Unauthenticated Optin Campaign Cache Deletion vulnerability in MailOptin plugin <= 1.2.49.0 at WordPress.

CVE-2022-36340

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iCloud for Windows 11.4, iOS 14.0 and iPadOS 14.0, watchOS 7.0, tvOS 14.0, iCloud for Windows 7.21, iTunes for Windows 12.10.9. Processing a maliciously crafted tiff file may lead to a denial-of-service or potentially disclose memory contents.

This document describes the security content of iCloud for Windows 7.21.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**iCloud for Windows 7.21**

Released September 24, 2020

**ImageIO**

Available for: Windows 7 and later

Impact: Processing a maliciously crafted tiff file may lead to a denial-of-service or potentially disclose memory contents

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-36521: Xingwei Lin of Ant-Financial Light-Year Security Lab

Entry added May 25, 2022

**SQLite**

Available for: Windows 7 and later

Impact: A remote attacker may be able to cause a denial of service

Description: This issue was addressed with improved checks.

CVE-2020-9991

Entry added November 12, 2020

**SQLite**

Available for: Windows 7 and later

Impact: Multiple issues in SQLite

Description: Multiple issues were addressed by updating SQLite to version 3.32.3.

CVE-2020-15358

Entry added November 12, 2020

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: An input validation issue was addressed with improved input validation.

CVE-2020-9952: Ryan Pickren (ryanpickren.com)

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: May 25, 2022

CVE-2020-36521: About the security content of iCloud for Windows 7.21

New research shows how third-party apps could be exploited to infiltrate these sensitive workplace tools.

Collaboration apps like Slack and Microsoft Teams have become the connective tissue of the modern workplace, tying together users with everything from messaging to scheduling to video conference tools. But as Slack and Teams become full-blown, app-enabled operating systems of corporate productivity, one group of researchers has pointed to serious risks in what they expose to third-party programs—at the same time as they're trusted with more organizations' sensitive data than ever before.

A new study by researchers at the University of Wisconsin-Madison points to troubling gaps in the third-party app security model of both Slack and Teams, which range from a lack of review of the apps’ code to default settings that allow any user to install an app for an entire workspace. And while Slack and Teams apps are at least limited by the permissions they seek approval for upon installation, the study's survey of those safeguards found that hundreds of apps' permissions would nonetheless allow them to potentially post messages as a user, hijack the functionality of other legitimate apps, or even, in a handful of cases, access content in private channels when no such permission was granted.

“Slack and Teams are becoming clearinghouses of all of an organization’s sensitive resources,” says Earlence Fernandes, one of the researchers on the study who now works as a professor of computer science at the University of California at San Diego, and who presented the research last month at the USENIX Security conference. “And yet, the apps running on them, which provide a lot of collaboration functionality, can violate any expectation of security and privacy users would have in such a platform.”

When WIRED reached out to Slack and Microsoft about the researchers' findings, Microsoft declined to comment until it could speak to the researchers. (The researchers say they communicated with Microsoft about their findings prior to publication.) Slack, for its part, says that a collection of approved apps that is available in its Slack App Directory does receive security reviews before inclusion and are monitored for any suspicious behavior. It "strongly recommends" that users install only these approved apps and that administrators configure their workspaces to allow users to install apps only with an administrator's permission. "We take privacy and security very seriously," the company says in a statement, "and we work to ensure that the Slack platform is a trusted environment to build and distribute apps, and that those apps are enterprise-grade from day one."

But both Slack and Teams nonetheless have fundamental issues in their vetting of third-party apps, the researchers argue. They both allow integration of apps hosted on the app developer's own servers with no review of the apps' actual code by Slack or Microsoft engineers. Even the apps reviewed for inclusion in Slack's App Directory undergo only a more superficial check of the apps' functionality to see whether they work as described, check elements of their security configuration such as their use of encryption, and run automated app scans that check their interfaces for vulnerabilities.

Despite Slack's own recommendations, both collaboration platforms by default allow any user to add these independently hosted apps to a workspace. An organization's administrators can switch on stricter security settings that require the administrators to approve apps before they're installed. But even then, those administrators must approve or deny apps without themselves having any ability to vet their code, either—and crucially, the apps' code can change at any time, allowing a seemingly legitimate app to become a malicious one. That means attacks could take the form of malicious apps disguised as innocent ones, or truly legitimate apps could be compromised by hackers in a supply chain attack, in which hackers sabotage an application at its source in an effort to target the networks of its users. And with no access to apps' underlying code, those changes could be undetectable to both administrators and any monitoring system used by Slack or Microsoft.

All of that leaves users—who have grown accustomed to more well-secured third-party app environments, such as the code reviews implemented in Apple's App Store and Google Play—vulnerable to risks they don't expect when they install a seemingly innocent app on their organization's collaboration workspace. "Compared to iOS or Android, I would say their security model is at least five to six years behind," University of Wisconsin researcher Yunang Chen says of Slack and Teams.

As in other stricter app models, Slack and Teams limit apps' data access with a set of permissions that users must approve for an app to be installed. But—setting aside that a single user can often approve those access permissions for an entire organization—the researchers found that apps' permissions can sometimes allow them to perform unexpected and dangerous behaviors. An app intended for scheduled posts that asks for the ability to post as the user can, for instance, impersonate them as part of a phishing scheme or send messages from their account to trigger another app's functionality. In some instances, software developers even allow changes to their code repositories based on Slack messages, potentially allowing an app that sends messages from a user account to alter code and corrupt their software.

In another attack, researchers found that apps can "overwrite" the command that launches another app in Slack or Teams, such as typing "/zoom" in one of the platforms to start a Zoom meeting. A malicious app, the researchers point out, could hijack that command to make "/zoom" instead launch an imposter copy of Zoom that intercepts all the users' communications. While the researchers note that Slack has recently added a safeguard that warns when an app overwrites a command in this way, it warns the user only upon installation of the app, and malicious apps can still perform that takeover trick after they're installed.

To get a sense of just how many apps might pose these sorts of risks, the researchers surveyed the permissions of all Slack and Teams apps and found that about one in three Teams apps and almost one in four Slack apps ask for permissions that would allow them to act as the user, posting messages or adding emoji reactions on their behalf. 52 percent of Slack apps ask for permissions that would allow them to overwrite another app's launch command.

The researchers also point to yet another security issue, specific to Slack, that can allow an app to access private channels that are "locked" and intended to be accessible only to specific users—even when the app asks for no such permission. The researchers found that when a link to a message in a private channel is copied into a user's direct messages to themselves, the private channel message "unfurls," and its text appears in that conversation if the user is a member of the private channel. So an app that merely asks for read and write access to a user's direct messages and basic information about—but not the content of—their private channels can also read all the messages posted to a private channel. (The app could also quickly delete the direct messages it sends to the user as part of the attack, to avoid leaving a record of its snooping.) In their survey of app permissions, the researchers found 11 Slack apps that ask for exactly those permissions, and thus could gain this unexpected private channel access.

Despite Microsoft's response to WIRED that it wanted to discuss the researchers' findings before commenting, the researchers write in their paper that they approached both Slack and Microsoft with their findings prior to publication, and both companies confirmed that their attack techniques were possible. They write, however, that Slack and Microsoft didn't consider their findings to "meet their definitions of a security vulnerability," since they required deceiving users into installing a malicious app, and both Slack and Microsoft expect workspace administrators to police those installations. But that response only puts the onus on administrators, argues University of Wisconsin researcher Yue Gao, who "are even worse off than Slack" when it comes to assessing an app's legitimacy.

Some of the problems that the researchers identified in Slack and Teams—like apps' ability to overwrite other apps' launch commands and read messages in private channels—could be fixed with relatively simple patches, says Andrei Sabelfeld, a computer science professor at Chalmers University of Technology in Sweden who reviewed the researchers' work. But if Slack and Teams apps continue to be hosted on third-party servers, the deeper problem would remain. "There's no way to have any account of what the developers are doing," Sabelfield says. "This points to a fundamental tension: The code is outside their control."

That means, both Sabelfield and the University of Wisconsin researchers argue, that any real fix would require Slack and Microsoft to broadly overhaul their app model to make it more like traditional operating systems that carefully vet the code of apps, monitor that code for changes, and strictly enforce the permissions apps are granted. If Slack and Teams are going to become the hub traversed by every organization's holiest of holy data, in other words, it's time they took better care of who is invited to the inner sanctum.

Slack’s and Teams’ Lax App Security Raises Alarms

Manufacturers need to document a medical device's intended use and operational environment, as well as plan for misuse, such as a cyberattack.

Due to the increasing concerns about medical devices' cybersecurity risks, European Union regulators put forward a new set of market entry requirements for medical devices and in vitro diagnostic medical devices to reduce the risk of patient harm as a result of a cyber incident, as well as protect national health systems.

EU regulators are raising the bar on cybersecurity requirements with the European Union Medical Device Regulation (MDR) and the European Union In Vitro Diagnostic Regulation (IVDR), which went into effect May 26, 2021. The regulations are intended to "establish a robust, transparent, predictable and sustainable regulatory framework ... which ensures a high level of safety and health whilst supporting innovation."

Organizations have until May 26, 2024, or when their current market certification expires, to make the necessary changes to their quality management systems and technical documentation to comply with the new requirements. Despite the number of assessment processes and standards and guidance documents that have been provided, medical device manufacturers, providers, and certification services may not be ready in time.

More than 90% of currently valid AIMDD/MDD certificates will expire by 2024, so a significant number of existing devices need to be reapproved, in addition to new devices entering the market. It is estimated that 85% of products currently on the market today still require new certification under MDR.IVDR. Considering that the process takes 13 to 18 months, companies need to start the process now in order to meet the 2024 deadline.

**Setting Instructions for Use**

In general, cybersecurity processes are not that different from general device performance and safety processes. The goal is to assure (through verification and validation) and demonstrate (through documentation) device performance, risk reduction and control, and minimization of foreseeable risks and undesirable side effects through risk management. Combination products or interconnected devices/systems also require management of the risks that result from interaction between software and the IT environment.

The Medical Device Coordination Group's MDCG-16 Guidance on Cybersecurity for medical devices explains how to interpret and fulfill cybersecurity requirements under MDR and IVDR. Manufacturers are expected to take into account the principles of the secure development life cycle, security risk management, and verification and validation. Further, they should provide minimum IT requirements and expectations for cybersecurity processes, such as installation and maintenance in their device's instructions for use. "Instructions for use" is a highly structured required section of the certification application manufacturers must file.

Cybersecurity measures must reduce any risks associated with the operation of medical devices, including cybersecurity-induced safety risks, to provide a high level of protection for health and safety. The International Electrotechnical Commission (IEC) spells out high-level security features, best practices, and security levels in IEC/TIR 60601-4-5. Another IEC technical report, IEC 80001-2-2, enumerates specific design and architecture security capabilities, such as automatic logoff, audit controls, data backup and disaster recovery, malware detection/protection, and system and OS hardening.

To meet ISO guidelines (ISO 14971), the Association for the Advancement of Medical Instrumentation advises striking a balance between safety and security. Careful analysis is required to prevent security measures from compromising safety and safety measures from becoming a security risk. Security needs to be right-sized and should be neither too weak nor too restrictive.

**Sharing Responsibility for Cybersecurity**

Cybersecurity is a responsibility shared between the device manufacturer and the deploying organization (typically the customer/operator). Thus, specific roles that provide important cybersecurity functions — such as integrator, operator, healthcare and medical professionals, and patients and consumers — require careful training and documentation.

The "instructions for use" section of a manufacturer's certification application should provide cybersecurity processes including security configuration options, product installation, initial configuration guidelines (e.g., change of default password), instructions for deploying security updates, procedures for using the medical device in failsafe mode (e.g., enter/exit failsafe mode, performance restrictions in fail-safe mode, and data recovery function when resuming normal operation), and action plans for the user in case of an alert message.

That section should also provide user requirements for training and enumerate required skills, including IT skills required for the installation, configuration, and operation of the medical device. In addition, it should specify requirements for the operating environment (hardware, network characteristics, security controls, etc.) that cover assumptions on the environment of use, risks for device operation outside the intended operating environment, minimum platform requirements for the connected medical device, recommended IT security controls, and backup and restore features for both data and configuration settings.

