Google uncovers a years-long effort to plant malware on iPhones; disquiet over a botnet takedown operation; and the return of Kernel Panic – but in a good way
Retadup goes down
A takedown operation against the Retadup worm – spearheaded by antivirus firm Avast and French police – spawned some controversy on social media this week.
Disquiet centered on the 850,000, mostly Latin American, systems that had been disinfected of a strain of malware linked to cryptocurrency mining and ransomware distribution.
This might seem like a good thing, but how did it sit against laws prohibiting interference with the operation of other people’s computers, some wondered?
Friday brought news that security experts at Google have uncovered evidence of a “sustained effort” to hack iPhones in an operation dating back at least two years.
Hacked websites were being used to serve exploits to surfers who happened to visit them on their iPhones.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” a blog post from Google Project Zero explains.
“We estimate that these sites receive thousands of visitors per week.”
The attack had “the capability to target and monitor the private activities of entire populations in real time”, Ian Beer, of Google’s Project Zero, concludes.
Infosec watchers on social media noted how much effort had gone into putting the sophisticated attack together.
Kicking dirt into a sandbox
Google got a more mixed response to its suggestion that its new concept, dubbed ‘Privacy Sandbox’, would enhance privacy on the web.
The scheme goes beyond Google’s previously announced plans to “improve the classification of cookies, give clarity and visibility to cookie settings” and block fingerprinting.
Privacy Sandbox will center on efforts by Google to “work with the web community to develop new standards that advance privacy, while continuing to support free access to content”.
This free access to content is, of course, supported by ads.
Google argues for the supposed benefits of relevant ads to surfers – but this has always been an issue that publishers and ad brokers like Google care about more than ordinary users.
Indeed, personalized ads are seen by some privacy activists as little better than a scourge, a line reflected in some of the reactions to the tech giant’s latest initiative.
If the face fits…
In other news, coders’ favorite GitHub upgraded its 2FA system to support Web Authentication (WebAuthn).
The move was touted by the repo giant as a way for developers to securely access their code using fingerprint, facial recognition, and more – making authentication more secure in the process.
Support for biometrics got a lukewarm response in the chat about the topic on social media, perhaps unsurprisingly given recent high-profile breaches.
For those in search of some weekend viewing, a new series from Mashable called ‘Kernel Panic’ promises spills and exploits aplenty.
The first episode pulls focus on the Morris Worm – the “computer worm that changed the world”.
Mashable explains: “The Morris Worm opened the world’s eyes to unforeseen vulnerabilities, planting the seeds of public mistrust that have steadily grown for decades and, today, are flourishing.”