Feedback & Followups
- The SolarWinds attack
  - Malwarebytes Reveals it Was Hacked by Nation-State Behind ‘SolarWinds’ — www.macobserver.com/…
    - Did not use SolarWinds products
    - Vector was their Office365 tenancy (Microsoft spotted suspicious activity on their account and contacted them)
    - Attackers only got access to a subset of company email
    - In response they audited their own source code and build environments and found no evidence of exploitation
  - 🇺🇸 CISA has released a Malware Analysis Report on the so-called Supernova malware delivered as a payload in many SolarWinds attacks — us-cert.cisa.gov/…
  - Related: (via listener Lynda) The email security vendor Mimecast has revealed that the certificate its Sync and Recover, Continuity Monitor & Internal Email Protect (IEP) products used to authenticate with Office365 was compromised. There is speculation it might be the same attackers as the SolarWinds attack, but the company would not confirm that. The issue came to light when Microsoft alerted the company to suspicious activity related to its products — www.crn.com/…
- Facebook delays controversial WhatsApp privacy changes as millions flock to rival services — www.imore.com/…
- The end of Flash didn’t go smoothly for some: As Adobe Flash stops running, so do some railroads in China — hk.appledaily.com/…
❗ Action Alerts
- watchOS 7.3, iOS 14.4, iPadOS 14.4, and tvOS 14.4 Address Serious Security Exploit — tidbits.com/… & Apple critical patches fix in-the-wild iPhone exploits – update now! — nakedsecurity.sophos.com/…
- Thanks to Google’s Project Zero there are updates to Signal, Facebook Messenger, Google Duo, JioChat & Mocha fixing a bug that let audio and video be transmitted without permission — www.macobserver.com/…
- Linux users should patch ASAP to fix a sudo bug (named Baron Samedit) that allows any user to get root privileges — www.bleepingcomputer.com/…
Notable News
- Twitter’s new Birdwatch is an attempt to crowdsource a fix for fake news — www.imore.com/…
- 🇬🇧 There’s a new way to see news on Facebook in the UK — www.imore.com/…
- Microsoft Edge Update Adds Built-in Password Manager — www.macobserver.com/…
- Apple made a big privacy push on Data Privacy Day (28 January), announcing that the next beta of iOS will require apps to implement App Tracking Transparency, and releasing an illustrative story about how tracking affects us all in our day-to-day lives as a father simply takes his daughter for a walk in the park — www.apple.com/…
- Apple’s story: A Day in the Life of Your Data — www.apple.com/… (PDF)
- Apple have also released more details about App Tracking Transparency — www.macobserver.com/…
> we will enhance SKAdNetwork and add Private Click Measurement … Private Click Measurement enables the measurement of ad campaigns that direct users to websites while preserving user privacy
- Apple Privacy Exec Jane Horvath Discusses ‘False Dichotomy’ of Free Services — www.macobserver.com/…
- Tim Cook slams businesses built on “data exploitation” in speech — www.imore.com/…
- Related: In their latest earnings Facebook flagged that Apple’s App Tracking Transparency feature may start affecting earnings by the end of the next quarter, and Zuckerberg commented in the earnings call that Apple is mainly interested in privacy for its own interests, not those of its users — www.imore.com/…
Top Tips
Interesting Insights
- 🎧 (From Allison) DTNS 3952: Getting Quantum with Kiki — dailytechnewsshow.com/…
- 💵 Behind a Secret Deal Between Google and Facebook — www.nytimes.com/…
Facebook was going to compete with Google for some advertising sales but backed away from the plan after the companies cut a preferential deal, according to court documents.
Just Because it’s Cool 😎
- US administration adds “subliminal” ad to White House website — nakedsecurity.sophos.com/…
- CGP Grey Video on emotions in “news”: This Video Will Make You Angry
Palate Cleansers
- From Allister in our Podfeet Slack: A 10 Billion Pixel Scan of Vermeer’s Masterpiece Girl with a Pearl Earring: Explore It Online — www.openculture.com/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
💵 | A link to an article behind a paywall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |