When an exploit turns into a murals


Subscribe to this bi-weekly newsletter here!

Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

Google Project zeroThe elite team of insect hunters does not need an introduction.

The white hat hackers were good at finding something Bug in Android and iOS, but that’s impressive new disclosure by Ian Beer beats everything that came before.

Beer spent six months of his lockdown single-handedly devising a method that would allow iPhones to be remotely hijacked. This shows that with just one Raspberry Pi, commercially available WiFi adapters that cost a total of $ 100 and a few lines of code available are possible for a remote attacker too Take full control from any iPhone nearby.

What’s more impressive is that multiple vulnerabilities don’t have to be chained together to fully control an iPhone, Beer explained in a 30,000 word magnum opus.

The exploit “uses a single memory corruption vulnerability to compromise the flagship iPhone 11 Pro,” allowing a villain to “view all photos, read all email, copy all private messages, and monitor everything that happens” [the device] Real time.”

The bugs Beer discovered while developing this chain of exploits were all fixed before iOS 13.5 was released earlier this year.

But, as Beer wrote in his post, the takeaway here should be: “A person working alone in their bedroom has been able to develop a skill that allows them to seriously become iPhone users they’ve come in close contact with endanger. “

Patrick Wardle, a senior security researcher at Jamf, described Beer’s Lockdown Project as “Artwork. ”

What’s the trend in terms of security?

Google News app for Android, Facebook patched a critical problem in its Messenger app for Android, which could allow an attacker to eavesdrop on callers, and Twitter was introduced Support for two-factor authentication with physical security keys.

  • In a big win for privacy and security, Google has announced that it will expand its messaging app for Android to include end-to-end encryption, starting with one-on-one calls between users of the app. [Google]
  • Swiss lawmakers raised concerns after reports that a country-based encryption company called Omnisec was allegedly used as a Trojan horse by US and German intelligence agencies to spy on governments around the world. [AFP]
  • Facebook has patched a critical problem in his messenger app for Android, which could have allowed a hacker to call you and listen before you answered the call. It’s similar to a security flaw in FaceTime that Apple quickly fixed last year. [Google Project Zero]
  • Researchers at the University of Leuven in Belgium found flaws in the keyless entry system of the Tesla Model X, which would have allowed attackers to steal the car within minutes. This is the third such attack on Tesla’s key chain. [IMEC]
  • Symantec researchers engaged Chinese threat actor APT10 (also known as Stone Panda and Cicada) for a year to steal sensitive data from numerous Japanese companies and their subsidiaries. [Symantec]
  • T.The hacking group known as APT32 or OceanLotus has set up a new MacOS backdoor that gives attackers a window into the compromised computer, allowing them to search and steal confidential information and confidential business documents. [Trend Micro]
  • Security engineer and bug hunter Ashar Javed is on the lookout for 365 security holes in Microsoft Office 365. [Vice]
  • North Korean hackers attempted to destroy UK drug maker AstraZeneca’s systems using LinkedIn and WhatsApp to send out bogus job postings containing malware as national threat actors continue to target health organizations working on COVID-19 vaccine research. [Reuters]
  • Just like that Pitfalls of privacy The Australian Inspector General for Intelligence and Security (IGIS) found that the country’s espionage agencies “randomly” collected data from the country’s COVIDSafe contact tracking app for the first six months of operation. However, the data has not been decrypted, accessed or used. [iTnews]
  • Scientists at Israel’s Ben Gurion University in the Negev described a new form of “cyber biological attack” that could allow a malicious actor to compromise a biologist’s computer in order to inject pathogenic substrings into DNA sequences and deliver dangerous viruses and toxins develop. [ZDNet / ESET]
  • Twitter added support for two-factor authentication using hardware security keys. [Twitter]
  • The last 14 days of data breaches, leaks and ransomware: Advantech, Belden, Embraer, Spotify, US fertilityand the personal data of 16 million Brazilian COVID-19 patients.

Data point

According to cybersecurity firm Kaspersky’s IT Threat Evolution Report For the third quarter of 2020, cyber criminals are resorting to the spread of malware containing the names of popular streaming platforms to trick users into downloading.

“Typically, backdoors and other Trojans are downloaded when users try to gain access in an unofficial way – by buying discounted accounts, getting a ‘hack’ to keep their free trial running, or trying on a free subscription to access. “

Between January 2019 and April 8, 2020, Trojans made up 47.23% of all malware camouflaged under the names of popular streaming platforms.

That’s it. I’ll see you all in two weeks. Stay safe!

Delighted x TNW (enthusiastic[at]the next web[dot]With)

Read Next: How to Set Your Google Photos Pictures as Live Wallpaper for Android

Leave A Reply

Your email address will not be published.