Feedback & Followups
- As expected, Apple quickly patched the Kernel flaw powering the Unc0ver Jailbreak: Kernel Vulnerability Causes Apple to Update All Operating Systems — tidbits.com/…
- Covid19 Exposure Notification/Contact Tracing and other Apps Continue to be developed and rolled out:
- 🇺🇸 Apple COVID-19 App and Website Adds Anonymous Symptom Tracking — www.macobserver.com/…
- 🇬🇧 Things remain confusing in the UK:
- Private companies with connections to the government are getting permanent access to health data: Under pressure, UK government releases NHS COVID data deals with big tech — www.opendemocracy.net/…
- UK ministers still considering switching NHS app to Apple and Google’s framework — www.imore.com/…
- UK COVID-19 Contact Tracing App Set to Launch in Coming Weeks — www.macobserver.com/…
- This report claims the UK are not considering Apple & Google’s API: UK to launch contact tracing app ‘when the time is right’, says Matt Hancock — www.imore.com/…
- 🇪🇺 More European Countries Moving to Apple/Google Framework For Covid-19 Contact Tracing Apps — www.macobserver.com/…
- 🇨🇭 Swiss parliament paves way for coronavirus tracing app rollout this month — uk.reuters.com/…
- 🇮🇹 Italy launches contact-tracing app based on Apple and Google’s technology — www.imore.com/…
- 🇸🇬 Singapore’s contact tracing app isn’t mandatory because it doesn’t work on iOS — www.imore.com/…
- Nintendo have admitted that the breach of their Nintendo Network IDs last April was actually worse than initially reported, affecting about twice as many accounts (140K on top of the original 160K), and they are warning that if users had PayPal accounts or credit cards linked to their accounts then attackers could have made unauthorised purchases — www.imore.com/…
- Social Media Developments:
- 17 major tech companies including Facebook, Google, Microsoft & Apple have joined a renewed industry push to combat online child abuse — www.imore.com/… & www.macobserver.com/…
- A major shake-up underway at Reddit including changes on the board, and to content policies — www.reddit.com/…
- Related: 🇮🇪 the moderators of the subreddit for Ireland have started closing it down each night to stem a torrent of racism and other abusive posts — extra.ie/…
- Facebook to verify identities on accounts that churn out viral posts — nakedsecurity.sophos.com/…
- Facebook announces new ‘Manage Activity’ feature that lets you hide your past posts — www.imore.com/…
- Twitter now labeling all tweets linking 5G and coronavirus — www.imore.com/…
- Twitter to launch a revamped verification system with publicly documented guidelines — techcrunch.com/…
- Twitter wants to know if you meant to share that article — nakedsecurity.sophos.com/…
- Twitter discloses over 32,000 fake accounts with state links to China, Russia, and Turkey — www.imore.com/…
- Signal can now automatically blur faces in photos — and you can use the images in any app — thenextweb.com/…
- Snapchat stops promoting President Trump following violent tweets — www.imore.com/…
- TikTok joins EU’s fight against fake news — www.imore.com/…
- A mixed 2 Weeks for Zoom:
- 🎧 A good in-depth look at Zoom’s new End-to-End encryption (it seems really well designed): Security Now 769: Zoom’s E2EE Design — overcast.fm/…
- Zoom says it won’t end-to-end encrypt free calls so it can work with law enforcement — www.imore.com/…
- Zoom U-turns on decision to ban the account of U.S-based Chinese pro-democracy activists — www.imore.com/…
- Zoom says “we fell short” in explanation over banning of pro-Chinese democracy accounts — www.imore.com/…
- U.S. Lawmakers Ask Zoom About its Ties to China — www.macobserver.com/…
- WebAuthn: Google upgrades physical authentication technology for iPhone and iPad — www.imore.com/…
Deep Dive — The CallStranger UPnP Vulnerability
A security researcher has released details of a new vulnerability in the Universal Plug & Play (UPnP) specification that allows attackers to commandeer vulnerable devices for use in distributed denial of service attacks (DDoS).
For home users the big danger is routers with UPnP enabled on the internet-facing (WAN) side of the router. This won’t allow attackers to attack you, but it will allow them to use your router to attack others.
If you don’t need it, I would suggest disabling UPnP on your router. This is by no means the only UPnP attack out there, so disabling UPnP has been my advice for years anyway!
The problem was in the UPnP specification itself, so the spec has been updated, and device vendors now need to create and distribute firmware updates that bring their implementations in line with the revised spec.
Links
- The vulnerability’s home page — callstranger.com/…
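An added example, not code from the newsletter or from the researcher's disclosure, showing what "commandeering a device for DDoS" looks like from the defender's side. CallStranger abuses the CALLBACK header of a UPnP SUBSCRIBE request: a device that accepts a callback URL outside the local network will dutifully send its event notifications to that third party. The classifier below (hypothetical, written for this page) parses a raw SUBSCRIBE request, pulls out the CALLBACK URLs, and raises an alert when any of them points outside the LAN. The sample requests are constructed; the addresses are from documentation ranges, and the event paths and SID are made up.

```python
"""Flag UPnP SUBSCRIBE requests whose CALLBACK URLs point outside the LAN."""
import ipaddress
import re
from urllib.parse import urlsplit

# Address ranges a UPnP event subscriber on a home LAN can legitimately use.
# Listed explicitly rather than via ipaddress.is_private, because that
# property also treats documentation ranges such as 203.0.113.0/24 as private.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def host_is_lan(host: str) -> bool:
    """True only for literal IPs inside LAN_NETS; hostnames count as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETS)


def parse_request(raw: str):
    """Split a raw HTTP/UPnP request into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return method, target, headers


def callback_urls(headers: dict) -> list:
    """CALLBACK carries one or more URLs, each in angle brackets: <url1><url2>..."""
    return re.findall(r"<([^>]+)>", headers.get("CALLBACK", ""))


def classify_subscribe(raw: str) -> dict:
    """Return a verdict ('ignore', 'ok' or 'alert') plus the offending URLs, if any."""
    method, _target, headers = parse_request(raw)
    if method != "SUBSCRIBE":
        return {"verdict": "ignore", "reason": "not a SUBSCRIBE request", "external": []}
    urls = callback_urls(headers)
    if not urls:
        # Subscription renewals identify themselves by SID and carry no CALLBACK.
        return {"verdict": "ok", "reason": "renewal without CALLBACK", "external": []}
    external = [u for u in urls if not host_is_lan(urlsplit(u).hostname or "")]
    if external:
        return {"verdict": "alert",
                "reason": "CALLBACK points outside the LAN; the device would send "
                          "NOTIFY traffic to a third party",
                "external": external}
    return {"verdict": "ok", "reason": "all callbacks are on the LAN", "external": []}


# Constructed sample requests (hypothetical paths, documentation-range addresses).
LEGIT = ("SUBSCRIBE /upnp/event/wanipconn HTTP/1.1\r\n"
         "HOST: 192.168.1.1:49152\r\n"
         "CALLBACK: <http://192.168.1.20:49200/notify>\r\n"
         "NT: upnp:event\r\n"
         "TIMEOUT: Second-1800\r\n\r\n")
SUSPECT = ("SUBSCRIBE /upnp/event/wanipconn HTTP/1.1\r\n"
           "HOST: 192.168.1.1:49152\r\n"
           "CALLBACK: <http://192.168.1.20:49200/notify><http://203.0.113.7:80/>\r\n"
           "NT: upnp:event\r\n"
           "TIMEOUT: Second-1800\r\n\r\n")
RENEWAL = ("SUBSCRIBE /upnp/event/wanipconn HTTP/1.1\r\n"
           "HOST: 192.168.1.1:49152\r\n"
           "SID: uuid:example-subscription-id\r\n"
           "TIMEOUT: Second-1800\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("suspect", SUSPECT), ("renewal", RENEWAL)):
        print(label, classify_subscribe(req))
```

The rule is deliberately strict: on a home network there is no legitimate reason for an event subscriber to live outside the LAN, so any external callback is worth an alert. The more robust fix remains the one the newsletter gives, which is to disable UPnP on the WAN side (or entirely) and apply the vendor's firmware update when it arrives.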
❗ Action Alerts
- Last Tuesday was Patch Tuesday, lots of critical updates from Microsoft & Adobe, so patch promptly! — krebsonsecurity.com/… & nakedsecurity.sophos.com/…
- Firefox fixes cryptographic data leakage in latest security update — nakedsecurity.sophos.com/…
Worthy Warnings
- Crooks hijack “Black Lives Matter” to spread zombie malware — nakedsecurity.sophos.com/…
- Bitcoin scammers take YouTube channels for a SpaceX ride — nakedsecurity.sophos.com/…
- 🇺🇸 Amtrak breached, some customers’ logins and PII potentially exposed — nakedsecurity.sophos.com/…
- Babylon mobile health app mixes up patient consultation videos — nakedsecurity.sophos.com/…
- Privnotes.com Is Phishing Bitcoin from Users of Private Messaging Service Privnote.com — krebsonsecurity.com/…
- Botnet blasts WordPress sites with configuration download attacks — nakedsecurity.sophos.com/…
Notable News
- Facebook paid for a 0-day to help FBI unmask child predator — nakedsecurity.sophos.com/…
- 🧯Intel have patched the flaw enabling CROSSTALK, another side-channel attack against their CPUs. Like many of the side-channel attacks found since Spectre and Meltdown first drew the security community’s attention to Intel’s CPUs, this vulnerability breaks down the isolation between processes sharing a CPU. For home users that means the malware has to be running on your computer to attack you, which adds no value for an attacker who has already succeeded in running malware on your computer! Where this matters is in the cloud, where processes belonging to different organisations share hardware — nakedsecurity.sophos.com/…
- The privacy-focused commercial browser Brave got into hot water for adding trackers to links: Brave CEO apologises for adding affiliate links to URLs — nakedsecurity.sophos.com/…
- Apple’s Bug Bounty Program in Action: No password required! “Sign in with Apple” account takeover flaw patched — nakedsecurity.sophos.com/…
- IBM and Amazon pull back from using AI for facial recognition because of fears about biases, privacy concerns, and the possibility of abuses by over-reaching governments and law enforcement agencies:
- Two big companies release Open Source security libraries for developers:
- Apple open sources Password Manager Resources to help apps create strong passwords for popular websites — www.imore.com/…
- IBM have released open source toolkits to implement Fully Homomorphic Encryption (lets you process data while it’s encrypted) for iOS & macOS, and Linux & Android toolkits are on the way — www.ibm.com/…
- CloudFlare have announced two new variants of its free 1.1.1.1 DNS service aimed at families — to get free malware filtering use 1.1.1.2, and to get free malware filtering and adult content blocking use 1.1.1.3 — blog.cloudflare.com/…
Top Tips
- How to use the ACLU Mobile Justice app — www.imore.com/…
- The IC3, the US government’s internet security agency, have released a PSA warning of a rise in banking malware, and giving some good practical advice to keep your money safe — www.ic3.gov/…
- A nice guide on how to allow important people to bypass do-not-disturb on iOS devices. This is especially important in troubled times like these: How to Let Individual Contacts Reach You When Do Not Disturb Is Turned On for All Contacts — iPhone Life
Excellent Explainers
- 🇺🇸 An excellent explainer on the important subtleties of section 230 of the US Communications Decency Act: The Internet’s most important—and misunderstood—law, explained — arstechnica.com/…
- Important if you plan to run any Apple Betas this summer: Apple reminds developers how to file bug reports ahead of iOS 14 — www.imore.com/…
Palate Cleansers
- Stonehenge livestream summer solstice event in 2020 — matadornetwork.com/…
- 🎧 An excellent warts-and-all realistic look at America’s race to the Moon in the 60s: Moonrise — overcast.fm/… &
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
💵 | A link to an article behind a paywall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |