Israeli spyware firm NSO Group 're-acquired' by founders

The NSO Group is an Israeli firm that has long marketed itself as a "cyber warfare" company, selling mobile surveillance technology to governments that include notoriously corrupt human rights abusers. One of these is Mexico, where NSO spyware played a key role in targeting teachers and journalists, and missing students.

On Thursday, NSO Group announced it has been “re-acquired” by its founders.

Was that huge 2017 Equifax data breach part of a nation-state spy scheme?

That massive Equifax data breach on September 7, 2017, shocked everyone, but a year and a half later, where the data of all those 143 million Equifax users ended up is still a mystery.

Your locked phone could verify it's you by listening to your lips move

LipPass is a user verification system for mobile devices that verifies your identity by the unique way that you move your lips. Developed by researchers at Shanghai Jiao Tong University, the system doesn't validate based on the sound of your voice but rather the movement of your mouth. From IEEE Spectrum:

The researchers realized the audio components on smartphones can be exploited to depict the movement of a person’s mouth by analyzing the acoustic signals that bounce off the user’s face. Since each person exhibits unique speaking behaviors—like lip protrusion and closure, tongue stretch and constriction, as well as jaw angle changes—this creates a unique Doppler effect profile that can be detected by the phone. The platform then uses a deep learning algorithm, which extracts distinct features from the user’s Doppler profile as he or she speaks. Next, a binary tree-based approach is applied to distinguish the new user’s profile from previously registered users, which also helps discriminate between the identity of legal users and spoofers...

In a controlled laboratory environment, LipPass achieved an overall authentication accuracy of 95.3 percent... Across all environments and all kinds of attacks, the overall (spoof) success rate was less than 10 percent, though attacks that used the third method—a recording of the user's Doppler profile—did succeed nearly 20 percent of the time under controlled, laboratory conditions.

"Lip Reading-Based User Authentication Through Acoustic Sensing on Smartphones" (IEEE/ACM Transactions on Networking)

Gay dating app Jack'd stored users' private images and data on unsecured AWS server

The gay dating app Jack'd, which has more than a million downloads in the Play store, stored images that users marked 'private' and posted in 1:1 chat sessions on an unsecured AWS server.

Chasing down that list of potential Predpol customers reveals dozens of cities that have secretly experimented with "predictive policing"

Last October, I published a list of cities that appeared to have contracted with Predpol, a "predictive policing" company, based on research provided to me by an anonymous source who used clever methods to uncover the customer list.

After more than a year of inaction, one of those privacy-leaking kids' smart watches has been recalled in Europe

It's been a year and a half since the Norwegian Consumer Council commissioned a security audit of kids' "smart watches" that revealed that anyone on the internet could track the wearers, talk to them through their watches, and listen in on them; a year later, Pen Test Partners revealed that the watches were still leaking sensitive information, a situation that hadn't changed as of last week.

18 months on, kids' smart watches are STILL a privacy & security dumpster-fire, and a gift to stalkers everywhere

In late 2017, the Norwegian Consumer Council published its audit of kids' smart-watches, reporting that the leading brands allowed strangers to follow your kids around and listen in on their conversations; a year later, Pen Test Partners followed up to see if anything had changed (it hadn't).

Apple was slow to act on FaceTime bug report, which came from mother of 14-year-old who found it

Go get a developer account and send us a formal bug report, Apple reportedly told them.

New privacy hires at WhatsApp: Nate Cardozo (EFF), Robyn Greene (Open Technology Institute)

This bodes well for WhatsApp users.

Discarded smart lightbulbs reveal your wifi passwords, stored in the clear

Your internet-of-shit smart lightbulb is probably storing your wifi password in the clear, ready to be recovered by wily dumpster-divers; Limited Results discovered the security worst-practice during a teardown of a Lifx bulb; and that's just for starters: the bulbs also store their RSA private key and root passwords in the clear and have no security measures to prevent malicious reflashings of their ROMs with exploits, network probes and other nasties. (Thanks, John!)

Major vulnerability in 5G means that anyone with $500 worth of gear can spy on a wide area's mobile activity

Stingrays (AKA IMSI catchers) are a widespread class of surveillance devices that target cellular phones by impersonating cellular towers to them (they're also called "cell-site simulators").

FaceTime bug lets you hear or see through someone else’s iPhone, even if they haven’t answered

“We’re aware of this issue and we have identified a fix that will be released in a software update later this week.” — Apple.

Australia may have just backdoored your mobile phone

A really bad new law in Australia gives police the right to force companies like Apple to 'backdoor', or create encryption circumvention alternatives, in all their products. The issue has been controversial in the U.S. for a long time, and spiked in 2016 after the mass shooting in San Bernardino.

DHS issues security order after DNS hijack attacks from Iran, 6 agency domains already affected

The Department of Homeland Security on Tuesday issued an “emergency” security alert urging federal civilian agencies to secure login credentials for their respective internet domain records.

Most Facebook users don't know their interests are tracked for ad targeting, Pew study finds

Most Facebook users have no idea how the company tracks and profiles everything they do to target ads, a new Pew Research study confirms.

FBI arrests Georgia man suspected of planning to bomb White House

Federal agents today arrested a man in Georgia who they say was planning an attack with weapons and explosives on the White House, the Washington Monument, and the Lincoln Memorial in Washington, DC.

Bug in reservation system used by 140+ international airlines exposes passenger data and allows for manipulation

Noah Rotem got an intriguing error message from El Al's reservation system ("PNR: https://fly.elal.co.il/LOTS-OF-NUMBERS-HERE") and by tugging at the loose thread it revealed, he was able to view any "Passenger Name Record" in El Al's system, allowing him to "make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service."
