The NSO Group is an Israeli firm that has long marketed itself as a "cyber warfare" company, selling mobile surveillance technology to governments that include notoriously corrupt human rights abusers. One of these is Mexico, where NSO spyware played a key role in targeting teachers and journalists, and missing students.

On Thursday, NSO Group announced it has been “re-acquired” by its founders. Read the rest

That massive Equifax data breach on September 7, 2017, shocked everyone, but a year and a half later, where the data of all those 143 million Equifax users ended up is still a mystery. Read the rest

LipPass is a user verification system for mobile devices that verifies your identity by the unique way that you move your lips. Developed by researchers at Shanghai Jiao Tong University, the system doesn't validate based on the sound of your voice but rather the movement of your mouth. From IEEE Spectrum:

The researchers realized the audio components on smartphones can be exploited to depict the movement of a person’s mouth by analyzing the acoustic signals that bounce off the user’s face. Since each person exhibits unique speaking behaviors—like lip protrusion and closure, tongue stretch and constriction, as well as jaw angle changes—this creates a unique Doppler effect profile that can be detected by the phone. The platform then uses a deep learning algorithm, which extracts distinct features from of the user’s Doppler profile as he or she speaks. Next, a binary tree-based approach is applied to distinguish the new user’s profile from previously registered users, which also helps discriminate between the identity of legal users and spoofers...

In a controlled laboratory environment, LipPass achieved an overall authentication accuracy of 95.3 percent... Across all environments and all kinds of attacks, the overall (spoof) success rate was less than 10 percent, though attacks that used the third method—a recording of the user's Doppler profile—did succeed nearly 20 percent of the time under controlled, laboratory conditions.

"Lip Reading-Based User Authentication Through Acoustic Sensing on Smartphones" (IEEE/ACM Transactions on Networking) Read the rest

The gay dating app Jack'd, which has more than a million downloads in the Play store, stored images that users marked 'private' and posted in 1:1 chat sessions *on an unsecured AWS server.* Read the rest

Last October, I published a list of cities that appeared to have contracted with Predpol, a "predictive policing" company, based on research provided to me by an anonymous source who used clever methods to uncover the customer list. Read the rest

It's been a year and a half since the Norwegian Consumer Council commissioned a security audit of kids' "smart watches" that revealed that anyone on the internet could track the wearers, talk to them through their watches, and listen in on them; a year later, Pen Test Partners revealed that the watches were still leaking sensitive information, a situation that hadn't changed as of last week. Read the rest

In late 2017, the Norwegian Consumer Council published its audit of kids' smart-watches, reporting that the leading brands allowed strangers to follow your kids around and listen in on their conversations; a year later, Pen Test Partners followed up to see if anything had changed (it hadn't). Read the rest

Go get a developer account and send us a formal bug report, Apple reportedly told them.

This bodes well for WhatsApp users. Read the rest

Your internet-of-shit smart lightbulb is probably storing your wifi password in the clear, ready to be recovered by wily dumpster-divers; Limited Results discovered the security worst-practice during a teardown of a Lifx bulb; and that's just for starters: the bulbs also store their RSA private key and root passwords in the clear and have no security measures to prevent malicious reflashings of their ROMs with exploits, network probes and other nasties. (Thanks, John!) Read the rest

Stingrays (AKA IMSI catchers) are a widespread class of surveillance devices that target cellular phones by impersonating cellular towers to them (they're also called "cell-site simulators"). Read the rest

“We’re aware of this issue and we have identified a fix that will be released in a software update later this week.” — Apple.

A really bad new law in Australia gives police the right to force companies like Apple to 'backdoor', or create encryption circumvention alternatives, in all their products. The issue has been controversial in the U.S. for a long time, and spiked in 2016 after the mass shooting in San Bernardino. Read the rest

The Department of Homeland Security on Tuesday issued an “emergency” security alert urging federal civilian agencies to secure login credentials for their respective internet domain records. Read the rest

Most Facebook users have no idea how the company tracks and profiles everything they do to target ads, a new Pew Research study confirms. Read the rest

Federal agents today arrested a man in Georgia who they say was planning an attack with weapons and explosives on the White House, the Washington Monument, and the Lincoln Memorial in Washington, DC. Read the rest

Noah Rotem got an intriguing error message from El Al's reservation system ("PNR: https://fly.elal.co.il/LOTS-OF-NUMBERS-HERE*) and by tugging at the loose thread it revealed, he was able to view any "Passenger Name Record" in El Al's system, allowing him to "make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service." Read the rest