Security Bits Logo

Security Bits – Mostly Good News

Followup

  • Following on from security breaches at the 3rd-party companies all American cell phone companies were sharing real-time location data with, Verizon have announced they are ceasing all location data sharing (the other carriers have ended their relationships with some specifics companies, but not globally like this) — krebsonsecurity.com/…
  • GDPR Fallout & Experiences:
    • The Norwegian Consumer Council has issued a report detailing how the wording chosen by Facebook, Google & Microsoft (to a lesser extent) in their GDPR popups and notifications uses so-called dark-patterns to psychologically bias users towards choosing to give up their privacy. They go so far as to accuse the companies of breaching GDPR by not giving users ‘meaningful choices’ as is required — nakedsecurity.sophos.com/…
    • Allison: twitter.com/…
    • Bart: Apart from losing Instapaper, I’m seeing very little GDPR fall-out, with one exception — I’m noticing a lot of recipe websites are choosing not to comply with GDPR and instead, block Europeans 🙁

Notable News

  • 🇺🇸 The US Supreme Court has ruled that police do need a warrant to access mobile location data — krebsonsecurity.com/… & www.imore.com/…
  • 🇺🇸 The California Consumer Privacy Act of 2018 has passed the CA legislature and is expected to be signed into law by the governor soon. The law gives Californian’s more rights over their data, and could have nation-wide positive ripple-effects — www.macobserver.com/…
  • Google has promised to update their software to fix a location data leak found in their Chromecast dongles and Google Home smart speakers — nakedsecurity.sophos.com/… & krebsonsecurity.com/…
  • Developers from the OpenBSD project have removed support for hyper threading from their OS to mitigate against yet another data leak bug in Intel CPUs. This time it’s data leaking between processes sharing a physical core but running on separate logical cores that’s the problem. They dubbed the bug TLBleed, and full detailed are to be announced at an up-coming conference. Since most modern CPUs have many physical cores, the real-world performance cost for most people of losing hyper threading is very small. Also, this bug is not particularly dangerous for home users because it requires a locally running process, but its a much bigger deal for server farms or anyone running virtualisation — arstechnica.com/…
  • WPA3 officially launches, but expect it to be a slow rollout — www.imore.com/…
  • Obsolete browsers that don’t support modern versions of TLS will find themselves unable to connect to e-commerce websites after the 30th of June. Why? Because after that date e-commerce sites can’t support SSL or the early versions of TLS without violating the PCI security rules all credit card processors have to abide by – nakedsecurity.sophos.com/…
  • Following Let’s Encrypt’s success at moving websites to HTTPS for free, the EFF has launched a new initiative try do the same for SMTP, the protocol used to send emails between mail servers. Playing on the SMTP command for enabling encryption, they’ve named this new project STARTTLS Everywherenakedsecurity.sophos.com/…
  • Twitter have added support for hardware tokens like YubiKeys for multi-factor authentication — nakedsecurity.sophos.com/…
  • In case you only heard the incorrect original story, the heavily reported iPhone passcode bypass vulnerability using external keyboards proved not to be real, so don’t worry about it! — www.macobserver.com/…
  • The GitHub repositories for Gentoo Linux have been hacked, and all code within them should be considered compromised. Thankfully GitHub is not the primary Gentoo code repository, it’s just a mirror, so it’s still safe to use Gentoo Linux as a user — nakedsecurity.sophos.com/…

Suggested Reading

Palate Cleansers

Leave a Reply

Your email address will not be published.

Scroll to top