Monthly Archives: December 2020

Just some of the iDevice types that Corellium didn’t break one law—but may still have broken another—by emulating.

Security firm Corellium, which develops software that researchers can use to analyze Apple products, has been handed a partial victory in Apple’s lawsuit against it, as a judge ruled that its creation of virtual iOS environments does not violate Apple’s copyrights.

Corellium has since 2017 been creating iOS environments that can run on desktop computers, for use as a research and development tool. Apple sued Corellium in 2019, alleging, “Corellium’s true goal is profiting off its blatant infringement” of iOS, and claiming that the firm “encourages its users to sell any discovered information [about system vulnerabilities] on the open market to the highest bidder.”

Earlier this year, Apple amended the suit to include allegations that Corellium’s work violated the Digital Millennium Copyright Act’s (DMCA) prohibition on circumventing or breaking DRM.

US


2020 was a tough year for a lot of reasons, not least of which were breaches and hacks that visited pain on end users, customers, and the organizations that were targeted. The ransomware menace dominated headlines, with an endless stream of compromises hitting schools, governments, and private companies as criminals demanded ransoms in the millions of dollars. There was a steady stream of data breaches as well. Several mass account takeovers made appearances, too.

What follows are some of the highlights. For good measure, we’re also throwing in a couple notable hacks that, while not actively used in the wild, were impressive beyond measure or pushed the boundaries of security.

The SolarWinds hack

2020 saved the most devastating breach for last. Hackers that multiple public officials say are backed by the Russian government started by compromising the software distribution system of SolarWinds, the maker of network monitoring software that tens


People are complaining about situations like this in Cyberpunk 2077.

On its release day, Cyberpunk 2077 immediately pivoted from one of the holiday season’s most hotly anticipated new games to one of this year’s biggest debacles, as bugs both comical and game-breaking proved to be so prolific on consoles that Sony even delisted the title entirely from its digital storefront for the time being. Developer and publisher CD Projekt Red has had its hands full for the last few weeks juggling broad mockery and unhappy customers, and now there’s a new woe on their pile: shareholder suits.

Two different law firms announced last week they were filing suit against CD Projekt, alleging the company violated securities law by misleading investors (and everyone else) about the state of Cyberpunk 2077 and whether it would be playable on current-generation consoles, the PlayStation 4 and Xbox One.

Statements CD Projekt



Cisco has patched its Jabber conferencing and messaging application against a critical vulnerability that made it possible for attackers to execute malicious code that would spread from computer to computer with no user interaction required. Again.

The vulnerability, which was first disclosed in September, was the result of several flaws discovered by researchers at security firm Watchcom Security. First, the app failed to properly filter potentially malicious elements contained in user-sent messages. The filter was based on an incomplete blocklist that could be bypassed using a programming attribute known as onanimationstart.

Messages that contained the attribute were passed directly to the DOM of an embedded browser. Because the browser was based on the Chromium Embedded Framework, it would execute any scripts that made it through the filter.

With the filter bypassed, the researchers still had to find a way to break out of a security sandbox that’s designed to



Researchers from IBM Trusteer say they’ve uncovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts in a matter of days.

The scale of the operation was unlike anything the researchers have seen before. In one case, crooks used about 20 emulators to mimic more than 16,000 phones belonging to customers whose mobile bank accounts had been compromised. In a separate case, a single emulator was able to spoof more than 8,100 devices, as shown in the following image:

IBM Trusteer

The thieves then entered usernames and passwords into banking apps running on the emulators and initiated fraudulent money orders that siphoned funds out of the compromised accounts. Emulators are used by legitimate developers and researchers to test how apps run on a variety of different mobile devices.

To bypass protections banks use to block such


Amazon’s competitor to SpaceX Starlink is moving through the prototype-development phase, with the company announcing yesterday that it has “completed initial development on the antenna for our low-cost customer terminal.”

Amazon said its “Ka-band phased-array antenna is based on a new architecture capable of delivering high-speed, low-latency broadband in a form factor that is smaller and lighter than legacy antenna designs” and the “prototype is already delivering speeds up to 400Mbps.” Performance will get better in future versions, Amazon said.

Amazon in July received Federal Communications Commission approval to launch 3,236 low-Earth orbit satellites. The company says it plans to invest over $10 billion in its satellite-broadband division, which it calls Project Kuiper.

Ka-band antennas

To reduce production costs, Amazon said it must “decrease the size, weight, and complexity” of the antenna. But this is difficult with Ka-band equipment, which needs “more physical separation between transmit and receive antennas to
