- 🗒️✅ Your Security Checklist
- 🏆🎖️ Test Your Security Skills
- 📰 Your Weekly Security Update
- 🤨 This Should Be on Your Radar 📡
- 🙈 Security Fail of the Week 👎
- 🍎📱 Security Updates from Apple 🍎
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Double-check suspicious emails. When you receive scam emails, there are usually some telltale signs to be on the lookout for to help you identify whether the email is legitimate or not.
- Turn off app tracking on your iPhone. Apps will occasionally ask for permission to track your activity, but you can turn off app tracking and prevent apps from even asking in the first place.
- Spend some time reviewing what data you've shared with apps. In the Settings app, you can review what information you've opted to share with apps and people in your contacts and revoke access if needed.
What should you do in the following scenario?
You receive an email from an unfamiliar sender asking you to take a look at a document that is attached to the email. What should you do? 🤔
-
Open the attachment.
-
Download the attachment and scan it for viruses.
-
Reply to the email and ask for clarification.
-
Delete the email and report it as spam.
Scroll to the bottom to see how you did!
Earlier this year, Apple and Google announced a partnership to enhance Apple Intelligence using Google's large language model, Gemini. This week, Google confirmed that not only will Gemini be used for Apple Intelligence, it will also be used to power a new, smarter Siri later this year. Beyond that, we don't have many details on how this partnership will work and if Apple will be able to continue guaranteeing privacy to its users. When Google first announced its partnership with Apple, it promised to maintain Apple's privacy standards by keeping Apple Intelligence running on-device and through Private Cloud Compute. You can read more at MacRumors.
The Bottom Line: Currently, ChatGPT can be used in tandem with Siri and Apple Intelligence, which is slightly more private than using the ChatGPT app. Whenever you send requests to ChatGPT through Apple Intelligence, identifying account details are withheld, and only the relevant details of your request are shared with OpenAI. We're hopeful that Apple and Google have worked out some way to preserve user privacy when using Gemini alongside Apple Intelligence.
EU Age Verification App Hacked
The EU has released its age-verification app, which will allow users to verify their ages at a system level and prevent underage users from accessing adult content. Despite European Commission President Ursula von der Leyen claiming that the app has the "highest privacy standards in the world," a security consultant managed to hack the app in less than 2 minutes. Ordinarily, the app requires a PIN to access saved credentials, but the researcher was able to bypass the PIN and access the ID that the user uploaded to verify their age, as well as any information associated with that ID. You can find out more about how the hack works at SOFX.
The Bottom Line: It's not incredibly surprising that someone has found a way to hack the EU's age verification app so quickly. The app was developed on a short timeline, and it is not uncommon for brand-new apps to have weak security. That's why you shouldn't rush to adopt the latest apps. It's better to wait a bit for any serious bugs to be ironed out. This is especially true when an app is dealing with something as sensitive as age verification.
AI Used to Hack Mexican Government
According to a report from Gambit Security, a single hacker was able to breach nine Mexican government agencies using two AI tools, Claude and ChatGPT. The hacker used thousands of custom scripts, many of which were AI-generated, and used the AI assistants to remotely execute them. Claude and ChatGPT allowed the hacker to work faster than normal and find exploits quicker than if they had acted on their own. You can read the full report on Gambit Security's website.
The Bottom Line: While AI is allowing experienced hackers to work faster, the methods and code they use for hacking remain the same. The best way to protect yourself against hackers is by using a password manager and a privacy-protecting browser, while also staying vigilant of phishing attempts and scams.
US Could Require OSes to Verify Users' Ages
As age verification laws become more commonplace around the world, the US is contemplating requiring operating systems like Windows, macOS, and Linux to verify users' ages when creating a user account at setup. The bill would also require the OSes to allow apps and websites to check users’ age data before they can access apps or websites’ content. You can read more about the proposed bill at PC Gamer.
The Bottom Line: Age verification continues to be a complicated nut to crack. Apple seems to have found a secure method of verifying its users' ages in the EU, so it is possible to implement age verification without compromising privacy.
Microsoft Excel Bug from 2007 Resurfaces
The Cybersecurity and Infrastructure Security Agency (CISA) warned that a critical security flaw that has been plaguing Microsoft Excel for the past 17 years is now actively being exploited. An attacker can take advantage of this vulnerability by tricking the victim into opening a maliciously crafted Excel spreadsheet. From there, the attacker can take control of the victim's computer. Thankfully, this bug only affects versions of Microsoft Excel from 2008 and earlier. Head over to The Register for more details.
The Bottom Line: This bug only affects Excel 2007, so unless your version of Office is impressively ancient, you’re safe from this specific bug. It’s still a good reminder to handle email attachments with caution, especially from unknown senders.
