Commentary by Allison — Bart is testing out a new format which in theory will cut the time it takes him to do Security Bits in half. This week is 4 weeks worth of security news so it’s not the best test case, but the new format is here. We welcome feedback on it as always!
Feedback & Followups
Listener Feedback
Hi Allison,
Just want to clarify a law in regards to the Singapore law that Bart was talking about.
The law states that if the government finds a post that is considered fake news, the original post is to remain but Facebook (or whoever) has to add a section to it stating that the Singapore government considers this fake news and then carry a link to a page that would explain why the Singapore government considers it fake.
So all Singaporeans who view this page would be allowed to read the government’s side of the story and it would be up to the user to decide who is right.
The law never states that the original post is to be edited by the author or Facebook.
If you are interested, you can have a read of this article www.straitstimes.com/…
I mean, you can look at it from a negative point of view and say that another government is treading on people’s rights. But you can also look at it from the point of view that everyone should be given a right to read both sides of a statement and make a decision themselves.
I know that most of your listeners would believe that Singapore is an authoritarian state but if you ever live here or talk to others from the USA or UK that live here, that is far from the truth. The government doesn’t listen to all conversations and does not shut down dissent if they are allowed to rebut. Whether that is the right thing to do is another question.
And I am critical of my government but in my view this law shouldn’t be a big issue as nobody needs to change their posts if they don’t want to.
Desmond
from Singapore
And an addendum from Desmond:
Just want to make a correction in my email. It seems that there is part of the law which requires the user to take down their post but it has not been used as of now. But from the looks of it, I think this part will be used if it is somehow related to national security (an overused phrase that is so loaded). There are of course appeals to the directive the highest of which is going to court.
Updates/Developments
- The human review/grading “gate” from a few months ago has developed an embarrassing sting in the tail for Microsoft – a former contractor has spilled the beans on just how badly run the program was, and how little security was in place to protect Skype and Cortana user data — www.theguardian.com/…
- As part of their ongoing effort to fight the trend towards malicious plugins, Mozilla has forced all add-on developers to enable 2FA — nakedsecurity.sophos.com/…
- Mozilla have added NextDNS as a second built-in DoH provider — nakedsecurity.sophos.com/…
- Elcomsoft have updated their iOS forensics toolkit to make use of the Checkm8 vulnerability, allowing it to extract a small amount of specific data from locked iPhones — www.imore.com/…
> … almost everything inside the iPhone remains encrypted until the user unlocks it with their passcode after the phone starts up
>
> It is the “almost” part of the “everything” that we target in this update. We’ve discovered that certain bits and pieces are available in iOS devices even before the first unlock. In particular, some keychain items containing authentication credentials for email accounts and a number of authentication tokens are available before first unlock. This is by design; these bits and pieces are needed to allow the iPhone to start up correctly before the user punches in the passcode.
- YouTube to treat all kid-aimed videos like they’re COPPA-liable — nakedsecurity.sophos.com/…
- Google have tweaked their Project Zero rules to encourage higher quality patches — nakedsecurity.sophos.com/…
- 🇷🇺 Russia’s nation-wide intra-net came a step closer: Russia successfully disconnected from the internet — www.zdnet.com/…
- 🇺🇸 If you made a claim for $125 from Equifax, you’re not getting it after court awards nearly $80 million to attorneys — www.cnbc.com/…
- 🇺🇸 California’s big new privacy law, the CCPA (California Consumer Privacy Act), came into force at the start of the year — www.macobserver.com/…
- 🎧 Related Podcast Suggestion: Reset: What California’s new data privacy law means for all of us — overcast.fm/…
🧯Deep Dive — Plundervolt
In December security researchers released details of a bug in some Intel CPUs that they’ve given the catchy name Plundervolt.
The vulnerability uses the fact that very subtly reducing the CPU’s voltage can cause the CPU to start making predictable mistakes when multiplying numbers together. This can be used to trick SGX (Software Guard Extensions), Intel’s equivalent of Apple’s Secure Enclave, into reading the wrong memory address when it’s trying to read a cryptographic key. This effectively defeats SGX.
Intel have released a BIOS patch that removes the instruction for tweaking the voltage, making the attack impossible.
There’s no need for regular users to worry because most computers don’t support SGX, and those that do have it turned off by default, and very few home users would go to the trouble of opening their BIOS settings to turn it on.
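To make the failure mode concrete, here is an added example in C (mine, not from the post or from the Plundervolt researchers): a constructed stand-in for a multiplier that silently returns a glitched product, and the redundant-computation check a defender can use so that a faulted index is refused before it turns into a read from the wrong address. The fault model and the names `hw_mul`, `checked_mul` and `read_elem` are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed fault model (not real hardware): flips one result bit when set. */
static int g_inject_fault = 0;
static uint64_t hw_mul(uint64_t a, uint64_t b) {
    uint64_t r = a * b;
    if (g_inject_fault) r ^= (1ULL << 7);   /* simulated glitched product */
    return r;
}

/* Independent shift-and-add path: issues no multiply instruction. */
static uint64_t shift_add_mul(uint64_t a, uint64_t b) {
    uint64_t acc = 0;
    while (b) {
        if (b & 1) acc += a;
        a <<= 1;
        b >>= 1;
    }
    return acc;
}
/* Redundant-computation check: accept the product only if both paths agree. */
static bool checked_mul(uint64_t a, uint64_t b, uint64_t *out) {
    uint64_t r1 = hw_mul(a, b), r2 = shift_add_mul(a, b);
    if (r1 != r2) return false;             /* fault detected: refuse the value */
    *out = r1;
    return true;
}

/* Element read of the kind the post describes: offset = idx * elem_size.
 * Returns 0 on success, -1 if out of bounds, -2 if the multiply was faulted. */
static int read_elem(const uint8_t *buf, size_t len, uint64_t idx,
                     uint64_t elem_size, uint8_t *out) {
    uint64_t off;
    if (!checked_mul(idx, elem_size, &off)) return -2;
    if (off >= len || len - off < elem_size) return -1;
    memcpy(out, buf + off, elem_size);
    return 0;
}
int main(void) {
    const uint8_t buf[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; /* constructed */
    uint8_t out[4];
    printf("clean read: %d\n", read_elem(buf, sizeof buf, 2, 4, out));
    g_inject_fault = 1;
    printf("faulted read: %d\n", read_elem(buf, sizeof buf, 2, 4, out));
    return 0;
}
```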
Links
- A really good explanation of how the attack works, what the implications are, and why we don’t need to stress over it — nakedsecurity.sophos.com/…
Action Alerts
- ❗Browser zero day: Update your Firefox right now! — nakedsecurity.sophos.com/…
- WhatsApp has been patched to fix a bug that could allow an attacker to permanently delete group chats and crash the app — www.zdnet.com/…
- Noteworthy Breaches:
- Massive breach leaves 267 million Facebook users’ data exposed — www.imore.com/…
- A Twitter app bug was used to match 17 million phone numbers to user accounts — techcrunch.com/…
- Wyze camera data leak: How to secure your account right now — www.cnet.com/…
- Google suspends Xiaomi from Home Hub over camera privacy glitch — nakedsecurity.sophos.com/…
Worthy Warnings
- Brian Krebs warns of the rise of a particularly tricky kind of phishing – fake app permissions requests on OAuth2-based federated login systems like those offered by Office365, GSuite, Facebook & Twitter. These phishes are particularly dangerous because the permissions are not removed by changing your password! — krebsonsecurity.com/…
- 🇺🇸 US Government-funded Android phones come preinstalled with unremovable malware — arstechnica.com/…
- 🇺🇸 US warns of Iranian cyber threat — nakedsecurity.sophos.com/…
Notable News
- The FBI have sent Apple a letter asking for help cracking two iPhones belonging to the shooter who killed 3 at a naval base in Florida in December 2019. The letter makes clear that the FBI have exhausted all avenues other than Apple’s help — (Editorial Note by Bart: I make it a point to avoid naming murderers who want to be infamous) — nakedsecurity.sophos.com/…
- Security Improvements from Apple:
- Apple have published an updated platform security guide — www.imore.com/…
- Apple have expanded their bug bounty program to cover all their OSes and increased the maximum payout to $1M — www.imore.com/…
- Related: Apple says it’s scanning photos uploaded to iCloud to weed out child abusers — www.imore.com/…
- Related: An illustration of why Mac users can’t afford to be careless about security. Note that this malware is a so-called Trojan, so it spreads by tricking users into installing it in some way: North Korea Upgrades ‘AppleJeus’ Malware for Macs — www.macobserver.com/…
- Apple, Amazon, Google, the Zigbee Alliance, and other tech companies/groups join together to form the Connected Home over IP project. The aim is to develop a single secure standard for IoT devices to interact with all smart assistants — www.imore.com/…
- Microsoft’s Project Artemis Tool Will Help Find Online Predators — www.macobserver.com/…
- ProtonMail Launches ProtonCalendar Beta — www.macobserver.com/…
- Notable Social Media News:
- Twitter bans A[nimated]PNGs after attack on Epilepsy Foundation handle — www.theverge.com/…
- Google have rolled out a new anti-spam/phishing message validation system for SMS messages received in the Android Messages app. Senders need to actively partake in the system, and it’s currently only available in some countries (US, the UK, Canada, Mexico, India, Brazil, France, the Philippines, & Spain), but it allows the Messages app to mark known-genuine messages as such in the app — nakedsecurity.sophos.com/…
- Google voice Assistant gets new privacy ‘undo’ commands — nakedsecurity.sophos.com/…
- Facebook bans deepfakes, but not cheapfakes or shallowfakes — nakedsecurity.sophos.com/…
- Following the lead of parent company Facebook, Instagram has rolled out new features to combat fake news and hate speech, but with the same exception for politicians — www.imore.com/… & nakedsecurity.sophos.com/…
- Last month Facebook replied to questions from US senators with an answer that seemed to say they continue to track location by non-GPS means even when users disable location services access for the Facebook app. The senators followed up asking for clarification, and now Facebook’s reply has been leaked. We understood them correctly: they do indeed track location even when location services access is denied. The senators are not happy with this response. — nakedsecurity.sophos.com/…, www.imore.com/… & www.macobserver.com/…
- Facebook data misuse and voter manipulation back in the frame with latest Cambridge Analytica leaks — techcrunch.com/…
- 🇧🇷 Facebook Receives $1.6 Million Fine From Brazil Over Cambridge Analytica Case — www.macobserver.com/…
- Facebook will stop mining contacts with your 2FA number — nakedsecurity.sophos.com/…
- Twitter Removed 5,929 Accounts Linked to ‘State-Backed Information Operations’ — www.macobserver.com/…
- Fake-review purge: Facebook boots 188 groups, eBay bans 140 shills — nakedsecurity.sophos.com/…
- 🇬🇧 Google And Facebook ad Dominance Faces Scrutiny in UK — www.macobserver.com/…
- 🇺🇸 Police get “unprecedented” data haul from Google with geofence warrants — nakedsecurity.sophos.com/…
Top Tips
- 8 Mac security and privacy features to set up right away — www.intego.com/…
- How to remotely help someone fix their iPhone, iPad, and Mac using Messages screen sharing — www.imore.com/…
- How to remove GPS location data from photos on iPhone or Mac — www.intego.com/…
Excellent Explainers
- 7 types of virus – a short glossary of contemporary cyberbadness — nakedsecurity.sophos.com/…
- iCloud Photo Library and security: What you need to know! — www.imore.com/…
- Cloud extraction technology: the secret tech that lets government agencies collect masses of data from your apps — privacyinternational.org/…
Interesting Insights
- Twelve Million Phones, One Dataset, Zero Privacy — www.nytimes.com/…
- Highlight: NYT Reporters Used a Leaked Location Database to Track the President — www.macobserver.com/…
- Summary & Analysis: Smartphone location data can be used to identify and track anyone — nakedsecurity.sophos.com/…
- Critique: The New York Times’s Hypocrisy on Ad Tracking and Privacy — daringfireball.net/…
- Every move you make, I’ll be watching you: Privacy implications of the Apple U1 chip and ultra-wideband — freedom-to-tinker.com/…
- I Was Google’s Head of International Relations. Here’s Why I Left. — medium.com/…
- 🎧 Security Now Ep. 746: A Decade of Hacks — overcast.fm/…
Palate Cleansers
- 🎧 I recommend this entire (sadly short) podcast series very highly. Linked is a security-related episode that I think makes the perfect introduction to the show for this audience: Cautionary Tales: The Rogue Dressed as a Captain — overcast.fm/…
- 🎧 Another podcast recommendation. Hackable by McAfee is a podcast series that takes a first-hand look at what it’s like to be exploited by the attacks we hear about in this segment all the time. The host invites security researchers to demonstrate threats to the audience by hacking him or one of his colleagues at McAfee. I’ve listened to every episode and they’re all superb, but I think this specific episode will serve as a particularly good introduction to the series: Hackable?: And We’re In — overcast.fm/…
- 🎧 A great holiday special from the wonderful Darknet Diaries podcast – the true story of a penetration test told as a classic Noir detective story (think Dixon Hill on Star Trek TNG) — Darknet Diaries 55: NoirNet — overcast.fm/…
Note: when the text describing a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.