Security Bits Logo

Security Bits – Facebook/Cambridge Analytica, GDPR, Security Updates, Greyshift Backdoor, UPnProxy

DNS Correction

On Chit Chat #533, Bart did a deep dive into how the Domain Name System works and in that session, he suggested a hybrid approach where your mobile devices had the improved DNS along with your home router.

It turns out it’s not possible to set system-wide DNS settings on iOS or Android. This means that the Hybrid Approach we described of setting a third-party DNS on your home router and then also hard-coding it on your mobile devices remains the best advice, but it’s not possible to do on iOS or Android devices. Annoyingly, that means there is no good solution to protect these devices 🙁. Thanks very much to Allister Jenks for drawing our attention to this in our Google Plus Community.

Followups

Notable Security Updates

Notable News

  • Poor configuration leaves controversial GreyShift iOS cracking boxes exposed to the internet. It seems it’s easy for police departments who buy these boxes to accidentally leave them in an insecure state. Also, someone tried to extort the makers of the boxes with a threat to release the source code. (Editorial by Bart: this just proves yet again that you can’t keep any back door secret so that only good guys can use it) — www.macobserver.com/…, www.macobserver.com/… & motherboard.vice.com/…
  • Security researchers have found a new way to abuse UPnP (Universal Plug and Play) to subvert routers with UPnP exposed on the WAN side into becoming proxies for malicious use. This bug has been given the name UPnProxy (Editorial by Bart: now would be a great time to check and see if you have UPnP disable on your router or not) — searchsecurity.techtarget.com/…. Too test your router, run Steve Gibson’s Shields Up and then look for the UPnP test: grc.com/…
  • Security researchers warn of the dangers of iOS trustjacking. Bottom line, never trust a computer you don’t actually trust, because using wifi sync, it could remotely trigger a backup of all your personal data at any future time! — www.intego.com/…
  • Tracking protection in Firefox for iOS now on by default – why this matters — nakedsecurity.sophos.com/…
  • Keep an eye out for firmware patches for your Intel CPUs, Intel have patched a firmware bug that could allow locally running malware to alter your firmware and cripple your computer in a kind of suicidal denial of service (DOS) attack — nakedsecurity.sophos.com/…
  • The Russian government has obtained a court order requiring Telegram be blocked within the country — www.reuters.com/…
  • Apple and Microsoft in Talks with UAE to End Ban on FaceTime and Skype — www.macobserver.com/…
  • Welsh police manage to identify a drug dealer from his fingerprints in a WhatsApp photo — www.macobserver.com/… & nakedsecurity.sophos.com/…
  • Security researchers discover Mettle, a Mac version of the popular hacking tool Metterpreter (Editorial by Bart: this is no cause for panic, but it’s yet more evidence that cyber criminals are turning their attention towards the Mac) — www.intego.com/…
  • A report into Android apps published to the Play Store as part of Google’s Designed for Families (DFF) program by the International Computer Science Institute find serious problems including the fact that 40% of the tested apps did not properly secure communications between the apps and back-end servers, and that 57% of the apps were in breach of the US COPPA law — nakedsecurity.sophos.com/…
  • DNA from a Genealogy database leads to the arrest of a suspected serial killer (Editorial by Bart: this story is interesting because of the ethical questions it raises, if I choose to give away my DNA, I’m also effectively giving away most of the DNA for my close relatives, should I need their consent for that?) — nakedsecurity.sophos.com/…
  • Google have announced that they will be improving their OAuth-based Single Sign On (SSO) offering to make it more secure, and to make phishing attacks like the infamous one against Google Docs users last year impossible in future — nakedsecurity.sophos.com/…
  • Research by security journalist Brian Krebs shows that employees in many companies are inadvertently publishing passwords through services like Trello, and that they can be systematically searched for with Google. Beware what you and your employees share! — krebsonsecurity.com/…
  • The Reform Government Surveillance coalition (which includes tech giants like Apple, Google, Microsoft, Dropbox, Snap, Evernote, LinkedIn, & Facebook) have released a statement condemning moves towards compulsory backdoors and governments hacking backwww.macrumors.com/… & nakedsecurity.sophos.com/…
  • 465K patients need a firmware update for their Abbots (formerly St Jude Medical) pacemaker. Without the update they’re at risk of cyber security attack and sudden battery loss — nakedsecurity.sophos.com/…

Suggested Reading

Palate Cleansers

Leave a Reply

Your email address will not be published.

Scroll to top