Google Says NSO Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’

wiredmikey shares a report from SecurityWeek: Security researchers at Google’s Project Zero have picked apart one of the most notorious in-the-wild iPhone exploits and found a never-before-seen hacking roadmap that included a PDF file pretending to be a GIF image with a custom-coded virtual CPU built out of boolean pixel operations. If that makes you scratch your head, that was exactly the reaction from Google’s premier security research team after disassembling the so-called FORCEDENTRY iMessage zero-click exploit used to plant NSO Group’s Pegasus surveillance tool on iPhones.

“We assess this to be one of the most technically sophisticated exploits we’ve ever seen,” Google’s Ian Beer and Samuel Grob wrote in a technical deep-dive into the remote code execution exploit that was captured during an in-the-wild attack on an activist in Saudi Arabia. In its breakdown, Project Zero said the exploit effectively created “a weapon against which there is no defense,” noting that zero-click exploits work silently in the background and does not even require the target to click on a link or surf to a malicious website. “Short of not using a device, there is no way to prevent exploitation by a zero-click exploit,” the research team said.

The researchers confirmed the initial entry point for Pegasus was Apple’s proprietary iMessage that ships by default on iPhones, iPads and macOS devices. By targeting iMessage, the NSO Group hackers needed only a phone number of an AppleID username to take aim and fire eavesdropping implants. Because iMessage has native support for GIF images (especially those that loop endlessly), Project Zero’s researchers found that this expanded the attack surface and ended up being abused in an exploit cocktail that targeted a security defect in Apple’s CoreGraphics PDF parser. Within Apple’s CoreGraphics PDF parser, the NSO exploit writers abused Apple’s implementation of the open-source JBIG2, a domain specific image codec designed to compress images where pixels can only be black or white. Describing the exploit as “pretty terrifying,” Google said the NSO Group hackers effectively booby-trapped a PDF file, masquerading as a GIF image, with an encoded virtual CPU to start and run the exploit. Apple patched the exploit in September and filed a lawsuit seeking to hold NSO Group accountable.

Read more of this story at Slashdot.

Apple Delays Corporate Return To Offices Indefinitely

Long-time Slashdot reader ttyler shares a tweet from NBC News tech reporter Zoe Schiffer: Tim Cook just sent out an email delaying Apple’s return to work to a date ‘yet to be determined. He also said the company is giving every corporate employee $1,000 to spend on home office equipment. MacRumors adds: There is no word on when employees will be expected to go back to work, and for now, those who are able to do so will continue to work from home. The delay will be welcome news to Apple employees who have been dreading the return to corporate offices, but Apple does plan to have employees come back at some point. Apple executives have made it clear since the beginning of the pandemic that employees will eventually need to return work. “Video conference calling has narrowed the distance between us, to be sure, but there are things it simply cannot replicate,” Cook said back in June.

When it is safe for employees to return to the office, Apple is planning for a hybrid work schedule. Employees will be expected to be in the office three days a week, but will have the option of working from home for two days a week. Apple also plans to allow employees to work remotely for up to one month per year, giving them more time to travel and be closer to loved ones. Because employees will need to continue to work from home, Cook said that Apple is giving every corporate employee $1,000 to spend on home office equipment.

Read more of this story at Slashdot.

Apple Removes All References To Controversial CSAM Scanning Feature From Its Child Safety Webpage

Apple has quietly nixed all mentions of CSAM from its Child Safety webpage, suggesting its controversial plan to detect child sexual abuse images on iPhones and iPads may hang in the balance following significant criticism of its methods. From a report: Apple in August announced a planned suite of new child safety features, including scanning users’ iCloud Photos libraries for Child Sexual Abuse Material (CSAM), Communication Safety to warn children and their parents when receiving or sending sexually explicit photos, and expanded CSAM guidance in Siri and Search. Following their announcement, the features were criticized by a wide range of individuals and organizations, including security researchers, the privacy whistleblower Edward Snowden, the Electronic Frontier Foundation (EFF), Facebook’s former security chief, politicians, policy groups, university researchers, and even some Apple employees.

Read more of this story at Slashdot.

USPS Built and Secretly Tested a Blockchain-Based Mobile Voting System Before 2020

An anonymous reader quotes a report from The Washington Post: The U.S. Postal Service pursued a project to build and secretly test a blockchain-based mobile phone voting system before the 2020 election (Warning: may be paywalled; alternative source), experimenting with a technology that the government’s own cybersecurity agency says can’t be trusted to securely handle ballots. The system was never deployed in a live election and was abandoned in 2019, Postal Service spokesman David Partenheimer said. That was after cybersecurity researchers at the University of Colorado at Colorado Springs conducted a test of the system during a mock election and found numerous ways that it was vulnerable to hacking.

The project appears to have been conducted without the involvement of federal agencies more closely focused on elections, which were then scrambling to make voting more secure in the wake of Russian interference in the 2016 contest. Those efforts focused primarily on using paper ballot so the voter could verify their vote was recorded accurately and there would be a paper trail for auditors — something missing from any mobile phone or Internet-based system. The project appears to have been conducted without the involvement of federal agencies more closely focused on elections, which were then scrambling to make voting more secure in the wake of Russian interference in the 2016 contest. Those efforts focused primarily on using paper ballot so the voter could verify their vote was recorded accurately and there would be a paper trail for auditors — something missing from any mobile phone or Internet-based system.

The Postal Service system allowed people to cast votes on an Internet-connected mobile app similar to how they might add items to an online shopping cart or fill out an online survey. The votes were designed to be anonymous and to be recorded in multiple digital locations simultaneously. The idea is that each of those digital records would act as a check to verify the accuracy of the other records. This is essentially the same method that cryptocurrencies such as bitcoin use to ensure transactions are accurately recorded. But the system didn’t protect against the numerous ways hackers might fake or corrupt votes, the University of Colorado researchers said. Those include impersonating voters, attacking the blockchain system itself so votes can’t be trusted, flooding the system with information so it becomes too overwhelmed to function, and using techniques that undermine voters’ privacy and the secrecy of the ballot. The researchers were able to successfully perform all those hacks during a mock election held on campus. “The Postal Service was awarded a public patent for the concept in August 2020, but had not previously revealed that it built a prototype system or tested it,” the report notes.

Read more of this story at Slashdot.

Two US Senators Urge Federal Investigations Into Facebook About Safety – and Ad Reach

Two leading U.S. Senators “are urging federal regulators to investigate Facebook over allegations the company misled advertisers, investors and the public about public safety and ad reach on its platform,” reports CNBC:

On Thursday, Senator Warren urged the heads of the Department of Justice and Securities and Exchange Commission to open criminal and civil investigations into Facebook or its executives to determine if they violated U.S. wire fraud and securities laws. A day earlier, Senator Cantwell, chair of the Senate Commerce Committee, encouraged the Federal Trade Commission to investigate whether Facebook, now called Meta, violated the agency’s law against unfair or deceptive business practices. Cantwell’s letter was made public on Thursday…

In her letter to the FTC, Cantwell focused on Facebook’s claims about the safety of its products, in addition to the allegedly inflated ad projections… She suggested the agency investigate Facebook and, depending what the evidence shows, pursue monetary relief for advertisers and disgorgement of allegedly ill-gotten gains.
Senator Warren points to a whistleblower’s recent allegations that Facebook misled both investors and advertising customers about their ad reach, according to the article. But Warren’s letter also argued the possibility Facebook violated securities law with “breathtakingly illegal conduct by one of the world’s largest social media companies,” according to the article.

And in addition, Warren “wrote that evidence increasingly suggests executives were aware the metric ‘was meaningfully and consistently inflated.'”

Bloomberg adds this quote from Senator Cantwell’s letter:
“A thorough investigation by the Commission and other enforcement agencies is paramount, not only because Facebook and its executives may have violated federal law, but because members of the public and businesses are entitled to know the facts regarding Facebook’s conduct as they make their decisions about using the platform.”

Read more of this story at Slashdot.

‘When a Newspaper Publishes an Unsolvable Puzzle’

Slashdot reader DevNull127 writes: It’s a newspaper puzzle that’s like Sudoku, except it’s impossible. [Sort of…] They call it “The Challenger” puzzle — but when the newspaper leaves out a crucial instruction, you can end up searching forever for a unique solution which doesn’t exist!

“If you’re thinking ‘This could be a 9 or an 8….’ — you’re right!” complains Lou Cabron. “Everyone’s a winner today! Just start scribbling in numbers! And you’d be a fool to try to keep narrowing them down by, say, using your math and logic skills. A fool like me…” (Albeit a fool who once solved a Sudoku puzzle entirely in his head.) But two hours of frustration later — and one night of bad dreams — he’s stumbled onto the web page of Dr. Robert J. Lopez, an emeritus math professor in Indiana, who’s calculated that in fact Challenger puzzles can have up to 190 solutions… and there’s more than one solution for more than 97% of them!

At the end of the day, it becomes an appreciation for the local newspaper, and the puzzles they run next to the funnies. But with a friendly reminder “that they ought to honor and respect that love — by always providing the complete instructions.”

Apple Launches AirTags and Find My Detector App For Android, In Effort To Boost Privacy

Apple has released a new Android app called Tracker Detect, designed to help people who don’t own iPhones or iPads to identify unexpected AirTags and other Find My network-equipped sensors that may be nearby. CNET reports: The new app, which Apple released on the Google Play store Monday, is intended to help people look for item trackers compatible with Apple’s Find My network. “If you think someone is using AirTag or another device to track your location,” the app says, “you can scan to try to find it.” If the Tracker Detector app finds an unexpected AirTag that’s away from its owner, for example, it will be marked in the app as “Unknown AirTag.” The Android app can then play a sound within 10 minutes of identifying the tracker. It may take up to 15 minutes after a tracker is separated from its owner before it shows up in the app, Apple said.

If the tracker identified is an AirTag, Apple will offer instructions within the app to remove its battery. Apple also warns within the app that if the person feels their safety is at risk because of the item tracker, they should contact law enforcement. […] The Tracker Detect app, which Apple first discussed in June, requires users to actively scan for a device before it’ll be identified. Apple doesn’t require users have an Apple account in order to use the detecting app. If the AirTag is in “lost mode,” anyone with an NFC-capable device can tap it and receive instructions for how to return it to its owner. Apple said all communication is encrypted so that no one, including Apple, knows the location or identity of people or their devices.

Read more of this story at Slashdot.

South Korea To Test AI-Powered Facial Recognition To Track COVID-19 Cases

South Korea will soon roll out a pilot project to use artificial intelligence, facial recognition and thousands of CCTV cameras to track the movement of people infected with the coronavirus, despite concerns about the invasion of privacy. Reuters reports: The nationally funded project in Bucheon, one of the country’s most densely populated cities on the outskirts of Seoul, is due to become operational in January, a city official told Reuters. The system uses an AI algorithms and facial recognition technology to analyze footage gathered by more than 10,820 CCTV cameras and track an infected person’s movements, anyone they had close contact with, and whether they were wearing a mask, according to a 110-page business plan from the city submitted to the Ministry of Science and ICT (Information and Communications Technology), and provided to Reuters by a parliamentary lawmaker critical of the project.

The Bucheon official said the system should reduce the strain on overworked tracing teams in a city with a population of more than 800,000 people, and help use the teams more efficiently and accurately. […] The Ministry of Science and ICT said it has no current plans to expand the project to the national level. It said the purpose of the system was to digitize some of the manual labour that contact tracers currently have to carry out. The Bucheon system can simultaneously track up to ten people in five to ten minutes, cutting the time spent on manual work that takes around half an hour to one hour to trace one person, the plan said.

Read more of this story at Slashdot.

Cable News Talent Wars Are Shifting To Streaming Platforms

The vacancies at cable news companies are piling up as networks and journalists begin to eye streaming alternatives. Axios reports: Why it matters: Primetime cable slots and the Sunday shows are no longer the most opportunistic placements for major TV talent.

Driving the news: Long-time “Fox News Sunday” host Chris Wallace is leaving the network after nearly two decades, he announced Sunday. He will be joining CNN as an anchor for its new streaming service, CNN+. Wallace will anchor a new weekday show and will contribute to the network’s daily live programming, per CNN. It was his decision not to renew his contract with the network, which expired this year, CNN’s Brian Stelter reported.

The big picture: Wallace marks the latest in a string of cable news host departures and shakeups in the past few weeks and months. There are now several holes cable bosses will need to fill in coming weeks. […] Major networks are investing heavily to lure talent to streaming alternatives in light of the decline of linear television. CNN hired NBC News veteran Kasie Hunt as an anchor and analyst for CNN+, reportedly for a salary of over $1 million. It’s hiring hundreds of new roles for the streaming service, set to launch next quarter. NBC News has already hired the majority of the 200+ new jobs it announced over the summer for its new streaming service and digital team, a top executive confirmed to Axios last month. One of its linear TV anchors, Joshua Johnson, moved full-time to host a primetime streaming show for NBC News Now. Fox News launched a new weather-focused streaming service in October. A Fox executive said last week the company is prepared to migrate Fox News to a streaming platform when the time is right. CBS News changed the name of its streaming service recently from CBSN to “CBS News” to represent a new streamlined vision for streaming. “TV networks won’t stop seriously investing in linear news programs until sports move out of the cable bundle, and that won’t be for another few years,” adds Axios.

Read more of this story at Slashdot.

An Experimental Target-Recognition AI Mistakenly Thought It Was Succeeding 90% of the Time

The American military news site Defense One shares a cautionary tale from top U.S. Air Force Major General Daniel Simpson (assistant deputy chief of staff for intelligence, surveillance, and reconnaissance). Simpson describes their experience with an experimental AI-based target recognition program that had seemed to be performing well:

Initially, the AI was fed data from a sensor that looked for a single surface-to-surface missile at an oblique angle, Simpson said. Then it was fed data from another sensor that looked for multiple missiles at a near-vertical angle. “What a surprise: the algorithm did not perform well. It actually was accurate maybe about 25 percent of the time,” he said.

That’s an example of what’s sometimes called brittle AI, which “occurs when any algorithm cannot generalize or adapt to conditions outside a narrow set of assumptions,” according to a 2020 report by researcher and former Navy aviator Missy Cummings. When the data used to train the algorithm consists of too much of one type of image or sensor data from a unique vantage point, and not enough from other vantages, distances, or conditions, you get brittleness, Cummings said. In settings like driverless-car experiments, researchers will just collect more data for training. But that can be very difficult in military settings where there might be a whole lot of data of one type — say overhead satellite or drone imagery — but very little of any other type because it wasn’t useful on the battlefield…

Simpson said the low accuracy rate of the algorithm wasn’t the most worrying part of the exercise. While the algorithm was only right 25 percent of the time, he said, “It was confident that it was right 90 percent of the time, so it was confidently wrong. And that’s not the algorithm’s fault. It’s because we fed it the wrong training data.”

Read more of this story at Slashdot.