Security Bits — 19 September 2021

Feedback & Followups

• The NSO Group/Pegasus Saga:
• Apple have patched the vulnerability used by the NSO Group to deploy their Pegasus spyware, and the Citizens Lab have published a report on their discovery of the vulnerability which they’ve named FORCEDENTRY — citizenlab.ca/… & arstechnica.com/… & nakedsecurity.sophos.com/…
• 🇩🇪 Germany Secretly Purchased NSO Group Spyware ‘Pegasus’ — www.macobserver.com/…
• Social Media Improvements:
• WhatsApp announces end-to-end encrypted backups on iCloud — www.imore.com/…
• Related Analysis: A good reminder that end-to-end encryption does not protect the data at either end, just as it moves between ends: Remember, Communication Services Cannot Guarantee Privacy — tidbits.com/…
• The WSJ has reported that Instagram internal research shows Instagram can be harmful to teenagers with body image issues — www.theguardian.com/…
• Editorial by Bart: This has generally been reported in a very negative way, presumably to get more clicks, but I see this as a very positive thing. Instagram are pro-actively studying the unwanted side-effects of their platform and working to address them. I found the interview Instagram head Adam Mosseri did with Vox very illuminating. The studies didn’t actually say what many media reports implied they did (they asked different questions so the data had intentional selection biases), and the context he provided made sense to me.
• Related: 🎧 Mosseri’s interview with Vox: Recode Daily: Instagram is bad for teens’ self-esteem, and it knows it— overcast.fm/…

❗ Action Alerts

• Patch Tuesday was this week, and it’s an important one, including an IE/MSHTML zero-day that’s being actively exploited — krebsonsecurity.com/…
• Details on the Zero-day: krebsonsecurity.com/… & nakedsecurity.sophos.com/…
• Remember to apply those NSO Apple Patches for everything!

Notable News

• A report from the UN HCR (Human Rights Council) calls for governments to pause the use of facial recognition and some other AI system until safeguards can be developed and deployed — www.brusselstimes.com/…
• Facebook And Ray-Ban Released Some Camera Glasses and Everyone is Freaking Out — www.macobserver.com/…
• 🇺🇸 Health Apps Must Warn Users of Data Breaches, Says FTC — www.macobserver.com/…
• ‘GetHealth’ Leaks Apple HealthKit Data With 61 Million Records www.macobserver.com/…

Interesting Insights

• Common Sense Media analysed streaming hardware and apps from a privacy POV, and only one product and one service received a passing grade — the AppleTV hardware, and the AppleTV+ streaming service — Every Streaming Company Not Named Apple Receives A Lousy Grade On Privacy www.techdirt.com/…
• A 2-page PDF poster of the findings — www.commonsensemedia.org/…
• Infosec researchers say Apple’s bug-bounty program needs work — arstechnica.com
• A long but fascinating read: Ex-NSA cyberspies reveal how they helped hack foes of UAE — www.reuters.com/…
• This is Security adjacent, but an excellent analysis IMO: Google Is Getting Caught in the Global Antitrust Net — www.wired.com/…

Palate Cleansers

• From Allison: I saw an awesome billboard on the freeway today. It was by DuckDuckGo and all it said was, “Be a stranger”.

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji	Meaning
🎧	A link to audio content, probably a podcast.
❗	A call to action.
flag	The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊	A link to graphical content, probably a chart, graph, or diagram.
🧯	A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵	A link to an article behind a paywall.
📌	A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩	A tip of the hat to thank a member of the community for bringing the story to our attention.