Feedback & Followups
- Ransomware-related developments:
- The apparent return of the BlackCat ransomware gang after their recent law enforcement take-down appears to have been short-lived, with the group collapsing in an apparent exit scam: BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare — krebsonsecurity.com/…
- While much of the ransomware industry has switched focus to large organisations, home users are still being targeted, and StopCrypt, the most prolific ransomware targeting home users, has just been updated to get better at evading AV software — www.bleepingcomputer.com/…
- A good indication of why GitHub are enabling Push Protection by default: https://www.bleepingcomputer.com/news/security/over-12-million-auth-secrets-and-keys-leaked-on-github-in-2023/
- Signal’s phone-number protection feature rolls out — signal.org/…
- Don’t think of Signal usernames like traditional usernames — they don’t become your identity on the platform, they just act as an alias for your phone number that you can give to people to let them start a conversation with you without them ever knowing your number
- Note from Bart: I set it up on my account and it was very easy
- 🇪🇺 More DMA compliance details & changes:
- Apple News & Changes:
- Apple released a support document with more details on the EU App Store, including how eligibility is determined — support.apple.com/…
> To reflect the Digital Markets Act’s changes, users in the European Union are able to install alternative app marketplaces and install apps offered through alternative app marketplaces in iOS 17.4 or later. The country or region of your Apple ID must be set to one of the countries or regions of the European Union, and you must physically be located in the European Union.
> Your device eligibility for alternative app marketplaces is determined using on-device processing with only an indicator of eligibility sent to Apple. To preserve your privacy, Apple does not collect your device’s location.
> If you leave the European Union, you can continue to open and use apps that you previously installed from alternative app marketplaces. Alternative app marketplaces can continue updating those apps for up to 30 days after you leave the European Union, and you can continue using alternative app marketplaces to manage previously installed apps. However, you must be in the European Union to install alternative app marketplaces and new apps from alternative app marketplaces.
- More tweaks to the rules for EU developers — sixcolors.com/…
- Single-vendor 3rd-party app stores are OK after all (i.e. Epic can make a store just for Epic games)
- Links to external payments can be customised after all, Apple’s templates are now mere suggestions
- Sufficiently large developers in sufficient standing will be able to distribute notarised apps directly from their own web pages (were it not for the need for notarisation and for the developer account to be marked as authorised, this would be full side-loading; it’s certainly closer than most expected Apple to get)
- Apple’s first DMA compliance report contains an interesting tidbit – Apple will provide a tool for easily moving from iOS to Android by fall 2025 — www.macobserver.com/…
- Related: Brave: Sharp increase in installs after iOS DMA update in EU — www.bleepingcomputer.com/…
- Meta Details WhatsApp and Messenger Interoperability to Comply with EU’s DMA Regulations — thehackernews.com/… (Please use open protocols like Signal & XMPP)
- Google’s EU Choice Screens for Android, for Default Browser and Default Search Within Chrome, Only Show Up on New Devices — daringfireball.net/… (Apple is showing them to all Europeans when they upgrade to iOS 17.4)
- Related: an excellent overview of the compliance changes from all the gatekeepers — arstechnica.com/…
- 🇺🇸 The US FTC continues to target online fraud: Tech support firms Restoro, Reimage fined $26 million for scare tactics — www.bleepingcomputer.com/…
- > Restoro and Reimage used online ads and pop-ups that impersonated Microsoft Windows pop-ups and system warnings, saying that the consumers’ computers were infected with malware, had various performance issues, and needed urgent attention to avoid harm.
Deep Dive — Tesla AiTM & ‘Watering Hole Attacks’
Note: AiTM is the new term for what we previously referred to as MiTM. That is to say, we now talk about Adversary in The Middle attacks, not Man in The Middle Attacks. This change has been adopted for two reasons — it’s obviously free from gender baggage, but more importantly, many adversaries in the middle are not human at all, they’re software of some kind!
TL;DR: until Tesla make some changes to nip this attack in the bud, do not enter your Tesla account details on any WiFi network you do not know to be safe, especially not in a place that is likely to attract Tesla owners, like a Tesla Supercharger!
Tesla have made it easier to add phone keys to their cars, and researchers have discovered that you can intercept Tesla login details, even on accounts with MFA enabled (Tesla do not support phishing-resistant MFA like FIDO2 or Passkeys yet), and silently add a phone to a Tesla as a key. For this to work the attackers need to trick a Tesla owner into logging in to a fake Tesla portal, and the way they suggest that could easily be done would be to set up a WiFi network named Tesla at a Tesla Supercharger and pop up a captive portal login screen, as is quite common on WiFi networks.
The researchers propose two sensible fixes:
- Require the phone to be in the car to be paired (I remember it used to be this way, and I think this is the part Tesla want to remove to make it easier to give others access to your car, so this seems unlikely to me)
- Add an alert in the car to say a phone has been added, with an easy button to see the details and remove it (This seems like a no-brainer to me, no loss of ease of use, but solves the problem of the key being silently added, 🤞 Tesla do this soon)
You can read more details here — www.bleepingcomputer.com/…
What are ‘Watering Hole Attacks’?
The reason I wanted to make this pretty straightforward story a deep dive is that it offers a good excuse to explain a cybersecurity term we haven’t talked about in detail before — Watering Hole Attacks.
The idea comes from nature, where some hunters go looking for prey, while others go somewhere they know the prey will come to, and simply wait for dinner to arrive! In arid regions, watering holes inevitably attract lots of animals, so they’re a great place for predators to hang out and wait.
You can do the same thing for cyberattacks when your desired victims have something in common that will pull them towards some digital or physical place. Developers are very often targeted in watering hole attacks, with baddies making use of software repositories like JavaScript’s Node Package Manager (NPM) or Python’s PyPI package repository to typo-squat package names to spread malicious code.
In this case, the researchers suggest using a physical place where potential targets are likely to assemble to launch a digital attack that requires physical proximity: a malicious WiFi network.
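As an added example (not from the original post or from the researchers’ work), here is a defensive pre-install check for the package typo-squatting vector mentioned above: it normalises dependency names the way PyPI does, then flags any name that sits within a couple of edits of a package on a curated allowlist so a human can review it before anything is installed. The KNOWN_GOOD set and the SAMPLE manifest are constructed for illustration.

```python
import re

# Constructed allowlist: the packages a team actually trusts and depends on.
KNOWN_GOOD = {"requests", "urllib3", "numpy", "cryptography", "pyyaml", "boto3"}

def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -/_/. are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (Levenshtein plus adjacent transposition),
    so swapped-letter typos such as 'reqeusts' count as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike(name: str, allowlist=KNOWN_GOOD, max_dist: int = 2):
    """Return the trusted package `name` closely resembles, or None.
    Exact allowlist members pass; near-misses within max_dist are flagged."""
    n = normalize(name)
    if n in allowlist:
        return None
    best = min(allowlist, key=lambda g: osa_distance(n, g))
    return best if osa_distance(n, best) <= max_dist else None

def check_manifest(lines):
    """Scan requirements-style lines and return (requested, lookalike) pairs to review."""
    hits = []
    for line in lines:
        # Cut the name off before any version specifier, extras or marker.
        name = re.split(r"[=<>!~\[; ]", line.strip(), maxsplit=1)[0]
        if name and not name.startswith("#"):
            target = lookalike(name)
            if target:
                hits.append((name, target))
    return hits

# Constructed sample requirements file: two typos, one near-miss, one unrelated package.
SAMPLE = ["requests==2.31.0", "reqeusts==2.31.0", "urlib3", "numpy>=1.26", "boto-3", "flask"]
```

Calling `check_manifest(SAMPLE)` reports the three near-misses and leaves `flask` alone, because being absent from the allowlist is not the same as impersonating something on it.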
❗ Action Alerts
- Apple Updates just about everything:
- iOS 17.4 & iPadOS 17.4 contained more than just the European DMA changes, they also patched 2 zero-days in Safari (patches also released as iOS/iPadOS 16.7.6) — www.bleepingcomputer.com/…
- Apple Releases macOS 14.4, watchOS 10.4, tvOS 17.4, HomePod Software 17.4, and visionOS 1.1 — tidbits.com/…
- Apple patches security flaw in GarageBand 10.4.11 for macOS Sonoma, Ventura — www.intego.com/…
- Microsoft March 2024 Patch Tuesday fixes 60 flaws, 18 RCE bugs — www.bleepingcomputer.com/…
- QNAP warns of critical auth bypass flaw in its NAS devices — www.bleepingcomputer.com/…
Worthy Warnings
- A new call feature on X is on by default, and you should probably turn it off — appleinsider.com/… (Any X user can voice-call you by default!)
- A good reminder to always check the address bar before downloading: Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware — thehackernews.com/…
- 🇫🇷 Another massive data breach in France (43M, even more than the recent 33M from 2 health insurance companies), this time it’s the government employment agency, and it covers 20 years of data including social security numbers. The danger of identity theft and phishing is very real, so at this stage the majority of French people need to be extra-suspicious of everything from now on — www.bleepingcomputer.com/…
Notable News
- A novel attack against un-patched WordPress sites is acting as a WordPress worm: Hacked WordPress sites use visitors’ browsers to hack other sites — www.bleepingcomputer.com/… (If you run a WordPress site, keep auto-update on, and enable it on all your plugins!)
- A good reminder to everyone everywhere to always remain vigilant, because unfortunately, cybercrime really pays 🙁: 🇺🇸 FBI: U.S. lost record $12.5 billion to online crime in 2023 — www.bleepingcomputer.com/…
IC3’s 2023 Internet Crime Report highlights four online crimes that caused the most financial losses in the United States last year: Business Email Compromise (BEC), investment fraud, ransomware, and tech/customer support and government impersonation scams.
- 🇺🇸 The US House of Representatives has passed an act that would require Bytedance to sell TikTok or be banned in the US (still needs to pass the Senate and be signed by the President, though President Biden has supported the bill) — www.bbc.com/…
- Related Explanation: 🎧 Know a Little More: About ByteDance — overcast.fm/…
- Related Discussion: 🎧 The Real Story: Should we be afraid of TikTok? — overcast.fm/…
- Bart’s (loosely held) Opinion: this law wouldn’t effectively tackle any of the real problems with social media, so it seems to be more about politicians wanting to look like they’re doing something rather than wanting to actually do something about a really complex and difficult problem 🙁
- Google Chrome gets real-time phishing protection later this month — www.bleepingcomputer.com/…
- Malicious sites are often very short-lived now, so even daily updates to block lists are not enough anymore, hence this real-time protection makes sense, where the browser checks URLs as it navigates to them
- Google are doing these real-time checks in a privacy-safe way using the Oblivious HTTP service from Fastly (same double-proxy concept as iCloud Private Relay)
- Firefox currently downloads fresh block-lists to the browser every 30 minutes, and it’s not clear what Apple do in Safari
- 🇺🇸 U.S. sanctions Predator spyware operators for spying on Americans — www.bleepingcomputer.com/…
- Not the NSO group, but similar companies, including two based in Ireland 🙁
- More Technical Details — thehackernews.com/…
Excellent Explainers
- 🎧 An excellent exploration of the current cybercrime landscape for a popular audience: The Naked Scientists Podcast: Cyber crimes in cyber times — overcast.fm/…
Palate Cleansers
- From Bart:
- 🎧 The story of the life of the world’s first computer programmer, and namesake of Allison’s cat: Noble Blood: How Ada Lovelace Constructed Her Wings — overcast.fm/…
- 🎧 An interview with the YouTuber who now makes his living scamming the scammers back, both to distract them from doing actual harm and to entertain us: Darknet Diaries: 143- Jim Hates Scams — overcast.fm/… (and as an added bonus on Paddy’s day, he’s Irish! 😀☘️)
- An excellent read for anyone who enjoys comics, and a chance to support Glenn Fleishman’s next book: Newspaper Cartoonists Rely on Digital Tools, but Not as You’d Expect — tidbits.com/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
Apropos of your palate cleansers, have you ever encountered the graphical novel work of Sydney Padua? She has created a whole series of Ada Lovelace and Charles Babbage graphical adventures (this combines your Ada Lovelace history and your Glenn Fleishman treatise on comics!). She is truly a gem of a humorist! Sadly, it appears that her web site is currently misconfigured, so I will have to point you to the latest working capture from archive.org:
https://web.archive.org/web/20240229042533/https://www.2dgoggles.com/