
Security Bits — 18 April 2021

Feedback & Followups

  • 🇬🇧 (🏴󠁧󠁢󠁥󠁮󠁧󠁿 & 🏴󠁧󠁢󠁷󠁬󠁳󠁿) Both Apple and Google have blocked the NHS from publishing an update to its COVID app that would have added location tracking. This is expressly forbidden by the terms of service of their COVID exposure notification API, precisely to stop COVID apps being used for government surveillance — nakedsecurity.sophos.com/… (Editorial by Bart: The fact that they even tried this makes my 🤯)
  • Apple updates its ‘A Day in the Life of Your Data’ educational report — www.imore.com/…
  • The Wall Street Journal (WSJ) is reporting that US firm Procter & Gamble helped develop the Chinese-government-sponsored CAID API, which is designed to bypass Apple’s upcoming App Tracking Transparency — www.imore.com/…
  • Other browser makers are not signing up to FLoC (Federated Learning of Cohorts), Google’s proposed replacement for tracking cookies (that includes the other Chromium-derived browsers like Edge) — www.theverge.com/…
    • Related: The EFF has a tester that lets Chrome users know if they’re part of Google’s FLoC trials (the tool is called Am I FLoCed), and DuckDuckGo has a new Chrome extension to block FLoC — daringfireball.net/…
  • 🇺🇸 🇦🇺 🇮🇱 The WSJ has also found the identity of the security firm the FBI paid to hack into the San Bernardino shooter’s iPhone — and contrary to widespread speculation, it was not the controversial grey-hat Israeli company Cellebrite, but an Australian company named Azimuth — www.macobserver.com/…
  • 🇩🇪 German data protection officials are attempting to block Facebook’s controversial new Terms of Service, which will see more data shared between WhatsApp and Facebook — www.imore.com/…
  • 🇺🇸 Armed with a court order, the FBI hacked into hundreds of Exchange servers that had been back-doored via the recently patched zero-day bugs, and removed the backdoors — nakedsecurity.sophos.com/…

❗ Action Alerts

  • Last Tuesday was Patch Tuesday, and Microsoft patched 19 critical bugs, including a Windows bug being actively exploited in the wild — krebsonsecurity.com/…
  • A new ‘bug cluster’ named *NAME:WRECK* has been found and patched in the DNS client code of several TCP/IP stacks, including FreeBSD’s and proprietary stacks used in many IoT devices — nakedsecurity.sophos.com/… (Editorial by Bart: this kind of bug just underscores my standard advice: ‘if your IoT device is not getting security updates anymore, bin it!’)
    • Project CHIP embraces a timeline and the blockchain — Stacey on IoT staceyoniot.com/…

Worthy Warnings

Notable News

Excellent Explainers

Interesting Insights

  • 📌 🇺🇸 In an opinion on the recent US Supreme Court case regarding the @realdonaldtrump account blocking users, Justice Thomas made an interesting argument for treating large social media companies like common carriers — www.protocol.com/… (This could well become very important in future SCOTUS cases)

Palate Cleansers

From Allison

From Bart

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
(a flag) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

1 thought on “Security Bits — 18 April 2021”

  1. Steve Davidson - April 20, 2021

    Regarding the ParkMobile data breach: I got an E-mail message from them today (and a pop-up in the iOS app). It contains the same information as contained on their Web page — but at least they are notifying users. Of course I had already changed my (and my wife’s) passwords.
