Google Calls Out Safari for Privacy Flaws
Credit to Author: Brian Barrett | Date: Sat, 25 Jan 2020 14:00:00 +0000
Facial recognition, iCloud encryption, and the rest of this week's top security news.
Hello, friends! If you have any reason to think that Saudi Arabia might have issues with you or one of your business concerns, please read about how crown prince Mohammad bin Salman appears to have hacked Amazon CEO Jeff Bezos's iPhone with a WhatsApp text. Or, you know, read it regardless, because these are absurd times to live in.
Speaking of which! The impeachment trial of Donald Trump kicked off this week, and will continue into the next. When you hear Trump's lawyers use "national security" as an excuse not to share documents, remember that they're taking a page out of Nixon's playbook.
In Brazil, the government accused journalist Glenn Greenwald of cybercrimes, but offered no evidence that he had actually committed any. Global elections are under threat from disinformation, and not enough is being done to protect them.
Porn pirates have plagued Patreon for years, but the platform has essentially given up fighting them. Security researchers have proposed a new way to encrypt the Internet of Things. And if Chrome bugs you about your bad passwords, don't ignore it! Take the chance to fix things up.
Lastly, we took a trip to Miami for this year's Pwn2Own competition, where hackers took on industrial control systems software. They broke… all of it.
And that's not all! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
Apple's Safari browser has admirable privacy protections built in. But as Google researchers observed in a paper released this week, some of them actually backfired to enable the very tracking they try to prevent. Specifically, Safari's Intelligent Tracking Prevention had vulnerabilities that could enable multiple types of attacks that give away your browsing history. Apple patched the issues when Google alerted Cupertino to them several months ago, but it's a reminder of just how hard even the best-intentioned security measures can be to implement.
There are really two stories worth reading about Clearview AI, a company that claims to have scraped 3 billion images from the internet—including social media sites—to power an unprecedented facial recognition database. The New York Times broke the news with an extensive look at the company and its founder, Hoan Ton-That. And BuzzFeed dug into whether Clearview AI's marketing claims hold up to reality. Both make clear that the world's not nearly ready for the kind of omnipresent surveillance Clearview AI promises—or the people who peddle it.
And back to Apple! Reuters reports this week that Apple had plans to encrypt iCloud backups end-to-end—they're currently encrypted, but Apple retains a key—until conversations with the FBI led them to drop it. The events apparently happened two years ago, but have current significance, as the agency continues to pressure Apple to unlock the iPhones of the Pensacola shooter. Apple says it has already provided the FBI with ample iCloud information in the case, and regularly assists investigations when it can—which is to say, when it doesn't require weakening the security of all iPhones everywhere.
The Department of Homeland Security this week warned of six vulnerabilities in GE's line of CARESCAPE monitors. No public exploits have been spotted yet, but the flaws could allow an attacker to change alarm times or discharge patients. It's not the most serious medical vulnerability we've seen in recent years, but it's a category where every misstep has outsized potential effects. GE is currently developing a patch.