Twitter now puts live broadcasts at the top of your timeline

Twitter will now put live streams and broadcasts started by accounts you follow at the top of your timeline, making it easier to see what they’re doing in realtime.

In a tweet, Twitter said that that the new feature will include breaking news, personalities and sports.

The social networking giant included the new feature in its iOS and Android apps, updated this week. Among the updates, Twitter said it’s now also supporting audio-only live broadcasts, as well as through its sister broadcast service Periscope.

Last month, Twitter discontinued its app for iOS 9 and lower versions, which according to Apple’s own data still harbors some 5 percent of all iPhone and iPad users.

A new CSS-based web attack will crash and restart your iPhone

A security researcher has found a new way to crash and restart any iPhone — with just a few lines of code.

Sabri Haddouche tweeted a proof-of-concept webpage with just 15 lines of code which, if visited, will crash and restart an iPhone or iPad. Those on macOS may also see Safari freeze when opening the link.

The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use, Haddouche told TechCrunch. He explained that nesting a ton of elements — such as <div> tags — inside a backdrop filter property in CSS, you can use up all of the device’s resources and cause a kernel panic, which shuts down and restarts the operating system to prevent damage.

“Anything that renders HTML on iOS is affected,” he said. That means anyone sending you a link on Facebook or Twitter, or if any webpage you visit includes the code, or anyone sending you an email, he warned.

TechCrunch tested the exploit running on the most recent mobile software iOS 11.4.1, and confirm it crashes and restarts the phone. Thomas Reed, director of Mac & Mobile at security firm Malwarebytes confirmed that  the most recent iOS 12 beta also froze when tapping the link.

The lucky whose devices won’t crash may just see their device restart (or “respring”) the user interface instead.

For those curious, you can see how it works without it running the crash-inducing code.

The good news is that as annoying as this attack is, it can’t be used to run malicious code, he said, meaning malware can’t run and data can’t be stolen using this attack. But there’s no easy way to prevent the attack from working. One tap on a booby-trapped link sent in a message or opening an HTML email that renders the code can crash the device instantly.

Haddouche contacted Apple on Friday about the attack, which is said to be investigating. A spokesperson did not immediately respond to a request for comment.

FEMA to send its first ‘Presidential Alert’ in emergency messaging system test

The Federal Emergency Management Agency will this week test a new “presidential alert” system that will allow the president to send a message to every phone in the US.

The alert is the first nationwide test of the presidential alert test, FEMA said in an advisory, which allows the president to address the nation in the event of a national emergency.

Using the Wireless Emergency Alert (WEA) system, anyone with cell service should receive the message to their phone.

The presidential alert to be sent Tuesday will look like this. (Image: FEMA)

“THIS IS A TEST of the National Wireless Emergency Alert System. No action is needed,” the message will read, due to be sent out on Thursday at 2:18pm ET.

Minutes later, the Emergency Alert System (EAS) will broadcast a similar test message over television, radio, and wireline video services.

Emergency alerts aren’t new and warning systems have long been used — and tested — in the US to alert citizens of local and state incidents, like AMBER alerts for missing children and severe weather events that may result in danger to or loss of life.

But presidential alerts have yet to be tested. Unlike other alerts, citizens will not be allowed to opt out of presidential alerts.

Allowing the president to send nationwide alerts was included in the passing of the WARN Act in 2006 under the Bush administration, creating a state-of-the-art emergency alert system that would replace an aging infrastructure. As alarming as these alerts can (and are designed to) be, the system aims to modernize the alerts system for a population increasingly moving away from televisions and towards mobile technology.

These presidential alerts are solely at the discretion of the president and can be sent for any reason, but experts have shown little concern that the system may be abused.

But the system isn’t perfect. Earlier this year, panic spread on Hawaii after an erroneous alert went out to residents warning of a “ballistic missile thread inbound.” The message said, “this is not a drill.” The false warning was amid the height of tensions between the US and North Korea, which at the time was regularly testing its ballistic missiles as part of its nuclear weapons program.

More than 100 carriers will participate in the test, FEMA said.

Three years later, Let’s Encrypt has issued over 380 million HTTPS certificates

Bon anniversaire, Let’s Encrypt!

The free-to-use nonprofit was founded in 2014 in part by the Electronic Frontier Foundation and is backed by Akamai, Google, Facebook, Mozilla and more. Three years ago Friday, it issued its first certificate.

Since then, the numbers have exploded. To date, more than 380 million certificates have been issued on 129 million unique domains. That also makes it the largest certificate issuer in the world, by far.

Now, 75 percent of all Firefox traffic is HTTPS, according to public Firefox data — in part thanks to Let’s Encrypt. That’s a massive increase from when it was founded, where only 38 percent of website page loads were served over an HTTPS encrypted connection.

“Change at that speed and scale is incredible,” a spokesperson told TechCrunch. “Let’s Encrypt isn’t solely responsible for this change, but we certainly catalyzed it.”

HTTPS is what keeps the pipes of the web secure. Every time your browser lights up in green or flashes a padlock, it’s a TLS certificate encrypting the connection between your computer and the website, ensuring nobody can intercept and steal your data or modify the website.

But for years, the certificate market was broken, expensive and difficult to navigate. In an effort to “encrypt the web,” the EFF and others banded together to bring free TLS certificates to the masses.

That means bloggers, single-page websites and startups alike can get an easy-to-install certificate for free — even news sites like TechCrunch rely on Let’s Encrypt for a secure connection. Security experts and encryption advocates Scott Helme and Troy Hunt last month found that more than half of the top million websites by traffic are on HTTPS.

And as it’s grown, the certificate issuer has become trusted by the major players — including Apple, Google, Microsoft, Oracle and more.

A fully encrypted web is still a ways off. But with close to a million Let’s Encrypt certificates issued each day, it looks more within reach than ever.

UK warns of satellite and space program problems in case of Brexit ‘no deal’

The UK government says that access to satellites and space surveillance programs will suffer in the event of a “no deal” departure from the European Union .

Britain has less than six months to go before the country leaves the 28 member state bloc, after a little over half the country voted to withdraw membership from the European Union in a 2016 referendum. So far, the Brexit process has been a hot mess of political infighting and uncertainty, bureaucracy and backstabbing — amid threats of coups and leadership challenges. And the government isn’t even close to scoring a deal to keep trade ties open, immigration flowing, and airplanes taking off.

Now, the government has further said that services reliant on EU membership — like access to space programs — will be affected.

The reassuring news is that car and phone GPS maps won’t suddenly stop working.

But the government said that the UK will “no longer play any part” of the European’s GPS efforts, shutting out businesses, academics and researchers who will be shut out of future contracts, and “may face difficulty carrying out and completing existing contracts.”

“There should be no noticeable impact if the UK were to leave the EU with no agreement in place,” but the UK is investing £92 million ($120m) to fund its own UK-based GPS system. The notice also said that the UK’s military and intelligence agencies will no longer have access to the EU’s Public Regulated Service, a hardened GPS system that enhances protections against spoofing and jamming. But that system isn’t expected to go into place until 2020, so the government isn’t immediately concerned.

The UK will also no longer be part of the Copernicus program, a EU-based earth observation initiative that’s a critical asset to national security as it contributes to maritime surveillance, border control and understanding climate change. Although the program’s data is free and open, the UK government says that users will no longer have high-bandwidth access to data from the satellites and additional data, but admits that it’s “seeking to clarify” the terms.

Although this is the “worst case scenario” in case of no final agreement on the divorce settlement from Europe, with just months to go and a distance to reach, it’s looking like a “no deal” is increasingly likely.

Security flaw in ‘nearly all’ modern PCs and Macs exposes encrypted data

Most modern computers, even devices with disk encryption, are vulnerable to a new attack that can steal sensitive data in a matter of minutes, new research says.

In new findings published Wednesday, F-Secure said that none of the existing firmware security measures in every laptop it tested “does a good enough job” of preventing data theft.

F-Secure principal security consultant Olle Segerdahl told TechCrunch that the vulnerabilities put “nearly all” laptops and desktops — both Windows and Mac users — at risk.

The new exploit is built on the foundations of a traditional cold boot attack, which hackers have long used to steal data from a shut-down computer. Modern computers overwrite their memory when a device is powered down to scramble the data from being read. But Segerdahl and his colleague Pasi Saarinen found a way to disable the overwriting process, making a cold boot attack possible again.

