
Security Bits — 26 July 2020

Feedback & Followups

Image: example of a financial institution's request to authenticate
  • Two weeks ago we talked about the new method of authentication I’d encountered with my bank and you had it too, where you go to log in on a website and it sends you a notification on your phone’s screen, which when tapped opens the app for the website and then does FaceID to authenticate you, and then you’re in on the Mac? The two questions that have come up from that in the last week in our Slack are:
    • From Jill – isn’t it quite possible a hacker would try to get into your account, your phone would send you the notification and you’d instinctively tap it and instantly authenticate for them?
      • Bart explained that these apps’ implementations (at least Bart’s and Allison’s) have one more step. After authenticating with Face/Touch ID, there is a request to authorize with a yes or no, telling you the OS and browser making the request and the approximate physical location.
    • From Steve – if the site (like ours) offers you the option of this dedicated phone-based authentication method but the other option is an SMS, isn’t your account just as susceptible to SIM swapping as if they didn’t offer the dedicated phone app?
      • Short answer is yes – the weakest link is the problem
      • The better option is if the institution allows you to disable the SMS option
  • Apple have begun shipping the special pre-rooted iPhones for security researchers announced last year. These devices mean eligible security researchers no longer need jailbreaks to get full root access to iPhones, making it much easier for them to do their invaluable research —… &…
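To make the two answers above concrete, here is an added simulation of the push-to-approve flow discussed in the feedback: the website records the login attempt with the requesting OS, browser and approximate location, the phone shows that context after a biometric check and only an explicit “yes” approves the request, and a weakest-link rule reports SMS as the effective second factor for as long as SMS fallback is enabled. This is illustrative code written for these notes, not code from any bank’s app; all names, fields, the 60-second expiry and the sample values are assumptions.

```python
"""Push-to-approve login flow with an explicit authorization step (simulation).

Added example for these show notes, not any institution's real implementation.
Every name, field and policy rule here is an assumption for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets


@dataclass
class LoginRequest:
    """A pending website login waiting for approval on the enrolled phone."""
    request_id: str
    username: str
    client_os: str        # OS of the browser session, as seen by the server
    client_browser: str
    approx_location: str  # coarse geolocation of the requesting IP address
    created_at: float
    ttl_seconds: int = 60     # assumed expiry for an unanswered request
    status: str = "pending"   # pending | approved | denied | expired


@dataclass
class Account:
    username: str
    push_enrolled: bool = True
    sms_fallback_enabled: bool = True
    pending: Dict[str, LoginRequest] = field(default_factory=dict)


def request_login(account: Account, client_os: str, client_browser: str,
                  approx_location: str, now: float) -> LoginRequest:
    """Server side: record the web login attempt; the phone is then notified."""
    req = LoginRequest(secrets.token_hex(8), account.username, client_os,
                       client_browser, approx_location, now)
    account.pending[req.request_id] = req
    return req


def approval_prompt(req: LoginRequest) -> str:
    """What the phone app shows after biometrics succeed, before the yes/no."""
    return (f"Approve sign-in for {req.username}?\n"
            f"  Device: {req.client_os}, {req.client_browser}\n"
            f"  Near: {req.approx_location}")


def phone_respond(account: Account, request_id: str, biometric_ok: bool,
                  user_said_yes: Optional[bool], now: float) -> str:
    """Phone side: tapping the notification alone approves nothing.

    Approval needs (1) a known, still-pending, unexpired request,
    (2) a passed Face/Touch ID check, and (3) an explicit 'yes' given
    after the context from approval_prompt() has been displayed.
    Returns the request's resulting status.
    """
    req = account.pending.get(request_id)
    if req is None:
        return "unknown"
    if req.status != "pending":
        return req.status         # decisions are final; no second chance
    if now - req.created_at > req.ttl_seconds:
        req.status = "expired"
        return req.status
    if not biometric_ok or user_said_yes is None:
        return req.status         # still pending: app opened, nothing decided
    req.status = "approved" if user_said_yes else "denied"
    return req.status


def effective_second_factor(account: Account) -> str:
    """Weakest-link rule: whatever is easiest to defeat among enabled options.

    SMS codes are exposed to SIM swapping, so while SMS fallback stays on
    the account is only as strong as SMS, whatever else is enrolled.
    """
    if account.sms_fallback_enabled:
        return "sms"
    if account.push_enrolled:
        return "push"
    return "none"


if __name__ == "__main__":
    # Constructed sample values, not real sessions.
    acct = Account("alice")
    req = request_login(acct, "Windows 10", "Chrome 84", "Springfield, US", now=1000.0)
    print(approval_prompt(req))
    print("tap only:", phone_respond(acct, req.request_id, True, None, 1001.0))
    print("explicit no:", phone_respond(acct, req.request_id, True, False, 1002.0))
    print("weakest link:", effective_second_factor(acct))
    acct.sms_fallback_enabled = False
    print("after disabling SMS:", effective_second_factor(acct))
```

The two checks worth noticing are that `phone_respond` returns `"pending"` when the app is merely opened (Jill’s worry), and that `effective_second_factor` stays at `"sms"` until the fallback is switched off (Steve’s point), which is why the notes recommend disabling the SMS option where the institution allows it.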

  • COVID-related Apps
    • Apple have added symptom tracking to their Health app. It’s much broader than the current pandemic, but it may be useful to start tracking your baseline if you normally have COVID-like symptoms for other reasons, that way you have a better chance of noticing a change —…
    • 🇺🇸 Apple have added CDC travel guidance notifications into Apple Maps for US users re-entering the country —…
    • The Google/Apple API Saga continues:
      • 🇮🇪 🇬🇧 🇺🇸 Ireland’s Google/Apple-based app continues its successful launch, and the software company who wrote it are being approached by other health authorities from around the world, including at least one US state. The same company also produced Northern Ireland’s app, which is about to be launched. The app has already detected cases in Ireland. —… &…
      • 🇺🇸 The Association of Public Health Laboratories (APHL) will build a national COVID-19 exposure notification server for use by state apps using the Apple/Google API. It will be hosted by Microsoft —…
      • 🇦🇺 Despite counter-examples from Europe (Germany, Ireland …), Australia continues to blame Apple for their failure to build an effective app —…
  • Social Media Continues to Evolve

Deep Dive 1 — ECJ Ends EU/US Data Privacy Shield

Back in the year 2000, the European Commission created Safe Harbour, a framework that allowed companies to transfer data on EU citizens to the US. The logic was the US and EU law provided similar protections, so the transfer did not compromise EU citizens’ rights. That always stretched credulity, but the whole idea became ever more untenable as the EU moved to add ever more protections and the US didn’t. Even before the GDPR, EU citizens had much better protections than US citizens, and so the Safe Harbour was challenged in the European Court of Justice and overturned. In a bit of a mad scramble, the European Commission replaced Safe Harbour with the EU-US Privacy Shield in 2016. When the GDPR was introduced it seemed like just a matter of time until this too would fall, and that’s what happened this month. The ECJ agreed with Austrian privacy activist Max Schrems that the privacy shield is not compatible with GDPR because US law simply doesn’t provide enough protections.

This doesn’t mean that data on EU citizens can’t be transferred to the US; it just means that the 5,378 organisations that were using the privacy shield to avoid having to actually implement GDPR now have to actually ask users’ consent before transferring their data. Or, to put it in legalese, they need to use Standard Contractual Clauses, or SCCs.

The most important thing to note is that none of this covers information we as users enter into digital services; it’s about the data those services collect about us. If an EU citizen uploads a photo to Flickr, shares a file via DropBox or posts a Tweet, that can flow all over the world without issue. This is about what happens to the data that all those trackers infesting the web and our apps are hoovering up all the time.

At the end of the day, as best as I can tell, this won’t have any negative impact on users, and it just might give us all a little more control over our privacy, and at the very least, should shine a little light on some of the stuff these companies get up to.


Deep Dive 2 — The Twitter Hack

A small number of very high profile Twitter accounts were taken over and used to spread a bitcoin scam — basically “send me some bitcoin and I’ll send you back twice as much”. We now know attempts were made to take over 130 accounts, and 45 of those attempts succeeded. We also know the attackers attempted to generate GDPR-style full data exports from some of the compromised accounts.

This wasn’t a technical hack, but instead, a social engineering attack. According to media reports, we’re talking about Twitter employees with access to back-end systems being paid to take over the accounts.

Twitter responded promptly and well — locking down all verified accounts whose passwords had been recently changed, tweeting updates on their ongoing investigation, and producing a quite detailed blog post explaining their findings.

This attack in and of itself doesn’t pose a danger to us regular folk; instead it shines a bright spotlight on just how much power Twitter has in modern political discourse, and underlines the dangers these kinds of massive centralised social media services pose to democratic elections. This attack seems to have been more about the LOLs and making a quick buck, but imagine what a well-resourced nation state could do on US election day were they to get control of Twitter’s back-end system like these attackers did!


❗ Action Alerts

Worthy Warnings

Notable News

  • 🇺🇸 T-Mobile has announced updated tools for customers to help protect themselves from robocalls and scams. They’re rolling out enhanced caller ID based on STIR/SHAKEN, and adding free call blocking services they’re calling Scam…

Top Tips

Excellent Explainers

Interesting Insights

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