Specific security information may be shared through documentation other than the instructions for use, such as instructions for administrators or security operation manuals. Such information may include a list of IT security controls included in the medical device, provisions to ensure integrity/validation of software updates and security patches, technical properties of hardware components, the software bill of materials, user roles and associated access privileges/permissions on the device, logging function, guidelines on security recommendations, requirements for integrating the medical device into a health information system, and a list of the network data streams (protocol types, origin/destination of data streams, addressing scheme, etc.).

If the operating environment is not exclusively local but involves external hosting providers, the documentation must clearly state what, where (in consideration of data-residency laws), and how data is stored, as well as any security controls to safeguard the data in the cloud environment (e.g., encryption). The instructions for use section of the documentation needs to provide specific configuration requirements for the operating environment, such as firewall rules (ports, interfaces, protocols, addressing schemes, etc.).

Security controls implemented during premarket activities may be inadequate to maintain an acceptable benefit-risk level during the operational life of the device. Therefore, regulations require the manufacturer to establish a post-market cybersecurity surveillance program to monitor operation of the device in the intended environment; to share and disseminate cybersecurity information and knowledge of cybersecurity vulnerabilities and threats across multiple sectors; to perform vulnerability remediation; and to plan for incident response.

The manufacturer is further responsible for investigating and reporting serious incidents and fielding safety corrective actions. Specifically, incidents that have cybersecurity-related root causes are subject to trend reporting, including any statistically significant increase in the frequency or severity of incidents.

**Planning for All Scenarios**

Today's medical devices are highly integrated and operate in a complex network of devices and systems, many of which may not be under control of the device operator. Therefore, manufacturers should carefully document the device's intended use and intended operational environment, as well as plan for reasonably foreseeable misuse, such as a cyberattack.

Cybersecurity pre- and post-market risk management requirements and supporting activities are not necessarily different from traditional safety programs. However, they do add an additional level of complexity as:

*   The range of risks to consider is more complex (safety, privacy, operations, business). 
*   They require a specific set of activities that need to be conducted along the device development life cycle via a Secure Product Development Framework (SPDF).

Global regulators, including MDR/IVDR, are starting to enforce a higher level of security for medical devices and specifically requiring demonstrable security as part of the larger device life cycle. Devices should meet, based on device type and use case, a security baseline, and manufacturers need to maintain that baseline over the entire lifetime of the device.

How Europe Is Using Regulations to Harden Medical Devices Against Attack

Vulnerability could have been used to bypass cloud isolation protection

Vulnerability could have been used to bypass cloud isolation protection

Oracle has patched a critical vulnerability in its cloud infrastructure that could have allowed attackers to steal data or tamper with client files.

On September 20, Wiz security researcher Elad Gabay publicly disclosed the security flaw, found in June following an examination of Oracle Cloud Infrastructure (OCI).

Dubbed #AttachMe, the “major” bug centers on one problem: a lack of permissions protection when attaching volumes to OCI.

**Attack path**

An attack would begin with the use of a target’s unique identifier, their cloud environment ID (OCID), which could be found via publicly available information or a low-privilege account.

A threat actor would then initiate an instance in an attacker-controlled tenant – located in the same availability domain (AD) as the target volume – before attaching the victim’s volume to the instance.

Read more of the latest cloud security news

OCI, by design, supports the attachment of a single volume to multiple instances simultaneously.

The lack of authorization checks would ensure the attacker had read/write privileges over the target volume, whether or not they had sufficient permissions.

As a result, it may have been possible for attackers to leverage this avenue to steal or modify information, search for cleartext secrets, or move laterally across the volume.

**Worst-case scenario**

In the worst-case scenario, attackers could potentially hijack an environment by manipulating binaries to achieve code execution.

“Before it was patched, #AttachMe could have allowed attackers to access and modify any other users’ OCI storage volumes without authorization, thereby violating cloud isolation,” Gabay said.

Wiz added that the vulnerability could have impacted all OCI customers or could have been used to target the infrastructure of individual client services.

The Wiz security team disclosed its findings to Oracle on June 9, three days after discovery.

Oracle acknowledged the security report on June 10, and it was on the same day that the vulnerability was confirmed and fixed. No OCI customer action is required.

Catch up with the latest cybersecurity vulnerability news

Speaking to The Daily Swig, Wiz researcher Sagi Tzadik said that the real-world ramifications of the vulnerability, if not patched so rapidly by oracle, could have been quite severe.

“This could lead to severe sensitive data leakage for potentially all OCI customers and in some scenarios could even be exploited to gain remote code execution on their environment, providing an initial entry point for further movement in the victim’s cloud environment,” he commented.

“While OCIDs are generally private, they are not treated as secrets. It is relatively feasible to obtain these IDs from a quick GitHub or Google search.”

Oracle declined to comment, but thanked Gabay in the firm’s July 2022 Critical Patch Update notes.

“Insufficient validation of user permissions is a common bug class among cloud service providers,” Wiz added.

“The best way to identify such issues is by performing rigorous code reviews and comprehensive tests for each sensitive API in the development stage. We also recommend performing service-specific penetration tests and participating in bug bounty programs, as these have proven effective with these types of issues.”

DON’T MISS Tarfile path traversal bug from 2007 still present in 350k open source repos

#AttachMe Oracle cloud bug exposed volumes to data theft, hijack 

An integer overflow in WhatsApp could result in remote code execution in an established video call.

**WhatsApp Security Advisories****2022 Updates**

**_February Update_**

**CVE-2021-24043**

A missing bound check in RTCP flag parsing code prior to WhatsApp for Android v2.21.23.2, WhatsApp Business for Android v2.21.23.2, WhatsApp for iOS v2.21.230.6, WhatsApp Business for iOS 2.21.230.7, and WhatsApp Desktop v2.2145.0 could have allowed an out-of-bounds heap read if a user sent a malformed RTCP packet during an established call.

**_January Update_**

**CVE-2021-24042**

The calling logic for WhatsApp for Android prior to v2.21.23, WhatsApp Business for Android prior to v2.21.23, WhatsApp for iOS prior to v2.21.230, WhatsApp Business for iOS prior to v2.21.230, WhatsApp for KaiOS prior to v2.2143, WhatsApp Desktop prior to v2.2146 could have allowed an out-of-bounds write if a user makes a 1:1 call to a malicious actor.

