
Security Bits — 26 November 2023

Feedback & Followups

  • The recent wave of malicious Google ads targeting software downloads continues, this time it’s trojanised versions of the popular SFTP/SCP client WinSCP being pushed from ads that imitate the official download page — thehackernews.com/…

❗ Action Alerts

Worthy Warnings

Notable News

  • Thankfully, Nothing’s catastrophically insecure iMessage bridge (Nothing Chats) was very short-lived — appleinsider.com/… (users had to hand the service their actual Apple ID username and password, and the service did not properly encrypt the messages it relayed)
  • Intel have released microcode updates for another CPU vulnerability (dubbed Reptar), but for once it’s not related to speculative execution: it’s a bug in how affected CPUs handle redundant instruction prefixes. However, like the many speculative execution bugs of recent years, it’s critical for cloud providers (a malicious VM can crash the host, and may be able to escalate privileges) but not a major concern for home users — thehackernews.com/… & www.bleepingcomputer.com/…
  • A security audit funded by Microsoft found implementation flaws in the three most common fingerprint sensors used for Windows Hello, allowing the fingerprint check to be bypassed by an attacker with physical access to the device — www.bleepingcomputer.com/… & thehackernews.com/…
    • The affected sensors are used in some Microsoft Surface devices, Dell laptops, and Lenovo ThinkPads!
    • The attacks are not trivial and need hands-on access to the device, so regular users are unlikely to be targeted, but at-risk users and high-value targets should re-evaluate their use of Windows Hello fingerprint login for now
    • The researchers have given hardware vendors concrete guidance for better securing future products
    • Related News: Microsoft launches Defender Bounty Program with rewards of up to $20,000 — www.bleepingcomputer.com/… (Bugs in AV software are particularly dangerous because it runs with high privileges on every machine, so this is good to see)
  • The ALPHV AKA BlackCat ransomware gang have taken extortion up a notch by lodging a complaint with the US SEC against a victim (MeridianLink) who didn’t pay up and didn’t report their breach as required by law — www.bleepingcomputer.com/… (This adds a third layer of extortion for companies in industries with mandatory reporting rules in place: “pay us or you’ll never get your stuff back”, “pay us or we’ll publish your stuff”, and now “pay us or we’ll report you to your regulator”)
  • A letter from Senator Wyden obtained by WIRED reveals the existence of a massive, probably illegal, previously unknown and classified surveillance program named DAS (Data Analytical Services) which gives even low-level US law enforcement access to the phone records of US citizens — www.wired.com/…
  • The US Federal Communications Commission has adopted new rules requiring carriers to perform stricter identity verification before making SIM changes or porting numbers to another carrier — bleepingcomputer.com/… & thehackernews.com/… (An attempt to make SIM-swapping & port-out attacks more difficult)
  • Some notable wins by law enforcement:

    • Police in Malaysia, with help from Australian & American law enforcement, have dismantled the BulletProofLink Phishing-as-a-Service operation and arrested its operators. The service had been active since 2015 and offered cutting-edge features like AiTM (Adversary in The Middle) phishing pages, which proxy the real login page and steal the resulting session cookie so the attacker can log in without needing the victim’s MFA/2FA — thehackernews.com/…
    • The FBI dismantled the IPStorm botnet, a proxy service that sold cybercriminals the ability to route their malicious traffic through infected home devices with residential IP addresses, making it much harder to detect and block — www.bleepingcomputer.com/…
  • Stick a pin in it, 2024 will be the year Google eliminates 3rd-party cookies in Chrome, starting with a very small trial (1% of users) in January — www.bleepingcomputer.com/…

Excellent Explainers

Palate Cleansers

  • A great tip from Bleeping Computer: since iOS 17, Visual Look Up in the Photos app recognises the care symbols on laundry labels and lets you look up their meaning — www.cultofmac.com/…
  • An interesting two-part episode of the wonderful Malicious Life podcast telling the story of the infamous NSO Group — Part 1 & Part 2

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji meanings:

  • A link to audio content, probably a podcast.
  • A call to action.
  • (a country’s flag) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
  • A link to graphical content, probably a chart, graph, or diagram.
  • A story that has been over-hyped in the media, or, “no need to light your hair on fire”.
  • A link to an article behind a paywall.
  • A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
  • A tip of the hat to thank a member of the community for bringing the story to our attention.
