Security Bits logo - a green padlock with the words Security Bits to the right and in tiny letters below ithat it says 10101010 indicating a digital lock

Security Bits — 12 November 2023

Feedback & Followups

Deep Dive(s)

❗ Action Alerts

Worthy Warnings

Notable News

  • The Forum of Incident Response and Security Teams (FIRST) have released the spec for version 4 of their CVSS vulnerability scoring system, the new version aims to tweak the scoring system to better reflect modern threats and help security teams triage vulnerabilities —…
    • Editorial by Bart: when you hear things like critical bug, those are not arbitrary terms, they come from the CVSS scoring system, so critical actually means a CVSS score of 9.0 or greater (the scale goes from zero to 10)
  • Microsoft have launched a new company-wide security drive they’ve dubbed their Secure Future… (Microsoft’s announcement)
    • Editorial by Bart:
    • These kinds of things are often more PR sparkle than real change, so I was very skeptical, but even in just the last week we’ve seen substantive changed happening, so I’ve shifted to cautiously optimistic
    • To make the anti-Microsoft case, at least one of the announcements in a blog post launching the intitiative reeks of spin — Microsoft will start to store all signing keys in Hardware Security Modules (HSMs, think Secure Enclaves for data centres). They should already have been doing this, and the fact that they weren’t led to the Chinese government successfully hacking some US government Office365 accounts last year. In my opinion, the correct response here is finally, not well done!

    • Related Concrete news:

    • Microsoft are adding base-line secure-by-default MFA policies into Office365 tenancies so that unless organisations proactively downgrade their settings, all Office365 tenancies will be protected by strong MFA soon —…
    • Microsoft have added some very clever new AI-driven logic to prevent attackers from spamming users with MFA push notifications in the Microsoft Authenticator app —…
    • Starting with the next release of Windows 11, enabling file and print sharing won’t open the legacy SMB 1 ports anymore (137, 138 & 139), it will only open the modern, more secure port 445 —…
  • Some nice security enhancements from Google:

  • Meta’s attempts to avoid changing thier business model despite the GDPR has taken another turn — the European Data Protection Board has upheld a July ruling by the Norwegian Data Protection Commissioners which found that Meta’s current user consent processes for targetd ads do not comply with the GDPR, and the Irish Data Protection Commissioners have been ordered to order Meta to stop using targeted ads on Facebook and Instagram in Eurpope —…
  • FTC orders non-bank financial firms to report breaches in 30 days —… (FTC is the Federal Trade Commission)

  • WhatsApp Introduces New Privacy Feature to Protect IP Address in Calls —… (Calls get routed through Meta’s servers, but that’s safe thanks to End-to-End encryption)

Top Tips

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
A link to graphical content, probably a chart, graph, or diagram.
A story that has been over-hyped in the media, or, “no need to light your hair on fire”
A link to an article behind a paywall.
A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
A tip of the hat to thank a member of the community for bringing the story to our attention.

1 thought on “Security Bits — 12 November 2023

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top