Followups
- Andrew Orr at TMO got a bit of a sneak peek at Cloudflare’s soon-to-be released Warp VPN (Editorial by Bart: support for a split tunnel is a nice touch) — www.macobserver.com/…
- Security researchers have found that there are still nearly a million devices out there on the internet vulnerable to the BlueKeep RDP vulnerability Microsoft recently patched in older versions of Windows (including XP & Server 2003) — nakedsecurity.sophos.com/…
- Security researchers have been finding the bug extremely easy to exploit, so the danger is very real. The common joke in the security community ATM is that RDP now stands for Really Do Patch!
- Microsoft issues second warning about patching BlueKeep as PoC code goes public — www.zdnet.com/…
- Apple wrote a letter to GCHQ responding to their proposal for a Ghost Key to bypass end-to-end encryption in messaging services, and Google, Microsoft, & WhatsApp co-signed the letter. The original proposal was made last November in a Lawfare article
Security Medium 1 — Mobile App Tracking in the Spotlight
An article from the Washington Post has shone a fresh spotlight on something we’ve known about, and talked about, for a long time — many mobile apps sell your data to data aggregators and advertisers. This tracking is not news, but it sure got a lot of attention this week, with some in the media reacting as if the Washington Post made some kind of earth-shattering discovery.
The core problem is real — if you follow the money it is in fact inevitable. Free apps from for-profit companies must be making their money by selling your attention and/or your information. As a society we seem to want everything for no financial cost, and the only way that works is if we pay in some other way, so of course that’s what’s happening.
I quibble with the article’s definition of trackers though. Not everything that sends information across the internet is in any way nefarious or creepy! There is a world of difference between an app sending data to a software-as-a-service QA tool to monitor how their UI and UX are performing, and a company selling your personal information to 3rd parties for re-sale! The article conflates these two things to imply Microsoft’s OneDrive is the same as apps that sell your location data and browsing history for profit.
A lot of people are also blaming Apple for this, but IMO that’s unreasonable. The majority of our apps are windows into the cloud, so apps making network connections are not only not rare, they’re the absolute norm! Apple could not possibly block all network access, nor could it realistically break TLS/SSL to look into the data and block certain types of data flowing. For a start, that would be a massive invasion of privacy, and secondly, the same data can be exactly what users want to send, or totally creepy. When a cycle tracking app sends regular GPS position updates to the cloud that’s the app doing what I want it to do, but that would look no different to an app being really creepy!
What Apple can do is insist in their rules that developers have to have accurate privacy statements, and respond when developers break that rule. And, Apple do that.
An argument I would make is that Apple could do a little more by enforcing a rule that every app that sells data to aggregators or advertisers must have a badge in the app store that makes it clear that the app is paid for by tracking. Then users could more easily make a more informed choice.
If you value your privacy, know that free stuff from for-profit companies comes at a cost, and make your app choices accordingly! I choose to buy apps from developers I trust, and to steer clear of free stuff. Maybe you might want to start thinking that way too? Or maybe you’re happy to pay with your data and/or attention? Either way is fine, just make sure it’s a conscious choice!
One final note — I strongly advise against following the ‘advice’ some news sites are peddling to disable iOS’s Background App Refresh feature. That feature exists for a really important reason: it massively improves your phone’s battery life by managing how all apps talk to the internet. Disabling it makes as much sense as disabling wifi and cellular data in response to this!
Links
- The WP article that triggered the interest in this topic this week: It’s the middle of the night. Do you know who your iPhone is talking to? — www.washingtonpost.com/…
- Opinion: iOS Apps Grossly Abusing Background App Refresh for Tracking Purposes — daringfireball.net/…
Security Medium 2 — Apple’s Privacy Preserving Ad Click Attribution Proposal
Apple have announced Privacy Preserving Ad Click Attribution, a new protocol which they’re working towards developing into a standard through the W3C Web Platform Incubator Community Group (WICG). The aim of this protocol is to facilitate a privacy-respecting mechanism for tracking online ad effectiveness.
Apple have made a lot of moves in their browsers to stop ad networks tracking users across the internet. These privacy-protecting features are a massive boost for users, but they are hurting the advertising industry quite badly. As well as hampering the ad and data aggregation companies’ ability to track all of us as we surf the web, these protections also impede ad buyers’ and sellers’ ability to measure the effectiveness of ad campaigns. For online advertising to be an effective way to monetise financially free content it has to be possible to measure the value produced by a given ad buy, and right now, browser privacy protections are making that very difficult, if not impossible.
This new technology would allow ad buyers and sellers to continue to measure the conversion rates for their ads (what percentage of the people who clicked on an ad actually bought something), but without compromising our privacy. Basically, if I bought ads I’d know how many conversions I got, but not who the individual people were.
If we assume the ad industry is being genuine when it says it needs privacy-invading tracking because that’s the only way to measure ad effectiveness and make the financially-free internet possible, then they should welcome this with open arms. This really is a win-win for everyone. It remains to be seen just how the ad industry will react, and for this to really make a big difference, other browser vendors would need to adopt the standard too.
Links
- Apple’s very human-friendly description of Privacy Preserving Ad Click Attribution — webkit.org/…
- Safari test points to a future with tracker-free ads — nakedsecurity.sophos.com/…
- Opinion: daringfireball.net/…
Security Medium 3 — The US Casts a Cloud of Doubt over Huawei Phone Users
As part of the Trump administration’s on-going antagonism with China the US government has banned US companies from selling hardware or software to Huawei. Initially the ban was total and immediate, but the US government has backed off a little, allowing security updates until at least the 19th of October. It’s not clear what happens then.
In theory this whole Huawei ban is about ensuring security, but it seems the end result might be massive insecurity for all western Huawei phone users. If Huawei can’t get Android security updates, then all Huawei phones have just become un-securable, and hence, impossible to use safely.
For now, Huawei phone users know they can stay patched and stay secure until October. Maybe things will get onto a firmer footing by then. Either way, if you have a Huawei phone, you need to watch how this story develops, because you may be forced to bin your phone in a few months!
Links
- Google suspends some business with Huawei after Trump blacklist — uk.reuters.com/…
- Google suspends Huawei’s non-open source Android license — www.loopinsight.com/…
- U.S. eases curbs on Huawei; founder says clampdown underestimates Chinese firm — uk.reuters.com/…
Notable Security Updates
- Firefox 67 has been released; it patches two critical bugs, and also brings along some nice privacy improvements — nakedsecurity.sophos.com/…
  - Improved fingerprinting protection
  - Cryptominer blocking
  - Control over which plugins & passwords are available in private browsing mode
- Apple have released a firmware update for their now discontinued AirPort line of routers — support.apple.com/…
- Thousands of vulnerable TP-Link routers at risk of remote hijack — techcrunch.com/…
Notable News
- Beware Nokelock smart padlocks: security researchers have found massive security vulnerabilities in these products, despite some of them being Amazon’s Choice — nakedsecurity.sophos.com/…
- A security researcher has demonstrated a phishing technique that can be used to trick users into bypassing Gatekeeper and running a malicious app. The attack starts by tricking a user into opening a malicious ZIP file, so the standard advice not to open files from un-trusted sources applies. Apple have not fixed the underlying problems yet. — 9to5mac.com/…
- Security researchers have found that over a quarter of iPhones can be accessed with one of the 20 most popular PINs (Editorial by Bart: If you use a PIN, make sure it is not on the list. I’d suggest going further though, and using a true alphanumeric password. With TouchID and FaceID massively reducing how often you need your passcode, that’s now a very practical option) — www.cultofmac.com/…
- 🇺🇸 Facebook have not had a good two weeks in the Delaware Chancery Court where they are defending a share-holder lawsuit over the Cambridge Analytica scandal:
  - Facebook ordered by U.S. judge to turn over data privacy records — www.reuters.com/…
  - While defending the company in this case, Facebook attorney Orin Snyder argued that Facebook could not be guilty of invasion of privacy because its users “have no expectation of privacy”, so “There is no invasion of privacy at all, because there is no privacy” (Editorial/Snark by Bart: I guess we should applaud this rare moment of honesty!) — www.dailydot.com/…
- The Intercept is reporting that Facebook offers cell carriers around the world extra data pulled from users’ phones by their mobile apps (Facebook, WhatsApp & Instagram) — theintercept.com/…
- Google recalls Titan Bluetooth keys after finding security flaw — nakedsecurity.sophos.com/…
- Following FTC complaint, Google rolls out new policies around kids’ apps on Google Play — techcrunch.com/…
- A new academic study has found that while advertisers pay about 2½ times as much for a behaviourally targeted (creepy) ad as compared to a regular ad, behaviourally targeted ads are only 4% more effective (Editorial by Bart: if this study is backed up by further research then the argument that we need creepy tracking to fund the free internet falls apart) — www.wsj.com/…
Suggested Reading
- PSAs, Tips & Advice
- Notable Breaches & Privacy Violations
  - ⭐️ 🧯 There was a data breach at Stack Overflow, but it was very quickly addressed, and only names, email addresses and IPs were leaked, and only of a ‘small number of users’ who have been notified by the company — techcrunch.com/…
  - ⭐️ >20,000 Linksys routers leak historic record of every device ever connected — arstechnica.com
  - ⭐️ 🧯 Google accidentally stored some GSuite passwords in plain text for 14 years. This is not as bad as it sounds because the passwords were stored on secured servers, and only some GSuite accounts were affected, not regular Google accounts — nakedsecurity.sophos.com/…
  - ⭐️ Flipboard resets passwords after data breach exposed users’ details — www.imore.com/…
  - ⭐️ Consumer Reports has found that Google uses Gmail to build a database of what you buy, and that there doesn’t seem to be a way of deleting it — www.cnbc.com/…
  - Millions of Canva users’ data stolen as GnosticPlayers strikes again — nakedsecurity.sophos.com/…
  - Snapchat Employees Abused Data Access to Spy on Users — www.vice.com/…
  - Facial recognition used to strip adult industry workers of anonymity — nakedsecurity.sophos.com/…
  - Account Hijacking Forum OGusers Hacked — krebsonsecurity.com/…
  - 🇺🇸 Hackers breach US license plate scanning company — nakedsecurity.sophos.com/…
  - 🇺🇸 POS Malware Found at 102 Checkers Restaurant Locations — threatpost.com/…
  - 🇺🇸 NY Investigates Exposure of 885 Million Mortgage Documents — krebsonsecurity.com/…
- News
  - ⭐️ 🇺🇸 (Editorial by Bart: a good illustration of why SMS is the weakest form of 2FA, though of course, still better than no 2FA) Hacking gang stole millions in cryptocurrency via SIM swaps — nakedsecurity.sophos.com/…
    - Related Suggested Reading: The Most Expensive Lesson Of My Life: Details of SIM port hack — medium.com/…
  - ⭐️ Thanks to Facebook, Your Cellphone Company Is Watching You More Closely Than Ever — theintercept.com/…
  - ⭐️ The Irish Data Protection Commissioner has launched an investigation to see if Google’s Ad Exchange violates the GDPR — nakedsecurity.sophos.com/…
    - Related: 🇺🇸 The WSJ is reporting that the Justice Department are preparing to open an anti-trust investigation into Google, but this has not been officially confirmed — www.wsj.com/…
  - Tor Browser for Android 8.5 offers mobile users privacy boost — nakedsecurity.sophos.com/…
  - Facebook Banned Over 2 billion Fake Accounts in Q1 2019 — www.macobserver.com/…
  - Facebook bans accounts of fake news firm — nakedsecurity.sophos.com/…
  - Facebook’s Face Recognition Privacy Setting Missing for Some Users — www.consumerreports.org/…
  - New research generates deepfake video from a single picture — nakedsecurity.sophos.com/…
  - 🇺🇸 In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc — www.nytimes.com/…
  - 🇺🇸 The Senate votes to approve anti-robocalling bill — www.theverge.com/…
  - 🇨🇦 Canada will be introducing a digital charter to combat hate speech & misinformation online — www.cbc.ca/…
  - 🇬🇧 TfL is going to track all London Underground users using Wi-Fi — www.wired.co.uk/…
  - 🇩🇪 Germany Considering Law Banning End-to-End Encryption in Chat Apps — www.macobserver.com/…
- Opinion & Analysis
  - ⭐️ Google’s Image search has a massive celebrity sexism problem — www.wired.co.uk/…
  - ⭐️ Inside Apple’s top secret testing facilities where iPhone defences are forged in temperatures of -40C — www.independent.co.uk/…
  - ⭐️ 🔈 Planet Money Episode 915: How To Meddle In An Election — overcast.fm/…
  - ⭐️ 🔈 The Real Story: The new technology cold war — overcast.fm/…
  - The Splinternet Is Growing — fortune.com/…
  - Nancy Pelosi and Fakebook’s Dirty Tricks — www.nytimes.com/…
  - What a teen grade hacker’s confession can teach us — nakedsecurity.sophos.com/…
- Propellor Beanie Territory
  - Advanced Linux backdoor found in the wild escaped AV detection — arstechnica.com/…
  - Unpatched Docker bug allows read-write access to host OS — nakedsecurity.sophos.com/…
  - Brave browser concerned that Client Hints could be abused for tracking — nakedsecurity.sophos.com/…
  - Serious Security: Don’t let your SQL server attack you with ransomware — nakedsecurity.sophos.com/…
Palate Cleansers
- 🇺🇸 Does the news reflect what we die from? – Our World in Data — ourworldindata.org/…
- A great satirical cartoon shared by NosillaCastaway Steven Goetz — twitter.com/…
Note: When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.