Feedback & Followups
- An excellent writeup detailing the fascinating story of the XZ Utils compromise we discussed last time — arstechnica.com/… (Editorial by Bart: Definitely one of the nearest misses we’ve had in the supply chain for some time; hopefully it focuses some more eyes on the importance of supporting important open source projects that underpin many systems)
- 🇺🇸 AT&T have not yet explained how they were breached, but they have now admitted the breach was bigger than they first realised, and have now notified 51M current and past customers — www.bleepingcomputer.com/…
- The Sunbird iMessage client for Android is back, but while the glaring security bugs may be gone, the fundamental problem remains – you need to give the app your Apple ID username and password for it to work — www.macobserver.com/… (Editorial by Bart: don’t, just don’t!)
- Supply-chain attacks targeting developers continue – attackers have been discovered gaming GitHub’s search rankings to boost their malicious packages in the results — www.bleepingcomputer.com/… (Editorial by Bart: my advice remains the same: start on the project’s website; don’t search on NPM or GitHub or anywhere like that, you can’t trust the results)
- When given a choice, Europeans seem to prefer privacy-focused browsers: Report: People are bailing on Safari after DMA makes changing defaults easier — arstechnica.com/… (Based on reporting and a survey carried out by Reuters)
- 🧯 There is another new variant of the Spectre 2 attack against the Linux kernel. It is more potent than the original Spectre 2 attacks, but it’s still not relevant to home users, and the major Linux distros used to power the cloud are on it — www.bleepingcomputer.com/…
Deep Dive(s)
❗ Action Alerts
- Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs — www.bleepingcomputer.com/…
- Google fixes one more Chrome zero-day exploited at Pwn2Own — www.bleepingcomputer.com/…
- Google fixes two Pixel zero-day flaws exploited by forensics firms — www.bleepingcomputer.com/… (Not a general Android problem, specific to the Pixel boot loader & firmware)
- Telegram fixes Windows app zero-day used to launch Python scripts — www.bleepingcomputer.com/… (Editorial by Bart: A good illustration of why deny-listing is an inherently bad idea in cybersecurity; if you’re building anything new, always use an allow-listing approach!)
- Over 90,000 LG Smart TVs may be exposed to remote attacks — www.bleepingcomputer.com/… (There is a patch, but automatic updates are not enabled by default)
- Another illustration of why it is not safe to run hardware that’s no longer under support: Over 92,000 exposed D-Link NAS devices have a backdoor account — www.bleepingcomputer.com/… & Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks — www.bleepingcomputer.com/…
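The Telegram item above turns on the difference between a deny-list and an allow-list. The Python below is an added illustration, not code from Telegram or from any of the linked articles: it checks a filename against a constructed deny-list of executable extensions and against a constructed allow-list of document types, and shows that any extension the deny-list author did not think of is waved through, while the allow-list fails closed. The lists, the filenames and the `compare` helper are all assumptions made for the demonstration.

```python
"""Deny-list versus allow-list checks on file extensions.

Added illustration (not Telegram's code, not from the linked article). A
deny-list only stops the cases its author remembered, so any extension that is
missing from the list, including a misspelled or newly introduced one, is
treated as safe. An allow-list fails closed instead.
"""
from pathlib import PurePosixPath

# Constructed sample lists for the demonstration; no product's real lists appear here.
DENY_LIST = {"exe", "bat", "cmd", "py", "pyw", "ps1", "vbs"}
ALLOW_LIST = {"jpg", "png", "pdf", "txt"}


def _extension(filename: str) -> str:
    """Return the final extension, lower-cased, without the dot ('' if none)."""
    suffix = PurePosixPath(filename).suffix
    return suffix[1:].lower() if suffix else ""


def allowed_by_deny_list(filename: str) -> bool:
    """Fail-open check: everything that is not explicitly denied is allowed."""
    return _extension(filename) not in DENY_LIST


def allowed_by_allow_list(filename: str) -> bool:
    """Fail-closed check: only explicitly listed types are allowed."""
    return _extension(filename) in ALLOW_LIST


def compare(filenames):
    """Map each filename to (deny-list verdict, allow-list verdict); True means 'allowed'."""
    return {f: (allowed_by_deny_list(f), allowed_by_allow_list(f)) for f in filenames}


if __name__ == "__main__":
    # "report.pyzw" (a real zipapp extension) stands in for any executable type the
    # deny-list author did not anticipate; the name itself is constructed for this demo.
    samples = ["photo.jpg", "tool.exe", "report.pyzw", "invoice.pdf.exe", "notes"]
    for name, (deny_ok, allow_ok) in compare(samples).items():
        print(f"{name:16} deny-list: {'ALLOW' if deny_ok else 'block':5}  "
              f"allow-list: {'ALLOW' if allow_ok else 'block'}")
```

Note that the deny-list also has to be kept in sync with every new executable type the platform learns to open, whereas the allow-list only grows when the application deliberately decides to accept a new kind of content.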
Worthy Warnings
- Shopping platform PandaBuy data leak impacts 1.3 million users — www.bleepingcomputer.com/… (The site owners have not reacted, so it appears affected users have not been notified)
- 🇺🇸 FBI warns of massive wave of road toll SMS phishing attacks — www.bleepingcomputer.com/…
Notable News
- Lots of Google-related news:
- Google have launched their Find My Device network which appears to be as technologically similar to Apple’s Find My network as its name implies, including the strong cryptographically enforced privacy protections, and it implements the new cross-platform anti-stalking protection protocol — www.cultofmac.com/…
- How we built the new Find My Device network with user security and privacy in mind — security.googleblog.com/…
- Google now blocks spoofed emails for better phishing protection — www.bleepingcomputer.com/… (IPs sending more than 5K emails to Gmail per day need to implement the standard email validation protocols — SPF/DKIM & DMARC)
- Google followed through on their recent settlement of the ‘Incognito Mode’ class action suit in the US, and deleted billions of browsing records collected from Incognito Mode users before it clarified its screens in January this year — www.theguardian.com/…
- Google Chrome Adds V8 Sandbox – A New Defense Against Browser Attacks — thehackernews.com/…
- Google has started testing new technology it hopes to develop into an open standard that will cryptographically tie session cookies to specific devices, stopping one of the most common attacks in use today, session hijacking, in its tracks — thehackernews.com/… (Editorial by Bart: this is a very elegant solution to a very real problem, so I hope they succeed in getting this adopted as a standard, and, more importantly, adopted by website owners, especially Single-Sign-on providers like Google, Microsoft, Apple, Meta, etc.)
- Google Workspace rolls out multi-admin approval feature for risky changes — www.bleepingcomputer.com/… (Editorial by Bart: not enabled by default, but a very clever feature IMO, definitely worth enabling if your family or small business uses Google Workspace)
- Apple have had a program for notifying users it has reason to believe have been targeted by state-level attackers for some time, but that’s now been expanded to include mercenary ransomware (stuff like the infamous Pegasus from the NSO group), and they’ve just sent notifications to users in 92 countries — thehackernews.com/… & techcrunch.com/…
- A timely reminder that impersonation attacks are going to keep getting better as AI improves: 🇺🇸 FTC: Americans lost $1.1 billion to impersonation scams in 2023 — www.bleepingcomputer.com/…
- X launches passkey support for iOS app users worldwide — appleinsider.com/… (Tap on your icon in the top-left corner, then expand Settings and Support, then navigate to Settings & Privacy → Security and account access → Security, and finally toggle the Passkey switch)
- DuckDuckGo launches a premium Privacy Pro VPN service — www.bleepingcomputer.com/… (🇺🇸 US only for now, uses WireGuard, and priced at $9.99/month or $99.99/year)
- Monday may be a good day to buy your friendly neighbourhood sysadmin a coffee: Palo Alto Networks zero-day exploited since March to backdoor firewalls — www.bleepingcomputer.com/… (No patch yet, but there is a workaround. Unlikely home users will be affected, but a very popular network hardware vendor in the corporate world)
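The Gmail item above mentions the email authentication records that bulk senders must now publish. As an added example (not Google’s checker, and not from any of the linked articles), the Python below evaluates constructed SPF and DMARC TXT records embedded in the script instead of querying DNS, so it runs offline; the domain names, the records and the `lookup_txt` helper are assumptions made for the demonstration. DKIM is signed per message and verified against a selector record, so it is not checked at the domain level here.

```python
"""Domain-level check for the SPF and DMARC records that mail receivers such as
Gmail expect from bulk senders.

Added illustration, not an official tool. It reads constructed DNS TXT data from
the SAMPLE_TXT dict below; for live use, replace lookup_txt() with a real
resolver query for the same names.
"""

# Constructed sample zone data, keyed by the DNS name that would be queried.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "none.example": ["some-unrelated-verification-token"],
}


def lookup_txt(name, zone=SAMPLE_TXT):
    """Stand-in for a DNS TXT query (assumption: returns the record strings for a name)."""
    return zone.get(name, [])


def parse_spf(records):
    """Return the SPF record's mechanism list, or None if no v=spf1 record exists."""
    for rec in records:
        parts = rec.split()
        if parts and parts[0].lower() == "v=spf1":
            return parts[1:]
    return None


def parse_dmarc(records):
    """Return the DMARC tags as a dict, or None if no v=DMARC1 record exists."""
    for rec in records:
        tags = {}
        for item in rec.split(";"):
            if "=" in item:
                key, value = item.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None


def assess_domain(domain, zone=SAMPLE_TXT):
    """Summarise a sending domain's SPF/DMARC posture.

    'has_spf_and_dmarc' is the bare presence check; 'findings' lists weaknesses a
    reviewer would still want to raise even when both records exist.
    """
    spf = parse_spf(lookup_txt(domain, zone))
    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}", zone))
    findings = []
    if spf is None:
        findings.append("no SPF record")
    elif "+all" in spf or "all" in spf:  # a bare 'all' has the implicit '+' qualifier
        findings.append("SPF ends in +all, which authorises every sender on the internet")
    if dmarc is None:
        findings.append("no DMARC record")
    elif dmarc.get("p", "").lower() == "none":
        findings.append("DMARC policy is p=none (monitoring only, no enforcement)")
    return {
        "domain": domain,
        "spf": spf,
        "dmarc": dmarc,
        "findings": findings,
        "has_spf_and_dmarc": spf is not None and dmarc is not None,
    }


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "none.example"):
        result = assess_domain(name)
        status = "OK" if result["has_spf_and_dmarc"] else "MISSING RECORDS"
        print(f"{name:14} {status:16} {'; '.join(result['findings']) or 'no findings'}")
```

The split between the presence flag and the findings list is deliberate: a domain can satisfy the letter of a bulk-sender requirement with `p=none` or `+all` while still doing nothing to stop spoofing of its name.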
Excellent Explainers
Interesting Insights
- A nice overview of Mac malware for the first quarter of 2024 — www.intego.com/… (for the most part, not pirating software, steering clear of cryptocurrency, and being careful in the App Store still keeps you safe)
Just Because it’s Cool 😎
- A wonderfully geeky post from The Eclectic Light Company explaining just how macOS decides what app to open when you double-click on a file in the Finder — eclecticlight.co/…
Palate Cleansers
- From Bart:
- A timely XKCD making a point I make over and over again – seeing a 99% total solar eclipse is cool, but it’s absolutely nothing like a total eclipse, if you haven’t experienced totality, you have no idea what an amazing experience it is! — xkcd.com/…
- From Allison:
- xkcd on clouds and eclipses — m.xkcd.com/…
- 🎧 A short new weekly podcast I’ve been enjoying a lot, and now they’ve tackled a NosillaCast-adjacent topic: The Economics of Everyday Things: 43. Top-Level Domains — overcast.fm/…
Legend
When the text describing a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |