You know how they say most crime victims know their attacker? Two incidents this week suggest this holds true in the case of cyber-crime too.
The culprit in both cases was none other than Apple — not some sketchy Android app created who-knows-where. It turns out the iPhone’s software contains a “very high severity issue” that could let hackers steal passwords with nothing more than a text message. Meanwhile, a second vulnerability allows snoops to exploit FaceTime and listen in on your calls.
Apple has issued patches for both problems but this won’t help unless you, and this is probably worth shouting: UPDATE YOUR SOFTWARE. After all, those update notifications on your phone aren’t there for nothing.
The Apple incidents are also a reminder of the value of bug bounty programs that companies use to pay people to expose their software flaws. It might cost firms a tad of money and embarrassment, but it’s infinitely better than letting bad guys find the flaws first. If you have doubts, take it from Google’s former head of spam, who brought up bug bounties in the context of a clever phone scam:
Finally, I should introduce myself: I’m Fortune’s legal reporter, Jeff John Roberts, and I’m thrilled to say I’ll be teaming up with Robert to build up our cyber-security coverage. Robert will be back next week. In the meantime, enjoy your weekend — and download those updates.
More news below.
Jeff John Roberts
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Creepy or clever marketing? A teenage idol persuaded thousands of fans to send him their social media passwords so he could post messages from inside their accounts. The idea is intimate engagement or, well, something. Per the NYT: “It’s the virtual equivalent of a boy climbing in through a girl’s bedroom window.” Umm, okay. (New York Times)
iPhone safety with Snowden: You can’t argue with the branding strategy. Edward Snowden is teaming up with a famous U.S. hacker to offer a piece of hardware that attaches to your iPhone and alerts you every time the device leaks location data. (Fortune)
Yes, our cars are compromised. The CEO of GM said car hacking is now a public safety issue for the auto industry, which this week issued a set of best practices to address it. Meanwhile, one media outlet coined the infelicitous term “jackware” to describe what happens when connected cars meet ransomware. (MIT Tech Review, We Live Security)
Shopping for cyber-security: meet the buyers. A common refrain we hear from cyber consultants is there are far, far too many companies and that consolidation is coming. But how will this happen? This list of the 10 biggest cybersecurity acquirers seems to provide one hint. You won’t be surprised by many of the names – Microsoft, IBM et al – but you might be surprised by who is number one. (Fortune)
Would be a shame if something happened to that server… AIG is launching a new form of policy that will offer insurance payouts up to $100 million for property damage and $100 million in bodily injury caused by a cyber-attack. This actually makes a lot of sense given the pervasiveness of cyber-attacks today. AIG predicts the market will grow five-fold to $10 billion worth of premiums by 2020. (Bloomberg)
Geeks sue the government. A controversial copyright law called the DMCA has been a bugbear for years to the security community, who object to criminal provisions that forbid tinkering with software. A remarkable lawsuit this week, brought by a comp-sci professor and a famous hacker, and aided by the EFF, asks a court to strike down the law because it violates the First Amendment. (Fortune)
Finally, if you’re getting Pokemon fatigue, this might end the silly craze: hackers have reverse-engineered an API to reveal the location of all the digital beasts in one map.
Robert reports on the folks responsible for cyber-security at the RNC and the new challenges they face, especially the proliferation of non-traditional devices now on the network. Here’s a taste:
The temporary cybershop is a bit drab, admits Gronberg, vice president for government affairs at cybersecurity firm ForeScout. The mission, however, is anything but: protecting the computer networks that the convention’s staffers depend on to keep the show up and running. […]
“There has been an explosion of devices, including TV screens, cameras, and even lights—these wouldn’t have been networked even four years ago,” Gronberg said. “You need a different kind of security approach.”
Can Anonymous Apps Succeed and Avoid User Harassment and Abuse? by Kia Kokalitcheva
How to Rob Microsoft, Google and Instagram with Just a Phone Call by Jeff John Roberts
ONE MORE THING
Did police get into a dead guy’s iPhone with a fake fingerprint? You’ve probably heard of law enforcement spoofing fingerprints with clay or plastic in order to trick a phone’s sensor. Now, a report suggests Michigan police used a 3-D printer to recreate the fingerprint of a murder victim in order to access his iPhone. (The Verge)