Feedback & Followups
- Correction: the microphone cut-off switch in the new iPad Pros is not a physical disconnect, but it is completely independent of iOS and can’t be affected by malware because it’s in the T2 security chip — nakedsecurity.sophos.com/…
- Zoom continue to improve their security and privacy:
- An excellent follow-up piece from Glenn Fleishman laying out the progress as well as he initially laid out the problems: Zoom Repairs Flaws and Improves Privacy — tidbits.com/…
- Zoom announces collaboration with security experts from Netflix, Uber, EA and more — www.imore.com/…
- Zoom improves password requirements and introduces longer meeting IDs in latest update — www.imore.com/…
- Unsurprisingly, Zoom seems to be under attack, so if you re-used a password from somewhere else on Zoom, you should probably update your Zoom password to a unique one. Presumably re-used Zoom passwords are appearing for sale on the dark web — nakedsecurity.sophos.com/… & www.macobserver.com/…
- Zoom security: Your meetings will be safe and secure if you do these 10 things — www.zdnet.com/…
- 🎧 A good discussion of some of Zoom’s responses: Security Now 762: Virus Contact Tracking — overcast.fm/… (starting at 00:12:27)
- Google is engaging with Apple to progress their proposed standard for reducing the insecurity of SMS-based 2 factor authentication — www.macobserver.com/…
- Facebook have abandoned their attempts to start a cryptocurrency; instead, Libra will become yet another regular digital wallet à la Apple Pay, Google Pay, PayPal, etc. — www.macobserver.com/…
- Location data privacy continues to be an issue during the pandemic:
Deep Dive — Apple & Google’s Privacy-Protecting COVID-19 Contact Tracing API
Apple and Google have partnered to develop an API for tracking close personal contacts in an attempt to fight the COVID-19 pandemic. Unlike other solutions rolled out by some more authoritarian governments, this is a de-centralised solution designed from the ground up to prevent its use for tracking.
The solution uses Bluetooth Low Energy rather than GPS to record close physical contacts, and it uses a combination of public-key crypto and one-way hashing functions to generate anonymous ephemeral tokens that each participating phone broadcasts. As users move around, their phone records the ephemeral tokens of all phones it comes close to, and keeps that log for a few weeks. If a participating user tests positive, they can choose to instruct their phone to tell a server that they have tested positive, and upload all their ephemeral keys. Participating devices will periodically check to see if any of the known-infected keys are in their cache, and if they are, alert the user that they have potentially been exposed.
The key point is that the tokens change regularly, so the same phone does not keep the same token for long. This means the tokens can’t be used to track people. Also, the tokens cycle in sync with the randomisation of Bluetooth MAC addresses, so the tokens can’t be used to undo the tracking protection provided by MAC address randomisation.
Apple and Google insist their API will always be opt-in, and that there will need to be some kind of validation of diagnoses to avoid trolling. There will not be a single global server that all phones check for positive tokens; instead, separate countries or regions will run their own servers, and the operators of those servers will put in the appropriate safeguards to validate positive diagnoses.
Initially this will be available as an API developers can incorporate into 3rd-party apps, but Apple and Google plan to add the functionality into iOS and Android in the coming months.
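To make the token cycle described above concrete, here is an added Python sketch of the scheme; it is not Apple’s or Google’s code and not the published specification. The key schedule (HMAC-SHA256 derivations, a per-phone secret, 10-minute intervals, 14-day retention) and the names `Phone`, `derive_day_key`, `derive_rolling_id` and `simulate` are constructed simplifications chosen to show the three properties the text relies on: tokens rotate, only day keys are uploaded after a positive test, and matching happens locally on each phone.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of the contact-tracing scheme (not the
# Apple/Google specification): a per-phone secret never leaves the device,
# a one-way derivation produces one key per day, and each day key produces
# a series of short-lived identifiers that are broadcast over BLE.

INTERVALS_PER_DAY = 144  # assumption: identifiers rotate every 10 minutes
RETENTION_DAYS = 14      # assumption: recorded contacts are kept two weeks


def derive_day_key(device_secret: bytes, day: int) -> bytes:
    """One-way: a day key reveals nothing about the secret or other days."""
    return hmac.new(device_secret, b"day" + day.to_bytes(4, "big"),
                    hashlib.sha256).digest()


def derive_rolling_id(day_key: bytes, interval: int) -> bytes:
    """Ephemeral 16-byte token for one interval; unlinkable without the day key."""
    return hmac.new(day_key, b"rid" + interval.to_bytes(2, "big"),
                    hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.secret = os.urandom(32)
        self.seen = set()  # (day, rolling id) pairs heard from nearby phones

    def broadcast(self, day: int, interval: int) -> bytes:
        """The token this phone advertises over BLE right now."""
        return derive_rolling_id(derive_day_key(self.secret, day), interval)

    def record(self, day: int, rolling_id: bytes) -> None:
        """Store a token heard from a nearby phone; nothing identifying is kept."""
        self.seen.add((day, rolling_id))

    def forget_old(self, today: int) -> None:
        """Drop contacts older than the retention window."""
        self.seen = {(d, r) for d, r in self.seen if today - d < RETENTION_DAYS}

    def diagnosis_upload(self, today: int) -> list:
        """After a verified positive test the user opts in; only recent day
        keys are uploaded, never the device secret."""
        return [(d, derive_day_key(self.secret, d))
                for d in range(today - RETENTION_DAYS + 1, today + 1)]

    def exposure_matches(self, published: list) -> int:
        """Re-derive every identifier an infected day key could have produced
        and intersect with the locally stored contacts."""
        return sum(1 for d, dk in published
                   for i in range(INTERVALS_PER_DAY)
                   if (d, derive_rolling_id(dk, i)) in self.seen)


def simulate() -> dict:
    """Constructed scenario: Alice meets Bob, Carol never does, Bob tests positive."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    # Alice and Bob are close on day 100, interval 7; both phones log the other's token.
    alice.record(100, bob.broadcast(100, 7))
    bob.record(100, alice.broadcast(100, 7))
    # Carol only ever hears Alice, never Bob.
    carol.record(101, alice.broadcast(101, 3))
    # Bob tests positive on day 103 and uploads his recent day keys.
    published = bob.diagnosis_upload(103)
    return {
        "alice_matches": alice.exposure_matches(published),   # 1 contact found
        "carol_matches": carol.exposure_matches(published),   # no contact
        "rotates": bob.broadcast(100, 7) != bob.broadcast(100, 8),
        "secret_uploaded": any(k == bob.secret for _, k in published),
    }


if __name__ == "__main__":
    print(simulate())
```

The point of the `(day, rolling_id)` pair in the contact log is that a phone only has to re-derive identifiers for the day each upload key covers, so the matching cost stays at a few hundred HMACs per published key, all performed on the phone; the server only ever sees day keys from people who chose to upload them.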
Links
- An excellent explainer of how the technology works by Matthew Panzarino — techcrunch.com/…
- Apple and Google Partner for Privacy-Preserving COVID-19 Contact Tracing and Notification — tidbits.com/…
- Apple and Google detail bold and ambitious plan to track COVID-19 at scale — arstechnica.com/…
- Apple’s contact tracing system requires verification to report infection — www.imore.com/…
- Apple sends letter to senators in response to privacy concerns about its coronavirus app — www.imore.com/…
- 🎧 An excellent not-overly-technical description of what Apple & Google have designed: Reset: Contact Tracing, Explained — overcast.fm/…
- 🎧 A good (relatively) human-friendly description of the nuts-and-bolts of the solution: Security Now Episode 762: Virus Contact Tracking — overcast.fm/… (starting at 01:19:09)
- 🇪🇺 EU hints at adoption of Apple and Google’s contact tracing solution — www.imore.com/…
- 🇬🇧 The UK’s NHS will add Apple and Google’s coronavirus tracing API to its app — www.imore.com/…
- 🇬🇧 NHS in standoff with Apple and Google over coronavirus tracing — www.theguardian.com/…
❗ Action Alerts
- Microsoft Patch Tuesday, April 2020 Edition — krebsonsecurity.com/…
- Critical bug in Google Chrome – get your update now — nakedsecurity.sophos.com/…
- Update Firefox again – more RCEs and an Android “takeover” bug too — nakedsecurity.sophos.com/…
- Linksys asks users to reset passwords after hackers hijacked home routers last month — www.zdnet.com/… (Only affects Linksys Smart WiFi users)
- Apple have released a critical security update for Xcode — support.apple.com/…
Worthy Warnings
- Security researchers are warning users of Apple’s App Store to be aware of a new risk — extortionately priced subscriptions, or, as they named them, Fleeceware. When signing up for any subscription, always check both the price and the renewal period! — www.imore.com/…
- TikTok users beware: Hackers could swap your videos with their own — nakedsecurity.sophos.com/…
- Sextortion emails and porn scams are back – don’t let them scare you! — nakedsecurity.sophos.com/…
- GitHub users targeted by Sawfish phishing campaign — nakedsecurity.sophos.com/…
Notable News
- 🧯Contrary to some fake news that seems to have been spread maliciously, there is no evidence at all of a security problem with the popular video conferencing app HouseParty — www.imore.com/…
- Social Media companies are working hard to respond to the changes brought on by the pandemic:
- TikTok announces “Family Pairing” – bust your moves but cap the risk — nakedsecurity.sophos.com/… & TikTok expands parental controls, now automatically blocks DMs for underage users — www.imore.com/…
- WhatsApp puts limits on message forwarding to curb COVID-19 misinformation — www.imore.com/…
- Google Blocking 18m Coronavirus Scam Emails a Day — www.macobserver.com/…
- Facebook taking ‘aggressive steps’ to quash 5G conspiracy theories that could cause physical harm — www.imore.com/…
- Facebook rolls out ‘Quiet Mode’ on iOS to spend less time on Facebook — www.imore.com/…
- ecobee announces two-factor authentication to secure your smart home — www.imore.com/…
- 🧯Twitter initially warned users that a bug in Firefox was allowing some private data to be cached locally for too long, but it turns out they were not setting the correct HTTP headers! This was probably a non-issue for most people; the one exception would be users of public computers, where their DMs might have been left exposed for some time after they logged out of Twitter — nakedsecurity.sophos.com/…
Palate Cleansers
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
Keep in mind privacy considerations when using Zoom: https://sourceful.us/doc/652/a-comprehensive-guide-to-tech-ethics-and-zoom