Friday Five 8/19
Security issues in Apple devices and one of the largest DDoS attacks on record dominated the headlines this week. Read about these stories and more all in this week's Friday Five!
1. APPLE SECURITY UPDATES FIX 2 ZERO-DAYS USED TO HACK IPHONES, MACS BY LAWRENCE ABRAMS
Apple released a surprise update for iOS, iPadOS, and macOS devices this past Wednesday that fixes two zero-day vulnerabilities being actively exploited by attackers. According to Apple, one of the two vulnerabilities is an out-of-bounds write vulnerability in the operating system's Kernel, which could result in full device control, while the second vulnerability is an out-of-bounds write vulnerability in WebKit, which could allow arbitrary code execution. Read the full story from BleepingComputer to find out where the vulnerabilities were first reported and which devices are affected.
2. ARREST OF A STALKERWARE-MAKER IN AUSTRALIA UNDERSCORES LINK BETWEEN STALKERWARE AND DOMESTIC ABUSE BY KAREN GULLO
Australian Federal Police recently arrested 24-year-old Jacob Wayne John Keene, the creator of Imminent Monitor stalkerware, and identified over 200 users of the remote access tool (RAT). In their investigation, the Australian police noted that a statistically high percentage of those customers were respondents on domestic violence orders, underscoring the clear link between domestic violence and the use of stalkerware. "Imminent Monitor, once installed on a victim’s computer, could turn on their webcam and microphone, allow perpetrators to view their documents, photographs, and other files, and record all keystrokes entered."
3. EX-CISA CHIEF KREBS ADVOCATES FOR STANDALONE CYBER AGENCY. EXPERTS SAY THAT'S IMPRACTICAL BY SUZANNE SMALLEY
At the 2022 Black Hat Conference this past week in Las Vegas, Nevada, former Director of the Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs stated that a standalone CISA - separate from the Department of Homeland Security - could prove to be beneficial for private sector organizations and other stakeholders in combating cyberthreats. While Krebs seems to think that "[making] the front door clearly visible" is preferable to forcing organizations to approach 5 or 6 different agencies, other CISA officials and cybersecurity experts aren't so sure. Read the full story from CyberScoop to find out more about Krebs' thoughts on the subject as well as why other officials have concerns about an independent CISA.
4. GOOGLE BLOCKS LARGEST HTTPS DDOS ATTACK 'REPORTED TO DATE' BY IONUT ILASCU
A recent distributed denial of service attack against a Google Cloud Armor customer shattered the previous record of 26 million requests per second set back in June, at its peak reaching a whopping 46 million RPS. According to Google, which mitigated the attack, it was so severe that it was as if the site had received all of Wikipedia's daily requests in just 10 seconds. Read more to find out what kind of malware may have been responsible for the attack.
5. IOS VPNS HAVE LEAKED TRAFFIC FOR YEARS, RESEARCHER CLAIMS BY KEVIN PURDY
In a recent blog post, security researcher Michael Horowitz boldly stated, "VPNs on iOS are broken." According to Horowitz, sessions and connections established before a VPN is activated do not terminate and, as observed with advanced router logging, can still send data outside the VPN tunnel while it's active. ProtonVPN reportedly first made Apple aware of the issue over two years ago, but no fixes have been released. ProtonVPN's founder and CEO, Andy Yen, said in a statement: "The fact that this is still an issue is disappointing to say the least. We first notified Apple privately of this issue two years ago. Apple declined to fix the issue, which is why we disclosed the vulnerability to protect the public. Millions of people’s security is in Apple’s hands, they are the only ones who can fix the issue, but given the lack of action for the past two years, we are not very optimistic Apple will do the right thing."