Lit Apple Mac, iPhone, iPad User Group

TikTok privacy policy now says app will collect ‘faceprints and voiceprints’

A change to TikTok’s U.S. privacy policy on Wednesday introduced a new section that says the social video app “may collect biometric identifiers and biometric information” from its users’ content. This includes things like “faceprints and voiceprints,” the policy explained. Reached for comment, TikTok could not confirm what product developments necessitated the addition of biometric data to its list of disclosures about the information it automatically collects from users, but said it would ask for consent in the case such data collection practices began.

The biometric data collection details were introduced in the newly added section, “Image and Audio Information,” found under the heading of “Information we collect automatically” in the policy.

This is the part of TikTok’s Privacy Policy that lists the types of data the app gathers from users, which was already fairly extensive.

The first part of the new section explains that TikTok may collect information about the images and audio that are in users’ content, “such as identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, the nature of the audio, and the text of the words spoken in your User Content.”

While that may sound creepy, other social networks do object recognition on images you upload to power accessibility features (like describing what’s in an Instagram photo, for example), as well as for ad targeting purposes. Identifying where a person and the scenery is can help with AR effects, while converting spoken words to text helps with features like TikTok’s automatic captions.

The policy also notes that this part of the data collection is for enabling “special video effects, for content moderation, for demographic classification, for content and ad recommendations, and for other non-personally-identifying operations.”

The more concerning part of the new section references a plan to collect biometric data.

It states:

We may collect biometric identifiers and biometric information as defined under US laws, such as faceprints and voiceprints, from your User Content. Where required by law, we will seek any required permissions from you prior to any such collection.

The statement itself is vague, as it doesn’t specify whether it’s considering federal law, state laws, or both. It also doesn’t explain, as the other part did, why TikTok needs this data. It doesn’t define the terms “faceprints” or “voiceprints.” Nor does it explain how it would go about seeking the “required permissions” from users, or whether it would look to state or federal laws to guide that process of gaining consent.

That’s important because as it stands today, only a handful of U.S. states have biometric privacy laws, including Illinois, Washington, California, Texas and New York. If TikTok only requested consent, “where required by law,” it could mean users in other states would not have to be informed about the data collection.

Reached for comment, a TikTok spokesperson could not offer more details on the company’s plans for biometric data collection or how it may tie in to either current or future products.

“As part of our ongoing commitment to transparency, we recently updated our Privacy Policy to provide more clarity on the information we may collect,” the spokesperson said.

The company also pointed to an article about its approach to data security, TikTok’s latest Transparency Report and the recently launched privacy and security hub, which is aimed at helping people better understand their privacy choices on the app.

The biometric disclosure comes at a time when TikTok has been working to regain the trust of some U.S. users.

Under the Trump administration, the federal government attempted to ban TikTok from operating in the U.S. entirely, calling the app a national security threat because of its ownership by a Chinese company. TikTok fought back against the ban and went on record to state it only stores TikTok U.S. user data in its U.S. data centers and in Singapore.

It said it has never shared TikTok user data with the Chinese government nor censored content, despite being owned by Beijing-based ByteDance. And it said it would never do so, if asked.

Though the TikTok ban was initially stopped in the courts, the federal government appealed the rulings. But when President Biden took office, his administration put the appeal process on hold as it reviewed the actions taken by his predecessor. And although Biden has, as of today, signed an executive order to restrict U.S. investment in Chinese firms linked to surveillance, his administration’s position on TikTok remains unclear.

It is worth noting, however, that the new disclosure about biometric data collection follows a $92 million settlement in a class action lawsuit against TikTok, originally filed in May 2020, over the social media app’s violation of Illinois’ Biometric Information Privacy Act. The consolidated suit included more than 20 separate cases filed against TikTok over the platform’s collection and sharing of the personal and biometric information without user consent. Specifically, this involved the use of facial filter technology for special effects.

In that context, TikTok’s legal team may have wanted to quickly cover themselves from future lawsuits by adding a clause that permits the app to collect personal biometric data.

The disclosure, we should also point out, has only been added to the U.S. Privacy Policy, as other markets like the EU have stricter data protection and privacy laws.

The new section was part of a broader update to TikTok’s Privacy Policy, which included other changes both large and small, ranging from corrections of earlier typos to revamped or even entirely new sections. Most of these tweaks and changes could be easily explained, though — like new sections that clearly referenced TikTok’s e-commerce ambitions or adjustments aimed at addressing the implications of Apple’s App Tracking Transparency on targeted advertising.

In the grand scheme of things, TikTok still has plenty of data on its users, their content and their devices, even without biometric data.

For example, TikTok policy already stated it automatically collects information about users’ devices, including location data based on your SIM card and IP addresses and GPS, your use of TikTok itself and all the content you create or upload, the data you send in messages on its app, metadata from the content you upload, cookies, the app and file names on your device, battery state and even your keystroke patterns and rhythms, among other things.

This is in addition to the “Information you choose to provide,” which comes from when you register, contact TikTok or upload content. In that case, TikTok collects your registration info (username, age, language, etc.), profile info (name, photo, social media accounts), all your user-generated content on the platform, your phone and social network contacts, payment information, plus the text, images and video found in the device’s clipboard. (TikTok, as you may recall, got busted by Apple’s iOS 14 feature that alerted users to the fact that TikTok and other apps were accessing iOS clipboard content. Now, the policy says TikTok “may collect” clipboard data “with your permission.”)
 
Apple Card Issue Prevents Some Users From Making In-Store Purchases

Apple is experiencing an issue with its credit card that's preventing some users from making in-store purchases


Some users of Apple's in-house credit card may be experiencing issues as of Monday morning.

Apple reported an issue with the card as of 3:30 a.m. Monday that is preventing some users from making in-store purchases. It appears that the issue is affecting those who use the card via Apple's digital wallet service, Apple Pay, rather than the physical credit card.

It's unclear how widespread the issue is or when it will be resolved. An Apple spokesperson did not immediately respond to Insider's request for comment.

Apple unveiled the card, its first foray into physical credit cards, in March 2019. While Apple does offer a white, titanium credit card that can be used in stores, there's also a digital version of the card that's meant to be used at merchants that accept Apple Pay.

Apple has touted the card's lack of hidden fees or late-payment fees, as well as a rewards program that offers cardholders 2% cash back when they use Apple Pay and 3% back on purchases made on the App Store or iTunes. Apple has also highlighted the card's baked-in security: it comes with multiple credit card numbers in the event your card is compromised, and the physical version of the card is free of numbers altogether.

Because the Apple Card lives entirely in a virtual wallet, it offers both simplicity and an over-dependence on your iPhone, according to reviews of the card. The Wallet app allows users to easily track their spending and pay off their balance, but it also means you're locked into the Apple ecosystem more than ever.
 
Apple confirms some Card users currently unable to make in-store purchases [Ongoing]

Apple confirms some Apple Card users are currently unable to make in-store purchases [Ongoing]



After seeing an Apple Card outage earlier this month that affected all users, the credit card is seeing downtime again this morning which is preventing some from using it for in-store purchases.

Update 6/15 5:00 am PT: The Apple Card downtime is continuing for a second day.

Update 2:15 pm PT: Apple is still working on a fix.

Update 10:30 am PT: The downtime is still ongoing.



Today’s Apple Card outage is more minor than the one we saw two months ago. But the company has confirmed on its System Status page that Apple Card via Apple Pay isn’t working for some in stores.

Some users may not be able to make in-store purchases with Apple Card using Apple Pay.

That means using the physical card, whether by chip or by swipe, should work for in-store purchases, and Apple Card via Apple Pay online and in apps should be fine as well.

The outage has been going on since 12:30 am PT / 3:30 am ET. We’ll update this post as the issue is worked on and resolved.

The previous Apple Card outage that took the credit card down completely for all users lasted about six hours. Hopefully this one will be resolved more quickly.

 
Apple confirms some Apple Card users currently unable to make in-store purchases [Fixed]


Update 6/16 3:41 am PT: Fixed!

6/15 2:15 pm PT: Nope.

6/15 12:45 pm PT: Not solved yet.

6/15 8:50 am PT: Fix still in the works.

6/15 5:00 am PT: Still down.

6/14 2:15 pm PT: Apple is still working on a fix.

6/14 10:30 am PT: The downtime is still ongoing.


 
iCloud Calendar spam continues to impact users, despite Apple’s multiple fixes

iCloud Calendar spam has been a problem for many users since 2016 and earlier, and Apple has made a handful of changes and improvements to remedy the situation. Despite Apple’s best efforts, however, the problem continues to affect iCloud users, and it’s once again receiving widespread attention.

There are multiple ways spam calendars have been delivered to users over the years. For instance, we previously covered how iCloud users were receiving spam Calendar and Photo Sharing invitations. As we wrote then:

Essentially what happens in these instances is an iCloud user will receive a request for either a Calendar event or to view/share an iCloud Photo Sharing album or image. The issue with this type of spam is that, even if the user hits “Decline,” it informs the spammer that the account is active and thus encourages them to continue sending the spam.

So, if you receive a Calendar invite that’s spam and simply choose the “Decline” option, the problem won’t go away. In fact, it’s likely to increase because the spammer knows that the account is active.

Calendar spam is also commonly distributed through pop-ups on shady websites. A new thread on Reddit this week has garnered nearly 5,000 upvotes and is calling on Apple to roll out additional protections against these pop-ups. This thread is what’s put the Calendar spam problem back in the spotlight once again.

In many instances, this is a simple pop-up that will appear as a Safari dialog box when you visit certain websites. The pop-up simply asks whether you would like to add a rogue calendar subscription, and apparently many people simply tap “OK” to move on to the next screen and continue to load the web page.

Apple really needs to do something about these calendar scams. pic.twitter.com/BIVS0EIWpf

— ✦ (@bieberfluid) June 20, 2021

Apple’s solution

The problem of calendar spam on iPhone has become so widespread that Apple has even published a video on YouTube on how to remove calendar spam. Apple says you should:

How to remove calendar spam on your iPhone — Apple Support (0:39)
https://www.youtube.com/watch?v=FgKO3Ed9-Bs

  1. Open the Calendar app

  2. Tap a spam event

  3. Look for the “Unsubscribe from this Calendar” button at the bottom


Doing this will automatically remove all other spam events from that specific calendar from your iPhone. You’ll need to repeat the process, however, if you’ve managed to subscribe to multiple spam calendars. This process is significantly easier than it used to be, indicating that Apple is aware of the problem and working to make changes.

Apple also rolled out a new “Report Junk” button to iCloud Calendars, which helps users remove unwanted junk from their calendars. Apple’s efforts, however, have focused mainly on iCloud calendar invite spam, rather than spam and junk calendar events added because of Safari pop-ups.

The best thing you can do, however, is to always read pop-up notifications in Safari thoroughly rather than clicking through to load webpages as quickly as possible.
 
1 of 2 - Apple's Newest Retail Location Opens Thursday in an Iconic LA Theater

Get an early look inside Apple's newest store that's opening in an iconic theater after a meticulous 3-year renovation effort



Apple offered an early look at its newest retail store location at the historic Tower Theater in downtown Los Angeles before it opens to the public on Thursday.

The project was first announced almost three years ago, and the renovation involved manually removing layers of paint and delicately restoring architectural features that are nearly a century old.

"At every corner, Los Angeles bursts with creativity across the arts, music, and entertainment, and we are thrilled to build on our relationship with this special city," Apple's senior vice president of Retail + People, Deirdre O'Brien, said in a statement. "Apple Tower Theatre honors the rich history and legacy of this entertainment capital."

First opened in 1927, the Tower Theater was the first to offer such modern features as motion pictures with sound, and "manufactured weather," also known as air conditioning.

Renowned motion-picture theater architect S. Charles Lee designed the space, including several cinematic and classically inspired flourishes.

The theater closed in 1988 and was largely unused apart from serving as a set for films like Coyote Ugly and The Gangster Squad.

The theater's original seats were removed for one production years ago, and now the main floor is home to Apple's latest gadgets.
 
2 of 2 - Apple's Newest Retail Location Opens Thursday in an Iconic LA Theater

The design team used techniques like laser modeling and forensic paint analysis to document and restore every inch of the building.

Each pane of stained glass and every crystal of the chandelier was individually removed and cleaned before being reassembled.

A presentation screen in the event area is reminiscent of the theater's original function...

...and the upper balcony now serves as a Genius Bar for personalized help.

Apple declined to share the total cost of the project, but several other theater renovations easily topped $30 million.

The store opens to customers at 10am on Thursday, June 24.
 
PSA: Western Digital My Book Live drives maliciously erased; disconnect them from web

PSA: Western Digital My Book Live drives being maliciously erased; disconnect them from internet



WD My Book NAS devices are being remotely wiped clean worldwide

Help! All data in mybook live gone and owner password unknown


Western Digital My Book NAS owners worldwide found that their devices have been mysteriously factory reset and all of their files deleted.

WD My Book is a network-attached storage device that looks like a small vertical book that you can stand on your desk. The WD My Book Live app allows owners to access their files and manage their devices remotely, even if the NAS is behind a firewall or router.

Today, WD My Book owners worldwide suddenly found that all of their files were mysteriously deleted, and they could no longer log into the device via a browser or an app.

When they attempted to log in via the Web dashboard, the device stated that they had an "Invalid password."

"I have a WD My Book Live connected to my home LAN and it worked fine for years. I have just found that somehow all the data on it is gone today, while the directories seem to be there but empty. Previously the 2T volume was almost full but now it shows full capacity," a WD My Book owner reported on the Western Digital Community Forums.

"The even stranger thing is when I try to log into the control UI for diagnosis I was only able to get to this landing page with an input box for “owner password”. I have tried the default password “admin” and also what I could set for it with no luck."


Password no longer working in My Book Live
Source: WD Forum


My Book devices issued a factory reset command

After further owners confirmed that their devices suffered the same issue, owners reported that the My Book logs showed the devices had received a remote command to perform a factory reset, starting at around 3 PM yesterday and continuing through the night.

"I have found this in user.log of this drive today:
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive _: pkg: wd-nas
Jun 23 16:02:30 My BookLive _: pkg: networking-general
Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 My BookLive _: pkg: date-time
Jun 23 16:02:31 My BookLive _: pkg: alerts
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api
I believe this is the culprit of why this happens… No one was even home to use this drive at this time…"
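The log excerpt above is enough to build a simple check. The following Python script is an added example, not Western Digital's code and not something from the forum post: it parses My Book Live user.log lines in the syslog layout shown (month, day, time, the hostname "My BookLive" with its embedded space, then program and message), flags every run of factoryRestore.sh, and notes whether the reboot and the post-reset package provisioning follow it. The sample lines are the quoted excerpt transcribed as input; the script name and log layout are taken from that excerpt, not from WD documentation.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Syslog-style lines as written by the My Book Live. There is no year field,
# and the default hostname "My BookLive" contains a space, so the hostname is
# matched non-greedily up to the last token before the "program:" separator.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>.+?) (?P<prog>\S+): ?(?P<msg>.*)$"
)

# Sample input: the user.log excerpt quoted in the forum post above, one entry
# per line. It is a transcription for this example, not a live capture.
SAMPLE_LOG = """\
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive _: pkg: wd-nas
Jun 23 16:02:30 My BookLive _: pkg: networking-general
Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 My BookLive _: pkg: date-time
Jun 23 16:02:31 My BookLive _: pkg: alerts
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api
""".splitlines()

RESET_SCRIPT = "factoryRestore.sh"       # the script named in the wiped owners' logs
MOUNT_SCRIPT = "S15mountDataVolume.sh"   # data volume mounted again after the reboot


@dataclass
class Entry:
    stamp: str   # "Jun 23 15:14:05" (syslog carries no year)
    host: str
    prog: str    # program name with any "[pid]" suffix removed
    msg: str


@dataclass
class Finding:
    stamp: str
    host: str
    reason: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one user.log line; return None for lines that are not log entries."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    prog = re.sub(r"\[\d+\]$", "", m["prog"])
    return Entry(f"{m['mon']} {m['day']} {m['time']}", m["host"], prog, m["msg"])


def find_factory_resets(lines: Iterable[str]) -> List[Finding]:
    """Report every factoryRestore.sh run, noting whether the log then shows the
    reboot and the post-reset package provisioning seen on the wiped devices."""
    entries = [e for e in (parse_line(l) for l in lines) if e is not None]
    findings: List[Finding] = []
    for i, e in enumerate(entries):
        if e.prog != RESET_SCRIPT:
            continue
        later = entries[i + 1:]
        reason = f"{RESET_SCRIPT} executed"
        if any(x.prog == "shutdown" for x in later):
            reason += "; followed by shutdown for reboot"
        if any(x.prog == MOUNT_SCRIPT for x in later):
            reason += "; data volume remounted afterwards"
        pkgs = [x.msg.split("pkg: ", 1)[1] for x in later if x.msg.startswith("pkg: ")]
        if pkgs:
            reason += f"; {len(pkgs)} packages re-provisioned ({', '.join(pkgs)})"
        findings.append(Finding(e.stamp, e.host, reason))
    return findings


if __name__ == "__main__":
    for f in find_factory_resets(SAMPLE_LOG):
        print(f"[{f.stamp}] {f.host}: {f.reason}")
```

Run it against a copy of user.log pulled from an affected device (replace SAMPLE_LOG with the file's lines). A factoryRestore.sh entry at a time when nobody was using the device is the indicator the affected owners reported. Syslog lines carry no year, so correlate the stamp with the device's clock before trusting it.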

Unlike QNAP devices, which are commonly connected directly to the Internet and exposed to attacks such as the QLocker ransomware, Western Digital My Book devices are kept behind a firewall and communicate through the My Book Live cloud servers to provide remote access.

Some users have expressed concerns that Western Digital's servers were hacked to allow a threat actor to push out a remote factory reset command to all devices connected to the service.

If a threat actor wiped devices, it is strange as no one has reported ransom notes or other threats, meaning the attack was simply meant to be destructive.

Some users affected by this attack have reported success recovering some of their files using the PhotoRec file recovery tool.

Unfortunately, other users have not had as much success.

If you own a WD My Book Live NAS device, Western Digital strongly recommends that you disconnect the device from the Internet.

"At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device," Western Digital said in an advisory.


Unpatched vulnerability believed to be behind attacks

Western Digital told BleepingComputer that they are actively investigating the attacks but do not believe it was a compromise of their servers.

"Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available." - Western Digital

Western Digital further told BleepingComputer that they believe the devices were compromised using an unpatched vulnerability after they were connected directly to the Internet.

The WD My Book Live devices received their final firmware update in 2015.

Since then, a remote code execution vulnerability tracked as CVE-2018-18472 was disclosed along with a public proof-of-concept exploit.

It is believed that a threat actor performed a mass scan of the Internet for vulnerable devices and used this vulnerability to issue the factory-reset command.
 
Apple Tower Theatre premieres: Experience the reimagined Los Angeles landmark

This is so typical of Apple: competent and cool. Thanks!


That's nothing. Check this out. Michael Steeber did a pretty good job with the website



Apple Tower Theatre celebrated its grand opening Thursday in Los Angeles. The new store marks the completion of an extensive historic restoration project and the first Apple Store downtown.

In the Broadway Theater District, Apple worked for years with preservation experts, restoration artists, and the City of Los Angeles to reimagine and reactivate the historic Tower Theatre at 8th and Broadway streets.

Apple Tower Theatre recalls the original splendor of the gilded movie palace era, blending thoughtful preservation with cutting edge technology. The new store offers an experience like none before it and will become one of Apple’s most significant flagship stores.

To celebrate the grand opening of Apple Tower Theatre, Apple launched Today at Apple Creative Studios – LA, an initiative to connect underrepresented youth with creative resources.

Grab a seat and tap the button below to go inside and explore Apple Tower Theatre.

Explore The Store
https://www.towertheatre.store/



 
Snapchat Aware of Latest App Store Update Causing App Crash, Promises Fix Soon

Snapchat's support account today confirmed on Twitter that its latest App Store update, pushed less than one day ago, is causing widespread issues for users, specifically causing the app to crash a few seconds after launch.


The latest App Store update, version 11.34.05.45, is listed as a normal update with bug fixes, but it has caused widespread crashes for users. Over the last few hours, Twitter has been bombarded with users reporting the issue, with no fix currently available. Snapchat, at the time of writing, has not yet pulled the update and says it is working on a fix. The fix will likely come in the form of a new App Store version.

Snapchat users on previous versions of Snapchat for iOS should be clear of any app crashes. For users impacted by the latest update, be sure to keep the app up to date by periodically checking the App Store for any updates or by enabling automatic App Store updates within Settings.
 
Update 5:15 pm PT: Snapchat says this issue has been fixed and that users should manually update their Snapchat application through the App Store.
.
 
700 Million LinkedIn Records For Sale on Hacker Forum

700 Million LinkedIn Records Leaked in Recent Data Breach


Things are not looking good for LinkedIn right now. Just two months after a jaw-dropping 500 million profiles from the networking site were put up for sale on a popular hacker forum, a new posting with 700 million LinkedIn records has appeared.

The seller, “GOD User” TomLiner, stated they were in possession of the 700 million records on June 22 2021, and included a sample of 1 million records on RaidForums to prove their claims. Our researchers have viewed the sample and can confirm that the damning records include information such as full names, gender, email addresses, phone numbers, and industry information.

We reached out to LinkedIn for verification and received an official statement from Leonna Spilman:

“While we’re still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members’ privacy is protected.”

Update: Since alerting LinkedIn of the posting on the hacker forum, the company released a second statement on June 29th 2021, saying, “We want to be clear that this is not a data breach and no private LinkedIn member data was exposed.”


Is the data the same as from the previous LinkedIn leak?

According to a statement from LinkedIn, the previous data leak contained an “aggregation of data from a number of websites and companies” as well as “publicly viewable member profile data.” However, it was not technically a breach, since no private information was stolen.


What this leak means for LinkedIn users

The leaked information poses a threat to affected LinkedIn users. With details such as email addresses and phone numbers made available to buyers online, individuals could become the target of spam campaigns, or worse still, victims of identity theft.

Even though the records don’t appear to contain any information such as credit card details or private messages, expert hackers may still be able to track down sensitive data through just an email address. LinkedIn users could also be on the receiving end of email or telephone scams that trick them into sharing sensitive credentials or transferring large amounts of money.

Brute force attacks are also something that LinkedIn users affected by the leak will need to be aware of. Using email addresses provided in the records, hackers may attempt to access users’ accounts using various combinations of common password characters.

Finally, targeted advertising towards specific users becomes much more probable thanks to this list. With information about users’ jobs and gender, companies can more easily market their products to individuals.


What to do if you are part of the leak

Although password and email address combinations are not a part of this recent leak, it is a good idea to secure your LinkedIn account by updating your password and passwords for your other online accounts. Enabling two-factor authentication will also help prevent brute force attacks, which are a likely result of this recent data leak.

You can also check whether or not your email address or telephone number has been involved in any data leaks by visiting Have I Been Pwned.

We want to be clear that this is not a data breach and no private LinkedIn member data was exposed.
– LinkedIn’s full statement can be found here.

It is important to note that LinkedIn is not denying that data was harvested from their servers. They are simply pointing out that:
  • Some of the data was also obtained from “other various websites”.

  • They do not consider your LinkedIn data that was exposed to be “private”.

So what is the definition of “private data”?


References:

LinkedIn statement: https://news.linkedin.com/2021/april/an-update-from-linkedin
 
Popular Audacity audio app dubbed ‘spyware’ by users over policy changes from new owners

Since its first release in 2000, Audacity has served as a useful audio editing tool for both Windows and Mac. Audacity grew in popularity fast thanks to being both free and open source. Earlier this year, Muse Group acquired the development project and said it would continue the main fork. There weren’t many issues with that change until now.

The Audacity Privacy notice was updated on July 2 to include new data collection provisions. The new owners break down the two main types of data they collect: data for analytics and data for legal enforcement.

The analytics data is limited to fairly specific information, including the OS version, CPU, user country (based on IP address), and error codes. The main issue most have with the change is the vague and overarching wording, especially within the legal enforcement section.

They list the personal data they collect as “Data necessary for law enforcement, litigation and authorities’ requests (if any)” without any limitations. That’s a significant change to Audacity after over 20 years of development.



Screenshot from the Audacity Privacy notice.


Users have not been pleased with this latest change. A large portion of the user base are advocates for privacy, and this vague and concerning change is seen as a betrayal of Audacity’s users and history. So what can be done about it?

Thankfully, Audacity is open source so you can still download other versions of the program. While the Muse Group may own the development of the main release, there are several versions of the program across the web.

For now, you can also download older versions of Audacity that do not have “phone home” functionality. Or, if you have read the privacy policy and don’t mind the terms, you can keep using the main release. This change just puts Audacity in line with countless other apps that harvest your data.
 
PSA: Kaspersky Password Manager has been creating flawed passwords

Kaspersky Password Manager caught out making easily bruteforced passwords

If you are using Kaspersky Password Manager, you might want to regenerate any password created before October 2019.






If you are in the business of generating passwords, it would probably be a good idea to use a source of entropy other than the current time. For a long time, though, the current time was all Kaspersky Password Manager (KPM) used.

In a blog post capping off an almost two-year saga, Ledger Donjon head of security research Jean-Baptiste Bédrune showed KPM was doing just that.

"Kaspersky Password Manager used a complex method to generate its passwords. This method aimed to create passwords hard to break for standard password crackers. However, such method lowers the strength of the generated passwords against dedicated tools," Bédrune wrote.

One of the techniques used by KPM was to make letters that are not often used appear more frequently, which Bédrune said was probably an attempt to trick password cracking tools.

"Their password cracking method relies on the fact that there are probably 'e' and 'a' in a password created by a human than 'x' or 'j', or that the bigrams 'th' and 'he' will appear much more often than 'qx' or 'zr'," he said.

"Passwords generated by KPM will be, on average, far in the list of candidate passwords tested by these tools. If an attacker tries to crack a list of passwords generated by KPM, he will probably wait quite a long time until the first one is found. This is quite clever."

The flip side was that if an attacker could deduce that KPM was used, then the bias in the password generator started to work against it.

"If an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password. Our recommendation is, however, to generate random passwords long enough to be too strong to be broken by a tool."

The big mistake made by KPM though was using the current system time in seconds as the seed into a Mersenne Twister pseudorandom number generator.

"It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second," Bédrune said.

Because the program plays an animation that takes longer than a second when a password is created, Bédrune suggested this could be why the issue went undiscovered.

"The consequences are obviously bad: every password could be bruteforced," he said.

"For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes."

Bédrune added that because sites often show an account’s creation time, KPM users could be left vulnerable to a bruteforce attack over only around 100 possible passwords.

However, due to some bad coding leading to an out-of-bounds read on an array, Ledger Donjon found an additional smidgen of entropy.

"Although the algorithm is wrong, it actually makes the passwords more difficult to bruteforce in some cases," the post said.

KPM versions prior to 9.0.2 Patch F on Windows, 9.2.14.872 on Android, or 9.2.14.31 on iOS were affected. Kaspersky replaced the Mersenne Twister with the BCryptGenRandom function in its Windows version, the research team said.
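To make the seeding flaw concrete, here is an added illustration written for this page; it is not KPM’s code nor Ledger Donjon’s. Python’s random.Random is itself MT19937, so it stands in for the Mersenne Twister; the timestamp, charset and window are constructed, the audit helper is hypothetical, and the secrets module plays the role of an OS CSPRNG such as BCryptGenRandom. Only the time seeding is modelled, not the character-frequency bias or the out-of-bounds read.

```python
"""Illustration (not KPM's code): a Mersenne Twister seeded only with the
current time in seconds, beside the hardened form using the OS CSPRNG."""
import random
import secrets
import string

# Constructed charset for the illustration; KPM's real charsets are not modelled.
CHARSET = string.ascii_letters + string.digits


def time_seeded_password(seed_seconds: int, length: int = 12, charset: str = CHARSET) -> str:
    """Weak generator modelling the flaw: MT19937 seeded with a Unix timestamp.

    Every instance seeded with the same second produces the same password,
    which is exactly the property Bedrune described.
    """
    rng = random.Random(seed_seconds)  # random.Random is MT19937
    return "".join(rng.choice(charset) for _ in range(length))


def distinct_passwords_in_window(start_seconds: int, window: int,
                                 length: int = 12, charset: str = CHARSET) -> int:
    """Upper bound on the generator's entropy over a window of seconds.

    Because the seed is the second, at most `window` distinct passwords
    can exist for a given charset and length, however large the charset.
    """
    return len({time_seeded_password(t, length, charset)
                for t in range(start_seconds, start_seconds + window)})


def find_time_seed(password: str, start_seconds: int, window: int,
                   charset: str = CHARSET):
    """Hypothetical audit helper: is `password` reproducible from a time seed?

    A defender checking an old vault can run this over the account's known
    creation window; a hit means the password must be regenerated.
    Returns the matching second, or None if no seed in the window matches.
    """
    for t in range(start_seconds, start_seconds + window):
        if time_seeded_password(t, len(password), charset) == password:
            return t
    return None


def strong_password(length: int = 12, charset: str = CHARSET) -> str:
    """Hardened form: draw from the OS CSPRNG (secrets), independent of time."""
    return "".join(secrets.choice(charset) for _ in range(length))


# Constructed scenario: an account created around 2021-01-01 00:00:00 UTC.
CREATION_TIME = 1609459200

if __name__ == "__main__":
    # Two "installations" seeded in the same second agree exactly.
    print(time_seeded_password(CREATION_TIME) == time_seeded_password(CREATION_TIME))
    # Knowing creation time to within ~100 s leaves ~100 candidates, not 62**12.
    print(distinct_passwords_in_window(CREATION_TIME, 100))
    # A CSPRNG password is not reproducible from any time seed in the window.
    print(find_time_seed(strong_password(), CREATION_TIME, 100))
```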

Kaspersky was informed of the vulnerability in June 2019 and released the fixed version in October that same year. In October 2020, users were notified that some passwords would need to be regenerated, and Kaspersky published its security advisory on 27 April 2021.

"All public versions of Kaspersky Password Manager liable to this issue now have a new logic of password generation and a passwords update alert for cases when a generated password is probably not strong enough," the security company said.

In late 2015, Kaspersky said one in seven people were using just one password.

"A strong password that differs for each account is an important basic element of protecting your digital identity," David Emm, principal security researcher at Kaspersky Lab, said at the time in a delicious piece of irony.






Update: Kaspersky has shared an official statement on the flaws:

“Kaspersky has fixed a security issue in Kaspersky Password Manager, which potentially allowed an attacker to find out passwords generated by the tool. This issue was only possible in the unlikely event that the attacker knew the user’s account information and the exact time a password had been generated. It would also require the target to lower their password complexity settings.

The company has issued a fix to the product and has incorporated a mechanism that notifies users if a specific password generated by the tool could be vulnerable and needs changing.

We recommend that our users install the latest updates. To make the process of receiving updates easier, our home products support automatic updates.”
 
HomePod Users Complain of Sudden Failures, Could Be Linked to 14.6 and 15 Updates

Original HomePod models appear to be mysteriously failing at an increasing rate, according to multiple people and complaints on Reddit and Twitter. Many of the HomePods that have suddenly stopped working were running the beta version of the HomePod 15 software, but some affected users had HomePods with the 14.6 software installed.






Jose said that his 18-month-old HomePod running the 14.6 update recently stopped working, and that's a common complaint across multiple Reddit threads that have been created over the course of the last few days.

In one notable case, a Reddit user with a total of 19 HomePods had seven of them stop working today. Four of those HomePods were running the HomePod 15 beta, and three of them were running the 14.6 software.

I have a total of 19 HomePods at home. 6 of them are on Beta and the others on 14.6. As of today, 7 are no longer working. 4 on the beta and 3 on 14.6. I use the HomePods normally and listen to music from time to time but not very loud, on average about 20% volume. All the ones on the beta are connected as default speaker on the Apple TV. Either there is a massive problem with the OS or something in the hardware is built wrong.

That Reddit thread has complaints from several other HomePod owners who have had their HomePods die, and MacRumors reader Andre curated a list of Reddit complaints, all from users who have had their HomePods die over the course of the last few days.


  • Failure 1, 5 days ago - Reddit user UnderstandingNo5785 was running the HomePod 15 beta and found that his HomePod was hot on the top, which may have led to a logic board issue. Other Reddit users have speculated about the failures being caused by using the HomePod as a default speaker for the Apple TV while running the HomePod 15 beta.

  • Failure 2, 2 days ago - A newly opened HomePod was set up, updated to 14.6, and then lost connection. A hard reset caused the LED to turn red and the volume lights to blink, but it remained non-functional.

  • Failure 3, 1 day ago - One of two HomePods set up as a stereo pair suddenly stopped working. Both HomePods were running the 14.6 update. The broken HomePod doesn't power up and doesn't respond to touch.

  • Failure 3, today - 7 HomePods stop working, four on beta, three on 14.6.

  • Failure 4, June - A MacRumors reader in June had his HomePod die after a software update. The HomePod does not light up, does not work, and resets do not do anything.

  • HomePod Overheating - A Reddit user had a HomePod die when used in stereo mode with the Apple TV, and it was hot to the touch. It survived and continued to work, but the Reddit user has noticed the HomePods are still getting hot in stereo mode while running 14.6. This person says that their two other HomePods also died previously.

There are multiple other complaints from affected users in the comment sections of these threads, suggesting that this could be a widespread issue impacting many HomePod owners. Most of the impacted HomePods were used in stereo pairing mode and were linked to an Apple TV running the tvOS 14.6 update, including HomePods running the 14.6 and 15 software updates.

Since many of the affected HomePods have beta software installed, it's not a good idea to install the HomePod 15 beta if you have a HomePod. The HomePod beta is distributed on an invite-only basis, but some third-party sites make it available, and if you install an unauthorized beta, Apple is not going to be able to help.

One Reddit user says that a senior Apple technician advised them to unplug their HomePods and stop using them until the next software update.

"I would tell your friends if they have installed OS15 beta on one or both of their HomePods and having issues to unplug them and not use them until next software update comes out to avoid damage to the logic board. In result of damaging your HomePod. If your HomePod has failed due to the developer beta profile being installed which in that case apple cannot be held liable to fix the HomePods due to non licensed developer people installing this software, but suggest if your HomePod has in fact failed and you are a licensed developer you are urged to contact apple developer team for further assistance."

There are also many complaints from users who are running the 14.6 update, and unfortunately, Apple support has not been helpful for those who have a HomePod that was purchased more than a year ago. MacRumors reader Jose, who initially contacted us, said that Apple support was unable to offer help because his HomePod was out of warranty, and other HomePod owners have had the same response.

Given the high number of sudden failures linked to 14.6, it's possible there's a hardware or software bug that's causing the problem, and if that's the case, Apple may eventually offer more help to HomePod users.

There is no known fix for HomePod users at this time, but avoiding beta software is recommended, and those who are highly concerned about failures may also want to stop using their HomePods in stereo mode for the time being, until more information is available or a new software update is released to address any possible issues.

Another person said that his failure was caused by a diode that failed, and he was able to replace the diode and get the HomePod working again. It is not clear whether this is the same issue that others are experiencing, nor is it reasonable for HomePod owners to have to tear down their speakers to solder on a new component.
 
Apple promotes Apple Watch and iPhone ping feature in new ‘Haystack’ ad [Video]

Apple is out with a new ad promoting the integration between iPhone and Apple Watch. In a video posted to YouTube today, Apple plays on the “needle in a haystack” idea, with a farmer using the ping feature on his Apple Watch to find an iPhone that’s lost in a haystack.

“An iPhone that’s lost is easily found. Relax, it’s iPhone + Apple Watch,” Apple touts in the video’s description. The video is set to the song “Searching (For Someone Like You)” by Kitty Wells.

Here’s how Apple describes the feature in a support document:

  • Your Apple Watch can help you find your iPhone if it’s nearby.

  • Touch and hold the bottom of the screen, swipe up to open Control Center, then tap the iPhone icon.

  • Your iPhone makes a tone so you can track it down.

  • Tip: In the dark? Touch and hold the Ping iPhone button and iPhone flashes as well.

  • If your iPhone isn’t in range of your Apple Watch, try using Find My from iCloud.com.




iPhone 12 | Haystack | Apple - 1:08
https://www.youtube.com/watch?v=cXKu9qTmA2M
 
New iPhone 12 Pro ‘In The Dark’ ad highlights selfies in Night Mode




Earlier today, Apple introduced a new advertisement promoting the interaction between the iPhone and Apple Watch. Now, the company has released another ad on its YouTube channel, this time highlighting selfies in Night Mode with the iPhone 12 Pro.

In a 30-second video, Apple shows in a fun way how users can take good selfies even in the dark thanks to Night Mode. Although Night Mode was introduced with iPhone 11, only the iPhone 12 lineup can capture photos in Night Mode with all cameras — wide-angle, ultra-wide, telephoto, and front camera.

Although the advertisement uses an iPhone 12 Pro as an example, this feature is also available to iPhone 12 Pro Max, iPhone 12, and iPhone 12 mini users. Portrait photos in Night Mode with the rear camera, however, require an iPhone 12 Pro or 12 Pro Max because of the LiDAR scanner.

In The Dark — Now you can take amazing selfies in the dark. Night mode on iPhone 12 and iPhone 12 Pro.

The song used in the video is “In The Dark” by YG, which is available on Apple Music. You can watch the full video below:



(you can read her facial expression, "I'm so proud of him, and that he's all mine" LOL)


iPhone 12 Pro | In The Dark | Apple

https://www.youtube.com/watch?v=hbMUGbDM-60
 
PSA: It’s not just you, Apple confirms iCloud Mail is suffering from the Monday blues




iCloud Mail is having trouble this morning. Some users are seeing password errors and are unable to log in to their email through Apple’s own Mail app, the iCloud website, or third-party mail apps.

Just after 7 am PT, Apple officially confirmed the iCloud problems on its System Status page, saying “Users may be unable to access iCloud mail.”

For now, Apple says “some users are affected” but reports are certainly growing.



 
New 'Behind the Mac' ad throws spotlight on Canadian artists

New ‘Behind the Mac’ ad highlights multiple artists from Canada






Apple today released a new advertisement specifically for Canadians. The “Made in Canada” video, which is part of the “Behind the Mac” campaign, highlights multiple artists from Canada, including Justin Bieber, Daniel Caesar, and Shawn Mendes.

In a 30-second video, the advertisement shows singers, songwriters, and other music industry professionals using Mac computers. More specifically, every Mac shown in the video is a MacBook, which is quite interesting.

However, that’s not all. Apple has also introduced a new webpage on its Canadian website for the same campaign, which features brief details about each of the artists featured in the video. Of course, Apple also emphasizes some Mac apps used by these professionals, such as GarageBand and Adobe Photoshop, as well as highlighting the power of the M1 chip.


As noted by Elle, the ad features video clips and still images of successful acts and personalities like Justin Bieber, Shawn Mendes, Arcade Fire's Win Butler, director and actor Karena Evans, and Grammy winner Willo Perron. A-Trak, Daniel Caesar, Charlotte Cardin, The Halluci Nation, High Klassified, Kaytranada, The Kid LAROI, Haviah Mighty, Orville Peck, Jessie Reyez, Curtis Waters and Chiara Young are also featured.

The commercial opens with a quote from Maestro Fresh Wes and is set to "Hot" by Freq Motif & Just John.

"Behind the Mac, Canadians are making a major impact on global music culture through their creativity. And doing it on a Mac," the video's description reads.






Made in Canada | Behind the Mac | Apple

https://www.youtube.com/watch?v=egYhuFxu_Dk
 
Facebook Advertisers Impacted By Apple Privacy iOS 14 Changes

Facebook Users Said No to Tracking. Now Advertisers are Panicking
People give iOS apps permission to track their behavior just 25% of the time







When users get asked on iPhone devices if they’d like to be tracked, the vast majority say no. That’s worrying Facebook Inc.’s advertisers, who are losing access to some of their most valuable targeting data and have already seen a decrease in effectiveness of their ads.

The new prompt from Apple Inc., which arrived in an iOS software update to iPhones in early June, explicitly asks users of each app whether they are willing to be tracked across their internet activity. Most are saying no, according to Branch, which analyzes mobile app growth. People are giving apps permission to track their behavior just 25% of the time, Branch found, severing a data pipeline that has powered the targeted advertising industry for years.







“It’s been pretty devastating for I would say the majority of advertisers,” said Eric Seufert, a mobile analyst who writes the Mobile Dev Memo trade blog. “The big question is: Are we seeing just short-term volatility where we can expect a move back to the mean, or is this a new normal?”

Facebook advertisers, in particular, have noticed an impact in the last month. Media buyers who run Facebook ad campaigns on behalf of clients said Facebook is no longer able to reliably see how many sales its clients are making, so it’s harder to figure out which Facebook ads are working. Losing this data also impacts Facebook’s ability to show a business’s products to potential new customers. It also makes it more difficult to “re-target” people with ads that show users items they have looked at online, but may not have purchased.

A Facebook spokesman declined to share what percentage of its users have accepted the company’s tracking prompt, but roughly 75% of the world’s iPhone users have downloaded the newest operating system, according to Branch. Seufert estimated that in the first full quarter users see the prompt, the iOS changes could cut Facebook’s revenue by 7% if roughly 20% of users agree to be tracked. If just 10% of users grant Facebook tracking permission, revenue could be down as much as 13.6%, according to his models. The first full quarter with the prompt is the third quarter. Facebook reports second quarter earnings at the end of July.

Most retail websites include Facebook software that sends detailed customer data back to the social network, including when a Facebook user makes a purchase. Facebook can then use that data to better understand what a retailer’s target customer looks like, and show that retailer’s ads to other people on Facebook who match that profile, known as a “lookalike” audience.

But as people have asked Facebook and other apps not to track their behavior, the social networking company has started to lose access to this data. Gil David, a media buyer at Run DMG who spends about $1 million on Facebook ads per month for clients, said the company used to know about the vast majority of his client’s sales. Now that data is inconsistent. With one larger client, Facebook captured just 64% of sales. With a smaller client, just 42%.

Zach Stuck, another media buyer who runs Homestead Studio and spends millions on Facebook ads per month, has seen the same changes. Facebook used to capture around 95% of the sales data from his clients. In one case now, there is a 57% gap between sales he can see on Shopify and what Facebook is reporting, he said.

Since Facebook has a smaller sample of data, an advertiser may be paying to reach someone who doesn’t quite fit their target audience, making the ads less effective for the amount of money advertisers spend.

“What Facebook was great at is they were able to see who bought and find that user’s buyer behavior – what other websites are they visiting, what other things are they doing,” Stuck said. When it can’t see this data, Facebook can’t accurately find “other people that might be able to buy a product similar to that.”

Missing this sales data also makes it harder for Facebook to properly measure the impact of its ads because media buyers don’t know how many sales are being driven by their marketing campaigns. Facebook used to tell advertisers how many sales it made within certain demographic cohorts – women in Texas, or 18- to 25-year-old men, for example. The company has stopped sharing that level of detail, advertisers say.

“There’s no source of truth at all anymore,” said Dave Herrmann, who runs his own agency called Herrmann Digital and manages more than $2.5 million in monthly Facebook advertising spend. “Every platform gives you different numbers.”

A Facebook spokesman said ad performance for “lookalike” targeting will experience some fluctuations with the iOS changes, but should not be noticeably impacted in the long term.

Another key part of Facebook advertising is “re-targeting,” or showing someone an ad for a product they may have looked at online or put into a digital shopping cart, but never purchased. When users ask Facebook to stop tracking their behavior, this form of re-targeting isn’t possible.

Losing the ability to re-target products to customers after they viewed them online but didn’t buy hurts businesses trying to sell more expensive products, advertisers say, because it’s rarer for someone to make an impulse purchase on something pricey. Customers are more likely to make a big purchase when that expensive item shows up in their Facebook news feed for weeks after they originally looked at it.

Apple has made privacy a foundation of the company’s latest marketing effort around the iPhone, pushing back against the digital advertising industry that has collected immense amounts of user data for years in ways that few people understood. The tagline for the company’s new iPhone television commercial is, “Choose who tracks your information… and who doesn’t.” The privacy changes apply to all app developers on the iPhone, not just Facebook.

But the social network has been protesting the loudest, arguing for months that Apple’s new privacy features would hurt small businesses that rely on targeted advertising — and make up the bulk of the company’s sales. Facebook said these businesses rely on precise targeting to find customers and may not have the advertising budget for a broader marketing campaign.

“Those bootstrapped advertisers or those advertisers that are trying to start from scratch to enter the market are going to have a much tougher time than a venture-backed company or somebody that’s more established,” said Maurice Rahmey, co-founder of a performance marketing firm called Disruptive Digital.

A Facebook spokesman said the company is doing a number of things to try and make up for the changes, including working on new advertising features that require less data to measure an ad’s success. The company is also looking into technology that would let Facebook deliver personalized ads based on targeting data stored on the user’s device, meaning Facebook wouldn’t need to access it.

“Apple’s policy is hurting the ability of businesses to use their advertising budgets efficiently and effectively, and the limitations being created are driven by Apple’s restrictions for their own benefit,” the spokesman added, noting that Facebook has tried to prep advertisers with notices, blogs and webinars. “We believe that personalized ads and user privacy can coexist.”

While the majority of the world’s smartphone users own devices running Google’s Android operating system, Apple’s iPhones are popular in some of the world’s most valuable advertising markets, including the U.S. Facebook even created its own pop-up to appear before Apple’s required one, hoping that it might encourage more people to grant it permission to track their behavior. During a live audio interview on the app Clubhouse in March, Chief Executive Officer Mark Zuckerberg said Facebook “may even be in a stronger position” following the iOS changes if it means more businesses start to make sales directly within Facebook’s apps instead of sending users to a web address.

Despite the challenges, advertisers don’t appear ready to abandon Facebook just yet. But media buyers said their smaller clients are already starting to struggle. Some don’t make enough sales to effectively leverage Facebook’s “lookalike” targeting features. Herrmann said he’s slowed some of his Facebook spending until the impact of the tracking changes are clearer. He’s also started moving some of his smaller clients to different kinds of advertising, like paying influencers to market their products.

“I don’t think anyone truly understands how many businesses in the world are 100% dependent on Facebook,” Herrmann said. “When you suddenly strip that away and [Facebook ads are] 40% less effective, and will continue to become less effective over time, that creates a kind of a panic.”

Others, like David, are questioning Apple’s privacy push entirely.

“Smaller businesses are a casualty,” he added. “I’m not really sure Apple fully thought that through, or they were aware of that and just thought, ‘We don’t care. This is what we’re doing.’”
 
Apple removes ‘Fakespot’ app from iOS App Store following Amazon request

Amazon just got Fakespot booted off Apple’s iOS App Store

Did Fakespot need permission to call out fake reviews as you shop?







Fakespot, known for its web browser extensions that try to weed out fake product reviews, suddenly no longer has an iPhone or iPad app — because Amazon sent Apple a takedown request, both Amazon and Fakespot confirm, and Apple decided to remove the app.

The giant retailer says it was concerned about how a new update to the Fakespot app was “wrapping” its website without permission, and how that could be theoretically exploited to steal Amazon customer data. But Fakespot founder Saoud Khalifah said that Apple abruptly removed the app today without any explanation. Apple didn’t respond to multiple requests for comment.

The new Fakespot app launched just over a month ago on June 3rd, and I can confirm it let you log in to Amazon, browse, and buy items with Fakespot’s overlay on top. I downloaded and tried it a few weeks ago to see if it could help spot fake reviews on some new purchases, but I didn’t come to a conclusion on whether it actually helped.
Thank you to all of our users for making this new iOS app a reality. Together we will put an end to eCommerce fraud. We have more amazing products coming soon that will make secure shopping the gold standard for eCommerce. https://t.co/UyUnsOydzK

— Fakespot (@FakespotTweets) June 21, 2021

But in mid-June, says Fakespot’s founder, Amazon initiated a takedown notice. And just hours ago, Apple finally delivered a blunt three-line email about how it regretted that the situation couldn’t be resolved amicably and that Fakespot has now been removed from the App Store. “Apple hasn’t even given us the ability to solve this,” says Khalifah. “We just dedicated months of resources and time and money into this app.”

Amazon said it believes Fakespot violated Apple guideline 5.2.2, which reads:

5.2.2 Third-Party Sites/Services: If your app uses, accesses, monetizes access to, or displays content from a third-party service, ensure that you are specifically permitted to do so under the service’s terms of use. Authorization must be provided upon request.

Amazon also said that Fakespot injects code into its website, opening up an attack vector and putting customer data (including email, addresses, credit card info, and your browser history) at risk, though it says it doesn’t actually know if Fakespot is using this information.

“The app in question provides customers with misleading information about our sellers and their products, harms our sellers’ businesses, and creates potential security risks. We appreciate Apple’s review of this app against its Appstore guidelines,” reads a statement from Amazon.

But while Fakespot’s founder admits the app injects code to display its own scores, he categorically denies there’s any vulnerability and points out that apps which include a web browser view are common — including coupon apps that Amazon seems to “have no problem with wrapping around a webview browser.” Amazon did, however, try to warn against the browser coupon extension Honey by suggesting it was a security risk last January.

Regardless of why, it’s a blow to one of the major outspoken critics of Amazon’s review system, as Fakespot is regularly cited in reports about review fraud on Amazon. Amazon even bought search ads against the “Fakespot” keyword in the App Store to reduce the app’s potential impact:








“Amazon is willing to bully little companies like ours that showcase the cracks in their company,” Khalifah says, suggesting Amazon must have realized people were choosing their app over the Amazon app. He says Fakespot racked up 150,000 installs from the iOS App Store, without spending any money on marketing.

Amazon says it regularly audits companies that try to call out fake reviews and claims that Fakespot’s ratings are mostly wrong: “We regularly review products where Fakespot rated a product’s reviews as untrustworthy and their findings were wrong more than 80% of the time. They simply do not have the information we have—such as reviewer, seller and product history—to accurately determine the authenticity of a review.” Amazon suggests that it does a much better job of finding fake reviews itself by analyzing 30 million of them each week, though that clearly hasn’t stopped the fake and incentivized review problems yet — something we’re still investigating at The Verge.

Amazon wouldn’t say if it’s contacted Google about the Android version of the app, but that app hasn’t been updated since 2019.

Fakespot’s founder says the company is weighing its legal options now because it believes mobile is the future of shopping. “We’re seeing percentages of 60/40 now hovering in mobile’s favor,” Khalifah said.
 
“Clickless” exploits from Israeli firm hacked activists’ fully updated iPhones

NSO Group says its spyware targets only criminals and terrorists. Critics disagree.







Smartphones belonging to more than three dozen journalists, human rights activists, and business executives have been infected with powerful spyware that an Israeli firm sells, purportedly to catch terrorists and criminals, The Washington Post and other publications reported.

The handsets were infected with Pegasus, full-featured spyware developed by NSO Group. The Israel-based exploit seller has come under intense scrutiny in recent years after repressive governments in the United Arab Emirates, Mexico, and other countries have been found using the malware against journalists, activists, and other groups not affiliated with terrorism or crime.

Pegasus is frequently installed through “zero-click” exploits, such as those sent by text messages, which require no interaction from victims. After the exploits surreptitiously jailbreak or root a target's iPhone or Android device, Pegasus immediately trawls through a wealth of the device's resources. It copies call histories, text messages, calendar entries, and contacts. It is capable of activating the cameras and microphones of compromised phones to eavesdrop on nearby activities. It can also track a target's movements and steal messages from end-to-end encrypted chat apps.


iPhone 12 running iOS 14.6 felled

According to research jointly done by 17 news organizations, Pegasus infected 37 phones belonging to people who don’t meet the criteria NSO says are required for its powerful spyware to be used. Victims included journalists, human rights activists, business executives, and two women close to murdered Saudi journalist Jamal Khashoggi, according to The Washington Post. Technical analysis from Amnesty International and the University of Toronto’s Citizen Lab confirmed the infections.

“The Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021,” Amnesty International researchers wrote. “These also include so-called ‘zero-click’ attacks which do not require any interaction from the target. Zero-click attacks have been observed since May 2018 and continue until now. Most recently, a successful ‘zero-click’ attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.”

All 37 infected devices were included in a list of more than 50,000 phone numbers. It remains unknown who put the numbers on it, why they did so, and how many of the phones were actually targeted or surveilled. A forensic analysis of the 37 phones, however, often shows a tight correlation between time stamps associated with a number on the list and the time surveillance began on the corresponding phone, in some cases as brief as a few seconds.

Amnesty International and a Paris-based journalism nonprofit called Forbidden Stories had access to the list and shared it with the news organizations, which went on to do further research and analysis.

Reporters identified more than 1,000 people in more than 50 countries whose numbers were included on the list. Victims included Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials—including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list. The Guardian, meanwhile, said 15,000 politicians, journalists, judges, activists, and teachers in Mexico appear on the leaked list.

As detailed here, hundreds of journalists, activists, academics, lawyers, and even world leaders appear to have been targeted. Journalists on the list worked for leading news organizations, including CNN, the Associated Press, Voice of America, The New York Times, The Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London, and Al Jazeera in Qatar.

“The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals,” Sunday’s Washington Post said. “The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.”

NSO pushes back

NSO officials are pushing back hard on the research. In a statement, they wrote:


The report by Forbidden Stories is full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources. It seems like the “unidentified sources” have supplied information that has no factual basis and [is] far from reality.

After checking their claims, we firmly deny the false allegations made in their report. Their sources have supplied them with information which has no factual basis, as evident by the lack of supporting documentation for many of their claims. In fact, these allegations are so outrageous and far from reality that NSO is considering a defamation lawsuit.

NSO Group has a good reason to believe the claims that are made by the unnamed sources to Forbidden Stories are based on [a] misleading interpretation of data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products. Such services are openly available to anyone, anywhere, and anytime and are commonly used by governmental agencies for numerous purposes, as well as by private companies worldwide.

The claims that the data was leaked from our servers is a complete lie and ridiculous, since such data never existed on any of our servers.


In its own statement, Apple officials wrote:


Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.


Repeat offender


This is by no means the first time that NSO has come under international criticism when its Pegasus spyware was found targeting journalists, dissidents, and others with no clear ties to crime or terrorism. The NSO spyware came to light in 2016 when Citizen Lab and security firm Lookout found it targeting a political dissident in the United Arab Emirates.

Researchers at the time determined that text messages sent to UAE dissident Ahmed Mansoor exploited what were then three iPhone zero-day vulnerabilities to install Pegasus on his device. Mansoor forwarded the messages to Citizen Lab researchers, who determined that the linked webpages led to a chain of exploits that would have jailbroken his iPhone and installed the Pegasus spyware.

Eight months later, researchers from Lookout and Google retrieved a Pegasus version for Android.

In 2019, Google’s Project Zero exploit research team found NSO exploiting zero-day vulnerabilities that gave full control of fully patched Android devices. Days later, Amnesty International and Citizen Lab disclosed that the mobile phones of two prominent human rights activists had been repeatedly targeted with Pegasus. That same month, Facebook sued NSO over attacks that allegedly used clickless exploits to compromise WhatsApp users' phones.

Last December, Citizen Lab said a clickless attack developed by NSO exploited what had been a zero-day vulnerability in Apple’s iMessage to target 36 journalists.

The exploits that NSO and similar firms sell are extremely complex, costly to develop, and even more expensive to purchase. Smartphone users are unlikely to ever be on the receiving end of one of these attacks unless they are in the crosshairs of a wealthy government or law enforcement agency. People in this latter category should seek guidance from security experts on how to secure their devices.
Apple under pressure over iPhone security after NSO spyware claims

Apple urged to work with rivals after alleged surveillance of journalists, activists.
Apple has come under pressure to collaborate with its Silicon Valley rivals to fend off the common threat of surveillance technology after a report alleged that NSO Group’s Pegasus spyware was used to target journalists and human rights activists.

Amnesty International, which analyzed dozens of smartphones targeted by clients of NSO, said Apple’s marketing claims about its devices’ superior security and privacy had been “ripped apart” by the discovery of vulnerabilities in even the most recent versions of its iPhones and iOS software.

“Thousands of iPhones have potentially been compromised,” said Danna Ingleton, deputy director of Amnesty’s tech unit. “This is a global concern—anyone and everyone is at risk, and even technology giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand.”

Security researchers said Apple could do more to tackle the problem by working with other tech companies to share details about vulnerabilities and vet their software updates.

“Apple unfortunately does a poor job at that collaboration,” said Aaron Cockerill, chief strategy officer at Lookout, a mobile security provider. He described iOS as a “black box” compared with Google’s Android, where he said it was “much easier to identify malicious behavior."

Amnesty worked with the journalism nonprofit group Forbidden Stories and 17 media partners on the “Pegasus Project” to identify alleged targets of surveillance.

NSO, which has said its technology was designed to target only criminal or terrorist suspects, described the Pegasus Project’s claims as “false allegations” and “full of wrong assumptions and uncorroborated theories."

Amnesty’s research found that several attempts to steal data and eavesdrop on iPhones had been made through Apple’s iMessage using so-called zero-click attacks, which do not require the user to open a link.

Bill Marczak, research fellow at Citizen Lab, a nonprofit group that has extensively documented NSO’s tactics, said Amnesty’s findings suggested that Apple had a “major blinking red five-alarm-fire problem with iMessage security."

A similar kind of zero-click Pegasus attack was identified using Facebook-owned WhatsApp messenger in 2019.

Will Cathcart, head of WhatsApp, called the latest disclosures a “wake-up call for security on the Internet.” In a series of tweets, he pointed to steps taken by tech companies including Google, Microsoft, and Cisco that have sought to push back against Pegasus and other commercial spyware tools.

But Apple, with whom Facebook has a long-running feud over the iPhone’s privacy controls, was absent from his list of collaborators.

“We need more companies, and, critically, governments, to take steps to hold NSO Group accountable,” Cathcart said.

While Apple does “a great job protecting consumers,” said Lookout’s Cockerill, it “should be more collaborative with firms like my own” to protect against attacks such as Pegasus.

“The big difference between Apple and Google is transparency,” Cockerill said.

Apple insisted that it did collaborate with external security researchers but chose not to publicize the activities, which included paying out millions of dollars a year in “security bounty” rewards for spotting vulnerabilities and providing its hardware to researchers.

“For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” Apple said in a statement.

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals,” Apple continued. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
XLoader malware infects Macs; collects keystrokes and more

XLoader malware infects Macs now; collects keystrokes, screenshots, and more
XLoader malware has now migrated from Windows machines to attack Macs too. An evolution of the malware known as Formbook, it lets an attacker log keystrokes, take screenshots, and access other private information.

Worryingly, the malware is sold on the dark web for $49, enabling anyone to deploy it against both Windows and Mac users …

The good news is that it does require user action to trigger it. Attackers typically send an email that contains the malware embedded into Microsoft Office documents.

Security researchers at Check Point discovered it.

Check Point Research (CPR) sees a new strain of malware that has evolved to steal the information of MacOS users. Named “XLoader”, the new strain is a derivative of the famous “Formbook” malware family, which mainly targeted Windows users, but disappeared from being on sale in 2018. Formbook rebranded to XLoader in 2020. Over the past six months, CPR studied XLoader’s activities, learning that XLoader is prolific, targeting not just Windows, but to CPR’s surprise, Mac users as well.

Hackers can buy XLoader licenses on the Darknet for as low as $49, equipping them with capabilities to harvest log-in credentials, collect screenshots, log keystrokes, and execute malicious files. Victims are tricked into downloading XLoader via spoofed emails that contain malicious Microsoft Office documents.

This is a potential threat to all Mac users. In 2018, Apple estimated that over 100M Macs were in use.

CPR tracked XLoader activity between December 1, 2020 and June 1, 2021. CPR saw XLoader requests from as many as 69 countries. Over half (53%) of the victims reside in the United States.

XLoader is stealthy, meaning it is hard to tell when a Mac is infected with it, but the company does provide one method of checking.

1. Go to the /Users/[username]/Library/LaunchAgents directory
2. Check for suspicious filenames in this directory (the example below is a random name)

/Users/user/Library/LaunchAgents/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist
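As an added example, not Check Point's tooling or code from this article, the following Python script automates the check above: it flags LaunchAgents plist filenames whose segments look machine-generated and parses each plist to show what program it launches. The heuristic, the benign sample agent and the program paths are constructed assumptions; only the suspicious filename is taken from the report.

```python
# Added example (not Check Point's tooling): automate the LaunchAgents check.
# The randomness heuristic and the sample agents in demo() are constructed.
import plistlib
import re
import tempfile
from pathlib import Path

# A dotted segment mixing upper case, lower case and digits over 8+ characters
# (e.g. "wznlVRt83Jsd") is typical of generated labels and rare in vendor names.
RANDOM_SEGMENT = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8,}$")

def looks_random(filename: str) -> bool:
    """True if any dotted segment of the plist basename looks machine-generated."""
    stem = filename[:-6] if filename.endswith(".plist") else filename
    return any(RANDOM_SEGMENT.match(seg) for seg in stem.split("."))

def triage(agents_dir: Path) -> list:
    """Parse every .plist in the folder; report what it launches and a flag."""
    findings = []
    for plist_path in sorted(agents_dir.glob("*.plist")):
        try:
            with plist_path.open("rb") as fh:
                data = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError):
            data = {}  # an unreadable agent plist is itself worth a closer look
        program = data.get("ProgramArguments") or [data.get("Program", "?")]
        findings.append({
            "file": plist_path.name,
            "label": data.get("Label", "?"),
            "program": " ".join(str(arg) for arg in program),
            "suspicious": looks_random(plist_path.name),
        })
    return findings

def demo() -> list:
    """Write two constructed agents into a temp folder and triage them."""
    samples = {  # constructed; only the first filename comes from the report
        "com.wznlVRt83Jsd.HPyT0b4Hwxh.plist": {
            "Label": "com.wznlVRt83Jsd.HPyT0b4Hwxh", "RunAtLoad": True,
            "ProgramArguments": ["/Users/user/.hidden/agent"]},
        "com.example.updater.plist": {
            "Label": "com.example.updater", "RunAtLoad": True,
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            with (Path(tmp) / name).open("wb") as fh:
                plistlib.dump(content, fh)
        return triage(Path(tmp))
```

On a real Mac, call triage(Path.home() / "Library/LaunchAgents"); a random-looking name is a prompt to inspect the launched program, not proof of XLoader.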

As with any malware, you can minimize the risk of infection by avoiding sketchy websites and using caution with attachments. Never open an attachment unless you know the sender and are expecting it – because it’s common for attackers to spoof the From address of an email.

Yaniv Balmas, head of cyber research at Check Point Software, said that Mac owners shouldn’t be complacent.

Historically, MacOS malware hasn’t been that common. They usually fall into the category of ‘spyware’, not causing too much damage.

I think there is a common incorrect belief with MacOS users that Apple platforms are more secure than other more widely used platforms. While there might be a gap between Windows and MacOS malware, the gap is slowly closing over time. The truth is that MacOS malware is becoming bigger and more dangerous. Our recent findings are a perfect example and confirm this growing trend. With the increasing popularity of MacOS platforms, it makes sense for cyber criminals to show more interest in this domain, and I personally anticipate seeing more cyber threats following the Formbook malware family.