Security Bits — 28 May 2023

Feedback & Followups

• We now know that Pegasus was used in the war over the Nagorno-Karabakh region in Azerbaijan (an un-recognized independent republic with close ties to Armenia) from 2020 to 2022, with the Armenian foreign minister’s phone being hacked 27 times by an NSO Group customer assumed to be the Azerbaijani government — appleinsider.com/…
• 🇺🇸 Apple’s case against the Correlium security tool vendor is not over yet, but Correlium have scored an important partial victory, with a judge ruling that Cybersecurity research falls under copyright fair use. — appleinsider.com/… (Editorial by Bart: this looks like an important precedent to me, even beyond US shores thanks to WIPO)
• 🇫🇷 French regulator CNIL has imposed additional fines on ClearView AI for failing to comply with their ruling against the company last October (€20M original fine, additional €5.2M now) — nakedsecurity.sophos.com/…
  • Key points:
    • Biometrics are extra-sensitive PII, so informed consent is needed
    • Informed consent was not acquired, so the company was ordered to cease & desist collecting French data, and to delete it all
    • Company had 2 months to comply with the original order, now ruled not to have done so

Deep Dive — Google’s Release of the .zip & .mov TLDs

Since 2012 it has been possible for organisations with deep enough pockets to buy just about any top-level domain they would like. Google was one of the companies to take advantage of this new freedom, and in 2014 they registered two very generic top-level domains which are relevant to recent developments — .zip & .mov. Until now, Google have tightly controlled registrations on these TLDs, so they have been effectively unused. But that’s all changed now, and Google have opened up registrations on these TLDs to the world.

What makes these TLDs unusual is that they are also common file extensions, so it’s now possible to register a domain that looks like a filename, e.g. cryptowallet.zip or naughtymovie.mov.

The exact details will change from app to app, but it seems inevitable that attackers will find ways to leverage this ambiguity in phishing attacks — convincing users they are opening a local file or an email attachment when they are actually downloading a file from a URL. This is the kind of thing Apple’s download permission dialogue boxes in Safari will nip in the bud, but many apps and platforms are not as pro-active about alerting users to downloads.

There is zero doubt that these domains increase the theoretical risk for regular folks, but I’m not convinced that will translate into a measurable increase in real-world exploits. I was initially quite worried, but then I took the time to read Troy Hunt’s analysis, and I think he’s right — humans are already terrible at reading URLs, so the people potentially tricked by these URLs would probably also have been tricked by other URLs, so things will probably just stay the same in the real world.

There’s also a concerted move to kill the domains by block-listing them on corporate firewalls, making them effectively illegitimate, and possibly reading to the TLD’s retirement from sale. For example, the SANS institute are advising corporate sysadmins to block the TLDs whole-sale on their corporate DNS servers.

Finally, you should never have been opening email attachments you were not absolutely expecting anyway, so does not clicking on a link pretending to be the file you’re not clicking on really change anything? Don’t open email attachments, not even the fake ones 🙂

Links

• The Twitter thread with Troy Hunt’s Anaylsis — twitter.com/…
• Other News coverage & opinion:
  • Expect .zip and .mov domains to be used in phishing and malware attacks — www.intego.com/…
  • New ZIP domains spark debate among cybersecurity experts — www.bleepingcomputer.com/…
• An interesting breakdown of the current use of .zip domains by the SANS institute’s Johannes Ullrich (biggest danger is currently rickrolls!) — isc.sans.edu/…

❗ Action Alerts

• Apple have released a collection of important security updates:
  • iOS 16.5, iPadOS 16.5 and macOS Ventura 13.4 arrive — www.cultofmac.com/…
    • These updates include the two fixes from the recent Rapid Security Response, and fix an additional previously unpatched zero-day — nakedsecurity.sophos.com/…
  • iOS 15.7.6 and iPadOS 15.7.6 Incorporate Rapid Security Response Fixes — tidbits.com/…
  • macOS Monterey 12.6.6 and Big Sur 11.7.7 — tidbits.com/…
  • Safari 16.5 — tidbits.com/…

Worthy Warnings

• Researchers have found a critical bug, which they’ve named FriendlyName, in version 2 of the popular Wemo Mini Smart Plug (now on version 5) , and Belkin will not be patching it — appleinsider.com/… & nakedsecurity.sophos.com/… (Editorial by Bart: time to throw these in the bin if you have some 🙁)
  • Allison replaced her Wemo Mini with four Meross Smart plugs with HomeKit, Alexa, and Google support for $35 on Amazon (with no Thread or Matter.)
  • Instead of the Wemo Smart Plug with Thread for $30 that will never get Matter, and only supports HomeKit (no Alexa no Google).

Notable News

• Apple have shared their 2022 App Store Transparency Report — appleinsider.com/…
  • They chose to highlight blocking over $2 billion in fraudulent transactions & 1.7 million bogus apps — appleinsider.com/…
• 🇪🇺 Twitter has chosen to withdraw from the EU’s voluntary code of conduct for social media companies, but that doesn’t change the fact that they’ll soon be regulated under the EU’s Digital Services Act (DSA) — appleinsider.com/…
• 🇪🇺 The Irish Data Protection Commissioners have fined Meta a record €1.2Bn fine for continuing to transfer European data to the US under the so-called Privacy Shield which the ECJ struck down in 2020. Meta have 5 months to comply, but as expected, they plan to appeal — appleinsider.com/…
• 🇺🇸 The US Supreme Court have chosen to uphold the status quo on the widely misunderstood but very important Section 230 of the Communications Decency Act — appleinsider.com/…
  • Related and Updated Explainer: 🎧 Know a Little More: About Section 230 — overcast.fm/…
  • In talking about Know a Little More, we mentioned Dave Hamilton of the Mac Geek Gab having been on Chit Chat Across the Pond Lite to explain WiFi 6E and why you care.
• 🇺🇸 Montana have passed a law banning TikTok that will go into effect next year, and as expected, the lawsuits have started flying — appleinsider.com/…
• 🇺🇸 The US Surgeon General Dr. Vivek Murthy has released an advisory warning parents of the negative impacts social media can have on children’s mental health — appleinsider.com/…
  • Ezra Klein interviewed Jean Twenge about research trying to find a correlation between hospitalization for self harm and introductions of social media platforms: www.nytimes.com/…

Interesting Insights

• 🎧 My theory of understanding Cybersecurity is to follow the money, so I highly recommend this episode of the Malicious Life podcast: The Economics Of Cybersecurity — overcast.fm/…
• 🎧 I had no idea there was such a human cost to the training of AIs like ChatGPT: Big Technology Podcast: He Helped Train ChatGPT. It Was Traumatizing. (With Richard Mathenge) — overcast.fm/…

Palate Cleansers

• ⭐ An extremely clever piece of interactive journalism that uses your actual data from the Have-I-Been-Pwned database to generate a customised story about data theft in general, illustrated with animated representations of how you have been profiled by attackers over time: See your identity pieced together from stolen data — www.abc.net.au/…

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji	Meaning
🎧	A link to audio content, probably a podcast.
❗	A call to action.
flag	The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊	A link to graphical content, probably a chart, graph, or diagram.
🧯	A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵	A link to an article behind a paywall.
📌	A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩	A tip of the hat to thank a member of the community for bringing the story to our attention.