Feedback & Followups
- An interesting timeline of the Microsoft Exchange mega-attack discussed last time (Editorial by Bart: it really begs the question ‘what took Microsoft so long?’) — krebsonsecurity.com/…
- Bloomberg reports that when Parler (the social media app that powered the failed US insurrection on January 6th) came back online they applied to be re-listed on the iOS App Store, but Apple rejected them for ‘highly objectionable content’ — www.imore.com/…
- Apple launches a single hub for privacy labels on its own native apps — www.imore.com/…
- Apple’s upcoming App Tracking Transparency (ATT) feature:
- Facebook & ATT:
- Former Facebook employees say Facebook’s argument that Apple’s privacy changes will damage small businesses doesn’t stack up; they suggest Facebook is only worried about Facebook — www.imore.com/…
- Mark Zuckerberg changes his tune on ATT: in a Clubhouse chat he suggested that if it becomes harder to track people across apps, more companies may want to work directly with Facebook so their interactions are first-party — Zuckerberg now says Facebook may benefit from iOS 14 privacy changes — www.imore.com/…
- Reports have surfaced of a Chinese government-sponsored tool for cross-app tracking that avoids iOS’s IDFA (ID For Advertisers), the ID that ATT protects. The Chinese government is apparently encouraging Chinese app makers to use this new technology to keep tracking users across apps without consent when ATT is enforced later this spring — arstechnica.com/…
- Apple warned developers not to try to work around ATT — www.imore.com/…
Privacy Mini — That T-Mobile Tracking Story (by Allison)
Last week a big news story was that T-Mobile was going to start tracking users for advertising on their phones. I posted the story in our Slack from BGR where they showed how to opt out.
I was all smug and happy that I didn’t have T-Mobile, when Sandy pointed out that most cell companies in the US do this and she was glad that at least T-Mobile notified users (and there was a way to opt out).
I then dug into the privacy settings on AT&T’s site and disabled “relevant ads” on all of our cell phones. I also had a friend of mine figure out how to do it on her Verizon account. Verizon had three toggles she was able to turn off: “customer proprietary network info”, “business and marketing insights” and “relevant mobile advertising”.
I KNOW you’ve told us they do this before but what we’ve learned about what they do with this tracking lately made this much more front of mind and now I took it seriously.
❗ Action Alerts
- New Apple security updates ‘recommended for all users’ — www.imore.com/… (iOS 14, watchOS 7 & macOS Big Sur)
- March’s Patch Tuesday saw Microsoft fix 82 flaws, 10 rated critical, one of which is being actively exploited in the wild — krebsonsecurity.com/…
Worthy Warnings
- A bug in a popular iPhone app exposed thousands of call recordings — techcrunch.com/… (the app is called ACR Call Recorder)
- A technical deep-dive into the bug: How confidential are your calls? This iPhone app shared them with everyone — nakedsecurity.sophos.com/…
- (Via Listener Lynda) Hack of video security company Verkada exposes footage from 150,000 connected cameras — www.cbsnews.com/…
- Two very disturbing (but excellently researched and written) reports from Vice on security and privacy:
Notable News
- Apple agrees to pre-install apps on Russian devices — www.imore.com/…
- TikTok is changing the options it gives users regarding ads on April 15th. All users will get personalised ads (they can currently opt out), but they will retain the option not to be tracked across apps and websites. So, a user’s ads will be based on just their TikTok activity, or, their TikTok activity combined with 3rd-party tracking. This brings TikTok into line with other social media apps — www.theverge.com/…
- Social Media Apps Continue to Improve their Security
- Instagram will prevent people DMing under 18s who don’t follow them — www.imore.com/…
- Facebook to ban users who break group rules — www.imore.com/…
- Twitter Announces Multiple Security Key Support for Accounts — www.macobserver.com/…
- Facebook expands support for security keys on iPhone — www.imore.com/…
- Linux Foundation announces new open-source software signing service — www.zdnet.com/… (think Let’s Encrypt for Code Signing)
Excellent Explainers
- 🎧 Tom Merritt expertly explains blockchains and their hot new application, NFTs: Know a Little More: About Blockchain — overcast.fm/…
- 🎧 Related: An excellent explanation of the economics of NFTs: Planet Money: The $69 Million JPEG — overcast.fm/…
- Serious Security: Webshells explained in the aftermath of HAFNIUM attacks — nakedsecurity.sophos.com/…
Interesting Insights
Palate Cleansers
- Encode your own Perseverance Rover parachute message — projects.noahliebman.net/…
- Photographer Spends 12 Years, 1250 Hours, Exposing Photo of Milky Way — petapixel.com/…
- There’s a free, one-day Open Source 101 conference on Tuesday 30 March that might be fun. Register at allthingsopen.6connex.com/… Mike Price alerted us to their superb harassment policy for the conference:
All Things Open Conference is dedicated to providing a harassment-free conference experience for everyone regardless of gender identity, sexual orientation, disability, physical appearance, body size, race, religion, operating system or text editor of choice.
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
💵 | A link to an article behind a paywall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |