Friday Five: 8/30 Edition
Apple recommits to privacy with Siri, news on a bug bounty program for the DHS, plus the IRS warns of a new phishing attack - catch up on the week's news with the Friday Five.
1. U.S. Cyberattack Hurt Iran’s Ability to Target Oil Tankers, Officials Say by Julian E. Barnes
A U.S. cyber-attack against Iranian missile systems in June has had lasting repercussions on the nation. According to a report this week in the New York Times the attack knocked a database used by the country's paramilitary arm to plot attacks against oil tankers and made it that much harder for it to target ships in the Persian Gulf. It's uncertain how the strikes, which were carried out by the U.S. Cyber Command, were carried out; some theorized that someone could have inserted a malicious USB stick into a port, a la Stuxnet. According to the Times, the country is still trying to recover information destroyed in the attack so it can restart its computer systems.
2. Apple won't listen to Siri recordings without your permission anymore by Alfred Ng
Apple, like many companies of late, has faced a backlash over contractors listening to voice assistant queries. The Cupertino company, apologized this week in a statement released Wednesday, doubling down on its commitment to privacy by saying it has suspended what it calls "human grading" of Siri requests, something that aids in quality evaluation. Going forward the company said it will no longer retain audio recordings of Siri interactions. In lieu of listening to every users' recordings, Apple will allow users to opt in to a program that will do so. When users opt in to the program, Apple employees will be able to listen to audio samples of Siri interactions. Microsoft found itself in hot water earlier this summer after contractors at the company acknowledged that they've been listening to both Xbox recordings and some Skype calls. Amazon, Google, and Facebook previously acknowledged they were following the same practice for Alexa, Assistant, and Messenger.
3. Apple Just Released an Emergency Patch for the iPhone by Lorenzo Franceschi-Bicchierai
The next iteration of iOS can’t be any more than a month away but iPhone users would be well served to install an emergency update shipped for the mobile operating system this week. According to Vice's Motherboard, which broke down the update on Monday, Apple forced its own hand. The company had to release a patch after a previous update it pushed that reintroduced a bug it had already fixed and also made it easier for hackers to jailbreak iPhones. According to the report, it also could have been possible for hackers to have taken the old bug, reintroduced by Apple, and chain it with another bug to hack iPhone users. iOS 13 is slated to arrive next month but Apple isn't wasting anytime giving the software a test drive. It pushed a beta version of iOS 13.1 to developers on Tuesday, weeks before even releasing iOS 13.
4. DHS, OMB prep bug bounty rollout by Derek B. Johnson
A quick one-two punch of government/federal news to close out the week: The Department of Homeland Security and the Office of Management and Budget are apparently getting serious about getting a bug bounty program off the ground. According to the eagle-eyes over at FCW, there was a dradft notice published in the Federal Register this week seeking feedback on how such a program would be structured. The Federal Register is the official journal of the U.S. government. If an agency is seeking feedback, looking to publicize proposed rules, or has anything it wishes to convey to the public, it winds up there. According to FCW, the two departments are interested in how to best structure a program. The proposed form plans on asking security researchers for information on vulnerable hosts, how to reproduce the vulnerability, ideas for remediation and an assessment of what could happen if the DHS left the issue unpatched.
5. IRS Warns of New Imposter Scam That Spreads Malware by Jack Corrigan
Heading into Labor Day weekend it's probably safe to say that doing their taxes isn't high on many people’s list of concerns. It’s still and likely always top of mind for the IRS however, which issued a warning last week urging taxpayers to beware of a new scam in which attackers are impersonating tax collectors to spread malware. According to the IRS, there's a new scam making the rounds in which attackers try to trick users using a website that looks like IRS.gov, insisting they need a "temporary password" or a "one-time password" to access files to submit their refund. This should immediately be a red flag for users who submitted their taxes for a refund back in oh, February, but it still got the attention of a handful of taxpayers this month, who went on to contact the IRS. As a reminder, the IRS wants you to know it “doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.” The IRS is aware it’s a target for cybercriminals. Federal officials lobbied the agency to tighten up its plan for mitigating security vulnerabilities earlier this summer, while pushing for Congress to give the agency legal authority to establish and enforce its own security standards.