- Your Security Checklist
- Test Your Security Skills
- Your Weekly Security Update
- This Should Be on Your Radar
- Security Fail of the Week
- Security Updates from Apple
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Use an alphanumeric password for maximum security. An alphanumeric passcode is much more difficult to guess than a 4- or 6-digit passcode, since you can include both letters and numbers, and it can be as long or as short as you want it.
- Remove your location from photos before sharing. If you have location services enabled for the Camera app, every photo you take will also record the location where it was captured. You could inadvertently share your current location if you don't remove it from photos before sharing.
- Lock your private tabs with Face ID. Private browsing in Safari does not track browsing history or keep any other browsing data. You can enable Face ID to ensure no one else can access your private browsing tabs.
What should you do in the following scenario?
You've been searching the web for a solution to an audio issue you've been experiencing on your MacBook. You find a post from a tech blogger who suggests opening the Terminal app and entering a specific command. What do you do?
- Enter the command. It's probably safe since it's coming from a tech blogger.
- Research what kind of effect this command will have.
- Look for another solution that doesn't involve the Terminal.
- Contact the blogger for further assistance.
Scroll to the bottom to see how you did!
The M5 is Apple's most secure chip, thanks to a new system called Memory Integrity Enforcement. Without getting into the full technical breakdown, it essentially means MacBook security is protected at a hardware level, making it more difficult for malware to infect the device. However, security researchers using Anthropic AI have discovered an exploit that can provide an attacker with root access to M5 MacBooks. It works by running a specific command in the macOS Terminal, either by convincing the user to enter the command themselves or by tricking them into downloading a malicious file that runs the command upon opening. Read more at Tom's Hardware.
The Bottom Line: The Terminal app on macOS is very powerful, and commands entered there can make drastic changes to the operating system. You should never enter commands into the Terminal without knowing exactly what the outcome will be. Additionally, stay aware of any files you download, and double-check what type of files they are before opening them (be cautious when opening files that end in .iso, .dmg, .pkg, .docm, or .xlsm).
This story also highlights the changing landscape of cybersecurity. Vulnerabilities that previously would have taken researchers months or even years to locate can now be uncovered by powerful AI tools in a matter of days. Though it's worth noting that Anthropic's AI tools are not everyday-use types of tools, like ChatGPT. The researchers who discovered this vulnerability still invested a significant amount of time and money into finding it so that the public can be aware of its existence and defend against it.
New York Town Shocked by Arrival of Flock Cameras
Another city is experiencing an invasion of Flock cameras: this time it's Troy, NY. Concerned citizens discovered that the cameras had started popping up all over town and brought it to the attention of Troy's city council, who were unaware of the city's contract with Flock. However, despite calls to remove the cameras, Troy's mayor Carmella Mantello insists that the cameras will be staying up. Read the full story at the Washington Post.
The Bottom Line: In some jurisdictions, voicing your concerns to your local representatives can result in changes to legislation. In Troy's case, it does not sound like the town's government is interested in hearing the thoughts and opinions of its citizens.
Canada Considers Mandating Backdoor Access to Encrypted User Data
Signal, Apple, and Meta have raised concerns about Canada's Bill C-22, which would compel them to implement backdoors into encrypted user data. Signal, in particular, has threatened to pull out of Canada if the bill were to pass. Signal retains very little data about its users, and user messages are completely inaccessible, so a backdoor would force the company to abandon many of its privacy-preserving policies. Read more at Cyber Insider.
The Bottom Line: If you are a Canadian citizen and the prospect of this bill passing concerns you, you can voice your concerns to your local representative. We're hopeful that whatever happens, Signal will find a way to continue operating in Canada.
AI Recording Patient Interactions at Mayo Clinic
Since at least 2024, Mayo Clinic has been using something called Ambient Listening to record interactions between patients and nurses. The recorded audio is then processed by a third-party artificial intelligence to help with note-taking. The Ambient Listening documentation says that it may capture private information about your health, the reason for your visit, and whatever else might be said during your appointment. Check out the full story at 404 Media.
The Bottom Line: While it is possible for an AI tool like this to operate privately or strip private patient information from the data, it will never be 100% reliable. If you don't want your visit at Mayo Clinic to be recorded, you can opt out of Ambient Listening. All you have to do is ask your nurse to stop recording.
Microsoft Built Vulnerability into BitLocker
A security researcher has discovered a vulnerability in BitLocker, a Windows feature that encrypts disk drives. The vulnerability, called YellowKey, requires physical access to the BitLocker-protected machine and works by copying malicious files to the encrypted disk drive. Once the files have been copied, the computer can be rebooted into the Windows Recovery Environment, and the attacker can bypass the BitLocker encryption to access the disk drive. The researcher who discovered the vulnerability believes that it is a backdoor intentionally placed by Microsoft, as the key to triggering the exploit is found in the Windows Recovery Environment. Head over to TechSpot for more.
The Bottom Line: If YellowKey really is a backdoor created by Microsoft, it shows why backdoors into encryption are never a good idea. While governments often claim they need backdoors to stop criminals and terrorists, malicious actors can always find ways to exploit those backdoors. Thankfully, this vulnerability requires physical access to the device, so if you have a Windows computer, you likely don't have much to worry about.
Gemini Nano Can be Uninstalled
Last week, we reported that an update to Google Chrome had been installing Gemini Nano, a 4-GB AI tool, on users' devices, and that it couldn't be deleted. Thankfully, Google has added an option to turn off Gemini Nano. All you need to do is go into Chrome's settings and disable the "On-device AI" toggle. This will also prevent any future downloads or updates to Gemini Nano, and the tool will be uninstalled if your computer is low on storage. Read more at Wired.
The Bottom Line: If you don't want Google's Gemini Nano to be forcibly downloaded to your computer, you can now disable it. This is great for those who either do not want to use AI or who simply need to free up some storage space.
FBI Looking to Access ALPRs Across the Country
The FBI is planning to contract with an automated license plate reader (ALPR) vendor, such as Flock, to access cameras across the country. ALPRs scan and log every car that drives past them, and access to them would allow the FBI to track down nearly anyone it wants, all without a warrant. According to 404 Media, the agency is willing to pay up to $36 million for the contract.
The Bottom Line: Giving the FBI total access to Flock's network of ALPRs would permit them to ignore the judicial warrant process required by the 4th Amendment, and effectively surveil anyone who happens to live in an area where Flock cameras are installed. The only thing any of us can do is protest the installation of Flock and other ALPR cameras in our communities. You can also visit deflock.org to find out if the company has installed cameras in your city.
US Cybersecurity and Infrastructure Agency Leaks Password Databases
A security researcher recently discovered a public GitHub repository where a contractor working for the US Cybersecurity & Infrastructure Security Agency (CISA) was storing a vast array of confidential files. These files included digital keys, logs, backups, and, maybe worst of all, passwords stored in plaintext. Security experts are calling this the worst leak they've ever seen, all the more shocking because CISA is the agency supposedly responsible for overseeing cybersecurity for the USA's most critical infrastructure: from nuclear facilities to election systems. CISA has said that it is aware of the leak but does not believe that there has been any compromise as a result of the exposure. Read the full story at Krebs on Security.
The Bottom Line: While we can't know for sure how this happened, it seems likely that the owner of the GitHub repository did not intend for it to be publicly accessible. It's easy to accidentally share files that were never meant to be shared. For example, Google Docs has an option to publish a document to the web when sharing it with others, which makes it possible for anyone with the link to view it, and anyone with a link scanner to find it. It's possible that the contractor responsible for this leak made a similar mistake. When working with cloud-based storage, always make sure that your files are only accessible to you and those working on those files with you by only sharing with specific people, rather than via a public link.
Yet More npm Packages Compromised With Infostealer Malware
Many developers rely on a package manager called npm. In coding, a package is essentially a file containing bits of pre-written code that coders share amongst themselves to lighten the software-building burden. Security researchers have discovered that clones of Shai-Hulud, an infamous infostealer malware, have infiltrated npm, making many developers who rely on npm vulnerable. Infostealers can exfiltrate credentials, crypto wallets, and other private personal data. Check out OXsecurity for the full breakdown.
The Bottom Line: If you're a developer working with npm, you have more than likely already heard about this. Just be sure to verify packages downloaded through npm. If you're not a developer, there's nothing for you to worry about.
Hackers Accidentally Record Their Own Crimes
Twin hackers are going to prison after snitching on themselves. The pair were working for a company that developed software for the US government and were called into a Microsoft Teams meeting where they were both fired. During the firing, one of the brothers started recording the proceedings. The HR team left the meeting, but the brothers unintentionally stayed in the meeting without either of them realizing it... and the meeting kept recording. The recording captured the entirety of their next move, which was to hack their former employer. Their slip-up provided HR, and therefore government prosecutors, with a full verbatim transcript of the twins discussing their moves as they deleted 96 US government databases. Read the full transcript of the conversation between these two "geniuses" at Ars Technica.
The Bottom Line: We generally advise against committing cybercrimes, though, if you're going to, it's probably best not to record them.
- The most recent iOS and iPadOS is 26.5
- The most recent macOS is 26.5
- The most recent tvOS is 26.5
- The most recent watchOS is 26.5
- The most recent visionOS is 26.5
Read about the latest updates from Apple.
The ideal answer is C. Look for another solution that doesn't involve the Terminal. The Terminal is a powerful application, and malicious actors often use it to gain access to your device. You should never enter a command in the Terminal without knowing how it will affect your computer. If you're more tech savvy, B. Research what kind of effect this command will have can also be a good option if you understand how the Terminal works and what will happen when you enter the command.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.

