DNS Correction
On Chit Chat #533, Bart did a deep dive into how the Domain Name System works, and in that session he suggested a hybrid approach: configure the improved (third-party) DNS on your home router, and also hard-code it on your mobile devices so they keep using it when they leave your network.
It turns out that neither iOS nor Android offers a system-wide DNS setting. Both platforms let you set DNS servers for an individual Wi-Fi network, but that setting applies only to that one network, and nothing covers the cellular connection. The hybrid approach remains the best advice where it can be applied (a third-party DNS on your home router still protects everything on your home network, phones included while they are at home), but the hard-coding half simply can't be done on iOS or Android. Annoyingly, that means there is no good solution to protect these devices once they leave your network. Thanks very much to Allister Jenks for drawing our attention to this in our Google Plus Community.
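Whichever way a DNS server got configured (handed out by the router over DHCP, or set by hand on a device), the check a practitioner wants is whether queries really go where you think they do. The script below is an added example written for these notes; it is not from the show, from Allister, or from any tool mentioned on this page. It builds a raw DNS query, sends it to a resolver you name, and parses the reply, rejecting any answer whose transaction ID doesn't match the question. The router address 192.168.1.1 and the public resolver 9.9.9.9 in the usage at the bottom are assumptions, and whoami.akamai.net is a third-party service (assumed still available) whose A record reports the public address of the recursive resolver that actually reached Akamai, which is what tells you whose resolver your queries are leaving through.

```python
"""Minimal DNS-over-UDP client for checking which resolver really answers.

Added example for these show notes (not from the show or any tool named on
the page): build a query, send it to a chosen resolver, parse the reply.
The parser is strict about the transaction ID so a reply that does not
belong to our question is rejected rather than trusted.
"""
import secrets
import socket
import struct

QTYPE_A, QTYPE_TXT = 1, 16


def build_query(name, txid, qtype=QTYPE_A):
    """Return the wire form of a standard recursive query for `name`."""
    # Header: ID, flags (only RD=1 set), QDCOUNT=1, AN/NS/ARCOUNT=0.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg, expected_txid):
    """Return a list of (name, type, ttl, value) answers, or raise ValueError."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch; reply is not for our query")
    if flags & 0x8000 == 0:
        raise ValueError("QR bit clear; this is a query, not a response")
    rcode = flags & 0x000F
    if rcode:
        raise ValueError("server returned RCODE %d" % rcode)
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, "A", ttl, socket.inet_ntoa(rdata)))
        elif rtype == QTYPE_TXT:
            # TXT RDATA is a sequence of <length><characters> strings.
            parts, i = [], 0
            while i < rdlen:
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            answers.append((name, "TXT", ttl, "".join(parts)))
        else:
            answers.append((name, str(rtype), ttl, rdata.hex()))
    return answers


def resolve(name, server, qtype=QTYPE_A, timeout=3.0):
    """Send one query to `server` (IPv4 string) on UDP/53 and parse the reply."""
    txid = secrets.randbelow(0x10000)  # unpredictable ID makes blind spoofing harder
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid, qtype), (server, 53))
        data, _peer = sock.recvfrom(4096)
    return parse_response(data, txid)


if __name__ == "__main__":
    # Assumed addresses: the home router at 192.168.1.1 and Quad9 at 9.9.9.9.
    # whoami.akamai.net (third-party service, assumed available) answers with
    # the public address of the recursive resolver that reached Akamai.
    for server in ("192.168.1.1", "9.9.9.9"):
        try:
            print(server, "->", resolve("whoami.akamai.net", server))
        except (OSError, ValueError) as exc:
            print(server, "-> error:", exc)
```

Run it from a laptop on the same Wi-Fi as your phones: the address that comes back through the router tells you which resolver's network your home traffic leaves through (your ISP's, or the third party you configured). If the router and the public resolver return exactly the same address no matter which server you address, something on the path is intercepting port 53, which is itself worth knowing.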
Followups
- The Facebook/Cambridge Analytica Kerfuffle:
- Far more than 87m Facebook users had data compromised, MPs told — www.theguardian.com/…
- Facebook’s Product Management Director David Baser explains why Facebook track non-users — nakedsecurity.sophos.com/…
- Facebook to put 1.5 billion users out of reach of new EU privacy law — www.reuters.com/…
- Twitter sold user data to Cambridge Analytica’s Aleksandr Kogan — nakedsecurity.sophos.com/…
- Facebook announces a new Clear History button — nakedsecurity.sophos.com/…
- Related: The Father of the Web is Backing a Private Social Network — www.macobserver.com/… & Review: MeWe is a Private Social Network Taking on Facebook — www.macobserver.com/…
- Related: WhatsApp founder plans to leave after broad clashes with parent Facebook — www.washingtonpost.com/…
- Opinion: Ignore Mark Zuckerberg – His promise that new EU data privacy guidelines will be “rolled out” to American users is misleading — slate.com/…
- Opinion: Facebook, This Is Not What “Complete User Control” Looks Like | Electronic Frontier Foundation — www.eff.org/…
- Opinion: A flaw-by-flaw guide to Facebook’s new GDPR privacy changes — social.techcrunch.com/…
- Data Analytics firm SCL Group and its affiliate Cambridge Analytica have shut down.
However, the chairman and chief data officer have set up another company called Emerdata, with former Cambridge Analytica CEO Alexander Nix as a director. Emerdata’s address is the same as SCL Group’s. arstechnica.com/…
- GDPR
- Instagram rolls out user data export feature — nakedsecurity.sophos.com/…
- Apple rolls out a new user data export feature for European users (for now; coming world-wide soon) — www.macobserver.com/…
- Twitter has rolled out updated terms to come into compliance with the GDPR — help.twitter.com/…
Notable Security Updates
- Apple releases a number of security updates
- macOS 10.13.4 & macOS Security Update 2018-001 (includes a fix for the APFS encryption password leak we mentioned recently) — www.macobserver.com/… & nakedsecurity.sophos.com/…
- iOS 11.3.1 (fixes the QR code URL parsing bug mentioned in a previous Security Bits) — www.macobserver.com/… & www.intego.com/…
- Safari 11.1 — support.apple.com/…
- Drupal have patched another ‘highly critical’ vulnerability that is being actively exploited — www.drupal.org/…
Notable News
- Poor configuration leaves controversial Grayshift iOS cracking boxes exposed to the internet. It seems it’s easy for the police departments who buy these boxes to accidentally leave them in an insecure state. Separately, someone tried to extort the makers of the boxes with a threat to release the source code. (Editorial by Bart: this proves yet again that you can’t keep a back door secret so that only the good guys can use it) — www.macobserver.com/…, www.macobserver.com/… & motherboard.vice.com/…
- Security researchers have found a new way to abuse UPnP (Universal Plug and Play): routers that expose UPnP on the WAN side can be subverted into acting as proxies for malicious traffic. The bug has been given the name UPnProxy (Editorial by Bart: now would be a great time to check whether UPnP is disabled on your router) — searchsecurity.techtarget.com/…. To test your router, run Steve Gibson’s Shields Up and look for the UPnP test: grc.com/…
- Security researchers warn of the dangers of iOS trustjacking. Bottom line: never tap “Trust” on a computer you don’t actually trust, because with Wi-Fi sync enabled it could remotely trigger a backup of all your personal data at any future time! — www.intego.com/…
- Tracking protection in Firefox for iOS now on by default – why this matters — nakedsecurity.sophos.com/…
- Keep an eye out for firmware patches for your Intel CPUs. Intel have patched a firmware bug that could allow locally running malware to alter your firmware and cripple your computer in a kind of suicidal denial of service (DoS) attack — nakedsecurity.sophos.com/…
- The Russian government has obtained a court order requiring Telegram be blocked within the country — www.reuters.com/…
- Apple and Microsoft in Talks with UAE to End Ban on FaceTime and Skype — www.macobserver.com/…
- Welsh police manage to identify a drug dealer from his fingerprints in a WhatsApp photo — www.macobserver.com/… & nakedsecurity.sophos.com/…
- Security researchers discover Mettle, a Mac version of the popular hacking tool Meterpreter (Editorial by Bart: this is no cause for panic, but it’s yet more evidence that cyber criminals are turning their attention towards the Mac) — www.intego.com/…
- A report by the International Computer Science Institute into Android apps published to the Play Store under Google’s Designed for Families (DFF) program finds serious problems, including that 40% of the tested apps did not properly secure communications between the apps and their back-end servers, and that 57% of the apps were in breach of the US COPPA law — nakedsecurity.sophos.com/…
- DNA from a genealogy database leads to the arrest of a suspected serial killer (Editorial by Bart: this story is interesting because of the ethical questions it raises: if I choose to give away my DNA, I’m also effectively giving away most of the DNA of my close relatives, so should I need their consent for that?) — nakedsecurity.sophos.com/…
- Google have announced that they will be improving their OAuth-based Single Sign On (SSO) offering to make it more secure, and to make phishing attacks like the infamous one against Google Docs users last year impossible in future — nakedsecurity.sophos.com/…
- Research by security journalist Brian Krebs shows that employees in many companies are inadvertently publishing passwords through services like Trello, and that they can be systematically searched for with Google. Beware what you and your employees share! — krebsonsecurity.com/…
- The Reform Government Surveillance coalition (which includes tech giants like Apple, Google, Microsoft, Dropbox, Snap, Evernote, LinkedIn, & Facebook) have released a statement condemning moves towards compulsory backdoors and governments hacking back — www.macrumors.com/… & nakedsecurity.sophos.com/…
- 465K patients need a firmware update for their Abbott (formerly St Jude Medical) pacemaker. Without the update they’re at risk of cyber security attack and sudden battery depletion — nakedsecurity.sophos.com/…
Suggested Reading
- PSAs, Tips & Advice
- Here’s What You Can Do When You See Suicide Threats on Social Networks — www.macobserver.com/…
- 5 Private Chat Apps and How They Compare With Each Other — www.macobserver.com/…
- Stolen iPhone Guide: What You Can Do if Your iPhone is Stolen — www.macobserver.com/…
- Gmail users, here’s how (and why) you should set up prompt-based 2FA — nakedsecurity.sophos.com/…
- Be on the lookout for this WhatsApp scam — imore.com/…
- How to edit your Mac’s Hosts file and why you would want to — www.imore.com/…
- Notable Breaches & Privacy Violations
- More fallout from the Yahoo Mega-breach:
- Twitter are asking all users to reset their passwords after they accidentally wrote them to an internal log in plain text — nakedsecurity.sophos.com/… & krebsonsecurity.com/…
- Ride-hailing service Careem lost 14 million users’ data in January — nakedsecurity.sophos.com/…
- US medical transcription firm MEDantex leaked patient records from thousands of US doctors — krebsonsecurity.com/…
- LinkedIn patches serious leak in its AutoFill plugin — nakedsecurity.sophos.com/…
- News
- Microsoft have released a Windows Defender Browser Protection Chrome extension — arstechnica.com/… & nakedsecurity.sophos.com/…
- Volkswagen and Audi car infotainment systems hacked remotely — nakedsecurity.sophos.com/…
- Medical devices vulnerable to KRACK Wi-Fi attacks — nakedsecurity.sophos.com/…
- Infamous revenge porn site Anon-IB seized by police — nakedsecurity.sophos.com/…
- US and UK government agencies have issued a joint warning about worrying Russian cyber activity — www.us-cert.gov/… & www.macobserver.com/…
- Opera are shutting down their in-browser VPN service — www.macobserver.com/…
- Law enforcement agencies from around the world cooperated to take down the world’s largest DDoS-for-hire service, Webstresser — krebsonsecurity.com/… & nakedsecurity.sophos.com/…
- How porn bots abuse government websites — nakedsecurity.sophos.com/…
- A new grey-hat security firm is offering millions for bugs that it then sells for profit, much more than vendors are offering as part of their official bug bounty programs — www.macobserver.com/…
- Google Maps open redirect flaw abused by scammers — nakedsecurity.sophos.com/…
- Opinion & Analysis
- Propeller Beanie Territory
- Breakthrough pushes Quantum Key Distribution beyond 500km — nakedsecurity.sophos.com/…
- Introducing Asylo: an open-source framework for confidential computing — cloudplatform.googleblog.com/…
- Intel, Microsoft to use GPU to scan memory for malware — arstechnica.com/…
- Google and Amazon put an end to censorship-dodging domain fronting — nakedsecurity.sophos.com/…
- New OSX/Shlayer Malware Variant Found Using a Dirty New Trick — www.intego.com/…