Search Results for “Zack Whittaker”

September 2, 2019
Zack Whittaker / TechCrunch

Malicious Websites Used to Hack Into iPhones Were Targeting Uyghur Muslims in China in Likely State-Backed Attack, Same Websites Used to Target Android and Windows Users, Sources

A number of malicious websites used to hack into iPhones over a two-year period were targeting Uyghur Muslims in China’s Xinjiang region as part of a state-backed attack, likely by China, according to sources. Google Project Zero researchers discovered the malicious websites but did not disclose who the sites were targeting; their write-up described five exploit chains covering iOS 10 through iOS 12, delivered to any visitor of the sites, and an implant that, while running, uploaded the device’s keychain, messaging-app databases and real-time location (it did not survive a reboot). Apple fixed the vulnerabilities in February in iOS 12.1.4, days after Google privately disclosed the flaws. Separately, Forbes reported that the same websites were also used to target Android and Windows users. The websites also infected non-Uyghurs who inadvertently visited the domains because they were indexed in Google search, prompting the FBI to ask Google to remove the sites from its index to prevent further infections.

Related: Forbes, Forbes, Digital Journal, ABC News, USA Today, CRN, Newser, Daily Dot, 9to5Mac, MacRumors, Economic Times, Cult of Mac, TechSpot, The Guardian, MSPoweruser, Techradar, Tech Insider, fossBytes, Gizmodo, Telecompaper Headlines, TechNadu, Slashdot, The Loop, The Next Web, Engadget, AppleInsider, Softpedia News

Tweets:@iblametom @HowellONeill @zackwhittaker

Forbes : Apple Just Gave 1.4 Billion Users A Reason To Quit Their iPads, iPhones
Forbes : New iPhone Hack Shock For 1 Billion Apple Users As Attacker Is Revealed
Digital Journal: iPhone flaw shows ongoing concerns with mobile devices
ABC News: Apple iPhone users exposed to spyware through tainted websites, Google researchers say
Google Says 1B Apple Users Could Be At Risk Of Hack Attacks
USA Today : Google found iPhone security flaws that allowed websites to hack iOS users ‘en masse’
CRN: iPhone hacking ‘implants’ outed by Google – Two-year campaign targeted private data.
Newser : Until Recently, Websites Were Hacking iPhones – Newser
Daily Dot: How China targeted Uyghur Muslims with iPhone-hacking websites
9to5Mac: Report: China used iPhone website exploit attacks to target Uyghur Muslims
MacRumors: China Reportedly Used iPhone Exploits to Target Uyghur Muslims
Economic Times: Apple iPhone ‘hacking’ websites found by Google also affected Android and Windows devices
Cult of Mac: iPhone security exploit allegedly used to target Uyghur Muslims
TechSpot: iPhone-hacking websites also targeted Google and Windows users
The Guardian: Uighurs in China were target of two-year iOS malware attack – reports
MSPoweruser: Along with iOS, Android and Windows users were also targeted by Chinese government
Techradar: iPhone hack also hit Windows and Android devices
Tech Insider: China may have used a recent massive iPhone hack to target Uighur Muslims
fossBytes: iPhone Hack Uncovered By Google Even Targeted Android And Windows
Gizmodo: The iPhone-Hacking Sites Google Found Apparently Went After Android and Windows Users Too
Telecompaper Headlines: Google reveals two-year-long iOS hacking operation
TechNadu: China Was Using the iPhone ‘Watering Hole’ Websites to Spy on Uyghur Muslims
Slashdot: iPhone-Monitoring Crackers Also Targeted Android and Windows, Targeted Ethnic Group in China
The Loop: Sources say China used iPhone hacks to target Uyghur Muslims
The Next Web: iPhone spyware campaign reportedly targeted Uyghur Muslims for 2 years
Engadget : Sites stealing iPhone data reportedly targeted Uyghur Muslims – Engadget
AppleInsider: China believed to have used iPhone exploits to track Uyghur Muslims
Softpedia News: iPhone Hackers Going After Windows and Android Users Too

@iblametom: New - iPhone Hackers Caught By Google Also Targeted Android And Microsoft Windows, Say Sources
@HowellONeill: The hackers behind the iPhone watering hole attack also targeted Android and Windows
@zackwhittaker: New: @iblametom has confirmed that Android and Windows users were *also* targeted in the same watering hole attacks affecting iPhone users.

March 13, 2020
Zack Whittaker / TechCrunch

Princess Cruises Says It Suffered Data Breach Last Year, Third Party Gained Access to Employee, Crew and Guest Personal Data

Princess Cruises, the cruise line forced to halt its global operations after two of its ships confirmed on-board outbreaks of coronavirus, has confirmed a data breach that gave unknown parties access to personal data. The breach occurred between April 11 and July 23, 2019, when, according to a company statement, “an unsanctioned third party gained unauthorized access to some employee email accounts that contained personal information regarding our employees, crew, and guests.” The data accessed included names, addresses, Social Security numbers, government identification numbers such as passport or driver’s license numbers, credit card and financial account information, and health-related information. The company said it has no evidence the data has been misused, but warned guests to watch for phishing emails and identity fraud.

December 19, 2019
Stuart A. Thompson and Charlie Warzel / New York Times

Massive File From Location Data Company Reveals Movements of More Than 50 Billion Location Pings From More Than 12 Million Americans, Contains Just Sliver of What’s Collected on Smartphone Users Every Day

The New York Times obtained a file originating from a location data company that logged more than 50 billion location pings from the phones of more than 12 million Americans as they moved through several major cities, including Washington, New York, San Francisco, and Los Angeles. Each record in the file is the precise location of a single smartphone at one moment, and the file spans several months in 2016 and 2017. In the cities it covers, the data tracks people from nearly every neighborhood and block, whether they live in mobile homes in Alexandria, Va., or luxury towers in Manhattan. It spotted visitors to the estates of Johnny Depp, Tiger Woods, and Arnold Schwarzenegger, and because each device carries a persistent identifier, a device seen at one of those residences can be followed everywhere else it goes. Despite its magnitude, the file represents only a sliver of what the location tracking industry collects every day, and that industry can legally collect and sell the information its companies gather.

Tweets:@kashhill @rosenbergerlm @carlquintanilla @fs0c131y @blakehounshell @stuartathompson @stuartathompson @cwarzel @seamushughes @gregotto @kimzetter @joeuchill @laurengoode @xeni @zackwhittaker @zackwhittaker @josephfcox @bryanl @jwarminsky @josephfcox @joannastern @leakissner @zittrain @SarahFKessler @zachsdorman

@kashhill: Last December, @nytimes did an amazing story on how your location gets tracked by phone apps & sold: Now, @PrivacyProject revisits the topic, w/a huge dataset of those locations & interviews with the people tracked:
@rosenbergerlm: This is the most important article you should read today. Period.
@carlquintanilla: “The greatest trick technology companies ever played was persuading society to surveil itself.” The massive NYT investigation into how you are tracked, through your phone. (via @nytopinion @cwarzel)
@fs0c131y: Holy sh*t, the @nytimes obtained a file with more than 50 billion location pings from the phones of more than 12 million Americans! If you still use your phone after that you are crazy
@blakehounshell: Massive NYT project... this is unreal. Just published:
@stuartathompson: Months ago, someone contacted us with an astounding dataset. It tracked the precise movements of more than 12 million Americans in several major cities including Washington, New York and San Francisco. Today we published our findings:
@stuartathompson: When we first started working with the data, we wanted to see if any sensitive sites were included. I zoomed into the Pentagon and saw this. Our jaws hit the floor. Full piece:
@cwarzel: Here is what was in the data: More than 50 billion location pings from the phones of more than 12 million Americans, across several major cities. @stuartathompson and I then spent months reporting on how we are all tracked through apps on our phones.
@seamushughes: The Times should discuss how it will or won’t use data in the leak for the straight news section. Are reporters on that side able to access it to check & build stories? Whole thing makes me uncomfortable, which I imagine is the point of story @cwarzel
@gregotto: I'm not trying to denigrate this story, I think journalists as a whole should be covering this stuff until the greater public understands it. But I'm having trouble feigning shock/surprise at anything contained herein.
@kimzetter: Awesome piece from @nytimes w/ great visuals showing the movements of millions of mobile phones (and their owners). Data compiled by a location data company, “one of dozens quietly collecting precise movements using software slipped onto mobile phone apps”
@joeuchill: If you were caught off guard by this morning's New York Times article about the vast troves of cell phone location data, you might like @josephfcox 's work at Motherboard. He's been covering the issue for a while now.
@laurengoode: What stands out is not the fact that our smartphones and smartphone apps are collecting our location data - that we knew - but that protections around anonymity crumble once data sets are cross-referenced or combined
@xeni: I am officially an old technobiddy I just sent this to 5 girls and women in my family under 30 and said GIRL TURN IT OFF NOW.
@zackwhittaker: Just a friendly reminder that the 'location services' on your phone can do nothing to stop the cell-based tracking that logs your location every second of every day.
@zackwhittaker: We (cc: @chronic) covered last year how some of these location data collectors, like Reveal Mobile, Factual, and Cuebiq, collect vast amounts of location data from iPhone apps.
@josephfcox: NYTimes Opinion obtains a large dataset of phone locations sourced from apps. Although supposed to be anonymous, it's not difficult to identify particular people
@bryanl: You are being tracked. Data scientists are working hard to make it even easier to do this. Everyone is complicit. Protips: * don't carry your cell phone when doing serious crimes * never turn on your burner at your house or job or while driving there
@jwarminsky: I was expecting them to *not* shout-out @motherboard, but they did
@josephfcox: A lot of people on here are asking why the NYTimes location piece was published by the op-ed desk and not the news one. If you want that piece, news published one last year. Maybe people missed it, idk, but it was a great piece. There's no conspiracy here
@joannastern: My biggest worry after reading this great piece by @cwarzel and @stuartathompson? That people simply don’t care enough to understand the larger implications of this sort of tracking.
@leakissner: The companies you should worry most about with regards to your privacy probably aren't the ones you're thinking of. They're the ones who siphon data off the sides where you don't see it and can't control it: trackers, ISPs, data brokers.
@zittrain: A data leak powers a great piece by @stuartathompson and @cwarzel on the personal location data free-for-all. Another reason for brokers to be information fiduciaries. Meanwhile, self-styled privacy champion Apple could tweak iOS to default to city-level location sharing only.
@SarahFKessler: Interesting example for the Times to pick
@zachsdorman: You need to read this story. It underlines conversations I've had with intel officials bewildered that Americans will submit to a lawless, massive, private surveillance matrix far more invasive than what they would ever assent from their government.

December 15, 2019
Zack Whittaker / TechCrunch

Senators Ask Credit Ratings Agencies Why They Don’t Disclose Vast Government Demands for Consumer Data They Receive

Democratic senators Ron Wyden (OR) and Elizabeth Warren (MA), and Republican senator Rand Paul (KY) have sent letters to Equifax, Experian, and TransUnion, expressing their “alarm” as to why the credit giants have failed to disclose the number of government demands for consumer data they receive. For years, the FBI has requested vast amounts of Americans’ consumer and financial information from the largest U.S. credit agencies. It is publicly unknown how many national security letters have been issued to the credit agencies since the legal powers were signed into law in 2001. The senators have given the agencies until December 27 to disclose the number of demands each has received.

Related: Ron Wyden

Tweets:@zackwhittaker @SwiftOnSecurity @cyberarms

December 11, 2019
Zack Whittaker / TechCrunch

Apple Issues Updates for Nearly All Consumer Products, Fixes Serious Bug That Could Lock Users Out of Their iPhones and iPads

Apple released software updates for nearly all of its consumer products, including iOS 13.3, iPadOS 13.3, macOS Catalina 10.15.2, watchOS 6.1.1, and tvOS 13.3, with several security fixes, among them one for an AirDrop bug that let anyone within wireless range temporarily lock users out of their iPhones and iPads by forcing the devices into an inescapable loop. Researcher Kishan Bagaria found that he could repeatedly send files to every nearby device set to accept AirDrop transfers, so the accept/decline prompt reappeared as fast as it was dismissed and the owner could not use the device. Bagaria calls the bug “AirDoS,” a play on “denial-of-service.” The exposure depends on the AirDrop receiving setting: a device set to “Everyone” can be hit by any nearby attacker, “Contacts Only” requires the sender to be in the target’s contacts, and “Receiving Off” removes the attack surface entirely. The fix is in iOS 13.3 and iPadOS 13.3; earlier versions remain affected.

Related: US-CERT, 9to5Mac, ZDNet, Ars Technica, Forbes, MacRumors, The Verge, Kishan Bagaria, Apple

Tweets:@zackwhittaker @KishanBagaria

December 9, 2019
Zack Whittaker / TechCrunch

Applications for Birth Certificate Copies Exposed Online Due to Unsecured AWS Storage Bucket

An unnamed online company that lets users obtain copies of their birth and death certificates from U.S. state governments exposed birth certificate applications for 752,000 people, including their personal information, by storing them in an Amazon Web Services (AWS) storage bucket that was publicly readable with no authentication required, researchers at Fidus Information Security discovered. The applications, which date back to 2017, contained each applicant’s name, date of birth, current home address, email address, phone number, and personal history, including past addresses, names of family members, and the reason for the application, such as applying for a passport or researching family history. Fidus and TechCrunch sent several emails before publication to warn of the exposed data but received only automated responses, and no action was taken. Amazon said it would inform its customer of the problem.

Tweets:@zackwhittaker @chadloder @worldwise001 @Juchtervbergen @LibSkrat

December 5, 2019
Zack Whittaker / TechCrunch

Marketing Agency Working on Sprint Promotion Exposed Hundreds of Thousands of AT&T, Verizon, and T-Mobile Customer Phone Bills, Other Sensitive Documents on Unprotected Cloud Server

A contractor working for mobile carrier Sprint stored hundreds of thousands of cell phone bills of AT&T, Verizon, and T-Mobile subscribers in an unprotected cloud storage bucket, U.K.-based penetration testing company Fidus Information Security discovered. The bucket held more than 261,300 documents, the vast majority of them phone bills dating back as far as 2015. The bills contained names, addresses, and phone numbers, and many included call histories. They were collected as part of a promotion inviting subscribers to switch to Sprint, according to Sprint-branded documents found on the server. Other sensitive documents, including a bank statement and a screenshot of a web page showing subscribers’ online usernames, passwords, and account PINs, were also found. The bucket belonged to Deardorff Communications, a marketing agency working on the promotion, which said it would launch an investigation into the matter.
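Both Fidus findings on this page, the birth-certificate applications above and the Deardorff phone bills here, come down to the same failure: an AWS storage bucket anyone on the internet could read. As an added example (not code from TechCrunch, Fidus, or the companies involved), the following audits the three documents that decide whether an S3 bucket is public: the bucket ACL, the bucket policy, and the Public Access Block settings. The sample documents are constructed for the example; the bucket name, canonical user ID and VPC endpoint ID in them are placeholders.

```python
import json

# Grantee URIs that make an ACL grant world-readable ("Everyone") or open to
# any AWS account holder ("Authenticated users"), which is just as public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def acl_public_grants(acl):
    """Permissions (READ, WRITE, ...) the ACL grants to AllUsers/AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            hits.append(grant["Permission"])
    return hits

def _principal_is_public(principal):
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean anyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def policy_public_statements(policy):
    """Sids of Allow statements open to anyone with no Condition narrowing them."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (aws:SourceVpce, aws:SourceIp, ...) restricts the grant;
            # leave those for manual review rather than calling them public.
            continue
        hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def public_access_block_complete(pab):
    """True only when all four Public Access Block settings are on."""
    cfg = pab.get("PublicAccessBlockConfiguration", pab)
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)

def audit_bucket(acl, policy, pab):
    acl_hits = acl_public_grants(acl)
    policy_hits = policy_public_statements(policy)
    blocked = public_access_block_complete(pab)
    return {
        "acl_public_permissions": acl_hits,
        "policy_public_sids": policy_hits,
        "public_access_block_complete": blocked,
        # With all four flags on, public ACLs are ignored and public policies
        # are neutralised, so the bucket is not reachable anonymously.
        "effectively_public": bool(acl_hits or policy_hits) and not blocked,
    }

# Constructed sample documents (not from the buckets in the articles), in the
# shape returned by `aws s3api get-bucket-acl`, `get-bucket-policy` (the
# Policy field, JSON-decoded) and `get-public-access-block`.
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-applications/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-applications/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}""")
PAB_OFF = {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}}
PAB_ON = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, PAB_OFF), indent=2))
    print(json.dumps(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, PAB_ON), indent=2))
```

To run this against real buckets, feed it the output of `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` for each bucket. Two caveats: a bucket with no policy attached is simply not public through the policy path (the call errors with NoSuchBucketPolicy), and the Public Access Block also exists at the account level (`aws s3control get-public-access-block --account-id ...`), which overrides the bucket-level setting and should be checked the same way.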

Related: TechNadu

Tweets:@zackwhittaker @JinsonCyberSec @goretsky @Glenda_TNE

November 21, 2019
Zack Whittaker / TechCrunch

Jeanette Manfra to Leave Role at CISA to Join Private Sector in the New Year

As first reported by Cyberscoop, Jeanette Manfra, one of the most senior and experienced U.S. cybersecurity officials, is leaving her position as assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA) to join the private sector in the New Year, after a decade in government. She has served under three presidents at the Department of Homeland Security and has shepherded work on top cybersecurity projects, including election security, threats to the supply chain, and efforts to protect U.S. critical infrastructure (such as the power grid and water networks) from nation-state attacks. She has not yet revealed what position she will take in the private sector.

Related: FCW, JD Supra Law News, Federal News Network, Cyberscoop, Homeland Security Today

Tweets:@Bing_Chris @dnvolz @zackwhittaker @cisamanfra @ericgeller @ngleicher

FCW: Manfra announces plans to step down from CISA
JD Supra Law News: Covering the Basics: CISA Announces Cybersecurity Essentials for Small Businesses
Federal News Network: CISA cyber official headed for private sector Cybersecurity
Cyberscoop: Senior DHS cyber official Jeanette Manfra to step down
Homeland Security Today: CISA Cyber Leader Jeanette Manfra to Leave Government

@Bing_Chris: Important scoop here. Manfra was well liked throughout DHS and has been an important figure in standing up CISA. Just one year out from the election - this is a vital agency that can’t lose its top talent.
@dnvolz: A person familiar with the matter confirms this @snlyngaas scoop. Manfra was well liked at DHS and respected within the cybersecurity community.
@zackwhittaker: New: Jeanette Manfra, one of the most senior cybersecurity officials in the U.S. government, is leaving for the private sector. In an exclusive interview, she talked about her time in government and the "wake up" calls that put cybersecurity on the map.
@cisamanfra: From @zackwhittaker : ...Manfra said she was most proud of her team. “A lot of them have been with me since we started,” she said. “They could be working out in the private sector making a ton of money, but they’re dedicating their lives here,” she said.
@ericgeller: Manfra made it official earlier this afternoon. And here's a TechCrunch interview with her where she says that (no surprise here) she's going to the private sector:
@ngleicher: @CISAManfra is sharp as hell, committed to the mission, and deadly effective. She’s also an excellent colleague and good person to boot. There are very few people that manage both sides of that coin so well. Congratulations on all the amazing work and good luck with next steps!

May 20, 2019
Zack Whittaker / TechCrunch

Millions of Instagram Influencers’ Contact Information Exposed Online in Unsecured AWS Database Belonging to Social Media Marketing Company Chtrbox

A massive database hosted on Amazon Web Services and belonging to Mumbai-based social media marketing firm Chtrbox, containing the contact information of millions of Instagram influencers, celebrities and brand accounts, was found exposed online by security researcher Anurag Sen. Each record contained public data scraped from the influencer’s Instagram account, including their bio, profile picture, follower count, whether they are verified, and their location by city and country. Each record also contained private contact information, such as the account owner’s email address and phone number. Chtrbox pays influencers to host sponsored content on their accounts, and each record included a calculated worth of the account based on its followers, engagement, reach, likes and shares. Chtrbox took the database offline after TechCrunch contacted the company.

January 18, 2020
Catalin Cimpanu / ZDNet

Microsoft Warns of Zero-Day Flaw in Internet Explorer That Has Been Exploited in the Wild, Issues Workarounds and Says Patch Coming Soon

Microsoft has warned about a zero-day Internet Explorer (IE) vulnerability, tracked as CVE-2020-0674, that is being exploited in the wild in limited targeted attacks. The zero-day is a remote code execution (RCE) flaw caused by a memory corruption bug in the browser’s scripting engine, the component that runs JScript, Microsoft’s JavaScript implementation; a user who visits a crafted web page can end up running attacker code with their own user rights. No patch is yet available, but Microsoft said it would issue one soon. In the meantime its advisory, ADV200001, gives a workaround that removes Everyone’s access to the legacy jscript.dll using takeown and cacls. Two caveats for anyone applying it: IE9, IE10 and IE11 load Jscript9.dll by default, which is not affected, so the workaround only closes the path for pages that still invoke the older engine; and denying access to jscript.dll can break other Windows components that depend on it, so keep the advisory’s undo steps at hand.

Related: The Register – Security, CERT Recently Published Vulnerability Notes, TechCrunch, Forbes, Bleeping Computer, The Hacker News, Softpedia News, Microsoft, US-CERT

Tweets:@zackwhittaker @MalwareJake @USCERT_gov

The Register – Security: It’s Friday, the weekend has landed… and Microsoft warns of an Internet Explorer zero day exploited in the wild
CERT Recently Published Vulnerability Notes: VU#338824: Microsoft Internet Explorer Scripting Engine memory corruption vulnerability
Microsoft IE Scripting Engine Vulnerability Alert
TechCrunch: Microsoft says it will fix an Internet Explorer security bug under active attack
Forbes : U.S. Government Confirms Critical Zero-Day Security Warning For Windows Users
Bleeping Computer : Microsoft Issues Mitigation for Actively Exploited IE Zero-Day
The Hacker News: Microsoft Warns of Unpatched IE Browser Zero-Day That’s Under Active Attacks
Softpedia News: Microsoft Warns Windows Users of Incoming Attacks Due to Browser Zero-Day
Microsoft: ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability
US-CERT : Microsoft Releases Security Advisory on Internet Explorer Vulnerability

@zackwhittaker: New: Microsoft says hackers are actively exploiting a bug in Internet Explorer, affecting all versions of Windows. Microsoft said it's "working on a fix," but said patches could be weeks away.
@MalwareJake: There's a 0-day in Internet Explorer being exploited in the wild that impacts Windows 7. In 2014, MS patched CVE-2014-1776 shortly after end of support for XP. Will they release a patch for Windows 7 this time? Great & timely reporting by @zackwhittaker
@USCERT_gov: Microsoft has released a workaround for an Internet Explorer vulnerability being used in limited targeted attacks. Implement workarounds and apply updates when available. Read more at #Cyber #Cybersecurity #InfoSec