Security Bits – Child Smart Watches, IRS Not Worried about Equifax, Microsoft Office DDE, Eltima Hacked

Notable News

• A report from the Norwegian Consumer Council finds that smart watches aimed at kids are a security and privacy train wreck — nakedsecurity.sophos.com/…
• The head of the IRS in the US tells reporters Americans should assume their identity has been stolen and act accordingly — nakedsecurity.sophos.com/…
• IRS freezes its fraud prevention contract with Equifax — engadget.com/…
• Security researchers warn of a new way to abuse the DDE (Dynamic Data Exchange) Microsoft Office feature to get macro-less remote code execution. TL;DR – don’t click on links in emails and be suspicious of office documents you didn’t expect to receive:
  • MS Office Built-in Feature Allows Malware Execution Without Macros Enabled — thehackernews.com/…
  • Office DDE attack works in Outlook too – here’s what to do — nakedsecurity.sophos.com/…
  • Just say “No!” – how to stop the DDE email attack — nakedsecurity.sophos.com/…
• The download server for another Mac software developer, Eltima, have been hacked, and malware was injected into the non-App-Store versions of Elmedia Player (a media player) & Folx (a download manager) — www.intego.com/…

Suggested Reading

• PSAs, Tips & Advice
  • How to manage privacy and security settings in Safari on iPhone and iPad — www.imore.com/…
  • How to customize security on iPhone and iPad — www.imore.com/…
  • How to restrict content by age ratings, block websites, and hide explicit language with restrictions for iPhone or iPad — www.imore.com/…
• Notable Breaches & Privacy Violations
  • Dell Lost Control of Key Customer Support Domain for a Month in 2017 — krebsonsecurity.com/…
• News
  • Reaper: Calm Before the IoT Security Storm? — krebsonsecurity.com/…
  • US-CERT: hackers are targeting our critical infrastructure — nakedsecurity.sophos.com/…
  • Google wants you to hack Play Store apps, and it’s paying — nakedsecurity.sophos.com/…
  • Bad Rabbit ransomware outbreak — nakedsecurity.sophos.com/…
• Opinion & Analysis
  • What You Need to Know about the iOS Camera Access Privacy Loophole — www.macobserver.com/… (Editorial: I don’t get why this is news – granting access to the camera grants access to the camera, is that not how it’s supposed to work? I guess an indicator in the menubar next to the clock would do no harm, but ultimately, you should never grant access to an app you don’t trust!)
  • No, Apple’s Machine Learning Engine can’t surface your iPhone’s secrets — www.imore.com/…
  • The FaceID ‘controversy’ (Editorial: I don’t see any ‘there’ in this story – IMO the John Gruber’s analysis on his Daring Fireball blog is spot-on):
    • Face ID FUD — daringfireball.net/…
    • Apple denies it reduced accuracy of Face ID to aid iPhone X production — appleinsider.com/…
    • Apple: Bloomberg’s Face ID claim is completely false — www.imore.com/…
  • The Facebook Security Chief’s ‘College Campus’ comment ‘controversy’ (Editorial: I don’t see what all the fuss is about — I think that in context, his comments were insightful and confidence-inspiring)
    • Leaked: Facebook security boss says its corporate network is run “like a college campus” — www.zdnet.com/…
    • Facebook security chief stands by “college campus” comments — nakedsecurity.sophos.com/…
• Propellor Beanie Teritory
  • Android takes aim at ISP surveillance with DNS privacy — nakedsecurity.sophos.com/…
  • Your DNS settings may be giving up your privacy — www.imore.com/…
  • Stealing sensitive browser data with the W3C Ambient Light Sensor API — blog.lukaszolejnik.com/…