Security Bits logo - a green padlock with the words Security Bits to the right and in tiny letters below ithat it says 10101010 indicating a digital lock

Security Bits — 28 May 2023

Feedback & Followups

  • We now know that Pegasus was used in the war over the Nagorno-Karabakh region in Azerbaijan (an un-recognized independent republic with close ties to Armenia) from 2020 to 2022, with the Armenian foreign minister’s phone being hacked 27 times by an NSO Group customer assumed to be the Azerbaijani government — appleinsider.com/…
  • 🇺🇸 Apple’s case against the Correlium security tool vendor is not over yet, but Correlium have scored an important partial victory, with a judge ruling that Cybersecurity research falls under copyright fair use. — appleinsider.com/… (Editorial by Bart: this looks like an important precedent to me, even beyond US shores thanks to WIPO)
  • 🇫🇷 French regulator CNIL has imposed additional fines on ClearView AI for failing to comply with their ruling against the company last October (€20M original fine, additional €5.2M now) — nakedsecurity.sophos.com/…
    • Key points:
      • Biometrics are extra-sensitive PII, so informed consent is needed
      • Informed consent was not acquired, so the company was ordered to cease & desist collecting French data, and to delete it all
      • Company had 2 months to comply with the original order, now ruled not to have done so

Deep Dive — Google’s Release of the .zip & .mov TLDs

Since 2012 it has been possible for organisations with deep enough pockets to buy just about any top-level domain they would like. Google was one of the companies to take advantage of this new freedom, and in 2014 they registered two very generic top-level domains which are relevant to recent developments — .zip & .mov. Until now, Google have tightly controlled registrations on these TLDs, so they have been effectively unused. But that’s all changed now, and Google have opened up registrations on these TLDs to the world.

What makes these TLDs unusual is that they are also common file extensions, so it’s now possible to register a domain that looks like a filename, e.g. cryptowallet.zip or naughtymovie.mov.

The exact details will change from app to app, but it seems inevitable that attackers will find ways to leverage this ambiguity in phishing attacks — convincing users they are opening a local file or an email attachment when they are actually downloading a file from a URL. This is the kind of thing Apple’s download permission dialogue boxes in Safari will nip in the bud, but many apps and platforms are not as pro-active about alerting users to downloads.

There is zero doubt that these domains increase the theoretical risk for regular folks, but I’m not convinced that will translate into a measurable increase in real-world exploits. I was initially quite worried, but then I took the time to read Troy Hunt’s analysis, and I think he’s right — humans are already terrible at reading URLs, so the people potentially tricked by these URLs would probably also have been tricked by other URLs, so things will probably just stay the same in the real world.

There’s also a concerted move to kill the domains by block-listing them on corporate firewalls, making them effectively illegitimate, and possibly reading to the TLD’s retirement from sale. For example, the SANS institute are advising corporate sysadmins to block the TLDs whole-sale on their corporate DNS servers.

Finally, you should never have been opening email attachments you were not absolutely expecting anyway, so does not clicking on a link pretending to be the file you’re not clicking on really change anything? Don’t open email attachments, not even the fake ones 🙂

Links

❗ Action Alerts

Worthy Warnings

Notable News

  • Apple have shared their 2022 App Store Transparency Report — appleinsider.com/…
    • They chose to highlight blocking over $2 billion in fraudulent transactions & 1.7 million bogus apps — appleinsider.com/…
  • 🇪🇺 Twitter has chosen to withdraw from the EU’s voluntary code of conduct for social media companies, but that doesn’t change the fact that they’ll soon be regulated under the EU’s Digital Services Act (DSA) — appleinsider.com/…
  • 🇪🇺 The Irish Data Protection Commissioners have fined Meta a record €1.2Bn fine for continuing to transfer European data to the US under the so-called Privacy Shield which the ECJ struck down in 2020. Meta have 5 months to comply, but as expected, they plan to appeal — appleinsider.com/…
  • 🇺🇸 The US Supreme Court have chosen to uphold the status quo on the widely misunderstood but very important Section 230 of the Communications Decency Actappleinsider.com/…
  • 🇺🇸 Montana have passed a law banning TikTok that will go into effect next year, and as expected, the lawsuits have started flying — appleinsider.com/…
  • 🇺🇸 The US Surgeon General Dr. Vivek Murthy has released an advisory warning parents of the negative impacts social media can have on children’s mental health — appleinsider.com/…
    • Ezra Klein interviewed Jean Twenge about research trying to find a correlation between hospitalization for self harm and introductions of social media platforms: www.nytimes.com/…

Interesting Insights

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top