It was a busy week in security.
Newly released documents shown exclusively to TechCrunch show that U.S. immigration authorities used a controversial cell phone snooping technology known as a “stingray” hundreds of times in the past three years. Also, if you haven’t updated your Android phone in a while, now would be a good time to check. That’s because a brand-new security vulnerability was found — and patched. The bug, if exploited, could let a malicious app trick a user into thinking they’re using a legitimate app that can be used to steal passwords.
Here’s more from the week.
THE BIG PICTURE
Every iPhone now has a working jailbreak
Hackers found a previously unreported or so-called “zero-day” vulnerability in iOS 11 and later that lets users break through Apple’s “walled garden” limiting how much a user can customize their phone and which apps can run. It’s that approach that Apple has said keeps its device and users (largely) secure, even if it lacks the customizability that Android devices have to offer.
In simple terms, the jailbreak means users can install apps from outside of the Apple App Store and customize parts of the device that are typically off limits to users. But security experts have long warned users that jailbreaking a device vastly increases the surface area for attacks.
It didn’t take long for Apple to release iOS 13.5.1, which kills the jailbreak.
FBI is mad it can hack into locked iPhones without Apple’s help
Speaking of, you know who’s really good at hacking iPhones? The FBI. You know who’s really pissed off about it? Also the FBI. Riana Pfefferkorn, a security expert who serves as the associate director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society, penned an op-ed for TechCrunch on the latest spat between Apple and the FBI over the Pensacola shooter, who killed three airmen at a naval base in Florida. In her piece, Pfefferkorn offers a deep look at the FBI’s arguments, the pitfalls and what it means for the encryption debate.
LiveJournal breach affects 26 million users
More than 26 million credentials believed to belong to Russian blogging platform LiveJournal have leaked online and are now for sale on the dark web. The data is believed to date back to at least 2014, according to ZDNet, and has been floating around since at least last year when security expert Troy Hunt flagged a possible incident.
LiveJournal denied it was breached, claiming the data was “compiled using different sources and mostly falsified.” But Hunt, who runs data breach notification service Have I Been Pwned, obtained a copy of the data, which included usernames, email addresses and plaintext passwords.
ACLU is suing shady surveillance startup Clearview AI
Clearview AI, the controversial surveillance startup, has been sued by the ACLU in Illinois. In a blog post, the ACLU said the company’s activities are a “threat to privacy, safety and security.” The civil liberties group says building a massive database of biometric photos — read: people’s faces — Clearview has created “the nightmare scenario that we’ve long feared, and has crossed the ethical bounds that many companies have refused to even attempt.”
It’s the second lawsuit that Clearview faces in Illinois. A separate class action suit against Clearview cites the same privacy law. Facebook was also stung by the same law, forcing the social media giant to settle charges for $550 million. Clearview made headlines earlier this year for its perceived threat to privacy “as we know it.” Since then it’s been dogged by security issues — a data breach, a data exposure, and an Apple-issued ban.
MOVERS AND SHAKERS
“As COVID-19 impacts every aspect of our work and life, we have seen two years’ worth of digital transformation in two months. This acceleration has actually created momentum for a number of cybersecurity businesses, which is why the best companies continue to draw significant interest from investors.”
That’s the view from Shardul Shah, partner at Index Ventures. He’s one of a dozen leading cybersecurity VCs we surveyed in the past month to look at industry trends, valuations and where they’re spending their money. Check it out.
$ECURITY $TARTUPS
Cisco snapped up network monitor ThousandEyes for a reported $1 billion. The networking giant has been on a spending spree in recent years, following the purchase of AppDynamics in 2017 and Duo Security in 2018. ThousandEyes monitors for outages and downtime across networks, and has big name customers like Microsoft, Slack, PayPal and Lyft. Interestingly, the deal was largely done over Cisco’s own WebEx video conferencing service — so says CNBC. Just goes to show what can be done while the world is still in lockdown.
Bug bounty platform Synack has raised $500 million. The company lets hackers report vulnerabilities to companies and get paid for their findings.
Send tips securely over Signal and WhatsApp to +1 646-755-8849.