- Your Security Checklist
- Test Your Security Skills
- Your Weekly Security Update
- This Should Be on Your Radar
- Security Fail of the Week
- Security Updates from Apple
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Use an authenticator app to generate 2FA codes. Two-factor authentication codes generated by an app are more secure than those texted to you via SMS, and the Passwords app has one built in.
- Turn off app tracking to protect your personal data. Apps will sometimes ask for permission to track your activity even outside of the app. You can turn off app tracking altogether in your iPhone settings.
- Disable location data for apps that don't need it. You can turn off location access on an app-by-app basis so that you can still get real-time weather information for your location, while preventing other apps from knowing where you are at all times.
What should you do in the following scenario?
You have an iPhone with sensitive information on it, but you'd like to get rid of the device. After copying your sensitive information to a new device, what is the best way to be certain that the sensitive information cannot be accessed by someone else?
- Return the device to Apple.
- Drop the iPhone in a bucket of water.
- Remove the battery, then put the device in your microwave for five minutes.
- Smash it with a hammer.
- Go to Settings > General > Transfer or Reset iPhone > Erase All Content and Settings.
- Do something else (email us your answer).
Scroll to the bottom to see how you did!
The tool is called Webloc, and it's made by a company called Penlink. The US Immigration and Customs Enforcement agency, ICE, has a new contract with Penlink to use Webloc, and reporters at 404 Media have obtained internal documents that detail what the tool does and does not do. Webloc allows ICE agents to easily access a commercial archive of phone-location data. They can ask for every device that visited a specific block, or every device that visited two specific locations, and then expand their investigation by selecting an individual phone and seeing where else it has been. From such data, they can learn where the phone goes at night (likely the owner's home), where it goes during the day (likely the owner's workplace), where it spends social time, who it meets with, etc.
Webloc relies on phone-location data that is aggregated as part of advertising efforts. Apps like Candy Crush Saga, Tinder, and others harvest location data from millions of devices, both through app location permissions and via the Real-Time Bidding (RTB) system, and sell that information as a product intended to help advertisers reach their intended targets. Information brokers collect these profiles into archives and rent access to apps like Webloc. This allows government entities like ICE, using tools like Webloc, to query these commercial databases without establishing probable cause or applying for a warrant.
The Bottom Line: The good news is that iPhones have a bunch of tools to limit how much location information you leak to commercial databases. On your iPhone, go to Settings > Privacy & Security > Location Services and review which apps can access your location. It's safe to set almost every app to Never [share your location], with the exception of Apple Maps or similar navigation apps, which need to know where you are in order to function.
To limit how much information the RTB system can gather about you, use a privacy-preserving web browser, such as DuckDuckGo or Brave, and anonymizing tools like Apple's iCloud Private Relay, or a secure consumer VPN. If you do these things, then you will not be supplying much location data that can end up in a commercial location database, and tools like Webloc may not be very effective at tracking your location. That said, it is difficult to know for sure, and no mitigation strategy is foolproof.
The Romance Scammer's Playbook
Human trafficking victims held in a scam compound in the Philippines were provided with a detailed instruction manual in Chinese, explaining how to conduct relationship-investment scams. The manual, and others like it, provide exact, step-by-step instructions on how to form romantic attachments in seven days, and then convert those romantic relationships into monetary investments in a fake cryptocurrency investment app controlled by scam-compound operators. The manuals lay out different strategies for conversational gambits, depending on the personality and even horoscope of the intended victim. Reuters got ahold of one copy of such a manual, and their full write-up offers a valuable look at the tools and strategies used in these pernicious scams. If you prefer your news in podcast form, Smashing Security did an excellent and entertaining episode discussing the scammer manual (among other things) and offering helpful takeaways. Note: The Reuters article refers to this scam type as "pig butchering," but we prefer the name "relationship-investment scam."
The Bottom Line: Cryptocurrency investment advice from an online-only contact, friend, or romantic partner is a huge red flag. These scammers rely on effective strategies for tricking their victims into believing the relationship is genuine. They identify and then exploit genuine emotional needs, so the connections can feel valuable, heartfelt, and compelling to the victim. Then they offer a get-rich-quick investment opportunity, and the emotional needs intersect with financial needs for a powerful incentive. Have a look at Reuters' full write-up for details of specific phrases and strategies the scammers tend to use, which might serve as red flags.
Hacker Charged for Breaking into Snapchat Accounts
The US Attorney's Office is charging a hacker for allegedly attempting to break into thousands of women's Snapchat accounts and steal nude photos. The hacker used social engineering techniques to acquire the usernames and phone numbers of his victims, whom he then texted from anonymous phone numbers and convinced to give him two-factor authentication codes needed to access their accounts. Of the thousands of potential victims, the US Attorney's Office says approximately 570 of them handed him their 2FA codes, and the hacker accessed at least 59 of these accounts. The hacker is also reported to have been hired by a former Northeastern University coach to hack the Snapchat accounts of women he had coached. You can read the full statement from the US Attorney's Office here.
The Bottom Line: Sensitive data, whether it's nude photos or photos of your social security card, should not be stored somewhere as insecure as Snapchat. Secure storage options like iCloud or, even better, local storage like a password-protected hard drive are the ideal choices. Additionally, you should never answer unsolicited texts asking for a two-factor authentication code. While this hacker posed as Snapchat customer support, a real customer support team should never need a 2FA code from you.
Disruption of Air Traffic Communication Grounds Flights in Greece
Travelers in Greece were left stranded last week when air traffic communications broke down due to interference. The interference appeared to come from a "continuous, involuntary emission" of "noise," causing a loss of communication across all radio frequencies and forcing a complete shutdown of the airspace over Greece. It is currently unknown where this noise originated from, but the chair of the Association of Greek Air Traffic Controllers believes it to be the result of "an aging system" and not a cyberattack. The communications outage lasted several hours but was resolved the same day, and all flights have since resumed. The chief of Greece's Civil Aviation Authority has resigned in the wake of this incident. Head over to Reuters for the full story.
The Bottom Line: While this incident wasn't the result of a cyberattack, it does highlight the risks of not updating equipment. Outdated equipment is more vulnerable to attack or failure, which is why it's important to keep your devices up to date.
Was Instagram User Data Leaked?
Last week, Malwarebytes reported that many Instagram users had received password reset emails, and, at the same time, a data set allegedly containing more than 17 million users' data went up for sale on the dark web. The data includes usernames, real names, partial locations, and email addresses. Malwarebytes initially believed that the two events happening so close together meant that Instagram had been breached, but it would appear that the data set is older and likely contains out-of-date information. Instagram has also denied any data breach and said that it had "fixed an issue that let an external party request password reset emails for some people." Check out the full blog post at Malwarebytes.
The Bottom Line: While it appears your Instagram account information should be safe, it never hurts to update your password. You should also enable two-factor authentication for your Instagram account, which can be done by tapping your profile icon, tapping the hamburger menu icon (it looks like three horizontal lines), selecting Accounts Center, and tapping Password and Security. Then, just tap Two-factor Authentication and follow the on-screen prompts. The process is similar to enabling 2FA for your Facebook account.
New Phishing Campaign Uses QR Codes
The FBI is warning against a spear-phishing campaign involving QR codes, in which an unsuspecting victim scans a QR code with their phone and inadvertently gives threat actors access to their devices or accounts. It is believed that North Korea is behind this campaign, which is targeting "think tanks, academic institutions, and both U.S. and foreign government entities." The FBI identified multiple incidents throughout May and June, in which individuals with access to sensitive work positions received job offers and other emails from fake recruiters. Some messages contained QR codes with prompts to scan them, which would result in the victim being directed to malicious websites. Check out the full story at The Hacker News.
The Bottom Line: While this campaign likely isn't aimed at the average everyday citizen, it doesn't hurt to stay vigilant. Practice caution when considering whether to scan a QR code with your iPhone. If you receive an email or text with a QR code, always verify the sender before scanning.
India Introduces New Cryptocurrency Regulations
India is attempting to combat money laundering by introducing new guidelines on cryptocurrency. Under these new regulations, cryptocurrency exchanges will need to register with India's Financial Intelligence Unit to operate in the country. Additionally, cryptocurrency exchanges will be required to report suspicious activity and verify clients before completing transactions. For more on these new regulations, check out the full story at The Hindu.
The Bottom Line: Cryptocurrency is one of the most common targets of scammers, so more regulation is certainly welcome. Hopefully, we can see more regulation in other countries as well.
Scammer Outs Himself By Bragging on Social Media
A scammer known as Haby made quite a name for himself by stealing more than $2 million in cryptocurrency from Coinbase users. Haby made his fortune by impersonating Coinbase customer support, contacting users, and convincing them to transfer their cryptocurrency to his wallet under the guise of securing their accounts. It would seem that that wasn't enough for Haby, as he then proceeded to brag across every social media platform about all the money he was making and how he was doing it. An independent investigator known as ZachXBT on X/Twitter exposed Haby, and the scammer has since wiped his social media accounts. Read more at Rude Vulture or check out ZachXBT's Twitter thread.
The Bottom Line: Unfortunately, despite ZachXBT exposing Haby as a Canadian citizen, Canadian law enforcement has yet to take action against the scammer. Still, if you're going to commit crimes, it's probably smart not to post about them on social media.
Everything you need to know about Apple's latest software updates.
- The most recent iOS and iPadOS is 26.2
- The most recent macOS is 26.2
- The most recent tvOS is 26.2
- The most recent watchOS is 26.2
- The most recent visionOS is 26.2
Read about the latest updates from Apple.
The correct answer is 5: Go to Settings > General > Transfer or Reset iPhone > Erase All Content and Settings. All information on your iPhone's memory is encrypted. When you issue an Erase All command, whether in settings or remotely using Find My, the system permanently erases the keys to the encryption. This immediately makes the information stored on the iPhone unreadable. A digital forensics expert could still probably recover the data, eventually, by cracking the encryption, but for all practical purposes, this is about as good as you're going to do. Regarding the other answers: Apple recommends erasing a device before returning it to them. Most iPhones are water-resistant, so dropping your phone in a bucket of water probably won't hurt it. Smashing it with a hammer actually won't stop a forensics expert from recovering data from the device's memory, but it will stop Apple from giving you a good value on your used-device buyback. The microwave is not a good option! That could start a fire. Don't do that!
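To show why destroying the key is what makes Erase All work, here is an added toy model (not Apple's code): the "flash" keeps only ciphertext, the data key lives in a separate slot that erase_all() overwrites, and an HMAC-based stream cipher stands in for the hardware AES engine; the stored secret is a constructed sample.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream from HMAC-SHA256 (stand-in for the device's AES engine).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

class ToyDevice:
    def __init__(self) -> None:
        self.key_slot = os.urandom(32)  # the erasable data key; never written to flash
        self.flash = {}                 # name -> nonce || ciphertext || tag

    def write(self, name: str, plaintext: bytes) -> None:
        nonce = os.urandom(16)
        stream = _keystream(self.key_slot, nonce, len(plaintext))
        body = bytes(a ^ b for a, b in zip(plaintext, stream))
        tag = hmac.new(self.key_slot, nonce + body, hashlib.sha256).digest()
        self.flash[name] = nonce + body + tag

    def read(self, name: str) -> bytes:
        blob = self.flash[name]
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.key_slot, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrong or erased key: contents unreadable")
        stream = _keystream(self.key_slot, nonce, len(body))
        return bytes(a ^ b for a, b in zip(body, stream))

    def erase_all(self) -> None:
        # Crypto erase: only the key slot is overwritten; the flash contents stay put.
        self.key_slot = bytes(32)

def demo() -> tuple:
    dev = ToyDevice()
    secret = b"constructed sample: passport number 123"  # constructed test data
    dev.write("notes", secret)
    readable_before = dev.read("notes") == secret
    dev.erase_all()
    try:
        dev.read("notes")
        readable_after = True
    except ValueError:
        readable_after = False
    return readable_before, readable_after, "notes" in dev.flash
```

After erase_all() the ciphertext is still physically present (the last value is True), which is the same reason a hammer does not help: what protects the data is that the key is gone.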
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.