Security Bits logo - a green padlock with the words Security Bits to the right and in tiny letters below ithat it says 10101010 indicating a digital lock

Security Bits — 17 March 2024 ☘️

Feedback & Followups

  • Ransomeware-related developments:
  • A good indication of why GitHub are enabling Push Protection by default:

  • Signal’s phone-number protection feature roles out —…

    • Don’t think of Signal usernames like traditional usernames — they don’t become your identity on the platform, they just act as an alias for your phone number that you can give to people to let them start a conversation with you without them ever knowing your number
    • Note from Bart: I set it up on my account and it was very easy
  • 🇪🇺 More DMA compliance details & changes:
    • Apple News & Changes:

    • Apple released a support document with more details on the EU App Store, including how eligibility is determined —…

      To reflect the Digital Markets Act’s changes, users in the European Union are able to install alternative app marketplaces and install apps offered through alternative app marketplaces in iOS 17.4 or later. The country or region of your Apple ID must be set to one of the countries or regions of the European Union, and you must physically be located in the European Union.

      Your device eligibility for alternative app marketplaces is determined using on-device processing with only an indicator of eligibility sent to Apple. To preserve your privacy, Apple does not collect your device’s location.

      If you leave the European Union, you can continue to open and use apps that you previously installed from alternative app marketplaces. Alternative app marketplaces can continue updating those apps for up to 30 days after you leave the European Union, and you can continue using alternative app marketplaces to manage previously installed apps. However, you must be in the European Union to install alternative app marketplaces and new apps from alternative app marketplaces.

    • More tweaks to the rules for EU developers —…
      1. Single-vendor 3-party app stores are OK after all (i.e. Epic can make a store just for Epic games)
      2. Links to external payments can be customised after all, Apple’s templates are now mere suggestions
      3. Sufficiently large developers in sufficient standing will be able to distribute notarised apps directly from their own web pages (were it not for the need for notarisation and for the developer account to be marked as authorised, this would be full side-loading, it’s certainly closer than most expected Apple to get)
    • Apple’s first DMA compliance report contains an interesting tidbit – Apple will provide a tool for easily moving from iOS to Android by fall…

    • Related: Brave: Sharp increase in installs after iOS DMA update in EU —…

    • Meta Details WhatsApp and Messenger Interoperability to Comply with EU’s DMA Regulations —… (Please use open protocols like Signal & XMPP)

    • Google’s EU Choice Screens for Android, for Default Browser and Default Search Within Chrome, Only Show Up on New Devices —… (Apple is showing them to all Europeans when they upgrade to iOS 17.4)

    • Related: an excellent overview of the compliance changes from all the gate keepers —…

  • 🇺🇸 The US FTC continues to target online fraud: Tech support firms Restoro, Reimage fined $26 million for scare tactics —…

    • > Restoro and Reimage used online ads and pop-ups that impersonated Microsoft Windows pop-ups and system warnings, saying that the consumers’ computers were infected with malware, had various performance issues, and needed urgent attention to avoid harm.

Deep Dive — Tesla AiTM & ‘Watering Hole Attacks’

Note: AiTM is the new term for what we previously referred to as MiTM. That is to say, we now talk about Adversary in The Middle attacks, not Man in The Middle Attacks. This change has been adopted for two reasons — it’s obviously free from gender baggage, but more importantly, many adversaries in the middle are not human at all, they’re software of some kind!

TL;DR: until Tesla make some changes to nip this attack in the bud, do not enter your Tesla account details on any Wifi network you do not know to be safe, expectably not in a place that is likely to attract Tesla owners like a Tesla Super Charger!

Tesla have made it easier to add phone keys to their cars, and, researchers have discovered that you can intercept Tesla login details, even on accounts with MFA enabled (Tesla do not support phishing-resistant MFA like FIDO2 or Passkeys yet), and silently add a phone to a Tesla as a key. For this to work the attackers need to trick a Tesla owner into logging in to a fake Tesla portal, and they way they suggest that could be easily done would be to set up a WiFi network named Tesla at a Tesla Supercharger and pop up a captive portal login screen as is quite common on wifi networks.

The researchers propose two sensible fixes:

  1. Require the phone to be in the car to be paired (I remember it used to be this way, and I think this is the part Tesla want to remove to make it easier to give others access to your car, so this seems unlikely to me)
  2. Add an alert in the car to say a phone has been added, with an easy button to see the details and remove it (This seems like a no-brainer to me, no loss of ease of use, but solves the problem of the key being silently added, 🤞 Tesla do this soon)

You can read more details here —…

What are ‘Watering Hole Attacks’?

The reason I wanted to make this pretty straightforward story a deep dive is that it offers a good excuse to explain a cybersecurity term we haven’t talked about in detail before — Watering Hole Attacks.

The idea comes from nature, where some hunters go looking for prey, while others go somewhere they know the prey will come to, and simply wait for dinner to arrive! In arid regions, watering holes inevitably attract lots of animals, so they’re a great place for predators to hang out and wait.

You can do the same thing for cyberattacks when your desired victims have something in common that will pull them towards some digital or physical place. Developers are very often targeted in watering hole attacks, with baddies making use of software repositories like JavaScript’s Node Package Manager (NPM) or Python’s PyPi package repository to typo-squat package names to spread malicious code.

In this case, the researchers suggest a physical place where potential targets would be likely to assemble to launch a digital attack that requires physical proximity — a malicious wifi network.

❗ Action Alerts

Worthy Warnings

Notable News

Excellent Explainers

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

1 thought on “Security Bits — 17 March 2024 ☘️

  1. PDX_Kurt - April 3, 2024

    Apropos of your palate cleansers, have you ever encountered the graphical novel work of Sydney Padua? She has created a whole series of Ada Lovelace and Charles Babbage graphical adventures (this combines your Ada Lovelace history and your Glenn Fleishmann treatise on comics!). She is truly a gem of a humorist! Sadly, it appears that her web site is currently misconfigured, so I will have to point you to the latest working capture from

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top