“It takes some extra steps,” said Segerdahl, but the flaw is “easy to exploit.” So much so, he said, that it would “very much surprise” him if this technique isn’t already known by some hacker groups.

“We are convinced that anybody tasked with stealing data off laptops would have already come to the same conclusions as us,” he said.

It’s no secret that if you have physical access to a computer, the chances of someone stealing your data is usually greater. That’s why so many use disk encryption — like BitLocker for Windows and FileVault for Macs — to scramble and protect data when a device is turned off.

But the researchers found that in nearly all cases they can still steal data protected by BitLocker and FileVault regardless.

After the researchers figured out how the memory overwriting process works, they said it took just a few hours to build a proof-of-concept tool that prevented the firmware from clearing secrets from memory. From there, the researchers scanned for disk encryption keys, which, when obtained, could be used to mount the protected volume.

It’s not just disk encryption keys at risk, Segerdahl said. A successful attacker can steal “anything that happens to be in memory,” like passwords and corporate network credentials, which can lead to a deeper compromise.

Their findings were shared with Microsoft, Apple, and Intel prior to release. According to the researchers, only a smattering of devices aren’t affected by the attack. Microsoft said in a recently updated article on BitLocker countermeasures that using a startup PIN can mitigate cold boot attacks, but Windows users with “Home” licenses are out of luck. And, any Apple Mac equipped with a T2 chip are not affected, but a firmware password would still improve protection.

Both Microsoft and Apple downplayed the risk.

Acknowledging that an attacker needs physical access to a device, Microsoft said it encourages customers to “practice good security habits, including preventing unauthorized physical access to their device.” Apple said it was looking into measures to protect Macs that don’t come with the T2 chip.

When reached, Intel would not to comment on the record.

In any case, the researchers say, there’s not much hope that affected computer makers can fix their fleet of existing devices.

“Unfortunately, there is nothing Microsoft can do, since we are using flaws in PC hardware vendors’ firmware,” said Segerdahl. “Intel can only do so much, their position in the ecosystem is providing a reference platform for the vendors to extend and build their new models on.”

Companies, and users, are “on their own,” said Segerdahl.

“Planning for these events is a better practice than assuming devices cannot be physically compromised by hackers because that’s obviously not the case,” he said.

The best security and privacy features in iOS 12 and macOS Mojave

September is Apple hardware season, where we expect new iPhones, a new Apple Watch and more. But what makes the good stuff run is the software within.

First revealed earlier this year at the company’s annual WWDC developer event in June, iOS 12 and macOS Mojave focus on a running theme: security and privacy for the masses.

Ahead of Wednesday big reveal, here’s all the good stuff to look out for.

macOS Mojave

macOS Mojave will be the sixth iteration of the Mac operating system, named after a location in California where Apple is based. It comes with dark mode, file stacks, and group FaceTime calls.

Safari now prevents browser fingerprinting and cross-site tracking

What does it do? Safari will use a new “intelligent tracking prevention” feature to prevent advertisers from following you from site to site. Even social networks like Facebook know which sites you visit because so many embed Facebook’s tools — like the comments section or the “Like” button.

Why does it matter? Tracking prevention will prevent ad firms from building a unique “fingerprint” of your browser, making it difficult to serve you targeted ads — even when you’re in incognito mode or private browsing. That’s an automatic boost for personal privacy as these companies will find it more difficult to build up profiles on you.

Camera, microphone, backups now require permission

What does it do? Just like when an app asks you for access to your contacts and calendar, now Mojave will ask for permission before an app can access your FaceTime camera and microphone, as well as location data, backups and more.

Why does it matter? By expanding this feature, it’s much more difficult for apps to switch on your camera without warning or record from your microphone without you noticing. That’s going to prevent surreptitious ultrasonic ad tracking and surveillance by malware that hijack your camera. But also asking permission for access to your backups — often unencrypted — will prevent malware or hackers from quietly stealing your data.

iOS 12

iOS 12 lands on more recent iPhones and iPads, but will bring significant performance boosts to older supported devices, new Maps, smarter notifications and updated AIKit .

Password manager will warn of password reuse

What does it do? iOS 12’s in-built password manager, which stores all your passwords for easy access, will now tell if you’re using the same password across different sites and apps.

Why does it matter? Password reuse is a real problem. If you use the same password on every site, it only takes one site breach to grab your password for every other site you use. iOS 12 will let you know if you’re using a weak password or the same password on different sites. Your passwords are easily accessible with your fingerprint or your passcode.

Two-factor codes will be auto-filled

What does it do? When you are sent a two-factor code — such as a text message or a push notification — iOS 12 will take that code and automatically enter it into the login box.

Why does it matter? Two-factor authentication is good for security — it adds an extra layer of protection on top of your username and password. But adoption is low because two-factor is cumbersome and frustrating. This feature keeps the feature security intact while making it more seamless and less annoying.

USB Restricted Mode makes hacking more difficult

What does it do? This new security feature will lock any accessories out of your device — including USB cables and headphones — when your iPhone or iPad has been locked for more than an hour.

Why does it matter? This is an optional feature — first added to iOS 11.4.1 but likely to be widely adopted with iOS 12 — will make it more difficult for law enforcement (and hackers) to plug in your device and steal your sensitive data. Because your device is encrypted, not even Apple can get your data, but some devices — like GrayKeys — can brute-force your password. This feature will render these devices largely ineffective.

Apple’s event starts Wednesday at 10am PT (1pm ET).

more iPhone Event 2018 coverage

A year later, Equifax lost your data but faced little fallout

A lot can change in a year. Not when you’re Equifax.

The credit rating giant, one of the largest in the world, was trusted with some of the most sensitive data used by banks and financiers to determine who can be lent money. But the company failed to patch a web server it knew was vulnerable for months, which let hackers crash the servers and steal data on 147 million consumers. Names, addresses, Social Security numbers and more — and millions more driver license and credit card numbers were stolen in the breach. Millions of British and Canadian nationals were also affected, sparking a global response to the breach.

It was “one of the most egregious examples of corporate malfeasance since Enron,” said Senate Democratic leader Chuck Schumer at the time.

Yet, a year on from following the devastating hack that left the company reeling from a breach of almost every American adult, the company has faced little to no action or repercussions.

In the aftermath, the company’s response to the breach was chaotic, sending consumers scrambling to learn if they were affected but were instead led into a broken site that was vulnerable to hacking. And when consumers were looking for answers, Equifax’s own Twitter account sent concerned users to a site that easily could have been a phishing page had it not been for a good samaritan.

Yet, the company went unpunished. In the end, Equifax was in law as much a victim as the 147 million Americans.

“There was a failure of the company, but also of lawmakers,” said Mark Warner, a Democratic senator, in a call with TechCrunch. Warner, who serves Virginia, was one of the first lawmakers to file new legislation after the breach. Alongside his Democratic colleague, Sen. Elizabeth Warren, the two senators said their bill, if passed, would hold credit agencies accountable for data breaches.

“With Equifax, they knew for months before they reported, so at what point is that violating securities laws by not having that notice?,” said Warner.

“There was a failure of the company, but also of lawmakers.”
Sen. Mark Warner (D-VA)

“The message sent to the market is ‘if you can endure some media blowback, you can get through this without serious long-term ramifications’, and that’s totally unacceptable,” he said.

Lawmakers held hearings and grilled the company’s former chief executive, Richard Smith, who retired with his full $90 million retirement package, adding insult to injury. Equifax further shuffled its executive suite, including the hiring of a new chief information security officer Jamil Farshchi and former lawyer turned “chief transformation officer” Julia Houston to oversee “the company’s response to the cybersecurity incident.”

Equifax declined to make either executive available for interview or comment when reached by TechCrunch, but Equifax spokesperson Wyatt Jefferies said protecting customer data is the company’s “top priority.”

But there’s not much to show for it beyond superficial gestures of free credit monitoring — provided by Equifax, no less — and a credit locking app which, unsurprisingly, had its own flaws. In the year since, the company has spent more than $240 million — some $50 million was covered by cyber-insurance. That’s a drop in the ocean to more than $3 billion in revenue in the year since, according to quarterly earnings filings — or more than $500 million in profits. And although Equifax’s stock price initially collapsed in the weeks following, the price bounced back.

