Feedback & Followups
- Apple’s Child Protection Features
- New Information:
- Apple publishes Child Safety FAQ to address CSAM scanning concerns and more — www.imore.com/…
- Apple shares a security threat review for its new CSAM detection feature — www.imore.com/…
- An excellent summary: New CSAM Detection Details Emerge Following Craig Federighi Interview — tidbits.com/…
- My key new learnings:
- Apple is not just using the NCMEC database of known CSAM, they are cross-referencing it with another database (they haven’t said whose) and only including images common to both.
- The threshold for making it possible for Apple to know an account has been flagged is being set at about 30, at least for the initial rollout.
- Apple will be publishing the hash of the CSAM DB with each iOS release, so any injections into the list of hashes will be detectable by 3rd parties
- Apple have confirmed what I was pretty sure was the case, that Apple employees can never see the actual matched images, even when the threshold is met — they only see the contents of the then decrypted security vouchers which only contain low-resolution previews of the images.
- Apple Reach Out
- Corellium to aid Apple CSAM security testing as part of new initiative — www.imore.com/…
- The push-back continues: Apple photo-scanning plan faces global backlash from 90 rights groups — arstechnica.com
- 🧯The version of something that looks like NeuralHash found in iOS 14, reverse-engineered, and found to be poor at avoiding hash collisions is not the code that Apple will be using in iOS 15, despite the irresponsible assumptions of many and the resulting breathless headlines — www.vice.com/…
- We may have a better understanding of why Apple implemented the two features it did: Apple’s fraud chief knew it had a child porn problem, messages reveal — www.imore.com/…
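The threshold in the notes above is what makes the design work: each matched image produces a security voucher carrying one share of a per-account key, and only once roughly 30 shares exist can the key, and with it the vouchers, be reconstructed. Apple describes this as threshold secret sharing; the Python below is an added illustration using Shamir's scheme, the textbook instance of that idea. It is not Apple's code, and the threshold of 30, the field prime and the function names are choices made for this example.

```python
import secrets

# Polynomial arithmetic is done over a prime field; 2**127 - 1 is prime.
# (Assumption for the example: Apple's actual parameters are not public here.)
PRIME = (1 << 127) - 1


def make_shares(secret, threshold, n):
    """Split `secret` into `n` shares, any `threshold` of which reconstruct it.

    The secret is the constant term of a random polynomial of degree
    threshold-1; share i is the point (i, p(i)).  Fewer than `threshold`
    points leave the constant term completely undetermined.
    """
    if threshold < 1 or n < threshold:
        raise ValueError("need 1 <= threshold <= n")
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation, highest degree first
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover(shares):
    """Lagrange-interpolate the polynomial through `shares` and return p(0)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def key_from_vouchers(voucher_shares, threshold):
    """Model the server-side rule: below the threshold nothing is reconstructed;
    at or above it, any `threshold` voucher shares yield the account key."""
    if len(voucher_shares) < threshold:
        return None
    return recover(voucher_shares[:threshold])


if __name__ == "__main__":
    # Constructed example: a per-account key split with Apple's ~30 threshold.
    account_key = secrets.randbelow(PRIME)
    vouchers = make_shares(account_key, threshold=30, n=31)
    print("29 vouchers ->", key_from_vouchers(vouchers[:29], 30))
    print("30 vouchers ->", key_from_vouchers(vouchers[:30], 30) == account_key)
```

Note that `recover` on 29 shares does not fail loudly; it happily interpolates a degree-28 polynomial whose constant term is some unrelated field element, which is exactly why the server-side threshold check in `key_from_vouchers` has to be explicit.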
- Social Media Sites are Continuing to Fight Abuses of their Platforms (and they had a good 2 weeks)
- New Information:
- Facebook have improved their Facebook Transfer Tool (for migrating data easily to other platforms) to add some nice usability tweaks, two new endpoints (Photobucket & Google Calendar), and a new data type (Facebook Events) — www.macobserver.com/…
- Google have announced a suite of improvements to their child protection features (nothing earth-shattering, but lots of small improvements) — blog.google/…
- Signal now allows you to mark your messages to automatically disappear by default — signal.org/…
- Instagram have rolled out new tools to control abuse via DMs and comments including a new Limits feature that allows users to hide DMs and comments from people that don’t follow them or have only recently started to. They’re also adding warnings to posters if they use potentially offensive language, and a Hidden Words feature that filters off potentially offensive DMs into a separate inbox. They’re also working on detecting spikes in abusive DMs so they can pro-actively offer victims the option to turn on Limits — www.imore.com/…
- Twitter research shows that ID verification would not stop abuses because almost all abuse is from accounts that can be linked to real people already — www.imore.com/…
- TikTok adds new privacy features for teens, including much more restrictive defaults requiring teens to pro-actively choose to share their content more broadly, and stopping push notifications during nighttime hours — www.macobserver.com/…
- Facebook Adds End-To-End Encryption to Messenger Calls, Instagram DMs — www.macobserver.com/…
- Twitter testing reporting for COVID-19 misinformation — www.imore.com/…
- Firefox 91 completes the rollout of the Total Cookie Protection feature we described in a Security Bits segment back in March — www.imore.com/…
- The ground-breaking privacy docudrama The Social Dilemma is now streaming for free on YouTube — www.macobserver.com/…
❗ Action Alerts
- Another Patch Tuesday has been and gone, and one of the Windows bugs patched is now under active exploitation, so be sure to patch promptly — krebsonsecurity.com/…
- Security researchers at Tenable have found a critical bug in the firmware used in many home routers by Buffalo, and in re-badged routers from major ISPs — nakedsecurity.sophos.com/… & www.tenable.com/…
Worthy Warnings
- 🇺🇸 T-Mobile: Breach Exposed SSN/DOB of 40M+ People — krebsonsecurity.com/…
- Security researchers at Mandiant have found critical vulnerabilities in the Kalay back-end used by many smart home devices from many vendors, including security cameras and baby monitors — nakedsecurity.sophos.com/…
- Another worrying TOS update: Ancestry.com Just Gave Itself the Rights to Your Beloved Family Photos — gizmodo.com/…
Notable News
- Cryptocurrency exchanges are clearly being targeted at the moment:
- Hacker grabs $600m in crypto cash from blockchain company Poly Networks — nakedsecurity.sophos.com/…
- Japanese cryptocoin exchange robbed of $100,000,000 — nakedsecurity.sophos.com/…
- Editorial by Bart: remember that the whole point of cryptocurrency is that it’s impossible to regulate, so there are no authorities that can refund people their money when this kind of thing happens. When you trust an exchange with your cryptocurrency you are really trusting them; there is no safety net!
- Apple-backed smart home standard ‘Matter’ delayed until 2022 — www.imore.com/…
- Apple has released iCloud for Windows 12.5 with a new password manager — www.imore.com/…
- GitHub have implemented the tighter authentication policies for Git operations they announced late last year — Git actions like pushing code into a repo can’t be authenticated by passwords anymore, users have to use more secure mechanisms like SSH keys, OAuth, or personal access tokens. Because GitHub is used to manage so much open source software, this will make all of us more secure — github.blog/…
Interesting Insights
- What sites/services get targeted most by hackers? Here’s the top-10: The Biggest Cyber-Hacking Targets in the World — www.intactsoftware.com/…
- The way 5G is being rolled out at the moment, it’s actually 4G from a security POV, so while we have the speeds, we often don’t yet have the promised security and privacy: A 5G Shortcut Leaves Phones Exposed to Stingray Surveillance — www.wired.com/…
Just Because it’s Cool 😎
Palate Cleansers
- An interesting little article connecting a blunder by Russian censors with the strangely intertwined histories of regular expressions and AI: The Regular Expression Edition – by Guest Contributor – Why is this interesting? — whyisthisinteresting.substack.com/…
- Another amazing Astronomy Picture of the Day: Perseid Rain — apod.nasa.gov/…
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, "no need to light your hair on fire" 🙂 |
💵 | A link to an article behind a paywall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |