Note: This is the first of two episodes both recorded on the 15th of December 2019, but released over two weeks.
🧯Security Medium Preview 1 — VPNs Not All Hacked
We’ll dig into the details in the second part of this two-parter, but for now, I just want to set everyone’s mind at ease — there’s very little there there in the recent high-profile reports that a security flaw has been found in all VPNs on all OSes.
Security researchers did find something interesting, but there is basically nothing for regular users to worry about.
🧯Security Medium Preview 2 — Suspected Location Data Leaking Bug in iOS 13 on iPhones 11 not Real
Again, we’ll dig into the details in the second part, but for now, I just want to reassure people that the speculation that there was a privacy-leaking bug in how iOS 13 running on iPhones 11 handled location data has proven to be incorrect.
The bottom line is that there is no bug, nothing nefarious afoot, and no danger to user privacy.
Notable Security Updates
- Apple Pushes Out iOS 13.3, iPadOS 13.3, iOS 13.3 for HomePod, macOS 10.15.2 Catalina, watchOS 6.1.1, and tvOS 13.2 — tidbits.com/…
- Apple iOS 13.3 is here, bringing support for keyfobby authentication — nakedsecurity.sophos.com/…
- iOS 13.3 Fixed the ‘AirDoS’ Bug That Could Make Devices Unusable — www.macobserver.com/…
- iOS 13.3 contains new parental controls that allow parents to limit who their children can call and message, but unfortunately security researchers quickly found bugs in the implementation, allowing resourceful kids to bypass the restrictions — arstechnica.com/…
- Safari Now Prevents Tracking Prevention Tracking — www.macobserver.com/…
- A new anti-SMS-spam feature in iOS is making SMS-based 2FA a little more annoying for some users (Editorial by Bart: yet another reason to switch to alternative forms of 2FA when possible!) — www.macobserver.com/…
- Patch Tuesday:
  - Microsoft has released patches for Windows that fix 7 critical bugs, and patch a vulnerability that is being actively exploited in the wild — krebsonsecurity.com/…
  - December Patch Tuesday blunts WizardOpium attack chain — nakedsecurity.sophos.com/…
  - The last ever security patches for Windows Mobile were included in this Patch Tuesday; these devices are now obsolete and can no longer be secured — nakedsecurity.sophos.com/…
- Adobe have released security updates for Photoshop CC, Acrobat & Reader — www.us-cert.gov/…
- Chrome 79 includes anti-phishing and hacked password protection — nakedsecurity.sophos.com/…
- Google have released the December 2019 security update for Android, and it fixes a bug described as allowing an attacker to cause a “permanent” denial of service (no details, but that sounds like actual bricking!) — nakedsecurity.sophos.com/…
- OpenBSD devs patch authentication bypass bug — nakedsecurity.sophos.com/…
- WordPress 5.3.1 has been released, fixing a critical security bug that could lead to a site takeover — wordpress.org/…
Notable News
- Facebook will target ads based on your Oculus VR data — nakedsecurity.sophos.com/…
- Instagram trying to protect kids by getting dates of birth from new users — nakedsecurity.sophos.com/…
- YouTube bans malicious insults, veiled threats, harassment — nakedsecurity.sophos.com/…
Suggested Reading
- PSAs, Tips & Advice
- Notable Breaches & Privacy Violations
  - ⭐️ 🇺🇸 More than 1 million T-Mobile customers exposed by breach — techcrunch.com/…
  - ⭐️ 🇺🇸 The California DMV Is Making $50M a Year Selling Drivers’ Personal Information — www.vice.com/…
  - ⭐️ Bulk SMS service TrueDialog accidentally exposed a database containing millions of SMS messages sent on behalf of various corporations, including a lot of sensitive data — nakedsecurity.sophos.com/…
  - ⭐️ German call centre operator 1&1 has been fined €9.6M under the GDPR for failing to fully authenticate users making calls into their call centres — nakedsecurity.sophos.com/…
  - Yodel parcel tracking app blabs about other people’s parcels — nakedsecurity.sophos.com/…
  - Mixcloud user accounts up for sale on dark web — nakedsecurity.sophos.com/…
- News
  - ⭐️ 🇺🇸 Google submitted comments to the FTC as part of their public consultation on a review of the Children’s Online Privacy Protection Act (COPPA), requesting that the government eliminate rules that categorise anyone watching “child-directed” content online as under 13 — www.bloomberg.com/…
  - ⭐️ 🇺🇸 Ad industry groups ask that the CCPA keep its mitts off their cookies — nakedsecurity.sophos.com/…
  - ⭐️ 🇪🇺 EU antitrust regulators say they are investigating Google’s data collection — www.reuters.com/…
  - ⭐️ 🇺🇸 House passes TRACED Act to protect consumers from illegal robocalls — www.imore.com/…
  - ⭐️ 🇺🇸 After criticism, Homeland Security drops plans to expand airport face recognition scans to US citizens — techcrunch.com/…
  - ⭐️ 🇯🇵 Osaka Metro unveils ticket gate with facial recognition tech
  - Fake Android apps uploaded to Play store by notorious Sandworm hackers — nakedsecurity.sophos.com/…
  - First-ever Uber safety report reveals 9 murders, 58 crash deaths and over 3,000 sexual assaults in 2018 — www.imore.com/…
  - FBI: Russia-based FaceApp is a ‘potential counterintelligence threat’ — nakedsecurity.sophos.com/…
  - 🇨🇳 Smartphone owners in China now need to send facial scans to the government — www.imore.com/…
  - 🇺🇸 TikTok settles class action over child privacy one day after it’s filed — nakedsecurity.sophos.com/…
  - 🇺🇸 Uncle Sam opens arms to friendly hackers — nakedsecurity.sophos.com/…
  - 🇪🇺 EU releases its 5G conclusions — nakedsecurity.sophos.com/…
- Opinion & Analysis
  - Propeller Beanie Territory
    - ⭐️ Mac users targetted by Lazarus ‘fileless’ Trojan — nakedsecurity.sophos.com/…
    - Microsoft looks to Rust language to beat memory vulnerabilities — nakedsecurity.sophos.com/…
    - Snatch ransomware pwns security using sneaky ‘safe mode’ reboot — nakedsecurity.sophos.com/…
    - Machine-raiding Python libraries squashed by community — nakedsecurity.sophos.com/…
Suggested Listening
- 🎧 I don’t want to give the game away, but trust me, it’s very relevant to computers and to stuff we talk about in this segment: Planet Money Episode 773: Slot Flaw Scofflaws — overcast.fm/…
Palate Cleansers
Note: When the textual description of a link is part of the link it is the title of the page being linked to. When the text describing a link is not part of the link it is a description written by Bart.