Friday Five: 9/6 Edition
iPhone hacking levels up, military veterans targeted in an identity fraud scam, and more - catch up on the week's biggest stories with the Friday Five!
1. Prompt Notification Reduces Data Breach Fallout, Consumer Impact by Jessica Davis
Sometimes, in the end, being prompt and transparent pays off. That could be the case for companies that fall victim to data breaches too, according to a recent study carried out by KRC Research and Experian. According to HealthITSecurity.com, which parsed through the study, 90 percent of respondents said they'd be more forgiving of a business if it communicated in a timely fashion that their information had been compromised in a breach. Almost half of those polled said they'd look for an alternative service provider following a breach; 66 percent said they'd likely stop doing business with the company entirely. When it comes to a time frame, respondents' expectations for data breach disclosures were perhaps a bit skewed: 73 percent of those polled said they'd expect to be notified within 24 hours, which is a nice idea in concept but usually well outside the norm.
2. Mysterious iOS Attack Changes Everything We Know About iPhone Hacking by Andy Greenberg and Lily Hay Newman
This story is from last week, last Friday to be exact, but we're including it here because we didn't have time to fit it into last week's Friday Five, and omitting it would be a disservice considering how big the story was. Security Twitter had a field day when Google's Project Zero team dropped a series of blog posts detailing a whopping 14 vulnerabilities across five exploit chains embedded in websites: seven for the iPhone's web browser, five for the kernel and two separate sandbox escapes. It's hinted at in the piece, but the whole story has shades of a massive domestic surveillance operation, potentially a less expensive one than anyone expected. "If a hacking operation is brazen enough to indiscriminately hack thousands of phones, iPhone hacking isn't all that expensive," the article reads, going on to quote the Electronic Frontier Foundation's Cooper Quintin: "We've sort of been operating on this framework, that it costs $1 million to hack the dissident's iPhone. It actually costs far less than that per dissident if you're attacking a group."
3. China hacked Asian telcos to spy on Uighur travelers: sources by Jack Stubbs
The efforts of Chinese hackers to spy on Uighurs (or Uyghurs, depending on the spelling) - an oppressed minority Turkic ethnic group residing in China - have been well documented at this point. They were brought to another level this week following a Reuters report that hackers associated with the country's government went as far as using malware to break into Asian telecom networks in countries including Turkey, Kazakhstan, India, Thailand and Malaysia to spy on and track the movement of Uighurs. While Google didn't confirm it in its blog, it's widely believed that the iOS malware attack was also used to carry out surveillance on Uighurs. Both stories come on the heels of other news stories involving hacks of Google's Android devices with the same motive.
4. Service Members Targeted in Identity Fraud Scheme by Christopher Burgess
For years a civilian medical records technician swiped personally identifiable information belonging to thousands of military veterans and forwarded that data to co-conspiring cybercriminals, who went on to access further information on the victims and steal millions from their bank accounts. Security Boulevard recapped the story (and boiled down the unsealed indictment) on Tuesday. According to the piece, the technician had access to the names, dates of birth, gender, mailing addresses, telephone numbers, social security numbers and Department of Defense ID numbers of military-affiliated personnel. "The trio was able to spoof the system into thinking they were specific individuals, given they had garnered sufficient information to be 'validated' as the veteran or service member, thus perpetrating the identity fraud."
5. Hackers Hit Twitter C.E.O. Jack Dorsey in a ‘SIM Swap.’ You’re at Risk, Too by Nathaniel Popper
Twitter temporarily disabled users' ability to tweet via SMS - a feature that may not be well known unless you were an early adopter of the service - after the company's CEO Jack Dorsey had his account compromised. Before Twitter disabled the feature, an attacker who controlled the phone number tied to an account could send tweets from that account without ever being logged into it. The technique is easier than you'd expect and relies on getting the victim's phone number moved onto a SIM card in a device the attacker controls. Online services, when prompted to send a temporary login code via text message, usually send one, even though the phone number now rings on a different device. It's not a new attack vector, but it's clearly successful and easy for attackers.