
Security Bits — 2 May 2021

Feedback & Followups

  • Apple are letting Parler back into the iOS AppStore; they have apparently reformed their moderation practices sufficiently — www.imore.com/…
  • SolarWinds are changing their name to N-able! — www.n-able.com/…

Deep Dive(s)

❗ Action Alerts

Worthy Warnings

  • Security researchers at the Technical University of Darmstadt 🇩🇪 are warning about a significant data leak from Apple’s AirDrop when in contacts-only mode: because it accepts self-signed certs (dumb and easy to fix), and because it uses un-salted hashes, email addresses and phone numbers are exposed. For now, it seems best to leave AirDrop off when you don’t need it, and open to all when you do need it — nakedsecurity.sophos.com/…
    • Editorial by Bart: this is such low-hanging security fruit Apple should be utterly ashamed of themselves. Clearly, this protocol has been left languishing for far too long. I use AirDrop a lot since it actually works well these days, so I really hope Apple fix these trivial shortcomings quickly. Just stop accepting self-signed certs immediately, and add some salt!
  • 🇺🇸 Experian API Exposed Credit Scores of Most Americans – Krebs on Security — krebsonsecurity.com/…

Notable News

Interesting Insights

  • The Verge tells the story of Kosta Eleftheriou’s one-man quest to draw attention to Apple’s utter failure to keep obvious scam subscriptions out of their iOS AppStore. They’re shockingly easy to find 🙁 — www.theverge.com/…
  • Security researcher extraordinaire and co-author of the Signal Protocol (powering Signal, WhatsApp, Facebook Messenger and more) Moxie Marlinspike explains the spectacular insecurities he found in Cellebrite’s iPhone data extraction tools (TL;DR – these things are so insecure their outputs can’t be used in court, and they seem to violate Apple’s IP to boot) — signal.org/…

Palate Cleansers

  • A wonderfully illustrated and animated guide to the mechanical marvel that is the internal combustion engine — ciechanow.ski/…

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji: Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
(country flag) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
