Feedback & Followups
- Developments in the Avast Browser History Data Sales story:
- 🇺🇸 US charges four Chinese military members with Equifax hack — nakedsecurity.sophos.com/…
- 🇺🇸 Class action suit against Clearview AI cites Illinois law that cost Facebook $550M — techcrunch.com/…
- 🇺🇸 Another twist in the net neutrality saga in the US: FCC forced by court to ask the public (again) if they think tearing up net neutrality was a really good idea or not — www.theregister.co.uk/…
- Related: 🎧 A very informative and fair interview with FCC chair Ajit Pai: Freakonomics Radio: Can You Hear Me Now? — overcast.fm/…
- The perennial internet regulation issue continues to develop:
- Google continues to fight back against malicious apps and browser plugins on its various platforms:
- FIDO support continues to expand:
- OpenSSH eases admin hassles with FIDO U2F token support — nakedsecurity.sophos.com/…
- Apple has joined the FIDO Alliance — www.imore.com/… & www.forbes.com/…
Deep Dives
Deep Dive 1 — The Sweyntooth Bluetooth Bugs
Security researchers have released details on a whole family of loosely related Bluetooth bugs which they’ve named after Sweyn, the son of the Danish king Harald Bluetooth, after whom the wireless standard is named (and whose rune is used as the Bluetooth icon).
These bugs exist in the firmware for countless Bluetooth devices, and their effects vary from locking up the devices or forcing them to reboot all the way to full security bypasses allowing unauthorised pairing and full control of the devices and access to all data stored on them. Thankfully all these bugs require attackers to be within Bluetooth range of vulnerable devices.
At the root of the problem are a host of similar bugs in the Software Development Kits (or SDKs) provided by at least seven system-on-a-chip (SOC) vendors to allow Bluetooth device manufacturers to build firmware for their devices.
Imagine you want to build a Bluetooth headset. You would source a Bluetooth SOC, then you would write the firmware for your device, and you would do that using an SDK provided to you by the company that makes the SOC you have chosen to use. If you used a vulnerable SDK you would need to update your copy of the SDK, rebuild your firmware, then make it available to all your customers.
The good news is that security researchers have been working with vendors since last summer to responsibly disclose the bugs and get patches out, but that can only help protect users of devices that actually get firmware updates, and even then, many devices have no mechanism for alerting users that an update exists, so many potential updates will never get applied. The inevitable end result will be millions of vulnerable Bluetooth devices out there for years to come 🙁
One important silver lining here is that the more high-end and advanced the device, the more likely it is to get patched. This won’t be a problem for things like high-end smartphones under active support, or high-end headphones like AirPods. Instead, it’s going to be a bigger issue for cheaper, less advanced devices, and those are less likely to be involved with very sensitive information.
What can you do to protect yourself? You can’t practically protect yourself fully, but you can limit your exposure by:
- Only buying Bluetooth devices from reputable firms.
- Installing all firmware updates available.
- Being aware that anything you do over a Bluetooth device you don’t know has been properly secured could well be insecure.
Link
Deep Dive 2 — More Malware on Macs than Windows? Really?
AV vendor Malwarebytes made a big splash when they released a report stating they had blocked more malware per endpoint on Macs than PCs in 2019.
The problem with this approach is that it inherently assumes that all threats are equal — that plugin that injects ads into your browser is the same as ransomware that encrypts all your files and extorts you for millions!
Unsurprisingly, what we find is that the problems affecting Mac users are generally self-inflicted, being trojans rather than viruses or worms and that Apple’s default settings and protections would protect users just as well as an AV product does!
This story isn’t the paradigm-shifting change the headlines might have led you to believe. I’ve not changed my calculus on running AV on Macs — I don’t, and I don’t recommend others do either. AV runs at a very high privilege level and is very complex code — that’s a really dangerous mix for introducing security vulnerabilities. IMO the risks posed by running AV on Macs still outweigh the very small potential benefits. Much more important is to keep the default settings preventing the execution of unsigned apps and enabling automatic updating of XProtect from Apple daily.
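As an added example (not from the newsletter or Malwarebytes), a small POSIX shell script that checks whether those two defaults are still in place on a Mac. It assumes `spctl --status` reports the Gatekeeper state, and that the `com.apple.SoftwareUpdate` keys `AutomaticCheckEnabled`, `ConfigDataInstall` and `CriticalUpdateInstall` govern the automatic security-data (XProtect) updates; the parsing helpers take text input so they can be exercised with constructed samples off a Mac.

```shell
#!/bin/sh
# Added example, not the newsletter's own code. Assumes macOS spctl(8) and
# defaults(1); the *_enabled/pref_on helpers only parse text.

# Returns 0 when spctl output says Gatekeeper assessments are enabled.
gatekeeper_enabled() {
  printf '%s\n' "$1" | grep -q '^assessments enabled'
}

# Returns 0 when a "defaults read" value means "on" (1/true/YES).
pref_on() {
  case "$1" in
    1|true|TRUE|YES|yes) return 0 ;;
    *) return 1 ;;
  esac
}

# Read one SoftwareUpdate key; a missing key is treated as "0" (off).
# Assumption: these keys back the "security updates" preference pane options.
read_su_pref() {
  defaults read /Library/Preferences/com.apple.SoftwareUpdate "$1" 2>/dev/null || echo 0
}

# Run both checks and return non-zero if any default has been weakened.
check_mac_defaults() {
  status=0
  if gatekeeper_enabled "$(spctl --status 2>/dev/null)"; then
    echo "OK   Gatekeeper: unsigned apps are blocked"
  else
    echo "WARN Gatekeeper assessments are disabled"; status=1
  fi
  for key in AutomaticCheckEnabled ConfigDataInstall CriticalUpdateInstall; do
    if pref_on "$(read_su_pref "$key")"; then
      echo "OK   $key"
    else
      echo "WARN $key is off: XProtect/security data will not update automatically"
      status=1
    fi
  done
  return $status
}

# Usage: sh check_mac_defaults.sh --run
if [ "${1:-}" = "--run" ]; then
  check_mac_defaults
fi
```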
Links
- Malwarebytes: Malware threats per endpoint on Mac double that of Windows — www.imore.com/…
- Research: Macs Saw Almost Twice as Much Malware as Windows PCs in 2019 — www.tomshardware.com/…
- Malware threats on Macs outpace Windows for first time ever — www.loopinsight.com/…
- Related Opinion: The State of Scamware on the Mac — daringfireball.net/…
❗ Action Alerts
- This month’s Patch Tuesday saw security updates from Microsoft and Adobe, including a fix for a zero-day being actively exploited in IE. Be sure to apply these patches promptly! — krebsonsecurity.com/…
- Adobe released further out-of-band patches a week after Patch Tuesday: Adobe fixes critical flaws in Media Encoder and After Effects — nakedsecurity.sophos.com/…
- Dell has patched a critical bug in a support app it ships with most of its Windows computers. If you own a Dell you should be sure it has all the latest updates from Dell — nakedsecurity.sophos.com/…
- Critical bugs have been found in two very popular WordPress plugins:
- A critical bug has been patched in the very popular GDPR Cookie Consent WordPress plugin — nakedsecurity.sophos.com/…
- A critical bug has been patched in the popular Demo Importer plugin from ThemeGrill — nakedsecurity.sophos.com/…
Worthy Warnings
- Be careful where you (and your friends/family/acquaintances) post WhatsApp private group chat invite links — if they appear on the public web, they will be indexed by search engines, and can be found with easy searches. Security researchers have found that Google has indexed almost half a million such invite links: Google Is Letting People Find Invites to Some Private WhatsApp Groups — www.vice.com/…
- Notable Data Breaches:
- Private photos leaked by PhotoSquared’s unsecured cloud storage — nakedsecurity.sophos.com/…
- Details of 10.6 million MGM hotel guests posted on a hacking forum — www.zdnet.com/… (No financial data, so the biggest danger would be well targeted believable phishing attacks)
- PSA: Double-Check Your iPhone’s Medical ID Emergency Contacts — tidbits.com/…
Notable News
- Two major IoT vendors move to force 2FA for all users:
- Google made use of Safer Internet Day to announce plans to force Nest users to enable 2FA on their accounts — nakedsecurity.sophos.com/…
- Ring makes 2FA mandatory to keep hackers out of your doorbell account — nakedsecurity.sophos.com/…
- Western government agencies warn of nation-state-sponsored attacks on western IT infrastructure:
- 🇺🇸 FBI director warns of sustained Russian disinformation threat — nakedsecurity.sophos.com/…
- 🇺🇸 Officials raise alarm about Chinese hacking — nakedsecurity.sophos.com/…
- 🇺🇸 US Cyber Command, DHS, and FBI expose new North Korean malware — www.zdnet.com/…
- 🇺🇸 🇬🇧 US and UK call out Russian hackers for Georgia attacks — nakedsecurity.sophos.com/…
- Governments abusing private corporations to get spy tools into foreign countries appear to be both real and nothing new:
- US says it can prove Huawei has backdoor access to mobile-phone networks — arstechnica.com/…
- German/US spies owned encryption company used by allies and adversaries — www.stuff.co.nz/… (Editorial by Bart: I get why the US are so sure China uses private companies to spy on their adversaries now — they’re doing it, so of course everyone else must be too!)
- 🇺🇸 The FBI have released their 2019 annual cybercrime report. There were about 1,300 cybercrimes per day in the US, costing victims about $3.5Bn. The age group to suffer most was the over 60s, being defrauded for over $835K — nakedsecurity.sophos.com/…
- Download the full report in PDF format — pdf.ic3.gov/…
- Microsoft have released a preview version of their enterprise Advanced Threat Protection endpoint for Linux, and let it be known that a version of Defender ATP is on the way for iOS & Android. At the moment there are no details of who this product is even targeted at, let alone what it can do, but more details will be released at the RSA Conference in SF next week. (Editorial by Bart: to date everything branded with ATP has been aimed at corporate IT, not home users; my expectation is the same will be true of these new products) — www.macrumors.com/…
- Don’t feel too bad if you make a security boo-boo, it happens to the big boys too: Facebook’s Twitter and Instagram accounts hijacked — nakedsecurity.sophos.com/…
Top Tips
- The 11th of February was Safer Internet Day, resulting in some nice pithy advice articles, ideal for sharing with less tech-savvy friends and family:
- Looking for a new Backup drive? Check to see which ones are living longest in the real world: Backblaze Hard Drive Stats for 2019 — www.backblaze.com/…
Excellent Explainers
Interesting Insights
- Why Amazon knows so much about you — www.bbc.co.uk/…
- How Big Companies Spy on Your Emails — www.vice.com/… (Particularly relevant to users of the popular Edison email app)
- 🇺🇸 Leaked Document Shows How Big Companies Buy Credit Card Data on Millions of Americans — www.vice.com/…
- 🇺🇸 Household Names: How Tetrad Exposed Data on 120 Million Consumers — www.upguard.com/…
Palate Cleansers
- 🎧 The first half-hour-ish of this episode excellently explains the important difference between Machine Learning (ML) and true Artificial Intelligence (AI): Apple Context Machine Ep. 525: AI vs. Machine Learning, Our New Macs, Oak Island — overcast.fm/…
- 🎧 World Wise Web is a new BBC World podcast series where youngsters interview important people from the history of tech about their life’s work. The episodes are short (~10 mins), and so far I can recommend them all. This is a great taster episode, interviewing the “mother of the internet”, Radia Perlman, the inventor of the Spanning Tree Protocol that keeps so many of our networks functioning day-in-day-out: World Wise Web: Internet networks — overcast.fm/…
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a pay-wall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |