AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 09/14/2021

Apple issues urgent iPhone software update to address critical spyware vulnerability

Apple has updated its software for iPhones to address a critical vulnerability that independent researchers say has been exploited by notorious surveillance software to spy on a Saudi activist. Researchers from the University of Toronto’s Citizen Lab said the software exploit has been in use since February and has been used to deploy Pegasus, the spyware made by Israeli firm NSO Group that has allegedly been used to surveil journalists and human rights advocates in multiple countries. The urgent update that Apple (AAPL) released Monday plugs a hole in the iMessage software that allowed hackers to infiltrate a user’s phone without the user clicking on any links, according to Citizen Lab. The Saudi activist chose to remain anonymous, Citizen Lab said. Apple credited the Citizen Lab researchers for finding the vulnerability, but an Apple spokesman declined further comment.

 

Over 60 million wearable, fitness tracking records exposed via unsecured database

An unsecured database containing over 61 million records related to wearable technology and fitness services was left exposed online. On Monday, WebsitePlanet, together with cybersecurity researcher Jeremiah Fowler, said the database belonged to GetHealth. Based in New York, GetHealth describes itself as a “unified solution to access health and wellness data from hundreds of wearables, medical devices, and apps.” The firm’s platform is able to pull health-related data from sources including Fitbit, Misfit Wearables, Microsoft Band, Strava, and Google Fit. On June 30, 2021, the team discovered a database online that was not password protected. The researchers said that over 61 million records were contained in the data repository, including vast swathes of user information — some of which could be considered sensitive — such as their names, dates of birth, weight, height, gender, and GPS logs, among other datasets. 

 

How a Russian Mobile App Developer Recruited Phones into a Secret Ad-Watching Robot Army

In October 2020, Maxim Karpenko, an independent Russian mobile game developer, was sitting on a train about to go on vacation when a friend messaged him with troubling news. Stavrio Ltd., a little-known company in the U.K., had just filed for a trademark to Karpenko’s most prized work, WorldBox, a “god simulator” mobile game that allows users to create and nurture virtual civilizations. Karpenko had spent eight years developing WorldBox, which had been downloaded millions of times. Now it looked as though he might lose everything overnight. Stavrio Ltd. had quietly replicated the game and was offering it on mobile app stores under its own name. “I panicked and cancelled the trip, went back home … and started looking for lawyers,” Karpenko told OCCRP and its Estonian partner, Eesti Ekspress.

 

AI POWERED COFFEE MAKER KNOWS A BIT TOO MUCH ABOUT YOU

People keep warning that Skynet and the great robot uprising is not that far away, what with all this recent AI and machine-learning malarky getting all the attention lately. But we think going straight for a terminator robot army is not a very smart approach, not least due to a lack of subtlety. We think that it’s a much better bet to take over the world one home appliance at a time, and this AI Powered coffee maker might just well be part of that master plan. [Mark Smith] has taken a standard semi-auto espresso maker and jazzed it up a bit, with a sweet bar graph nixie tube the only obvious addition, at least from the front of the unit. Inside, a Raspberry Pi Zero sits atop his own nixie tube hat and associated power supply. The whole assembly is dropped into a 3D printed case and lives snuggled up to the water pump.

 

Twitter starts rolling out Communities, its dedicated space for groups

After 15 years, Twitter is getting dedicated features for groups. The company is now starting to test Communities, “a more intimate space for conversations” on the platform. Communities, which the company first teased back in February, are sort of like Twitter’s version of a subreddit or a public-facing group on Facebook. Communities are dedicated to specific topics, and members can post tweets to a dedicated group timeline. Each community has its own moderators who set rules for the group, and users must be invited by an existing member or moderator to participate. The feature is meant to address what’s been a long-running issue for the platform: that it can be incredibly difficult for new users to wade through the noise and find the corner of Twitter that speaks to their interests. The company has tried to address this with Topics, which injects tweets into your timeline based on your interests, but Communities takes the idea a step further.

 

BLOCKCHAIN, EXPLAINED

You can think of a blockchain like an obsessive club filled with members who love to keep track of things. The club has a ton of complicated rules to make sure that every member writes down the exact same set of records about what happens each day (whether it’s bird sightings, or beer tastings, or flower sales) and that once data is recorded and accepted, it becomes exponentially more difficult to change as more and more records are added on top of it. Then, usually, outsiders can come by and check out all their records and go, “Oh, wow, a cardinal flew by at 10AM in front of Mike’s house. Cool.” At their core, blockchains let you agree about data with strangers on the internet. Public blockchains provide a place to put information that anyone can add to, that no one can change, and that isn’t controlled by any single person or entity. (Generally, at least; we’ll deal with the caveats and exceptions later.) Instead of one company or person keeping track of everything, that responsibility is spread out to everyone on the network.

Related Posts