China Reportedly Used Chips to Spy on US Tech Companies


A media report today revealed details of a significant supply chain attack which appears to be one of the largest corporate espionage and hardware hacking programs from a nation-state.

According to a lengthy report published today by Bloomberg, a tiny surveillance chip, not much bigger than a grain of rice, has been found hidden in the servers used by nearly 30 American companies, including Apple and Amazon.

The malicious chips, which were not part of the original server motherboards designed by the U.S.-based company Super Micro, had been inserted during the manufacturing process in China.


The report, based on a 3-year-long top-secret investigation in the United States, claims that the Chinese government-affiliated groups managed to infiltrate the supply chain to install tiny surveillance chips to motherboards which ended up in servers deployed by U.S. military, U.S. intelligence agencies, and many U.S. companies like Apple and Amazon.

"Apple made its discovery of suspicious chips inside Supermicro servers around May 2015, after detecting odd network activity and firmware problems, according to a person familiar with the timeline," the report said.

"Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code."

The chips are suspected to have been added to help the Chinese government spy on American companies and their users, basically a "hardware hack" that, according to the publication, is "more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get."
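The behaviour the report attributes to the implant, a server quietly contacting an outside host to fetch more code, is exactly what would register as the "odd network activity" Apple reportedly noticed. The script below is an added example, not code from Bloomberg's report or from any of the companies named, showing how a defender could screen flow logs from a server segment for that pattern: egress to destinations outside an allowlist, scored for the fixed-interval timing typical of a beacon. All host names, addresses, the allowlist and the flow records are constructed for the example.

```python
"""Screen server egress for implant-style 'phone home' traffic.

Input is one flow record per line: timestamp host src_ip dst_ip dst_port bytes.
Any connection to a destination outside the allowlist is reported; groups of
such connections with near-constant spacing are marked beacon-like.
All data below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import statistics

# Constructed flow records from a management/server VLAN (not real traffic).
SAMPLE_FLOWS = """\
2018-10-04T09:00:00Z srv-db-07 10.20.0.17 10.20.0.5 123 76
2018-10-04T09:00:01Z srv-db-07 10.20.0.17 10.20.0.9 443 8120
2018-10-04T09:00:05Z srv-db-07 10.20.0.17 203.0.113.77 443 412
2018-10-04T09:10:05Z srv-db-07 10.20.0.17 203.0.113.77 443 409
2018-10-04T09:20:06Z srv-db-07 10.20.0.17 203.0.113.77 443 415
2018-10-04T09:30:05Z srv-db-07 10.20.0.17 203.0.113.77 443 411
2018-10-04T09:12:44Z srv-web-02 10.20.0.31 198.51.100.10 443 30112
2018-10-04T09:15:30Z srv-web-02 10.20.0.31 192.0.2.50 8443 1502
2018-10-04T09:31:10Z srv-web-02 10.20.0.31 10.20.0.9 443 9001
"""

# Constructed allowlist: the internal range plus an approved external update mirror.
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with parsed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, src, dst, port, nbytes = line.split()
        flows.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes),
        })
    return flows


def is_allowed(dst, allowlist):
    """True if the destination falls inside any allowlisted network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowlist)


def beacon_stats(times, min_events=3, max_cv=0.1):
    """Return (mean gap in seconds, coefficient of variation, beacon_like).

    A beacon fires on a timer, so the gaps between its connections are nearly
    equal: a low coefficient of variation across at least min_events hits.
    """
    times = sorted(times)
    if len(times) < min_events:
        return None, None, False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv, cv <= max_cv


def analyze(text, allowlist):
    """Group unexpected egress by (host, destination) and score each group."""
    groups = defaultdict(list)
    for flow in parse_flows(text):
        if not is_allowed(flow["dst"], allowlist):
            groups[(flow["host"], flow["dst"])].append(flow)

    findings = []
    for (host, dst), flows in groups.items():
        mean, cv, beacon_like = beacon_stats([f["time"] for f in flows])
        findings.append({
            "host": host, "dst": dst, "connections": len(flows),
            "total_bytes": sum(f["bytes"] for f in flows),
            "mean_interval_s": mean, "beacon_like": beacon_like,
        })
    # Beacon-like groups first, then the busiest remaining destinations.
    return sorted(findings, key=lambda x: (not x["beacon_like"], -x["connections"]))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS, ALLOWED_DESTINATIONS):
        print(finding)
```

On the constructed input, srv-db-07's four small connections to 203.0.113.77 at ten-minute spacing are reported as beacon-like, while srv-web-02's single hit on 192.0.2.50 is listed only as unexpected egress; the allowlisted update mirror is ignored. The allowlist is the part that needs real care in practice: a server segment whose legitimate destinations are not enumerable cannot be screened this way.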

Apple, Amazon, and Super Micro Refute the Bloomberg Report

Apple told Bloomberg that the company has never found malicious chips, "hardware manipulations," or vulnerabilities purposely planted in any of its servers, or that it "had any contact with the FBI or any other agency about such an incident."

Apple ended its relationship with Super Micro in 2016. Its best guess, Apple said, is that the Bloomberg reporters confused their story with a previously reported 2016 incident in which the company found an infected driver on a single Super Micro server in one of its labs.

Amazon also says it is "untrue" that the company knew of "a supply chain compromise," or "servers containing malicious chips or modifications in data centers based in China," or that it "worked with the FBI to investigate or provide data about malicious hardware."

Meanwhile, Supermicro and the Chinese Ministry of Foreign Affairs have also strongly denied Bloomberg's findings by releasing lengthy statements. Here you can find a full list of official statements from Amazon, Apple, Supermicro and the Chinese Ministry of Foreign Affairs.

New iPhone Passcode Bypass Hack Exposes Photos and Contacts


Jose Rodriguez, an iPhone enthusiast, has discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that potentially allows an attacker to access photos and contacts, including phone numbers and emails, on a locked iPhone XS and other recent iPhone models.

Rodriguez, who also discovered iPhone lock screen hacks in the past, has posted two videos (in Spanish) on his YouTube channel under the account name Videosdebarraquito demonstrating a complicated 37-step iPhone passcode bypass process.

The iPhone authorization screen bypass flaw works on the latest iPhones, including the iPhone XS, running Apple's latest iOS 12 beta and iOS 12 operating systems.

Video Demonstrations: Here's How to Bypass iPhone Passcode

As the video demonstrations show, the hack works provided the attacker has physical access to the targeted iPhone, Siri is enabled, and Face ID is either disabled or physically covered.

Video: Passcode Bypass (Note), https://m.youtube.com/watch?v=fZh4cM3R0qU

Once these requirements are satisfied, the attacker can begin the complicated 37-step passcode bypass by tricking Siri and the iOS accessibility feature VoiceOver into sidestepping the iPhone's passcode.

This iPhone passcode bypass method potentially allows the attacker to access the contacts stored in the iPhone, including phone numbers and email addresses, and to access Camera Roll and other photo folders, by selecting a contact to edit and change its image.

Though Apple has some built-in security measures to prevent this from happening, Rodriguez found a way to bypass those security barriers, as you can see in the video.

Here's how to Fix the iPhone Passcode Bypass Bug

The passcode bypass methods work on all iPhones including the latest iPhone XS lineup, but the company does not appear to have patched the vulnerabilities in the latest iOS 12.1 beta.

Until Apple comes up with a fix, you can temporarily work around the issue by disabling Siri on the lock screen. Here's how to disable Siri:

  • Go to Settings → Face ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) and disable the Siri toggle under "Allow access when locked."

Of course, disabling Siri would cripple your iOS 12 experience, but would prevent attackers from abusing the feature and breaking into your iPhone.

Meanwhile, just wait for Apple to issue a software update to address the issue as soon as possible.

Hackers Stole 90 Million Facebook Users' Access Tokens


Facebook said today some 90 million of its users may get forcibly logged out of their accounts after the company fixed a rather glaring security vulnerability in its Web site that may have let attackers hijack user profiles.

In a short blog post published this afternoon, Facebook said hackers have been exploiting a vulnerability in Facebook’s site code that impacted a feature called “View As,” which lets users see how their profile appears to other people.

“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Facebook wrote. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”


Facebook said it was removing the insecure “View As” feature, and resetting the access tokens of 50 million accounts that the company said it knows were affected, as well as the tokens for another 40 million users that may have been impacted over the past year.

The company said it was just beginning its investigation, and that it doesn’t yet know some basic facts about the incident, such as whether these accounts were misused, if any private information was accessed, or who might be responsible for these attacks.

“We have invalidated data access for third-party apps for the affected individuals,” a Facebook spokesperson said, referring to the 90 million accounts that were forcibly logged out today and presented with a notification about the incident at the top of their feed.
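Facebook's description of access tokens as "digital keys that keep people logged in" is the point that matters for anyone running a session system: a bearer token obtained through a flaw like "View As" is indistinguishable from the owner's, so the only remedy is to invalidate it server-side, which is what the mass token reset and the cut-off of third-party app access amount to. The code below is an added example and is not Facebook's implementation; it shows one way to build a token store so that both of those actions are cheap: tokens are opaque, only their hash is stored, and per-user generation counters make a reset of millions of accounts one counter bump each rather than a scan of every token. User names, app names and the scenario in demo() are constructed.

```python
"""Server-side store for opaque bearer tokens with per-user bulk revocation.

Two generation counters per user: bumping "all" invalidates every token the
user holds (a forced logout), bumping "third_party" invalidates only tokens
issued to external apps. Tokens also carry a lifetime so a missed revocation
is still bounded. Constructed example, not any real service's code.
"""
import hashlib
import secrets
import time

FIRST_PARTY = "first-party"


class TokenStore:
    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._records = {}   # sha256(token) -> record
        self._gen = {}       # user_id -> {"all": n, "third_party": n}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically

    @staticmethod
    def _key(token):
        # Only the digest is stored: a leaked database yields no usable tokens.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def _gens(self, user_id):
        return self._gen.setdefault(user_id, {"all": 0, "third_party": 0})

    def issue(self, user_id, app=FIRST_PARTY):
        """Mint a token for user_id; app names the client it was issued to."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        gens = self._gens(user_id)
        self._records[self._key(token)] = {
            "user": user_id, "app": app, "issued": self._clock(),
            "gen_all": gens["all"], "gen_third_party": gens["third_party"],
        }
        return token

    def validate(self, token):
        """Return the user id the token authenticates, or None if it is dead."""
        rec = self._records.get(self._key(token))
        if rec is None:
            return None
        if self._clock() - rec["issued"] > self._ttl:
            return None
        gens = self._gens(rec["user"])
        if rec["gen_all"] != gens["all"]:
            return None                      # user-wide reset happened after issue
        if rec["app"] != FIRST_PARTY and rec["gen_third_party"] != gens["third_party"]:
            return None                      # third-party access was cut off
        return rec["user"]

    def revoke_all(self, user_id):
        self._gens(user_id)["all"] += 1

    def revoke_third_party(self, user_id):
        self._gens(user_id)["third_party"] += 1

    def revoke_many(self, user_ids):
        """Bulk reset: O(1) per account, no token rows touched."""
        for uid in user_ids:
            self.revoke_all(uid)


def demo():
    """Constructed scenario: a leaked token, a partial cut-off, then a full reset."""
    store = TokenStore()
    alice_web = store.issue("alice")
    alice_app = store.issue("alice", app="photo-printer-app")
    bob_web = store.issue("bob")
    leaked_copy = alice_web                 # an attacker's copy is identical

    results = {"leaked_before": store.validate(leaked_copy)}
    store.revoke_third_party("alice")
    results["app_after_3p_revoke"] = store.validate(alice_app)
    results["web_after_3p_revoke"] = store.validate(alice_web)
    store.revoke_many(["alice"])
    results["leaked_after"] = store.validate(leaked_copy)
    results["bob_unaffected"] = store.validate(bob_web)
    results["fresh_login"] = store.validate(store.issue("alice"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The counters are the source of truth, so validation never trusts anything the client presents beyond the token itself, and a fresh login after a reset works immediately because it is minted under the new generation. What this cannot tell you is whether a revoked token was ever used by someone other than its owner; that question, which Facebook said it could not yet answer, needs access logs keyed by token, not the store alone.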

Free Credit Freezes Are Here!


Security freezes, also known as credit freezes, restrict access to your credit file, making it harder for identity thieves to open new accounts in your name. Starting September 21, 2018, you can freeze and unfreeze your credit file for free. You also can get a free freeze for your children who are under 16. And if you are someone’s guardian, conservator or have a valid power of attorney, you can get a free freeze for that person, too.


How will these freezes work? Contact all three of the nationwide credit reporting agencies – Equifax, Experian, and TransUnion. If you request a freeze online or by phone, the agency must place the freeze within one business day. If you request a lift of the freeze, the agency must lift it within one hour. If you make your request by mail, the agency must place or lift the freeze within three business days after it gets your request. You also can lift the freeze temporarily without a fee.

Don’t confuse freezes with locks. They work in a similar way, but locks may have monthly fees. If you want a free freeze guaranteed by federal law, then opt for a freeze, not a lock.

Year-long fraud alerts

A fraud alert tells businesses that check your credit that they should check with you before opening a new account. Starting September 21, 2018, when you place a fraud alert, it will last one year, instead of 90 days. Fraud alerts will still be free and identity theft victims can still get an extended fraud alert for seven years.

How to freeze your accounts

To file a freeze, consumers must contact each of the three major credit bureaus online, by phone or by mail. Here’s the updated contact information for the big three:

Equifax
Online: Equifax Freeze Page
By phone: 800-685-1111
By mail: Equifax Security Freeze, P.O. Box 105788, Atlanta, Georgia 30348-5788

Experian
Online: Experian
By phone: 888-397-3742
By mail: Experian Security Freeze, P.O. Box 9554, Allen, TX 75013

TransUnion
Online: TransUnion
By phone: 888-909-8872
By mail: TransUnion LLC, P.O. Box 2000, Chester, PA 19016

Apple Releasing macOS Mojave on Sep 24. Here's What's New.

MacOS 10.14 Mojave has arrived, and it’s packed full of new goodies for Mac users to enjoy. The major update is named, as you might’ve guessed, after California’s Mojave Desert and promises to help Mac users stay organized and work more efficiently.

Mojave 10.14 is compatible with Mac systems from mid-2012 or later, as well as the 2010 and 2012 Mac Pro models that include the recommended Metal-capable graphics cards. If you're running one of those systems, our pick of the macOS Mojave tips should be a great help. Below are some of the best new features.


Dark Mode

MacOS Mojave has been equipped with a true dark mode. Where High Sierra lets you turn the menu bar and Dock dark, the new OS comes with the option of turning your entire desktop dark, including the wallpaper and apps like Mail, Messages, Maps, Photos, and Calendar. And it’s all done with a simple toggle.


Stacks

A cluttered desktop is a productivity killer, which is why "Stacks" may well be the handiest feature in the new macOS Mojave. You know how a hotel cleaning service has your room looking spotless every day no matter how messy you make it? That's what Stacks does for your Mac.

The feature takes the messy contents of your desktop and organizes them into tidy stacks (hence the name). Stacks can be organized by file type, date, tags, and more. Click a stack to see its contents, then double-click whatever you want to open.


Group FaceTime

Group FaceTime lets you chat to up to 32 people on one FaceTime call. I’m not sure how that would work without descending into total chaos but it’s a great option to have. Participants can be added to the conversation at any time and join in via their Mac, iPhone, iPad, or Apple Watch.

iOS apps on Mac

Before you get too excited, not all iOS apps are coming to Mac, and there are no plans to merge macOS with iOS. But the apps that are Mac-bound are useful. New macOS Mojave is getting News, Home, Stocks, and Voice Memos. These apps are some of the most popular on iOS and are very welcome additions to the Mac lineup.


Continuity Camera

A completely new macOS Mojave feature is Continuity Camera, which lets you take a photo on your iPhone or iPad and have it appear instantly on your Mac.

If you’re working on a document on your Mac and need to add a photo, Continuity Camera can automatically fire up the camera on your iOS device. Snap the photo and watch in awe as it magically appears in your doc.

This works in a variety of Mac apps such as Mail, Notes, Keynote, Pages, and Numbers and will save a lot of people a lot of time.

Redesigned Mac App Store

Apple has completely overhauled the Mac App Store for Mojave, introducing features you never knew you needed, like articles about popular apps and auto-playing app videos that give you all the information you need about an app before downloading. There are new tabs too: Discover, Create, Work, and Play — all introduced to help you find new apps and make the most of ones you’ve already installed.

Improved screenshots

macOS 10.14 has borrowed from iOS with the introduction of a new screenshot tool that includes immediate thumbnail previews for faster sharing and annotations. It's easier to record what’s on your screen too, thanks to a new screengrab menu that includes a countdown delay timer. Another nice touch is the ability to show or hide the cursor.

Improved security

MacOS has always been big on security, and Mojave is no different. With the release of the new OS come more frequent pop-ups to alert you to any apps that are trying to access your photos, microphone, or location.

Additionally, there's greater protection against social media “Like” and “Share” buttons and comment widgets that track you without permission. That's all thanks to Safari’s new Intelligent Tracking Prevention — a Mojave feature that also securely stores strong passwords when new online accounts are created and flags reused passwords, so they can be changed.