An Equifax Goof, an iOS Phish, and More Security News This Week
This week was one of revelations in the security world, most of them centered around nation-states pulling off ambitious hacks. In the wake of reports that Russia had used Kaspersky Lab software to steal NSA secrets, we took a look at the antivirus paradox that applies to every company selling it. And given reports that North Korea had attempted to hack a US energy utility, we looked at when exactly grid attacks should freak you out.
In addition to break-ins, we took a look at a few things that are broken, like Donald Trump’s attempt to use Richard Nixon’s “madman” playbook against North Korea. (It didn’t work so great for Nixon, either.) Cyberattacks don’t really work against North Korea anymore, because there’s not much internet to work with. Social Security numbers are a bad system that’ll be hard to replace—but not impossible. Voting tech reforms have started coming in drips, but we need to crank the faucet all the way.
There’s at least some good news though: A method exists that would have helped stop the Equifax megabreach and others like it. If only more companies would use it.
And yet there’s more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories.
You know how annoying it is when you’re just futzing along on your iPhone and suddenly a pop-up prompts you to enter your Apple ID password for no good reason? As developer Felix Krause illustrates, that reason might well be “a bad guy wants to steal your info.” Krause says that it’s “shockingly easy” for a shady developer to prompt people to enter their passwords using iOS’s UIAlertController, which lets developers create pop-ups that also happen to mimic the system dialog. How to protect yourself? First of all, don’t download untrusted apps. But you can also hit the home button when a pop-up asks for your password. If the app quits, someone was phishing you. If not, it’s a real-deal iOS request.
The already absurd Equifax situation seemingly grows a little more so every day. Earlier this week, the company’s site delivered bogus Flash updates to users; if you clicked, your device came down with a nasty case of adware. This time, at least, the company paid a price: The IRS has suspended the $7.5 million (no-bid) contract it first awarded Equifax to “verify taxpayer identity” in the aftermath of the initial debacle. It could be reinstated after a review, but in the meantime the service Equifax had provided, called Secure Access, is down.
One of the original low-cost, high-quality smartphones out of China, OnePlus has a reputation for solid design and an at times archaic order process. It also uses OxygenOS, a forked version of Android with perfectly decent usability and, apparently, one nasty little surprise: It tracks users, but doesn’t anonymize that data. All smartphones send location and other data back to their makers’ servers, but they also take precautions not to link that data with a specific phone, because doing so would enable the kind of privacy overreaches that consumers rightly find deeply unsettling. According to security researcher Christopher Moore, though, OxygenOS recorded the device’s unique identifiers, battery status, timestamps, detailed app usage information, and more. At least now we know what the “plus” stands for.
The Daily Beast takes a look this week at Danny Manupassa, a security products vendor who, the report says, has sold phones that “have been linked to assassinations, armed robbery, money laundering, and other serious crimes.” More than a look at just one supplier, the story examines the underworld use of encrypted, hard-to-trace smartphones. It’s a cutthroat business in murky legal territory, and worth spending a little time with.