Feedback & Followups
- 🇷🇺 Russia’s hostility towards western companies continues as it adds Apple to the list of companies it’s fining for not storing Russian citizens’ data in Russia (Twitch, Pinterest, Airbnb, UPS & Google had already been fined) — www.macobserver.com/…
- 🇺🇸 In the previous instalment we talked about some poor legislative proposals from US lawmakers in response to the overturning of Roe -v- Wade; this time it’s a very positive proposal: US Congress calls for the FTC to regulate how VPN companies operate — www.engadget.com/…
- 🇹🇭 It’s come to light that the NSO group’s Pegasus spyware was used to hack the phones of 30 pro-democracy protestors in Thailand in 2000/2001 — www.macobserver.com/…
- Security researchers continue to hack AirTags, now having found a way to use spurious voltages to trip the debugging port into activating, allowing them to install custom firmware which could silence the device’s warning beeps and even clone the device — www.macobserver.com/… (Editorial by Bart: Bear in mind that it would be much easier for a malicious actor to simply buy a stealthy tracker on Amazon.com!)
Deep Dive(s)
❗ Action Alerts
- July 12th was Patch Tuesday, and Microsoft patched 86 vulnerabilities, including one in all versions of Windows being actively exploited in the wild. Adobe also patched Acrobat, Reader, Photoshop, and more — krebsonsecurity.com/…
- Apple patched just about everything on the 20th of July: iOS 15.6, iPadOS 15.6, macOS 12.5 Monterey, watchOS 8.7, tvOS 15.6, and HomePod Software 15.6 — tidbits.com/…
- Followed 2 days later with patches for older OSes: macOS Big Sur 11.6.8 and Security Update 2022-005 Catalina — tidbits.com/… & Safari 15.6 — tidbits.com/…
- Apple patches “0-day” browser bug fixed 2 weeks ago in Chrome, Edge — nakedsecurity.sophos.com/…
- 🇺🇸 Related: iOS 15.6 adds a toggle to opt-out of US government test alerts — www.macobserver.com/…
Worthy Warnings
- Earlier this year Twitter patched a vulnerability that allowed attackers to get the phone numbers and email addresses associated with accounts. The bug was quickly patched, but we didn’t know how much data had been stolen before the patch was applied – now we know that a collection of at least 4.5 million records is for sale on the dark web. There’s no way to know if you’re in the DB, so all Twitter users need to be wary of targeted phishing attacks — www.macobserver.com/…
Notable News
- Facebook have changed their URL scheme so as to replace human-readable tracking IDs in URLs with encrypted blobs, preventing privacy-conscious browsers from stripping the tracking IDs from links shared on social media etc. — tidbits.com/… (Editorial by Bart: this was unfortunately to be expected as more and more browsers started to strip tracking IDs out of URLs)
- Having briefly reversed the rollout, Microsoft have moved forward once and for all with the change to block VBA macros by default on documents downloaded from the web — nakedsecurity.sophos.com/…
- Google have taken ChromeOS Flex out of beta with its first stable release, providing a mechanism to securely re-use old hardware no longer supported by supported versions of Windows or macOS — www.macobserver.com/…
Top Tips
Excellent Explainers
Interesting Insights
- Massive Losses Define Epidemic of ‘Pig Butchering’ — krebsonsecurity.com/… (Long-running romance scams leading to crypto cons)
Just Because it’s Cool 😎
Palate Cleansers
- The JWST is up and running, and the early images are stunning!
- XKCD’s celebration: xkcd.com/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
💵 | A link to an article behind a paywall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |