At the end of August, Google security researchers published a report about a sustained (at least two years) and indiscriminate campaign to hack iPhones belonging to visitors of certain websites. It is believed to be the worst hack in iPhone history so far. Affected models included every iPhone from the 5c to the iPhone 10, and operating systems from iOS 10 to iOS 12.
When users visited one of the infected websites, their phones were infected with malware capable of stealing messages and files and tracking location data every 60 seconds. The bugs used in those attacks are now fixed in iOS version 12.1.4 and higher.
What lessons can be drawn from this incident?
Frankly, there is not much one can do about it. Mobile phone security, whether on iPhones or Androids, is generally worse than that of general PCs. In addition, your security is usually directly proportional to whether you have the latest mobile devices, ideally directly from Apple and Google, with the latest operating systems installed and updated. (Read here for more information on keeping your devices and apps updated.)
Also, if you worry that you may be a target of those expensive and persistent attacks, you may want to use different devices for communications and general Internet browsing. Also, it’s a good idea to find a local dedicated digital security specialist to help you strengthen your digital defences.
If you work inside a big organisation or have a partnership with one, you might have used the Zoom app for a video conference meeting over the Internet.
An independent researcher found a critical vulnerability in Zoom’s desktop application for macOS. It gave a malicious website the ability to enable your camera without your permission. Luckily, this vulnerability was fixed pretty quickly, both by Zoom and Apple, so users who keep their operating systems and software updated were out of harm’s way.
This case highlights that even apps and operating systems we generally trust have issues and need to be kept updated.
What can I do about it?
Apart from the importance of updates, there is another cautionary tale: if security is more important than convenience, it is usually safer to use the web (in-browser) versions of the applications you need. Nowadays browsers have multiple protections themselves, and if you are running a program inside them, you don’t expose your device to possible vulnerabilities inside desktop or mobile clients.
Of course, that means that your browser itself should be kept updated and all the add-ons inside it should be trusted as well.
The fewer apps the better
Your browser can now take screenshots and open PDFs, reducing the number of apps you need. The fewer apps you have on your device, the fewer ways there are for an attacker to attack and the fewer updates you have to worry about. Luckily, modern operating systems and browsers now offer good replacements for many programs.
For example, Windows 10 users can easily get a screenshot with the Windows+Shift+S hotkey combination, which lets them capture, make basic edits to and save screenshots of the screen. On macOS, the Shift+Command+5 hotkey opens a whole panel with different options to capture the entire screen, part of it or a specific window, as well as to save a video recording of the screen.
Also, if you simply need to read PDFs, you don’t need anything apart from your browser. Most modern browsers can open PDF files in a separate tab. Some PDF files can even be edited by converting them to Google Docs and then exporting them back again as a file in .pdf format. Unless you need to do some signing or heavy editing of PDF files, there is no real need to have something like Adobe Acrobat Reader, which itself is a constant source of critical vulnerabilities.
RESOURCE: Digital Security Starter (Free online course)
Don’t know where to get started with digital security? Get started with practical advice and tips in an introduction specially designed for individuals and civil society. Current topics include “doable” digital security and passwords for the real world. Available for free until November 2019, register here.
Please forward this newsletter to others who would appreciate it.
If this email was forwarded to you and you would like to subscribe to the Data Talks almost-monthly newsletter, please send an email to DataShift@CIVICUS.org with the subject line: Subscribe Data Talks. If you would like to unsubscribe, please send an email to DataShift@CIVICUS.org with the subject line: Unsubscribe DataTalks.