Search Results for “Lily Hay Newman”

August 20, 2019
Lily Hay Newman / Wired

Yubico Releases First Lightning YubiKey for iOS Devices for Secure Authentication

Authentication fob maker Yubico is releasing the first Lightning port YubiKey for use with iPhones and iPads, eight months after its initial announcement. Priced at $70, the dongle has a Lightning connector on one side and USB-C on the other, so it works not only with iPhones and iPads but also with MacBooks or any other USB-C device. Even though Apple has authorized the device, it still hasn’t incorporated the underlying open authentication standard, FIDO2, into its operating systems by default, meaning that the Lightning YubiKey can’t automatically work as an authentication token throughout a user’s iOS experience. Each app needs to add compatibility individually through a new application programming interface.

Related: ZDNet Security, TechCrunch, Macworld, Trusted Reviews, MacRumors, SecurityWeek, The Verge, iDownloadblog

Tweets: @nxthompson @eduardkovacs @enygma @zackwhittaker

August 9, 2019
Lily Hay Newman / Wired

Critical Remote Code Execution Vulnerability in Avaya Desk Phones Originally Patched in 2009 Came Back to Life, Patch Issued in July

A critical remote code execution vulnerability in Avaya desk phones that was originally patched in 2009 has come back to life, researchers at McAfee Advanced Threat Research say. After the flaw was fixed in 2009, Avaya seemingly forked the code later, took the pre-patch version, and didn’t properly account for the fact that a public vulnerability existed there. Avaya was responsive to the discovery of the reincarnated bug and issued a patch for it on July 18, although the researchers say it will take time for the patch to propagate to all the corporate and institutional environments where vulnerable phones are sitting on every desk.

September 27, 2019
Lily Hay Newman / Wired

DEF CON 27 Voting Village Report Released Showing Vulnerabilities in Top Voting Machines Used in Nearly 30 States

The organizers of DEF CON’s annual voting machine hacking village released the results of this year’s efforts, in which participants vetted dozens of voting machines, including a prototype model built on secure, verified hardware through a Defense Advanced Research Projects Agency program. Their report highlights detailed vulnerability findings for six models of voting machines, most of which are currently in use, including the ES&S AutoMARK, used in 28 states in 2018, and the Premier/Diebold AccuVote-OS, used in 26 states that same year. Among the vulnerabilities found were inadequate physical security protections that could allow undetected tampering, easily guessable hardcoded system credentials, the potential for operating system manipulation, and remote attacks that could compromise memory or integrity checks or cause a denial of service.

Related: Dark Reading, Cyberscoop, – Politics, The Register – Security, The Hill: Cybersecurity, Defcon (PDF), Politico

Tweets: @mattblaze @ericgeller @ericgeller

Dark Reading: Voting Machine Systems New & Old Contain ‘Design’ Flaws
Cyberscoop: DEF CON Voting Village report explores vulnerabilities in ballot-marking devices, calls for paper-based audits
– Politics: Hackers find voting machines used throughout the US are vulnerable to attack
The Register – Security: Accept certain inalienable truths: Prices will rise, politicians will philander… And US voting machines will be physically insecure
The Hill: Cybersecurity: Hacker conference report details persistent vulnerabilities to US voting systems
Defcon: DEF CON 27 Voting Machine Hacking Village (PDF)
Politico: First in MC: DEF CON reveals election security findings

@mattblaze: Getting ready for the @VotingVillageDC report release, in the not-at-all-easy-to-find auditorium of the Capitol Visitor Center (turn around after you get through security and go through the doors and down the stairs).
@ericgeller: @VotingVillageDC has officially released the report that we brought you this AM, with lots of details about what hackers found in currently used voting systems: event starting shortly w/ @mattblaze @HarriHursti @MaggieMacAlpine @RonWyden @RepSpeier
@ericgeller: Obviously most people's attention is elsewhere right now, but...Scoop: Popular electronic voting machines contain a host of security vulnerabilities, @VotingVillageDC said in a report set for release today and provided first to Politico. Lots in here.

