- Your Security Checklist
- Test Your Security Skills
- Your Weekly Security Update
- This Should Be on Your Radar
- Security Fail of the Week
- Security Updates from Apple
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Set up an authenticator app for 2FA. When you use two-factor authentication, you can use an app, like the Passwords app, as your second form of authentication.
- Double-check the sender of suspicious emails. Email scams are more common than ever, and sometimes they can be a bit hard to identify. There are a few telltale signs to look out for when identifying a scam email.
- Turn off App Tracking. When opening an app for the first time, you might be asked to allow the app to track you. You can turn off App Tracking entirely in Settings.
What should you do in the following scenario?
You receive a phone call from an unknown number, and when you answer, you recognize the voice. Maybe it's a spouse, a kid, a grandkid, or your best friend. They tell you that they've been in a car accident and need some money to pay hospital bills. They give you a bank account number to wire the money to. What do you do?
- Send the money; it sounds like they need it.
- Hang up and call the police.
- Drive to the hospital to pay in person.
- Hang up and call their phone number.
Scroll to the bottom to see how you did!
Artificial intelligence has made scammers' jobs much easier. One of the most common scams going around today involves calling the victim and using AI to impersonate the voice of a friend or family member. The scammer, using the AI voice, will usually explain that they are in some kind of trouble, such as being in the hospital or jail, and that they urgently need money.
A woman in California experienced a version of this scam in which she received a call from a stranger who claimed they were with the Mexican cartel and had kidnapped her daughter. As proof, they played a recording of the daughter's voice begging her mom to comply. The woman then wired thousands of dollars to the person on the other end of the phone call. It was only later that she called her daughter directly and realized she had been scammed. Check out the full story at ABC News.
The Bottom Line: If you receive a phone call from a panicked friend or family member asking for money, the best thing you can do is stay calm and call your loved one at a number that you trust to find out if they are really in danger or not. If they don't answer, try reaching out to someone who might know where they are, like a close friend or another family member. If the person claiming to be your loved one gave a specific location, like the hospital or jail, you can also try calling the hospital itself or your local police department's non-emergency line. Never send money to strangers over the phone without first verifying they are who they say they are.
Linux Could Be Exempt from Age Verification Law
A few weeks back, we reported on a potential California law that would require operating systems to verify user ages at setup. Lawmakers are now looking to amend that bill to specify "operating system providers." The rationale is that, unlike Windows and macOS, which are controlled by Microsoft and Apple, respectively, Linux is not maintained by a central entity. Linux is an open-source operating system, which means it can be modified, repackaged, and distributed by independent developers, who almost always work in a completely voluntary capacity and do not have the resources to verify every user's age. By narrowing the definition of "operating system provider," the bill's new language will exempt certain builds of Linux from the age-verification law. Read more at Tom's Hardware.
The Bottom Line: Linux takes a bit more effort to set up than Windows or macOS, but if you live in California and age verification is a concern for you, it may be the best option available to you.
Discord Now Encrypting Voice & Video Calls
We've talked about Discord a few times in past newsletters. It's an online social platform primarily used by gamers to chat while playing video games together. The company is known for handing over chat logs to law enforcement and recently implemented age verification, requiring users to scan their IDs or their faces. So it's a somewhat surprising turn of events that Discord now encrypts voice and video calls. End-to-end encryption means that calls placed over Discord cannot be accessed by third parties or even Discord itself. Despite this huge leap toward improved privacy, Discord says it has no plans to encrypt text messages. Check out Discord's blog post for more information.
The Bottom Line: If you're a Discord user, you don't need to do anything special to enable end-to-end encryption. There's no way to opt in or opt out; Discord's new encryption protocol is the new default.
School Buses Could Soon Be Equipped with ALPRs
Automated license plate readers (ALPRs) are becoming a regular topic of this newsletter. If you've been reading Security Friday for a while now, you probably know that ALPRs are essentially cameras that capture the license plates of every vehicle that passes by and record them to a database. ALPR companies are privately run and are often happy to provide law enforcement agencies access to their databases with no need for a warrant. That means law enforcement operatives can track anybody they want, whether it's the suspect of a crime or a former romantic partner. Flock is probably the most notorious ALPR company, but a new company called BusPatrol is giving them a run for their money.
BusPatrol originally installed AI-powered cameras on more than 40,000 school buses to catch drivers who were illegally passing stopped buses. Now, the company wants to turn those cameras into ALPRs, which would effectively turn school buses equipped with them into traveling surveillance drones. This could mean that any school bus you drive past would record your movements and track your location without your knowledge or consent. Read the full story at 404 Media.
The Bottom Line: We always recommend staying informed about local legislation and making sure you voice your concerns. In some jurisdictions, the thoughts and opinions of citizens can affect local, state, and federal laws.
7-Eleven Hit by Data Breach
Convenience store 7-Eleven has been hit by a data breach affecting over 185,000 people. The exposed data includes names, phone numbers, email addresses, physical addresses, and possibly social security numbers. The hacking group ShinyHunters has claimed responsibility for the cyberattack and threatened to release the stolen data if 7-Eleven does not pay a ransom. Head over to Bleeping Computer for more details.
The Bottom Line: 7-Eleven has begun notifying customers, so if you are affected by this data breach, you will likely hear from the company soon. In the meantime, we always recommend keeping your credit frozen so that if your identity is exposed in a data breach, it cannot be stolen.
How Wi-Fi Signals Can Map Your Home
German researchers have found a new way to transform Wi-Fi routers into surveillance systems. In the same way that cameras use light waves to see into rooms, the radio waves emitted by Wi-Fi routers can be used to visualize the area around them and the people in it. This technology is not exactly new, but what is new is that the researchers have found a way to obtain beamforming feedback information (BFI) from routers without any specialized equipment. BFI is transmitted from Wi-Fi routers unencrypted to any nearby wireless device, whether it's connected to the network or not. Read more at ScienceDaily.
The Bottom Line: While this might sound alarming at first, it is something that will only work for specific use cases. It is unlikely that a hacker capable of using this technology will stand around outside your house trying to map the inside of it.
Trump Mobile Leaks Customer Data
Almost a year ago, President Trump unveiled a new cellular provider called Trump Mobile. At the time, we were especially skeptical about the privacy and security of the new cell carrier. The iPhone and your Apple Account are only secure because Apple has had decades to build the security of their devices and services, and a tech startup like Trump Mobile coming around so suddenly was bound to have issues. Turns out, we were right to be skeptical. This past week, the company confirmed that Trump Mobile customers' data had been leaked. The exposed information includes names, email addresses, mailing addresses, and cell numbers. Read more at TechCrunch.
The Bottom Line: Privacy and security are difficult to get right, especially for tech startups making extraordinary promises. Always approach new tech companies with caution and take what they claim with a grain of salt.
Tech Manufacturer Hit by Ransomware
Foxconn, a major tech manufacturer, is the latest victim of a ransomware hack. Foxconn provides manufacturing services for many major tech companies like Apple, Nvidia, Google, and Dell. The company was targeted by the Nitrogen group, a relatively new hacking group, which claims to have stolen 8 terabytes of data, including design schematics. Nitrogen appears to have used a ransomware called "Conti 2," which, rather than actually stealing the data, encrypts it. The idea is that Nitrogen would have the decryption key and would only turn it over to Foxconn once it paid the ransom. I say "would" because the developers of Conti 2 made a mistake in how the encryption functions, and operators of that ransomware are unable to provide a decryption key. If this is still true, it means even if Foxconn pays the ransom, they won't get their files back. Read the full story at Wired.
The Bottom Line: The epidemic of ransomware cases is ongoing. For us regular consumers, it's a constant drumbeat of reminders to use a password manager, employ passkeys or other phishing-resistant multi-factor authentication, and take our digital security seriously.
Media Company Fined for Not Being Able to Spy on Customers
Cox Media Group and two associated marketing firms are being fined $1 million for deceiving their customers. Cox once claimed that it had technology called Active Listening that could listen into private conversations through smartphones and other devices and serve ads based on what was said. It's the type of thing smartphone users have been paranoid about since Facebook and Instagram started serving ads. Cox sold Active Listening to its customers for years. Except that the technology doesn't exist, and never did. Now the Federal Trade Commission is fining the company for the deception. Check out the full story at Wired.
The Bottom Line: As far as we know, your iPhone isn't actually listening to your private conversations and serving you ads. The technology that Cox was selling was never real.
- The most recent iOS and iPadOS is 26.5
- The most recent macOS is 26.5
- The most recent tvOS is 26.5
- The most recent watchOS is 26.5
- The most recent visionOS is 26.5
Read about the latest updates from Apple.
The first thing you should do is D. Hang up and call their phone number. This scenario has all the hallmarks of an AI voice scam, like in today's top story. Scammers can clone a person's voice using AI and will use it to try to scam loved ones. Once you verify that your loved one is safe and sound, then you can call the police, though the scammer likely spoofed their phone number, so the police likely won't be able to track them down.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.

