Feedback & Followups
- Following on from the warning linked last time about the dangers of using AirTags to track pets, The Mac Observer have some recommendations for trackers that are specifically designed to safely track pets — www.macobserver.com/…
❗ Action Alerts
- The Valentine’s Day Patch Tuesday was a big one: Microsoft Patch Tuesday: 36 RCE bugs, 3 zero-days, 75 CVEs — nakedsecurity.sophos.com/…
- iOS 16.3.1, iPadOS 16.3.1, macOS 13.2.1 Ventura, watchOS 9.3.1, tvOS 16.3.2, and HomePod Software 16.3.2 Fix Bugs and Security Vulnerabilities — tidbits.com/…
- The patches include a fix for a critical zero-day exploit — nakedsecurity.sophos.com/…
- 🧯 Contrary to some reporting, there was no iOS bug leaking location data — appleinsider.com/…
Worthy Warnings
- If you’re running VMware’s ESXi (perhaps on a home NAS or similar), be sure it’s patched; it’s being very actively exploited ATM — nakedsecurity.sophos.com/…
- OpenSSL, probably the most prolific open source implementation of the TLS protocol that puts the S in HTTPS, has received a significant patch including fixes for critical bugs. Now would be an excellent time to check that your IoT devices are all patched, and if you run your own web server, that it is too — nakedsecurity.sophos.com/…
- 🧯 Reddit suffered a data breach, but the attackers never gained access to the production system, or any user data — nakedsecurity.sophos.com/…
Notable News
- Tile have added an anti-theft mode that intentionally makes their tracker undetectable by others, and the only protection they are adding is a need to register with the company with photo ID before it can be enabled — appleinsider.com/… (Editorial by Bart: this seems wrong-headed and dangerous to me — we know tracker stalking is a problem because of how well Apple’s protections work, making a tracker designed not to be discoverable and pretending that having to register so you can be tracked when you’re caught makes no sense to me!)
- Twitter disable SMS 2FA signup for all but Twitter Blue customers, and existing non-Blue users have 30 days to migrate or their account will lose 2FA protection — blog.twitter.com/…
- The motivation appears to be SMS-based fraud rather than the fact that SMS is the least secure form of 2FA (thanks to Ed Ross in the NosillaCast slack for the tip) — twitter.com/…
- Related Tip: Setting up iOS’s two-factor authentication for Twitter — sixcolors.com/…
- 🇪🇺 The European Union’s Digital Services Act starts to feel real as tech companies start reporting their active user numbers to the EU. The threshold for coming under the act’s purview is 45M active European users, and we now know Apple, Google, Meta & Twitter surpass that — appleinsider.com/…
Top Tips
- Apple has used European Safer Internet Day as an opportunity to highlight its child protection features, and to launch some new resources for parents including a Today at Apple session named ‘Your Kids and Their Devices’ — appleinsider.com/…
- Apple’s Families page — www.apple.com/…
- Apple’s press release — www.apple.com/…
- Related Tip: How to Set Up an iPad for a Child — www.macobserver.com/…
- Apple Shares Five Security Steps for Apple Card — www.macobserver.com/…
Excellent Explainers
- CGP Grey explains why we don’t know how machine learning algorithms work. This video is 5 years old but it holds up. How AIs, like ChatGPT, Learn
Palate Cleansers
- Bart: 🎦 This thoughtful video doesn’t answer the deep questions the current surge in AI brings (nothing can), but it’s given me a much better framework for thinking about it: I tried using AI. It scared me. — youtu.be/…
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
💵 | A link to an article behind a paywall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |