Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we analyze the wild world of security.

The clock is ticking for TikTok.

The popular short-form video sharing app, which is already banned in India, is facing a similar roadblock in the US, where the Trump administration has escalated its threats to ban the platform along with WeChat.

Even as ByteDance and Microsoft are hammering out a possible deal, the big question is: should you delete TikTok off your phone?

Privacy and security worries about the app have run high in recent weeks, with the US government warning that it puts “your private information in the hands of the Chinese Communist Party.”

To answer the question, the best way is to unpack the app itself and follow the data trail. That’s exactly what security researcher Baptiste Robert (@fs0c131y) did.

And what he found is proof that the app isn’t doing anything different from what other apps like Facebook are already doing.

“As far as we can see, in its current state, TikTok doesn’t have a suspicious behavior and is not exfiltrating abnormal data,” Robert said. “Getting data about the user device is quite common in the mobile world and we would obtain similar results with Facebook, Snapchat, Instagram and others.”

Then earlier this week, a Wall Street Journal analysis found that TikTok used a known loophole in Android to get the MAC address of the device and possibly use the persistent device identifiers for ad tracking purposes. TikTok stopped the practice in November 2019.

Yes, it’s a shady thing to do, as was the clipboard fiasco, but it’s far from being deemed a threat to national security.

In fact, a recent CIA assessment obtained by The New York Times found no evidence that the app had been used by Chinese spy agencies to intercept data.

It’s a given that when you install an app on your phone, you are willingly signing up to be tracked and to have an ungodly amount of data collected about you.

But while there’s absolutely scant evidence that TikTok is sharing your personal information with China, we should be wary of any authoritative attempts to control software under the garb of privacy concerns.

What’s trending in security?

Twitter said it fixed a bug in its Android app that may have allowed an attacker to access a user’s private Twitter direct messages, Garmin reportedly paid a multi-million dollar ransom to recover access to its systems after a ransomware attack, and the EU imposed sanctions against China, Russia, and North Korea for carrying out major cyberattacks against European citizens and businesses.

  • The US announced rewards of up to $10 million for any information leading to the identification of any person who works with or for a foreign government for the purpose of interfering with US elections through “illegal cyber activities.” [US Dept of State]
  • How secure is the chip in your credit card? An analysis of 11 chip card implementations from 10 different banks in Europe and the US found it’s possible to “harvest data from four of them and create cloned magnetic stripe cards that were successfully used to place transactions.” [Brian Krebs]
  • The New York Times looked at the life of 17-year-old Florida teen Graham Ivan Clark, the alleged “mastermind” behind the Twitter hack last month, who was arrested with two other accomplices. [The New York Times]
  • The NSA warned members of the US military and intelligence community this week that their smartphone apps could be tracking them and putting their security at risk. It’s telling workers to disable location-sharing services on mobile devices, grant apps as few permissions as possible, turn off ad permissions, limit mobile web browsing, adjust browser options to disable use of location data, and disable settings for tracking misplaced/stolen phones. [NSA]


  • More than 400 vulnerabilities in Qualcomm Snapdragon chips, now patched, could be exploited to bypass security checks and steal sensitive data, according to new research. [Ars Technica]
  • Anomaly Six, a contractor for the US government, has embedded its SDKs in more than 500 mobile apps, allowing it to track the movements of hundreds of millions of mobile phones worldwide. [The Wall Street Journal]
  • High-wattage connected devices like dishwashers and heating systems can be recruited into botnets and used to manipulate energy markets. [Georgia Tech]
  • Taiwan’s semiconductor industry was the focus of a hacking attack called “Operation Chimera” between 2018 and 2019 by a China-based threat group with an aim to steal source code and chip designs. [CyCraft Technology]


  • A dozen vulnerabilities in a Mercedes-Benz E-Class car allowed researchers to remotely open its doors and start the engine. [TechCrunch]
  • At the Black Hat conference last week, a security researcher revealed how insecure satellite-based Internet allows attackers to snoop on companies and sometimes tamper with data. [Ars Technica]
  • Security expert Troy Hunt open-sourced data breach notification website Have I Been Pwned. To read more about how such password-checking tools work, here’s an interesting primer from Cloudflare’s Junade Ali. [Troy Hunt]
  • The fortnight in data breaches, leaks and ransomware: British Dental Association, Canon, Havenly, Intel, LG, Xerox, and Zello.

Data Point

IBM released its annual Cost of a Data Breach Report last month, which says that the average data breach now costs $3.86 million. Although this average has decreased by 1.5% in comparison to 2019, these “mega” breaches can cost up to $392 million to recover from, up from $388 million in 2019.

Tweet of the week

Another reason why SMS-based two-factor authentication needs to go!

That’s it. See you all in two weeks. Stay safe!