CVE-2022-36934: WhatsApp-turvallisuustiedotteet

Churches are using invasive phone-monitoring tech to discourage “sinful” behavior. Some software is seeing more than congregants realize.

Gracepoint is the kind of evangelical Southern Baptist church that’s compelled to publicly enumerate all of the ways it’s not a cult. “We’ll admit that we’re a bit crazy about the Great Commission and sharing the Gospel,” reads an FAQ page titled, “Is Gracepoint a Cult?” So when Grant Hao-Wei Lin came out to a Gracepoint church leader during their weekly one-on-one session, he was surprised to learn that he wasn’t going to be kicked out. According to his church leader, Hao-Wei Lin says, God still loved him in spite of his “struggle with same-sex attraction.”

But Gracepoint did not leave the matter in God’s hands alone. At their next one-on-one the following week, Hao-Wei Lin says the church leader asked him to install an app called Covenant Eyes on his phone. The app is explicitly marketed as anti-pornography software, but according to Hao-Wei Lin, his church leader told him it would help “control all of his urges.”

Covenant Eyes is part of a multimillion-dollar ecosystem of so-called accountability apps that are marketed to both churches and parents as tools to police online activity. For a monthly fee, some of these apps monitor everything their users see and do on their devices, even taking screenshots (at least one per minute, in the case of Covenant Eyes) and eavesdropping on web traffic, WIRED found. The apps then report a feed of all of the users’ online activity directly to a chaperone—an “accountability partner,” in the apps’ parlance. When WIRED presented its findings to Google, however, the company determined that two of the top accountability apps—Covenant Eyes and Accountable2You—violate its policies.

The omnipotence of Covenant Eyes soon weighed heavily on Hao-Wei Lin, who has since left Gracepoint. Within a month of installing the app, he started receiving accusatory emails from his church leader referencing things he had viewed online. “Anything you need to tell me?” reads one email Hao-Wei Lin shared with WIRED. Attached was a report from Covenant Eyes that detailed every single piece of digital content Hao-Wei Lin had consumed the prior week. It was a trail of digital minutiae accumulated from nights spent aimlessly browsing the internet, things Hao-Wei Lin could barely remember having seen—and would have forgotten about had a member of his Church not confronted him. The church leader zeroed in on a single piece of content that Covenant Eyes had flagged as “Mature”: Hao-Wei Lin had searched “#Gay” on a website called Statigr.am, and the app had flagged it.

Gracepoint, which focuses on colleges, claims to “serve students” on more than 70 campuses across the United States. According to emails between a Covenant Eyes representative and a former Gracepoint church leader that WIRED reviewed, the company said that in 2012 as many as 450 Gracepoint Church members were signed up to be monitored through Covenant Eyes.

“I wouldn’t quite call it spyware,” says a former member of Gracepoint who was asked to use Covenant Eyes and spoke on the condition of anonymity, due to privacy concerns. “It’s more like ‘shameware,’ and it’s just another way the church controls you.”

Similar to surveillance software like Bark or NetNanny, which is used to monitor children at home and school, “shameware” apps are lesser-known tools that are used to keep track of behaviors parents or religious organizations deem unhealthy or immoral. Fortify, for instance, was developed by the founder of an anti-pornography nonprofit called Fight the New Drug and tracks how often an individual masturbates in order to help them overcome “sexual compulsivity.” The app has been downloaded over 100,000 times and has thousands of reviews on the Google Play store.

The current iteration of the Covenant Eyes app was developed by Michael Holm, a former NSA mathematician who now serves as a data scientist for the company. The system is allegedly capable of distinguishing between pornographic and non-pornographic images. The software captures everything visible on a device’s screen, analyzing the images locally before slightly blurring them and sending them to a server to be saved. “Image-based pornography detection was a huge conceptual change for Covenant Eyes,” Holm told _The Christian Post_, an evangelical Christian news outlet, in 2019. “While I didn’t yet know it, God had put me in that place at that time for a purpose higher than myself, just as I and others had desired and prayed for.”

Covenant Eyes spokesperson Dan Armstrong says the company is “concerned” about “people being monitored without proper consent.” He adds that “accountability relationships are better off between people who already know each other and want the best for one another, such as close personal friends and family members,” and that the company discourages using its app in relationships with a power imbalance.

Among the top accountability apps—including Accountable2You and EverAccountable—Covenant Eyes appears to be the largest player. The company organizes conferences that are attended by thousands of people and dedicated to educating attendees about the dangers of pornography while pitching the company’s product as an urgent solution to what it characterizes as a growing moral crisis. According to the app analytics firm AppFigures, in the past year more than 50,000 people have downloaded Covenant Eyes. Rocketreach estimates that the company has an annual revenue of $26 million.

Ed Kang, pastor of Gracepoint Church in Berkeley, California, and a major figure in the organization, says in an email that volunteer staff members are required to install Covenant Eyes or Accountable2You “as part of their staff agreement.” But he disputes that church leaders were instructed to monitor congregants’ phone activity. “Usually it’s whoever they \[congregants\] designate, and we actually discourage leaders from being the accountability partners as that seems a bit too heavy,” he writes. (All five former Gracepoint congregants who spoke to WIRED said a church leader was their accountability partner.) Kang adds that the number of Gracepoint congregants who use Covenant Eyes or Accountable2You “may be significantly higher than 450 nowadays” and that Accountable2You “has better pricing.”

What’s common across Covenant Eyes, Accountable2You, and EverAccountable is their zero-tolerance approach to pornography. All three suggest in their marketing materials that not only is watching porn a moral failure, but any amount of porn consumption is bad for your health. Their solution: Promote purity through what they call “radical accountability,” a concept wherein a community comes together to confront a person who is living in sin. At its most basic level, the idea is pretty straightforward: Why would anyone watch porn if they are going to have to talk to their parents or pastor about it?

While these apps claim to have helped many people overcome pornography addictions, experts who study sexual health are skeptical that the apps have a lasting positive effect. “I’ve never seen anyone who’s been on one of these apps feel better about themselves in the long term,” says Nicole Praus, a scientist at the University of California, Los Angeles, who studies the effects of pornography on the brain and the spread of disinformation on sexual health. “These people just end up feeling like there’s something wrong with them when the reality is that there likely isn’t.”

But Covenant Eyes and Accountable2You do much more than just police pornography. When WIRED downloaded, decompiled, and tested Covenant Eyes and Accountable2You, we found that both apps are built to collect, monitor, and report all sorts of innocent behavior. The applications exploited Android’s accessibility permissions to monitor almost everything someone does on their phone. While the accessibility functionalities are meant to help developers build out features that assist people with disabilities, these apps take advantage of such permissions to either capture screenshots of everything actively being viewed on the device or detect the name of apps as they’re being used and record every website visited in the device’s browser.

In Hao-Wei Lin’s case, that included his Amazon purchases, articles he read, and even which friends’ accounts he looked at on Instagram. The trouble is, according to Hao-Wei Lin, providing his church leader with a ledger of everything he did online meant his pastor could always find something to ask him about, and the way Covenant Eyes flagged content didn’t help. For example, in Covenant Eyes reports that Hao-Wei Lin shared with WIRED, his online psychiatry textbook was rated “Highly Mature,” the most severe category of content reserved for “anonymizers, nudity, erotica, and pornography.” The same was true of anything Hao-Wei Lin felt was “remotely gay,” like his Statigr.am searches.

After WIRED contacted Google about Covenant Eyes and Accountable2You, both apps were suspended from the Google Play store. “Google Play permits the use of the Accessibility API for a wide range of applications,” spokesperson Danielle Cohen says in an email. “However, only services that are designed to help people with disabilities access their device or otherwise overcome challenges stemming from their disabilities are eligible to declare that they are accessibility tools.”

Covenant Eyes and Accountable2You both remain available on iOS. While WIRED did not test the apps on Apple devices, neither app appears to utilize iOS’ accessibility permissions. Apple has not yet responded to a request for comment.

In our tests of Accountable2You prior to its suspension, we found that the software similarly flagged content with keywords like “gay” or “lesbian” in the URL. For instance, when we set up a test account and navigated to the US Centers for Disease Control’s website for LGBTQ youth resources, the phone we designated as our accountability partner was immediately texted and emailed a “questionable activity report” indicating that our test phone had visited a “Highly Questionable” website.

“It’s really not about pornography,” says Brit, a former user of Accountable2You who asked to only be identified by her first name, due to privacy concerns. “It’s about making you conform to what your pastor wants.” Brit says she was asked to install the app by her parents after she was caught looking at pornography and that her mother and her pastor were both her designated accountability partners. “I remember I had to sit down and have a conversation with him \[her pastor\] after I Wikipedia’d an article about atheism,” she says. “I was a kid, but that doesn’t mean I don’t have some kind of right to read what I want to read.”

While accountability apps are largely marketed to parents and families, some also advertise their services to churches. Accountable2You, for example, advertises group rates for churches or small groups and has set up several landing pages for specific churches where members can sign up. Covenant Eyes, meanwhile, employs a director of Church and Ministry Outreach to help onboard religious organizations.

Accountable2You did not respond to WIRED’s requests for comment.

Eva Galperin is director of cybersecurity at the Electronic Frontier Foundation, a digital rights nonprofit, and cofounder of the Coalition Against Stalkerware. Galperin says consent to such surveillance is a major concern. “One of the key elements of consent is that a person can feel comfortable saying no,” she says. “You could argue that any app installed in a church setting is done in a coercive manner.” While WIRED did not speak to anyone who was unaware that the app was on their phone, which is often the case with spyware, Hao-Wei Lin says he didn’t feel like he was in a position where he could say no to his church leader when he was asked to install Covenant Eyes. Gracepoint had secured him a $400-a-month apartment in Berkeley, where he was attending college. Without the church’s support, he might have had nowhere to live.

But this is not the experience of everyone we spoke to. James Nagy is a former Gracepoint church member who, as a one-time congregation leader, was on both sides of Covenant Eyes reports. Nagy, who is gay, was taught from a young age that homosexuality was a sin. So when Gracepoint offered him a software solution that claimed to be able to help what he then considered to be a moral dilemma, he jumped at the opportunity. He says that while he believed many people at Gracepoint were pressured to install the app, in his case, the pressure came from himself. “Gracepoint didn’t try to change me,” Nagy says. “I tried to change me.” Nagy is now an elder at the Presbyterian Church (USA) and until 2021 was a facilitator with the Reformation Project, a nonprofit whose mission is to advance LGBTQ inclusion in the church.

In the quest to curb behavior churches deem immoral, these accountability apps will collect and store extremely sensitive personal information from their users, including from those under the age of 18. Fortify, which describes itself as an addiction recovery app, asks its users to log information about when they last masturbated, where they were when it happened, and what device they used. While Fortify’s privacy policy states that the company doesn’t sell or otherwise share this data with third parties, its policy does allow it to share data with trusted third parties to perform statistical analysis, though it does not mention who these trusted third parties are. In a phone call, Clay Olsen, the CEO of Fortify parent company Impact Suite, clarified that these trusted third parties include companies like Mixpanel, an analytics service company that tracks user interactions with web and mobile applications.

While WIRED found several churches recommending Fortify to their congregations, Olsen says neither Fortify nor Impact Suite count religious institutions as customers.

When WIRED tested the Fortify software, we found that the app also utilizes other technology to track users. For instance, because it includes Facebook’s Pixel, data related to Fortify’s masturbation-tracking form is sent to Facebook. While the data does not appear to include the contents of the tracking form, it does have metadata about the form itself, including when it was filled out. Facebook appears to store that data and, when possible, associates it with a user’s account. After setting up a test account with Facebook, logging in, and then interacting with Fortify, we were able to see interactions with Fortify in a copy of the test account’s data obtained through Facebook’s privacy center.

Fortify’s inclusion of Facebook’s Pixel isn’t just a privacy issue, it’s a security problem. While testing the app, we also noticed that the password to our account was sent in plaintext to Facebook in the URL of the tracking requests. Facebook claims to have filtering mechanisms to prevent its systems from storing this type of personal information, but Fortify’s apparent oversight is still concerning to experts like Galperin. “That’s a huge vulnerability,” she says. “It’s the sort of behavior that makes me feel like they don’t have security experts reviewing the app or its policies.”

