Security Bits — 21 December 2024

Feedback & Followups

• Following the FBI earlier in the month, and following the revelation that 8 major US telcos were compromised by the Chinese government, the US Cybersecurity & Infrastructure Security Agency (CISA) has joined the FBI in recommending the use of End-to-End Encrypted messaging apps, giving special a special mention to Signal as a good choice — www.bleepingcomputer.com/…
  • CISA’s advisory — www.cisa.gov/…
• Inflammatory headline is really about compliance: Government to ban WhatsApp for official business

Action Alerts

• Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws — www.bleepingcomputer.com/…
• Apple Updates Everything (iOS, iPadOS, macOS, watchOS, tvOS, visionOS) – SANS Internet Storm Center — isc.sans.edu/…
  • Apple also released Safari 18.2 for macOS 14 Sonoma and macOS 13 Ventura to fix five security vulnerabilities — tidbits.com/…

Worthy Warnings

• Reminder — always check NPM and other repository names from a trusted source, never just guess: Thousands Download Malicious npm Libraries Impersonating Legitimate Tools — thehackernews.com/…
• Those “Apple Approval Notice” SMS messages are a scam — www.macobserver.com/…
• Rest assured, these scary viral TikTok videos are utter fiction: (in case you or your family hear about them)
  • TikTok videos claim anyone can steal your credit cards with AirDrop — appleinsider.com/…
  • No, iOS Photos isn’t telling you who last looked at your messages — appleinsider.com/…
• An Illustrative example of how attackers are using legitimate features on popular sites to send more believable phishing emails (in this case, Google Forms to phish pretending to be Google’s security team): How to Lose a Fortune with Just One Bad Click — krebsonsecurity.com/…
• Similarly, attackers are turning more and more to sending entirely genuine invoices for utterly fictitious produces/service using popular Software-as-a-Service platforms: Money request and invoice scams via PayPal, Venmo, and Docusign — www.intego.com/…
  • Lots of nice detailed advice in the article
  • Top-takeaway — don’t trust any information in a field controlled by the sender rather than the service, like sender/seller/vendor comment/note/message

Notable News

• A wise move to counter stigma against victims: Interpol replaces dehumanizing “Pig Butchering” term with “Romance Baiting” — www.bleepingcomputer.com/…
• The GDPR continues to have teeth — notice that the fines are not for being breached as such, but for not taking the appropriate actions before and after:
  • Ireland fines Meta $264 million over 2018 Facebook data breach — www.bleepingcomputer.com/…
  • The fine is not for being breached, but for not having notified affected users clearly and promptly
  • The fine is also for negligence in Facebook’s under-the-hood design
  • Dutch DPA Fines Netflix €4.75 Million for GDPR Violations Over Data Transparency — thehackernews.com/…
  • The fine is for not having clear and accurate data policies
  • The fine is also for not responding honestly to subject data requests filed by EU users
• The US Office of the Inspector General (OIG) has determined that the Trump US Department of Justice (DOJ) wrongly subpoenaed Apple for call and message data relating to opposition lawmakers, their aides, and families — appleinsider.com/…
• US Authorities are launching an investigation into Chinese router maker TP-Link for a possible ban due to security risks. Most popular home internet routers in US may be banned as national security risk — www.9to5mac.com
  • While an investigation isn’t a ban Tom Merritt on the Daily Tech News Show explains why a ban is essentially inevitable: DTNS 4918 for 18 December 2024 on YouTube
  • If you own a TP-Link router, consider flashing it with dd-wrt firmware if you don’t want to throw it in the bin.
• An interesting example of nation-state-level cybersecurity defences: Germany blocks BadBox malware loaded on 30,000 Android devices — www.bleepingcomputer.com/…

Top Tips

• How to Add a Legacy Contact to Your Apple Account | Full guide — www.macobserver.com/… (just in time for all those holiday visits with the family you tech-support )
• Good advice for how US users can protect themselves from SIM swapping from the AARP (recommended by listener Lynn on the Podfeet Slack) — www.aarp.org/…

Palate Cleansers

• From Bart: An excellent telling of the true story of how a suite of Apps myself and Allison and countless other podcasters almost died, but has instead come back to life better than ever in 2024: The Developers Who Came in From the Cold — weblog.rogueamoeba.com/…

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji	Meaning
	A link to audio content, probably a podcast.
	A call to action.
flag	The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
	A link to graphical content, probably a chart, graph, or diagram.
	A story that has been over-hyped in the media, or, “no need to light your hair on fire”
	A link to an article behind a paywall.
	A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
	A tip of the hat to thank a member of the community for bringing the story to our attention.
	A link to video content.