Security Bits – 1 Nov 2019

Notable Security Updates

• Apple updates just about everything:
  • Everything you need to know about iOS and iPadOS 13.2 — arstechnica.com/…
    • Some users experiencing bricked HomePod after updating to iOS 13.2 [Update: pulled] — 9to5mac.com/…
    • Related: Apple resumes human reviews of Siri audio with iPhone update — apnews.com/…
    • Related: iOS 13.2: How to Turn off Siri Grading so Audio Snippets Won’t be Shared — www.macobserver.com/…
  • Apple releases macOS Catalina 10.15.1 and watchOS 6.1 — arstechnica.com
  • Apple Releases macOS 10.15.1 Catalina, watchOS 6.1, and tvOS 13.2 — tidbits.com/…
  • Security Update 2019-001 (Mojave) and 2019-006 (High Sierra) — tidbits.com/…
  • Safari 13.0.3 — tidbits.com/…
  • Got an early iPhone or iPad? Update now or turn it into a paperweight — nakedsecurity.sophos.com/…
• PHP team fixes nasty site-owning remote execution bug — nakedsecurity.sophos.com/…
  

Notable News

• WhatsApp have filed suit against grey-hat security firm NSO group for selling a hacking tool that was briefly able to exploit a bug in WhatsApp to install spyware on victim devices. The hacking tools were used against military and government officials from US allies — nakedsecurity.sophos.com/… & www.macobserver.com/…
• Apple have removed at least 17 apps that contained ad-clicking malware from the iOS app store. ad-clickers don’t attack the device they’re installed on, but instead defraud ad networks by automatically loading web pages and clicking on ads. While malware of this kind doesn’t attack the users who install it, it does affect them by draining their battery — www.imore.com/…
• Twitter will stop selling political ads — www.nbcnews.com/…
  • Related: Facebook Employees Write to Mark Zuckerberg Over Political Ads — www.macobserver.com/…
  • Related: 🇪🇺 EU Tells Facebook, Google, Twitter to do More to Fight Fake News — www.macobserver.com/…
  • Related: 🇬🇧 UK Lawmaker Demands Answers From Facebook on Political Ads and Messaging Encryption — www.macobserver.com/…
  • Related: Facebook pulls fake news networks linked to Russia and Iran — nakedsecurity.sophos.com/…
  • Related Opinion/Analysis Piece: How Facebook Can Use International Law in Content Moderation — www.lawfareblog.com/…
• As well as fixing security vulnerabilities, FireFox 70 has improved privacy protections and added a nice new UI for showing how often you are tracked online — www.imore.com/…, nakedsecurity.sophos.com/… & tidbits.com/…

Suggested Reading

• PSAs, Tips & Advice
  • ⭐️ How macOS Catalina’s New Security Features Work — www.howtogeek.com/… & What are all those macOS Catalina security alerts? — www.intego.com/…
  • ⭐️ Storing your stuff securely in the cloud — nakedsecurity.sophos.com/…
• Notable Breaches & Privacy Violations
  • ⭐️ Adobe have leaked personal information on 7.5m Creative Cloud users. The data did not include passwords in any form, nor any payment information, but it did contain email addresses & subscription details, making it extremely useful for creating convincing phishing attacks — www.imore.com/… & nakedsecurity.sophos.com/…
  • ⭐️ Breaches at NetworkSolutions, Register.com, and Web.com — krebsonsecurity.com/…
  • Trend Micro tools tossed from Apple’s Mac App Store after spewing fans’ browser histories — www.theregister.co.uk/…
  • Popular VPN provider NordVPN suffered a breach — www.macobserver.com/… & nakedsecurity.sophos.com/…
  • NordVPN users’ passwords exposed in mass credential-stuffing attacks — arstechnica.com/…
  • Travel database exposed PII on US government employees — nakedsecurity.sophos.com/…
• Notable IoT Vulnerabilities
  • ⭐️ Alexa and Google Home phishing apps demonstrated by researchers — nakedsecurity.sophos.com/…
  • ⭐️ Vatican launches smart rosary – complete with brute-force flaw — nakedsecurity.sophos.com/…
• News
  • ⭐️ New BBC ‘dark web’ Tor mirror site aims to beat censorship — nakedsecurity.sophos.com/…
  • ⭐️ 🇺🇸 Uber sues LA in bid to protect scooter riders’ geolocation data — nakedsecurity.sophos.com/…
  • Facebook News:
    • ⭐️ New Facebook AI fools facial recognition — nakedsecurity.sophos.com/…
    • ⭐️ Instagram Strengthens Rules on Self-Harm and Suicide Content — www.macobserver.com/…
    • 🇬🇧 Facebook agrees to pay Cambridge Analytica fine to UK — www.bbc.co.uk/…
    • 🇺🇸 Libra’s woes continue as Zuckerberg testifies before the House Financial Services Committee — pxlnv.com/…
  • 🇦🇺 Home Affairs pushes its face-matching service for porn age verification — www.zdnet.com/…
  • 🇺🇸 ACLU Sues FBI Over Facial Recognition — www.macobserver.com/…
  • 🇺🇸 TikTok says no, senators, we’re not under China’s thumb — nakedsecurity.sophos.com/…
• Opinion & Analysis
  • ⭐️ Under digital surveillance: how American schools spy on millions of kids | World news — www.theguardian.com/…
  • ⭐️ DOJ’s Latest Child Porn Site Takedown Shows Encryption Isn’t Really Stopping The Feds From Fighting Child Porn — www.techdirt.com/…
  • ⭐️ FBI general counsel who fought Apple over encryption has had a rethink — www.imore.com/…
  • 🇺🇸 The four main US carriers have agreed to move forward with RCS as a more modern cross-platform and cross-carrier replacement for SMS, but it does not look like it will bring the privacy and security improvements some had hoped:
    • New Messaging Standard RCS Won’t Have Encryption — www.macobserver.com/…
    • AT&T, Verizon, Sprint, and T-Mobile have finally agreed to replace SMS with a new RCS standard — www.theverge.com/…
  • Linux maintainer: Patching side-channel flaws is killing performance — nakedsecurity.sophos.com/…
• Propellor Beanie Territory
  • Vulnerability in content distribution networks found by researchers — nakedsecurity.sophos.com/…

Palate Cleansers

• 🎦 A great video from CGP Grey asking a question you may well think you know the answer to, but you probably don’t: ‘which is our nearest planetary neighbour?’ — www.cgpgrey.com/…

Note: When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.