Facebook spokesperson Emil Vazquez says companies that share sensitive user data with the Meta-owned social media platform are violating its policies. “Advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies,” Vazquez says. “Our system is designed to filter out potentially sensitive data it is able to detect.” Facebook did not say whether its filters detected the plaintext passwords sent by Fortify.

After being notified of the password issue, Olsen said Fortify would stop transmitting users’ unencrypted passwords to Facebook. As we went to press, the issue had not yet been addressed.

Hao-Wei Lin has since moved on from Gracepoint but is still processing the trauma he feels the church has caused him. I met him earlier this month at his thesis exhibition at Parsons School of Design in New York City, where he is about to get his Master of Fine Arts in photography. He tells me that it was only after he went back to school that he felt he was in a safe enough space to start processing what he went through at Gracepoint.

Hao-Wei Lin’s photography was somber, but not without humor. One was of a 3D rendering of a room where he says he and other members of Gracepoint would meet after their Sunday service. A solitary figure is hunched over praying, his head resting in the seat of his plastic chair. As I look at the photo, Hao-Wei Lin tells me he wants the viewer to feel like they are a surveillance camera perched in the top corner of the room. The name of his work: “Covenant Eyes.”

The Ungodly Surveillance of Anti-Porn ‘Shameware’ Apps

Red Hat Security Advisory 2022-6536-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.5.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.11.5 bug fix and security update  
Advisory ID:       RHSA-2022:6536-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6536  
Issue date:        2022-09-20  
CVE Names:         CVE-2015-20107 CVE-2021-3121 CVE-2022-0391  
                   CVE-2022-21123 CVE-2022-21125 CVE-2022-21166  
                   CVE-2022-28199 CVE-2022-30629 CVE-2022-34903  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.11.5 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.11.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.11.5. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHSA-2022:6535

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index  
validation (CVE-2021-3121)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

You may download the oc tool and use it to inspect release image metadata  
as follows:

(For x86_64 architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.5-x86_64

The image digest is  
sha256:fe4d499ac9fc7d12fcfccf3d6ae8a916c31e282d18adbebb0456c0fd6aef02c9

(For s390x architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.5-s390x

The image digest is  
sha256:c816b9487177b51db60875c794679b6df41c74d522ca00376cb9f86f9b44b577

(For ppc64le architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.5-ppc64le

The image digest is  
sha256:528174504037b4b9d8fda04bdad3f4acf7f68eeadb3a8fe2539f7a8a9bdff76a

(For aarch64 architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.5-aarch64

The image digest is  
sha256:04d3f194379cdd1c0e8015fd51038967c5fdb2eff52c6c60645b3a9381ed5f04

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation  
2024946 - Ingress Canary does not respect router sharding on default IngressController  
2104825 - Installer creates unnecessary master_ingress_cluster_policy_controller security group rule  
2108214 - Route status isn't always getting cleared with routeSelector updates  
2108595 - etcd Dashboard should be removed on guest cluster of hypershift  
2109193 - Power VS machine Processor is always defaulted to 0.5  
2109887 - [UI] MultiClusterHub details after it's creation starts flickers, disappears and appears back (happened twice)  
2110528 - Route status isn't always getting cleared with routeSelector updates  
2111345 - should use the same value for AlertRelabelConfig with oc explain  
2117424 - Backport:  https://github.com/openshift/kubernetes/pull/1295

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-1007 - CVE-2021-3121 telemeter-container: [1924548] telemeter-container: gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation [openshift-4]  
OCPBUGS-1070 - Update ODC owners  
OCPBUGS-1104 - package-server-manager does not migrate packageserver CSV from v0.17.0 to v0.18.3 on OCP 4.8 -> 4.9 upgrade  
OCPBUGS-1145 - Bug 2085336 - [IPI-Azure] Fail to create the worker node which HyperVGenerations is V2 or V1 and vmNetworkingType is Accelerated  
OCPBUGS-1233 - [IPI] nodelink controller is not able to reconcile and match nodes and machines with logical interfaces defined by nmstate at baremetalhost creation  
OCPBUGS-1261 - Backport: https://github.com/openshift/kubernetes/pull/1295  
OCPBUGS-393 - Setting disableNetworkDiagnostics: true does not persist when network-operator pod gets re-created  
OCPBUGS-455 - [vsphere] update install-config description for diskType  
OCPBUGS-524 - Plugin page error boundary message is not cleared after leaving page  
OCPBUGS-668 - Prefer local dns does not work expectedly on OCPv4.11  
OCPBUGS-744 - [4.11] Spoke BMH stuck ?provisioning? after changing a BIOS attribute via the converged workflow  
OCPBUGS-746 - [4.11] Supermicro server FirmwareSchema CR does not contain allowable_values, attribute_type and read_only flag  
OCPBUGS-747 - [4.11] Disconnected IPI OCP cluster install on baremetal fails when hostname of master nodes does not include the text "master

6. References:

https://access.redhat.com/security/cve/CVE-2015-20107  
https://access.redhat.com/security/cve/CVE-2021-3121  
https://access.redhat.com/security/cve/CVE-2022-0391  
https://access.redhat.com/security/cve/CVE-2022-21123  
https://access.redhat.com/security/cve/CVE-2022-21125  
https://access.redhat.com/security/cve/CVE-2022-21166  
https://access.redhat.com/security/cve/CVE-2022-28199  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYypf3NzjgjWX9erEAQi2+g//e7w8ENLVf90+9hEvNCJQkUk4fj1Tcuh/  
8h5rggfxHSIUdloqrvB3g3rxEflxDVeGR1VEOQz+WDW+rHFfk1WzRUIdYHBxPw+K  
S+SlOQybNr50P6Dtgb7FZNfvC6XU0wemC5qDFJgw4kIFf0irZZin+EGGMeMN/S6w  
CNRLb28zcOesG6FH1CnKkeUMeJHBj4+ZXFQXCXkLZBUswmYzwe9gTCdnvCtjrCbw  
OBWe3ATZdChrhRkgiymfQSvrVqgIvYAcfPRlLiUhS09dqXtyBXLJ6ug5v1jERYCx  
jFV4L3jf1mCkSRFLRNSry0o7YdmdKT6s1Rn/C7UjLD++i2iNM1bORKBAOPwcCdPL  
j+wykhTP2v3EXhxMerk5iLqu5wbmlEEBVwIjNan/qAP06zAs25Lwy4x6wOqVudnC  
zrGYp1zmmA6fS2q7XiUIb9QnBfTpPBY/QQcPwovRWoXsv7Hb9yMEQDP1RcZRcsER  
dNn825lo4j8U+12qySctvguQ8TTJoRKxUIO0V4D7r33jf468Z5qB6cvFpjYWCtlN  
Kp2btFYdoDzRkkplhlWUnwqEdjs/1a1yh2BJuaWZTl9kxOG1/39U1+zaGbPzFk4T  
28KK31vWz+x5R+kO433MV6hRzBLLVC5PgfcwPSSmJBhRSDNJoHLMpIxGE97h+xLR  
fzfZ+WswY5c=Qqzx  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6536-01

By Owais Sultan
In this article, we’ll be exploring the landscape of DeFi, demonstrating how the recent DeFiChain developments are set to innovate the industry as a whole and drive the usability of DeFi.
This is a post from HackRead.com Read the original post: How DeFiChain gives DeFi a major boost with innovative decentralized assets

Decentralized finance (DeFi) is an industry that provides a range of benefits to investors. From permissionless access to the complete transparency of blockchain, these systems allow users a new way to trade, buy, sell, and exchange.

With a total value of $40 billion (as of Feb 2021) locked in different protocols, the popularity of DeFi has become incredibly visible over recent months.

Processing from a small financial system into a global movement, DeFi has now reached every corner of our world. However, there are some apparent limitations of DeFi. As it’s a decentralized system, it cannot interact with centralized assets, meaning that stock options, commodities, and indices were off the table.

DeFiChain, a blockchain system, is set to change that, with its introduction of decentralized assets bridging the gap. In this article, we’ll be exploring the landscape of DeFi, demonstrating how the recent DeFiChain developments are set to innovate the industry as a whole and drive the usability of DeFi.

**How has the DeFi Landscape changed?**

Decentralized finance began with the creation of Bitcoin, with the creator intending it to be a digital currency that could be used without having to rely on centralized intermediaries. What started with a rejection of centralized banking and governance has grown into an incredibly rich and comprehensive ecosystem.

Currently, there are over 18,000 cryptocurrencies alongside Bitcoin as of July 2022. The second-largest cryptocurrency is Ethereum, which has a total market cap of over $140 billion, accounting for 15.3% of the total crypto market cap. One of the main reasons that Ethereum has grown to be so popular is the ease of creating decentralized applications on this system.

Ethereum has a fantastic level of documentation, comprehensive unit test frameworks, debuggers, critical developer tools, and a range of tutorials and other learning materials. Quite simply, it has absolutely everything that a developer would need when creating a decentralized application.

The dApp industry has steadily grown over recent years, spanning across financial, healthcare, education, and even property inventions. The versatility of the system, and the benefits of bringing blockchain to different industries, have made the creation of dApps a useful way of expanding the utility of this ecosystem.

DeFi has become all-encompassing, spanning across different industries and weaving its way onto the world’s stage. Yet, while decentralized finance does have a range of benefits, there are also areas in which it falls short. One of these main roadblocks is the fact that, as a decentralized system, it currently has no way of allowing investors to trade stocks on its platforms.

This is due to the fact that stocks are a centralized unit, making them incompatible with DeFi. While this was an issue that seemed insurmountable, the arrival of decentralized assets on the DeFiChain blockchain is set to change the industry forever. 

Let’s take a look at how DeFiChain is combating this issue for DeFi. 

**How DeFiChain’s Decentralized Assets boost the utility of DeFi**

While investors in DeFi can put money into their favorite cryptocurrencies and dApps, they have always fallen short at accessing actual stocks. However, with DeFiChain’s development of decentralized assets, this is all set to change.

A decentralized asset, also known as dAsset or dToken, is a token on the DeFiChain blockchain that gives you price exposure (not ownership) to real-world stocks. For the stocks, TSLA, APPL, FB, there exist dTSLA, dAPPL, dFB, each of which attempts to mirror the price of the real stock. Anyone can mint new dTokens by depositing BTC, DFI, USDT, USDC, or DUSD as collateral in the DeFiChain Vault.

These creations essentially mean that users of DeFiChain can buy a decentralized asset that aims to reflect the real asset, providing them with a method of trading stocks on a decentralized system. They seamlessly allow investors to diversify their portfolios without leaving the DeFi ecosystem.

Any user on the platform is able to mint tokens, with interest rates being based on the amount of collateral provided. These dAssets are then tradable on decentralized exchanges, meaning that users are able to trade their dTokens just like they would with real stocks. People who couldn’t buy US stocks due to geographical restrictions or other limitations can get price exposure to their favorite assets from anywhere in the world.

Just like that, DeFiChain bridges the impossible gap between centralized and decentralized systems without compromising their DeFi platform with centralism. With DeFiChain, what was once thought impossible has become a working reality. 

**Moving towards passive income**

One central aspect that is rarely achieved within centralized systems is passive income. While there are some elements to stock trading that could be considered passive income streams, like dividend payments, they are typically only around 5%, which is far less than one would need to see any substantial returns.

DeFi has a solution for this, found within any proof-of-stake system. Typically, users can put their proof-of-stake cryptocurrencies into a liquidity pool. These liquidity pools allow the proof-of-stake coins to validate transactions more quickly, allowing for scalability and rapid transaction processing.

The development of POS cryptocurrencies has solved the central problem that was impacting Ethereum, which has notoriously high ‘gas fees’ for completing transactions. As this network can only process around 30 transactions per second, with a potential demand seeking upwards of 100,000 transactions per second, there is a massive queue for processing on this blockchain.

To push transactions to the front of the queue and make sure that they are safely recorded into the next block, Ethereum asks users to pay a gas fee. This has made development within dApplications costly, as users that want instant transactions will always have to pay a fee. POS cryptocurrencies allow users to process many more transactions per second.

For example, Solana can produce 50,000 transactions each second, meaning there is never really a queue to process your transaction, there is almost no gas fee. This is achieved by creating large liquidity pools, with these pools filled with users’ cryptocurrency being used to validate transactions quickly.