September 25, 2019
Lily Hay Newman / Wired

After a Few Missteps, Cloudflare Relaunches Warp, a Streamlined Alternative to Buggy VPNs

Cloudflare, which in April announced Warp, a streamlined alternative to the buggy, slow, and frustrating options that make up most of the mobile VPN market, has finally relaunched the VPN following a few missteps that left Warp with the same problems as other VPNs. Between then and now, the waitlist of users who want Warp grew to two million. The VPN builds on Cloudflare’s existing mobile app, which encrypts “domain name system” connections so that internet service providers or other lurkers can’t see which websites users access. Warp adds end-to-end encryption to the web server and back, does it quickly without draining batteries, and offers an easy set-up.

September 23, 2019
Lily Hay Newman / Wired

Google Resumes Human Audio Review of Google Assistant Recordings but with Tighter User Control, Improved Filters to Catch Recordings Made in Error, Promises to ‘Vastly Reduce’ Stored Audio

After pausing human audio review of its Google Assistant recordings worldwide in July, Google said that human review will now resume with increased options for user data control. Google said that sending audio for review has never been the default mode on its devices, but Assistant users will now be prompted to review their settings choice if their devices are currently opted in to the “Voice & Audio Activity” program that potentially sends recordings out for vetting. Google says it has also taken steps to improve filters meant to catch and immediately delete even more sensitive recordings made in error, those created when a smart speaker mistakenly thinks it has detected its so-called wake word. Google said it will further update the Google Assistant policies to “vastly reduce” the amount of audio data the company stores.

Related: Engadget, BetaNews, VentureBeat, ZDNet Security, 9to5Google, Android Authority, TechNadu, Slashdot, Z6 Mag, The Keyword, Fast Company, Threatpost, CNET, Android Police

Tweets: @wagner_digital @josephfcox

Engadget: Google vows to never store Assistant recordings without permission
BetaNews: Google to automatically delete more audio recorded by Assistant and introduce new privacy protections
VentureBeat: Google Assistant no longer saves voice recordings by default
ZDNet Security: Google revamps privacy policy to give users more control over Assistant voice recordings
9to5Google: Assistant gaining ‘Hey Google’ hotword sensitivity setting, will store less audio data
Android Authority: Google pledges to reduce amount of audio recordings for Assistant
TechNadu: Google Assistant Will Return to Eavesdropping You, but With Your Permission
Slashdot: Google Loans Cameras To Volunteers To Fill Gaps in ‘Street View’
Z6 Mag: Users now need to opt-in before Google can save Google Assistant recordings
The Keyword: Doing more to protect your privacy with the Assistant
Fast Company: Google restarts human audio reviews of Assistant recordings with new safeguards in place
Threatpost: Google Assistant Audio Privacy Controls Updated After Outcry
CNET: Google Assistant updates seek to calm privacy concerns over human review
Android Police: Google Assistant improves privacy and adds sensitivity options for hotword detection

@wagner_digital: Google revamps privacy policy to give users more control over Assistant voice recordings. You will be spared human eavesdroppers, too, unless you choose to opt-in. via @ZDNet & @SecurityCharlie
@josephfcox: After revelations human contractors were listening to Google Assistant recordings, Google suspended use of human contractors. Now, it's started the program up again with some changes in place

September 11, 2019
Lily Hay Newman / Wired

Operation reWired Results in Global Arrests of 281 Suspects in Business Email Compromise Schemes

In its biggest move to date against this kind of scam, the Justice Department announced the arrest of 281 suspects in connection with email scams and wire transfer fraud known as business email compromise. The mass effort, dubbed Operation reWired, involved extensive international coordination to make 167 arrests in Nigeria, 74 in the United States, 18 in Turkey, and 15 in Ghana, with the remaining arrests taking place in France, Italy, Japan, Kenya, Malaysia, and the United Kingdom. Numerous law enforcement agencies across the globe were involved, including, in the US alone, the DOJ, the Department of Homeland Security, the Treasury, the State Department, and the Postal Inspection Service.

Related: The Register – Security, Homeland Security Today, Bleeping Computer, Data, TechNadu, Spyware, Austin-American Statesman, Cyberscoop, USATODAY, The Hill: Cybersecurity

September 5, 2019
Lily Hay Newman / Wired

Google Offers New Set of Open-Source Differential Privacy Libraries to Better Protect User Privacy

Google has announced a new set of open-source differential privacy libraries that not only offer the equations and models needed to set boundaries and constraints on identifying data but also include an interface that makes it easier for more developers to actually implement the protections. The purpose of the new libraries is to make it possible for companies to mine and analyze their database information without building invasive identity profiles or tracking individuals. Google currently uses differential privacy libraries to protect different types of data, such as location data generated by its Google Fi mobile customers. Differential privacy is complex and difficult to implement, and experts don’t recommend designing it from scratch, because as many reviewers as possible are needed to catch all the flaws and issues. Google is also offering a testing methodology that lets developers audit their differential privacy implementation and see whether it is actually working as intended.

September 3, 2019
Lily Hay Newman / Wired

Flaws in Supermicro Baseboard Management Controllers Expose Systems to Remote, ‘Virtual’ Thumb Drive Attacks

Vulnerabilities in a number of Supermicro baseboard management controllers (BMCs), special processors installed on server motherboards to give system administrators hardware-level management powers from afar, can allow attackers to plug in “virtual” thumb drives, according to security firm Eclypsium. The Eclypsium researchers discovered that the BMCs on Supermicro X9, X10, and X11 platforms contain flaws that can be exploited to weaponize the BMCs’ legitimate function of installing software or upgrading operating systems without physically plugging anything into the server itself, which offers the equivalent of physical presence. The authentication protections on the Supermicro BMCs that run these virtual media protocols are vulnerable to numerous different types of attacks, including ones that trick employees into plugging in malicious “virtual” thumb drives. The researchers disclosed the flaws to Supermicro in June, and the company has issued firmware updates for all of the affected BMCs.

Related: The Hacker News, ZDNet Security, SecurityWeek, Threatpost, The Register – Security, Eclypsium, Help Net Security, Computer Business Review, Cyberscoop

August 30, 2019
Lily Hay Newman / Wired

Intricate Watering Hole Websites Were Used to Indiscriminately Hack Thousands of iPhones for Two Years, Attackers Able to Gain Complete Control Over Phones, Google Project Zero

For two years, an attacker used a rich collection of iPhone vulnerabilities to indiscriminately hack thousands of iPhones just by getting users to visit malicious “watering hole” websites, Google’s Project Zero security research team has revealed. In a rare and intricate situation, the websites had assembled five so-called exploit chains, tools that link together security vulnerabilities so that a hacker can penetrate each layer of iOS’s digital protections; the chains exploited a total of 14 security flaws, targeting everything from the browser’s “sandbox” isolation mechanism to the core of the operating system known as the kernel, and ultimately gained complete control over the phone. The researchers say the malicious sites were programmed to assess devices that loaded them and to compromise them with powerful monitoring malware if possible. Almost every version of iOS 10 through iOS 12 was potentially vulnerable to the sites, which had been active since at least 2017 and had thousands of visitors per week. The malware could provide deep access to the devices: it could monitor live location data, or be used to grab photos, contacts, and even passwords and other sensitive information from the iOS Keychain. The malware could also allow the attackers to potentially read or listen to communications sent through encrypted messaging services like WhatsApp, iMessage, or Signal. Google says it alerted Apple to the zero-day iOS vulnerabilities on February 1, and Apple patched them in iOS 12.1.4, released on February 7.

Related: ZDNet Security, iNews, Techradar, Softpedia News, Digital Trends, 9to5Google, The Next Web, CNET, BetaNews, Tech Insider, City A.M. – Technology, Engadget, Digital Journal, RAPPLER, Channel News Asia, Fast Company, The Verge, AppleInsider, The Hacker News, Glock Takes Stock, : Top News, MSPoweruser, TechSpot, VICE News, TechCrunch, NDTV, The Guardian, Silicon Republic, Mashable, ITV News, Sky News, Evening Standard, Google Project Zero

ZDNet Security: Google finds malicious sites pushing iOS exploits for years
iNews: iPhone hack: Apple security breach targeted contacts, images and other data for years, Google says
Techradar: A major Google Chrome bug could let criminals attack your PC remotely
Softpedia News: Google Finds Massive iPhone Vulnerability that Was Exploited for Years
Digital Trends: Google claims user data on iPhones was open to hackers for two years
9to5Google: Google researchers detail malicious website exploits that targeted iPhone users for years
The Next Web: Google researchers reveal data-stealing, web-based iPhone exploit that was active for years
CNET: Google says iPhone security flaws let websites hack them for years
BetaNews: Google security researcher warns that hackers are using malicious websites to exploit iOS flaws and monitor iPhone users
Tech Insider: Google researchers found a bunch of malicious sites that quietly hacked iPhones for years
City A.M. – Technology: Google uncovers ‘indiscriminate’ iPhone hack attack
Engadget: Google uncovers exploit-laden websites that stole data from iPhones
Google finds years-long ‘indiscriminate’ iPhone hack
Digital Journal: Google reveals years-long ‘indiscriminate’ iPhone hack
RAPPLER: Google reveals years-long ‘indiscriminate’ iPhone hack
Channel News Asia: Google reveals years-long ‘indiscriminate’ iPhone hack
Fast Company: Google discovered websites that could hack your iPhone just by visiting them
The Verge: Google reveals major iPhone security flaws that let websites hack phones
AppleInsider: iPhone exploits in hacked websites went unnoticed for years
The Hacker News: Google Uncovers How Just Visiting Some Sites Were Secretly Hacking iPhones For Years
Glock Takes Stock: Google Says Malicious Websites Have Been Quietly Hacking iPhones for Years
: Top News: Google Project Zero reveals malicious websites habitually attacked iPhones for years
MSPoweruser: Google explains how visiting a website can leave your iPhone exposed to hackers
TechSpot: Google says hacked websites were attacking iPhones for years
VICE News: Google Says Malicious Websites Have Been Quietly Hacking iPhones for Years
TechCrunch: Malicious websites were used to secretly hack into iPhones for years, says Google
Techradar: iPhones “hacked for years” using malicious websites
NDTV: Google Reveals Malicious Websites Have Been Secretly Hacking Into iPhones for Years
The Guardian: Google says hackers have put ‘monitoring implants’ in iPhones for years
Silicon Republic: Google claims iPhones were vulnerable to ‘monitoring implants’ for years
Mashable: Hacked sites attacked thousands of iPhones every week for years using undiscovered exploits
ITV News: Google says hackers have been putting ‘monitoring implants’ in iPhones for years
Sky News: Hackers have been ‘monitoring iPhones for years,’ says Google
Evening Standard: Hackers have been putting ‘monitoring implants’ in iPhones for years, Google says
Google Project Zero: A very deep dive into iOS Exploit chains found in the wild

May 7, 2019
Lily Hay Newman / Wired

Opinions Diverge Over the Potentially Precedent-Setting Nature of Israel’s Retaliatory Airstrike Response to a Hamas Hacking Group

Experts have divergent opinions over whether Israel’s retaliation against a Hamas hacking group, an airstrike on a building in Gaza that purportedly housed the group, constitutes a landmark moment in hybrid warfare. One factor standing in the way of a true consensus is the lack of details released by the Israel Defense Forces about the attack. Although state-backed hacking and physical warfare have been moving toward convergence for years, with a 2015 US airstrike that killed Islamic State hacker Junaid Hussain cited as an example of this convergence, some experts see Israel’s action as a crucial turning point in the evolution of hybrid warfare, potentially setting a dangerous precedent that offensive hackers are fair game for physical retaliation. Other experts see it as mostly a traditional military attack, because the building used by Hamas was a legitimate target for Israel’s physical attack.