Security Update 2019-001 for macOS Sierra & High Sierra — tidbits.com/…
Safari 12.0.3 for macOS Sierra & High Sierra — tidbits.com/…
Drupal have fixed critical bugs in the 7.x, 8.5.x, and 8.6.x branches of their CMS — www.us-cert.gov/…
Notable News
🇺🇸 The CISA (the Cybersecurity and Infrastructure Security Agency under the DHS) issued their first Emergency Directive, ordering all government agencies to take immediate action to protect their DNS records:
🇺🇸 The government shutdown has resulted in TLS certificates on a number of government websites not being renewed before they expired. On sites that enable HSTS (HTTP Strict Transport Security), which should be most of them, the browser refuses to connect to the now-invalid certificate, resulting in security errors users cannot click past — nakedsecurity.sophos.com/…
🇺🇸 The Supreme Court has declined to take up the Yelp case, allowing the lower court’s ruling that the company is not liable for defamatory comments published on the service to stand. Had this case gone ahead it could have threatened the safe harbour that makes it viable for review services like Yelp to continue to exist — nakedsecurity.sophos.com/…
🇺🇸 A federal judge has ruled against a warrant that requested the right to seize all phones found at a property, regardless of who owned them, and force their owners to unlock them using biometrics. The judge described the request as over-broad and violating the 4th and 5th amendments to the US constitution — arstechnica.com/… & nakedsecurity.sophos.com/…
🇪🇺 🇫🇷 The French data protection regulator has fined Google €50M (~$57M) for GDPR breaches. The fine was for not giving sufficiently clear disclosure of how user data is collected and used. This is the biggest fine yet issued under the GDPR — www.macobserver.com/… & nakedsecurity.sophos.com/…
🇫🇷 Florence Parly, France’s Secretary of Defence, used a presentation to the Forum International de Cybersecurite to announce that cyber weapons are now part of France’s arsenal and ready to be used in war. She also announced that France will be starting a military bug bounty program — www.macobserver.com/…
Security researchers have uncovered a novel malware campaign that used a new technique to sneak malicious JavaScript into ads served over 5 million times on 25 of the top 100 sites on the net. The ad used steganography to hide the JavaScript inside an image so it passed the ad network’s malware detectors. Once running, the JavaScript popped up a fake message that Flash needed to be updated and offered the user a malicious download which, if run, infected their machine with malware. The campaign ran for two days, from the 11th to the 13th of January — arstechnica.com/…
The NYT reports that Facebook is working on integrating Instagram, WhatsApp and Facebook Messenger. The three apps will continue to exist as separate apps on the front end, but will have a unified backend. The silver lining is that all three services will get end-to-end encryption — www.nytimes.com/…
🇺🇸 Tim Cook wrote a guest editorial in Time magazine calling on the US government to pass laws enshrining 4 data privacy rights (minimisation, knowledge, access & security), and to regulate data brokers:
Because Edge on iOS and Android ships with NewsGuard installed, users are now getting a warning that they are visiting an untrustworthy site when they visit the website of the UK tabloid The Daily Mail (Editorial by Bart: great to see bad journalism not get a pass just because it’s published by a large corporation) — nakedsecurity.sophos.com/…
Following a frightening anecdote in which unknown attackers made a family’s Nest camera broadcast a message that a nuclear strike was under way, some media reporting implied that some kind of Nest vulnerability had been exploited. This does not seem to be the case; instead, it appears to be yet another example of the dangers of password re-use — nakedsecurity.sophos.com/…
Contrary to much speculation in the media, Facebook’s Ten Year Challenge is almost certainly not any kind of nefarious scam — nakedsecurity.sophos.com/…
⭐️ Troy Hunt (of Have I Been Pwned) has published information on a large cache of breached credentials which he’s named Collection #1. The collection contains 773M email addresses and 21M passwords. The data is not from a new breach, but is collated from thousands of smaller breaches which occurred about 2 to 3 years ago. The collection appears to have been for sale on underground forums since last year, but has only become public knowledge now. There are also Collections 2 through 5, but those have not been analysed yet — krebsonsecurity.com/…, nakedsecurity.sophos.com/… & www.intego.com/…
⭐️ A senior Amazon technical expert discovered a flaw in WhatsApp’s use of phone numbers as unique identifiers – when she logged into WhatsApp on a new phone she got someone else’s messages! — nakedsecurity.sophos.com/…
⭐️ Intel have released fixes for a security flaw found in their Software Guard Extensions (SGX). This is Intel’s equivalent of Apple’s Secure Enclave. Unfortunately, end-users can’t protect themselves directly; it’s up to hardware manufacturers to create and issue patches to their users — nakedsecurity.sophos.com/…