Feedback & Followups
- Zoom continues to respond positively to problems with and criticisms of their platform:
- Zoom announces 5.0 update with tougher encryption and new security features — www.imore.com/…
- Last time Bart was not sure of the exact detail of how Zoom’s region controls worked, iMore have the details: Zoom has fixed one of the biggest complaints about its platform — www.imore.com/…
- 🎧 Steve Gibson gave their efforts an enthusiastic 👍: Security Now Episode 763: The COVID Effect — overcast.fm/…
- Related: Zoom now has more than 300 million daily users — www.imore.com/…
- COVID-19 Contact Tracing/Exposure Notification
- Apple & Google have updated their API a little in response to feedback. None of the fundamentals have changed, but there has been a big re-branding from the scary and privacy-invading-sounding term ‘Contact Tracing’ to the more accurate, and friendlier sounding, term ‘Exposure Notification’:
- Apple and Google Strengthen Privacy of COVID-19 Exposure Notification System, Targeting Next Week for Beta Release — www.macrumors.com/…
- Apple and Google will disable COVID-19 tracing when pandemic ends — www.imore.com/…
- Apple has added “COVID-19 Exposure Notifications” in the iOS 13.5 beta — www.imore.com/…
- Cartoon graphic explaining how Exposure Notification can work: ncase.me/…
- Nate Lanxon explains Apple/Google’s Exposure Notification on Tech’s Message Podcast using “Jeff” and “Boat-Shaped Head”: www.uktechshow.com/…
- Related: How a handful of Apple and Google employees came together to help health officials trace coronavirus — www.cnbc.com/…
- Cellebrite Pitches its iPhone Hacking Tools as COVID-19 Surveillance Solution — www.macobserver.com/…
- Editorial by Bart: Lots of countries are wrestling with the decision of how to proceed: centralise and send all the data to the government, or distribute, so the data remains on-device and private. More data is better for scientists and health officials, but a centralised store is very open to abuse and will deter users, and these apps are only useful when lots of people use them. So, in democracies, I think decentralised is the only way to go, and Germany’s U-turn adds credence to that.
- 🇫🇷 🇬🇧 Apple & Google’s refusal to make exceptions to their security and privacy protections is causing problems for countries like France and the UK that want to go with a centralised approach: www.ft.com/… & France claims Apple’s privacy policy is blocking its contact tracing app — www.imore.com/…
- 🇬🇧 Regardless of what Apple & Google say or do, the UK is pressing ahead with a centralised app:
- The UK has rejected Apple and Google’s contact tracing program — www.imore.com/…
- UK Coronavirus Contact Tracing App Could be Rolled Out in Two-Three Weeks — www.macobserver.com/…
- Privacy Advocates Raise Concerns About UK COVID-19 Contact Tracing App — www.macobserver.com/…
- The NHS says despite not following Apple and Google, its contact tracing app will work — www.imore.com/…
- 🇩🇪 Germany reverses course, supports Apple/Google’s contact tracing approach — www.imore.com/… & Coronavirus tracking tool from Apple and Google embraced by Germany — nakedsecurity.sophos.com/…
- 🇺🇸 The CDC’s guidance on contact tracing apps align with Apple and Google — www.imore.com/…
- Related: 🇺🇸 U.S. Senators propose COVID-19 data privacy bill — www.imore.com/…
- Related: 🇺🇸 Half of Americans won’t trust contact-tracing apps, new poll finds — arstechnica.com/… & U.S. poll suggests Americans sharply divided on use of contact tracing apps — www.imore.com/…
- Editorial by Bart: the questions in this poll were poorly worded, so this result may not be as meaningful as it could be. John Gruber explains the problem succinctly: Regarding the Washington Post’s Poll on Americans’ Willingness to Use Smartphone Apps for Exposure Notification — daringfireball.net/…
- 🇨🇦 Contact tracing stirs debate in Canada — www.imore.com/…
- 🇮🇪 Irish government confirms it will use de-centralized contact tracing model — www.imore.com/…
- Related: an excellent explainer covering the what, the how, and the why: Contact tracing: A guide to one possible pandemic solution — www.imore.com/…
- 🎧 An in-depth discussion of this issue: The Real Story: Coronavirus – Is mass surveillance here to stay? — overcast.fm/…
- Social Media companies continue to respond to the COVID-19 crisis
- Facebook to alert us if we’ve been exposed to fake coronavirus news — nakedsecurity.sophos.com/…
- Facebook Removes ‘Pseudoscience’ Category for Targeted Ads — www.macobserver.com/…
- Facebook launches Messenger Rooms to compete with FaceTime and Zoom — www.imore.com/…
- New WhatsApp beta expands group call limit to eight people — www.imore.com/…
- Google are continuing the fight against dangerous browser extensions: Google fights spammy extensions with new Chrome Web Store policy — nakedsecurity.sophos.com/…
- 🎧 We wondered last time where on earth the COVID-19 5G conspiracy came from; the wonderful RESET podcast has the answer: RESET: The 5G coronavirus conspiracy theory — overcast.fm/…
🧯 Deep Dive — The iOS Mail Bug
TL;DR — don’t panic, there is no immediate danger, and a patch is on the way 🙂
Security researchers found a pair of bugs in Apple’s Mail app on iOS that would cause the app to crash when trying to load a maliciously crafted mail. Importantly, the bugs can’t be used to actually exploit a device without being paired with other bugs in an exploit chain. This makes the bugs useful building blocks for an attacker, but not a problem in isolation. Basically — Apple’s multi-layered security system is doing what it should and protecting us all from this bug!
The security researchers claimed they had evidence that the bug was being actively exploited in the wild, but on further inspection those claims seem very suspect. Perhaps the most charitable thing you could say is that they are circumstantial at best. The emails they found could be evidence of failed attempted exploits, or they could be perfectly normal MIME-encoded data; given that MIME is used to send email attachments, that definitely seems the more likely explanation to me 🙂
Apple have also responded to the claims, stating they can find no evidence of these bugs ever having been exploited in the wild, and pointing out that the bugs can’t be used to exploit an iPhone directly.
The bugs have been patched in the latest iOS betas.
Links
- iPhone zero day – don’t panic! Here’s what you need to know — nakedsecurity.sophos.com/…
- iOS Mail Exploits Serious but Unlikely to Affect Normal Users — tidbits.com/…
- A new security vulnerability has been discovered in the default Mail app — www.imore.com/…
- iPhone Zero Day Found, Will Be Patched in iOS 13 — www.macobserver.com/…
- Apple responds to claim of Mail app exploit in iOS 13 — www.imore.com/…
- Apple strongly denies that iPhone Mail vulnerabilities have been exploited — 9to5mac.com/…
❗ Action Alerts
- Patch now! Microsoft issues unexpected Office fix — nakedsecurity.sophos.com/…
- Bumper Adobe update fixes flaws in Magento, Bridge and Illustrator — nakedsecurity.sophos.com/…
Worthy Warnings
- Nintendo Switch data leak exposes 160,000 users by impersonating NNID — www.imore.com/…
- Warning! Fake Zoom “HR meeting” emails phish for your password — nakedsecurity.sophos.com/…
- New sextortion scam: “High level of risk. Your account has been hacked.” — nakedsecurity.sophos.com/…
- Google’s Project Zero has released details of bugs patched in recent versions of Apple’s OSes, so if you haven’t patched yet, do! — Google reveals zero-click bugs that Apple has patched in recent weeks — www.imore.com/…
- 309 million Facebook users’ phone numbers found online — nakedsecurity.sophos.com/… (No passwords, but enough data to automate convincing phishing scams)
- Password-free database of exercise app Kinomap leaks 42m user records — nakedsecurity.sophos.com/… (No passwords, but enough data to automate convincing phishing scams)
- Netatmo Patches Security Hole in Indoor Camera — www.pcmag.com/…
- Attention WordPress Users — there’s a vulnerability in the obsolete theme OneTone being exploited in the wild to take over WordPress sites — nakedsecurity.sophos.com/…
- Related: there was also a security update to WordPress itself to patch a critical bug, but if your site is properly configured, it should have auto-installed itself: wordpress.org/…
- Attention Ruby Developers — beware of typo-squatting malware in the RubyGems repository: Trove of RubyGems malware highlights software supply chain issues — nakedsecurity.sophos.com/…
Notable News
- A strange new iOS bug has surfaced that causes devices to freeze when they meet a certain sequence of emoji. If it happens to you, the fix is to reboot your phone: This bizarre text bomb is crashing iOS devices — www.imore.com/… & iPhone “word of death” could crash your phone – what you need to know — nakedsecurity.sophos.com/…
- Eight-year-old discovers iPhone Screen Time workaround to watch more YouTube — www.inputmag.com/…
- Twitter turns off SMS-based tweeting in most countries — nakedsecurity.sophos.com/…
- Epic Games launches Fortnite on the Google Play Store and they’re not happy about it — techcrunch.com/…
- You Can Now Check If Your ISP Uses Basic Security Measures — WIRED
Top Tips
- Best File Transfer Services in 2020 — www.imore.com/…
- “Zero-click” mobile phone attacks – and how to avoid them — nakedsecurity.sophos.com/…
Excellent Explainers
- How online ads can endanger your security — www.intego.com/…
- A superb human-friendly explanation of a now-patched iOS bug: daringfireball.net/…
- A fascinating deep dive into how the recently patched Safari web cam bug worked and was found: Webcam Hacking: www.ryanpickren.com/…
Just Because it’s Cool 😎
Palate Cleansers
- Join Meetings from A Galaxy Far, Far Away with These Star Wars Backgrounds — www.starwars.com/…
- 🎦 Some excellent (and playfully delivered) advice from the wonderful CGP Grey for managing life during lockdown: Lockdown Productivity: Spaceship You – YouTube — www.youtube.com/…
- 🎦 From Allison: Build Your Own Magically Floating Lego Tensegrity Sculpture — kottke.org/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |