this week in security — december 31 edition

THIS WEEK, TL;DR

Years-long campaign backdoored iPhones using advanced exploits, Kaspersky finds
Ars Technica: Kaspersky dropped the last in its running series of Operation Triangulation, an ongoing campaign involving the use of several new zero-days to target the iPhones belonging to Kaspersky employees. The Russian cybersecurity company said the attack involved the backdooring of iPhones in part by exploiting an undocumented hardware feature known by very few people outside of Apple and chip suppliers. The whole saga is fascinating — not least that Kaspersky employees were targeted and subsequently uncovered the campaign — but because it hints at a potentially wider net of victims. Using the exploits, the attackers delivered spyware capable of listening to ambient microphone recordings and gave full access to the device's data. Apple has since fixed the four vulnerabilities, but many questions remain about who first discovered and exploited the bugs, against who else, and why.
More: SecureList | CCC | Dark Reading | Bleeping Computer

India targets Apple over its phone hacking notifications
Washington Post ($): Speaking of spyware, guess who's been caught with their hand in the spyware cookie jar? India's Modi government. The Post has a wild story about how Apple notified a ton of spyware victims in India — including opposition politicians — that their iPhones were compromised (with NSO Group's Pegasus spyware, the Post reports), and how the Modi government took action against Apple's executives as a result. "They were really angry," according to one person with knowledge of the Modi government's dressing down of Apple's India executives. Apple stood by the notifications, but Apple's corporate comms (its PR people, basically) cast doubt on its own security team by watering down their guidance to avoid backlash from Modi officials. It's bad enough that the Modi government used spyware to snoop on its opposition and journalists, but weak to see Apple buckling to pressure from the Modi government by undermining its own security defenders. Incredible reporting from @josephmenn and @gerryshih.
More: TechCrunch | @josephmenn tweets | @rondeibert | @evacide

EasyPark discloses data breach that may impact millions of users
Bleeping Computer: Parking app maker EasyPark has confirmed a data breach. The Swedish app maker (which also makes RingGo and ParkMobile) has said little about the incident, only that it affects "a portion of European users" (rather than its U.S. customers), but the number of affected users may reach the millions given how many users EasyPark has. According to EasyPark, some contact information was taken — including names, phone number, physical and email address, and partial payment data. Parking apps have been targeted by bad actors in the past given the amount of sensitive data (such as locations of where and when) they store.
More: EasyPark | The Guardian

~ ~

THE STUFF YOU MIGHT'VE MISSED

The most dangerous people on the internet in 2023
Wired ($): This year's list of most dangerous people on the internet includes two ransomware gangs, a Russian-backed hacking crew and a former U.S. president. You can probably guess the last one. Less a look back at 2023 per se, and more a warning about what 2024 could bring — if we let it happen.

Police have easy access to vehicle data
The Record: Cars these days are computers on wheels, and offer fancy features that let you sync your phone to your car's dash. But an exception to the Fourth Amendment (think protections from searches and seizures) means that if you sync your phone to your car, those constitutional protections don't go as far as some might think. As @SuzanneMSmalley looks in this second part of a series, police can use search warrants to access data from your phone via your car. More from @ByronTau.

A new idea could fix AirTag stalking while maximizing privacy
Wired ($): AirTags have utility, but they're also a stalker's dream — and if you've ever had a tracking notification warning (even if it's a false positive), it can be alarming. Apple has taken steps over the past year to limit their abuse while also keeping their data private (from outsiders). But now researchers say they have figured out a better cryptographic system that both preserves the privacy of the user while also prioritizing the detection of potentially malicious AirTags by using a mix of secret sharing and a sprinkling of error correction. Great thread from @matthew_d_green, who was in part behind the research. The full paper can be found here.

~ ~

OTHER NEWSY NUGGETS

Google settles $5B "incognito" lawsuit: "Incognito" in heavy quotes here, since it doesn't do half of what people think it does... Google settled a long-running class action suit that alleged Google violated users' privacy by using cookies, analytics and tools in apps to track internet browsing activity in Chrome even when incognito mode is turned on. Google previously disputed the claims after a judge denied the company's motion for a summary judgment. (via DataBreachToday)

Mass. bill would not hinder firms from reporting cyber incidents: A new bill in Massachusetts (spotted by @brett) has a provision that would prevent cybersecurity insurance firms from placing limits on informing the government of a security incident or data breach. That's right: greedy insurance companies have been telling ransomware victims not to notify the government (as they're required to do), so Massachusetts' bill would effectively block the blockers. It's in early stages but one to keep an eye on. (via @gossithedog, @brett)

Paramount parent corp. says it was hacked: National Amusements, a chain of U.S. cinemas that also happens to be the parent company of CBS and Paramount (it's a long story), says it was hacked and more than 82,000 people's information was taken. But whom, exactly, National Amusements wouldn't say. Customers? Users? Employees? The latter is likely, since the data breach notice was signed by the company's HR chief, but it's certainly an eyebrow raiser when the company itself doesn't seem to know (or want to disclose). (Disclosure: I wrote this story.) (via TechCrunch, Maine.gov)

~ ~

~ ~

THE HAPPY CORNER

Happy Sunday from the happy corner as we rapidly approach 2024 (if you're reading this later, happy new year).

A lot happened this year. There's a lot of doom and gloom (which isn't a surprise given!) but this week I looked back at some of the lighter moments in cyber of 2023. (Bzzzt! There goes the disclosure buzzer again.)

We've had cyber cats galore, and enough cat content to broadcast across the universe. And of course they only went and did it using a huge freaking laser. You can't make this stuff up.

And that's the last happy corner of 2023. Into the trash you go.

If you have good news you want to share, get in touch at: this@weekinsecurity.com.

~ ~

CYBER CATS & FRIENDS

This week's (and this year's final) cyber cat is Boris, whose human tells me is a very committed pentester of various automated feeders. There's no cat better suited for the task. Many thanks to Gleb M. for sending in!

Send in your cyber cats! Drop me an email with your cyber cat (or non-feline friend) with their name and photo and they'll feature in an upcoming newsletter.

~ ~

SUGGESTION BOX

And that's it for this year's final edition of ~this week in security~, thanks so much for reading! I'll be back next week year with the usual roundup from the cyber realm — and I'm sure it'll be busier than ever. It's been a privilege to bring this newsletter to you every week, and I love hearing from you (and getting cyber cats!).

You can always get in touch with any feedback you have. Have a peaceful and restful New Year wherever you are in the world.

All my best,
@zackwhittaker