Loose Leaf Security Weekly, Issue 5

Happy October from Loose Leaf Security! Or, at least, our calendars say it's October even if the weather here in New York still says it's summer. Regardless, it's always security season.

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

In the news

An unfixable jailbreak: The big news in iPhone security is a "boot ROM" exploit against all devices with the A5 through A11 chipsets - which is every iPhone from the 4S up to and including the iPhone 8 and iPhone X, plus the iPads built on the same generations of chips. (The A12 chipset, used in the iPhone XS and XR, and the A13 in the iPhone 11 series, do not have the bug.) The boot ROM is the very first code executed by the iPhone when it turns on, and because it is burned into the chip at manufacture it cannot be updated except by buying newer hardware. It's responsible for verifying the signature of the firmware that runs next (which can be updated, and which in turn verifies the OS), and also for supporting emergency updates to the firmware and OS if they get corrupted. That is what makes a bug here so serious: every later stage inherits its trust from the ROM, so nothing that can be updated is in a position to fix it.

The bug is in the update code: specifically, to fix an otherwise-unbootable iOS device, you can connect it via USB to a computer running iTunes and upload clean firmware to the iPhone. You need to place the phone in Device Firmware Upgrade (DFU) mode, which …
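To make the chain-of-trust point concrete, here is a toy verified-boot model. It is an added illustration, not Apple's code: the stage names (iBoot, kernel), the image format and the "rom_bug" switch are all assumptions of the model, and Lamport one-time signatures over SHA-256 stand in for the RSA signatures a real boot chain checks, purely so the example runs with the Python standard library. The read-only ROM holds one public key; each signed image carries the public key that must verify the stage after it, so a vendor can ship new firmware without ever touching the ROM, and a single ROM flaw that skips the first check hands the whole chain to whoever controls that first stage.

```python
import hashlib
import os
from dataclasses import dataclass


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signatures: a stdlib-only stand-in for the RSA signatures
# --- a real boot chain uses. Each key signs exactly one image, never reused.

def lamport_keygen(rng=os.urandom):
    """Private key: 256 pairs of random 32-byte preimages. Public key: their hashes."""
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(digest: bytes):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    """Reveal, for each bit of SHA-256(msg), the preimage that bit selects."""
    return [sk[i][bit] for i, bit in enumerate(_bits(H(msg)))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(pk) != 256 or len(sig) != 256:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(H(msg))))


# --- Boot images and the chain of trust (model, not Apple's real image format)

@dataclass
class Image:
    name: str
    payload: bytes   # the stage's code; opaque bytes in this model
    next_pk: list    # public key that must verify the *next* stage ([] for the last one)
    sig: list        # signature over signed_bytes(), made with the key the previous stage trusts

    def signed_bytes(self) -> bytes:
        pk_bytes = b"".join(a + b for a, b in self.next_pk)
        return (len(self.name).to_bytes(2, "big") + self.name.encode()
                + len(self.payload).to_bytes(4, "big") + self.payload + pk_bytes)


def build_chain(stages, rng=os.urandom):
    """Vendor side. Each stage gets its own one-time key; stage i's image carries
    stage i+1's public key, so trust flows forward from the root key alone.
    Returns (root_pk, images); root_pk is what would be burned into the ROM."""
    keys = [lamport_keygen(rng) for _ in stages]
    images = []
    for i, (name, payload) in enumerate(stages):
        next_pk = keys[i + 1][1] if i + 1 < len(stages) else []
        img = Image(name, payload, next_pk, [])
        img.sig = lamport_sign(keys[i][0], img.signed_bytes())
        images.append(img)
    return keys[0][1], images


def boot(rom_pk, images, rom_bug=False):
    """Device side. The ROM knows only rom_pk and checks the first image with it;
    every later stage checks its successor with the key the stage before delivered.
    rom_bug=True models a ROM flaw that runs the first stage unverified (a
    simplification of what a boot ROM exploit buys an attacker).
    Returns (names of stages that ran, status)."""
    trusted_pk, ran = rom_pk, []
    for i, img in enumerate(images):
        rom_skips_check = rom_bug and i == 0
        if not rom_skips_check and not lamport_verify(trusted_pk, img.signed_bytes(), img.sig):
            return ran, f"refused {img.name}: bad signature"
        ran.append(img.name)
        trusted_pk = img.next_pk   # the stage just verified vouches for the next key
    return ran, "ok"


if __name__ == "__main__":
    rom_pk, genuine = build_chain([("iBoot", b"firmware v1"), ("kernel", b"xnu v1")])
    print("genuine chain:", boot(rom_pk, genuine))
    # Attacker signs their own chain with a root key the ROM has never heard of.
    _, evil = build_chain([("iBoot", b"patched firmware"), ("kernel", b"rootkit")])
    print("evil chain, sound ROM:", boot(rom_pk, evil))
    print("evil chain, buggy ROM:", boot(rom_pk, evil, rom_bug=True))
```

With a sound ROM the attacker's chain is refused at the very first image, no matter how the later stages are signed; with the ROM check skipped, the attacker's first stage delivers the attacker's own key for the next stage and the rest of the chain verifies cleanly. Fixing the signed images cannot help, because the thing that decides which key to trust is the unpatchable part.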


Loose Leaf Security Weekly, Issue 4

As fall approaches, we at Loose Leaf Security are thinking about security questions that ask you about your favorite drink - and how many new accounts this fall could get their password reset with "pumpkin spice latte." At least as far as our accounts are concerned, our favorite drinks look a lot more like a nice cuppa AQtEgdHAgmnz97zwJ8mDfZsK or 4hrmbT9F3YrDNeAM6PUQChhm with a splash of milk, stored securely in our password manager and unique for each website.

-Liz & Geoffrey

P.S. If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

In the news

Hacking the Dalai Lama: The Citizen Lab at the University of Toronto, an interdisciplinary group with both computer science and political science expertise, has an in-depth look at targeted attacks on the Dalai Lama's office and other Tibetan organizations. The attacks took the form of chat messages from accounts pretending to be journalists or other politicians with links to malicious web pages. Most of the malicious web pages attempted to use software vulnerabilities to take control of the device, although a few of them led to malicious third-party login prompts - asking the target to grant access to their Google account to a …


Loose Leaf Security Weekly, Issue 3

Good evening from Loose Leaf Security! We're enjoying the last week of iced tea weather here, but remember, while there's always time for a tea break, there's never time for a break from your personal security!

-Liz & Geoffrey

P.S. If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

In the news

The "Simjacker" attack: There's a new attack on cell phones in the news - all types of cell phones this time, unfortunately. The security research firm that found it is calling it "Simjacker," but to be clear, it has no relation to the practice of fraudulently acquiring a SIM card for someone else's account known as "SIM-jacking." The "Simjacker" attack uses specially crafted SMS messages to send commands to a particular application running on the SIM card itself (the S@T Browser, one of the SIM Toolkit apps; SIM cards are in fact very tiny computers), which can then send commands to the phone, such as reporting its location. Many carriers have filters or firewalls for these sorts of SMS messages, and in particular, the four major US carriers (AT&T, Sprint, T-Mobile, and Verizon) have confirmed that they are immune to the attack. Unfortunately, not all carriers do, and AdaptiveMobile Security, the research firm that found the attack …


Loose Leaf Security Weekly, Issue 2

Hello again! We've been watching Brexit proceedings with a mixture of interest and confusion, but we're sure about one thing - there's never a good time to prorogue your personal security.

-Liz & Geoffrey

P.S. If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

In the news

SIM-Jack-ing: Last week, a group calling itself the "Chuckling Squad" got access to the Twitter account of Jack Dorsey, Twitter's own CEO. Sharp-eyed Twitter users quickly found that the tweets the attackers posted were labeled as "via Cloudhopper," which is an app Twitter acquired years ago to facilitate their SMS service. (This 2010 CNET article about the acquisition points out that while Twitter originally had their own functionality to send and receive tweets via text message, they had scaled it back because of costs and relied on Cloudhopper to get it going again.) Apparently, the Chuckling Squad got access to Jack's phone number via "SIM-jacking" (also called SIM swapping), a social engineering attack where the attacker impersonates the victim to obtain a "replacement" SIM card from their cell phone provider's customer support. Once the attacker has a replacement SIM card for your phone number, all phone calls and text messages intended for …


Loose Leaf Security Weekly, Issue 1

Welcome to Loose Leaf Security's newsletter! Every week, we'll include short takes on interesting security news and summaries of any new Loose Leaf Security content. We're really glad you're here.

In a few of the stories below, we're linking to past episodes on certain topics - if you're here because your favorite type of podcast is the kind you can read, don't worry, our episodes always have both full transcripts and show notes on the web page.

-Liz & Geoffrey

P.S. If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

New from Loose Leaf Security

New episode, "Covering your webcams": Liz and Geoffrey take a look at how attackers compromise webcams and discuss why it's worth physically covering them. Malware and alleged threats of malware are only some of the avenues attackers take to access other people's webcams; vulnerabilities in legitimate software, like the recent Zoom security flaw, can also be exploited. Additionally, sharing ownership of your devices with another party like your school district or workplace may leave you and your webcams exposed. In the news, the FTC fines Facebook, weaknesses in Apple's iMessage and Visual Voicemail, and U2F support added to …
