May 11, 2020
David Redekop

This Week In Nerd News – May 11, 2020

Your weekly top 5 technical and security issues Nerds should pay attention to:

Zoom acquires Keybase to get end-to-end encryption expertise.

Seems like a talent-acquisition/acqui-hire only by the accounts of Keybase. If so, sad for Keybase fans.

Zoom announced this morning that it has acquired Keybase, a startup with encryption expertise. It did not reveal the purchase price.

Keybase, which has been building encryption products for several years including secure file sharing and collaboration tools, should give Zoom some security credibility as it goes through pandemic demand growing pains.

 

Read More: Zoom acquires Keybase to get end-to-end encryption expertise

 

Samsung patches 0-click vulnerability impacting all smartphones sold since 2014.

This is significant. Anyone you love with a Samsung, send them this link.

South Korean smartphone vendor Samsung released this week a security update to fix a critical vulnerability impacting all smartphones sold since 2014.

The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014.

Mateusz Jurczyk, a security researcher with Google’s Project Zero bug-hunting team, discovered a way to exploit how Skia (the Android graphics library) handles Qmage images sent to a device.

 

Read More: Samsung patches 0-click vulnerability impacting all smartphones sold since 2014 

 

GoDaddy reports data breach involving SSH access on hosting accounts.

Watch for client servers’ compromises attacked using this breach, but best to be proactive.

GoDaddy on Tuesday reported [PDF] an October data breach to Californian authorities, stating that an unauthorised individual was able to access SSH accounts used in its hosting environment.

“We have no evidence that any files were added or modified on your account,” the company said while omitting evidence that files could have been viewed and exfiltrated.

 

Read More: GoDaddy reports data breach involving SSH access on hosting accounts 

 

Stealing your SMS messages with iOS 0day.

If this isn’t another reason to run off a deny-all policy, I’m not sure what is. Wow.

Siguza told us that his 0day was patched in the iOS 13.5 beta3. So this is actually a sandbox escape 0day for the newest, non-beta iOS version (13.4.1). In this post, I’ll show you how I reproduced that bug and wrote a malicious application that uses that 0day to steal the iMessage history!

 

Read More: Stealing your SMS messages with iOS 0day

 

Finally, some sanity on COVID-19 tracing apps.

Bruce Schneier has no horse in this race. Worth reading!

Resource: Me on COVID-19 Contact Tracing Apps

 

Did you know?

Our son Silas discovered not one, not two, but three (3!) escapes from iOS Guided Access. To his credit he told us (parents) about them within minutes of discovering them. Haven’t had a chance to blog about them but we will…

Need an IT professional? Request service today.