Security researchers from Duo Labs have found a vulnerability in an Apple-specific mechanism used to control devices as part of closed enterprise networks.
The mechanism is quite widespread and is known as Mobile Device Management (MDM). Companies of every size use it to enroll Apple devices under a single management server, from which system administrators can deliver common certificates, applications, WiFi passwords, VPN configurations, and so on – all specific to that company’s network.
In a research paper published today and shared with ZDNet in advance, the Duo Labs team has revealed a vulnerability in DEP, or the Device Enrollment Program, the protocol through which new Apple devices are added to an MDM server.
More specifically, Duo Labs researchers say that the “device authentication” process of the DEP scheme can be exploited by an attacker – step #4 in the image below.
Duo researchers say that flaws in the way DEP was designed allow an attacker to trick the authentication step and enroll a device of the attacker’s choosing in an organization’s MDM server.
Furthermore, researchers also say the DEP pre-enrollment authentication process can also be abused to leak information about the organization that owns a specific device, information that can be abused for planning future attacks.
These attacks on the MDM DEP authentication process are possible mainly because Apple relies only on a device’s serial number to uniquely identify an iPhone, iPad, or Mac device that is being added to an MDM server.
“The weaknesses in Apple’s Device Enrollment Program authentication outlined in [our] paper can be remediated in several ways,” said Duo Labs researchers.
“Some of the recommended remediation steps will require re-architecting how DEP and MDM enrollment work, and could require hardware changes, while others are more straightforward and can be implemented directly by customers using DEP.”
These remediation steps are described in a 32-page report released today. They include the use of cryptographic signatures generated by modern chips embedded in Apple’s latest devices, adding a rate limit to DEP API requests to prevent mass device data harvesting, and the use of modern authentication support via SAML or OAuth 2.0 as part of the DEP enrollment process.
“Regardless of the authentication weaknesses in the current implementation of Apple’s Device Enrollment Program, there’s no question that it still provides value for organizations with large fleets of Apple devices,” researchers said, also suggesting the issue they found could be mitigated via various security best practices applied to internal networks and user devices.
Duo said it notified Apple of the MDM DEP vulnerability in May this year. Apple has not deployed any countermeasures as of yet. Researchers will be presenting their findings tomorrow, September 28, at the ekoparty security conference, held in Buenos Aires, Argentina.
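To make the root cause and two of the proposed remediations concrete, here is an added Python model that is not Duo’s or Apple’s code and does not reproduce the real DEP protocol. It contrasts a serial-number-only lookup, which treats anyone who knows a valid serial as that device and answers every guess with the owning organization, against a check that requires the device to sign a server-chosen nonce and that rate-limits lookups per client. The inventory, serial numbers, organization name, rate-limit parameters and the per-device HMAC key (a stand-in for a hardware-bound signing key) are all constructed for the example.

```python
"""Serial-only enrollment check versus an attested, rate-limited check.
Illustrative model only (not Apple's DEP/MDM code). The per-device HMAC
key is an assumption standing in for a key held by the device's secure chip."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed inventory: serial -> (organisation, per-device secret key).
# The real program knows the serial; the secret models a key that only the
# genuine device could use, which is what Duo's "cryptographic signatures"
# remediation relies on.
INVENTORY = {
    "C02ABC123DEF": ("Example Corp", secrets.token_bytes(32)),
    "C02XYZ987GHI": ("Example Corp", secrets.token_bytes(32)),
}


def enroll_serial_only(serial: str):
    """Weak check: possession of a valid serial is treated as proof of identity,
    and every query returns the owning organisation (harvestable)."""
    entry = INVENTORY.get(serial)
    return entry[0] if entry else None


class AttestedEnrollment:
    """Hardened check: the serial must be accompanied by a signature over a
    one-time server nonce, and challenge requests are rate-limited per client."""

    def __init__(self, max_requests: int = 5, window_s: float = 60.0):
        self.max_requests = max_requests
        self.window_s = window_s
        self.nonces = {}                    # serial -> outstanding nonce
        self.history = defaultdict(deque)   # client id -> request timestamps

    def _allow(self, client: str, now: float) -> bool:
        """Sliding-window limiter: drop stale timestamps, then count."""
        q = self.history[client]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

    def challenge(self, client: str, serial: str, now=None):
        """Issue a nonce for a known serial; rate-limited before any lookup so
        that unknown-serial probes count too and no org data leaks in bulk."""
        now = time.monotonic() if now is None else now
        if not self._allow(client, now):
            return None
        if serial not in INVENTORY:
            return None
        nonce = secrets.token_hex(16)
        self.nonces[serial] = nonce
        return nonce

    def verify(self, serial: str, nonce: str, signature: bytes):
        """Accept only a fresh nonce signed with the device's key; the nonce is
        consumed either way, so a captured response cannot be replayed."""
        expected_nonce = self.nonces.pop(serial, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return None
        org, key = INVENTORY[serial]
        expected_sig = hmac.new(key, nonce.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, signature):
            return None
        return org


def device_sign(serial: str, nonce: str) -> bytes:
    """What a genuine device would do with its hardware-bound key (modelled)."""
    _, key = INVENTORY[serial]
    return hmac.new(key, nonce.encode(), hashlib.sha256).digest()


if __name__ == "__main__":
    server = AttestedEnrollment(max_requests=3)
    serial = "C02ABC123DEF"
    print("serial-only:", enroll_serial_only(serial))
    nonce = server.challenge("device-1", serial)
    print("attested:", server.verify(serial, nonce, device_sign(serial, nonce)))
    print("wrong key:", server.verify(serial, server.challenge("device-1", serial), b"\x00" * 32))
```

The asymmetry is the point: the weak function needs nothing a third party could not obtain or guess, while the hardened path needs a key that never leaves the device and refuses to answer a client that queries faster than the window allows, which is what blocks the mass serial-to-organization harvesting the researchers describe.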
TikTok is confronting Holocaust misinformation, but antisemitism persists – TechCrunch
In honor of International Holocaust Remembrance Day, TikTok launched a portal on its Discover page this morning, intended to educate users about the historic catastrophe, as well as the ongoing threat of antisemitism. The platform also hosted a similar portal last year.
When users navigate to the Discover page on the TikTok mobile app, they will see a clickable banner acknowledging International Holocaust Remembrance Day. This directs them to a page with three educational TikToks from Jewish creators, including a 98-year-old Holocaust survivor who makes TikToks with the help of her great-grandson. Plus, from now on, when users search terms like “Holocaust” or “Holocaust survivor” on TikTok, they will see a banner prompting them to “consult trusted sources to prevent the spread of hate and misinformation,” directing them to visit a multilingual website about the Holocaust. In the coming months, TikTok will add a similar notice as a permanent banner on videos about the Holocaust. TikTok made these changes in collaboration with UNESCO and the World Jewish Congress, an organization that has been working with the platform since 2020.
This initiative directly addresses Holocaust denial, a false conspiracy theory that the Holocaust didn’t happen. But some Jewish TikTokers think that antisemitism on the platform is a larger, more complex issue that can’t be solved through a few pop-ups on Holocaust content.
A stylist with 74,000 followers, Liv Schreiber partnered with Jewish dating app The Lox Club on an advertisement in November. A week later, she posted a video showing a cascade of antisemitic comments she received each day since posting the video.
“I don’t understand why antisemitism is tolerated,” Schreiber said in her video. “I don’t understand why it doesn’t get taken down. This is non-negotiable, TikTok.”
Conversations about antisemitism on TikTok swelled last April when one trend went viral, in which users would sing “If I Were a Rich Man” from the Jewish musical “Fiddler on the Roof” while using a filter that elongated their facial features, like their nose. For Jewish people on TikTok, this trend evoked a historic stereotype, where antisemitic caricatures depicted Jewish people with exaggerated noses, alongside other harmful antisemitic imagery.
As that trend percolated through TikTok, the platform tried to shine a positive light on the app’s Jewish creators through a tag called #MyJewishHeritage, which the app created to celebrate Jewish Heritage Month in May 2021. TikTok highlighted some posts about Judaism on the Discover page, but the creators who had their content promoted got no warning from TikTok. As a result, some Jewish creators were suddenly flooded with a barrage of antisemitic comments.
TikTok said that the creators featured on this year’s International Holocaust Remembrance Day portal were compensated for their work.
“The issue with TikTok antisemitism is you end up being harassed from all sides,” Ezra, a political TikToker with over 37,000 followers, told TechCrunch. “You have far-right accounts, troll accounts, unintentionally antisemitic accounts that don’t know better, and left-wing accounts that can’t differentiate between Jews and Israel. So cracking down on antisemitism is a multi-pronged issue.”
TikTok has publicly condemned antisemitism on its platform, but public gestures of solidarity like the launch of the new portal might ring hollow for users who have experienced harassment on the platform. It’s also unclear how much time TikTok spent on the effort because when TechCrunch first accessed the Holocaust Remembrance Day portal — several hours after its release at 3 AM ET — its link to report an antisemitic incident to the Anti-Defamation League didn’t work. A few hours later, the issue appeared to be fixed. TikTok has not yet responded to inquiries as to why it launched without a functioning link.
Stephanie Gurewitz (@shachar.mg), a grad student who posts about antisemitism on TikTok, was surprised to see that the International Holocaust Remembrance Day portal only addressed the impact of the Holocaust on Jewish people. Yom HaShoah, a separate day of remembrance, specifically observes the death of six million Jewish people in the Holocaust. But the Nazis also persecuted disabled, homosexual and Romani people, among other marginalized populations.
“This is International Holocaust Remembrance Day, rather than the remembrance day that’s specifically for Jewish people,” Gurewitz told TechCrunch. “Today’s about all victims of the Holocaust, and it doesn’t mention anything about Romani people. There are some things missing there, and that’s an issue.”
They mentioned that they’ve received antisemitic comments on their videos today, too.
“People come on TikTok with biases already, and I don’t think banners are enough to stop that,” they said.
Content moderation on a platform with one billion monthly active users is no easy task. But users regularly get around detection mechanisms through means that are obvious to any regular user — even when talking about something like sexuality, users might write “s3xuality” to avoid being wrongfully flagged as violating guidelines (adult content is a violation; talking about homosexuality, for example, is not). These same tactics are regularly applied by malicious users to send antisemitic messages, which TikTok fails to detect.
“I really am all about TikTok and other social media platforms doing what they can to bring attention to important causes […] When I see that [Holocaust Remembrance] portal, I think of all the meetings they had about it internally, and because of that, I’m grateful,” Schreiber told TechCrunch.
Messenger upgrades its end-to-end encrypted chat experience – TechCrunch
Although default end-to-end encryption won’t fully arrive on Facebook Messenger until sometime in 2023, the company says today that its end-to-end encrypted group chats and calls in Messenger are now fully rolled out. In addition, Messenger is adding another security feature with the launch of screenshot notifications in end-to-end encrypted chats, similar to rival Snapchat’s, that will alert you if someone takes a screenshot of one of Messenger’s disappearing messages. Users will also now be able to add GIFs, stickers, and reactions to their encrypted chats.
Support for end-to-end encrypted (E2EE) group chats and calls was first announced in August 2021, promising Messenger users a way to keep their personal conversations safe from criminals and nation-state surveillance. Many governments, however, have not necessarily been on board with the idea, saying that Messenger’s plans to expand its encryption efforts would complicate law enforcement’s ability to investigate crimes. But Meta has pushed back, noting that E2EE was already widely used by apps like WhatsApp and was becoming an industry standard.
E2EE for group calls and chats wasn’t fully launched at the time of last year’s announcement, though. Instead, Meta said it would first begin testing the feature for friends and family who already had an existing chat thread and were already connected. It also said it would begin a test of delivery controls that would work with E2EE chats, allowing users to prevent unwanted interactions by deciding who went to their chat list, who went to their message requests folder, and who couldn’t message them at all.
Now, months later, the feature is fully rolled out to Messenger users globally, who can choose to turn on E2EE for their private conversations.
Soon, Messenger will also warn users if someone screenshots a disappearing message in E2EE chats. This is the same feature that’s already offered in Messenger’s vanish mode — a feature that functions much like Snapchat, where messages will disappear after they’ve been seen. If someone takes a screenshot of a vanish mode chat — and now a disappearing message in E2EE chats, as well — you’ll receive a notification so you can address this with the other party, or even block or report the conversation if need be. The company says these notifications will roll out “over the next few weeks.”
Finally, E2EE chats will also gain access to other features that have previously been available only to non-E2EE chats, including GIFs, stickers, and reactions, as well as support for replies to a specific thread, typing indicators, and forwarding options. Verified badges will also be available in E2EE chats to help you identify authentic accounts when chatting. And users will be able to save media with a long-press and edit photos and videos before sending. These features are not new, but they’re new to end-to-end encrypted chats.
Meta says all the features are available on all platforms, including web and mobile, for all users. But the rollout is ongoing, so some people won’t see all of the features immediately.
U.S. consumers lost $770 million in social media scams in 2021, up 18x from 2017 – TechCrunch
A growing number of U.S. consumers are getting scammed on social media according to a new report by the Federal Trade Commission (FTC), which revealed that consumers lost $770 million to social media scams in 2021 — a figure that accounted for about one-fourth of all fraud losses for the year. That number has also increased 18 times from the $42 million in social media fraud reported in 2017, the FTC said, as new types of scams involving cryptocurrency and online shopping became more popular. This has also led to many younger consumers getting scammed, as now adults ages 18 to 39 reported fraud losses at a rate that’s 2.4x higher than adults 40 and over.
Scammers have clearly found that social media is one of the most profitable places to commit fraud. More than 95,000 fraud victims said they were first contacted on social media — more than double 2020’s number, and up 19x from 2017.
More than one in four individuals who reported losing money to fraud to the FTC last year said they first saw a post, message, or ad on social media which had prompted the scam. Excluding reports that didn’t indicate a contact method, social media scams accounted for 26% of the losses attributed to fraud in 2021 ($770 million), followed by websites and apps at 19% ($554 million), then phone calls at 18% ($546 million). The median individual losses, however, were highest with phone fraud at $1,110 compared with $468 for social media fraud.
Facebook and Instagram were where most of these social media scams took place, the data indicated.
In the case of online romance scams, more than a third of users reported the first outreach they had from the scammer was on Facebook or Instagram. Specifically, Facebook accounted for 23% and Instagram 13% of romance scams. These scams would begin with a seemingly innocent friend request, followed by sweet talk, then a request for money, the report explained.
Meanwhile, more than half (54%) of the investment scams in 2021 began with social media platforms, where scammers would promote bogus investment opportunities or connect with people directly to encourage them to invest. Instagram was popular with scammers here, accounting for 36% of investment scams, followed by Facebook at 28%, then messaging apps WhatsApp and Telegram at 9% and 7%, respectively.
A large majority of the investment scams now involve cryptocurrency, the report also found. In 2021, cryptocurrency was the method of payment in 64% of social media investment scams reported to the FTC. Payment apps and services were the payment methods used in 13% of cases, followed by bank transfers or bank payments in 9%.
Although romance and investment scams continued to account for the largest losses by dollar amounts, even reaching record highs, the scams with the largest number of reports to the FTC involve consumers trying to purchase something they first saw on social media. In most cases, people were trying to make a purchase of something they saw marketed on Facebook or Instagram.
In 2021, 45% of reports sent to the FTC over money lost in social media scams were related to online shopping. Nearly 70% of those involved people who placed an order, typically after seeing an ad on social media, but then never received the merchandise. Some also noted the ads would direct them to “lookalike” websites, designed to fool them into thinking they were purchasing from a real online retailer. Facebook and Instagram served as the platforms of choice for 9 out of 10 of these scams, the report noted.
The increase in online shopping scams isn’t just an issue for the consumers losing money — it’s detrimental to the overall e-commerce ecosystem and to social media companies’ businesses. In recent years, Facebook and Instagram have invested heavily in making online shopping a core part of their services, promising to connect advertisers with targeted customers. The Meta-owned apps also now include their own “Shop” sections, where consumers can browse goods and check out directly — without having to exit to an external website. But if consumers become wary of the legitimacy of the online retailers featured on these platforms, they may hesitate to shop from social media in the future.
For Meta, a change in consumer shopping behavior would matter more today than in years past, as the company’s larger ad business has been impacted by Apple’s privacy changes on iOS which let consumers opt out of tracking. Anticipating the market shift that would result from this reduced ability to personalize ads, Meta has been diversifying its revenue by creating in-app shops where it can capture more first-party data based on consumer shopping inside its own platform. It’s also tapping into new revenue streams from the creator economy, like subscriptions and tipping.
The FTC said that investment, romance, and e-commerce scams, combined, accounted for 70% of social media scams in 2021, but there were other types of fraud also associated with social platforms. The report did not break these down by category, however.