Followup — Spectre & Meltdown News
- Intel asks customers to halt patching for chip bug, citing flaw — www.reuters.com/…
- New Windows patch disables Intel’s bad Spectre microcode fix — arstechnica.com/…
- macOS Sierra, OS X El Capitan Updates Patch Meltdown Flaw — www.intego.com/…
- Apple offers another Meltdown fix for Mac users… — nakedsecurity.sophos.com/…
Security Medium — Strava Heatmaps have Unintended Consequences
The popular exercise tracking app Strava regularly produces a really cool heatmap that shows where most people run, cycle, swim etc. The data is anonymised, so it all seems like some innocent fun. The latest version of the heatmap was published back in November, and no one thought it was a problem.
That all changed this week when an Australian security researcher noticed that there are some places where anonymisation doesn’t work like you might expect because of strong selection effects.
The most dangerous of these effects is tracks in areas where the majority of users are US military personnel. In NYC you can’t tell which of the millions of tracks is by soldiers, but in rural Afghanistan, you effectively can, because the locals are not big Strava users, so just about every track is US military personnel! Just imagine how useful that heatmap is to terrorists planning attacks!
Sharing of anonymised data is the default in Strava, but it’s not required to use the app. There is a private mode, and private data is not included in the heatmaps. Having said that, Strava have promised to simplify their privacy settings so users can more easily understand what they are and are not sharing.
IMO there are two lessons to be taken from all this:
- Vulnerable users in dangerous places need to use the privacy features provided, and the organisations that put them in harm’s way need to help them understand the risks and the actions they need to take to mitigate them.
- Companies releasing data need to be more aware of selection effects which can make seemingly anonymous data anything but. That means being more selective about what gets released — parts of a dataset that are very sparse should be redacted. If Strava had only published heatmaps in countries with a lot of Strava users this would have been much less of a problem.
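The second lesson is the one a data-release pipeline can enforce mechanically. The following Python script is an added example, not Strava’s code or anything from the linked articles: it buckets constructed GPS samples into grid cells and only publishes a cell once at least K distinct users have contributed to it, so a remote site where two people are the only users is blanked rather than drawn. The sample points, the cell size and the threshold K are all assumptions chosen for illustration.

```python
"""Sparse-cell suppression for an aggregate activity heatmap (added example).

Each raw sample is (user_id, lat, lon). Samples are bucketed into grid
cells; a cell is only published if at least K distinct users contributed
to it. Counting distinct users rather than raw samples matters: one user
looping the same track twenty times looks "busy" by sample count alone.
"""
import math

# Constructed sample data (not real tracks): a busy city block with 60
# users, and a remote site where only two users trace the same loop.
SAMPLE_POINTS = [
    # dense area: 60 distinct users spread over a few hundred metres
    *[(f"city{u}", 40.7150 + (u % 10) * 0.0002, -74.0050 + (u // 10) * 0.0002)
      for u in range(60)],
    # sparse area: 2 users, 20 samples each, on near-identical loops
    *[("remote1", 34.5050 + i * 0.0001, 69.2050) for i in range(20)],
    *[("remote2", 34.5050 + i * 0.0001, 69.2051) for i in range(20)],
]


def cell_of(lat, lon, cell_deg=0.01):
    """Map a coordinate to a grid cell cell_deg degrees on each side."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def aggregate(points, cell_deg=0.01):
    """Return {cell: (sample_count, set_of_user_ids)} over all raw points."""
    cells = {}
    for user, lat, lon in points:
        c = cell_of(lat, lon, cell_deg)
        count, users = cells.get(c, (0, set()))
        users.add(user)
        cells[c] = (count + 1, users)
    return cells


def publish(points, k=10, cell_deg=0.01):
    """Build the releasable heatmap.

    Returns (released, suppressed): released maps each cell that met the
    K-distinct-users threshold to its sample count (the heatmap intensity);
    suppressed lists the cells that were redacted because too few people
    contributed to them.
    """
    released = {}
    suppressed = []
    for c, (count, users) in aggregate(points, cell_deg).items():
        if len(users) >= k:
            released[c] = count
        else:
            suppressed.append(c)
    return released, sorted(suppressed)


if __name__ == "__main__":
    released, suppressed = publish(SAMPLE_POINTS)
    for c, intensity in sorted(released.items()):
        print(f"published cell {c}: {intensity} samples")
    for c in suppressed:
        count, users = aggregate(SAMPLE_POINTS)[c]
        print(f"redacted  cell {c}: {count} samples from only {len(users)} user(s)")
```

Note that the remote cell has 40 samples, more than half the city block’s 60, so a threshold on sample volume alone would have published it; the threshold has to be on how many different people the cell represents.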
Links
- The heatmap at the heart of all this — labs.strava.com/…
- Fitness app Strava exposes the location of military bases — social.techcrunch.com/…
- Secret military bases revealed by fitness app Strava — nakedsecurity.sophos.com/…
- Strava says it will simplify privacy settings and review app features after exposing military bases — techcrunch.com/…
- Strava Was Just The Beginning: Even Seemingly Innocent Data Can Be Weaponized — www.forbes.com/…
Notable Security Updates
- Apple released security updates for macOS (El Capitan, Sierra & High Sierra), iOS, watchOS, tvOS & Safari — www.us-cert.gov/…
- As mentioned above, this includes Meltdown patches for El Capitan & Sierra, and further mitigations for High Sierra
- The updates include fixes for the ChaiOS iMessage flaw we mentioned last time — www.macobserver.com/…
Notable News
- Adobe warn of a Flash zero-day that is being actively exploited in the wild. They promise a patch next week. The vector for the exploit is Flash embedded in MS Office documents, so until the patch is out, be very wary of opening Office documents from untrusted sources — krebsonsecurity.com/…
- Security researchers find Tinder’s apps don’t properly encrypt traffic, allowing attackers on the same ethernet network to determine which way you swiped on who — nakedsecurity.sophos.com/…
- In preparation for the GDPR (strong new EU data protection rules that come into effect on May 1st this year) Facebook will roll out a new and improved privacy control centre tool to their users globally — nakedsecurity.sophos.com/…
- Reddit introduces 2FA — nakedsecurity.sophos.com/…
- Apple to add a privacy icon to iOS to counter iCloud phishing attacks — www.macobserver.com/…
- Ransomware makes it into the Oxford English Dictionary — nakedsecurity.sophos.com/…
Suggested Reading
- PSAs, Tips & Advice
  - How to Encrypt Email with Any Email Provider — www.intego.com/…
  - How to add emergency contacts to your iPhone or Apple Watch — www.imore.com/…
  - What you need to know about Health Records in iOS 11.3 — www.imore.com/…
  - 🇺🇸 File Your Taxes Before Scammers Do It For You — krebsonsecurity.com/…
  - How to Take Control of Your Facebook Privacy Settings — www.macobserver.com/…
  - How to Secure Your Twitter Privacy Settings — www.macobserver.com/…
  - How to Secure Your Instagram Privacy Settings — www.macobserver.com/…
  - How to Check if iPhone is New, Refurbished, or Replacement | OSXDaily — osxdaily.com/…
- Notable Breaches & Privacy Violations
- News
  - Twitter will email 677,775 users who engaged with Russian election trolls — nakedsecurity.sophos.com/…
  - 🇬🇧 Serious ‘category one’ cyberattack not far off – warns security chief — nakedsecurity.sophos.com/…
  - 🇺🇸 Babies’ data being sold to tax fraudsters on the dark web — nakedsecurity.sophos.com/…
  - 🇺🇸 Secret Service warning: Jackpotting ATM attacks reach the US — nakedsecurity.sophos.com/…
  - Bitcoin payments used to unmask dark web users — nakedsecurity.sophos.com/…
  - Over 700,000 bad apps removed from Google Play store in 2017 — nakedsecurity.sophos.com/…
- Opinion & Analysis
  - A Look Back at the Top Mac Security Stories of 2017 — www.intego.com/…
  - ZDNet made waves by describing Uber’s human-friendly approach to 2FA as ‘useless’, but as this article explains, that’s a totally unfair criticism; they’ve actually implemented 2FA in a very sensible way — nakedsecurity.sophos.com/…
  - Ban Facebook Messenger for Kids, urge children’s health advocates — nakedsecurity.sophos.com/…
  - How a teen used social engineering to take on the FBI and CIA — nakedsecurity.sophos.com/…
  - AI fake porn could cast any of us — nakedsecurity.sophos.com/…
- Propeller Beanie Territory
Palate Cleansers
- The RFID blocker I mentioned recently — www.amazon.co.uk/…
- LuLu – an interesting free and open source firewall for the Mac that’s currently in alpha — objective-see.com/…
- Burger King explain net neutrality with Whoppers — www.youtube.com/…