Financially, the company looks almost as healthy as it’s ever been. But that may change.

Former Equifax chief executive Richard Smith prepares to testify before the lawmakers. Smith later retired after hackers broke into the credit reporting agency and made off with the personal information of nearly 145 million Americans.

Earlier this year, the company asked a federal judge to reject claims from dozens of banks and credit unions for costs taken to prevent fraud following the data breach. The claims, if accepted, could force Equifax to shell out tens of millions of dollars — perhaps more. The hundreds of class action suits filed to date have yet to hit the courts, but historically even the largest class action cases have resulted in single dollar amounts for the individuals affected.

And when the credit agent giant isn’t fighting the courts, federal regulators have shown little interest in pursuit of legal action.

An investigation launched by a former head of the Consumer Financial Protection Bureau, responsible for protecting consumers from fraud, sputtered after the new director reportedly declined to pursue the company. And, although the company is under investigation by the Federal Trade Commission for the second time this decade, fines are likely to be limited — if levied at all.

Warren sent a letter Thursday to the heads of both agencies lamenting their lack of action.

“Companies like Equifax do not ask the American people before they collect their most sensitive information,” said Warren. “This information can determine their ability to access credit, obtain a job, secure a home loan, purchase a car, and make dozens of other transactions that are critical to their personal financial security.”

“The American people deserve an update on your investigations,” she said.

To date, only the Securities and Exchange Commission has brought charges — not for the breach itself, but against three former staffers for allegedly insider trading.

Escaping any local action, Equifax agreed with eight states, including New York and California, to take further cybersecurity steps and measures to prevent another breach, escaping any fines or financial penalties.

“The American people deserve an update on your investigations”
Sen. Elizabeth Warren (D-MA)

Warner blamed much of the inaction to the patchwork of data breach laws that vary by state.

“We’ve got different laws and you don’t have any standard, and part of the challenge around the data breach is that every industry wants to be exempted,” said Warner. It’s not a partisan issue, he said, but one where every industry — from telecoms to retail — wants to be exempt from the law.

“If we really want to improve our business cyber-hygiene, you have got to have consequences for failing to keep up those cyber-hygiene standards,” he said.

It’s a tough sell to posit Equifax, which fluffed almost every step of the breach process, before and after its disclosure, as a victim. While the millions affected can take solace in the beating Equifax got in the press, those demanding regulatory action might be in for a disappointingly long wait.

Dozens of popular iPhone apps caught sending user location data to monetization firms

A group of security researchers say dozens of popular iPhone apps are quietly sharing the location data of “tens of millions of mobile devices” with third-party data monetization firms.

Almost all require access to a user’s location data to work properly, like weather and fitness apps, but share that data often as a way to generate revenue for free-to-download apps.

In many cases, the apps send precise locations and other sensitive, identifiable data “at all times, constantly,” and often with “little to no mention” that location data will be shared with third-parties, say security researchers at the GuardianApp project.

“I believe people should be able to use any app they wish on their phone without fear that granting access to sensitive data may mean that this data will be quietly sent off to some entity who they do not know and do not have any desire to do business with,” said Will Strafach, one of the researchers.

Using tools to monitor network traffic, the researchers found 24 popular iPhone apps that were collecting location data — like Bluetooth beacons to Wi-Fi network names — to know where a person is and where they visit. These data monetization firms also collect other device data from the accelerometer, battery charge status and cell network names.

In exchange for data, often these data firms pay app developers to collect data and grow their databases and often to deliver ads based on a person’s location history.

But although many claim they don’t collect personally identifiable information, Strafach said that latitude and longitude coordinates can pin a person to a house or their work.

To name a few:

ASKfm, a teen-focused anonymous question-and-answer app, has 1,400 ratings on the Apple App Store and touts tens of millions of users. It asks for access to a user’s location that “won’t be shared with anyone.” But the app sends that location data to two data firms, AreaMetrics and Huq. When reached, the app maker said it believes its location collection practices “fit industry standards, and are therefore acceptable for our users.”

NOAA Weather Radar has more than 266,000 reviews and has millions of downloads. Access to your location “is used to provide weather info.” But an earlier version of the app from March was sending location data to three firms, Factual, Sense360 and Teemo. The code has since been removed. A spokesperson for Apalon, which built the app, said it “conducted a limited, brief test with a few of these providers” earlier this year.

Homes.com is a popular app that asks that you switch on your location to help “find nearby homes.” But the code, thought to be old code, still sends precise coordinates to AreaMetrics. The app maker said it used AreaMetrics “for a short period” last year but said the code was deactivated.

Perfect365, an augmented reality beauty app with more than 100 million users, asks for location to “customize your experience based on your location and more,” and refers users to the privacy policy for more — which does state that location data will be used for advertising. The app was briefly pulled after a BuzzFeed News story earlier this year outed the researchers, but returned to the app store days later. The current app version contains code for eight separate data monetization firms in the latest version of the app. The app maker did not return a request for comment.

And the list goes on — including more than a hundred Sinclair-owned local news and weather apps, which share location data with Reveal, a data tracking and monetization firm, which the company says will help the media giant bolster its sales by “providing advertisers with target audiences.”

That can quickly become a lucrative business for developers with popular apps and monetization firms alike, some of which collect billions of locations each day.

Most of the data monetization firms deny any wrongdoing and say that users can opt out at any time. Most said that they demand that app makers explicitly state that they require app developers to explicitly state that they are collecting and sending data to third-party firms.

The team’s research shows that those requirements are almost never verified.

Reveal said it requires customers “state the use cases for location data in their privacy policy” and that users can opt-out at any time. Huq, like Reveal, said it carries out “regular checks on our partner apps to ensure that they have implemented” measures that explain the company’s services. AreaMetrics, which collects primarily Bluetooth beacon data from public areas like coffee shops and retail stores, says it has “no interest” in receiving personal data from users.

Sense360 said the data it collects is anonymous and requires apps to get explicit consent from its users, but Strafach said few apps he’s seen contained text that sought assurances. But the company did not answer a specific question why it no longer works with certain apps. Wireless Registry said it also requires apps seek consent from users, but would not comment on the security measures it uses to ensure user privacy. And in remarks, inMarket said it follows advertising standards and guidelines.

Cuebiq claims to use an “advanced cryptography method” to store and transmit data, but Strafach said he found “no evidence” that any data was scrambled. It says it’s not a “tracker” but says while some app developers look to monetize users’ data, most are said to use it for insights. And, Factual said it uses location data for advertising and analytics, but must obtain in-app consent from users.

When reached, Teemo did not answer our questions. SafeGraph, Mobiquity and Fysical did not respond to requests for comment.

“None of these companies appear to be legally accountable for their claims and practices, instead there is some sort of self-regulation they claim to enforce,” said Strafach.

He said there isn’t much users can do, but limiting ad tracking in your iPhone’s privacy settings can make it more difficult for location trackers to identify users.

Apple’s crackdown on apps that don’t have privacy policies kicks in next month. But given how few people read them in the first place, don’t expect apps to change their behavior any time soon.

Sonatype raises $80 million to build out Nexus platform

Sonatype, a cybersecurity-focused open-source company, has raised $80 million from investment firm TPG.

The company said the financing will help extend its Nexus platform, which it touts as an enterprise ready repository manager and library, which among other things tracks code and helps to keep everything in the devops pipeline up-to-date and secure.

It’s that kind of technology that Sonatype says can prevent another Equifax -style breach of over 147 million consumers’ data. Earlier this year, the company found over dozens of Fortune Global 100 companies that downloaded outdated and vulnerable versions of Apache Struts, which Equifax failed to patch or update.

Sonatype’s chief executive Wayne Jackson his company can help prevent those type of breaches.

“We monitor literally millions of open source commits per day,” he told TechCrunch. “Last year hundreds of billions of components were downloaded by software developers, 12 percent of which had known security defects.”

The funding will go to extend the company’s Nexus platform, Jackson said.

The company said it’s had an 81 percent increase in year-over-year sales in the first-half of the year, and 1.5 million users added to its flagship Nexus platform since January. In all, the company has more than 10 million software developers and 1,000 enterprises on Nexus worldwide.

Sonatype’s last round of funding was in 2018, led by Goldman Sachs, snagging $30 million.