Here, find your monthly briefing on the latest hacks, scams, news, Apple security patches—and what it means for you.
Hacks, Scams, Trouble + What to Do
Hackers May Have Stolen Every US Citizen’s Social Security Number in the Dumbest Possible Way—What to Do
A massive data breach may affect almost every US citizen. It contains billions of records stolen from a sketchy data broker called National Public Data, including sets of US addresses, each paired with the social security number of a resident.
National Public Data sounds like a big, secure company, right? Nope. It is one of several sketchy data broker websites set up by Salvatore (Sal) Verini Jr., a Florida man who played a cop on TV and also briefly served as a deputy at the Broward County Sheriff’s office. In addition to launching a film studio, he also set up multiple nearly identical websites to sell background check info, one of which is National Public Data.
The good news is much of the archive stolen from National Public Data appears to be wrong, redundant, or out of date. More good news: the security research group Pentesters has made a free tool so you can check what data of yours is contained in this breach.
The sadly hilarious news is another of Mr. Verini’s data broker websites, recordscheck.net, which was built from the same template as National Public Data and offers access to the same archive, had kept the passwords to its encrypted database in a file that was freely available on their public website. In other words, it had published its own admin passwords for anyone to see. This might be a clue as to how National Public Data may have gotten hacked.
The much worse news is that ethically questionable but perfectly legal data brokers who collect and store massive amounts of sensitive information in databases they are not equipped to defend are a dime a dozen, meaning that more breaches like this are coming. They might be harder to hack if, unlike National Public Data, they don’t publish their own passwords, but it’s still going to happen.
Data breaches compromising sensitive data on individual Americans are piling up. Compromised records now number in the billions this year alone, ranging from sensitive voter registration records, to social security numbers and addresses, to phone records, and more.
What to Do: Freeze your credit and brace for endless waves of ever better-informed scammers by staying educated and vigilant. We used to say “consider freezing your credit,” but it’s time. It takes twenty minutes. Go do it right now.
That Missing Child Poster Is a Scam—Here’s How It Works
“Have you seen my child? Mackie went to school Thursday but hasn’t been seen since. He was wearing…” Posts like this, or perhaps featuring a pet instead of a child, have been circulating on social media swap groups, such as your local “Buy Sell Trade” group.
Clicking the link or engaging with the scam could do one of several things: it could ask you to click a phishing link; it could do nothing at first, but after the link has been shared many times the original uploader swaps out the images in the post to turn it into an advertisement, making it seem that everyone who shared it endorsed their product; or, most perniciously, it could link to someone soliciting donations, who would then harass or blackmail any donors for more money.
What to Do: Screenshot any image associated with a post like this and perform a reverse image search. These simple steps may reveal whether the person depicted in the image is really who the post claims. If not, report the post to the page admins and to Facebook. It is also worth searching Facebook for the individuals named in the post, to see if you have mutual contacts. Oftentimes, local buy-sell-trade groups are local enough that a missing person would be recognizable by someone you know.
Google Chrome Cancels Popular Ad-Blocker—Maybe Cancel Chrome Instead
Are you still using Google Chrome as your web browser? Chrome is cracking down on ad blockers, making it harder to safely navigate the web.
Chrome has alerted users of the popular and well-trusted ad blocker uBlock Origin that they must soon choose an alternative option. uBlock Origin hasn’t done anything wrong. Instead, Google is phasing out the extension interface uBlock Origin uses to talk to the web browser (Manifest V2) in favor of one that Google claims will be better for security (Manifest V3), but which security experts at the Electronic Frontier Foundation have long warned mostly just punishes ad blockers without improving security. Since ad blockers are actually good for security, this is a net negative. We recommend ad blockers, but we don’t recommend Google Chrome.
The Bottom Line: Firefox, Safari, and DuckDuckGo are all great web browsers with excellent ad blockers available for each (if you want uBlock Origin, opt for Firefox). Now’s a good time to move from Chrome to a better browser and bring all your bookmarks and history with you.
A Mac Web Browser Feature Has Let Hackers into Your Local Network for 18 Years—How to Fix it
A feature of web browsers for macOS, including Safari, Firefox, Chrome, and all others built using Chrome’s engine such as Brave and Opera, makes it possible for hackers to access devices on your local network through your browser.
While widely reported, this scary-sounding hack only works if you are running vulnerable processes on your local host, and if you don’t know what that is, then you’re probably not doing it. Normal users don’t mess around with running anything on their local host, let alone vulnerable processes that might be affected by this hack. So, most of us can rest easy on this one. Referred to as the 0.0.0.0 vulnerability, this bug has been around for 18 years, but it’s now been patched by every major browser.
The Bottom Line: Update your web browsers. How to update Safari. How to update Firefox.
Your Smart TV Knows Everything You Watch and It’s a Tattletale—But You Can Turn It Off
Did you know that by default your smart TV takes a screenshot every few seconds to see if it can identify what you’re watching? It then reports its findings to its parent company, which uses the information to price advertising slots.
This behavior, called Automatic Content Recognition (ACR), is employed by every smart TV manufacturer and is often on by default. It offers no advantage to users and disabling it costs nothing.
The Bottom Line: Here’s how to disable smart TV monitoring and other information hoovering features happening without your knowledge.
This Should Be on Your Radar
Trump Campaign Breached
The presidential campaign of former President Donald Trump has suffered a cybersecurity breach and various internal communications have been stolen. This breach seems to have occurred through a targeted phishing campaign, a reminder to stay ever vigilant against phishing emails.
Details of what in particular the thieves managed to steal have not been revealed. According to both Google and the U.S. Government, the same Iranian group responsible for this breach has also targeted both the Biden and the Harris campaigns, reports the Washington Post, though with no success so far. It is no surprise that Iran and other countries with adversarial attitudes toward the United States, such as Russia and China, are actively engaged in seeking access to the communications of American political figures.
The Bottom Line: This breach seems to have occurred through a targeted phishing campaign. The hackers compromised an email account belonging to a senior Trump advisor and then used it to send more phishing emails to his associates and staffers. To prevent this, use phishing-resistant multi-factor authentication such as a passkey or hardware key on your email accounts, employ a password manager, and practice vigilance against phishing emails.
Hack of Internet Service Provider Permits Exploit of Customers
Here’s one reason why it’s important to be careful about what software you install: even programs that are safe can open the door to malware later, without you doing anything. A hacker group codenamed Storm Bamboo managed to compromise some hardware at an internet service provider, and used this compromise to install malware on the Mac computers of some of that service provider’s customers, all without those customers ever having to do anything.
According to the security firm Volexity, which discovered the hack, they managed this feat in an unusually clever new way. Whenever you type a website into your address bar, your computer looks up that web address in a sort of phone book called the Domain Name System (DNS), usually run by your internet service provider. The DNS lookup replies with the address for how to find that website’s hosting servers in the tangled skein of the internet. You ask for pictures of cats, the DNS lookup responds with the server holding cat pictures. If a hacker has compromised the DNS lookup, they can simply answer with whatever info they like, rerouting your computer to something other than what you asked for. You ask for pictures of cats, but instead they serve you pictures of dogs. This could easily be used to route you to a lookalike website for phishing, but that’s relatively easy to detect because the poser site will appear right in front of your eyes, and you might notice something wrong with it.
Storm Bamboo’s new attack is clever because they didn’t reroute browser activity. Instead, they went for the invisible internet lookups done by programs installed on your computer, which routinely check the internet to see if an update is available. If one is available, they may even install that update without input from you. These attackers were able to identify some common apps that sought updates in that insecure way, and the attackers were able to reroute those requests and install malware instead. Clever hackers! Clever hacksy tricks.
The Bottom Line: Even with all these clever tricks, this attack still only works on computers that are running software with insecure update mechanisms. In general, avoid installing applications that have not been updated recently, and try to make a habit of removing applications you no longer use and replacing ones that are no longer supported. A complete system refresh every few years helps cut down on the number of applications left installed. And, of course, keep a malware scanner on your Mac. We recommend Malwarebytes.
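For readers who want to check their own Mac for the kind of insecure update lookup described above, here is an added example (not from this newsletter or from Volexity) that reads each app's Info.plist and flags update feeds fetched over plain HTTP without a signing key. It assumes apps update through the Sparkle framework, whose `SUFeedURL`, `SUPublicEDKey` and `SUPublicDSAKeyFile` keys it inspects; the article does not name any updater, and the sample plists are constructed.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlsplit

# Assumption: the updater is Sparkle; these are its Info.plist keys.
# Apps that set their feed in code instead will show up as "n/a" here.
FEED_KEY = "SUFeedURL"
SIGNING_KEYS = ("SUPublicEDKey", "SUPublicDSAKeyFile")

def audit_info_plist(raw: bytes) -> dict:
    """Classify one app's update configuration from its Info.plist bytes."""
    info = plistlib.loads(raw)  # accepts XML and binary plists
    app = info.get("CFBundleName", "<unnamed>")
    feed = info.get(FEED_KEY)
    if not feed:
        return {"app": app, "risk": "n/a", "why": "no update feed declared in Info.plist"}
    scheme = urlsplit(feed).scheme.lower()
    signed = any(k in info for k in SIGNING_KEYS)
    if scheme == "https":
        risk, why = "low", "feed fetched over HTTPS; a rerouted lookup fails the TLS check"
    elif signed:
        risk, why = "review", "plaintext feed can be altered in transit; signing key still gates installs"
    else:
        risk, why = "high", "plaintext feed and no signing key: whoever answers the lookup supplies the update"
    return {"app": app, "risk": risk, "feed": feed, "why": why}

def scan_applications(root: str = "/Applications") -> list:
    """Audit every top-level .app bundle under root (read-only)."""
    findings = []
    for plist in sorted(Path(root).glob("*.app/Contents/Info.plist")):
        try:
            findings.append(audit_info_plist(plist.read_bytes()))
        except Exception:  # unreadable or malformed plist: skip it
            continue
    return findings

# Constructed sample Info.plist contents (not real applications).
SAMPLES = [
    plistlib.dumps({"CFBundleName": "OldPlayer",
                    "SUFeedURL": "http://updates.example.com/appcast.xml"}),
    plistlib.dumps({"CFBundleName": "NoteTool",
                    "SUFeedURL": "https://example.org/appcast.xml",
                    "SUPublicEDKey": "constructed-placeholder-key"}),
    plistlib.dumps({"CFBundleName": "Calc"}),
]

if __name__ == "__main__":
    for finding in [audit_info_plist(s) for s in SAMPLES] + scan_applications():
        print(finding["risk"].upper(), finding["app"], "-", finding["why"])
```

Apps reported as "high" are the ones to update, replace, or remove first.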
Google Search Hegemony Violates Antitrust
A U.S. judge has ruled in favor of the U.S. Justice Department’s allegation that Google’s controlling share over the internet search marketplace does violate antitrust law, reports AP News. The ruling is likely to shake up the world of internet searches, and the internet itself… eventually.
The ruling is potentially sweeping, and could result in an order that would break up Google or force them to divest certain holdings, though that has not happened yet. Google says they will appeal the decision, and the appeals process could easily drag out for years.
The Bottom Line: Have you heard of DuckDuckGo? It’s a search engine that puts user privacy front and center. They also actively remove malicious websites from their searches. Here’s how to change which search engine your iPhone uses by default.
Hacker Duel: Lone Researcher Stands Up To Ransomware Gangs, Saves Six Companies
Hackers may not be any better at defending themselves online than you are. A security researcher named Vangelis Stykas set out to understand ransomware gangs, but ended up breaching their networks, watching their communications, and stealing the keys to help save a bunch of companies from ransomware, reports TechCrunch.
We tip our hats to Vangelis Stykas. Great work, sir. He was able to track the servers used by the hackers and it turned out they were using a default password on some of their systems, which let him access their database of stolen data in real time. That meant he could see which systems they were attacking even as they were doing it.
The Bottom Line: Criminal scammers, like everybody else, make mistakes. If you follow all the best practices for security for regular folks, you might be harder to hack than a hacker.
Michigan Hospital Hit with Ransomware
Hospitals have been tempting targets for ransomware gangs because their budgets are often stretched too thin across too many systems that are legitimately life-and-death to also make expensive, and relatively less life-threatening, cybersecurity a priority. But they’re also the custodians of treasure troves of private and personal information.
The result has been a swath of ransomware attackers knocking out hospitals around the world. The latest example in this grim parade is a healthcare provider in Michigan, which suffered failures of their phone and computer systems due to a cybersecurity attack, reports The Record. While the hospital continued to function, some services had to be canceled. It’s important to note that a ransomware event, in which a ransomware gang is able to encrypt the hospital systems and ask for a payment for the service of decrypting them again, may not always include data theft. The systems can be disabled remotely without stealing copies of the data contained within them. In this case, we don’t know what happened.
The Bottom Line: We don’t have a choice about what information we share with our healthcare providers, nor can we prevent our hospitals from being targeted. The only thing we can really do is harden our own defenses against scams and fraud so we are less likely to be victimized by scammers who know all about our private medical business.
Security Fail of the Month
12 Voter Databases in Illinois Fully Visible on the Open Web
Most scammers depend on knowing their victims, and the more they know, the easier it is to work out an effective scam. That’s why it’s so shocking to learn that a voter registration company called Platinum left voter records including social security numbers, death certificates, and voter registration applications for Illinois voters all visible on the open internet, reports Wired.
Leaving an entire database open to the internet is something that happens weirdly often, but with an election around the corner, voter databases are critical infrastructure, and leaving them open and unsecured is a serious whoopsie.
The Bottom Line: What are we supposed to do when the people we trust to protect our information prove they are untrustworthy? The best we can. We just do the best we can. That means taking all the basic cybersecurity self-defense steps for Apple enthusiasts. It means staying informed and vigilant. Unfortunately, it also means we cannot assume that almost any piece of information about us, from social security numbers to birth certificates, is private, or will remain private. Instead, we need to architect our personal security so the loss of this information to bad actors will not harm us. Freeze your credit. Use a password manager.
Security Updates from Apple
Bug fixes! Get your fresh hot bug fixes!
The most recent iOS and iPadOS is 17.6.1.
The most recent macOS is 14.6.1.
The most recent tvOS is 17.6.1.
The most recent watchOS is 10.6.1.
The most recent visionOS is 1.3.
All of these updates included bug fixes with no known security content.
If you encounter any hacks, scams, or trouble you think our readers ought to know about, let us know by emailing [email protected].