What putting medical records on an Apple Watch means for your privacy

Apple wants to put your medical history in the palm of your hand. And, for good measure, on your wrist as well. 

The tech giant confirmed Wednesday that it intends to allow customers access to their medical records via iPhones and Apple Watches on iOS 11.3 beta. But like with so many things in the world of highly personal data, putting medical information on a digitally connected device is not without risk — and how it all shakes out could have a huge impact on the lives of millions. 

According to CNBC, which broke the story, the new feature will be folded into the Apple Health app. After a health provider is added to the app, the “user taps to connect to Apple’s software system.”

Does that mean this information passes through Apple’s servers before hitting your iPhone, or does it come directly from the provider itself? And how, exactly, is that data protected from hackers or leaks? That, unfortunately, is unclear. This reporter reached out to numerous people at Apple with a series of questions about the new service, but received no response. 

This is a problem. If Apple wants people to trust it with details regarding their “allergies, conditions, immunizations, lab results, medications, procedures and vitals,” as CNBC reports, then it needs to be more forthcoming about how it plans to secure that information. 

Your life in an app.

Image: NurPhoto/Getty Images

Mashable was able to confirm that the medical records in question can be kept on an iCloud account — if you opt in — but that otherwise they’re stored locally on the device, and protected with the same form of encryption that secures everything else on the device. It’s unclear if this is a separate opt-in than the one an iPhone user makes to back files up to iCloud.

It is very possible that you might want your photos backed up to the cloud, but not the details of your embarrassing medical condition. Hopefully Apple plans to give users that flexibility. Unfortunately, however, at this time we don’t know. 

Risk and reward

While the benefits of having your medical history at your fingertips may be numerous, so are the potential pitfalls. After all, it’s not hard to imagine what could go wrong. As the notorious 2014 hack of celebrity iCloud accounts made clear, Apple can’t guarantee the safety of your data. Sure, that incident involved targeted phishing, but for many people, a jealous ex is part of a valid threat model — and that’s exactly the type of person who would be able to bluff their way into an iCloud account. 

That is also the same kind of person who might have physical access to your iPhone or Apple Watch. As soon as they got into one of those devices, your medical records would potentially be up for grabs.

To be clear, it’s not like your medical data is necessarily safe where it is. We learned in 2014 that hackers had stolen the records of some 4.5 million patients after breaching the systems of an American hospital network. 

But, still. Throwing another potential target in the mix in the form of an iPhone or Apple Watch, no matter how secure Apple may claim them to be, doesn’t make this reality any better. 

We reached out to both the Electronic Frontier Foundation and the U.S. Department of Health and Human Services for additional insight, and will update this when and if we hear back. 

In the meantime, it’s perhaps best to keep in mind that medical records present a unique challenge when it comes to balancing privacy, security, and availability. Not getting them into the hands of your doctor could have disastrous effects, but so could having them fall into the hands of a hacker. 

Apple’s customers would be better served by an open dialogue on how the company plans to achieve that optimal balance. Until that happens, however, upload your medical records to Apple’s cloud at your own risk.

Purchased a OnePlus phone? Yeah, your credit card might have been stolen.

Phone with a side of theft.
Things aren’t looking so hot for approximately 40,000 OnePlus customers. And no, not because they’ll probably have to wait until June to upgrade to the OnePlus 6. 

It turns out that the company’s website was hacked, and in the process credit card numbers and other payment information was likely stolen. 

According to a statement issued by the Chinese smartphone manufacturer, “a malicious script was injected into the payment page code to sniff out credit card info while it was being entered.”

What this means in practice is that, from roughly mid-November 2017 to January 11, 2018, any customer who entered their credit card on the site could have had it lifted by hackers. Some customers are already reporting fraudulent charges.

“The malicious script operated intermittently, capturing and sending data directly from the user’s browser,” the company said in a statement. “It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.”

OnePlus emailed the customers it believes might have been affected, and noted that both card expiration dates and security codes could also have been stolen. 


Security researchers at Fidus Information Security looked into the breach, and what they found doesn’t look so good for OnePlus. According to a Fidus blogpost, “OnePlus do not appear to be PCI compliant, nor do they mention this anywhere on the website.”

Why does this matter? PCI here refers to the Payment Card Industry Data Security Standard (PCI DSS), and, according to the PCI Security Standards Council, the standards are “the operational and technical requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.”

In other words, according to Fidus, OnePlus may not have been taking basic steps to protect its customers’ data. Like we said, not looking good.

So, what can you do if you got an email from OnePlus notifying you of the breach? Not much, unfortunately. OnePlus says you should check your bank statement for fraudulent charges, and reach out to the company for any “enquiries.” 

OnePlus will also offer “one year of credit monitoring to affected customers,” according to a company spokesperson. 

Somehow, for those who already had their credit cards stolen, we don’t imagine these measures will provide much solace.

This story has been updated to note that OnePlus is offering limited credit monitoring.

Facebook and WhatsApp malware attack is yet another stark reminder: Be wary of links

Image: Sergei Konkov\TASS via Getty Images

Hackers continue to successfully dupe people into clicking on shady (though carefully disguised) links, thereby gaining access to the text messages, Facebook accounts, and e-mails on both computers and phones. 

A new in-depth cybersecurity report — undertaken by the cybersecurity firm Lookout and digital rights group the Electronic Frontier Foundation — shows that professionals of all persuasions are making poor clicking decisions: military personnel, medical professionals, journalists, lawyers, and universities.

The perpetrators of this recently uncovered hacking scheme have been dubbed “Dark Caracal” by the report, and the cybersecurity researchers present compelling evidence that the group has been operating out of a building in Beirut, Lebanon (which happens to be owned by the Lebanese General Directorate of General Security) since 2011. Phones or computers were breached in at least 21 countries, including the United States, China, and Russia.

The hackers used common, though still sophisticated, phishing techniques to steal text messages, call records, audio recordings, photos, and other data from their targets. Broadly speaking, phishing involves hackers disguising themselves as trustworthy or known sources — perhaps an e-mail from a bank or social media account — and then tricking people into sharing confidential information.

“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said Electronic Frontier Foundation technologist Cooper Quintin in a statement.

In the case of the once-secret Dark Caracal operation, these hackers used WhatsApp messages and Facebook group links to successfully dupe people into clicking, thereby allowing spying and password-collecting malware onto their Android phones and computers. In the cybersecurity realm, these are called “watering hole attacks,” in which hackers identify the specific websites or apps used by a certain group of people — like an activist group or military organization — and infect those sites with malware in hopes that someone will click.

For instance, Dark Caracal sent WhatsApp messages to specific individuals, suggesting that they click on a link in a message. Dark Caracal also dropped links into Facebook groups and created mock login portals for Facebook, Google, and Twitter accounts — where some folks invariably typed in their passwords. 

Successful phishing campaigns are inherently deceptive, intended to feel trustworthy and encourage interaction. These sort of operations are surely not going away — in fact, they appear to be expanding in use and popularity. 

For this reason, one can employ two simple tactics in a malice-filled web. First, use two-factor authentication to add a layer of security to your e-mail and social media accounts (although this is far from foolproof — Dark Caracal appears to have even stolen 2FA passcodes). Second, always carry a healthy sense of distrust on the web, which in short means: don’t click.

Those huge CPU vulnerabilities, Meltdown and Spectre, explained

By now you’ve probably heard. A large portion of the world’s computer processors are vulnerable to at least one of two exploits that render them susceptible to hackers. But what, exactly, is going on — and what can you do to protect yourself?

While the answer to the first question is complicated, thankfully the answer to the second isn’t. It turns out that companies like Google and Microsoft have been working behind the scenes to create patches for what the security community has named Meltdown and Spectre. 

But we’re not out of the woods yet, and, depending on your operating system, you still need to take some proactive measures to make sure your data is safe. 

What’s in a name: Meltdown and Spectre

One of the reasons this latest threat is so complicated is because it’s actually multiple vulnerabilities that were unveiled at the same time. They’re similar in some ways, but differ in important others — a fact hinted at by their names. 

According to researchers, Meltdown “basically melts security boundaries which are normally enforced by the hardware.” Spectre, meanwhile, “breaks the isolation between different applications” allowing “an attacker to trick error-free programs, which follow best practices, into leaking their secrets.”

And what does that actually mean? Essentially, either of these vulnerabilities could be theoretically exploited to steal sensitive data, like passwords, off your computer. Spectre is also a threat to your smartphone, so no escape there.  

Furthermore, while Meltdown can be mostly mitigated with software patches, it is thought only certain exploitations of Spectre can be stopped in this manner. In other words, the latter is going to haunt us for some time and either could potentially require new processors for a complete fix (maybe).

So, who has patched?

Companies, if they haven’t already, are rushing to release the aforementioned “mitigations” against possible attacks that could exploit Meltdown or Spectre (a helpful patch list can be found on the Computer Emergency Response Team site). Why mitigations? Well, because the patches and updates mitigate the risk — but might not remove it completely.   

Microsoft, on Jan. 3, released an update for devices running Windows 10 that was downloaded and installed automatically. 

Google, for its part, issued a lengthy blog post on the same day detailing all the steps it had taken to protect users against both Spectre (Variant 1 and 2) and Meltdown (Variant 3). While a lot of that work happened behind the scenes, there are still some actions you need to take yourself. For example, you should definitely enable site isolation on Chrome.

Android devices with the most recent security updates are also protected from the above mentioned variants.

Apple was a little late to the customer-facing party, but on Jan. 4 made it clear that it is indeed paying attention. Specifically, the company said that — just like with its competitors — its products are at risk. That includes “all Mac systems and iOS devices,” to be exact. 

But wait, there’s good news! Patches to help defend against Meltdown were released in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and Spectre-focused patches for Safari should be hitting “in the coming days.”

What do I need to do?

Meltdown and Spectre are the real deal, and rightly have security professionals concerned. However, at this time there are plenty of things you can do to protect yourself that don’t involve buying a new computer.

Security researcher Matt Tait writes that, at least when it comes to Meltdown, typical computer users can mostly breathe easy. First and foremost, make sure your system is up to date. Download any and all patches for your operating system and browser of choice.

But, because more updates are coming down the pike, you’re not done. Be on the lookout for any and all future security releases and make sure to install them immediately. Don’t pull the classic “remind me later” bit. 

And what about Spectre? This one is a little trickier. 

“Spectre is harder to exploit than Meltdown, but it is also harder to mitigate,” explain the researchers behind the discovery. “However, it is possible to prevent specific known exploits based on Spectre through software patches.” 

In other words, while nothing is perfect, much of the same advice applies as with Meltdown: update, update, update. 

Which, well, has always been good advice.

Here’s what every Chrome user should do in the wake of #Spectre

The new year kicked off with a bang on Jan. 3 when security researchers revealed two major software vulnerabilities that affect, to some extent, most types of computer processors on the planet. Laptops, desktops, Chromebooks, smartphones, and enterprise machines are all potentially at risk, theoretically allowing attackers exploiting what have been dubbed Meltdown and Spectre to steal your passwords and other sensitive data. 

And while the ultimate fix may be a costly hardware one, there are steps you can take today to at least mitigate your risk. If you’re a Chrome user in particular, Google has one very specific recommendation for protecting against Spectre.

Now here’s the rare dash of good news: It’s super easy to implement. 

Buried within Google’s lengthy (and informative!) blog post on its response to Spectre (Variant 1 and 2) and Meltdown (Variant 3) is a link to a page listing the “mitigation status” of affected products. Essentially, this page lists out all the Google services that are at risk, and what steps the company has taken to address that risk. In some cases, it includes stuff you have to do yourself.

Notably, this doesn’t mean that doing these things will 100 percent protect you, but, taken in the aggregate, they represent a line of defense against some seriously big security holes. 

This is where we come back to Chrome, and a little something called Site Isolation. According to The Chromium Projects, and this gets technical pretty quickly, “[Site Isolation] makes it harder for untrusted websites to access or steal information from your accounts on other websites.”

That sounds good, especially considering that a Google spokesperson told Mashable via email that “Variant 1 (Spectre) can be used in JavaScript to pull secrets from a user’s browser, by attacking the process memory of the browser.”

“The Site Isolation protection loads each individual remote website in a separate process,” continued the spokesperson. “By doing so, if a user runs into an attack from a bad site, the process memory for the site the user is trying to reach is unavailable to be attacked. That way, your login secrets for one site cannot be stolen by another.”

This is definitely a welcome additional layer of security. So, how to enable it? In Chrome, go to chrome://flags/#enable-site-per-process and click “enable” on “Strict site isolation.” You’ll need to restart your browser, but otherwise that’s it.

Pretty simple, right?

We also reached out to Google to determine if this will have any adverse effects on your browsing experience — say, reduced speeds — and were pleased to hear that we shouldn’t really worry about that.

“The performance loss for Chrome specifically should be negligible,” the spokesperson assured us. 

So, yeah, download all your patches and enable Site Isolation on Chrome. Your data will thank you. 

This story has been updated with additional comment from Google.