Google researcher details iOS exploit that can take over an iPhone with a text message || BGR
“As a general rule, if you avoid clicking on suspicious links that might pop on your phone — whether they’re sent via text message or appear as an in-browser pop-up ad — the odds of your device becoming infected with malware are slim to none.
That notwithstanding, security researchers from Google’s Project Zero team recently divulged a sophisticated exploit that would allow a malicious actor to take control of a targeted device with no interaction required from the device owner at all. As Google researcher Natalie Silvanovich detailed during a presentation at the Black Hat security conference this week, there are a handful of iOS 12 exploits — which have since been patched by Apple with iOS 12.4 — that can let a third party gain full control of a device simply by sending over a text message.”
Hackers Can Break Into Your iPhone Just By Sending a Text || Wired
“WHEN YOU THINK about how hackers could break into your smartphone, you probably imagine it would start with clicking a malicious link in a text, downloading a fraudulent app, or some other way you accidentally let them in. It turns out that’s not necessarily so—not even on the iPhone, where simply receiving an iMessage could be enough to get yourself hacked. At the Black Hat security conference in Las Vegas on Wednesday, Google Project Zero researcher Natalie Silvanovich is presenting multiple so-called “interaction-less” bugs in Apple’s iOS iMessage client that could be exploited to gain control of a user’s device. And while Apple has already patched six of them, a few have yet to be patched.
“These can be turned into the sort of bugs that will execute code and be able to eventually be used for weaponized things like accessing your data,” Silvanovich says. “So the worst-case scenario is that these bugs are used to harm users.”
Silvanovich, who worked on the research with fellow Project Zero member Samuel Groß, got interested in interaction-less bugs because of a recent, dramatic WhatsApp vulnerability that allowed nation-state spies to compromise a phone just by calling it—even if the recipient didn’t answer the call.
But when she looked for similar issues in SMS, MMS, and visual voicemail, she came up empty. Silvanovich had assumed that iMessage would be a more scrutinized and locked-down target, but when she started reverse engineering and looking for flaws, she quickly found multiple exploitable bugs.
This may be because iMessage is such a complex platform that offers an array of communication options and features. It encompasses Animojis, rendering files like photos and videos, and integration with other apps—everything from Apple Pay and iTunes to Fandango and Airbnb. All of these extensions and interconnections increase the likelihood of mistakes and weaknesses.
One of the most interesting interaction-less bugs Silvanovich found was a fundamental logic issue that could have allowed a hacker to easily extract data from a user’s messages. An attacker could send a specially crafted text message to a target, and the iMessage server would send specific user data back, like the content of their SMS messages or images.
The victim wouldn’t even have to open their iMessage app for the attack to work. iOS has protections in place that would usually block an attack like this, but because it takes advantage of the system’s underlying logic, iOS’ defenses interpret it as legitimate and intended.
Other bugs Silvanovich found could lead to malicious code being placed on a victim’s device, again from just an incoming text.
Interaction-less iOS bugs are highly coveted by exploit vendors and nation-state hackers, because they make it so easy to compromise a target’s device without requiring any buy-in from the victim. The six vulnerabilities Silvanovich found—with more yet to be announced—would potentially be worth millions or even tens of millions of dollars on the exploit market.
“Bugs like this haven’t been made public for a long time,” Silvanovich says. “There’s a lot of additional attack surface in programs like iMessage. The individual bugs are reasonably easy to patch, but you can never find all the bugs in software, and every library you use will become an attack surface. So that design problem is relatively difficult to fix.”
Silvanovich emphasizes that the security of iMessage is strong overall, and that Apple is far from the only developer that sometimes makes mistakes in grappling with this conceptual issue. Apple did not return a request from WIRED for comment.”
UCLA prof guilty of conspiring to steal missile secrets for China, could face more than 200 years in prison
|| Campus Reform
“A jury found an electrical engineer and University of California, Los Angeles (UCLA) professor guilty of exporting stolen U.S. military technology to China.
UCLA adjunct professor Yi-Chi Shih was convicted June 26 on 18 federal charges, Newsweek reported, and could now lose hundreds of thousands of dollars, while also facing up to 219 years behind bars for numerous violations of the law. These include conspiracy to break the International Emergency Economic Powers Act (IEEPA), committing mail and wire fraud, lying to a government agency, subscribing to a false tax return, and conspiring to gain unauthorized access to information on a protected computer, according to a Department of Justice news release.
Shih and co-defendant Kiet Ahn Mai tried to access illegally a protected computer owned by a U.S. company that manufactured semiconductor chips called monolithic microwave integrated circuits (MMICs). MMICs are used by the Air Force and Navy in fighter jets, missiles and missile guidance technology, and electronic military defense systems.
The chips were exported to Chengdu GaStone Technology Company (CGTC), a Chinese company, without a required Department of Commerce license. Shih previously served as the president of CGTC, which made the Commerce Department’s Entity List in 2014 “due to its involvement in activities contrary to the national security and foreign policy interest of the United States – specifically, that it had been involved in the illicit procurement of commodities and items for unauthorized military end use in China,” according to court documents cited by the DOJ.
Shih “schemed to export to China semiconductors with military and civilian uses, then he lied about it to federal authorities and failed to report income generated by the scheme on his tax returns,” U.S. Attorney Nick Hanna said, according to the DOJ release. “My office will enforce laws that protect our nation’s intellectual property from being used to benefit foreign adversaries who may compromise our national security.”
Ex-State Department Worker Gets 40 Months In Prison For Secret Dealings With China
“A former State Department employee was sentenced to 40 months in prison for concealing her interactions with two Chinese intelligence agents, along with the extravagant gifts they gave her in exchange for government information.
Candace Claiborne began to work as an office management specialist at the State Department in 1999, according to court documents. She had a top secret security clearance and served overseas in such cities as Baghdad, Beijing and Shanghai.
But she ignored her responsibility to report foreign contacts, prosecutors said as they announced her sentence on Tuesday.
“Claiborne was entrusted with privileged information as a U.S. government employee, and she abused that trust at the expense of our nation’s security,” Acting Assistant Director John Selleck of the FBI’s Washington Field Office said in a statement. “The targeting of U.S. security clearance holders by Chinese intelligence services is a constant threat we face,” he added.
Over the course of five years, Chinese agents allegedly gave Claiborne and her family “tens of thousands of dollars” in gifts and perks – including wired cash, a monthly stipend, overseas trips, tuition at a Chinese fashion school and an apartment that was fully furnished. In exchange for the gifts, Claiborne gave them a window into the State Department’s inner workings through copies of internal documents about dignitary visits and other topics.
Prosecutors said she told a co-conspirator that the agents were “spies” and wrote in her journal that she could “Generate 20k in 1 year” by working with one of the agents.
Federal public defender David Walker Bos, Claiborne’s attorney, did not immediately respond to NPR’s request for comment.
Her arrest came in March 2017 after a sting operation in January of that year. An FBI agent, posing as a Chinese agent, approached Claiborne on a street in Washington, D.C. She welcomed him to her home and their lengthy discussion ended with the undercover agent thanking her for helping the “Ministry,” NPR previously reported.
After the arrest, she pleaded not guilty to charges of obstruction and making false statements to the FBI. In April 2019, she pleaded guilty to a charge of conspiracy to defraud the United States. In the plea agreement, prosecutors agreed to drop the other charges.
A judge ordered Claiborne detained pending sentencing, but she requested to self-surrender on June 5, the document stated.
In addition to a 40-month prison sentence, Claiborne received three years of supervised release and a fine of $40,000.
Her sentence comes after former CIA officer Jerry Chun Shing Lee pleaded guilty this spring to spying for China – and as U.S. officials have warned that Chinese espionage is the country’s most serious security threat.”
SpaceX Is Launching a Historic Crew Dragon Test Flight for NASA Tonight! Watch It Live
|| Space X
“CAPE CANAVERAL, Fla.— SpaceX is counting down toward a historic test flight early Saturday of its first spaceship designed to carry astronauts, and you can watch the action live online.
The spacecraft, called Crew Dragon, will launch on a SpaceX Falcon 9 rocket from NASA’s Kennedy Space Center here in the wee hours of Saturday, March 2, to help show the space agency that it’s ready to launch astronauts. Liftoff is set for 2:49 a.m. EST (0749 GMT) from Pad 39A — the exact same site used by NASA’s Apollo moon shots and where, nearly eight years ago, the agency launched its final space shuttle mission.
“We are on the precipice of launching American astronauts on American rockets from American soil for the first time since the retirement of the space shuttles in 2011,” NASA Administrator Jim Bridenstine said in a Twitter statement. Tonight’s test, he added, is a “critical piece” in the path to that goal.
You can watch SpaceX’s Crew Dragon launch on Space.com, courtesy of NASA TV, beginning at 2 a.m. EST (0700 GMT). The preparations running up to launch day have gone smoothly for SpaceX. There’s an 80 percent chance of good weather for the test flight.”
Sources: CHINA HACKED HILLARY CLINTON’S PRIVATE EMAIL SERVER
|| Daily Caller
A Chinese-owned company penetrated former Secretary of State Hillary Clinton’s private server, according to sources briefed on the matter.
The company inserted code that forwarded copies of Clinton’s emails to the Chinese company in real time.
The Intelligence Community Inspector General warned of the problem, but the FBI subsequently failed to act, Texas Republican Rep. Louie Gohmert said during a July hearing.
“A Chinese-owned company operating in the Washington, D.C., area hacked Hillary Clinton’s private server throughout her term as secretary of state and obtained nearly all her emails, two sources briefed on the matter told The Daily Caller News Foundation.
The Chinese firm obtained Clinton’s emails in real time as she sent and received communications and documents through her personal server, according to the sources, who said the hacking was conducted as part of an intelligence operation.
The Chinese wrote code that was embedded in the server, which was kept in Clinton’s residence in upstate New York. The code generated an instant “courtesy copy” for nearly all of her emails and forwarded them to the Chinese company, according to the sources.
The Intelligence Community Inspector General (ICIG) found that virtually all of Clinton’s emails were sent to a “foreign entity,” Rep. Louie Gohmert, a Texas Republican, said at a July 12 House Committee on the Judiciary hearing. He did not reveal the entity’s identity, but said it was unrelated to Russia.”
Two officials with the ICIG, investigator Frank Rucker and attorney Janette McMillan, met repeatedly with FBI officials to warn them of the Chinese intrusion, according to a former intelligence officer with expertise in cybersecurity issues, who was briefed on the matter. He spoke anonymously, as he was not authorized to publicly address China’s role with Clinton’s server.
Among those FBI officials was Peter Strzok, who was then the bureau’s top counterintelligence official. Strzok was fired this month following the discovery he sent anti-Trump texts to his mistress and co-worker, Lisa Page. Strzok didn’t act on the information the ICIG provided him, according to Gohmert.
Gohmert mentioned in the Judiciary Committee hearing that ICIG officials told Strzok and three other top FBI officials that they found an “anomaly” on Clinton’s server.
The former intelligence officer TheDCNF spoke with said the ICIG “discovered the anomaly pretty early in 2015.”
“When [the ICIG] did a very deep dive, they found in the actual metadata — the data which is at the header and footer of all the emails — that a copy, a ‘courtesy copy,’ was being sent to a third party and that third party was a known Chinese public company that was involved in collecting intelligence for China,” the former intelligence officer told TheDCNF.
“The [the ICIG] believe that there was some level of phishing. But once they got into the server something was embedded,” he said. “The Chinese are notorious for embedding little surprises like this.”
The intelligence officer declined to name the Chinese company.
“We do know the name of the company. There are indications there are other ‘cutouts’ that were involved. I would be in a lot of trouble if I gave you the name,” he told TheDCNF.
A government staff official who’s been briefed on the ICIG’s findings told TheDCNF that the Chinese state-owned firm linked to the hacking operates in Washington’s northern Virginia suburbs. The source was not authorized to publicly discuss the matter.
The company that penetrated Clinton’s server was not a technology firm and it served as a “front group” for the Chinese government, the source told TheDCNF.
The Fairfax and Loudoun county governments told TheDCNF that 13 state-owned Chinese companies operate in the area. Of those, three were not technologically oriented.”
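The report above describes the tell as a recurring “courtesy copy” recipient visible in the header metadata of nearly every message. The following is an added example, not code from the Daily Caller piece or from any investigation it cites, showing how a defender can audit a mailbox export for that pattern: it parses raw RFC 822 messages, collects every recipient header, reports addresses outside an allow-list of organisational domains, and separately surfaces any external address that appears on a large share of messages. The sample messages, the `example.gov` domain and the `thirdparty.test` address are constructed; the check assumes the copy shows up as a recipient header on the sender’s retained copy, so server-side forwarding rules still need their own audit.

```python
"""Audit raw message headers for recipients outside an allow-list of domains."""
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

ALLOWED_DOMAINS = {"example.gov"}  # constructed allow-list of organisational domains
RECIPIENT_HEADERS = ("To", "Cc", "Bcc", "Resent-To", "Resent-Cc", "Resent-Bcc")

# Constructed mailbox export: messages 1-3 carry the same external copy recipient.
SAMPLE_MESSAGES = [
    "From: alice@example.gov\nTo: bob@example.gov\nCc: archive@thirdparty.test\n"
    "Subject: Visit schedule\nMessage-ID: <1@example.gov>\n\nDraft schedule attached.\n",
    "From: alice@example.gov\nTo: carol@example.gov\nCc: Archive <ARCHIVE@thirdparty.test>\n"
    "Subject: Talking points\nMessage-ID: <2@example.gov>\n\nSee below.\n",
    "From: alice@example.gov\nTo: bob@example.gov\nBcc: archive@thirdparty.test\n"
    "Subject: Travel\nMessage-ID: <3@example.gov>\n\nItinerary.\n",
    "From: alice@example.gov\nTo: bob@example.gov\n"
    "Subject: Lunch\nMessage-ID: <4@example.gov>\n\nNoon?\n",
]


def recipient_addresses(msg):
    """Every address from the recipient headers, lowercased, display names stripped."""
    values = []
    for header in RECIPIENT_HEADERS:
        values.extend(msg.get_all(header, []))
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def external_recipients(msg, allowed):
    """Recipient addresses whose domain is not in the allow-list."""
    return sorted({a for a in recipient_addresses(msg) if a.rsplit("@", 1)[-1] not in allowed})


def audit(raw_messages, allowed):
    """Map Message-ID -> external recipients, for messages that have any."""
    findings = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        ext = external_recipients(msg, allowed)
        if ext:
            findings[msg["Message-ID"]] = ext
    return findings


def persistent_external(raw_messages, allowed, min_share=0.5):
    """External addresses copied on at least min_share of all messages.

    A one-off external recipient is normal correspondence; the same outside
    address on most of a mailbox is the pattern worth escalating.
    """
    counts = Counter()
    for raw in raw_messages:
        for addr in external_recipients(message_from_string(raw), allowed):
            counts[addr] += 1
    total = len(raw_messages)
    return sorted(addr for addr, n in counts.items() if n / total >= min_share)


if __name__ == "__main__":
    for msg_id, ext in audit(SAMPLE_MESSAGES, ALLOWED_DOMAINS).items():
        print(msg_id, "->", ", ".join(ext))
    print("persistent:", persistent_external(SAMPLE_MESSAGES, ALLOWED_DOMAINS))
```

Run against a real export (an mbox split into messages, or a journaling mailbox), the `persistent_external` output is the short list to review; `audit` gives the per-message evidence once an address is flagged.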
Halfway Through 2018, Streaming Continued Growth Defies Mathematical Trends
“In the first half of 2018, overall on-demand streaming increased 41.7 percent to reach 403.5 billion U.S. streams, according to Nielsen Music. That growth defies mathematical trends, which dictate that, as a base enlarges, it becomes harder to achieve a bigger percentage growth than in preceding time periods.
When looking at only album consumption units constructed with audio on-demand streams — the kind used in tallying the Billboard 200 and U.S. market share — the industry grew by 13.8 percent to 270 million units at midyear 2018, compared to 237.2 million at the midway point of 2017. Audio on-demand streams grew 45.5 percent to 268.3 billion, from the 184.5 billion accumulated in the first six months of 2017, while video on-demand streams grew 34.7 percent to 135.2 billion from the 100.4 billion streams tallied in the first half of 2017. (Overall video stream count is not available because YouTube stopped reporting streams of song videos that do not garner at least 1,000 views a day in mid-2016.)
R&B/hip-hop remained the most popular genre with a 31.2 percent market share, and had the largest gain overall, up from 28.65 percent in 2017. Conversely, rock came in second at 23.1 percent, but had the largest decline, falling from the 24.81 percent it had accumulated in the first six months of 2017. Latin continued to show strong growth, accounting for 7.74 percent market share, up from 6.46 percent for the corresponding period in 2017, while the other large genre, pop, grew to 15.09 percent this year from 14.76 percent last year, with its album consumption units increasing to 46.22 million from 38.93 million units.
While country grew 8.1 percent to 25.74 million album consumption units at the midway points, its market share actually declined to 8.4 percent, down from 9.03 percent last year, because it isn’t growing as fast as the overall market.”
Beyoncé Claps Back At Accusations Of Fake Streaming Numbers On New Album
|| The Federalist
Beyoncé and Jay-Z’s new collaborative album takes a shot at Spotify, presumably in response to recent reports about Tidal’s fudging of subscriber numbers.
“My success can’t be quantified/ If I gave two f–ks about streaming numbers, would’ve put ‘Lemonade’ up on Spotify/ F–k you, f–k you,” Beyoncé spits on her new joint album with Jay-Z. Queen Bey’s not-so-cryptic lyrics seem to be a response to accusations her husband’s streaming service, Tidal, faked hundreds of millions of plays and subscriber numbers.
In May, the Norwegian newspaper Dagens Næringsliv reported that Tidal fudged the streaming numbers for both Kanye West’s “The Life of Pablo” and Beyonce’s “Lemonade,” generating “massive royalty payouts at the expense of other artists.”
According to Variety, Tidal claims that West’s album recorded 250 million plays in the first 10 days of its release with just 3 million subscribers, meaning that every subscriber played the album on average eight times per day. Tidal also said “Lemonade” was streamed 306 million times in its first 15 days of release last April.
The paper’s investigation used data from the Norwegian University of Science and Technology, where researchers estimated that Tidal’s total number of subscribers was closer to 1 million globally. Tidal denied the report and responded in a statement issued to Music Week: “This is a smear campaign from a publication that once referred to our employee as an ‘Israeli Intelligence officer’ and our owner as a ‘crack dealer’. We expect nothing less from them than this ridiculous story, lies and falsehoods. The information was stolen and manipulated and we will fight these claims vigorously.”
This isn’t the only sign of Tidal’s struggle. Kanye West ended his contract with the company last summer over money, claiming Tidal owed him $3 million. And TMZ reported on Tuesday that the heirs of Prince’s estate are about to back out of a deal giving Tidal exclusive streaming rights, saying “they don’t want the estate getting caught up in the streaming service’s legal problems.”
The other tracks on the power couple’s new album collaboration talk about their life at home, life in the public eye, celebrating their marriage rehab and growing family. “This beach ain’t always been no paradise/But nightmares only last one night,” Bey raps on “LoveHappy.”
The real irony of Beyonce’s lyrics on the track ‘NICE’ is that she actually does give more than two f–ks about her streaming numbers. The album dropped exclusively on Tidal over the weekend, but was available on Spotify and Apple Music by Monday morning.”
FORGET ABOUT FAKE ARTISTS – IT’S TIME TO TALK ABOUT FAKE STREAMS
|| Music Business Worldwide | By Tim Ingham
“I’ve got a confession to make. I’m a fake artist.
One afternoon, about a decade ago, I started nobbing about on GarageBand. Made a scratchy demo. It wasn’t very good.
Last month, thinking nothing of it, I uploaded that demo to Spotify, via Tunecore.
I called it PH, by Pinky Hue. On Pinky Hue Records.
(As it turns out, my pseudonymous tendencies were rather more in vogue than I’d appreciated.)
Then, for over a fortnight, nothing. Aside, that is, from one loyal monthly listener in Milton Keynes, England. (Thanks mum.)
But this past week-and-a-half, things have kicked right off.
First 1,000 listens, then 3,000, then 5,000. Word’s getting out.
As we stand today, Pinky Hue has racked up more than 10,000 Spotify plays – and is already marching towards 15,000.
Anyone know a good manager?
There’s just one problem with this empowering rags-to-riches story, of course.
I bought these streams off the internet.
And I could have bought 2 million of them.
The issue of fake streams has been on my mind since Midem back in June – in particular, a panel called ‘How distributors and streaming services collaborate.’
Anne-Marie Robert (VP International, Tunecore France) appeared alongside reps from the likes of The Orchard and ADA, and was asked how self-releasing artists could gain better access to streaming playlists which would then revolutionize their career.
“Contrary to my friends from ADA and The Orchard, we don’t provide direct trade marketing services because we let the artist do [that] and we take no commission,” she replied.
“But we give a lot of advice on our blog… and also, we are partnering with some services where you can buy some streams [on] Deezer and other websites which can help you.”
Robert specifically mentioned Feature.fm, which allows artists and rights-holders to have their music played in promotional slots on streaming platforms – for a price.
Robert’s comments triggered a subsequent thought in my head: How hard is it to go out and actually purchase fake plays online?
So, the other week, I Googled ‘buy fake Spotify streams’.
And voila: options.
The top result was for a company called Streamify, which boasts on its homepage: ‘Whether you want to get more fans, boost sales or just monitor your plays [sic] count, Streamify has the answers and insights you need to get your songs played more.’
Streamify LLC is officially located in Houston, Texas and offers a full menu of fake stream delicacies specific to Daniel Ek’s platform.
For the timid trialist, $5 will buy you 1,000 Spotify plays.
For the bolder connoisseur, $200 will buy you 100,000 Spotify plays.
And for the full-on, screw-it-this-will-change-my-life desperado, $2,250 will buy you 2 million Spotify plays.
Other options for buying Spotify streams on the internet – and to be clear, MBW cannot vouch for the legitimacy of these companies – include Streampot/StreamKO and Mass Media, both of which also sell packages of fake YouTube plays.”
Did Tidal really fake Kanye and Beyoncé’s streaming numbers?
|| Digital Trends
“A Norwegian newspaper made huge waves in the music streaming industry on May 9, claiming that on-demand music streaming service Tidal had manipulated listener data for two of its biggest artists: Kanye West and Beyoncé.
The accusations surround both artists’ most recent albums, Kanye’s The Life of Pablo and Beyoncé’s Lemonade, with the newspaper claiming that it had gained access to royalty reports and a hard drive that contained “extensive data” regarding Tidal’s streaming plays. Tidal had exclusive streaming rights to both albums when they launched. Tidal owner Jay-Z is married to Beyoncé and is a longtime friend and collaborator of West.
Rolling Stone has since reported that Tidal has contracted a third-party cybersecurity firm to investigate the data breach. The company still denies the allegations made by the story and says it is undertaking the investigation as a means of reassuring its customers that their data is secure.
“Although we do not typically comment on stories we believe to be false, we feel it is important to make sure that our artists, employees and subscribers know that we are not taking the security and integrity of our data lightly,” Tidal CEO Richard Sanders told Rolling Stone.
The newspaper, Dagens Naeringsliv, worked in collaboration with the Norwegian University of Science and Technology to analyze the data, producing a report which claims that more than 320 million false plays had been logged for the two albums on more than 1.7 million user accounts. In March 2016, Tidal claimed that The Life of Pablo had been streamed 250 million times in 10 days. The streaming service claimed that Lemonade had 306 million plays in just 15 days following its release.
A later article from Dagens Naeringsliv that was published Wednesday, May 16 claims that Tidal has also failed to make royalty payments to some major labels since October of 2017.
Many may be wondering why Tidal would want to skew its own streaming numbers in the first place. After all, you may think that increased plays would just cost the streaming service more money in royalty payments overall, thereby hurting the company. That is not true, as Billboard points out. Due to the nature of its contracts with major labels, Tidal — as well as competitors like Apple Music and Spotify — pays royalties from a percentage of revenue, not based on the total number of plays in a given term. This means it would simply shift the proportion of money they would have already paid other labels and artists towards West and Beyoncé.
There are a few reasons this may have been in Tidal’s interest, should the allegations be true. First, it would have garnered increased publicity for two of its biggest artists. Second, it would have increased Tidal’s position and valuation in the marketplace — potentially profiting the company in terms of its increased ability to sell equity (Tidal sold a 30 percent stake in the business to Sprint in early 2017). And third, it would have made both artists over a million dollars in extra royalties, provided they were paid the “superstar” royalty rate of 50 percent on streaming from Def Jam and Columbia, the labels that produced the albums.
Tidal claims that the data was stolen and manipulated by Dagens Naeringsliv itself. One thing the study did indicate is that the data was unlikely to have been manipulated by a software bug or by accident.
“Due to the targeted nature and extent of the manipulation, it is very unlikely that this manipulation was solely the result of a code-based bug or other anomalies,” the study reads.
“[It] is highly likely that the manipulation happened from within the streaming service itself,” concludes professor Katrin Franke, who led the university team.
As part of its extensive story, Dagens Naeringsliv interviewed numerous affected customers, whose accounts show numerous plays of the album during odd hours.
Music critic Geir Rakvaag, for example, is shown in the data to have listened to songs from The Life of Pablo 96 times in a single day, and 54 times in the middle of the night.
“It’s physically impossible,” he claims in the story.
We’ll continue to keep tabs as this story develops. As for whether or not Tidal actually did manipulate user data to generate bigger publicity and profits for two of its biggest artists: Time will tell, and numerous lawsuits are likely forthcoming.”
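Both the purchased Pinky Hue plays in the Music Business Worldwide piece and the “physically impossible” overnight play counts in the Tidal story come down to the same question: does an account’s play log fit a human listener? The following is an added example, not the NTNU team’s method or any platform’s detection code, showing two checks a fraud analyst can run over per-account play logs. The first is a feasibility check: sort an account’s plays by start time and count plays that start before the previous track could have finished. The second measures the share of plays falling in overnight hours, flagging only once the account has enough plays for the share to mean something. The track catalogue, the log rows and the thresholds (`min_plays`, `night_share_limit`, `night_hours`) are all constructed assumptions.

```python
"""Flag streaming accounts whose play logs are implausible for a human listener."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed track lengths in seconds (constructed catalogue, not real data).
DURATIONS = {"track0": 230, "track1": 245, "track2": 260, "track3": 210}


def make_log():
    """Constructed play log as (account, track, play start time) rows."""
    rows = []
    base = datetime(2018, 5, 1, 14, 0)  # honest listener: one afternoon, 5 min apart
    for i in range(12):
        rows.append(("honest", f"track{i % 4}", base + timedelta(minutes=5 * i)))
    base = datetime(2018, 5, 1, 1, 0)  # suspect account: 54 plays from 01:00, 200 s apart
    for i in range(54):
        rows.append(("suspect", f"track{i % 4}", base + timedelta(seconds=200 * i)))
    return rows


def analyze(rows, durations, night_hours=range(0, 6), min_plays=20, night_share_limit=0.8):
    """Per-account report of overlapping plays and overnight play share.

    A play "overlaps" when it starts before the previous play of the same
    account could have finished, which no single listener can do.
    """
    by_account = defaultdict(list)
    for account, track, started in rows:
        by_account[account].append((started, track))

    report = {}
    for account, plays in by_account.items():
        plays.sort()  # chronological order is required for the overlap check
        overlapping = 0
        night = 0
        prev_end = None
        for started, track in plays:
            if prev_end is not None and started < prev_end:
                overlapping += 1
            prev_end = started + timedelta(seconds=durations[track])
            if started.hour in night_hours:
                night += 1
        total = len(plays)
        night_share = night / total
        report[account] = {
            "plays": total,
            "overlapping": overlapping,
            "night_share": round(night_share, 2),
            "flag": overlapping > 0
            or (total >= min_plays and night_share >= night_share_limit),
        }
    return report


if __name__ == "__main__":
    for account, stats in analyze(make_log(), DURATIONS).items():
        print(account, stats)
```

The overlap check is the strong signal because it needs no threshold: a bought-stream bot that cycles a short catalogue faster than the tracks run will trip it regardless of time of day. The overnight share is weaker on its own (shift workers exist), which is why it only fires above a minimum play count, and in practice would be one feature among several rather than a verdict.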