Feedback & Followups
- NSO Group/Pegasus:
- Google’s Project Zero has released a very detailed report into how the ForcedEntry zero-click iMessage bug exploited by Pegasus worked — it’s deep deep reading, but this analysis highlights the key point well; there was some very impressive engineering powering this exploit — daringfireball.net/…
- Bloomberg is reporting that the NSO group are reportedly losing money fast, and considering closing or selling off the Pegasus product, possibly to a company that will convert it to a defensive tool — www.imore.com/…
- The Financial Times & ArsTechnica published a report detailing how the NSO group struck a deal with Uganda which seems to have resulted in Pegasus being deployed against US State Department officials — arstechnica.com/…
- Apple have released the promised Android app for locating unknown AirTags that have been following you — www.imore.com/…
- Related: we’re starting to see anecdotal evidence of AirTags being abused (and a lot of evidence of Apple’s protections working too), e.g. Driver finds a hidden AirTag in his car ahead of likely theft attempt — www.imore.com/…
- Troy Hunt has pushed some of the promised changes to Have I Been Pwned live — there is now a mechanism for law enforcement to push data from breaches they find into HIBP, and the code for the HIBP API has been published as open source — www.troyhunt.com/…
- Social Media Updates:
Deep Dive — Log4J
The last time we recorded, Log4J was breaking news, and I predicted it would be a really big deal for corporate IT, and that’s definitely proven to be the case. In the US an emergency directive has been issued requiring all federal agencies to deal with Log4J before the holidays, so definitely buy any sysadmins you know who work for a US federal agency a coffee!
Things have been quite chaotic over the last 2 weeks, with the initial patch having been patched at least 2 more times!
As more details come to light, this remains, as I suspected, a headache for corporate IT rather than for regular folks. Log4J is primarily an enterprise tool, and while there might be the odd instance of home devices or software having Log4J embedded in them, no clear avenue of attack against home users has become apparent, and at least for now, attackers are not focusing on home users, directing their energies instead to the easiest to exploit and most financially valuable large targets.
For home users, the standard advice continues to apply — if there are security updates for your hardware or software, apply them!
What I have seen a lot of is confusion, particularly around the Apache name.
Officially, the situation is very clear-cut: the Apache Foundation runs a number of open source projects, including the Apache HTTP Server and Log4J. Because Log4J is an Apache Foundation project, it’s often referred to as Apache Log4J. Because the Apache HTTP server (AKA httpd) is the longest-running Apache Foundation project, predating the existence of the foundation, people often refer to the web server as simply Apache. So, Apache Log4J sounds like it’s related to the Apache HTTP Server, but it isn’t.
Lots of sysadmins wasted a lot of time explaining to half-informed managers that no, the fact that they run the Apache web server does not mean they have to patch against Log4J.
With all the confusion, something that’s gotten lost is that there are some totally unrelated security updates for the Apache HTTP server that really should be applied too!
Links
- The best explainer I found: Log4Shell explained – how it works, why you need to know, and how to fix it — nakedsecurity.sophos.com/…
- 🇺🇸 Emergency Directive 22-02: Mitigate Apache Log4J Vulnerability — www.cisa.gov/…
- 🎦 An excellent video showing the vulnerability in action: Log4Shell: The Movie… a short, safe visual tour for work and home — nakedsecurity.sophos.com/…
- Related: Chinese Government Punishes Alibaba for Not Telling It First About Log4Shell Flaw: Report — www.securityweek.com/…
- Related: Apache’s other product: Critical bugs in ‘httpd’ web server, patch now! — nakedsecurity.sophos.com/…
❗ Action Alerts
- Microsoft’s December Patch Tuesday updates are out, and include fixes for bugs being actively exploited in the wild — krebsonsecurity.com/…
- Apple have released updates for almost all their OSes: Apple Releases iOS 15.2, iPadOS 15.2, macOS 12.1 Monterey, watchOS 8.3, and tvOS 15.2 — tidbits.com/…
- iOS 15.2 also contains security-related feature updates:
- Account Recovery Contacts (so family/friends can help you get back in if you forget your password): How to set up Account Recovery contacts on iPhone and iPad — www.imore.com/…
- Legacy Contacts (so your family/friends can access your iCloud data when you’re gone): How to set up a Legacy Contact on iPhone and iPad — www.imore.com/… & Apple Digital Legacy: Everything you need to know! — www.imore.com/…
- App Privacy Report (opt-in feature to enable detailed app activity log, primarily aimed at security researchers, but fun for nerds): Understanding iOS and iPadOS App Privacy Report — www.intego.com/…
- Siri & iMessage Child Protection Features (the two non-controversial ones)
- Related: Apple updated their website to only list the live features, a bunch of sites assumed that meant CSAM detection was dead, Apple responded to say their plans were unchanged — www.theverge.com/…
Worthy Warnings
- Fisher-Price’s Chatter phone has a simple but problematic Bluetooth bug — techcrunch.com/…
- Believing in conspiracy theories can be dangerous to your health: Anti-5G necklaces found to be radioactive — www.bbc.co.uk/…
Notable News
- 🇬🇧 The UK Competition & Markets Authority (CMA) has released an interim report on the state of the mobile ecosystem, and while it’s strongly critical of Google & Apple, it doesn’t actually recommend any action be taken — www.imore.com/…
Interesting Insights
- A thought-provoking essay by Troy Hunt. The essay takes you on quite a long journey to get to its final recommendation, but it’s worth the ride. The piece convinced me that Troy’s simple suggested definition for a breach is the right approach: When is a Scrape a Breach? — www.troyhunt.com/…
> “A data breach occurs when information is obtained by an unauthorised party in a fashion in which it was not intended to be made available”
- 🎧 Kara Swisher interviews the Facebook whistleblower Frances Haugen: Sway: Why Facebook Whistle-Blower Frances Haugen Thinks She’ll Outlast Mark Zuckerberg — overcast.fm/…
Excellent Explainers
- My bank, AIB, sent out one of the best security reminder explanations I’ve seen in a very long time: “Don’t Gift a Criminal This Christmas”.
Palate Cleansers
- iPhone 13 Pro Schematics wallpapers — basicappleguy.com/…
- 🎄🎦 🎧 Watch/listen to a recording of the live-streamed Carol Service from Maynooth (🇮🇪) — www.youtube.com/…
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
💵 | A link to an article behind a paywall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |