I got to be on Clockwise again with Jason Snell, Dan Moren and Mikah Sargent. At CES, we interview Jessica Lane as she tells us about PAI Technology's interactive clay toys for kids, and talk to CMRA about their camera band for the Apple Watch. I have a special Public Service Announcement urging everyone to nag companies if you see them doing things less securely than you would hope. It features my father-in-law, who is my hero at pushing companies. Bart Busschots joins us for another scary episode of Security Bits.
Hi, this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday, February 19, 2017 and this is show number 615.
Chit Chat Across the Pond
In Chit Chat Across the Pond, Bart continues his current dual path of teaching JavaScript while also learning more about HTML forms. This week, we learn how to compare JavaScript objects (spoiler: you can’t use == or === to do it). After that he teaches us how using WAI-ARIA as we develop our code will make it accessible to screen readers and other assistive devices. We don’t do any real coding in this section; instead he explains the foundation for what we’ll be doing in the future.
Clockwise
This week I got to be on the Clockwise Podcast again over at relay.fm/clockwise. They somehow managed to get me and Mikah Sargent on the show again together and it was awesome. We talked about wireless charging and whether we really think it’s a good idea, we talked about (and to) our virtual assistants, we shared bad Kickstarter projects and we talked about the hardest technical thing we’d done lately to stretch our brains. Can you tell which was my question? If you haven’t heard of Clockwise before, it’s a super crisp show. It’s always exactly 30 minutes, there are always four hosts and four topics, one chosen by each host. I love the show and I hope you’ll go check it out, especially episode #176 with Mikah and Allison.
Blog Posts
This next interview from CES is really near and dear to Steve’s and my hearts. The person you’re about to hear interviewed is Jessica Lane. She just happens to be the wife of a prominent NosillaCastaway, Shai Yammanee. Shai has been on the show several times, and a bunch of NosillaCastaways have recently been to see him performing in Mamma Mia. Jessica is delightful, and the products she’s going to tell you about are enchanting for children. After we got done with the interview, she pointed out that she has been to two CESs and Shai has been to a total of zero, so we have officially accepted her as an honorary NosillaCastaway. With that introduction complete, let’s let her tell us about PAI Technology.
CES 2017: PAI Technology
IPv6 Link Local Addresses – 64 or 48-bit MAC Addresses?
CES 2017: CMRA Band for Apple Watch
I’m not sure about this CMRA watch band. It was curious that they couldn’t demo it, and yet I see ads for it everywhere, as though it’s a real product that’s for sale. Louis V made a comment on the video that I think I agree with. He said, “I have to clear my browser cache in order to stop seeing their embedded ads everywhere. In some way, I think this is fake and it is just a viral campaign.” I’ll be watching closely to see if Louis is right!
Nag Companies About Their Security
Patreon and Amazon
As you’ve probably noticed, this podcast doesn’t have a preroll ad. It doesn’t have an interstitial ad. In fact, there’s not even an ad that plays after the music ends. This podcast is entirely supported by two things: the generous folks who have gone over to podfeet.com/patreon and pledged a weekly or monthly amount, and those who remember to start their Amazon purchases by clicking any of the Amazon links in the shownotes (or even the banner in the left sidebar). I really appreciate all of you who support the show in any way you can.
Security Bits
Security Medium – Vizio and their Spying TVs
The US Federal Trade Commission has announced that it has settled with Vizio for $2.2M for collecting viewing data from 11 million devices without the viewers’ knowledge or consent and then selling that data. Vizio measured the value of key pixels and compared that to a known database of content to determine what people were watching second-by-second, and then beamed all that data back to their servers. Once they had the data, they sold it to un-named third parties for audience measurement, analysis, and tracking.
The company went further than just tracking what people watched: they used IP data to associate information like age, sex, income, marital status, household size, education level, home ownership, and home value with the viewing habits. The company point out that they did not attach ‘personally identifiable information’ to the tracking.
The euphemism the company used to hide this creepy feature in the settings screen was “Smart Interactivity”, which the screen said “enables program offers and suggestions”. There was no mention in the settings screen of recording and reporting absolutely everything you ever watched.
The tracking started in February 2014, and not only on devices sold after that date: the tracking feature was retro-fitted to older Vizio TVs dating back as far as 2010. If you have a long memory you may remember that Vizio got in some hot water back in 2015 when it was found that they did not bother to properly check HTTPS certs, so they were not even securely transmitting the results of their secret data gathering.
As part of the settlement Vizio have agreed to delete all the data collected before the 1st of March 2016, and to change their settings screen so users can make informed decisions about the feature.
Bart’s Personal Take: I utterly detest companies that double-dip by selling you a product, and then selling you as a second product. It’s one thing to choose to exchange your privacy for a free product like Facebook or Gmail, but to pay to have your privacy stolen, that rankles something serious! Even here, when the company has theoretically been tackled on this by a supposed regulator, they are only being forced to pay a fine that amounts to a pathetic $0.20 per TV sold. The financial bottom line could not be clearer – if you spy on people and sell their data for a few years, you’ll make massive profits and only suffer a token slap on the wrist that doesn’t even begin to dent your bottom line. Does that seem like a viable deterrent? Not to me it doesn’t. This is also not an isolated incident. Other vendors of smart TVs have been caught spying on customers too, or failing utterly to secure their internet-connected junk. It pains me to say it, but if you connect your TV to the internet, the kindest thing I can think to say is that you are endearingly naive. Give me a dumb TV any day, and let me choose what smarts to give it by connecting a box to it from a vendor I trust not to sell my privacy up the creek.
Links:
- Coverage of the story from Ars Technica – arstechnica.com/…
- iMore’s coverage of the story – www.imore.com/…
- TMO’s scathing coverage of the story – www.macobserver.com/…
- The press release on the settlement from the US FTC – www.ftc.gov/…
- How to Stop Your New TV From Spying On You – www.macobserver.com/…
- How to Turn Off Smart TV Snooping Features – www.consumerreports.org/…
Followup
- Last time we covered a story that a new open source tool for testing printer security found that the state of printer security today is very poor indeed. As if to prove the point, grey-hat hackers hacked 150,000 printers around the world and made them print out a message to say they were hacked. The printers included models by major manufacturers including HP, Brother, Dell, Canon, Samsung, Epson, Lexmark, Oki and Ricoh (Editorial by Bart: if your printers are accessible from the internet, you’re doing it wrong!) – nakedsecurity.sophos.com/…
Important Security Updates
- Apple has patched an arbitrary code execution bug in GarageBand – make sure you are on version 10.1.6 – support.apple.com/…
- Adobe have released security updates for Flash, Digital Editions, and Campaign – www.us-cert.gov/…
Important Security News
- Google is warning developers that it will be purging the PlayStore of apps that don’t have a privacy policy – nakedsecurity.sophos.com/…
- Security researchers have found 76 popular iOS apps that use TLS but don’t check the certificates they receive. This makes their use of TLS completely useless: anyone on the network path can present their own certificate and read the traffic. Their names are not being released yet, to give the app developers time to fix their apps – arstechnica.com/…
- Security researchers have found that iCloud is saving cleared browser histories for longer than seems reasonable. Because syncing is hard, it’s reasonable to keep cleared data for a while, so you know what to clear from other devices as they come online, but it seems the data is not getting deleted from iCloud at all. Thankfully, this data is not leaking to anyone; it can only be accessed with the user’s username and password – www.macobserver.com/… & www.theverge.com/…
- The US House of Representatives has passed the Email Privacy Bill – legislation designed to plug a loophole accidentally left behind in the 1980s when no one really understood how important email would become. Without this bill, email left on a server for more than 180 days does not need a court-approved order to be searched. Unfortunately, expectations are that the bill will have a hard time in the Senate, and even if it were to pass there, it seems in danger of getting vetoed by President Trump (Editorial by Bart: if you live in the US, and care about privacy, this would be a great time to let your Senator and your President know that you want this bill to become law) – krebsonsecurity.com/…
- Despite the precedent set in the Microsoft case just weeks ago, a US Magistrate has ordered Google to turn over emails to the FBI, regardless of where in the world they are stored. The big difference between Google and Microsoft is that Google do not promise to keep your data in any one jurisdiction; instead, they warn you that it will get shipped all over the world as and when it suits Google – nakedsecurity.sophos.com/…
- Security Researchers demonstrate new techniques for tracking users across multiple browsers on the same computer, by focusing on hardware and OS-level features that are invariant across browsers – this development has obvious privacy implications – simply using multiple browsers no longer provides any privacy protection (Editorial by Bart: while the article doesn’t explicitly say so, it seems clear to me this also affects private browsing modes, which is effectively using a separate browser on the same hardware) – arstechnica.com/…
- New research has found a fundamental flaw in how CPUs are designed that effectively ends Address Space Layout Randomisation (ASLR) as an effective defence against exploitation. The problem is that caching and effective ASLR are mutually exclusive, and our modern CPUs are heavily dependent on caching. The researchers recommend “ASLR to no longer be trusted as a first line of defense against memory error attacks and for future defenses not to rely on it as a pivotal building block”. ASLR is supposed to make it harder to turn a vulnerability like a stack overflow into arbitrary code execution; unfortunately, the researchers demonstrate how they can use JavaScript to bypass ASLR and much more easily turn a browser bug into a remote code execution vulnerability – arstechnica.com/…
- PSA – if you have a WordPress site, update it! Attacks on out-dated WordPress sites are growing at a massive rate, with over 2 million pages defaced already – arstechnica.com/…
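The failure behind the iOS apps item above (and behind Vizio’s 2015 certificate problem in the Security Medium), as an added example that is not from the show or from any of the apps or vendors mentioned: a Go client configured the way those apps were accepts a certificate no CA has vouched for, while a client that verifies refuses it. The certificate, the "localhost" name and the loopback server are constructed for the demo, and the empty trust store stands in for system roots.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// SelfSignedCert builds a throwaway "localhost" certificate no CA vouches for, as an on-path attacker might present.
func SelfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail for P-256 with rand.Reader
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Weak mirrors the flawed apps: TLS is negotiated, but whoever answers is trusted.
func Weak() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// Strict verifies against a trust store; the empty pool stands in for system roots, none of which signed the demo cert.
func Strict() *tls.Config { return &tls.Config{ServerName: "localhost", RootCAs: x509.NewCertPool()} }

// Handshake runs one TLS handshake against a loopback server presenting cert; nil means the client trusted it.
func Handshake(cert tls.Certificate, client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: present the certificate once; the verdict is the client's
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err == nil {
		c.Close()
	}
	return err
}
```

Both clients negotiate encryption; only the verifying one notices that the encrypted channel ends at an unknown party, which is the whole point of the certificate.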
Notable Breaches
- Yahoo has started informing some users that it believes forged cookies were used to access their accounts without their passwords in 2015 and 2016, probably by state actors – arstechnica.com/…
- InterContinental Confirms Breach at 12 Hotels – krebsonsecurity.com/…
- Fast Food Chain Arby’s Acknowledges Breach – krebsonsecurity.com/…
Suggested Reading
- Beware the latest tax-season spear-phishing scam – nakedsecurity.sophos.com/…
- Keeping your data safe when crossing borders – www.imore.com/…
- Fake news: what can we all do to play our part in combating it? – nakedsecurity.sophos.com/… – “If a story appeals to your feelings, be they anger or rejection, and not your thoughts, then you have to check it”
- Ticketbleed – an HTTPS vulnerability in expensive enterprise load balancers and firewalls from F5 leaves almost 1,000 major sites vulnerable – arstechnica.com/…
- AKBuilder is the latest exploit kit to target Word documents, spread malware – nakedsecurity.sophos.com/…
- Twitter says it’s cracking down on abuse (again) – www.usatoday.com/…
- A rash of invisible, fileless malware is infecting banks around the globe
- PayPal, this is the wrong way to do password security – www.imore.com/…
- Amnesty International uncovers phishing campaign against human rights activists – arstechnica.com/…
- Fancy Bear: who’s behind the group implicated in so many political hacks? – nakedsecurity.sophos.com/…
- Enhanced Analysis of GRIZZLY STEPPE – www.us-cert.gov/…
- Russians Who Hacked DNC Now Targeting Macs – www.macobserver.com/… & New Mac malware pinned on same Russian group blamed for election hacks – arstechnica.com/…
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show like Russ did tonight for the first time, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.