Feedback & Followups
- Following on from Apple’s choice to settle a US class action suit over privacy breaches caused by accidental Siri activations, Apple released a press release confirming my interpretation of the case, and verifying that the more conspiratorial allegations that some media reporting chose to focus on were not true — www.apple.com/…
- This might be one to bookmark for sharing with worried friends or family who were spooked by some of the more sensationalist reporting on this case by some of the less scrupulous news outlets, or by some of the conspiratorial nonsense on social media.
- Related: 🧯 In case friends or family get scared by this sensationalist nonsense spreading on social media: No, Siri’s “Learn from this app” Setting Is Not Sending Data From Your Apps to Third Parties — www.intego.com/…
- 🇨🇳 The recent Salt Typhoon spate of hacks of Western telecommunications companies by Chinese state actors continues to evolve:
- 🇺🇸 Two more US telcos have been confirmed compromised (Charter & Windstream) — Chinese hackers also breached Charter and Windstream networks — www.bleepingcomputer.com/…
- 🇺🇸 FCC orders telecoms to secure their networks after Salt Typhoon hacks — www.bleepingcomputer.com/…
- 🇺🇸 🇨🇳 The FBI has followed French law enforcement’s lead and pro-actively reached in and removed PlugX malware infections connected to Chinese state actors from computers in the US — www.bleepingcomputer.com/…
- These actions were all taken with court approval that has now been unsealed
- The FBI has let US ISPs know which IP addresses were cleaned up so they can inform the affected customers
- 🇫🇷 We covered France taking this dramatic action on the eve of the Paris Olympics last summer
Deep Dive 1 — Data Breach Exposes Illicit Location Tracking via Ad Auctions
TL;DR — if you see an ad in an app it can track you, and your only effective defence is avoiding all apps with ads.
A data breach at a data broker has exposed a nefarious abuse of the real-time bidding system used by ad brokers to sell ad spots in apps. This technique allows malicious ad agencies to disregard user preferences and track smartphone users’ locations as they use apps with ads, without the app developers’ awareness, let alone consent. In fact, the ad agencies didn’t even need to win the auctions to steal the data, they just had to bid on the ad slots.
The key to this tracking technique is capturing the data and metadata presented to ad brokers during the auctions. This data includes the name of the app, and the IP address of the device running the app. With all the other data these ad brokers have about users they were able to join the dots and add more or less accurate locations to the profiles they build on users, which they could then sell to location brokers.
Because this is happening within the ad industry’s back-end, no collaboration is required from app developers (other than choosing to embed ads). There are no explicit API calls to the data brokers, and it’s not even that location tracking API calls have been snuck into other useful code libraries. From the app’s point of view they’re just sending entirely normal ad placement offers to their ad broker and receiving the ads that win the bid in response.
Because the developers are out of the loop, the leaked data reveals that really major apps are being abused to track users without their consent including:
- CandyCrush
- Temple Run
- My Fitness Pal
- My Period Calendar & Tracker
- Tinder
- Tumblr
- Office365 apps
- Yahoo Email
- FlightRadar24
- Various Christian & Muslim prayer book apps
- Many VPN apps
The ad companies have no permission or consent to do any of this, they just abuse any and all crumbs of data and metadata they can glean from the massive back-end that powers the modern ad ecosystem to track users anyway.
How Can we Defend Ourselves?
Note that this attack vector is specific to ads in apps, so our existing browser protections and ad blocking plugins are not in play here.
It’s important to underscore the fact that this is happening within the advertising industry’s back-end, not on user devices, so things like iOS App Tracking Transparency and App Store review processes can’t stop this (at least not with anything short of OS-level blocking of all connections to ad-related IP addresses which is not practical or realistic!)
That said, iOS can dent the effectiveness of these attacks with App Tracking Transparency: when you ask an app not to track, the OS withholds the advertising identifier (IDFA) that these brokers rely on to join the dots between apps, and unless you have separately granted the app location permission it has no precise GPS coordinates to attach to the ad request, limiting the malicious trackers to the approximate location they can infer from your IP address.
At this stage we simply have to assume that every ad we see in any app is an opportunity for hostile actors to track us, so the best we can do is avoid all in-app ads by not using apps that monetise with ads, or upgrading to ad-free versions with in-app purchases or paid memberships/subscriptions.
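To make the mechanism concrete, here is an added example (not code from the original article, the Wired report, or any ad broker) of what a bidder learns simply by receiving a bid request, and how much of it survives when a user has opted out of tracking. The two bid requests and the IP-to-city table are constructed; the field names (app.bundle, device.ip, device.ifa, device.lmt, device.geo) follow the OpenRTB convention, which is an assumption about what the brokers in this story actually exchange:

```python
import ipaddress
import json

# Constructed bid request using OpenRTB-style field names. It illustrates the
# kind of record an ad exchange fans out to every bidder before the auction is
# decided; it is not data captured from any real broker.
BID_REQUEST_FULL = json.loads("""{
  "id": "req-0001",
  "app": {"bundle": "com.example.periodtracker", "name": "My Period Calendar"},
  "device": {
    "ip": "203.0.113.42",
    "ifa": "8A0B1C2D-3E4F-5061-7283-94A5B6C7D8E9",
    "lmt": 0,
    "geo": {"lat": 53.3498, "lon": -6.2603, "type": 1}
  }
}""")

# Same app, but the user chose "Ask App Not to Track" and never granted the
# app location permission: the IFA is zeroed, lmt is set, and there is no GPS
# fix in the request at all. The IP address is still present (constructed).
BID_REQUEST_ATT_DENIED = json.loads("""{
  "id": "req-0002",
  "app": {"bundle": "com.example.periodtracker", "name": "My Period Calendar"},
  "device": {
    "ip": "203.0.113.42",
    "ifa": "00000000-0000-0000-0000-000000000000",
    "lmt": 1
  }
}""")

# Stand-in for a commercial IP-geolocation database (constructed values).
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("IE", "Dublin"),
}


def approximate_location(ip):
    """Coarse city-level lookup from the IP address alone."""
    addr = ipaddress.ip_address(ip)
    for net, place in GEOIP_TABLE.items():
        if addr in net:
            return place
    return None


def harvest(bid_request):
    """What a bidder learns from merely *receiving* the request.

    Nothing here depends on winning the auction or on the app developer's
    cooperation: the app name, the IP, and (if present) a stable advertising
    ID and a GPS fix all arrive before any bid is placed."""
    dev = bid_request["device"]
    ifa = dev.get("ifa", "")
    # A zeroed IFA or lmt=1 means there is no usable cross-app identifier.
    has_ifa = bool(ifa) and set(ifa) != {"0", "-"} and not dev.get("lmt")
    geo = dev.get("geo")
    return {
        "app": bid_request["app"]["bundle"],
        "ip": dev["ip"],
        "stable_id": ifa if has_ifa else None,
        "precise_location": (geo["lat"], geo["lon"]) if geo else None,
        "approximate_location": approximate_location(dev["ip"]),
    }


if __name__ == "__main__":
    print("tracking allowed:", harvest(BID_REQUEST_FULL))
    print("tracking denied: ", harvest(BID_REQUEST_ATT_DENIED))
```

Run it and compare the two dictionaries: in the opted-out case the bidder still gets the app bundle ID (enough to know it is a period tracker or a prayer app) and a city-level location from the IP, but loses the stable identifier and the precise coordinates, which is exactly the dent App Tracking Transparency makes.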
Links
- A nice short summary: Advertisers are hijacking apps to beat Apple and developers’ privacy efforts — appleinsider.com/…
- A detailed report: Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location — www.wired.com/…
- An important observation: Why the latest location data leak won’t hit iPhone users as hard — www.cultofmac.com/…
Deep Dive 2 — A Massive New Password Leak and an Important New Feature in Have I Been Pwned (HIBP)
Data stealer malware is on the rise, and one of the kinds of data these malicious tools steal is login information. By various means, including keyloggers, scans of files, and browser hacks, attackers build up databases of website, email address, and password records, which they can then sell on the dark web.
Like all organisations, cybercrime gangs make mistakes, so from time to time these databases of stolen passwords leak. That happened recently when 71 million login credentials were leaked to Troy Hunt’s Have I Been Pwned service.
The problem for Troy was that this new type of data breach didn’t fit nicely into HIBP’s original design. The service was designed to let people know when a specific website lost their details, so each breach was tied to a single website implicitly. If you were in one of the LinkedIn breaches then it was your LinkedIn account that was compromised!
Stealer logs break this one-to-one mapping between websites and data breaches. Knowing that an account with your email address was included in a database of username and password pairs for millions of sites is not really that useful, the obvious next question has to be “on what sites?”!
That’s the problem HIBP have just addressed with a new set of related features for individuals and organisations:
- Individuals can now see the websites their email address was associated with in any stealer logs added to HIBP. This new functionality has simply been added to the existing free report anyone can get for an email address they have access to — simply request a report for your email address, complete the ownership verification challenge, and see just how pwned your address is 🙂
- Organisations with paid subscriptions (not the free up-to-10-compromised-users tier) can access this updated information via a new API end-point for all email addresses on all domains they have proven ownership of and added to their accounts.
If you haven’t done so already, I’d recommend signing up for free breach notifications on your primary email address or addresses using the Notify Me button on the banner at the top of the Have I Been Pwned home page. While you’re there you might want to see your current report by entering your address into the big search box at the top of the home page.
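The one-to-many shape of stealer-log data is the whole reason HIBP needed a new feature, so here is an added example (my own illustration, not HIBP’s code or its data model) of building the “which sites?” index from raw stealer-log lines. The sample lines are constructed, and the `URL:username:password` layout is an assumption about how such logs are typically traded, not a statement about what HIBP received. The parser keeps only the site and the email, discards the password, and copes with the colons that legitimately appear inside URLs (ports, schemes) and inside passwords:

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in an assumed "URL:username:password" layout. Note the
# port in the second URL, the colons in its password, the mixed-case email,
# and the junk line that must be skipped rather than crash the parser.
SAMPLE_LOG = """\
https://www.linkedin.com/login:alice@example.com:hunter2
https://accounts.google.com:443/signin:alice@example.com:p@ss:with:colons
https://app.myfitnesspal.com/account/login:bob@example.com:letmein
https://tinder.com/:Alice@Example.com:hunter2
this line is not a credential at all
https://vpn.corp.example.net/:carol@example.org:s3cret
"""

# URL (scheme, host, optional :port, colon-free path) : user : password.
# Email addresses never contain ':' so the user field is unambiguous, and
# everything after the second separator is the password, colons included.
LINE_RE = re.compile(
    r"^(?P<url>https?://[^/:\s]+(?::\d+)?[^:\s]*):(?P<user>[^:\s]+):(?P<password>.*)$"
)


def parse_stealer_line(line):
    """Return (site_host, email) for a credential line, or None if unparseable.

    The password is deliberately thrown away: to answer "on what sites?" we
    only need the host and the address, so there is no reason to keep the
    secret in memory or on disk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = urlsplit(m.group("url")).hostname  # drops the port, lowercases
    if host is None:
        return None
    return host, m.group("user").lower()


def index_by_email(log_text):
    """Map each email address to the set of site hosts it was captured on.

    This is the individual's view: one address, many sites."""
    index = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_stealer_line(line)
        if parsed:
            host, email = parsed
            index[email].add(host)
    return dict(index)


def sites_for_org(index, org_domain):
    """The organisation's view: every address under a domain it owns, with the
    sites each one was captured on (sorted for stable reporting)."""
    suffix = "@" + org_domain.lower()
    return {email: sorted(hosts) for email, hosts in index.items() if email.endswith(suffix)}


if __name__ == "__main__":
    idx = index_by_email(SAMPLE_LOG)
    for email, hosts in sorted(idx.items()):
        print(email, "->", sorted(hosts))
    print("example.com view:", sites_for_org(idx, "example.com"))
```

The design point is in `index_by_email`: a breach tied to one site needs only a set of emails, but a stealer log needs an email-to-sites map, and the organisational report is just that map filtered by the domain suffix the organisation has proven it owns.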
Links
- Troy Hunt’s explanation of why HIBP needed this new feature, and how it works — www.troyhunt.com/…
❗ Action Alerts
- January Microsoft Patch Tuesday has been and gone, and it was a big one!
- Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws — www.bleepingcomputer.com/…
- Microsoft: Happy 2025. Here’s 161 Security Updates — krebsonsecurity.com/…
- Microsoft January 2025 Patch Tuesday — isc.sans.edu/…
- Related: The patches include a fix for this nasty bug with Windows: New UEFI Secure Boot flaw exposes systems to bootkits, patch now — www.bleepingcomputer.com/…
- Owners of Samsung Android devices, be sure you’re patched – Google’s Project Zero have released the details of a nasty zero-day they found and responsibly disclosed which was patched in December 2024 — thehackernews.com/…
- Mac users should double-check they’re fully patched, Microsoft have released details of a bug they responsibly disclosed to Apple which was patched in December: macOS flaw that allowed attackers to bypass core system protections is now fixed — appleinsider.com/…
- Listeners running an rsync server (most likely on a NAS, Linux VM or Linux VPS) beware: Over 660,000 Rsync servers exposed to code execution attacks — www.bleepingcomputer.com/…
Worthy Warnings
- Cybersecurity experts are warning of a new tactic being used in smishing (phishing over SMS) attacks to trick iPhone users into disabling a security feature in the Messages app — www.bleepingcomputer.com/…
- To fight phishing, Apple’s Messages app disables links in messages coming from people that you’ve not interacted with before
- These new phishing attacks tell users to reply “Y” and then click the link
- The act of replying with anything at all is interaction, and that will remove the link block
- 🇺🇸 US Tax Payers Pay Heed: Scammers file first — Get your IRS Identity Protection PIN now — www.bleepingcomputer.com/…
- 🇺🇸 US drivers take note:
- Allstate car insurer sued for tracking drivers without permission — www.bleepingcomputer.com/… (suit filed by the Texas Attorney General)
- “Allstate collected trillions of miles worth of location data from over 45 million consumers nationwide and used the data to create the world’s largest driving behavior database … When a consumer requested a quote or renewed their coverage, Allstate and other insurers would use that consumer’s data to justify increasing their car insurance premium.” — Court Filings
- FTC orders GM to stop collecting and selling driver’s data — www.bleepingcomputer.com/…
- OnStar was collecting driver behaviour and location data every 3 seconds and selling it to insurance companies without informed consent from users
- This data was used by insurance companies to raise premiums and even deny some drivers cover
Notable News
- 🧯 Security researchers have found a critical vulnerability in a proprietary USB-C controller Apple use in many of their devices. But, at least for now, attacks are not practical, so there’s nothing regular users need to do — appleinsider.com/…
- As the bug is now known Apple are likely to at least try to patch it
- It’s possible additional weaknesses or exploit techniques will be discovered, making this a real concern for regular users in the future, and if that happens we’ll flag that in a future Security Bits
- For now, the most likely outcome may be new tethered iPhone jailbreaks
- 🇺🇸 The US government has launched the US Cyber Trust Mark smart device certification promised in 2023 — thehackernews.com/… (cybersecurity baseline for internet-connected devices)
- > Consumers can scan the QR code included next to the Cyber Trust Mark labels for additional security information, such as instructions on changing the default password, steps for securely configuring the device, details on automatic updates (including how to access them if they are not automatic), the product’s minimum support period, and a notification if the manufacturer does not offer updates for the device.
- 🇺🇸 Biden signs executive order to bolster national cybersecurity — www.bleepingcomputer.com/…
- Boring but important basics to give US government agencies more tools for fighting back, including sanctioning malicious attack groups
- Not a new order but an update to an existing order from the Obama administration — not controversial, so unlikely to be rolled back by the new administration
- 🇺🇸 FTC orders GoDaddy to fix poor web hosting security practices — www.bleepingcomputer.com/…
- 🇮🇳 India moves closer to becoming the next major market to pass broad data protection laws with the opening up for public comment of the proposed Digital Personal Data Protection (DPDP) Rules — thehackernews.com/… (quite GDPR-like all in all, laying out responsibilities for those holding personal data)
Top Tips
- Given some recent moderation changes and the general state of polarisation at the moment, you might be in the mood to start the new year with a few fewer social media accounts: How to Delete Your Social Media Accounts: Facebook, X, Instagram, TikTok, and More — www.intego.com/…
- Note from Bart: I recommend not actually deleting accounts unless they are completely anonymous, but going dormant by simply removing the app from your home screens and disabling notifications. You don’t want others to be able to steal your digital identity by re-creating an account with the same username!
- Related: Mastodon have formally moved their copyrights, other intellectual property, and other assets into a European non-profit (making sure the Mastodon creator Eugen Rochko can’t do a Mullenweg and get Mastodon into the kind of mess WordPress is now in) — blog.joinmastodon.org/…
Interesting Insights
- The Mac and iPhone malware of 2024—and what to expect in 2025 — www.intego.com/…
- More stealer malware as it seems to have been profitable for cybercriminals in 2024
- More fraudulent apps sneaking into the official Apple & Google app stores, or bypassing them completely via sideloading/3rd-party stores, especially in Europe
Palate Cleansers
- From Nosillacastaway Jonathan Wessler on Slack: 1Crossword: crosswords for your password manager · eieio.games — eieio.games/…
- From Bart: the fascinating story of how the first version of the Dock came into being 25 years ago – turns out it was written by James Thomson of PCalc fame from Cork in Ireland while he and his manager were pretending to Steve Jobs that he’d moved to California: I Live My Life a Quarter Century at a Time — tla.systems/…
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
💵 | A link to an article behind a paywall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
🎦 | A link to video content. |