Feedback & Followups
- LastPass Update:
- It gets worse: we now know there were some people with just 500 rounds of PBKDF2, and even a few with one round 🙁
- There was a brief false dawn when some noticed wording about server-side additional rounds of PBKDF2, but that proved to be to protect user account info, not password vaults 🙁
- 🎧 Steve Gibson does a good job explaining the latest developments: Security Now 905: LastPass Aftermath, LastPass vault de-obfuscator, LastPass iteration count folly — overcast.fm/…
- An excellent summary of the LastPass story so far — www.intego.com/…
- 🇺🇸 U.S. Supreme Court lets Meta’s WhatsApp pursue ‘Pegasus’ spyware suit — www.reuters.com/…
❗ Action Alerts
- Patch Tuesday has been and gone, so be sure to patch your Microsoft & Adobe stuff — krebsonsecurity.com/… & nakedsecurity.sophos.com/…
- One of the Windows vulnerabilities is being exploited in the wild
- Windows 7 extended support finally comes to an end; no matter how much you pay Microsoft, these will be the last Windows 7 updates you ever get!
- Windows 8.1 gets its last ever updates (there’s no extended support being offered), so if you’re still using it, upgrade now! (it ended on my birthday 🙂)
Worthy Warnings
- Norton LifeLock warns that password stuffing attacks were used to successfully access some users’ password vaults in December — nakedsecurity.sophos.com/…
- If you will insist on reusing passwords, at the very least don’t re-use the password for your password manager!
- If it’s relevant for your password manager, turn on 2FA!
- Note that scam ChatGPT apps are a thing ATM. This one was removed, but it shows where the baddies are focusing their attention, so be vigilant: Sketchy ChatGPT App Soars Up App Store Charts, Charges $7.99 Weekly Subscription — www.macrumors.com/…
- 🇺🇸 T-Mobile admits to 37,000,000 customer records stolen by “bad actor” — nakedsecurity.sophos.com/…
- No payment data or SSNs leaked, just name, DOB, contact details, and contract details
- Biggest danger seems to be targeted phishing and perhaps identity theft
- 🇺🇸 Brian Krebs has discovered yet another data breach at Experian: Identity Thieves Bypassed Experian Security to View Credit Reports — krebsonsecurity.com/…
Notable News
- 🇺🇸 President Biden wrote an op-ed in the WSJ urging congress to act against Big Tech — appleinsider.com/…
- Calls for federal privacy protections
- Argues companies should be responsible for the content their algorithms boost, and calls for transparency about how the algorithms work
- Calls for more anti-trust actions to boost competition
- 🇪🇺 Multi-million investment scammers busted in four-country Europol raid — nakedsecurity.sophos.com/…
Interesting Insights
- Why actual Android security is so much worse than actual iOS security: Newest Android version installed on a mere 5% of devices vs. 74% for iOS 16 — www.cultofmac.com/…
- An excellent snapshot of the current trends in phishing: An Annotated Field Guide to Identifying Phish — tidbits.com/…
- (Riffing off a long-running gag in This Week in Science) Good News!!! Breaches are now so common that we can use them to test for bots: if an email address isn’t in the Have I Been Pwned DB, it’s probably a recently created bot address — www.troyhunt.com/…
Palate Cleansers
- 📊 As Carl Sagan famously said, we’re all made of star stuff, and that’s definitely part of the truth, but there’s more to it than that! This APOD shows the periodic table with each element coloured by how it was created. Did you know most of the Rhodium comes from merging neutron stars? — apod.nasa.gov/…
- 🎧 Business movers tell the story of Pixar — there was a lot more to that story than I ever realised: Business Movers: Animating Pixar — overcast.fm/…
- For those of you who like long reads:
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |