Feedback & Followups
- 🧯Intel have released a fix for yet another named bug in performance-enhancing features of their CPUs. This one is named CacheOut because it involves cache evictions. The key takeaway is that like the other Spectre/Meltdown-like bugs, this one can only be exploited in situations where processes belonging to different users share a CPU. This is a big deal for cloud hosting providers (who are busy patching it), but not for regular PC users — nakedsecurity.sophos.com/…
- Social media companies continue in their on-going struggle to tackle the myriad problems on their services:
- Tinder to get panic button, catfish-fighting facial recognition — nakedsecurity.sophos.com/…
- Twitter bans deepfakes, but only those ‘likely to cause harm’ — nakedsecurity.sophos.com/…
- Facebook have added a new interface for showing users their ‘Off Facebook Activity’
- How to view and edit your Off-Facebook Activity — www.intego.com/…
- A good explainer: Facebook knows a lot about your online habits – here’s how to stop it — nakedsecurity.sophos.com/…
- Related: 🇺🇸 Facebook to pay $550m to settle face-tagging suit — nakedsecurity.sophos.com/…
- Related: ‘This doesn’t sound right’: Mastercard’s CEO ditched Facebook’s Libra after multiple red flags — markets.businessinsider.com/…
“When you don’t understand how money gets made, it gets made in ways you don’t like”
- Browser makers continue to fight abuses in their browsers and plugin ecosystems:
- Google continue their fight to secure their app store: Android pulls 24 ‘dangerous’ malware-filled apps from Play Store — nakedsecurity.sophos.com/…
- Google have launched an open-source project for creating FIDO2/WebAuthn security tokens — nakedsecurity.sophos.com/…
- 🇺🇸 In a letter to Congress the head of the FCC has revealed that more than one of the cell phone carriers being investigated for selling real-time data violated federal law. The FCC have not yet decided whether or not to prosecute the companies involved. The letter doesn’t name the companies being investigated, let alone which of them broke the law, but the reporting last year that triggered the investigation showed T-Mobile, Sprint, and AT&T were selling real-time location data — www.imore.com/…
- 🇪🇺 The Irish Data Protection Commissioner has launched an investigation into Google to determine whether or not their processing of location data complies with the GDPR — www.macobserver.com/…
Deep Dive 1 — Hardware & Software Caught Spying on Users and Selling Their Data
Since our last instalment a whole bunch of hardware and software vendors have been caught with their fingers in the proverbial user data cookie jar.
The first company to make the news was Ring (now owned by Amazon). The EFF published their research on the Ring app for Android which showed the app sends personally identifiable information (PII) to at least four trackers.
This research only covered Ring’s Android app and did not test their iOS app, so I simply don’t know if Apple’s stricter rules were enough to prevent the same behaviour on iOS.
The other hardware vendor to make the news for all the wrong reasons was Wacom — the driver for some of their drawing tablets was caught phoning home with a list of every app opened on machines with the driver installed. The reason this tracking came to light is interesting. A user was installing the driver and was about to just click by the privacy statement when they were struck by the obvious question — ‘Why does a device that is essentially a mouse need a privacy policy?’
After the story broke Wacom clarified that the data being collected is used purely to help them improve the app, is not sold, and does not contain any PII. Wacom also apologised for not being more up-front about this and pointed out that users can opt out at any time.
Based on the data being collected, and the fact that the collection was disclosed in the product’s actual privacy statement, I (Bart) don’t think there was any intention to deceive here — I think it was just a simple lack of awareness of the importance of data transparency in the modern world.
Moving over to software, the first big story to break was a joint investigation by Motherboard and PCMag which revealed that AV firm Avast were collecting very detailed browsing data from their AV users (including browser plugin users) and selling it through a subsidiary named Jumpshot. Avast claim there was consent, but it seems it was not informed consent. After the article was published Avast announced it would wind down Jumpshot. It seems unlikely Avast is the only AV vendor doing this. This is a particular concern with any free or under-priced product that has privileged access to your computer — remember to follow the money to make sure stuff is not FreePI!
- Finally, while a photo editing app has a lot fewer privileges on your system, so it can gather and sell a lot less than an AV can, it turns out even photo editors can get up to some creepy stuff — listener @zkarj highlighted an article from PetaPixel on the Podfeet Slack which shows that Luminar 4 sends user data to Facebook among others.
Links
- The original Ring article: Ring Doorbell App Packed with Third-Party Trackers — www.eff.org/…
- Wacom:
- Avast:
- The original article: Leaked Documents Expose the Secretive Market for Your Web Browsing Data — www.vice.com/…
- An interesting post from competitor Intego (including a screenshot of the install-time consent screen used by Avast): When free means “collects your browser history” — www.intego.com/…
- The Luminar article: Luminar 4 Sends Data to Facebook in the Background — petapixel.com/… (🎩 @zkarj on Podfeet Slack)
The Clearview AI Controversy
A US startup named Clearview AI has sparked a lot of controversy in recent weeks. The company has built an AI-powered search engine which allows photos to be matched to social media profiles. You give the search engine a photo of a random person, and if they are in the DB you’ll get back all their social media profiles.
Clearview AI are not making this very powerful search tool available to the general public, but are instead selling access to it, including to law enforcement agencies. This has raised privacy concerns and gotten the attention of civil liberties groups.
The database was built up by scraping social media sites, a direct violation of those sites’ terms of service, and hence, of the US Computer Fraud & Abuse Act. Unsurprisingly, the large social media companies are suing Clearview AI.
Links
- Facial recognition firm sued for scraping 3 billion faceprints — nakedsecurity.sophos.com/…
- Facebook, Google, YouTube order Clearview to stop scraping faceprints — nakedsecurity.sophos.com/…
❗ Action Alerts
- Apple have released patches for all their OSes including many critical security fixes — nakedsecurity.sophos.com/…
- iOS & iPadOS 13.3.1 include a fix for the bypass found in the new parental controls introduced in iOS 13.3.0 — www.macobserver.com/…
- iOS & iPadOS 13.3.1 include a new toggle switch to fully disable location services, even for controlling the U1 chip (with location services off the chip can’t function) — tidbits.com/…
- ‘Sudo’ Flaw Found and Patched in macOS Terminal — www.macobserver.com/…
- Critical Android flaws patched in February bulletin — nakedsecurity.sophos.com/…
- Update now – WhatsApp flaw gave attackers access to local files — nakedsecurity.sophos.com/… & WhatsApp for Mac update patches security flaw — www.imore.com/…
- Make sure your Philips Hue bulbs are fully patched — Philips Hue vulnerability lets hacker control bulbs, could escalate to network — 9to5mac.com/…
Worthy Warnings
- Twitter released details of abuses of their API which allowed third parties to map phone numbers to Twitter usernames. This puts users who added phone numbers to their Twitter accounts and left matching based on phone number enabled in their privacy settings in danger of phishing or even spear-phishing. Now would be a good time to check your privacy settings as described in the linked Naked Security article, and if you were exposed, be on your guard!
- Twitter’s announcement — privacy.twitter.com/…
- Naked Security’s explainer with instructions for checking your settings: Twitter admits to raid on users’ phone numbers — nakedsecurity.sophos.com/…
- A timely warning to be sure to properly configure your Trello boards so you don’t accidentally expose sensitive data to the world: Trello exposed! Search turns up huge trove of private data — nakedsecurity.sophos.com/…
- If you use Google Photos be aware that your photos or videos may have been shared with others improperly: Google Photos Emailed Users’ Videos to Strangers — www.macobserver.com/…
- PayPal SMS scams – don’t fall for them! — nakedsecurity.sophos.com/…
- Be extra vigilant when it comes to emails or other messages about Coronavirus; scammers are preying on people’s fears, e.g.: Coronavirus “safety measures” email is a phishing scam — nakedsecurity.sophos.com/…
- 🇺🇸 Sprint Exposed Customer Support Site to Web — krebsonsecurity.com/…
Notable News
- Apple engineers have a proposal to standardize two-factor authentication messages, and Google is on board — www.imore.com/…
- Amazon’s 2019 Transparency Report Shows Slight Decline in Government Requests — www.macobserver.com/…
- 🇺🇸 The DHS has used a questionable legal interpretation/loophole to bypass a court ruling against government use of location data and bought access to a commercial cellphone location tracking service — www.imore.com/… & www.macobserver.com/…
Top Tips
- January 28th was Data Privacy Day, so there were lots of good tips posted for keeping your data safe:
- Alternative Ways to Protect Yourself from Being Spearfished — tidbits.com/…
Excellent Explainers
Interesting Insights
- I Monitor My Teens’ Electronics, and You Should Too — www.wired.com/…
- Apple security in 2019: year in review — www.intego.com/…
- Researchers Find ‘Anonymized’ Data Is Even Less Anonymous Than We Thought — www.vice.com/…
- Securing iCloud: Why it’s time for an end-to-end encryption option for our backups — www.imore.com/…
Palate Cleansers
- 🎧 The Command Line Heroes podcast from RedHat is back with a new season. The first episode is out: Minicomputers: The Soul of an Old Machine — overcast.fm/…
Legend
Note: When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a pay-wall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |