Happy 11th anniversary to the NosillaCast! You can listen to the first show that aired on Sunday May 15, 2005. I’ll tell you about EasilyDo Email which might just make your life easier, and then I have a review of the new Ricoh Theta S 360 degree camera. Bart is back with Security Bits (spoiler: there are updates to everything!)
Hi, this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday May 15, 2016 and this is show number 575. And guess what else it is? It’s the 11-year anniversary of the NosillaCast! On May 13th, 2005, I recorded the first episode, not realizing what I was getting into and how much fun Steve and I would have with this community. Following on with tradition, I put a link in the shownotes to the first episode if you want some comedy.
In Chit Chat Across the Pond this week, Bart Busschots and I get back to work in Programming By Stealth Episode 14 of x. This week he teaches me about Arrays and Loops in JavaScript. It’s starting to get more challenging but he promises next time will be a bit easier. Remember to subscribe in your podcatcher of choice to Chit Chat Across the Pond.
iTunes Reviews
I saw a post in Google+ about a tool called PodBuzz that helps podcasters see an aggregated view of all of the iTunes reviews they’ve received from all countries (normally you can only see your own country). I realized looking at it that I hadn’t asked you guys to provide feedback in a really long time! I know it’s hard to remember to do it, and I forget for a long time on shows I listen to so I thought it wouldn’t hurt to drop a reminder in here. It helps the show get noticed to have fresh, new reviews so I’d really appreciate it. Note that I didn’t say it had to be a good review, although it wouldn’t make me sad to hear the good ones too! There’s one very honest review in there that says I’m annoying, and that she skips forward to Bart’s Security Bits. That’s cool, at least she gets the part she does like, right? I did laugh at one thing she said though, she said that when I don’t get my way in an argument I make a raspberry sound and that it’s childish. I laughed because that’s EXACTLY how I mean it! It usually means the other person has made a terrific point and that I don’t like it so I’m going to pout. Anyway, go off and shoot a review in iTunes if you have some time, I’d really appreciate it!
Blog Posts
EasilyDo Email for IOS and Android Might Make Your Life Easier
Ricoh Theta S “360” Camera Review
Security Bits
Some Followups
- Apple have released an updated version of Xcode which patches the Git vulnerabilities Bart mentioned in the last Security Bits – www.intego.com/…
- WhatsApp were clearly listening to Allison when she bemoaned the fact that there were no native OS X or Windows clients – they've just released some! – www.macobserver.com/…
Encryption Wars Update
- The FBI has formally decided not to share the details of the hack they used to crack the San Bernardino iPhone with Apple – www.reuters.com/…
- On April 14th the FBI used the White House's new process for sharing vulnerabilities with vendors to share details of an old vulnerability with Apple – this was the first time the FBI used the process to disclose a vulnerability to Apple. The vulnerability was not the one used against the San Bernardino iPhone – www.reuters.com/…
- James Comey was wrong when he put a roundabout value on the San Bernardino hack that comes out to over $1.3M – an FBI source has clarified that the price paid was under $1M – www.imore.com/…
- At the request of the US DOJ, the US Supreme Court has updated Rule 41, making it easier for the US government to legally hack into computers (connecting to a VPN or to Tor would be enough to brand you a criminal) – Congress have the power to step in and stop the change going into effect – nakedsecurity.sophos.com/… & www.macobserver.com/…
- A judge in LA has forced a woman to unlock her iPhone with her fingerprint – nakedsecurity.sophos.com/…
- A Brazilian judge ordered WhatsApp to be blocked (again) for 72 hours for not handing over data they do not have (the order was overturned after 12 hours by a higher court) – www.reuters.com/… & nakedsecurity.sophos.com/…
- The FBI hacked into an iPhone 5S, but it's not as big a story as it sounds, because the phone was running iOS 7 – www.latimes.com/…
- India says it can decrypt iPhones, but is very light on the details – www.imore.com/… & www.macobserver.com/…
- General Michael Hayden (former CIA and NSA director) tells the FBI to stop obsessing about content and focus on metadata – strong encryption is not going away, and attempting to ban it would be dangerous and counterproductive – www.macobserver.com/…
- Motherboard highlight an interesting possible constitutional right to bear encryption – the US government have a history of considering encryption as arms, so the second amendment to the US constitution could be argued to protect the right to use strong encryption (Editorial by Bart: not sure how you get a well organised militia of encryptors though) – motherboard.vice.com/…
Important Security Updates
- Microsoft and Adobe released important security updates on Patch Tuesday – products patched include PDF Reader, Flash, IE, Office & Windows. The Windows patches include a fix for a zero-day bug that is being actively exploited, and the Office patches are also for Mac users – krebsonsecurity.com/…, arstechnica.com/… & www.intego.com/…
- Adobe released a separate patch to Flash to fix a zero-day bug being actively exploited – nakedsecurity.sophos.com/…
- If you run your own website, you might want to make sure it does not use the open-source image editing library ImageMagick, or, that you have patched ImageMagick on your server – a nasty, but now patched, vulnerability is being exploited in the wild – nakedsecurity.sophos.com/… & arstechnica.com/…
- If you run your own WordPress site, make sure it has been updated to at least version 4.5.1, which patched a nasty, actively exploited, vulnerability – www.us-cert.gov/…
Important Security News
- Opera adds a sorta-kinda VPN to its browser (Editorial by Bart: better than nothing, but really not a replacement for a proper VPN) – nakedsecurity.sophos.com/…
- There are attacks in the wild against older versions of Android – many devices that cannot be updated are at risk – arstechnica.com/…
- The US military go public with plans for cyberwar against ISIS (and ISIS fight back) – arstechnica.com/… & arstechnica.com/…
- A fake DDoS company has been able to earn about $100,000 worth of bitcoins simply by threatening to DDoS – they appear to have no capability to actually DDoS anything – arstechnica.com/…
- The American Dental Association says it may have accidentally mailed malware-ridden USB thumb drives to thousands of dental offices in the US (Editorial by Bart: goes to show, it's not just thumb drives you find in the parking lot you need to be wary of!) – krebsonsecurity.com/…
- The US House of Representatives has unanimously passed a bill requiring law enforcement to get a warrant before searching people's email – the bill still needs to pass the Senate before being sent to the President for his signature – www.macobserver.com/…
- The EU has updated the rules Europol operates under to allow more data sharing – this was called for in the wake of the Paris attacks – arstechnica.com/…
- Researchers discover fundamental design flaws in Samsung's SmartThings IoT framework – they allow attackers to do things like make their own keys for your front door – arstechnica.com/…
- Senator Charles Schumer asks the US FTC to investigate 'spying billboards' (billboards that use wireless MAC addresses to track people without their consent) – nakedsecurity.sophos.com/…
- Microsoft are discontinuing Wi-Fi Sense, their controversial Wi-Fi password sharing feature – nakedsecurity.sophos.com/…
- The US FCC & FTC are launching a probe into the availability of security updates for smartphones – www.imore.com/…
- Sophos finds malware in the Google Play store masquerading as games. Five days after reporting the malware to Google, the offending apps were still available in the store – nakedsecurity.sophos.com/…
- Microsoft has brought in a total ban on ads for online tech support services on Bing – this is a response to rampant tech support scams plaguing the world – nakedsecurity.sophos.com/…
Notable Breaches
- Dating site BeautifulPeople.com has lost control of 1M user records, including details like sexual orientation, marital status, income, DOB, and email address. No financial data was stolen, and the passwords were hashed (though we don't know the details) – nakedsecurity.sophos.com/…
- 7 million usernames and BADLY hashed (MD5, no salt) passwords have been stolen from LifeBoat, a service that provides custom multiplayer environments to gamers who use the Minecraft mobile app (Editorial by Bart: if you use this service and re-used the password anywhere else, reset it EVERYWHERE ASAP) – arstechnica.com/…
- PwnedList, a site that collects breach data so that users can check whether they have been breached, has itself been breached – krebsonsecurity.com/…
- Mainstream news was awash with reports of 272 million hacked accounts on services like mail.ru, yahoo mail, and Gmail. The whole thing smelled fishy from the start, but that didn't stop the media spreading the sensational 'news'. A little testing proved what most educated people expected, the stolen credentials were almost entirely bogus – arstechnica.com/…
- Guessable default PINs at credit monitoring firm Equifax appear to have exposed to attackers the W-2 tax forms of many employees of US companies that use Equifax – krebsonsecurity.com/…
- 5% of Wendy's restaurants hit by credit card breach – krebsonsecurity.com/… & nakedsecurity.sophos.com/…
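The LifeBoat item above is a textbook case of why unsalted MD5 is a bad way to store passwords. As an added illustration (not from the show or any of the linked articles), this Python snippet compares that scheme with per-user salted PBKDF2 on a constructed credential table; the storage format string and sample users are my own assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample of a leaked credential table; two users chose the same password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "a different password",
}

def md5_unsalted(password):
    """Storage scheme from the breach: fast, unsalted MD5 (do not use)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def pbkdf2_salted(password, salt=None, iterations=100_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    Output format is an assumption of this example: alg$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def users_with_shared_digest(table, hash_fn):
    """Count users whose stored digest equals another user's.
    Unsalted hashing leaks this before a single password guess is made;
    per-user salts hide it even when the passwords are identical."""
    by_digest = {}
    for user, password in table.items():
        by_digest.setdefault(hash_fn(password), []).append(user)
    return sum(len(users) for users in by_digest.values() if len(users) > 1)

if __name__ == "__main__":
    print("unsalted MD5, users sharing a digest:",
          users_with_shared_digest(SAMPLE_USERS, md5_unsalted))
    print("salted PBKDF2, users sharing a digest:",
          users_with_shared_digest(SAMPLE_USERS, pbkdf2_salted))
```

The same unsalted digest also matches any precomputed table of common passwords, which is why Bart's advice to reset a re-used password everywhere applies even when the dump only contains hashes.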
Suggested Reading
- A timely warning from Sophos about the dangers of running (double-clicking) JavaScript files sent via email (not talking about JavaScript on web pages here) – nakedsecurity.sophos.com/…
- A 10 year old from Sweden has been awarded $10,000 through Facebook's bug bounty program for finding and reporting a bug in Instagram – arstechnica.com/…
- Researchers find that chocolate makes people more susceptible to social engineering – nakedsecurity.sophos.com/…
- Apple have released their latest transparency report – www.imore.com/…
- A nice description of some of the advanced techniques used by the PLATINUM hacking group, including live-patching the Windows kernel – arstechnica.com/…
- A computer controlling the fuel rods in a German nuclear power plant was found to be swarming with malware – arstechnica.com/…
- A US judge is holding a man in prison indefinitely because he will not tell police his password – he is claiming his Fifth Amendment rights; the judge is calling his silence contempt of court – nakedsecurity.sophos.com/…
- Many companies are accidentally publishing their Slack keys in GitHub – just another reminder not to check passwords and keys into source control – arstechnica.com/…
- Microsoft is speeding up the deprecation of SHA-1 certs – arstechnica.com/…
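The Slack-keys-in-GitHub item above is the kind of mistake a pre-commit check catches cheaply. As an added example (not from the show or the linked article), this Python script scans only the added lines of a staged diff for credential-shaped strings; the token prefixes, regexes and the sample diff are illustrative assumptions, not an authoritative list.

```python
import re
import subprocess
import sys

# Illustrative patterns (assumptions, not an exhaustive or authoritative list).
SECRET_PATTERNS = {
    # Slack API tokens carry an xoxb-/xoxp-/xoxa-/xoxr- prefix.
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}"),
    "slack_webhook": re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+"),
    # Any credential-like name assigned a quoted literal of 8+ characters.
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

# Constructed diff for the demo; it is not from any real repository.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 DEBUG = False
-SLACK_TOKEN = os.environ["SLACK_TOKEN"]
+SLACK_TOKEN = "xoxb-0000000000-CONSTRUCTEDEXAMPLE"
+db_password = "hunter2hunter2"
"""

def scan_added_lines(diff_text):
    """Return (kind, matched_text, line) for each added line that hits a pattern.
    Only '+' lines are checked; removed lines and '+++' file headers are skipped."""
    findings = []
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((kind, match.group(0), line[1:]))
    return findings

def staged_diff():
    """Diff of what is about to be committed (git diff --cached)."""
    return subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    # As a pre-commit hook, a non-zero exit blocks the commit.
    diff = SAMPLE_DIFF if "--demo" in sys.argv else staged_diff()
    hits = scan_added_lines(diff)
    for kind, _secret, line in hits:
        print("refusing to commit: %s found in line: %s" % (kind, line.strip()))
    sys.exit(1 if hits else 0)
```

Run it with `--demo` to see the constructed diff rejected, or install it as `.git/hooks/pre-commit` to check real staged changes; a key that has already been pushed must be revoked, since removing it from history does not unpublish it.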
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], or follow me on Twitter @podfeet. Check out the NosillaCast Google Plus Community and our Facebook group at podfeet.com/facebook. If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.