To the Surprise of No One, Google & Others Ignore Cookie Rejection Requests
We're all pretty used to clicking a button to reject or accept cookies. Turns out, that doesn't always matter, according to an independent audit. Specifically, Google, Microsoft, and Meta appear to ignore when users opt to reject cookies and send ad cookies anyway. All three of these companies will likely face fines for this violation of privacy laws, but we wouldn't be surprised if they continue collecting our data and tracking us anyway. 404 Media has more information on the audit.
The Bottom Line: You can protect your privacy from companies that ignore cookie rejection requests by using privacy-preserving web browsers like Safari, DuckDuckGo, and Firefox. You should also use an ad-blocking extension like uBlock Origin or Ghostery. If you use Safari and subscribe to iCloud+, you can also enable iCloud Private Relay.
Vercel the Latest Victim of a Data Breach
Hacking group ShinyHunters has been busy lately. Its most recent victim is Vercel, a cloud app-hosting service. The breach began when an employee at Vercel downloaded a seemingly random app from a service called Context AI. Turns out this app was malicious and was already controlled by the hackers. The employee authorized the app to access their company Google account, which allowed the hackers to completely take over the account and infiltrate Vercel's internal systems. Context AI and Vercel have both begun informing customers of the breach with next steps. Read more at TechCrunch.
The Bottom Line: Letting apps access sensitive data, like a corporate Google account, must be done with care. Apps from reputable developers are one thing, apps from obscure app stores and obscure developers are much more risky. Always be cautious about the apps that you install and even more so about what you authorize them to do. Once a hacker gains a foothold, they can work quickly to spread to other systems.
Journalist Tracks Warship Using Bluetooth Tracker
A Dutch warship had its location compromised after a journalist hid a Bluetooth tracker inside an electronic greeting card and mailed it to the ship. The journalist was able to track the ship for a day before the tracker was discovered. The Dutch Navy is now banning electronic greeting cards in response. Check out the full story at Tom's Hardware.
The Bottom Line: Bluetooth trackers like AirTags are tracked by pinging off nearby devices, which means the journalist was only able to track the ship's location because there were already iPhones and Android devices onboard, which could be tracked just as easily by determined hackers. While this story is definitely concerning, it's not quite as sensational as the headline would have you believe. Most smartphones are also capable of detecting nearby AirTags and other Bluetooth trackers, so if you ever get a notification that an AirTag is detected as traveling with you, be sure to stop and locate it right away.
McGraw Hill Hacked by ShinyHunters
In yet another ShinyHunters-related breach, the hacking group has stolen the data of over 13 million users of McGraw Hill, a company that provides educational materials and resources for students of all ages, to both public and private institutions. ShinyHunters has already leaked the stolen data, which includes names, physical and email addresses, and phone numbers. While the company has confirmed the data breach, it has not yet notified customers of their leaked data. Bleeping Computer has the full story.
The Bottom Line: McGraw Hill should eventually begin reaching out to affected customers with next steps. As with every data breach, we would advise freezing your credit to protect any exposed personal identifiable information and using a password manager to defend yourself against future data breaches.
Microsoft Recall Has Been Cracked Again
Last year, Microsoft introduced Recall, an AI-powered tool on Windows 11 that captures screenshots of the user's screen every few seconds and creates a searchable timeline, allowing users to easily go back and review their history at any time. The intention of the feature was to give you an easy way to find any information you forgot while using your computer. However, to us, allowing your entire screen to be screenshot and saved to your computer sounded like a huge security and privacy risk. Recall is supposed to censor sensitive information like passwords and credit card numbers, but it doesn't always succeed. Microsoft insists that Recall is secure, since the screenshots it captures are encrypted and can only be accessed by entering the user's unique PIN.
But a developer has created a tool called TotalRecall, which would let an attacker easily bypass the PIN requirement and encryption to access the screenshots captured by Recall—giving the attacker access to screenshots of everything you’ve done on the computer, which could reveal passwords, bank accounts, etc. Despite evidence to the contrary, Microsoft insists that there is no bug and the TotalRecall tool's behavior is normal, which means there won't be any patches to block TotalRecall. Read more at Ars Technica.
The Bottom Line: Despite Microsoft's assurances, we still do not recommend enabling Recall if you have Windows 11. The risks far outweigh the benefits. Even if it doesn’t capture passwords or credit card numbers, it could still capture other private details like chat messages or private browsing sessions, and any screenshots could be vulnerable to applications like TotalRecall.
- The most recent iOS and iPadOS is 26.4.2
- The most recent macOS is 26.4.1
- The most recent tvOS is 26.4
- The most recent watchOS is 26.4
- The most recent visionOS is 26.4
Apple pushed an update to prevent notifications from being accessible after they've been cleared, as seen in last week's story about the FBI accessing Signal notifications. Read about the latest updates from Apple.
In most cases, the answer is going to be D. Delete the email and report it as spam. If you were not expecting an email from anyone with any type of document attached, it is likely an attempt to trick you into opening a malicious file.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.
Worried about viruses infecting your iPhone? Check out:
|
