An alert complaint about a potential foreclosure conversation that President Donald Trump had in July with Ukrainian President Volodymyr Zelensky led to a congressional hearing and investigation with full inquiry this week. At one point in the conversation, Trump brought up the cyber security incident crowdfunding company Crowdstrike, indicating that he still does not believe the US intelligence community's conclusion that Russia hacked the Democratic National Committee and interfered in the 2016 election. Here is a map of all code relations between Russia's hacker groups, in case you need a quick update.
Meanwhile, we went through the privacy and security settings you should know about in Apple's new iOS 1[ads1]3 mobile operating system, but Apple is still shaken by game-changing iOS device security disclosures. On Friday, a researcher published a rare exploit that can be used to jailbreak almost all iOS devices released between 2011 and 2017, namely every iPhone model from 4S to X.
Findings from Defcon Voting Village show that voting machines currently is still in use contains vulnerabilities discovered more than ten years ago. Google on Monday apologized for how they had handled human review of audio excerpts captured by smart speakers and other devices. The cameras in the bells capture small moments that used to go unnoticed and change cultural norms. And internet infrastructure company Cloudflare launched its security-focused VPN after, ahem, a rocky start.
If all this is not enough for you, read this excerpt from Edward Snowden's new book Permanent Record to hear, in his own words, why he became a whistleblower.
And there's more! Every Saturday, we round up the security and privacy stories that we didn't break or report in depth, but which we think you should know about anyway. Click on the headlines to read them and stay safe out there.
DoorDash suffers Major Data Breach
DoorDash, a delivery company, confirmed a data breach on Thursday nearly five months after it happened on May 4, and a year after some users began to complain that their accounts were inexplicably compromised. The company said the incident exposed data from 4.9 million users, merchants and delivery workers. Users who created accounts after April 5, 2018 were not affected by the breach. DoorDash said the incident happened through a third-party service. The breach compromised names, email addresses, order history, phone numbers, delivery addresses and hashed and salted passwords. Hackers also grabbed the last four digits of some user credit cards, but not the complete numbers or card verification (CVV) values. Hackers also gained access to the last four digits of some merchant and delivery worker's bank account number. The cherry on top is that the hackers also stole the driver's license number of around 100,000 delivery workers.
In a class action lawsuit on September 17, first announced in July, FedEx shareholders claim that the company's executives did not disclose the complete damage caused by NotPetya cyberattacks in 2017 and its destabilizing impact on a European acquisition. It further claims that the same executives simultaneously sold tens of millions of dollars worth of shares in the company overall. The NotPetya attacks are the most costly and devastating in history, totaling $ 10 billion in damage worldwide.
Uyghur-focused hacking campaign also hit Tibetans
Earlier this month, security firm Volexity revealed that a likely Chinese hacking campaign had used a collection of iOS days exploits – originally unveiled by Google's research group Project Zero – to infect to the country's Uyghur minority group. So it is little surprise that the same hacking campaign also extended to the second perennial victim of China's hacking and surveillance: Tibetan activists and exiles. Civil society-focused security research group Citizen Lab revealed that a hacking campaign linked to the Uyghur attacks also targeted Tibetans, including the Dalai Lama staff, and hacked both iOS and Android with one-click attacks delivered in WhatsApp messages that exploited now-updated vulnerabilities .
This week, YouTubers dealt with a flood of account transfers that appear to have specially targeted creators focused on auto tuning and car reviews. Dozens of complaints emerged on Twitter and in the YouTube Support Forum for what appears to be a coordinated phishing attack that seized user credentials. After infiltrating accounts, the hackers assigned compromised channels to new owners and then changed their custom URL to make it look like the accounts had been deleted.
Chrome Update Bricks Mac Pros
Google Keystone, which manages Chrome updates, had an error this week that could damage the file system on computers running macOS and even cause data corruption. A series of Hollywood video editors first noticed the problem when their Mac Pros would not boot. Some of the configurations used with third-party graphics cards in Mac Pros made film industry professionals more prone to damage. Google paused the rollout of the offending Chrome update until it could provide a solution and instructions for regaining access to the walled Macs.