Feedback & Followups
- Attackers continue to succeed in getting Google to host their malicious ads: Google ads push malicious CPU-Z app from fake Windows news site — www.bleepingcomputer.com/…
- A final twist in the SolarWinds mega-hack saga: SEC sues SolarWinds for misleading investors before 2020 hack — www.bleepingcomputer.com/… (SEC is the Securities & Exchange Commission)
- The scourge of spying tools like the NSO Group’s infamous Pegasus continues: Apple sends iPhone threat alerts to India opposition politicians — appleinsider.com/…
Deep Dive(s)
❗ Action Alerts
- QNAP Releases Patch for 2 Critical Flaws Threatening Your NAS Devices — thehackernews.com/…
- If, despite Allison’s warnings about their past security track record, you’re using Wyze cameras, be sure they are fully patched, because researchers have released a proof-of-concept exploit for a vulnerability Wyze patched on the 22nd of October — www.bleepingcomputer.com/…
Worthy Warnings
- One of the most famous hotels in the world has had a spectacularly large breach: Marina Bay Sands discloses data breach impacting 665,000 customers — www.bleepingcomputer.com/… (It affected members of their MBS loyalty program; no passwords or payment card details were leaked, so the big danger is targeted phishing)
- A timely reminder that whenever something is in the news, someone will try to abuse that publicity to make a quick buck: Apple and Google host fake xAI Grok chat-bot apps in their App Stores — www.intego.com/… (Editorial by Bart: it’s a shame Apple consider trademark infringement a non-security issue and don’t prevent it in app review, leaving it to the trademark owner to complain instead.)
Notable News
- The Forum of Incident Response and Security Teams (FIRST) has released the specification for version 4 of the Common Vulnerability Scoring System (CVSS); the new version tweaks the scoring to better reflect modern threats and to help security teams triage vulnerabilities — www.bleepingcomputer.com/…
- Editorial by Bart: when you hear things like “critical bug”, those are not arbitrary terms; they come from the CVSS scoring system, so critical actually means a CVSS score of 9.0 or greater (the scale goes from zero to 10)
- Microsoft have launched a new company-wide security drive they’ve dubbed their Secure Future Initiative — www.helpnetsecurity.com/… (Microsoft’s announcement)
- Editorial by Bart:
- These kinds of things are often more PR sparkle than real change, so I was very skeptical, but even in just the last week we’ve seen substantive changes happening, so I’ve shifted to cautiously optimistic
- To make the anti-Microsoft case, at least one of the announcements in the blog post launching the initiative reeks of spin — Microsoft will start to store all signing keys in Hardware Security Modules (HSMs, think Secure Enclaves for data centres). They should already have been doing this, and the fact that they weren’t led to the Chinese government successfully hacking some US government Office365 accounts last year. In my opinion, the correct response here is finally, not well done!
- Related concrete news:
- Microsoft are adding baseline secure-by-default MFA policies to Office365 tenancies, so that unless organisations proactively downgrade their settings, all Office365 tenancies will soon be protected by strong MFA — www.bleepingcomputer.com/…
- Microsoft have added some very clever new AI-driven logic to prevent attackers from spamming users with MFA push notifications in the Microsoft Authenticator app — www.bleepingcomputer.com/…
- Starting with the next release of Windows 11, enabling file and print sharing will no longer open the legacy NetBIOS ports that SMB 1 relied on (137, 138 & 139); it will only open port 445, where modern SMB runs directly over TCP — www.bleepingcomputer.com/…
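Microsoft’s actual push-suppression logic is not described on the page, so this added example (not Microsoft’s code, and not from the original post) shows the complementary defender-side view: detection logic a SOC can run over its own sign-in logs to spot an MFA-fatigue (push-bombing) attempt and whether it succeeded. The sample events and their field names (`ts`, `user`, `ip`, `mfa_result`) are constructed for this example and are a simplification of a real MFA challenge record; the window and threshold values are assumptions to be tuned per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real Microsoft Entra ID / Azure AD sign-in log records); the
# field names are this example's own simplification of an MFA push-challenge record.
SAMPLE_EVENTS = [
    # alice: six pushes refused or ignored within three minutes from two source IPs, then one approved
    {"ts": "2023-11-06T09:00:00+00:00", "user": "alice", "ip": "198.51.100.23", "mfa_result": "denied"},
    {"ts": "2023-11-06T09:00:30+00:00", "user": "alice", "ip": "198.51.100.23", "mfa_result": "timeout"},
    {"ts": "2023-11-06T09:01:00+00:00", "user": "alice", "ip": "198.51.100.23", "mfa_result": "denied"},
    {"ts": "2023-11-06T09:01:30+00:00", "user": "alice", "ip": "198.51.100.40", "mfa_result": "timeout"},
    {"ts": "2023-11-06T09:02:00+00:00", "user": "alice", "ip": "198.51.100.40", "mfa_result": "denied"},
    {"ts": "2023-11-06T09:02:30+00:00", "user": "alice", "ip": "198.51.100.40", "mfa_result": "denied"},
    {"ts": "2023-11-06T09:03:00+00:00", "user": "alice", "ip": "198.51.100.40", "mfa_result": "approved"},
    # bob: one mis-tap, then a normal approval
    {"ts": "2023-11-06T09:00:10+00:00", "user": "bob", "ip": "203.0.113.5", "mfa_result": "denied"},
    {"ts": "2023-11-06T09:00:40+00:00", "user": "bob", "ip": "203.0.113.5", "mfa_result": "approved"},
    # carol: three refusals, below the burst threshold
    {"ts": "2023-11-06T09:05:00+00:00", "user": "carol", "ip": "192.0.2.9", "mfa_result": "denied"},
    {"ts": "2023-11-06T09:06:00+00:00", "user": "carol", "ip": "192.0.2.9", "mfa_result": "denied"},
    {"ts": "2023-11-06T09:07:00+00:00", "user": "carol", "ip": "192.0.2.9", "mfa_result": "timeout"},
]

FAILED = {"denied", "timeout"}   # a push the user refused, or let expire


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_push_fatigue(events, window_minutes=10, threshold=5):
    """Return one alert per burst of >= `threshold` refused/ignored MFA pushes for the same
    user inside a sliding `window_minutes` window. An approval that lands while a burst is
    still open is flagged, because that is the outcome a push-bombing attacker is after."""
    window = timedelta(minutes=window_minutes)
    pending = defaultdict(deque)   # user -> (timestamp, ip) of failed pushes still inside the window
    open_alerts = {}               # user -> alert for a burst that has not been closed yet
    alerts = []

    for ev in sorted(events, key=_ts):
        now, user = _ts(ev), ev["user"]
        q = pending[user]
        while q and now - q[0][0] > window:        # slide the window forward
            q.popleft()
        if not q:
            open_alerts.pop(user, None)             # burst aged out without an approval

        if ev["mfa_result"] in FAILED:
            q.append((now, ev["ip"]))
            if len(q) >= threshold:
                alert = open_alerts.get(user)
                if alert is None:
                    alert = {"user": user, "first": q[0][0].isoformat(), "last": None,
                             "failed_prompts": 0, "source_ips": set(),
                             "approved_after_burst": False, "approving_ip": None}
                    open_alerts[user] = alert
                    alerts.append(alert)
                alert["last"] = now.isoformat()
                alert["failed_prompts"] = len(q)
                alert["source_ips"] |= {ip for _, ip in q}
        elif ev["mfa_result"] == "approved":
            alert = open_alerts.pop(user, None)
            if alert is not None:                   # the user finally tapped "approve" mid-burst
                alert["approved_after_burst"] = True
                alert["approving_ip"] = ev["ip"]
            q.clear()                               # an approval ends the streak either way

    for alert in alerts:
        alert["source_ips"] = sorted(alert["source_ips"])
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

The approved-after-burst flag is the one to page on: a burst of refusals on its own may be a confused user, but an approval that follows a burst from an IP the user never authenticated from before is the signature of a successful fatigue attack and warrants an immediate session revoke and password reset.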
- Some nice security enhancements from Google:
- Google Chrome now automatically tries to upgrade insecure HTTP connections to secure HTTPS ones, only falling back to HTTP when HTTPS fails — www.bleepingcomputer.com/…
- Google Play adds security audit badges for Android VPN apps — www.bleepingcomputer.com/… (apps must be independently audited against the Mobile App Security Assessment, or MASA, standard)
- Meta’s attempts to avoid changing their business model despite the GDPR have taken another turn: the European Data Protection Board has upheld a July ruling by the Norwegian Data Protection Authority which found that Meta’s current user-consent process for targeted ads does not comply with the GDPR, and the Irish Data Protection Commission has been instructed to order Meta to stop using targeted ads on Facebook and Instagram in Europe — www.bleepingcomputer.com/…
- Related: Meta Launches Paid Ad-Free Subscription in Europe to Satisfy Privacy Laws — thehackernews.com/…
- Related: Google has joined forces with EU mobile carriers to pressure the European Commission into designating iMessage a Gatekeeper, in an attempt to force Apple to open the iMessage protocol for third-party interoperability — appleinsider.com/…
- Related: Apple admits third-party App Stores in Europe are inevitable — appleinsider.com/… (in a US financial filing)
- FTC orders non-bank financial firms to report breaches in 30 days — www.bleepingcomputer.com/… (FTC is the Federal Trade Commission)
- WhatsApp Introduces New Privacy Feature to Protect IP Address in Calls — thehackernews.com/… (Calls get routed through Meta’s servers, but that’s safe thanks to End-to-End encryption)
Top Tips
- In iOS 17 you can configure regular tabs to have protections previously only available in private tabs: How to Enable Advanced Tracking and Fingerprinting Protection for Normal Browsing on iOS 17 — www.macobserver.com/… (Same feature is available in Safari on macOS Sonoma under Settings → Advanced)
Palate Cleansers
- Know a Little More about ALOHAnet — shows.acast.com/… (ALOHAnet is the precursor to Ethernet, and its innovations continue to power our networks today)
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| | A link to graphical content, probably a chart, graph, or diagram. |
| | A story that has been over-hyped in the media, or, “no need to light your hair on fire”. |
| | A link to an article behind a paywall. |
| | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| | A tip of the hat to thank a member of the community for bringing the story to our attention. |
[…] Security Bits — 12 November 2023 […]