- Your Security Checklist
- Test Your Security Skills
- Your Weekly Security Update
- This Should Be on Your Radar
- Security Fail of the Week
- Security Updates from Apple
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Check what data apps collect from you. Before installing an app, scroll down and find the App Privacy section to check what data you are allowing the app to access.
- Create new passwords using a password manager. Your password manager can create secure passwords and keep track of them for you.
- Keep your email address private. The Hide My Email feature allows you to create dummy addresses that forward emails to your primary email address.
What should you do in the following scenario?
You click a link and suddenly regret it. You're not sure the link led to a malicious website, but something feels off: maybe the email was a little sketchy to begin with, maybe the page loaded in a really unusual way, or maybe something about the web page just feels wrong. What should you do?
- Do not engage with the website, close the tab, then run a malware scan.
- Do not engage with the website, close the tab, and empty browser history and cookies.
- Do not engage with the website, close the tab, and reboot your computer.
Scroll to the bottom to see how you did!
A new report from Gen (the parent company behind Norton, AVG, Avast, LifeLock, and other consumer-security products and companies) claims that almost a third of English-language advertisements on Facebook and Instagram in the UK and EU were malicious: either scams or pointing to malicious websites that would try to infect victims with malware. Check out the abbreviated report from Gen's blog, where the company's researchers offer some (sparse) details behind how they arrived at this conclusion. The researchers note that the only reason they were able to do this research at all was because of laws in the EU and UK that force Meta to make advertising data publicly available to researchers. The USA does not have similar laws, so while the rate of scams on Facebook ads here in the USA may be similar, the researchers can't study it, so we don't know.
The researchers found that a majority of these scams seem to stem from a small number of highly organized operations that create thousands of fraudulent webpages and swap them out for new ones at a high rate. This saturates Meta's fraud-detection system, which is reactive and can only take down a post when it has been reported. Producing huge numbers of scam accounts easily overcomes this system.
This report comes in the wake of reporting by the Wall Street Journal, which, based on documents from Meta, suggests that the company is aware of its many scam advertisers and chooses to charge extra for ads that it suspects may be fraudulent.
The Bottom Line: Continue to practice great caution when engaging with ads on Meta technologies: Facebook, Instagram, and Threads. These ads are saturated with scams. Likewise, continue to practice caution when engaging with private messages on Meta technologies, where moderation of scam activity does not keep up with the volume of fraudulent traffic. Consider adopting alternative social networking platforms such as Mastodon.
Photo Booth Service Exposes All Photos
A company called Curator Live, which sells photo booth services to weddings and leisure venues, has been exposing all its customers' photos in an unsecured database visible on the web. Security researchers notified the company, but it never fixed the issue. Photos of revelers at parties might be sensitive in certain contexts, but this really serves to highlight a common problem: Companies keep customer data around for longer than it's strictly necessary, then expose that data to theft. 404 Media has the full story.
The Bottom Line: In general, when you have personal data stored by a service provider, only leave it with the provider until the service is concluded. Using the photo booth photos as an example, once you've downloaded your copies from the company's website or app, make sure to delete the photos or ask for them to be removed. The same principle applies to services like a printing company: Once you've printed the materials, ask for any records of that transaction to be deleted, especially if what you were printing might be considered sensitive.
Private Cellular Provider Deletes Call Logs After 24 Hours
A new cellular provider with privacy as its goal has emerged. The company, Cape, claims that it wipes call data records (CDRs) every 24 hours. CDRs contain user call and text records, like the user's own phone number, as well as the number they contacted. Other carriers retain CDRs indefinitely, making them vulnerable to data leaks, like what happened to AT&T in 2024. After a single day, Cape deletes its CDRs. However, because the company operates on other carriers' cell towers, those carriers may still collect some user data. Find out more about Cape at 404 Media.
The Bottom Line: When you use a cell phone, it is nearly impossible to stay 100% private. There will always be third parties tracking you in some way, whether through apps installed on your device or through cell towers. Cape's strategy of deleting call records is certainly a step in the right direction, though, and we hope other cellular providers will follow in its footsteps.
ICE-Spotting Apps Breached
In the past few months, there has been a surge in ICE-spotting apps, apps designed for users to report sightings of ICE in order to help warn friends and neighbors who might be undocumented. Several of these apps have seemingly been breached, with users reporting that they have received notifications and texts from the apps saying that their data had been sent to law enforcement. At least one of these apps' developers has responded, claiming that his app, StopICE, doesn't store the information that the threatening notifications are claiming to have leaked. Read more at 404 Media.
The Bottom Line: Security is hard to get right, especially for independent app developers who collect a lot of user data, as we've seen with apps like the Tea app or TeaOnHer. The best way to avoid data leaks like this is to avoid sharing the data to begin with. No matter how reputable an app seems, always ask yourself what might happen if the data you're sending to the app is stolen. Stay away from new apps that are jumping on a fad.
Google Settles Lawsuit Alleging Its Voice Assistant Recorded User Conversations
Google is settling a $68 million class action lawsuit alleging that Google Assistant illegally recorded private conversations, similar to the lawsuit Apple faced last year regarding Siri. Google claims that its devices only record users' voices when they speak an activation phrase. However, the lawsuit claims otherwise, alleging that Google Assistant has recorded conversations about personal details, such as financial or employment information, and then shared these recordings with advertisers. Head over to CBS News for the full story.
The Bottom Line: If you are included in this lawsuit, you will likely receive an email or a letter soon with information on how you can submit a claim.
Notepad++ Update Servers Breached
Notepad++, a popular notepad application for Windows, was recently hijacked. State-sponsored hackers were able to redirect traffic from Notepad++'s update servers and serve users with malware. The update server was compromised from June to September of last year. Notepad++ has since switched hosting providers for updates and has bolstered the application's security. You can find more details at Notepad++.
The Bottom Line: If you use Notepad++, it is strongly recommended that you install the latest version of the app from the official website.
Multiple Companies Breached Including Hinge, OKCupid & Match
Hackers called ShinyHunters figured out a way to use a voice-cloning AI to bypass a common sign-in system used by many companies, and have gone on a spree hacking multiple victims, including Hinge, OKCupid, Match, Panera Bread, and others. Records stolen from dating apps have a particular sensitivity: they may be used to blackmail people whose dating history may be sensitive for various reasons. See the Malwarebytes blog for more.
The Bottom Line: If you've used any of these services, be on the lookout for a notification from the company. They should be notifying victims. Passwords were not the only things compromised in these attacks, but as always, using a password manager to produce unique passwords for every account will mitigate the compromise of one password.
Bug in Ransomware Corrupts Files
Ransomware group Nitrogen has run into a small problem. The way ransomware works is that malware is deployed, which encrypts the victim's file system, making it impossible for the victim to access their data, while the ransomware group has the decryption key. The group then offers to hand over the decryption key if the victim pays a large sum of money. However, a bug in the malware used by Nitrogen causes it to encrypt files with the incorrect decryption key. That means that not even the threat actor itself can decrypt the files, so anyone affected by the group's ransomware cannot regain access to any data that was stolen, even if the ransom is paid. Coveware has a more detailed write-up about the bug.
The Bottom Line: Ransomware groups cannot be trusted. There's no guarantee you'll get your files back even if the ransom is paid. And if you're dealing with incompetent coders, the ransomware hackers might not even be able to give you back your files in the first place.
Everything you need to know about Apple's latest software updates.
- The most recent iOS and iPadOS is 26.2.1
- The most recent macOS is 26.2
- The most recent tvOS is 26.2
- The most recent watchOS is 26.2.1
- The most recent visionOS is 26.2
Read about the latest updates from Apple. Apple has also updated its platform security documentation, explaining how all of Apple's products are secured from a technical standpoint.
The correct answer was probably 1: Don't engage with the website, close the tab, and run a malware scan. Malicious websites will try to trick you into downloading dangerous payloads: infostealers, ad-injectors, even ransomware. But on a Mac or iPhone, you'd have to actually download it most of the time, so simply not engaging with the website at all and closing the tab is your first line of defense. If you don't download anything, then you're most of the way there. It may occasionally be possible for malware to infect your web browser without your installing anything, so it is also a good idea to run a malware scan. As for the other two answers, clearing your browser cache isn't a terrible idea, and rebooting your computer can help with a lot of things, but it won't protect you from a malware infection or a browser-jacker attack.
Related: How to Get Rid of Fake Virus Alerts
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.

