Post columnist Jamal Khashoggi.

In an emailed statement, an NSO spokesperson said…

Source…

Apple patches security flaw that leaves users vulnerable to spyware

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360


NSO’s Pegasus was in July linked to phones belonging to dozens of journalists, human rights activists and politicians, according to an investigation by a consortium of newspapers. Civil rights activists say the software – which requires an Israeli government licence for export because it is viewed as a weapon – can be used for unlawful surveillance, not just by certain governments to target terrorists and criminals.

In a statement, the company said: “NSO Group will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”

Chat apps a weak link

Citizen Lab said its discovery of another previously unknown vulnerability on Apple hardware “illustrates that companies … are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.”

Apple said it was issuing the patch because “processing a maliciously crafted PDF may lead to arbitrary code execution”. It said it was “aware of a report that this issue may have been actively exploited”.

Separately, Ivan Krstic, head of security engineering and architecture at Apple, said in a statement that “attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals”, adding that they were “not a threat to the overwhelming majority of our users”.

Nevertheless, the revelation could further dent the image of iOS as a more secure operating system than Android. Apple has long emphasised that no system can be 100 per cent secure from hackers.

Citizen Lab said chat apps in particular had become “a major target for the most sophisticated threat actors, including nation-state espionage operations and the mercenary spyware companies that service them”.

Financial Times

Source…