- Your Security Checklist
- Test Your Security Skills
- Your Weekly Security Update
- This Should Be on Your Radar
- Security Fail of the Week
- Security Updates from Apple
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Enable RCS messaging. If you haven't already, you should enable RCS messaging on your iPhone. RCS messaging is a way of texting non-iPhone users that does not rely on SMS, and, now, with iOS 26.5, supports E2E encryption.
- Block spam texts when you receive them. Scammers will often text from iMessage accounts using generic email addresses. You can report these as spam and block them.
- Only share passwords through the Passwords app. You can securely share passwords with friends and family as long as you both use the same password manager. Here's how to share passwords through the Passwords app.
What should you do in the following scenario?
You receive a text from an unknown number asking you to confirm dinner plans, even though you don't have any upcoming dinner plans. What should you do?
- A. Text back to let them know they have the wrong number.
- B. Report the text as spam and delete it.
- C. Play along and see where it goes. Maybe you can make a new friend.
- D. Reach out to your friends to make sure you didn't forget about getting dinner with one of them.
Scroll to the bottom to see how you did!
Canvas is an online education platform used for turning in assignments, taking exams, communicating between students and teachers, and more. Now, Canvas has been hacked by the hacking group ShinyHunters. Over 8,000 schools, from grade school to university, use Canvas and have been affected by this breach, which includes course names, email addresses, and private messages. According to Instructure, the parent company of Canvas, user credentials were not exposed. After taking the site offline, ShinyHunters threatened to leak the stolen data if Instructure did not pay a ransom. Since then, Canvas announced that it has come to an "agreement" with ShinyHunters to return the stolen data and end any further threats. This most likely means that the company paid the ransom.
The Bottom Line: Data breaches are out of our control, so the only thing we can do is take the precautions necessary to mitigate the potential damage. Use a password manager to generate unique passwords so that one account being breached doesn't put all your accounts at risk. You can also freeze your credit to protect your identity. This particular breach highlights the danger of relying on a single platform for everything. Since the majority of schools across the US rely on Canvas, its failure meant that students at all of these schools not only could not access or complete coursework, but also had their data stolen.
Apple Releases iOS 26.5
Apple released iOS 26.5, its latest iPhone software update, this week. In addition to the array of security vulnerabilities that were patched, the update also introduces encrypted RCS messages. RCS messaging is a texting protocol that is more secure than SMS and allows for more features like typing indicators, read receipts, emoji reactions, and much more. Now, with this update, RCS is brought up to par with iMessage by enabling end-to-end encryption with supported carriers. The encryption feature is still in beta testing, meaning it may require some refinement, and it's being rolled out gradually. Read more about what's new in this update at MacRumors.
The Bottom Line: After installing iOS 26.5, users in many networks should be able to text their non-iPhone-using friends with full E2E encryption. This prevents your messages from being intercepted or read by anyone else. You can check whether this is available on your network and in your region by going to Settings > Apps > Messages > RCS and looking for the End-to-End Encryption (Beta) toggle.
Flock Caught Surveilling Community Spaces
Our "favorite" surveillance company, Flock, recently demonstrated how much it can see by using footage collected from various locales across the city of Dunwoody, Georgia, including a children's gymnastics room, a playground, a school, a Jewish community center, and a pool, in sales presentations to potential customers. To be clear, the company was surveilling these locations casually, repeatedly, for its own benefit, and without the knowledge or consent of the customers who had paid to have the cameras installed there. Citizens have voiced their concerns over Flock's ability to access cameras in these areas, many of which are populated almost exclusively by children. However, the company claims the demonstration was only part of a sales pitch and that it does not use its cameras to spy on children. Despite the concerns, Dunwoody has decided to continue working with Flock. Head over to 404 Media for more details.
In other Flock news, a report from the Institute of Justice highlights 16 cases where police officers have used Flock surveillance cameras to stalk spouses, exes, and even women that they've never met but have taken an interest in. These cases occurred in cities across the country, and most of them were discovered by the victims themselves rather than by Flock's own internal investigations. Read more at Futurism or check out the Institute of Justice's report.
The Bottom Line: Flock is a surveillance system that can easily be abused since it does not require police to present a warrant to access its license plate readers. If Flock cameras pop up in your city, all you can really do is voice your concerns to local representatives. You can also check to see if your area has Flock cameras at deflock.org.
Therapy App Training AI on Client Data
Talkspace is a virtual therapy app where users can connect with a therapist over video call or text. According to a new report from Proof News, the app records and saves a transcript of every conversation a user has with their therapist, and the company currently has access to millions of messages between users. The goal, according to Talkspace's CEO, is to use this data to train an AI chatbot. This new AI chatbot, which is supposed to launch later this year, is not meant to replace therapists but to be used alongside them. Proof News has the full report.
The Bottom Line: Using virtual therapy apps like Talkspace comes with risks to your privacy. If you plan on using a therapy app, take the time to research how the company uses your data before connecting with a therapist. At this time, we would not recommend Talkspace. AI training data is unlikely to be protected by doctor-patient privilege.
How Espionage Agencies Track Phones
Researchers at The Citizen Lab identified mobile networks affected by advanced spyware that tracks the physical location of cellphones. Some of these campaigns involve using 3G and 4G signals to track a user's location or using specially formatted SMS messages to hijack a user's SIM card. These vulnerabilities have apparently existed and have been exploited for years without detection. Check out the full technical breakdown at The Citizen Lab.
The Bottom Line: Beyond removing the SIM card or placing your device in a Faraday bag (both extreme steps to take), there is not much that you as the end user can do to combat an attack like this, as it relies on exploiting cellular infrastructure. Thankfully, this is a very high-level exploit that is likely only being used against high-value targets. The average citizen likely does not need to be concerned about these vulnerabilities.
Web Hosting Control Panel Compromised
Many websites rely on the web-hosting interface cPanel, which has recently disclosed a security vulnerability that allowed malicious actors to gain administrative access to websites. The company was aware of the vulnerability as early as February of this year. It is possible that many websites have already been affected. Webhosting.today has a full write-up about the exploit. You can also check out cPanel's Security Update for more details.
The Bottom Line: If you do not own or operate a website, there's nothing you need to do. However, if you are a cPanel user, your servers need to be updated immediately to patch the vulnerability. Servers that did not have specific firewalls set up prior to February could be compromised regardless of whether or not they are updated and should be migrated to a clean server. The webhosting.today article linked above has more information on what to do if your servers are affected.
Google Play Store Allows Stalkerware Apps
An app being sold on the Google Play Store called Cerberus can be used to spy on phone owners. Cerberus is advertised as an anti-theft app: It is able to snap photos from the camera, capture audio from the microphone, send its GPS location, monitor call logs and SMS messages, and much more, all without the phone's owner being aware. These features make it ripe for abuse as stalkerware. In addition to Cerberus, the app's developer also sells other apps with similar functions, advertising them as parental controls or safety apps. Read more at Hexproof.
The Bottom Line: For now, these apps only affect Android users, since they are not available on the iOS App Store. If you have an Android phone, Hexproof offers instructions on how to find and delete the apps from your device. You can check for them in the app list in your phone's settings by looking for "Cerberus Anti-theft," "System Framework," and "Lock Screen Protector."
Utah Moves to Ban VPN Use
Like many other states, Utah has implemented age verification requirements for websites. However, unlike other states, Utah is also attempting to prevent its citizens from using VPNs to get around age verification. A VPN allows you to disguise your location, so users could trick websites into thinking they are located outside of Utah and, therefore, do not need to verify their age. Utah's law requires websites to ask for the age of users who are physically located in the state, even if they are using a VPN. This places the liability on websites, even though it is not possible to conclusively recognize when someone is using a VPN to disguise their location. Read more at the Electronic Frontier Foundation.
The Bottom Line: Age verification laws are spreading to many states throughout the US and have even been passed in countries like the UK and Australia. Be sure to stay informed and voice any concerns to your representatives. The thoughts and opinions of citizens can affect these types of laws.
Google Chrome Installs AI Without User Permission
In the latest version of Google Chrome, the browser now installs a 4 GB AI model onto your computer called Gemini Nano. Chrome won't ask for your permission to do this and doesn't tell you that it's doing it either. Gemini Nano cannot be deleted, as Chrome will simply reinstall it if the user manually deletes the files. Read more at That Privacy Guy.
The Bottom Line: 4 GB isn't a huge amount of space, unless you're using a MacBook Neo or Chromebook (both machines with very little storage capacity), in which case, those 4 GB may be very valuable to you. In any case, we don't recommend using Google Chrome. Mozilla Firefox and Safari are great web browsers that won't force you to install AI, though they both have optional AI features.
White House Email Ordering Staff to Stop Leaking Is Leaked
Every presidential administration has issues with leaks, and the Trump administration is no exception. Presidential orders, memos, emails, and more have all leaked, prompting White House Chief of Staff Susie Wiles to issue a warning to all staff that they need to stop leaking information to the press, as it can "result in significant disruption to ongoing operations and can potentially endanger missions and activities of national significance." Unfortunately for Wiles, that email itself has now been leaked to the press. Read more at The Independent.
The Bottom Line: The personal security of one individual is only as good as the security of the people they surround themselves with. If you are concerned about your digital security, it may be worthwhile to talk to your close friends and family about their own security practices to ensure you are all on the same page.
- The most recent iOS and iPadOS is 26.5
- The most recent macOS is 26.5
- The most recent tvOS is 26.5
- The most recent watchOS is 26.5
- The most recent visionOS is 26.5
Read about the latest updates from Apple.
The correct answer is B. Report the text as spam and delete it. While it's possible this person did indeed text the wrong number, there is a common scam tactic known as the wrong-number scam. Scammers text you pretending that they meant to text someone else. When you respond, the scammer will often try to strike up a conversation with you and build a friendship, which will eventually lead to them asking for money. Even just responding once to let them know they have the wrong number lets the scammer know that your phone number is active, and they can try other scam tactics on you if this one fails.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.

