Security Bits — 12 December 2021

Feedback & Followups

• 🇺🇸 🇺🇬 Apple informed the US State Department that at least 9 iPhones used by their staff were infected with the NSO Group’s Pegasus malware. It’s not clear which NSO Group customer is responsible, but all the iPhones had Ugandan or other East-African SIM cards, so suspicion has fallen on the Ugandan government — www.reuters.com/…
  • Related: “I am hacker NSO Group,” New Email Scam Leverages Controversial Pegasus Malware — www.intego.com/…
• More details have come to light on the Ubiquiti hack from late last year – it was an inside-job: Former Ubiquiti dev charged for trying to extort his employer — www.bleepingcomputer.com/…
• 🇮🇪 Ireland’s Health Service Executive (HSE) have published the findings of a detailed investigation into the Conti Ransomware that crippled Irish healthcare for months, starting in March this year — www.rte.ie/…
  > PwC said the HSE is operating on a frail IT estate that has been lacking investment over many years to maintain a secure infrastructure and does not have the required cyber security to protect the operation of the health services.
  >
  >It also said it is lacking the expertise and resources to detect, prevent or respond to a cyber attack of this scale.
  >
  > It recommended the creation of two new key roles – a chief technology and transformation officer and chief information security officer – along with 24/7 monitoring.
• 🇬🇧 A multi-billion lawsuit against Google in the UK over its bypassing of Safari privacy protections back in 2011 & 2012 has come to an ignominious end – killed on a technicality — www.imore.com/…
• Social Media Developments
  • Meta:
    • 🇬🇧 The UK Competition & Markets Authority have ordered Meta (née Facebook) to sell Giphy. Facebook are looking into how they can fight the decision — www.imore.com/…
    • Facebook Will Force More At-Risk Accounts to Use Two-Factor — www.wired.com/…
    • 🇬🇧 🇺🇸 Facebook sued for $150bn by Rohingya over Myanmar hate speech — www.imore.com/…
    • Instagram unveils time limit controls for teens in new ‘stricter approach’ — www.imore.com/…
    • Researchers from KU Leuven 🇧🇪 & New York University 🇺🇸 found that Facebook’s algorithm gets it wrong up to 83% of the time when classifying ads as political or not brusselstimes.com/…
      > Between July 2020 and February 2021, the KU Leuven and NYU co-authors examined 33.8 million Facebook ads. The subset that was of particular interest consisted of 189,000 ads that Facebook or the researchers deemed political.
      >
      > The researchers found that in this category, Facebook had missed about 117,000 political ads (62%) that ran but should have been taken down in line with its own political ad policy. Conversely, Facebook had flagged approximately 40,000 non-political ads as political (21%). Facebook was, in other words, found wrong on 83% of these 189,000 ads.
  • Twitter expands safety policy, bans posting images of people without their consent — techcrunch.com/…

❗ Action Alerts

• Firefox 95 is out with a bunch of important security fixes, but also a new sandboxing technology to better isolate code running in separate tabs, even when it uses shared libraries — nakedsecurity.sophos.com/…
  • Firefox 95 for Mac adds performance and security improvements to the popular browser — www.imore.com/…
• Expect a lot of software updates for internet-connected apps because Mozilla have patched a critical bug dubbed BigSig in their NSS (Netscape Security Suite) open source crypto library — nakedsecurity.sophos.com/…

Worthy Warnings

• Tile’s new owner is selling its customer’s location data — www.imore.com/…
• 🇺🇸 The LA-branch of Planned Parenthood leaked 400K patient records including name and one or more of “address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information” — www.washingtonpost.com/…
• 🇺🇸 Verizon overrides users’ opt-out preferences in push to collect browsing history — arstechnica.com/…

Notable News

• Apache have patched a critical zero-day dubbed Log4Shell in the very widely used logging library Log4J. Log4J is an open source Java library that’s used very heavily in Java-based enterprise apps, and on the platforms powering major cloud services. This is not something end-users can fix, but something sysadmins around the world are now scrambling to fix on their servers. Best you can do is buy any affected sysadmins a much-needed coffee! — www.wired.com/… & nakedsecurity.sophos.com/…
• The Financial Times is reporting that Apple have ‘loosened’ their anti-tracking policies — www.imore.com/…
  • Editorial by Bart: From my reading of this I’m not seeing any ‘there’ there. Aggregated anonymised data is not tracking banned under Apple’s policy, and it’s what Apple themselves provide via their own ad effectiveness reporting APIs. This has the whiff of ‘clickbait’ to me.
• 🇬🇧 The UK government have published a draft Product Security and Telecommunications Infrastructure (PSTI) bill that would set a security floor on IoT devices, default credentials would be banned, there would be a duty to notify users of vulnerabilities, and the packaging would have to state the length of time security updates will be available — nakedsecurity.sophos.com/…

Interesting Insights

• A fascinating look at a simple logic bug that cost millions: Cryptocurrency startup fails to subtract before adding, loses $31m — nakedsecurity.sophos.com/…

Palate Cleansers

• 🎧 Business Wars has just finished another mini-series the NosillaCastaways might enjoy: Blackberry vs iPhone — overcast.fm/…
• 🎧 One of my favourite science podcasts, The Curious Cases of Rutherford & Fry, has started a new mini-series on living with AI. The first episode is out: AI in Warfare — overcast.fm/…
• 🎧 Code Newbie interviews iAsia Brown, a military veteran and programmer who is now a programmer at Microsoft and is very compelling on how to transition from the military to life in tech www.codenewbie.org/…

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji	Meaning
🎧	A link to audio content, probably a podcast.
❗	A call to action.
flag	The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊	A link to graphical content, probably a chart, graph, or diagram.
🧯	A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵	A link to an article behind a paywall.
📌	A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩	A tip of the hat to thank a member of the community for bringing the story to our attention.