Here, find your monthly briefing on the latest hacks, scams, news, Apple security patches—and what you can do about it.
In this roundup:
- Your Voting Machine Is Safe, But Is Your Social Media Feed?
- Warning! That Fraud Alert Call Could Be a Scam
- The Internet Archive Suffers Breach, Loses Info on 31 Million Users
- This Should Be On Your Radar
- Security Fail of the Month
- Security Updates from Apple
Hacks, Scams, Trouble + What to Do
Your Voting Machine Is Safe, But Is Your Social Media Feed?
The US election system is resilient against direct hacking efforts, reports Jen Easterly, head of the US Cybersecurity and Infrastructure Security Agency (CISA), responsible for securing elections, in an interview with the AP. The system’s strength lies in the use of paper ballots by over 97% of voters that are audited and counted by humans, she says. Her assessment agrees with the consensus among cybersecurity professionals, like Google’s cybersecurity firm Mandiant, which stated in a report that there has never been a known case of a voting machine being compromised by hackers in the wild, and there has been little observed effort to compromise voting machine manufacturers. Those machines do not connect to the internet, so any effort to hack them would have to happen in advance of the election, and would be evident immediately upon the auditing of associated paper ballots.
With hacking vote-counting machines off the table, entities with an interest in swaying the outcome instead focus on you and me, individual voters, whose opinions they may change through propaganda or the leak of stolen information. Here’s what to watch out for.
Foreign entities such as Russia, Iran, Israel, and China are engaged in efforts to sway the outcome of US Elections. Those efforts focus on social media manipulation and propaganda—on changing the beliefs of citizens—rather than the hacking of voting machines or systems. That said, one of the consistent objectives of adversarial propaganda is to sow doubt and confusion about the validity of the election process, so we should expect to see amplified, distorted, or fully fabricated stories of successful hacks in the coming weeks, and we should treat those stories with skepticism.
Side note: did you catch our free 1 hour livestream covering modern scams and how to protect yourself? If you missed it, catch the replay! We cover 7 things you can do on your iPhone today to harden your defensese, make life harder for scammers, and cut back on spam calls at the same time.
Warning! That Fraud Alert Call Could Be a Scam
Scammers can call you and have it appear as coming from any phone number they like. This technique, called spoofing, gets used in all kinds of mischief. The latest innovation in the scuzzy market of scammers is to call you pretending to be Google support, claiming your account has been compromised. The scammer may ask if you’re traveling, offer details about your account, and tell you your account has been compromised and someone has downloaded copies of your data. The calls are professional, polished, and sound like they might just be legitimately from Google, except for one thing: Google will never call you this way. Google also has some powerful security features that, if enabled for your account, should short-circuit this kind of attack.
You can protect yourself from this attack in two ways: first, by never giving out information to someone who calls you. We can’t trust that incoming calls are legitimate. Instead, if your bank or a trusted service like Google calls you to warn of fraud, then you should thank them for the warning and hang up, then call them back at the official number.
Second, you can activate Advanced Email Protection from Google to turn on additional levels of security to protect your inbox.
The Internet Archive Suffers Breach, Loses Info on 31 Million Users
The Internet Archive is yet another victim of a data breach. The Internet Archive is likely the world’s largest online library, preserving entire websites, media, software, and more. Like Wikipedia, this organization is completely nonprofit and offers its information for free. Which puts these attackers firmly in the kicking-of-puppies stage of their descent toward the heart of darkness.
On October 9th, the hacktivist group known as BlackMeta targeted the Internet Archive with a devastating distributed denial-of-service (DDoS) attack, which brought the entire site down. At the same time, the site suffered a data breach, which was unrelated to the DDoS attack, according to Bleeping Computer. The data that was stolen included “email addresses, screen names, password change timestamps, encrypted passwords, and other internal data.” As of October 21st, the Internet Archive is slowly coming back online. Read more and how to find out if you’re affected.
Why any hacker would want to target the Internet Archive is a mystery. The site offers a unique service, cataloging and preserving the entire history of the internet. On top of that, it offers its vast wealth of information completely free and does not profit off of it in any way. It’s like attacking a library or a museum. Whatever the hackers’ reasoning, hopefully, the Internet Archive will be able to bounce back from this.
In the meantime, if you have an Internet Archive account and you use the same password for other accounts, be sure to change it to protect yourself. You may check to see if your email address and password were in the stolen data by entering them at HaveIBeenPwned.com. As always, we recommend using a password manager, like Bitwarden or the iPhone Passwords app, to create unique secure passwords for every account, so the loss of one does not affect the rest.
This Should Be On Your Radar
Warning to Timeshare Owners: Beware of Offers to Buy
The FBI has issued numerous warnings about a scam involving fake offers to buy time-share properties, a racket ultimately run by a violent Mexican drug cartel. Krebs On Security has the full story.
Hackers Take Over Ecovacs Robot Vacuums, Shout Obscenities at Owners
A strong contender for our cybersecurity fail of the month. Owners of robot vacuums made by Chinese company Ecovacs got an unpleasant surprise when unknown hackers gained remote access to swaths of the devices and used the onboard speakers and cameras to hurl invective. ABC Australia has the full story, including past Ecovacs security flaws.
Ukrainian Hackers Eat Putin’s Lunch
On Russian president Vladimir’ Putin’s 72nd birthday, a team of Ukrainian hackers shut down the Russian state media service’s website (not that big a deal) and stopped the digital transmission of several television channels (a pretty big deal), then more Ukrainian hackers shut down Russia’s court system (an astonishingly big deal).
Twitter Unbanned in Brazil
A personal tiff between Elon Musk and the Brazilian high court briefly caused the social media platform X (Formerly Twitter) to be banned from operating in the country of Brazil (with high fines for any private citizen caught in violation of the ban). The billionaire has rolled over to all demands and your Brazilian friends may return to using Musk’s platform. Or they may not, at their discretion. The New York Times has the story.
Can You Trust Wikipedia? Wiki-Foundation Stands Strong Against Flood of Low-Quality AI Content
A new initiative at Wikipedia aims to maintain the website’s high standards by emphasizing human moderation and editing. We wish them luck. Read more from 404 Media.
You May Be Among the One-Third of Americans Whose Information Was Leaked by MC2 Data
Reporters at Cybernews found that a company called MC2 Data, which runs background checks as a service and operates a number of different websites, had left one of their databases accessible to the net. Cybernews has the full story.
Trouble Unsubscribing? US Federal Trade Commission Announces New Rules to Help
The new rules require subscription services to always supply a way to unsubscribe that is just as easy and obvious as the way to subscribe, and will go into effect 180 days from the announcement. We very much welcome this.
Security Fail of the Month
Kia Cars Hackable en Masse
A bug in the web interface for internet-connected Kia cars allowed a team of independent researchers to remotely access the digital features of virtually any KIA car, including unlocking doors and starting engines. All they needed was the license plate number.
The thing about internet-connected stuff is if it’s on the internet, it can be accessed on the internet. So, when it comes to cars and front door locks, how badly do we really need an app for that? Maybe your car doesn’t need a web interface to begin with? Read the full story at Wired.
Security Updates from Apple
Everything you need to know about Apple’s latest software updates.
iOS 18 is Loaded With Features!
- The most recent iOS and iPadOS is 18.0.1
- The most recent macOS is 15.0.12
- The most recent tvOS is 18
- The most recent watchOS is 11.0.1
- The most recent visionOS is 2.0.1
The iOS 18.0.1 patch included fixes for a number of security issues, including one in the Passwords app that would have permitted the VoiceOver accessibility feature to read passwords out loud. Even if you are using VoiceOver to assist with your iPhone, you probably don’t want your passwords read out loud in public.
iOS 18.1, expected on October 28th, finally brings the first wave of AI features, called Apple Intelligence (or AI, see what they did there?) to the iPhone. Features include the writing “tools” to rewrite your words in different tones of voice, a Siri redesign, and AI-driven summaries of your notifications and emails, but don’t include the image generation tools, yet.
Mission Statement (Section Header)
There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by Donna Schill.
