Feedback & Followups
- Consequences arrive for past failures:
  - 🇺🇸 AT&T pays $13 million FCC settlement over 2023 data breach — www.bleepingcomputer.com/…
  - 🇪🇺 Meta fined €91M by the Irish Data Protection Commission for storing over 600 million passwords in plain text back in 2019 (most were from the ill-fated Facebook Lite service, and the passwords were not leaked, just wrongly stored in plain text and accessed by thousands of Facebook employees)
  - 🇮🇪 The press release from the Irish Data Protection Commission — www.dataprotection.ie/…
- 🇺🇸 Kaspersky wraps up its exit from the US with a bang: Kaspersky deletes itself, installs UltraAV antivirus without warning — www.bleepingcomputer.com/…
- France’s arrest of Telegram’s founder over the company’s failure to answer valid law enforcement requests has had an effect: Telegram now shares users’ IP and phone number on legal requests — www.bleepingcomputer.com/…
- The continuing barrage of negative feedback on Microsoft’s controversial Windows Recall feature is having an effect: www.bleepingcomputer.com/…
  - The feature will be off by default
  - The feature will be completely removable
  - Data protections are being tightened further
  - Editorial by Bart: We’re now finally getting to the feature set that Microsoft should have come with as their first offering
Deep Dive(s)
⚠ Action Alerts
- Apple releases new OSes and patches the old ones
  - macOS 14.7 Sonoma, macOS 13.7 Ventura, iOS 17.7, and iPadOS 17.7 Provide Security Fixes — tidbits.com/…
  - Details are sparse, but some 3rd-party security tools are not working reliably on macOS 15 Sequoia — www.bleepingcomputer.com/…
  - Related: After 20 Odd Years, Apple ID Gets Replaced; Hello Apple Account — www.macobserver.com/…
- 🧯 Patch for Critical CUPS vulnerability: Don’t Panic — isc.sans.edu/…
  - The bug is in cups-browsed, the Linux component that browses the network for shared printers. Apple does use CUPS for printing in macOS, but not for discovering shared printers (it uses mDNS/Bonjour for that), so Mac users are not affected
  - The component is not enabled by default in many setups and is unlikely to be running on servers; where it is running, stopping and disabling the cups-browsed service and blocking inbound UDP port 631 removes the exposure until the patch lands
  - Patches are out, so do patch promptly
- D-Link fixes critical RCE, hardcoded password flaws in WiFi 6 routers — www.bleepingcomputer.com/…
  - Related, and a good illustration of why this matters: 🇨🇳 Chinese botnet infects 260,000 SOHO routers, IP cameras with malware — www.bleepingcomputer.com/…
- ChatGPT macOS Flaw Could’ve Enabled Long-Term Spyware via Memory Function — thehackernews.com/…
Worthy Warnings
- Beware of another new technique being used to target coders: malicious “help” in GitHub comments (one of the many repos targeted was XKPasswd-js):
- If you depend on Tor to protect your anonymity, you need to be aware of research from the storied Chaos Computer Club in Germany that casts doubt on Tor’s effectiveness, though their research is disputed by the Tor project: Tor says it’s “still safe” amid reports of police deanonymizing users — www.bleepingcomputer.com/…
Notable News
- 🇺🇸 NIST (the US National Institute of Standards and Technology) has updated its guidance on passwords — arstechnica.com/… 📌
  - Technically this is a US standard that only applies to US government agencies and their suppliers, but it is commonly adopted by organisations all over the world and heavily influences similar standards in other countries
  - The section on end-user passwords has been strengthened to turn advice into requirements (“should” → “shall” etc.)
  - Periodic password reset requirements are banned, but a forced password change is required when there is evidence of compromise
  - Composition rules (“must contain an uppercase letter, a digit and a symbol”) are banned, and all printable characters, including spaces and Unicode, should be allowed
  - A minimum length of 8 characters must be enforced, and a minimum of 15 is recommended
  - If a maximum length is enforced, it should be at least 64 characters
  - Password hints are banned
  - Knowledge-based authentication factors (mother’s maiden name etc.) are banned
  - Note that these rules are for people (end-users), not for non-human identities like service accounts, so forcing the rotation of passwords used by scripts and stuff is completely out of scope here (and might even be required, I didn’t check!)
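The end-user rules above as a concrete acceptance check, added here as an illustration; it is not code from the show notes, from NIST or from any linked article. It assumes a small constructed list of compromised passwords standing in for a real breach corpus, and it adds the blocklist comparison that SP 800-63B also requires but the summary above does not mention. The legacy policy beside it is a typical composition rule set, included only for contrast.

```python
"""Password acceptance checks in the spirit of NIST SP 800-63B.

Added example; not code from the show notes or from NIST.  It encodes the
end-user rules summarised above (no composition rules, minimum 15, maximum 64,
all printing characters allowed) plus the compromised-password blocklist check
800-63B requires, beside a legacy "complexity" policy so the difference in what
each accepts is visible.  Length is counted in Unicode code points after NFKC
normalisation, which is what 800-63B specifies.
"""
import re
import unicodedata
from dataclasses import dataclass

MIN_LEN = 15   # 800-63B: verifiers SHALL require >= 8, SHOULD require >= 15
MAX_LEN = 64   # 800-63B: if a cap is imposed at all it SHOULD be >= 64

# Constructed stand-in for a breached-password corpus; a real verifier would
# query something like a k-anonymity range API or a local breach database.
COMPROMISED = {"password", "123456", "letmein", "qwerty123",
               "correct horse battery staple"}


@dataclass
class Verdict:
    ok: bool
    reason: str


def normalise(pw: str) -> str:
    """NFKC so the same passphrase typed via different keyboards compares equal."""
    return unicodedata.normalize("NFKC", pw)


def nist_check(pw: str, blocklist=COMPROMISED) -> Verdict:
    """Accept or reject a candidate under the 800-63B rules: no composition rules."""
    pw = normalise(pw)
    # "All printing characters" allowed means control characters (Cc) are not.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        return Verdict(False, "control characters are not permitted")
    n = len(pw)  # code points, not bytes: an emoji counts as one character
    if n < MIN_LEN:
        return Verdict(False, f"too short: {n} < {MIN_LEN} code points")
    if n > MAX_LEN:
        return Verdict(False, f"too long: {n} > {MAX_LEN} code points")
    # Case-folded comparison is a design choice of this example, not a 800-63B rule.
    if pw.casefold() in blocklist:
        return Verdict(False, "appears in compromised-password list")
    return Verdict(True, "accepted")


# The kind of composition policy 800-63B now forbids, kept for contrast.
LEGACY_RULES = [
    (re.compile(r"[A-Z]"), "uppercase"),
    (re.compile(r"[a-z]"), "lowercase"),
    (re.compile(r"[0-9]"), "digit"),
    (re.compile(r"[^A-Za-z0-9]"), "symbol"),
]


def legacy_check(pw: str) -> Verdict:
    """8-16 characters, one of each class: rejects long passphrases, accepts 'P@ssw0rd1'."""
    if not 8 <= len(pw) <= 16:
        return Verdict(False, "length must be 8-16")
    missing = [name for rx, name in LEGACY_RULES if not rx.search(pw)]
    if missing:
        return Verdict(False, "missing " + ", ".join(missing))
    return Verdict(True, "accepted")


if __name__ == "__main__":
    candidates = [
        "P@ssw0rd1",                     # legacy-compliant, far too short for 800-63B
        "correct horse battery staple",  # long, but in the (constructed) breach list
        "four random words here ok",     # accepted by 800-63B, rejected by legacy rules
        "\U0001F511" * 15,               # 15 key emoji: fine under 800-63B
        "a" * 13 + "\ufb01",             # 'fi' ligature becomes 'fi' after NFKC: 15 code points
    ]
    for c in candidates:
        v = nist_check(c)
        print(f"{c!r:40} legacy={legacy_check(c).ok!s:5} nist={v.ok!s:5} ({v.reason})")
```

Running it makes the contrast plain: `P@ssw0rd1` passes the legacy rules and fails the new ones, while a 25-character passphrase or 15 emoji do the opposite. Note there is no rotation timer anywhere in the verifier; the only forced change 800-63B asks for is triggered by evidence of compromise, which is an event you detect, not a date you schedule.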
- GSMA (GSM Association) Plans End-to-End Encryption for Cross-Platform RCS Messaging — thehackernews.com/…
- 🇺🇸 FTC exposes massive surveillance of kids, teens by social media giants — www.bleepingcomputer.com/…
- 🇦🇹 The vocal privacy campaign group NOYB (None of Your Business) has filed a formal complaint against Mozilla in Austria over Firefox’s on-by-default browser-side collection of anonymous ad effectiveness data (the Privacy-Preserving Attribution feature): www.bleepingcomputer.com/… (Editorial by Bart: this is a case of the idealists taking on the realists, not any kind of malice or malfeasance as best as I can tell)
- 🇬🇧 Is there some kind of conservation of AI training volume in the UK? 🙂
- 🇪🇺 Apple & Meta have opted out of the EU’s voluntary responsible AI code — appleinsider.com/…
- Some nice security-related app updates:
  - Discord rolls out end-to-end encryption for audio, video calls — www.bleepingcomputer.com/…
  - Google Password Manager now automatically syncs your passkeys — www.bleepingcomputer.com/…
  - Chrome Introduces One-Time Permissions and Enhanced Safety Check for Safer Browsing — thehackernews.com/…
- Windows Server 2025 previews security updates without restarts — www.bleepingcomputer.com/… (Editorial by Bart: nice to see Windows Server catching up with Linux & Unix, and hopefully this makes its way down to Windows 11 soon)
Top Tips
Interesting Insights
- A very thoughtful discussion on why our existing laws don’t mean what we think they mean (disclosure is much less mandated than we think), and why companies should choose to disclose anyway: The Data Breach Disclosure Conundrum — www.troyhunt.com/…
Palate Cleansers
- From Bart: Winamp releases source code, asks for help modernizing the player — www.bleepingcomputer.com/…
- From Allison: Elle Cordova does very clever videos about technical and space things. Her video on digital assistants is priceless: “Server break room” on TikTok (you can also find her on Instagram.)
Legend
When the text describing a link is part of the link, it is the title of the page being linked to; when it is not part of the link, it is a description written by Bart.

| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ⚠ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |