In this week’s episode I’ll tell you about an awesome free training site called CodeCademy where I’m supplementing my JavaScript training for Programming By Stealth. Then I’ll tell you about Together, an app from Reinvented Software that might be the Evernote alternative you’ve been looking for. Then I’ll go on a bit of a rant about all the whining I’ve been hearing on other tech podcasts about the Mac App Store and its pricing model. Then Bart Busschots will join us with this week’s edition of Security Bits.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday July 24, 2016 and this is show number 585.
Blog Posts
CodeCademy + PBS to Learn JavaScript
Let’s take a little break and chat about how much value you get out of the podcast and blog, I’m just guessing that you really wish there was some way you could help the show yourself. There’s a lot of ways to do it. You could simply push the giant Ways to Help the Show button and then push the Paypal Donate button, or you could use the Amazon link on podfeet.com and anything you buy from there on out sends a small percentage to the show. Maybe you’re not feeling flush with cash right now, that’s ok! For no money at all you can drop a review into iTunes to help get the show more visibility. I’d really appreciate the help. Ok, back to our regularly scheduled programming!
Together Might be the Evernote Alternative You’re Looking For
Mac App Store Rant
Security Bits with Bart Busschots
Pokémon Go
This game is all the rage, and on the whole, it's a bit of innocent nerdy fun that will actually get you outside and exercising. However, there are some things to be aware of:
- The initial iOS version of Pokémon Go granted full access to your Google account if you authenticated with Google – arstechnica.com/…
- This was a bug, and was addressed quickly – www.imore.com/…
- There are a lot of fake Pokémon apps out there trying to trick people into installing malware on their devices – be careful! (this was a bigger problem while the app was limited to just a few countries, and people were being advised to side-load the app onto their Android devices) – www.imore.com/…, nakedsecurity.sophos.com/… & arstechnica.com/…
- If your house or other property you own has become a PokéStop or Gym, and you don't like the attention it's bringing with it, you can have it removed – www.imore.com/…
- A nice guide for parents from iMore – www.imore.com/…
Important Security Updates
- Patch Tuesday has been and gone, and both MS and Adobe released security updates for their products, including Flash, Adobe Reader, and Windows – krebsonsecurity.com/…
- A 20 year old bug in Windows allows printers (or any networked devices pretending to be printers) to install malware when ever someone connects to the printer. The malware gets to install itself with full administrative privileges, and without invoking UAC. Microsoft could not fix the problem without breaking backwards compatibility, so the fix is to pop up a message asking if you are OK with the printer installing a driver (editorial by Bart: this design dates back to when MS utterly did not get security, it was an insane thing to do even 20 years ago, and this 'fix' is not going to be much help, because people will just click past the dialogue unthinkingly) – arstechnica.com/…
- Apple patch iTunes, Safari, tvOS, Watch OS, iOS & OS X – www.us-cert.gov/…
- The iOS update (9.3.3) fixes a bug that allowed attackers to eavesdrop on FaceTime calls – www.intego.com/…
- Both the iOS and OS X updates fix a bug in Apple's core media library – this is being described as similar to Stage Fright, which it is, but, the big difference is that it is easy for all Apple users to patch themselves because there are no middlemen in the way – nakedsecurity.sophos.com/…
Important Security News
- It was inevitable, but there is now "ransomware" in the wild that deletes your files, and then extorts you for money on the promise of restoring them, but of course, does no such thing (Editorial by Bart: this is the very thing 'honest' ransomware authors have been afraid of, it's probably the end of people paying ransoms) – arstechnica.com/…
- Security researchers find a way to use 'hidden' (ish) commands in videos to trigger voice assistants like Siri (editorial by Bart: this only works if your device is always listening, this is why I much prefer systems where you do something to make the device listen, like raise your wrist on the Apple Watch) – nakedsecurity.sophos.com/…
- FIAT Chrysler is launching the first bug bounty program for car hackers – nakedsecurity.sophos.com/…
- Microsoft have won a very important court case (though the ruling could of course be appealed) relating to US jurisdiction over data in Irish data centres. MS had argued that a US warrant did not cover their Irish data centres, which are bound by EU law, and that an Irish warrant was needed. The US government disagreed, but have now lost the case. (Editorial by Bart: this is very important for European customers of US corporations. It makes it possible for Microsoft to offer Europeans services where their data is protected by European law, and protects Europeans from the excesses of the US government's information greed) – nakedsecurity.sophos.com/…
- The UK Information Commissioner’s Office has issued a warning about web-connected baby monitors and cameras, noting that it is easy to find publicly visible streams from these devices online, because users are not securing them properly, and because many manufacturers default to insecure configurations – nakedsecurity.sophos.com/…
- HTTPoxy – meet the latest vulnerability with a cool name! This is not something users can do anything about, it affects websites that are built in a certain way, and only the owner of a website can fix the problem (Editorial by Bart: since there is nothing users can do to protect themselves from this bug, I'd suggest not loose sleep over it. This is one for the sysadmins and web developers to fix) – nakedsecurity.sophos.com/…
- another nasty bug has been detected in one of the protocols underlying mobile phone networks across the world. (Editorial by Bart: again, there is nothing we can do to fix this or protect ourselves, so it's not worth loosing sleep over. Just remember that cellular communications are not secure, and don't retreat them as if they are. Also, if you have the choice of doing 2FA over SMS or some other way, the other way may well be more secure) – arstechnica.com/…
- A baseball scout in the US has been sentenced to 46 months in jail for guessing a rival team's password and using it to access confidential data in an attempt to gain an advantage for his own team (Editorial by Bart: this serves as a good reminder that in the US the Computer Fraud and Abuse Act, or CFAA makes it is illegal to gain unauthorised access to a computer system, it doesn't matter how you gain that access, it's illegal to exceed your authorisation) – nakedsecurity.sophos.com/…
- France's Privacy Watch Dog CNIL has given Microsoft three months to fix a number of privacy and security issues in Windows 10, including "Irrelevant or excessive data collected", a lack of security because PIN attempts are not limited, and a lack of individual consent because an advertising ID is activated by default during the install, allowing Windows user to be tracked by apps – nakedsecurity.sophos.com/…
- FireFox will start filtering more uses of Flash in August, as a move towards a goal of having no flash run at all without being activated by a click from the user – tidbits.com/…
Notable Breaches
- Security researcher Chris Vickery has found yet another unsecured database exposed to the internet, this time exposing Oklahoma police and at least one OK bank (Editorial by Bart: this guys name should be familiar to you by now, it seems that hardly a month goes by that he does not expose an idiotically unsecured DB with sensitive data in it. How can people keep being caught out like this?) – nakedsecurity.sophos.com/…
- CiCi's pizza have acknowledged the credit card breach that had been previously reported by Brian Krebs – it affected more than 135 of their locations – krebsonsecurity.com/…
- Unencrypted CDs with health data on almost all Danes were accidentally delivered to the Chinese government – www.databreaches.net/…
Suggested Reading
- Brain Krebs reveals the value of a hacked company to bad guys – malware is all about the money, so understanding the economics is important – krebsonsecurity.com/…
- Newly released numbers show that cyber crime has overtaken non-cyber crimes in the UK – krebsonsecurity.com/…
- Controversial company Mac Keeper go after a 14 year old blogger who gave their product a bad review on YouTube – appleinsider.com/…
- A nice article from Naked Security explaining why you should use a password manger (one to bookmark for 'that conversation' with relatives) – nakedsecurity.sophos.com/…
- CA state legislators start work on an anti-ransomware bill – nakedsecurity.sophos.com/…
- A new command line tool called Shard has been released to test passwords against known breaches. It can be used to test your own passwords, but, it can also be abused by attackers – nakedsecurity.sophos.com/…
- Report finds that Chinese hackers hacked the US FDIC, and their CEO covered it up – arstechnica.com/…
- Another flaw left users of Juniper network equipment vulnerable to eavesdropping – arstechnica.com/…
- Another WhatsApp shutdown in Brazil – nakedsecurity.sophos.com/…
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community and our Facebook group at podfeet.com/facebook. If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.