Huawei, the Chinese technology giant whose devices are at the center of a far-reaching trade dispute between the U.S. and Chinese governments, is reducing orders for new phones, according to a report in The South China Morning Post.
According to unnamed sources, the Taiwanese technology manufacturer Foxconn has halted production lines for several Huawei phones after the Shenzhen-based company reduced orders. Foxconn also makes devices for most of the major smart phone vendors including Apple and Xiaomi (in addition to Huawei).
In the aftermath of President Donald Trump’s declaration of a “national emergency” to protect U.S. networks from foreign technologies, Huawei and several of its affiliates were barred from acquiring technologies from U.S. companies.
The blacklist has impacted multiple lines of Huawei’s business including it handset manufacturing capabilities given the company’s reliance on Google’s Android operating system for its smartphones.
In May, Google reportedly suspended business with Huawei, according to a Reuters report. Last year, Huawei shipped over 200 million handsets and the company had a stated goal to become the world’s largest vendor of smartphones by 2020.
These reports from The South China Morning Post are the clearest indication that the ramifications of the U.S. blacklisting are beginning to be felt across Huawei’s phone business outside of China.
Huawei was already under fire for security concerns, and will be forced to contend with more if it can no longer provide Android updates to global customers.
Contingency planning is already underway at Huawei. The company has built its own Android -based operating system, and can use the stripped down, open source version of Android that ships without Google Mobile Services. For now, its customers also still have access to Google’s app store. But if the company is forced to make developers sell their apps on a siloed Huawei-only store, it could face problems from users outside of China.
Huawei and the Chinese government are also retaliating against the U.S. efforts. The company has filed a legal motion to challenge the U.S. ban on its equipment, calling it “unconstitutional.” And Huawei has sent home its American employees deployed at R&D functions at its Shenzhen headquarters.
It has also asked its Chinese employees to limit conversations with overseas visitors, and cease any technical meetings with their U.S. contacts.
Still, any reduction in orders would seem to indicate that the U.S. efforts to stymie Huawei’s expansion (at least in its smartphone business) are having an impact.
A spokesperson for Huawei U.S. did not respond to a request for comment.
I spend most of my time these days investigating the uglier side of digital life—examining the techniques, tools, and practices of cyber criminals to help people better defend against them. It’s not entirely different from my days at Ars Technica, but it has given me a greater appreciation for just how hard it is for normal folks to stay “safe” digitally.
Even those who consider themselves well educated about cyber crime and security threats—and who do everything they’ve been taught to do—can (and do!) still end up as victims. The truth is that, with enough time, resources, and skill, everything can be hacked.
The key to protecting your digital life is to make it as expensive and impractical as possible for someone bent on mischief to steal the things most important to your safety, financial security, and privacy. If attackers find it too difficult or expensive to get your stuff, there’s a good chance they’ll simply move on to an easier target. For that reason, it’s important to assess the ways that vital information can be stolen or leaked—and understand the limits to protecting that information.
In part one of our guide to securing your digital life, we’ll talk briefly about that process and about basic measures anyone can take to reduce risks to their devices. In part two, coming in a few days, we’ll address wider digital identity protection measures, along with some special measures for people who may face elevated risks. But if you’re looking for tips about peanut butter sandwich dead drops to anonymously transfer data cards in exchange for cryptocurrency payments… we can’t help you, sorry.
You are not Batman
A while back, we covered threat modeling—a practice that encompasses some of what is described above. One of the most important aspects of threat modeling is defining your acceptable level of risk.
We make risk-level assessments all the time, perhaps unconsciously—like judging whether it’s safe to cross the street. To totally remove the threat of being hit by a car, you’d either have to build a tunnel under or a bridge over the street, or you could completely ban cars. Such measures are overkill for a single person crossing the street when traffic is light, but they might be an appropriate risk mitigation when lots of people need to cross a street—or if the street is essentially a pedestrian mall.
The same goes for modeling the threats in your digital life. Unless you are Batman—with vast reserves of resources, a secret identity to protect from criminals and all but a select few members of law enforcement, and life-or-death consequences if your information gets exposed—you do not need Batman-esque security measures. (There are certainly times when you need additional security even if you’re not Batman, however; we’ll go into those special circumstances in the second half of this guide.)
For those who want to lock things down without going offline and moving to a bunker in New Zealand, the first step is to assess the following things:
What in my digital life can give away critical information tied to my finances, privacy, and safety?
What can I do to minimize those risks?
How much risk reduction effort is proportional to the risks I face?
How much effort can I actually afford?
Reducing your personal attack surface
The first question above is all about taking inventory of the bits of your digital life that could be exploited by a criminal (or an unscrupulous company, employer, or the like) for profit at your expense or could put you in a vulnerable position. A sample list might include your phone and other mobile devices, personal computer, home network, social media accounts, online banking and financial accounts, and your physical identification and credit cards. We’re going to cover the first few here; more will be covered in part two.
Each of these items offers an “attack surface”—an opportunity for someone to exploit that component to get to your personal data. Just how much of an attack surface you present depends on many factors, but you can significantly reduce opportunities for malicious exploitation of these things with some basic countermeasures.
Physical mobile threats
Smart phones and tablets carry a significant portion of our digital identities. They also have a habit of falling out of our direct physical control by being lost, stolen, or idly picked up by others while we’re not attending to them.
Defending against casual attempts to get at personal data on a smart phone (as opposed to attempts by law enforcement, sophisticated criminals, or state actors) is fairly straightforward.
First, if you’re not at home, you should always lock your device before you put it down, no exceptions. Your phone should be locked with the most secure method you’re comfortable with—as long as it’s not a 4-digit PIN, which isn’t exactly useless but is definitely adjacent to uselessness. For better security, use a password or a passcode that’s at least six characters long—and preferably longer. If you’re using facial recognition or a fingerprint unlock on your phone, this shouldn’t be too inconvenient.
Second, set your device to require a password immediately after it’s been locked. Delays mean someone who snatches your phone can get to your data if they bring up the screen in time. Additionally, make sure your device is set to erase its contents after 10 bad password attempts at maximum. This is especially important if you haven’t set a longer passcode.
Also, regularly back up your phone. The safest way to back up data if you’re concerned about privacy is an encrypted backup to your personal computer; however, most iOS device owners can back up their data to iCloud with confidence that it is end-to-end encrypted (as long as they have iOS 13 or later). Your mileage will vary with different Android implementations and backup apps.
Along the same lines, make sure you have installed the most recent version of the phone OS available to prevent someone from taking advantage of known security bypasses. For iOS, this is generally simple—when your device prompts you to upgrade, do it. The upgrade situation on Android is somewhat more complicated, but the same general advice holds true: upgrade ASAP, every time. (There is a school of thought that says you should hold off on the latest upgrades in order for bugs to be worked out, but adhering to that advice will put you in a position where your device might have exploitable vulnerabilities. You can mitigate those vulnerabilities by upgrading.)
More than 100,000 people have had their eyes scanned in return for a cryptocurrency called Worldcoin, as a project to distribute digital money more widely around the world accelerates.
Worldcoin has distributed about 30 iris-scanning hardware devices, which they call “orbs,” to early users on four continents, who get rewards for signing up more people. Orbs take photos of a user’s eyeballs, creating a unique code that can be used to claim free digital tokens.
The project’s developers said on Thursday they planned to release hundreds of orbs in the coming months and eventually distribute 4,000 devices per month. The team plans to debut the cryptocurrency network early next year and begin giving away the tokens at that time. They have not said how much cryptocurrency users can expect to receive.
Worldcoin amounts to one of the most ambitious and complex attempts to hand out cryptocurrency to the world’s population, similar to the economic concept of universal basic income. The project has already faced feverish criticism, and its own developers admit the “outcome is uncertain.”
Alex Blania, the cofounder of Worldcoin, denied that the project would invade people’s privacy, saying that the orbs convert iris scans into unique strings of letters and numbers before permanently deleting the images.
The resulting code would simply be used to check whether a user has already claimed a share of the Worldcoin tokens.
“Even if I would have your iris code in one form or another, I would have no chance to find out who you actually are on the blockchain,” Blania said, referring to the digital ledgers that underpin cryptocurrencies. Worldcoin is built on the ethereum blockchain.
Blania said about 130,000 people had signed up for the project so far, and the token would be valuable as a technology that can be used for new financial applications.
The team behind Worldcoin has raised $25 million in venture capital, including a round of funding led by Andreessen Horowitz that valued the company, Tools for Humanity, at $1 billion.
Sam Altman, a former president of the Y Combinator start-up accelerator, is also an investor and co-founder of the project. Altman has been a vocal proponent of universal basic income, the concept of providing people with free money on a regular basis.
Worldcoin plans to issue 10 billion tokens in total, with 80 percent going to users, 10 percent to the company’s investors and another 10 percent to a foundation for manufacturing the orbs and developing the network.
Blania said co-founders and employees will receive a portion of the foundation’s tokens, declining to provide an exact figure. A Worldcoin spokesperson said the company planned to set up the foundation before the network’s debut.
Like many cryptocurrency projects, Worldcoin’s tokens are not backed by any hard assets and could fluctuate in value based on their popularity.
Worldcoin estimated it could reach more than 1 billion people within the first two years of the network’s operation, assuming people continue signing up at current rates and the team meets its orb distribution targets.
People who sign up for Worldcoin will receive their full allotment of tokens over time through a pre-planned vesting schedule, which Blania said was still in development.
Blania said the rate at which Worldcoin is distributed would ultimately depend on the design of the vesting schedule and the pace of user sign-ups.
Worldcoin has so far distributed orbs to 12 countries in Africa, South America, Europe and Asia. The most productive orb owner has signed up more than 10,000 people in Chile by hiring 20 people who work in shifts, the company said.
Since at least 2019, hackers have been hijacking high-profile YouTube channels. Sometimes they broadcast cryptocurrency scams, sometimes they simply auction off access to the account. Now, Google has detailed the technique that hackers-for-hire used to compromise thousands of YouTube creators in just the past couple of years.
Cryptocurrency scams and account takeovers themselves aren’t a rarity; look no further than last fall’s Twitter hack for an example of that chaos at scale. But the sustained assault against YouTube accounts stands out both for its breadth and for the methods the hackers used, and an old maneuver that’s nonetheless incredibly tricky to defend against.
It all starts with a phish. Attackers send YouTube creators an email that appears to be from a real service—like a VPN, photo editing app, or antivirus offering—and offer to collaborate. They propose a standard promotional arrangement: Show our product to your viewers and we’ll pay you a fee. It’s the kind of transaction that happens every day for YouTube’s luminaries, a bustling industry of influencer payouts.
Clicking the link to download the product, though, takes the creator to a malware landing site instead of the real deal. In some cases the hackers impersonated known quantities like Cisco VPN and Steam games, or pretended to be media outlets focused on COVID-19. Google says it has found over 1,000 domains to date that were purpose-built for infecting unwitting YouTubers. And that only hints at the scale. The company also found 15,000 email accounts associated with the attackers behind the scheme. The attacks don’t appear to have been the work of a single entity; rather, Google says, various hackers advertised account takeover services on Russian-language forums.
Once a YouTuber inadvertently downloads the malicious software, it grabs specific cookies from their browser. These “session cookies” confirm that the user has successfully logged in to their account. A hacker can upload those stolen cookies to a malicious server, letting them pose as the already authenticated victim. Session cookies are especially valuable to attackers because they eliminate the need to go through any part of the login process. Who needs credentials to sneak into the Death Star detention center when you can just borrow a stormtrooper’s armor?
“Additional security mechanisms like two-factor authentication can present considerable obstacles to attackers,” says Jason Polakis, a computer scientist at the University of Illinois, Chicago, who studies cookie theft techniques. “That renders browser cookies an extremely valuable resource for them, as they can avoid the additional security checks and defenses that are triggered during the login process.”
Such “pass-the-cookie” techniques have been around for more than a decade, but they’re still effective. In these campaigns, Google says it observed hackers using about a dozen different off-the-shelf and open source malware tools to steal browser cookies from victims’ devices. Many of these hacking tools could also steal passwords.
“Account hijacking attacks remain a rampant threat, because attackers can leverage compromised accounts in a plethora of ways,” Polakis says. “Attackers can use compromised email accounts to propagate scams and phishing campaigns or can even use stolen session cookies to drain the funds from a victim’s financial accounts.”
Google wouldn’t confirm which specific incidents were tied to the cookie-theft spree. But a notable surge in takeovers occurred in August 2020, when hackers hijacked multiple accounts with hundreds of thousands of followers and changed the channel names to variations on “Elon Musk” or “Space X,” then livestreamed bitcoin giveaway scams. It’s unclear how much revenue any of them generated, but presumably these attacks have been at least moderately successful given how pervasive they became.
This type of YouTube account takeover ramped up in 2019 and 2020, and Google says it convened a number of its security teams to address the issue. Since May 2021 the company says it has caught 99.6 percent of these phishing emails on Gmail, with 1.6 million messages and 2,400 malicious files blocked, 62,000 phishing page warnings displayed, and 4,000 successful account restorations. Now Google researchers have observed attackers transitioning to targeting creators who use email providers other than Gmail—like aol.com, email.cz, seznam.cz, and post.cz—as a way of avoiding Google’s phishing detection. Attackers have also started trying to redirect their targets over to WhatsApp, Telegram, Discord, or other messaging apps to keep out of sight.
“A large number of hijacked channels were rebranded for cryptocurrency scam live-streaming,” Google TAG explains in a blog post. “The channel name, profile picture and content were all replaced with cryptocurrency branding to impersonate large tech or cryptocurrency exchange firms. The attacker live-streamed videos promising cryptocurrency giveaways in exchange for an initial contribution.”
Though two-factor authentication can’t stop these malware-based cookie thefts, it’s an important protection for other types of scams and phishing. Beginning on November 1, Google will require YouTube creators who monetize their channels to turn on two-factor for the Google account associated with their YouTube Studio or YouTube Studio Content Manager. It’s also important to heed Google’s “Safe Browsing” warnings about potentially malicious pages. And as always, be careful what you click and which attachments you download from your email.
The advice for YouTube viewers is even simpler: If your favorite channel is pushing a cryptocurrency deal that seems too good to be true, give it some Dramatic Chipmunk side eye and move on.