Followups:
- DNS over HTTPS: DNS-over-HTTPS is coming to Windows 10 — nakedsecurity.sophos.com/…
- Related: 🎧 Steve Gibson reports the Windows 10 story, and uses it as a transition into a deep-dive into some of the exceptionally cool possible improvements HTTPS + HTTP2 & HTTP3 could bring to DNS — Security Now Episode 742: Pushing “DoH” — overcast.fm/…
- iOS13’s Problematic Release: According to reports, Apple have briefed their iOS development team on significant changes to their software development process aimed at making iOS 14 go a lot smoother than iOS 13 did — www.bloomberg.com/…
Security Medium — The Android Camera Bug
A bug was found in the camera app that ships on many Android phones that allowed third-party apps holding only the external storage permission to silently enable the camera and mic, access the photo library, and read geolocation data from the images in the library. Malicious apps could enable the camera and mic even when the phone was locked and the screen was off. Access to storage is one of the most common permissions, so the permission request would not look suspicious.
The bug was responsibly disclosed, so both Google and Samsung have already patched the camera apps on their phones. Google patched their app via the Play store in July, and while Samsung say their app is now patched, they did not give a date for when it was released.
The security researchers who discovered the bug believe it affects the camera apps of other manufacturers too, but while Google say they are working with manufacturers, we have no official confirmation that other phones were or are vulnerable. Frustratingly, this means owners of non-Google or non-Samsung devices simply don’t know whether or not they are exposed to this dangerous vulnerability. For now, it seems there are no widespread exploits in the wild, but that could change very quickly.
Links
- Google & Samsung fix Android spying flaw. Other makers may still be vulnerable — arstechnica.com/…
- Android camera bug could have turned phones against their users — nakedsecurity.sophos.com/…
- Android Camera Bug Allowed Attackers to Access Camera and Microphone Surreptitiously, Without Permission — daringfireball.net/…
Notable Security Updates
- Apple releases iOS and iPadOS 13.2.3 — arstechnica.com
- Update WhatsApp now: MP4 video bug exposes your messages — nakedsecurity.sophos.com/…
Notable News
- A security researcher found a 4TB database containing 1.2 billion aggregated stolen user records on the dark web. The data does not contain passwords or payment information, but could be very helpful in crafting targeted attacks — www.wired.com/…
- Security researchers find significant problems with 3rd-party Android modifications and apps:
- Security researchers found 146 known vulnerabilities on 29 out-of-the-box Android phones including models from Samsung & Xiaomi. The source of the problem is custom software added to the core OS by the hardware manufacturers (Editorial by Bart: yet another reason to stick to Android phones from Google, you get official Android, and only official Android!) — nakedsecurity.sophos.com/…
- Thousands of Android apps have old security flaws lurking inside — www.wired.co.uk/…
- Twitter continues to add more control for users to protect themselves from abuse on the platform:
- Twitter launches a way to report abusive use of its Lists feature — techcrunch.com/…
- Twitter announces new controls for conversations, available globally now — www.imore.com/…
- Twitter now supports two-factor authentication without a phone number — www.imore.com/…
- Twitter delays its deletion of inactive accounts until it memorializes deceased users — www.imore.com/…
- Sir Tim Berners-Lee publishes plan to save the web from ‘digital dystopia’ — nakedsecurity.sophos.com/…
- 🇺🇸 The Pennsylvania Supreme Court has ruled that passwords are protected by the 5th amendment to the US constitution — nakedsecurity.sophos.com/…
- 🇺🇸 Think of the children: FBI sought Interpol statement against end-to-end crypto — arstechnica.com/…
- 🇺🇸 NSA won’t collect phone location data, promises US government — nakedsecurity.sophos.com/…
Suggested Reading
- PSAs, Tips & Advice
- ⭐️ PSA: Adobe Acrobat & Reader 2015 are now end-of-life, you need to un-install them to remain secure — nakedsecurity.sophos.com/…
- ⭐️ Some advice from Naked Security for staying safe as you do your holiday shopping online: Ho Ho OUCH! There are 4x more fake retailer sites than real ones — nakedsecurity.sophos.com/…
- ⭐️ 🎧 Vector: 10 iPhone Privacy Hacks in 3 Minutes — vector.libsyn.com/…
- ⭐️ Mozilla have launched this year’s *Privacy not included annual privacy-aware gift guide — blog.mozilla.org/…
- ⭐️ Best Password Manager Apps for Mac in 2019 — www.imore.com/…
- ⭐️ Advice for parents on the importance of teaching kids about privacy: We street-proof our kids. Why aren’t we data-proofing them? — theconversation.com/…
- Notable Breaches & Privacy Violations
- 🇺🇸 4 million stolen payment details have been offered for sale on the dark web. The records come from compromises of four US restaurant chains (Krystal, Moe’s, McAlister’s Deli & Schlotzsky’s) — krebsonsecurity.com/…
- Adobe’s Magento Marketplace suffers data breach — nakedsecurity.sophos.com/…
- Official Monero site delivers malicious cash-grabbing wallet — nakedsecurity.sophos.com/…
- Notable IoT Vulnerabilities
- Security researchers have found critical security and privacy bugs in the SMA M2 kids’ smartwatch — nakedsecurity.sophos.com/…
- News
- ⭐️ Jimmy Wales (Wikipedia co-founder) launched a privacy-respecting new donation-supported social media network — nakedsecurity.sophos.com/…
- ⭐️ DuckDuckGo has added a new feature for automatically switching insecure pages to HTTPS when possible to their plugins and browsers, and open-sourced the code — www.wired.com/…
- ⭐️ Startpage News Tab Gives You ‘Unprofiled’ News — www.macobserver.com/…
- Opinion & Analysis
- ⭐️ A great article that explains the history and detail of how browser fingerprinting works, and what Mozilla is doing to fight it — nakedsecurity.sophos.com/…
- ⭐️ The chain of trust in Apple’s devices — www.intego.com/…
- Why cryptocoin scams work, and how to avoid them — nakedsecurity.sophos.com/…
- The Washington Post: 1,500 instances of ‘unwanted sexual approaches’ uncovered in App Store reviews of random chat apps — www.imore.com/…
- 🇺🇸 It’s Way Too Easy to Get a .gov Domain Name — krebsonsecurity.com/…
- Propeller Beanie Territory
Suggested Listening
- 🎧 A nice in-depth analysis of the potential dangers posed by the rapidly expanding use of algorithms in our modern world: The Real Story: Can algorithms be trusted? — overcast.fm/…
Palate Cleansers
Note: When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.