CyberSecurity Pulse 2016-10-06

CyberSecurity Pulse 2016-10-06

“If you don’t make mistakes, you’re not working on hard enough problems. And that’s a big mistake.”
Frank Wilczek

Analyst Insight

Apple Logs Your iMessage Contacts, According To The Intercept

Apple, which has positioned itself as a staunch defender of its user privacy by refusing the federal officials to provide encryption backdoors into its products, hands over its users’ information on iMessage contacts under the corresponding warrants. According to The intercept, Apple records a log of which phone numbers you typed into their iPhone for a message conversation, along with the date and time when you entered those numbers as well as your IP address.CyberSecurity Pulse 2016-10-06 And it’s true, based on the sample information provided in the FAQ, that Apple doesn’t appear to provide any indication whatsoever that an iMessage conversation took place. However, the list of the people you choose to associate with can be just as sensitive as your messages with those people are. In fact, Andrew Crocker, an attorney with the Electronic Frontier Foundation, has already commented the implications that this approach may imply and doubts about which is the real legitimate use that a user can give to the affected information: “How often are lookups performed? Does opening [an iMessage] thread cause a lookup? Why is Apple retaining this information?”. In fact, providing this type of information is not a recent phenomenon. Telcos are usually forced to deliver metadata about phone calls to the police in response to warrants legally claimed by the corresponding judicial authority. The novelty here is that Apple itself is the one that provides the information about iMessage contacts (even when no communication has taken place and when the information does not have an apparent usage for the end user) after getting positioned as a firm Privacy defender.

» More information at The Intercept

Top Stories

India Orders WhatsApp to Keep Data From Facebook

CyberSecurity Pulse 2016-10-06 An Indian court ruled that WhatsApp could not share user information collected before September 25, 2016, the date in which the policy changes took effect. The chief justice of the Delhi High Court said that WhatsApp should delete the data of users who opt out of the changes that took effect at the end of last month. The case was raised after two Indian students, Karmanya Singh Sareen and Shreya Seth, brought it up in late August 2015, claiming that the policy changes would endanger the privacy of users. The statement published by Mashable confirms that WhatsApp and Facebook “have introduced this policy which severely compromises the rights of its users and makes the privacy rights of users completely vulnerable”. » More information at SC Magazine UK

Julian Assange Announces Upcoming Leaks about the US Election

CyberSecurity Pulse 2016-10-06 The editor-in-chief of Wikileaks announced at an event that took place in Berlin that the organization is intending to publish exclusive documents on how the electoral process in the United States works. Assange himself, who was speaking via a live video, announced that during the next ten weeks Wikileaks will release several documents related to the electoral process although he did not want to make any further reference about the content of the documents to be published. This report is aired weeks after the organization made public several leaks affecting the US Democratic party in which they got access to emails and messages from different email inboxes belonging to high party officials including Hillary Clinton and Colin Powell amongst others. » More information at The Register

Rest of the Week´s News

Source Code for IoT Botnet Mirai Released

The source code that powers the Internet of Things (IoT) botnet which was responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month, has been publicly released online. This revelation increases the risk of a flood of DDoS attacks in the internet being launched from new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices. » More information at Ars Technica UK

» More Than 400 Malicious Apps Infiltrate Google Play

One app infected with DressCode malware had been downloaded from 100,000 to 500,000 times. The Trojanized apps were hosted by several well-known Android mobile markets, including more than 400 samples detected on Google Play. Known as Mod GTA 5 for Minecraft PE, the malware was disguised as a benign game that included in the code a component that established a persistent connection with an attacker controlled server. » More information at Trend Micro

Deanonymizing Tor Users with the Analysis of DNS Traffic from Tor Exit Relays

A group of security researchers have been able to define two new correlation attack techniques to deanonymize Tor users. Although the effort required to carry out the attack was quite high, the simulations of the attacks conducted by the researchers allowed them to identify the vast majority of the visitors to unpopular visited websites. » More information at Security Affairs

Further Reading

Zero-Day Acquisition Platform Triples iOS 10 Bug Bounty to $1.5 Million

» More information at Ars Technica UK

You Can Get Hacked Just by Opening a JPEG 2000 Image

» Más información at The Hacker News

Transmitting Logins Through the Human Body

» More information at The Register