Data Security

Deepfake Ransomware Threat Highlighted 

Multinational IT security company ‘Trend Micro’ has highlighted the future threat of cybercriminals making and posting or threatening to post malicious ‘deep fake’ videos online in order to cause damage to reputations and/or to extract ransoms from their target victims.

What Are Deepfake Videos?

Deepfake videos use deep learning technology and manipulated images of target individuals (found online), often celebrities, politicians, and other well-known people, to create an embarrassing or scandalous video such as pornography or violent behaviour. The AI aspect of the technology means that even the facial expressions of those individuals featured in the video can be eerily accurate, and on first viewing, the videos can be very convincing.

An example of the power of deepfake videos can be seen on the Mojo top 10 (US) deepfake video compilation here: https://www.youtube.com/watch?v=-QvIX3cY4lc

Audio Too

Deepfake ‘ransomware’ can also involve using AI to manipulate audio in order to create a damaging or embarrassing recording of someone, or to mimic someone for fraud or extortion purposes.

A recent example was outlined in March this year, when a group of hackers were able to use AI software to mimic (create a deepfake of) an energy company CEO’s voice in order to successfully steal £201,000.

Little Fact-Checking

Rik Ferguson, VP of security research, and Robert McArdle, director of forward-looking threat research at Trend Micro, recently told delegates at Cloudsec 2019 that deepfake videos have the potential to be very effective not just because of their apparent accuracy, but also because we live in an age when few people carry out their own fact-checking. This means that by simply uploading such a video, the damage to reputation and the public opinion of the person is done.

Scalable & Damaging

Two of the main threats of deepfake ransomware videos are that they are very flexible in terms of subject matter i.e. anyone can be targeted, from teenagers for bullying to politicians and celebrities for money, and that they are a very scalable way for cybercriminals to launch potentially lucrative attacks.

Positive Use Too

It should be said that deepfakes don’t just have a negative purpose but can also be used to help filmmakers to reduce costs and speed up work, make humorous videos and advertisements, and even help in corporate training.

What Does This Mean For Your Business?

The speed at which AI is advancing has meant that deepfake videos are becoming more convincing, and more people have the resources and skills to make them.  This, coupled with the flexibility and scalability of the medium, and the fact that it is already being used for dishonest purposes means that it may soon become a real threat when used by cybercriminals e.g. to target specific business owners or members of staff.

In the wider environment, deepfake videos targeted at politicians in (state-sponsored) political campaigns could help to influence public opinion when voting which in turn could have an influence on the economic environment that businesses must operate in.

Penetration Testing Specialists Who Broke Into US Courthouse Claim It Was Part of Security Assessment

Two security specialists who performed a physical break-in on the US courthouse that hired their company for a penetration test have claimed that their break-in was part of their assessment of security.

What Happened?

Dallas’ State Court Administration (SCA) is reported to have hired security company Coalfire Labs to conduct testing of the security of the court’s electronic records at the Dallas County Courthouse in the town of Adel, around 20 miles west of Des Moines.

The police were called to the courthouse just after midnight on 11 September, where two men, who had been seen walking around on the third floor, came to the door to meet the police. When the two men, named as Justin Wynn and Gary Demercurio, came to the door they were allegedly carrying multiple burglary tools, and allegedly claimed that they had been ‘contracted’ to break into the building and to check the courthouse alarm system and how responsive the police were. The two men were promptly arrested, jailed and released on a $50,000 bond.

No Knowledge

It has been reported that, at the time, Dallas County claimed to have no knowledge of the security company or their plans, but Iowa’s State Court Administration did later release a statement confirming that it hired the company Coalfire Labs to test the security of the court’s electronic records.

The State Court Administration did, however, say that, although it had asked the company to attempt unauthorised access to court records through various means to learn of any potential vulnerabilities, it didn’t intend or expect those means to include forced entry to the building, an act that it could not condone (certainly for cyber testing!).

Would A Physical Break-In Be Part of a Pen Test?

Some tech commentators have speculated that some cybercrimes require the criminal to be physically close to target devices, which would, therefore, require companies and organisations to perhaps consider investing in physical defences as well as cyber defences.

Coalfire

Coalfire Labs, the global company that was hired to carry out the pen testing assessment, and is reported to have carried out hundreds of assessments for government agencies in the past, has been unable to comment on this particular case due to the confidential nature of its work, security and privacy laws, and the fact that a legal case is active.

Similar?

One thing that may not be good news for the two penetration testers is that there have been reports that a break-in at the Polk County Historic Courthouse in nearby Polk County on 9 Sept was apparently similar in nature to the Dallas County Courthouse break-in.

What Does This Mean For Your Business?

Physical security is, of course, an important part of protecting the whole business, but under GDPR data security should not involve leaving personal data anywhere that it could easily be accessed by unauthorised persons, whether it’s in a physical or virtual location.

Penetration testing is a legitimate and valuable way for companies and organisations to assess where more work needs to be done to ensure the safety of all digital data and information that they hold, but it is unlikely that many UK businesses would consider a physical break-in to be a legitimate part of what is usually an electronic-based assessment. It remains to be seen what happens in the US court case.

Less Than Half of Small Businesses Ready For No-Deal Brexit

Research from techUK shows that less than half of small UK businesses consider themselves to be ready to face a no-deal Brexit on 31 October, whereas 87% of larger businesses think they are prepared.

Small and Medium

The techUK research shows that only 43% of UK small businesses think they are ready for the prospect of a no-deal Brexit, which is not too different to the mere 50% of medium-sized companies that expressed readiness.

Not Up To Date With Government Guidance

The survey revealed that although most enterprises are aware that the government has given guidance on getting ready for a no-deal Brexit, only 30% of small businesses and 33% of medium-sized businesses regard themselves as being up to date with that guidance.

Popular Concerns

In addition to the impact on the UK economy, some of the popular concerns that many businesses have about a no-deal Brexit include how they stand in terms of regulatory compliance and any extra regulatory barriers that may hinder trade, and difficulty in finding staff after an end to freedom of movement (there is already a tech skills shortage and tech ‘brain drain’). Also, businesses are clearly worried about post-Brexit relationships with suppliers, whether contracts will need to be updated, and whether they will have enough of the right raw materials and parts to keep production running smoothly and meet their customer demands while keeping their costs and prices down.

Data Protection Guidance For Brexit

As far as being prepared to stay compliant with data protection laws, the ICO has recently stated that if a UK business or organisation already complies with the GDPR and has no contacts or customers in the EEA, that business or organisation doesn’t need to do much more to prepare for data protection compliance after Brexit.

The latest guidance for businesses facing a no-deal Brexit can be found on the website here: https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-and-brexit-for-small-organisations/

What Does This Mean For Your Business?

It doesn’t take a study to find out that there is still a great deal of uncertainty about trading post-Brexit, particularly after the impact of a no-deal Brexit. As the businesses in the study indicated, many are aware that there is guidance available from government sources, but SMEs don’t appear to be up to date with that guidance. It is good, at least, that the ICO has issued clear, easily accessible guidance on its website to help companies prepare to remain GDPR compliant after Brexit. Other Brexit guidance for small businesses can be found on the FSB website here: https://www.fsb.org.uk/standing-up-for-you/brexit/resources and on the main UK government website here: https://www.gov.uk/find-eu-exit-guidance-business

Autonomous AI Cyber Weapons Inevitable Says Security Research Expert

Speaking at a recent CloudSec event in London, Trend Micro’s vice-president of security research, Rik Ferguson said that AI cyberattacks operated autonomously are an inevitable threat that security professionals must adapt to tackling.

If Leveraged By Cybercriminals

Mr Ferguson said that when cybercriminals manage to leverage the power of AI, organisations may find themselves experiencing attacks that happen very quickly, contain malicious code, and can even adapt themselves to target specific people in an organisation e.g. impersonating senior company personnel in order to get payments authorised, pretending to be a penetration testing tool, or finding ways to motivate targeted persons to fall victim to a phishing scam.

AI Vs AI

Mr Ferguson suggested that the inevitability of cybercriminals developing autonomous AI-driven attack weapons means that it may be time to be thinking in a world of AI versus AI.

Example of Attack

One close example given by Ferguson is the Emotet Trojan. This malware, which obtains financial information by injecting computer code into the networking stack of an infected Microsoft Windows computer, was introduced 5 years ago but has managed to adapt and cover its tracks even though it is not even AI-driven.

AI Launching Own Attacks Without Human Intervention

Theresa Payton, who was the first woman to be a White House CIO (under President George W Bush) and is now CEO of security consultancy Fortalice, has been reported as saying that the advent of genuine AI has posed serious questions, that the cybersecurity industry is falling behind, and that we may even be facing a situation where AI will be able to launch its own attacks without human intervention.

Challenge

One challenge to responding effectively to AI cyber-attacks is likely to be that cybersecurity and law enforcement agencies must move at the speed of law, particularly where procedures must be followed to request help from and arrange coordination between foreign agencies.  The speed of the law, unfortunately, is likely to be much slower than the speed of an AI-powered attack.

What Does This Mean For Your Business?

It is a good thing for all businesses that the cybersecurity industry recognises the inevitability of AI-powered attacks, and although it fears that it risks falling behind, it is talking about the issue, taking it seriously, and looking at ways in which it needs to change in order to respond.

Adopting AI Vs AI thinking now may be a sensible way to help security professionals, and those in charge of national security to focus thinking and resources on finding ways to innovate and create their own AI-based detection and defensive systems and tools, and the necessary strategies and alliances in readiness for a new kind of attack.

Joker Malware Found In 24 Apps In Google Play Store

Security researcher Aleksejs Kuprins of CSIS cybersecurity services company has discovered 24 apps which have been available for download in the Google Play Store that contain ‘Joker’ malware.

What Is Joker Malware?

Joker malware is a spy and premium subscription bot that makes money by simulating clicks. If, for example, a Joker infected app is downloaded, the malware delivers a second-stage component which silently simulates the interaction with advertisement websites, and steals the victim’s SMS messages, their contact list and their device information.

One of the silent automated interactions with advertisement websites includes simulation of clicks and entering of the authorisation codes for premium service subscriptions.

One specific example of what Joker can do, given by Mr Kuprins on the CSIS tech blog, is that in Denmark, Joker can silently sign a victim up for a 50 DKK (6,71 EUR) per week service by automating interaction with a premium offer’s webpage, entering the offer code, waiting for an SMS message with a confirmation code and extracting it, and finally submitting the code to the offer’s webpage to authorise the premium subscription.

Which Apps?

The 24 apps harbouring the ‘Joker’ malware, which have been installed more than 472,000 times are: Advocate Wallpaper, Age Face, Altar Message, Antivirus Security – Security Scan, Beach Camera, Board picture editing, Certain Wallpaper, Climate SMS, Collate Face Scanner, Cute Camera, Dazzle Wallpaper, Declare Message, Display Camera, Great VPN, Humour Camera, Ignite Clean, Leaf Face Scanner, Mini Camera, Print Plant scan, Rapid Face Scanner, Reward Clean, Ruddy SMS, Soby Camera and Spark Wallpaper.

Only Targets Certain Countries

The good news is that ‘Joker’ malware only attacks targeted countries and that most of the infected apps contain a list of these targeted Mobile Country Codes (MCC) meaning that the victim has to be using a SIM card from one of these countries to receive the second stage payload.  The bad news is that the UK is one of those targeted countries.

Google On Top Of Things

Despite there being 24 apps identified so far, Mr Kuprins has reported that Google has stayed on top of things during his investigation and has been removing all the offending apps without the need for prompting.

Not The First Time

Back in January last year, security researchers discovered 36 fake and malicious apps for Android that could harvest data and track a victim’s location, masquerading as security tools in the trusted Google Play Store.

What Does This Mean For Your Business?

Google Play is a trusted source for apps, and it’s worrying that hundreds of thousands of customers may have the affected apps from Google Play.  In this case, Google has responded relatively quickly and has deleted infected apps where they have been found.

The obvious advice to Android phone users is to check the list of infected apps and delete any on your phone that match. If you think you may have been affected by Joker via an app, it may be a good idea to check your Google Play account for any unauthorised subscriptions, check your credit card or bank statements as far back as June of this year, and let your contacts know that you may have been infected (because Joker steals your phone’s contact list).

To minimise the risk of falling victim to damage caused by fake apps, users should check the publisher of an app, check which permissions the app requests when you install it, delete apps from your phone that you no longer use, and contact your phone’s service provider or visit the high street store if you think you’ve downloaded a malicious/suspect app.

This latest discovery of infected apps on Google’s Play Store should prompt the company to make even greater efforts to police the apps that it offers there.

Report Shows That 99% of Cyber Attacks Now Involve Social Engineering

The Human Factor report from Proofpoint shows that almost all cyber-attacks, at some stage, involve the exploitation of human error in the form of social engineering.

What Are Social Engineering Attacks?

Social engineering attacks involve the manipulation and deception of people into performing actions such as transferring money to criminal accounts or divulging confidential information.

What Kind of Attacks?

The Proofpoint Human Factor report makes the point that as many as 99% of cyber-attacks now involve social engineering through cloud applications, email or social media.  Social engineering attacks can also involve cybercriminals making phone calls to key persons in an organisation.

Easier and More Profitable

These attacks are designed to enable a macro, or trick people into opening a malicious file or following a malicious link through human error, rather than the cyber attacker having to face the considerable and time-consuming challenge of trying to hack into the (often well-defended) systems and infrastructure of enterprises and other organisations. Social engineering attacks are, therefore, easier, less costly, more profitable, and more likely to be successful than having to create an exploit to try and gain access to company systems.

Targets – “Very Attacked People”

Cybercriminals are looking for money and valuable data and information. The Proofpoint report, which was based on 18 months of data analysis collated from across the company’s global customer base, highlights the fact that the gatekeepers of money and data in target organisations become the “very attacked people” (VAP) i.e. the most often approached targets. These VAPs are often identified by attackers using information from sources such as corporate websites, social media, trade publications, and search engines.

Patterns & Routines

The report also revealed how attacks involving email messages can be made to mimic standard business routines and legitimate email traffic patterns e.g. downtime at weekends and spikes on Mondays.  Also, malware tends to be evenly distributed over the first three days of the working week, and attacks in the Middle East and Europe appear to be more likely to succeed after lunch.

What Does This Mean For Your Business?

The fact that many businesses and organisations are taking cyber defence seriously and have improved their system defences means that cybercriminals are moving into social engineering attacks.

Businesses and organisations can protect themselves against such attacks through staff training (particularly for guardians of funds and data), keeping anti-virus and online filtering up to date, using encryption e.g. VPNs for certain employees, having clear policies and procedures in place with built-in verification and authorisation for money and data requests, and being careful about publicly-visible employee information that could be used to target key staff members.

AI Mimics CEO’s Voice To Steal Over £200,000

A recent Wall Street Journal report has highlighted how, in March this year, a group of hackers were able to use AI software to mimic an energy company CEO’s voice in order to steal £201,000.

What Happened?

Reports indicate that the CEO of an unnamed UK-based energy company received a phone call from someone that he believed to be the German chief executive of the parent company.  The person on the end of the phone ordered the CEO of the UK-based energy company to immediately transfer €220,000 (£201,000) into the bank account of a Hungarian supplier.

The voice was reported to have been so accurate in its sound that the CEO of the energy company even recognised what he thought were the subtleties of the German accent of his boss, and even the “melody” of the accent.

The call was so convincing that the energy company made the transfer of funds as requested.

Fraudster Using AI Software

The caller, who was later discovered to have been a fraudster using AI-based voice-altering software to simulate the voice of the German boss, called 3 times. In the first call, the fraudster requested the transfer, in the second call they (falsely) claimed that the transfer had been reimbursed, and in the third call the fraudster requested an additional payment. It was this third call that aroused suspicion, partly based on the fact that the telephone number appeared to indicate that the caller was in Austria and not Hungary.

Money To Hungary, Mexico and Beyond

Unfortunately, the money had already been transferred to a Hungarian account after the first call, and it has since been discovered that money was immediately transferred from the alleged supplier’s Hungarian bank account to an account in Mexico, and then further disbursed to accounts in other locations, thereby making it very difficult for authorities to follow the trail.

What Sort of Software?

The kind of software used in this attack may have been similar in its output to that demonstrated by researchers from Dessa, an AI company based in Toronto.  Dessa has produced a video of how this kind of software has been able to produce a relatively accurate simulation of the voice of popular podcaster and comedian Joe Rogan – see: https://www.youtube.com/watch?time_continue=1&v=DWK_iYBl8cA

What Does This Mean For Your Business?

It is known that cybercriminals, deterred by improved and more robust enterprise security practices, have decided to look for human error and concentrate more on social engineering attacks, a category that this voice simulation attack (via phone calls) fits into. The fact that this attack has taken place and been successful shows that some cybercriminals are already equipped with the computing power and most up-to-date machine-learning AI technology that they are clearly capable of using.

This means that companies and organisations (particularly larger ones) may now be at risk of facing more sophisticated deception and phishing attacks. The AI company Dessa has suggested that organisations and even individuals could expect to face future threats such as spam callers impersonating relatives or spouses to obtain personal information, impersonations intended to bully or harass, persons trying to gain entrance to high security clearance areas by impersonating government officials, and even an ‘audio deepfake’ of a politician being used to manipulate election results or cause a social uprising.

Companies should try to guard against social engineering attacks by educating all staff to the risks and having clear verification procedures (and not just relying on phone calls), tests, and chain of command authorisation in place for any requests for funds.

Leaving Your Job? Don’t Take Personal Data With You Warns ICO

The Information Commissioner’s Office (ICO) has warned those retiring or taking a new job that under the Data Protection Act 2018, employees can face regulatory action if they are found to have retained information collected as part of their previous employment.

Old Investigation

The renewed warning was issued following the regulator concluding its dealings in an old investigation of two (former) police officers who were interviewed (by the media) about an historic case involving an MP that they’d worked on as serving officers, and who had been accused of disclosing details about the case to the media.

In this case, the investigation appears to have related to police handling of personal data such as notebooks and the fact that measures need to be put in place to ensure that these are not retained when officers leave the service.

The ICO investigation, brought about under the previous Data Protection Act 1998 legislation (because the alleged disclosure occurred before the DPA 2018 and GDPR’s introduction) may have resulted in no enforcement action being taken against the two officers, but prompted the ICO to issue a reminder that data protection laws have been toughened in this area.

“Knowingly or Recklessly Retaining Personal Data”

The warning in the ICO’s recent statement is that the Data Protection Act 1998 has since been strengthened through the Data Protection Act 2018, to include a new element of knowingly or recklessly retaining personal data without the consent of the data controller (see section 170 of the DPA 2018).

The only exceptions to this new part of the new Act are when it is necessary for the purposes of preventing or detecting crime, is required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or when it is justified as being in the public interest.

Retiring or Taking a New Job

The ICO has warned that anyone who deals with the personal details of others in the course of their work, private or public sector, should take note of this update to the law, especially when employees are retiring or taking on a new job. Those leaving or retiring should also take note that they will be held responsible if the breach of personal data from their previous employer can be traced to their individual actions.

Examples

Examples of where the ICO has prosecuted for this type of breach of the law include a charity worker who, without the knowledge of the data controller, Rochdale Connections Trust, sent emails from his work email account (in February 2017) containing sensitive personal information of 183 people.  Also, a former Council schools admission department apprentice was found guilty of screen-shotting a spreadsheet that contained information about children and eligibility for free school meals and then sending it to a parent via Snapchat.

What Does This Mean For Your Business?

This latest statement from the ICO should remind all businesses and organisations, whether in the private or public sectors, that reasonable measures or procedures need to be put in place to ensure that anyone retiring or leaving for another job cannot take personal details with them that should be under the care of the data controller i.e. you and your company/organisation.

Failure to take this facet of current data law into account could result in fines from the regulator for those individuals responsible, potential legal action from the victims of any breach against your organisation, some bad and potentially damaging publicity, and costly and long-lasting damage to reputation.

Student Textbooks Malware Threat

Kaspersky’s blog is warning students who are about to go back after the summer holidays to beware of the risk of malware that’s masked as textbooks and essays online.

Students Targeted

According to Kaspersky, K-12 and college students who may want to save money on textbooks by seeking online essays and study materials may end up unwittingly downloading malware instead.

A study by the security company of school and student-related filenames over the past academic year has revealed that out of 356,000 attempted attacks on Kaspersky users, 233,000 cases involved malicious essays that were downloaded to computers owned by more than 74,000 people (which the company claims its software blocked).

Kaspersky’s figures indicate that 122,000 of those attacks were by malware disguised as textbooks which more than 30,000 users tried to open.

Targeted Popular and Less Popular Subjects

The study revealed that cybercriminals haven’t just been focusing on popular subjects for attacks. For example, even though English textbooks hiding malware had 2,080 attempted downloads and maths textbooks hiding malware had 1,213 downloads, malicious textbooks for natural sciences also managed to fool 18 users.

The Four Most Popular Types of Malware

Kaspersky lists the four most popular types of Malware attacks disguised as online study materials as:

1. School spamming using the Stalk worm

This has claimed the greatest number of victims and is the preferred method by which the Worm.Win32.Stalk.a worm is spread. Once downloaded to a school computer, Stalk penetrates all devices that are connected to it, will infect USB sticks used by students, will spread across the whole network, can spread to the email contacts of students, and can download other malicious applications to the infected device.

2. Win32.Agent.ifdx malware downloader

This downloader program is disguised as textbooks or essays in DOC, DOCX or PDF formats. Once launched, it opens a text file so that the victim does not realise that anything suspicious is going on, but it is designed to download many other bad things onto the victim’s computer which can be modified to become cryptominers, banking trojans (to steal bank details) and ransomware.

3. The WinLNK.Agent.gen downloader

WinLNK.Agent.gen downloader is hidden in archives e.g. zip or rar files and uses a shortcut to a text file to open the document itself and launch the attached malware components. This can result in cryptominers, adware, and more damaging programs being loaded onto and slowing down the victim’s computer.

4. The MediaGet torrent application downloader

This is disguised by ‘Free Download’ buttons and will download a torrent client that the user does not need.

What Does This Mean For Your Business?

Colleges and schools are known to be popular targets for cybercriminals because they have large numbers of users spread across many different departments, and sometimes across different facilities, making admin and IT security very complicated.  Also, valuable intellectual property, student and staff personal data, and the chance to use the processing power of many computers within their systems can make schools and colleges tempting targets for cybercriminals.

Part of the prevention of the kinds of attacks identified by Kaspersky can be achieved by educating students (and staff) about threats, and how to spot them and deal with them, as well as making sure that antivirus protection and patches are all up to date across school and college systems.

Kaspersky’s advice to students for avoiding the malware threat includes searching for the books you need in physical or online libraries, paying attention to what type of site is hosting the textbook download, not using outdated versions of operating systems and other software, being wary of email attachments (even those sent from acquaintances), and paying attention to the download file extensions e.g. don’t open .exe files.
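The file-extension advice above, and the description of WinLNK.Agent.gen as a shortcut inside an archive posing as a document, can be turned into a check that runs before anything is opened. The following Python is an added example, not code from Kaspersky or from this article; the extension lists, the function names and the sample archive (harmless placeholder bytes) are assumptions constructed for illustration.

```python
import io
import zipfile

# Types that run code or launch something when double-clicked on Windows.
# Assumed list for this example, not Kaspersky's own.
LAUNCHABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".msi", ".lnk"}
# What a textbook or essay download is expected to be (formats named in the article).
DOCUMENT = {".doc", ".docx", ".pdf", ".txt"}
# First 20 bytes of every Windows shortcut: header size 0x4C plus the ShellLink CLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")


def extensions(name):
    """All dot-separated extensions of the file's base name, lower-cased."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # strip() defeats "essay.pdf      .exe", where spaces push ".exe" out of view
    return ["." + part.strip().lower() for part in base.split(".")[1:]]


def sniff(head):
    """Identify launchable content from its leading bytes, whatever the name says."""
    if head.startswith(LNK_MAGIC):
        return "Windows shortcut"
    if head.startswith(b"MZ"):
        return "Windows executable"
    return None


def classify(name, head=b""):
    """Return the reasons (possibly none) a download deserves a second look."""
    exts = extensions(name)
    reasons = []
    if exts and exts[-1] in LAUNCHABLE:
        reasons.append("launchable type " + exts[-1])
        # Windows hides known extensions by default, so "x.docx.exe" displays as "x.docx"
        if len(exts) >= 2 and exts[-2] in DOCUMENT:
            reasons.append("document extension hides real type")
    else:
        kind = sniff(head)
        if kind:
            reasons.append("content is a " + kind)
    return reasons


def scan_archive(data):
    """Check every entry of a ZIP by name and first bytes, without extracting it."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as entry:
                head = entry.read(len(LNK_MAGIC))
            reasons = classify(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample: placeholder bytes laid out like the archive described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Biology_Textbook.txt", "Chapter 1: Cells\n")
        archive.writestr("Biology_Textbook.txt.lnk", LNK_MAGIC + b"\x00" * 56)
        archive.writestr("essay.docx", b"MZ" + b"\x00" * 62)
        archive.writestr("components/setup.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_archive(build_sample_archive()).items():
        print(name + ": " + "; ".join(reasons))
```

The same `classify` function can be pointed at a single downloaded file by passing its name and first 20 bytes, which catches a renamed executable that an extension check alone would miss.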

iPhone Attack Lasting More Than 2 Years Discovered

A Google security researcher has discovered a sustained and indiscriminate hacking attack on iPhones that is believed to have been going on for more than two years.

Google Project Zero

Details of the attack are outlined on Google’s ‘Project Zero’ blog (https://googleprojectzero.blogspot.com) by security researcher Ian Beer.

Using Hacked Websites For The Attack

On the blog, Mr Beer highlights how Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites that were being used in indiscriminate ‘watering hole’ attacks against their visitors, using iPhone 0-day. Watering hole attacks are where the browsing patterns of particular groups are observed in order to lay a trap e.g. hacking a website that the particular group visits. 0-day vulnerabilities in software are those that are either unknown or known and not patched.

Mr Beer’s TAG team noted that there has been no target discrimination for the attack but a simple visit to a hacked website appears to be enough for the exploit server to attack a person’s device, leading to the installation of a monitoring implant.

How Many iPhone Users Have Been Affected?

Mr Beer’s team estimate that the hacked websites receive thousands of visitors per week.  Also, given that the hack has been operating for more than two years, and that TAG was able to identify five separate, complete and unique iPhone exploit chains that cover almost every version from iOS 10 through to the latest version of iOS 12, large numbers of iPhone users could potentially be affected.

12 Security Flaws

Mr Beer’s team identified 12 separate security flaws (mostly bugs within the Safari default web browser on Apple products) that could be used to compromise the Apple devices.

Reported To Apple – Patch Released

The TAG researchers reported the issues to Apple with a 7-day deadline on 1 February 2019 and shared the complete details of the research with Apple.  This led to the release of the security update iOS 12.1.4 on 7 Feb 2019.

What Does This Mean For Your Business?

It is worrying to think that this kind of hack has been going on for years before it was discovered, and owners of Apple devices may be particularly surprised given the security features of their phones and Apple’s reputation for offering relative safety from concerns about viruses and hacking.

If you have an iPhone, the advice is to make sure that it is running the latest version of iOS. Go to ‘Settings’, tap ‘General’, and under ‘Software Update’ check that you are running iOS 12.4.1, which has the fix.