Feedback & Followups
- Following on from the iOS clipboard security weakness discussed in the previous instalment, security researchers have now observed many popular iOS apps periodically polling the clipboard for no apparent reason, and it’s not known what the apps do with the data they find there. Apps observed polling the clipboard include TikTok and a whole raft of news apps including ABC News, CBS News, CNBC, Fox News, New York Times, Reuters and the WSJ — www.imore.com/…
- The bug in Zyxel products we discussed in the previous instalment is now being actively exploited to build a botnet. If you have a Zyxel router, VPN, or Firewall, you really do need to make sure it’s patched! — krebsonsecurity.com/…
- Grey-hat security company Grayshift has been forced to raise its prices because iPhones & iPads are getting ever more secure, or, as they put it, “Forensic Access to iOS continues to increase in difficulty and complexity” — www.macobserver.com/…
- Last time we warned that malefactors would abuse the COVID-19 crisis to extort people. Sadly, that is indeed coming to pass: Android malware uses coronavirus for sextortion and ransomware combo — nakedsecurity.sophos.com/…
❗ Action Alerts
- Microsoft have issued an out-of-band patch for Windows 10 to patch the wormable vulnerability named SMBGhost — nakedsecurity.sophos.com/…
- Delayed Adobe patches fix a long list of critical flaws — nakedsecurity.sophos.com/…
Worthy Warnings
Notable News
- 🇺🇸 Senator Lindsey Graham tries to sneak the anti-encryption EARN IT Act through by not mentioning encryption and moving the bill forward during the COVID-19 crisis — nakedsecurity.sophos.com/… (Frivolous Editorial by Bart: a great example of the art of the backronym, standing for Eliminating Abusive and Rampant Neglect of Interactive Technologies)
- 🇺🇸 Uber is filing a lawsuit against Los Angeles to protect its users from what the company and privacy advocates consider a privacy-invading demand by the city for real-time user location data access — nakedsecurity.sophos.com/…
Top Tips
- Andrew Orr at TMO linked to a nice open-source Safari extension for stripping tracking parameters from URLs (Editorial by Bart: ironically TMO use tracking parameters in their URLs, I’ve been manually stripping the UTM header from TMO links in these show notes for years!) — github.com/…
- Apple are pro-actively curating COVID-19 information sources:
- Not security-related, but important in these unusual times:
- Best tips for remote work and working from home — www.imore.com/…
- Tips for the Mac user new to working from home — www.macworld.com/…
- Bonus Tip from Bart: IMO it’s really important to keep a clear distinction between I’m working and I’m home time, even when those are not sharing the one physical space. If at all possible I strongly suggest using a separate computer at a separate desk for your work. If you can’t use a separate computer, use a separate user account so you can fully switch between work and not-work contexts.
Excellent Explainers
Palate Cleansers
- 🎧 🎵 12 of the best Apple Music playlists for working from home — www.imore.com/… (These show notes were powered by the ‘Unplugged: Acoustic Hits’ playlist)
- 🎧 Darknet Diaries: Samy, about hacker Samy Kamkar.
- Los Angeles Times declares Podcasts as essential services — www.latimes.com/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
💵 | A link to an article behind a pay-wall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |