Security Bits – Zero-Day on macOS, Facebook Rates User Trustworthiness, Facebook’s VPN Was Tracking Users, Excessive Google Tracking, Teenager Hacks Apple
More speculation-based flaws in Intel Chips (Editorial by Bart: as with other recent Spectre/Meltdown variants, there’s no need for home users to panic, just keep your OSes patched. It’s cloud providers that really need to worry about these flaws.)
L1 Terminal Fault AKA L1TF – Intel have released mitigations, and they don’t have significant performance impacts — www.intel.com/…
Foreshadow – This new variant is noteworthy because it allows attackers to bypass the security that is supposed to protect SGX (Software Guard eXtensions), Intel’s secure enclave. Again, updated microcode has been released — arstechnica.com/…
Notable Security Updates
Patch Tuesday has been and gone with critical security updates being released by Microsoft and Adobe, including patches to zero-day flaws — krebsonsecurity.com/…
Adobe released an out-of-band patch to fix a critical vulnerability in Photoshop CC — nakedsecurity.sophos.com/…
Notable News
At the DefCon security conference security researchers released details of vulnerabilities in the fax feature of many network-connected HP multi-function devices that are putting many businesses and households around the world at risk. If affected devices are connected to both the network and the phone system then a malicious fax can be sent to the device in order to break into the network. HP have released patches. The researchers warn that other vendors are probably similarly vulnerable, so expect more reports and patches soon. (Editorial by Bart: if you have one of these devices and don’t actually need faxing functionality, now might be a good time to just pull the plug!) — blog.checkpoint.com/…
Also at the DefCon security conference a researcher released details of a zero-day privilege escalation attack against macOS. The attack allows malware already running on your Mac to click through security dialogues on your behalf, hence gaining more privileges than it should have. The bug appears not to be present in macOS Mojave (Editorial by Bart: no need to panic here, if you have malware already running on your system you have bigger problems!) — nakedsecurity.sophos.com/…
A 20-year-old bug with some security implications has been patched in OpenSSH, the most commonly used SSH library. The bug caused SSH to respond at a different speed depending on whether authentication failed because the user account did not exist at all, or because the account did exist but the credentials were wrong. This allowed attackers to test whether a given username exists on a system, and hence speed up brute-force attacks. (Editorial by Bart: no need to panic here, the patch is out, and even on an un-patched device you’re still safe as long as you have a strong password/SSH key.) — nakedsecurity.sophos.com/…
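To make the OpenSSH item concrete, here is an added Python example (written for these show notes, not OpenSSH's own code) that models the bug class in a tiny in-memory login check. The leaky version returns early when the username is unknown and so never pays for the slow password hash, while the uniform version always runs one hash (against a dummy record for unknown users) before deciding, so both failure cases cost the same. The user store, passwords and the derivation counter are constructed for the illustration; the point is the difference in work between the two failure paths, not the specific numbers.

```python
import hashlib
import hmac
import os
import time

# Constructed example: a tiny in-memory credential store, not real data.
# Passwords are stored as PBKDF2-HMAC-SHA256 hashes; the iteration count
# makes each verification measurably slow, which is what leaks timing.
ITERATIONS = 20_000

# Counter of how many derivations have run; a deterministic stand-in for
# wall-clock time so the difference between the two paths is easy to see.
DERIVATIONS = {"count": 0}


def _derive(password: str, salt: bytes) -> bytes:
    DERIVATIONS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_record(password: str):
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed user database: one known account.
USERS = {"alice": _make_record("correct horse battery staple")}

# Dummy record so that unknown users still cost exactly one derivation.
_DUMMY_SALT, _DUMMY_HASH = _make_record("unused-dummy-password")


def auth_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: the early return skips the expensive hash when
    the account does not exist, so a failed login for an unknown user is
    much faster than a failed login for a known user."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path: no hashing done
    salt, stored = record
    return hmac.compare_digest(_derive(password, salt), stored)


def auth_uniform(username: str, password: str) -> bool:
    """Hardened pattern: always derive a hash, against a dummy record when
    the user is unknown, and only then decide. Both failure cases do the
    same work, so response time no longer reveals whether the user exists."""
    record = USERS.get(username)
    exists = record is not None
    salt, stored = record if exists else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_derive(password, salt), stored)
    return matched and exists


def work_profile(auth_fn):
    """Return (derivations for unknown-user failure, derivations for
    known-user failure). The username oracle exists when the two differ."""
    DERIVATIONS["count"] = 0
    auth_fn("mallory", "wrong-password")
    unknown = DERIVATIONS["count"]
    DERIVATIONS["count"] = 0
    auth_fn("alice", "wrong-password")
    known = DERIVATIONS["count"]
    return unknown, known


def timing_profile(auth_fn):
    """Same comparison in wall-clock seconds, for running interactively."""
    t0 = time.perf_counter()
    auth_fn("mallory", "wrong-password")
    t1 = time.perf_counter()
    auth_fn("alice", "wrong-password")
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1


if __name__ == "__main__":
    print("leaky   (unknown, known) derivations:", work_profile(auth_leaky))
    print("uniform (unknown, known) derivations:", work_profile(auth_uniform))
    print("leaky   seconds:", timing_profile(auth_leaky))
    print("uniform seconds:", timing_profile(auth_uniform))
```

Running it shows the leaky check doing zero derivations for an unknown user and one for a known user, while the uniform check does one in both cases. The same idea applies to any login path: make sure every failure branch performs the same expensive work, and compare secrets with a constant-time comparison such as hmac.compare_digest, so that the server's response time says nothing about which half of the credential was wrong.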
Facebook have revealed that they have been working on an algorithm to rate their users’ trustworthiness for many years. The hope is that this algorithm will help them fight so-called fake news on their platform — nakedsecurity.sophos.com/…
At Apple’s request, Facebook has removed its Onavo VPN app from the iOS App Store. Apple asked for the removal because Facebook’s VPN tracked all user activity carried out over the VPN, something Apple considers a privacy violation — daringfireball.net/…
Security researchers have found that alterations made to Android by many hardware makers and cell carriers are adding security vulnerabilities into Android, resulting in millions of brand new Android devices being vulnerable right out of the box — www.wired.com/…
Google got into hot water after it was discovered that turning off a setting labelled Location History didn’t actually stop Google storing a history of your locations! Rather than deal with the underlying problem, Google chose to update the text on the setting’s label to explain that it doesn’t do what it says on the proverbial tin:
The Missouri Education Watchdog warns schools that using Google’s Apps for schools may result in more data being collected and stored than they realise — missourieducationwatchdog.com/…
🇺🇸 At the DefCon security conference, an 11-year-old successfully hacked a duplicate of the real Florida elections website and altered election results — nakedsecurity.sophos.com/…
🇺🇸 Also at the DefCon security conference, security researchers released details of attacks against a number of body cameras coming into use by US police departments — nakedsecurity.sophos.com/…
At the Black Hat security conference researchers announced that despite having more than 18 months’ notice, medical device manufacturer Medtronic has yet to fix dangerous security flaws in many of its products, including pacemakers — nakedsecurity.sophos.com/…
⭐️ A study by researchers at Vanderbilt University has found that Android Apps hoover up about ten times as much personal data as iOS apps — www.imore.com/…