Feedback & Followups
- 🇺🇸 An update on a story Allison referenced last time: Missouri governor rebuffed: Journalist won’t be prosecuted for viewing HTML — arstechnica.com/…
- 🇮🇱 The NSO Group/Pegasus Saga: The Israeli government has opened an investigation to see if it was targeted by Pegasus — www.macobserver.com/…
- 🇺🇸 IRS To Ditch Biometric Requirement for Online Access — krebsonsecurity.com/…
- Social Media Developments
  - Signal provide a mechanism for changing the cellphone number your account is tied to — www.macobserver.com/…
  - Instagram has rolled two vital features out to everyone after limited availability — www.imore.com/… (Security Checkup & Your Activity)
  - Snapchat Launches Location Sharing Buddy System for Safety — www.macobserver.com/…
  - Snapchat will put ads within stories and share the money with creators — www.theverge.com/… (being tested with a small group of US 🇺🇸 creators for now)
- 🇺🇸 🇬🇧 🇨🇦 🇦🇺 🇳🇿 🇮🇪 Twitter is expanding its beta of Safety Mode to 50% of users in the US, UK, Canada, New Zealand, Australia & Ireland 😀 — www.imore.com/…
- 🇺🇸 Texas Sues Meta Over Facebook Facial Recognition — www.macobserver.com/…
- 🇪🇺 Meta threatens to pull Instagram and Facebook in Europe over privacy laws, regulators say ‘please do’ — 9to5mac.com/…
- App Tracking Transparency Fallout: Twitter profit falls but company dodges impact of iOS 14 privacy changes — www.imore.com/…
Deep Dive 1 — Apple AirTag Developments
Apple has released plans for improving their abuse protections on AirTags. There’s a mix of short-term and longer-term changes.
The simplest change will be a new privacy warning when setting up an AirTag. The warning tells users not to abuse the trackers, and that Apple know who each tracker belongs to, and will pass that information on to law enforcement when presented with an appropriate warrant. This isn’t a change in policy, Apple are simply highlighting their existing procedures.
As well as adding the warning Apple are also updating their documentation to give users more information.
At the moment the alerts you get on your phone when a FindMy device that’s not yours is moving with you don’t give any details of what the device is, and in some cases, this is causing confusion because modern AirPods are FindMy items too, as are some trackers made by other manufacturers. The warnings will be updated to be more specific.
In the longer term Apple are going to enable precision finding for trackers that are following you, tweak the warning sound to make it easier to hear, and sync the sound with the phone alerts so they happen together. Finally, Apple are going to continue to improve the algorithm for detecting suspicious movement and alert users more quickly when possible.
Meanwhile, the New York Attorney General has released a very well-written warning about the dangers of AirTag abuse, as well as some good advice for how people can protect themselves.
A point I’ve been making all along is that AirTags did not cause tracker abuse, it was happening before AirTags, and would continue even if AirTags were to vanish tomorrow, and that the reason we hear so much about AirTag tracking is that Apple added more and better protection than everyone else, and it works, so victims of AirTag abuse know about it, while victims tracked with other devices don’t.
To underline this point, the New York Times did an excellent piece where tech journalist Kashmir Hill used an AirTag, a Tile, and a GPS tracker to track her partner (with his permission), to test both their effectiveness and their protections. The bottom line is pretty clear, everyone else’s protections are ‘way worse’ than Apple’s.
Links
- Apple’s press release — www.apple.com/…
- Here’s How Apple Will Work to Fight AirTag Stalking — www.macobserver.com/…
- Stunning test reveals privacy dangers of other trackers ‘way worse’ than AirTags — www.imore.com/…
- 🇺🇸 New York Attorney General Warns of Malicious AirTag Tracking — www.macobserver.com/…
- 🇺🇸 Pennsylvania man arrested over AirTag stalking thanks to iOS alert — www.imore.com/…
Deep Dive 2 — Google’s Android Privacy Sandbox (non)Announcement
Google released a statement describing some vague possible future privacy features, but giving no detail, and promising not to block anything advertisers can do today for at least the next 2 years. The spin Google are trying to put on this is that they are doing something as good as Apple’s App Tracking Transparency, but without hurting advertisers.
In terms of actual technology, they do mention their new Topics API, and a new similar FLEDGE API for tracking users across apps and then grouping them into custom audiences for advertisers.
The big thing they’re promising is an opt-in sandboxed API ad networks could choose to use to limit what their ad code can do when embedded in apps.
Ron Amadeo’s excellent critique at Ars Technica really gets to the heart of this announcement in its conclusion:
Since Google is not making any privacy changes mandatory, it is basically asking advertising companies to voluntarily stop collecting data on users. If advertisers wanted to do that, they could make that change today.
Links:
- Google’s Announcement: Introducing the Privacy Sandbox on Android — www.blog.google/…
- Ron Amadeo’s Critique: Android’s toothless “Privacy Sandbox” fails to answer iOS tracking limits — arstechnica.com/…
Deep Dive 3 — 🧯 That T2 Hack
Details are sparse, but a grey hat hacking company is now offering a solution for brute-force cracking full disk encryption on Macs with a T2 hardware security chip.
One of the T2’s most important functions is to protect the encryption key for full-disk encryption on Macs with hardware protections preventing its extraction, and limiting the speed of guesses, making even a brute-force attack impossible.
We don’t know the details, but what Passware have found is a way to bypass the rate-limiting on guesses. Their password cracking solution can now make 15 guesses a second on Macs with a T2 chip.
This means a strong password will still take millennia to crack, but a commonly used and weak password can be guessed in less than a day.
Physical access is needed to perform these kinds of attacks, so this is not something most of us have to worry about, and, even with physical access, a strong password still provides excellent protection. So, no need to panic, just use a strong password for your Mac.
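To put numbers on the claims above, here is a small added calculation (not from the story or from Passware) that takes the reported 15 guesses per second and works out how long exhausting a weak-password list versus a random passphrase would take; the list size of one million and the six-word passphrase are assumptions chosen for illustration.

```python
# Added worked example: time to brute-force a Mac password at the reported
# post-bypass rate of 15 guesses/second on a T2 machine. All password models
# below are constructed assumptions, not data from the story.

T2_GUESSES_PER_SECOND = 15            # rate reported in the story
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_random(charset_size: int, length: int) -> int:
    """Candidates for a password of `length` symbols drawn uniformly from a charset."""
    return charset_size ** length


def crack_time_seconds(keyspace: int,
                       guesses_per_second: float = T2_GUESSES_PER_SECOND,
                       expected: bool = True) -> float:
    """Seconds to find the password.

    expected=True  -> average case (half the keyspace is tried on average)
    expected=False -> worst case (every candidate is tried)
    """
    tried = keyspace / 2 if expected else keyspace
    return tried / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit, 3 significant figures."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # Assumed weak model: password is somewhere in a 1,000,000-entry list of
    # common passwords; worst case is trying the whole list.
    weak = crack_time_seconds(1_000_000, expected=False)
    print("common-password list (1M entries), worst case:", humanize(weak))

    # Assumed strong model: six words from a 7776-word diceware list.
    strong = crack_time_seconds(keyspace_random(7776, 6))
    print("6-word diceware passphrase, average case:   ", humanize(strong))

    # Middle ground: 8 random lowercase letters.
    mid = crack_time_seconds(keyspace_random(26, 8))
    print("8 random lowercase letters, average case:  ", humanize(mid))
```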
Links
❗ Action Alerts
- ‼️ A very important security update from Apple fixing a WebKit vulnerability being actively exploited: Apple zero-day drama for Macs, iPhones and iPads – patch now! — nakedsecurity.sophos.com/…
- ‼️ Google announces zero-day in Chrome browser – update now! — nakedsecurity.sophos.com/…
- Apple releases mystery security updates for macOS Big Sur, Catalina — www.intego.com/…
- Microsoft Patch Tuesday, February 2022 Edition — krebsonsecurity.com/…
- Adobe fixes zero-day exploit in e-commerce code: update now! — nakedsecurity.sophos.com/… (the very popular open source Magento e-commerce tool & its paid variant Adobe Commerce)
- Irony alert! PHP fixes security flaw in input validation code — nakedsecurity.sophos.com/…
Worthy Warnings
- Zoom still using Mac microphone outside of calls despite fix, claim users — www.imore.com/…
- Appointment Booker ‘FlexBooker’ Suffers Second Data Leak — www.macobserver.com/…
- GiveSendGo Data Breach Affects Donors of ‘Freedom Convoy’ — www.macobserver.com/…
Notable News
- Microsoft adjusts the convenience/risk posture of some of its own tools:
  - Microsoft have disabled the MSIX protocol which could be used to install apps directly from the web, and which was being actively abused in malware campaigns — www.zdnet.com/… & nakedsecurity.sophos.com/…
  - At last! Office macros from the internet to be blocked by default — nakedsecurity.sophos.com/… (Microsoft’s announcement: techcommunity.microsoft.com/…)
- A more human-friendly way to get a patched OS onto old hardware: Google brings Chrome OS to Mac with new Chrome OS Flex — www.imore.com/…
- 🇺🇸 Senators Reveal CIA Program That Collects American Data — www.macobserver.com/…
- 🇺🇸 California lawmakers have introduced a bill that would impose a code of conduct on tech companies limiting the data they can collect on children — arstechnica.com/…
Excellent Explainers
- A good explanation of the Zero Trust security model that I’ve mentioned a few times in recent episodes: Zero Trust Architecture: Rethinking Cybersecurity for Changing Environments — er.educause.edu/…
Interesting Insights
- 🎧 An excellent description of a very likely future where our devices can give us real security without the inconvenience of FaceID or TouchID: Rene Ritchie: How Apple DESTROYS Face ID — overcast.fm/…
Just Because it’s Cool 😎
- 🇺🇸 CISA have published a big list of free cyber security tools & services: www.cisa.gov/…
Palate Cleansers
- 🎦 Another dose of physics fun from Allison’s Tiktok Feed: www.tiktok.com/…
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
💵 | A link to an article behind a paywall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |