Feedback & Followups
- COVID Update:
  - Apple have released iOS 12.5.1, a bug-fix for the unexpected iOS 12.5, which was recently released to add COVID exposure tracking to older iPhones — www.macobserver.com/…
  - Yelp have added fields to allow reviewers to mark whether or not an establishment is following COVID guidelines — www.imore.com/…
- More SolarWinds fallout:
  - Sealed U.S. Court Records Exposed in SolarWinds Breach — krebsonsecurity.com/…
  - CISA has released a new document describing how organisations affected by the SolarWinds attack can check that the attack did not spread into their Office 365 tenancies — us-cert.cisa.gov/…
  - SolarWinds have released details of how they were attacked, and warned that what happened to them could very easily happen to other vendors — krebsonsecurity.com/…
- Back in November we did a deep dive into the firewall bypass list in macOS Big Sur. At the time Apple were allow-listing many of their apps, and we came to the conclusion they would need to whittle that list down to the bare minimum, and that’s what Apple have done in the latest Big Sur beta — www.imore.com/…
  - The original episode: Security Bits — 22 November 2020 — www.podfeet.com/…
❗ Action Alerts
- Last Tuesday was Patch Tuesday, and Microsoft’s suite of updates contained a fix for a zero-day in Windows Defender that is being actively exploited in the wild — krebsonsecurity.com/…
- Zyxel hardcoded admin password found – patch now! — nakedsecurity.sophos.com/…
- Ubiquiti: Change Your Password, Enable 2FA — krebsonsecurity.com/…
Worthy Warnings
- As of the end of 2020 Flash is EOL (End of Life): it’s not going to get security updates from Adobe anymore, so if you still have it installed, get rid of it before it bites!
- The company that processes payments for Amazon and Swiggy has reported a data leak of over 100 million debit and credit cardholders — www.businessinsider.in/… (Actual credit card numbers are not leaked, just masked versions, so the biggest threat is targeted phishing attacks)
- (From Allison) Amazon’s Ring Neighbors app exposed users’ precise locations and home addresses — techcrunch.com/…
Notable News
- WhatsApp have updated their terms of service, and users have been forced to accept the changes to continue using the app. The new TOS allows for sharing of data with Facebook — www.macobserver.com/… & www.imore.com/…
- 🇺🇸 Following the violent insurrection on January 6th, tech companies have taken action against President Trump, QAnon, and other extremist groups:
  - Facebook implements new moderation policies in response to U.S. violence — www.imore.com/…
  - President Trump is banned from just about everything:
    - Facebook suspends President Trump ‘indefinitely’ — www.imore.com/…
    - Shopify Takes Trump Organization and Campaign Stores Offline – WSJ — www.wsj.com/…
    - TikTok is taking down videos of Trump’s speech to U.S. Capitol rioters — www.imore.com/…
    - Twitch Suspends Donald Trump’s Channel To Prevent Him From Inciting ‘Further Violence’ — kotaku.com/…
    - Snapchat has also locked down President Trump’s account — www.imore.com/…
    - Twitter has permanently suspended Donald Trump’s account — www.imore.com/…
  - Twitter Has Banned Michael Flynn, Sidney Powell, And Ron Watkins For Spreading QAnon Delusions — www.buzzfeednews.com/…
  - Parler gets shut down
    - Apple Removes Parler From App Store Due to ‘Inadequate’ Measures to Address Dangerous Content — www.macrumors.com/…
    - Amazon cuts off Parler’s web hosting following Apple, Google bans — arstechnica.com/…
    - Tim Cook: Parler can come back ‘if they get their moderation together’ — www.imore.com/…
    - Related: Before Amazon shut them down, white/grey hat security researchers downloaded almost every post ever made, including deleted ones. This was possible because Parler used sequential IDs, so they could be enumerated, and clearly did not implement adequate throttling (rookie mistakes):
    - Related: Post-Riot, the Capitol Hill IT Staff Faces a Security Mess — www.wired.com/…
    - Tom Merritt explains Amazon’s decision to stop hosting Parler and a little of what he thinks of it — www.patreon.com/…
- Intel Releases ‘RealSense ID’ Facial Authentication Technology — www.macobserver.com/…
- New facial recognition tech from Japanese firm NEC can identify people wearing masks — www.bbc.co.uk/…
- Mozilla VPN Arrives on macOS and Linux — www.macobserver.com/…
- 🇬🇧 The UK Competition & Markets Authority (CMA) has opened an anti-trust investigation into Google over concerns that its privacy improvements in Chrome might harm competitors — www.macobserver.com/…
- 🇺🇸 (From Allison) California Company Settles FTC Allegations It Deceived Consumers about use of Facial Recognition in Photo Storage App — www.ftc.gov/…
- 🇺🇸 Secretary of State Mike Pompeo has created a new Bureau of Cyberspace Security and Emerging Technologies (CSET) within the State Department to inform cybersecurity in US foreign policy — www.macobserver.com/…
Top Tips
Excellent Explainers
- An excellent explanation of a new Amazon scam named Brushing: Mysterious Packages Showing Up on Doorsteps — www.nbcwashington.com/…
Interesting Insights
- 🎧 A great explanation of the storied Pwn2Own competition: Darknet Diaries 82: Master of Pwn — overcast.fm/…
Palate Cleansers
- A very relevant dive into the XKCD archives: xkcd.com/…
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |