Apple and Google trade barbs over bugs, digital lothario arrested and Bluekeep gets busy
Also, XKCD forums hacked and Monster monstered
Roundup Here's a look back at some of the latest security bits and bobbles besides the stuff we already covered over the past week.
That's the way the Cook, he grumbles
Apple isn't taking too kindly to Google's decision to disclose a family of security vulnerabilities that were under active attack by Chinese authorities seeking to monitor targeted groups within the country.
On Friday the Cupertino phone flinger issued a statement to criticize Google over the Project Zero report on the flaws and the way it described issues Apple says it long ago addressed.
"Google's post, issued six months after iOS patches were released, creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised. This was never the case," Apple said.
In response, Google issued its own statement in defense of its research team and their decision to issue the report.
"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies," Google said.
"We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities."
Neither statement made mention of the targeted populations in China who were subjected to years of government monitoring.
Con-man Casanova cuffed, charged in $2m dating scam
A man from New Jersey has been charged for allegedly scamming more than $2m out of people on dating websites.
Rubbin Sarpong, 35, was said by prosecutors to have run the scheme in combination with conspirators in Ghana who helped lure the victims to splashing out cash and then process the payments. Sarpong and his crew are accused of duping more than 30 victims, each time by playing with their emotions via dating sites.
"After establishing virtual romantic relationships with victims on the online dating platforms and via email, the conspirators asked them for money, often for the purported purpose of paying to ship gold bars to the United States," prosecutors allege. "Although the stories varied, most often Sarpong and the conspirators claimed to be military personnel stationed in Syria who received, recovered, or were awarded gold bars."
The scam worked so well that it is alleged the crew made more than $2m, of which $823,386 was deposited directly into Sarpong's own bank accounts. He faces one charge of conspiracy to commit wire fraud and, if convicted, could spend up to 20 years behind bars.
XKCD forums hacked
A bit of an embarrassing turn of events for beloved nerd comic XKCD: the site says its forums have been hit by hackers who were able to make off with some basic user details.
"The xkcd forums are currently offline. We've been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection. The data includes usernames, email addresses, salted, hashed passwords, and in some cases an IP address from the time of registration," the site said.
"We’ve taken the forums offline until we can go over them and make sure they're secure. If you're an echochamber.me/xkcd forums user, you should immediately change your password for any other accounts on which you used the same or a similar password."
While the passwords were encrypted, it wouldn't be a bad idea to make sure those credentials were not reused for other sites.
Still haven't patched BlueKeep? Now would be a great time
The Windows RDP vulnerability known as "BlueKeep" just got a bit more dangerous, thanks to the release of a MetaSploit module that will make the flaw even easier for attackers to exploit in the wild. Other researchers, notably controversial British talent Marcus Hutchins, have also published research.
Having the bug included in the exploit kit will lower the bar for targeting the flaw and will make it easier for criminals to go after end users. If you haven't updated your PC to patch the bug, now would be a good time.
NHS loses 2,000 records from gender identity clinic
The Guardian reports that an NHS-run gender identity clinic in London has managed to lose the email addresses of some 2,000 patients currently in the process of transitioning. While no other patient details were lost, the disclosure of email addresses alone are cause for concern given the personal nature of the clinic's practice.
Man pleads guilty in hare-brained Trump tax hack scheme
Andrew Harris, one of the two college students caught trying to hack President Donald Trump's tax records back in 2016 has pleaded guilty to two counts of computer fraud. He could face up to two years in prison when he is sentenced later this year.
Harris and co-conspirator Justin Hiemstra were cuffed in 2016 when they tried to get hold of the US president's tax records by setting up a fraudulent financial aid application for one of his family members.
Hiemstra pleaded guilty to the same charge last month.
Monster partner leaks CV data
Job-hunting site Monster says one of its clients is to blame for the disclosure of CVs for job seekers.
Apparently one company that had purchased access to CVs from job seekers left some of the files out in the open, only to be stumbled upon by researchers looking for exposed storage buckets. Seeing as CVs are, by nature, handed out to complete strangers all the time this isn't a huge deal, but it's definitely not a good look for Monster.
Facebook Android app caught scooping device details
Not that we're surprised anymore when Facebook is caught digging into user devices for info, but the Social Network is the subject of a report from security pro Jane Manchun Wong, who found that the Android version of the Facebook mobile app was collecting diagnostic information from hundreds of Android libraries.
As Wang notes, the collected information is mostly technical data from various phone components, not personal information or media files. This may not be a huge violation of privacy, but the app certainly is a bit more nosy than most people would like. ®
- Apple M1
- App stores
- Google AI
- Google Cloud Platform
- Google Nest
- G Suite
- Immigration and Nationality Act of 1965
- Privacy Sandbox
- Software License
- Tavis Ormandy
- Telecommunications Act of 1996
- Tim Cook