In return for putting their POS crypto into these liquidity pools, users are given a reward in terms of passive income. Over time, you’ll be rewarded with interest in the cryptocurrency that you’ve put in. Whole industries have arisen from this ‘staking’ model, with people seeking to maximize their yields in a practice that’s known as yield farming.

People who stake crypto can expect to get anywhere from 10% – 100% annualized returns on their investment, making this an incredible opportunity for DeFi users. 

**How DeFiChain Takes This Further**

DeFiChain builds upon typical staking protocols and offers even further utility for its investors. While a traditional investor, after buying a stock, will only make money once they sell it at a profit, DeFiChain is changing the game. Once a user buys one of their dToken assets, they’re able to then put that into a liquidity mining pool.

Not only do they gain a profit from their dToken going up in value, but they are also able to get a passive income from putting their dAssets into these liquidity pools. This dual income strategy takes what’s phenomenal about yields within DeFi systems and brings it to dAssets.

With this integration, DeFiChain essentially innovates the field of DeFi, providing a whole new way to make money when taking on decentralized ecosystems. 

**Final Thoughts**

With the introduction of dAssets, DeFiChain has created a new investment pathway for DeFi that radically shifts what is possible within these ecosystems. What’s more, considering that these dTokens can then be entered into liquidity mining pools for additional rewards, this system also creates a new way of earning passive income.

The benefits of DeFiChain for investors are impressive, creating new systems and then pushing that system as far as possible for user benefit. With future plans to bring the actual stock price and the dAsset price closer than ever, through their DeFiChain Improvement Proposal (DFIP), this system will be incredibly advantageous to users.

While still only a young blockchain, with innovative features, exciting updates, and future foresight, DeFiChain is shaping up to be an industry-changing blockchain ecosystem.

1.  The Benefits Of Blockchain In The Travel Industry
2.  This AI Can Generate Unique and Free Bored Ape NFTs
3.  If Bitcoiners Want Bitcoin To Make It Big, They Need DeFi
4.  If the Ethereum Merge Fails, L2s Will Be More Vital Than Ever
5.  Naoris Protocol Will Use Blockchain To Plug Web3 Security Gaps

How DeFiChain gives DeFi a major boost with innovative decentralized assets

At the SecTor 2022 conference in Toronto next month, researchers from Lookout will take a deep dive into Hermit and the shadowy world of mobile surveillance tools used by repressive regimes.

While NSO Group's Pegasus spyware is perhaps the highest-profile surveillance weapon used by repressive governments against civil society, a recently discovered, powerful mobile reconnaissance malware dubbed Hermit has come to light, being touted by an Italian developer as a "lawful intercept" tool.

At the upcoming SecTor 2022 conference in Toronto, Christoph Hebeisen, director of security intelligence research at Lookout, and Paul Shunk, security researcher at the firm, will lay out Hermit's surveillance capabilities, against the backdrop of the growing nation-state market and use of these shadowy applications.

So far, Lookout has observed the Hermit spyware being used by the government of Kazakhstan after the violent suppression of protests with the help of Russian armed forces; being applied by Italian law enforcement; and being deployed against the Kurdish minority in the conflict-plagued northeastern Syrian region of Rojava.

**Hermit: Hiding Out 1 Tier Below Pegasus**

The researchers will kick off their Oct. 5 session, entitled "A Hermit Out of Its Shell," with a discussion of where Hermit fits into the mobile spyware picture. It was developed by an Italy-based vendor called RCS Lab and a related company called Tykelab Srl, according to Hebeisen, and is usually distributed on both Android and iOS platforms by masquerading as legitimate mobile apps rather than in attacks that exploit software vulnerabilities.

"There's a varied market for these; NSO Group is certainly placed at the top of the field, and everybody recognizes the name, because they use zero-click exploits to get their surveillance malware onto the device without the user even noticing anything," Hebeisen tells Dark Reading. "But then there is a tier of these weapons just below that, which are distributed as apps, and they are very effective even though they require a little bit of social engineering to get onto a target's device. That's where Hermit plays."

In terms of its capabilities, he adds that Hermit packs an info-vacuuming punch. In addition to "standard" spyware fare like tracking users' locations, accessing device microphones and cameras, eavesdropping on calls and texts, and stealing media files, it also offers the ability to sniff out every scrap of content and data housed in any of the apps that users have installed, including encrypted messaging apps.

"This is a very sophisticated surveillance tool," Hebeisen says. "It takes over the operating system completely and can spy on literally everything. Given how deeply ingrained into our lives phones are these days and especially our all of our private activities, this is practically a perfect tool to find out everything an attacker ever wanted to know about somebody."

He adds that under the hood, the malware is designed to be agile and flexible.

"Hermit is built in a very enterprise way in that it's modular," Hebeisen explains. "So we suspect that that might actually be part of the business model, where they can sell different tiers of this surveillance kit by including or excluding certain modules."

From a broader perspective, Hermit showcases an uncomfortable reality when it comes to next-gen mobile malware: "Despite mobile operating systems being much more modern than many of the desktop systems and having many more security controls already in place, it's still possible for attackers to get past them and then actually use the legitimate functionality of the operating system against targets," Hebeisen says.

**Nation-State Spyware: A Growing Threat**

It should be noted that companies operating in this gray space, including RCS Labs, NSO Group, FinFisher creator Gamma Group, Israeli company Candiru, and Russia's Positive Technologies, maintain that they only sell to legitimate intelligence and enforcement agencies. That however is a claim that many reject, including the US government, which recently sanctioned several of these organizations for contributing to human rights abuses and the targeting of journalists, human rights defenders, dissidents, opposition politicians, business leaders, and others.

Nonetheless, Hebeisen notes that there are more and more mobile spyware tools being developed for the blossoming so-called "lawful intercept" market, indicating ongoing demand. When one is struck down, "there are plenty of other companies standing in the wings just waiting to take over," he says.

The demand makes sense from the geopolitical perspective as nations move away from kinetic conflict.

"As opposed to physical arms, for which you have to deal with all kinds of export controls if you want to sell those to regimes that are known for human rights violations, it seems much easier to get around that when you're dealing with surveillance tools, which are essentially just a different set of weapons in the fight," Hebeisen explains.

Tag

#ios