- Your Security Checklist
- Test Your Security Skills
- Your Weekly Security Update
- This Should Be on Your Radar
- Security Fail of the Week
- Security Updates from Apple
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Try using DuckDuckGo. If you want a privacy-focused search engine, DuckDuckGo is a good alternative to Google. You can find nearly the same or better search results, all without worrying about your privacy.
- Monitor apps that use your camera and microphone. When you see green or orange dots in your iPhone's status bar or on the Dynamic Island, that means an app has recently accessed your camera or microphone.
- Turn off Face ID in a pinch. In the event that you find yourself in a situation where you might be compelled to unlock your iPhone using Face ID, you can temporarily disable it and require your passcode.
What should you do in the following scenario?
While out for a walk, you find a USB drive on the ground. What should you do with it?
- Take it home and plug it in. There could be information about the owner that can help you return it.
- Take it to the police or a nearby lost and found.
- Leave it. The owner will probably come back for it.
- Destroy it and throw it away.
Scroll to the bottom to see how you did!
Meta is rolling out new protections for teen accounts. For users who are 13 years old and older, the company has added content settings that apply across Instagram, Facebook, and Messenger. These settings prevent teens from seeing inappropriate content in their feeds, and disable access to pages and profiles that might post inappropriate content. In Messenger, the content settings limit how teenagers can interact with links and who they can chat with.
Meta will also now be using AI to analyze profiles and determine the age ranges of users. It will rely on contextual clues (the examples Meta offers are "birthday celebrations or mentions of school grades"), as well as scanning photos and videos to estimate the ages of people in them.
Lastly, Meta will keep parents in the loop by notifying them about child account activity, such as if an underage account searches terms related to self-harm or suicide. In the Family Center, parents will have more control over how they manage their children's social media accounts. Check out the full Meta news post for more details.
The Bottom Line: If you have a child with a Facebook or Instagram account, these changes should help you manage their accounts.
Malware Targets WhatsApp Users
Cybersecurity firm Kaspersky has discovered a malware campaign affecting WhatsApp users. The campaign involves scammers using compromised accounts to send messages containing a malicious file. The files are given innocuous names but when opened on a Windows device will run a script that installs software that allows hackers to remotely access the computer. Find out more at SecureList.
The Bottom Line: This campaign mainly affects desktop and web users of WhatsApp who use Windows machines, so if you only use WhatsApp on your iPhone, you most likely don't have too much to worry about. However, you should still exercise caution and avoid opening attachments that end in .vbs, .vbe, .exe, .bat, .cmd, .js, or .ps1.
Texas Parks & Wildlife Leaks License Data
A vendor for Texas Parks & Wildlife, a government department that handles hunting and fishing licenses, was hit by a data breach last week. The data that was stolen included driver's licenses, passports, email addresses, phone numbers, and physical addresses. The department is working with the vendor to implement new safeguards to prevent this type of breach from happening again. Read more at TechCrunch or check out the Parks & Wildlife website itself.
The Bottom Line: If you are affected by this breach, the department has likely already reached out to you to notify you. The department is offering affected individuals a year of free credit monitoring from Kroll, which we suggest enrolling in. This kind of breach is so commonplace now that we suggest freezing your credit.
Would You Upload Your Credit Card to Prove Your Age?
Earlier this year, social platform Discord implemented age verification via facial scans, which were quickly bypassed using video games and other methods. This, combined with major backlash from users, prompted Discord to put its age verification plans on hold. Now, it has begun testing new methods using Google Wallet and credit cards. The idea is that if a user adds a credit card to their account, it's proof enough that they are 18 or older. Read more at XDA Developers.
The Bottom Line: This is a step in the right direction for age verification. It is slightly less invasive than facial scans or uploading images of your ID, though it still contains identifying information, because your name is linked to the card. Since Discord and every other tech company seem determined to link our identities to our online profiles, using a credit card seems to be the lesser evil. However, Discord states that it has not given up completely on facial recognition just yet.
Kansas City Moves Ahead with Rolling Surveillance Vehicles
Kansas City is installing facial recognition cameras on public buses, despite pushback from citizens. The idea is that cameras can identify banned riders or missing persons, but the presence of these cameras effectively turns buses in Kansas City into rolling surveillance vehicles. According to SafeSpace Global, the company that develops this technology, the facial data is deleted when the bus returns to the depot. However, the raw video footage captured by the cameras is retained in an archive for up to five years. Read more at AP News.
The Bottom Line: If you live in or visit Kansas City and this concerns you, it may be worth contacting local representatives to voice your opinion.
Could Flying Toasters Give You a Virus?
Wallpaper Engine is a popular Windows application that lets you set animated live wallpapers for your desktop background. The app has a community that allows users to create their own custom wallpapers and share them with other users. Unfortunately, this means that users can upload malicious files that others can download unknowingly when trying to set a new live wallpaper. Check out the full story at PC Mag.
The Bottom Line: This problem is not exclusive to Wallpaper Engine. Any website or app that allows you to download files that have been shared by users poses this type of risk. We recommend against downloading and installing any files that were shared by users you don't know. Stick to the official app stores wherever possible.
Cryptocurrency-Stealing Malware Spreads Via USB Drives
Microsoft is warning about a cryptocurrency malware called Crypto Clipper, which infects computers through malicious USB drives. The malware works by monitoring your computer's clipboard, looking for 12- or 24-word seed phrases (a seed phrase is basically the password used to access a crypto wallet). When it detects one, the malware copies it and takes several screenshots of your computer screen, all of which are forwarded to the attacker. With this information, attackers can steal cryptocurrency funds without the victim knowing until it's too late. Head over to Ars Technica for more information.
The Bottom Line: A common way to spread malware is to drop USB drives outside in frequently trafficked areas. You should never plug random USB drives into your computer, especially if you find them lying around outside. Only use USB drives you know are safe, like ones that you purchase yourself.
Cybersecurity Firm's Vulnerability Exposes 30,000 Devices
Cybersecurity company Fortinet manages firewalls and VPNs for many companies around the world. However, it appears that many of Fortinet's firewalls and VPNs were secured using exposed credentials. Now, hackers with access to the leaked passwords have breached more than 73,000 Fortinet URLs and over 30,000 enterprise devices. The affected companies include Comcast, Foxconn, Lenovo, Oracle, Samsung, and others. Read more at TechCrunch.
The Bottom Line: When you reuse the same password across multiple websites, and one of them is leaked, hackers then have access to every website where you have used that password. That's why it is so important to use a password manager, which can create unique, strong passwords for every website and remember them for you.
Hackers Steal Data from Madison Square Garden
Last week, 404 Media reported that ShinyHunters had breached Madison Square Garden and stolen 45 GB of data. It appears that the hackers used social engineering to gain access to a low-level employee's computer. According to 404 Media, the stolen data included "files mentioning Knicks-related personalities," as well as the contents of the employee's OneDrive, which contained personal information such as work documents, screenshots, and W-2 forms. Check out the full write-up for more details.
The Bottom Line: This employee was targeted using "vishing," a form of phishing that involves calling the victim and impersonating an authoritative entity. In this case, the hackers used vishing to bypass the employee's Microsoft Entra account, an identity verification service that is used to access work-related tools and services. If you receive a phone call from someone claiming to be with a company or organization (such as your bank or Apple), hang up and call back at a phone number you know you can trust.
Hacker Almost Rickrolls World Cup Audience
A self-proclaimed ethical hacker found their way into FIFA's backend and could have taken control of the World Cup stream. "Bobdahacker" discovered that if they registered as a FIFA agent (which only required a photo of their ID), they could access the streaming management interface for every single World Cup match. With the controls they had access to, Bobdahacker could have stopped the entire stream, played YouTube videos over it (such as the infamous "rickroll" meme), changed editorial notes, and more. Ultimately, they did none of those things and instead did their best to report the vulnerability to whoever they could, including FIFA itself, the US Cybersecurity and Infrastructure Security Agency, and the FBI. Check out Bobdahacker's full breakdown of what happened for a good laugh.
The Bottom Line: The vulnerability that allowed this to happen was that the streaming management panel authenticated users client-side rather than server-side. What this means is that while Bobdahacker's computer displayed an "Access Denied" screen, the server did not actually know that they should not have access to the panel. So when they managed to bypass the "Access Denied" screen, the panel did nothing to stop them from proceeding further.
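To make the client-side versus server-side distinction concrete, here is a small added illustration (not code from the newsletter, from FIFA, or from Bobdahacker's write-up). It models two versions of a hypothetical panel endpoint: one where the only "Access Denied" is drawn by the browser from a role field the server sends back, and one where the server refuses the request itself. The function and session names are made up for the example.

```javascript
// Added illustration of client-side vs. server-side authorization.
// All names (handleVulnerable, handleFixed, renderClient, the sessions) are
// hypothetical; none come from a real system.

const PANEL_ACTIONS = ['stop_stream', 'replace_video', 'edit_notes'];

// Vulnerable pattern: the server only checks that *someone* is logged in.
// It executes the action and hands back a `role` field, trusting the
// browser to show "Access Denied" for non-admins. Anyone who skips the
// browser UI reaches the action anyway.
function handleVulnerable(session, action) {
  if (!session) return { status: 401, body: 'login required' };
  // No authorization decision here: the action runs for any session.
  return { status: 200, body: `executed ${action}`, role: session.role };
}

// Fixed pattern: the server decides authorization on every request, before
// doing anything, and never relies on the client to hide the panel.
function handleFixed(session, action) {
  if (!session) return { status: 401, body: 'login required' };
  if (session.role !== 'admin') return { status: 403, body: 'forbidden' };
  if (!PANEL_ACTIONS.includes(action)) return { status: 400, body: 'unknown action' };
  return { status: 200, body: `executed ${action}` };
}

// A simulated front end that draws "Access Denied" purely from what the
// server returned. With the vulnerable handler this screen appears *after*
// the action has already been carried out.
function renderClient(response) {
  if (response.status !== 200) return 'Access Denied';
  if (response.role && response.role !== 'admin') return 'Access Denied';
  return response.body;
}

// Constructed sessions: a low-privilege registration and a real operator.
const agentSession = { user: 'agent-1', role: 'agent' };
const adminSession = { user: 'ops-1', role: 'admin' };

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  const v = handleVulnerable(agentSession, 'stop_stream');
  console.log('vulnerable server did:', v.body, '| client shows:', renderClient(v));
  const f = handleFixed(agentSession, 'stop_stream');
  console.log('fixed server did:', f.body, '| client shows:', renderClient(f));
}
```

The point the two handlers make: with `handleVulnerable`, a low-privilege session gets `executed stop_stream` back from the server even though the client paints "Access Denied" on top of it; with `handleFixed`, the same request is refused with 403 and nothing runs. The place to enforce who may press a button is the code that performs the action, not the code that draws it.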
- The most recent iOS for the iPhone 17 lineup and iPhone Air is 26.5.1
- The most recent iOS for the iPhone 11 through 16e is 26.5
- The most recent iPadOS is 26.5
- The most recent macOS is 26.5.1
- The most recent tvOS is 26.5
- The most recent watchOS is 26.5
- The most recent visionOS is 26.5
Read about the latest updates from Apple.
The correct answer is probably B. Take it to the police or a nearby lost and found. If someone lost their USB drive and comes back looking for it, the police or lost and found can return it to them. Never, under any circumstances, should you plug an unknown USB drive into your computer. If it contains malware, it can install and execute before you even realize it's happening.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.