Security Medium — The Efail Email Encryption Vulnerability
The latest bug with a cool name and a cute logo is Efail, a mashup of the words email and fail. The bug affects encrypted email sent with both of the common email encryption protocols S/MIME & PGP/GPG.
Under certain circumstances, the bug allows an attacker to trick email clients into sending a copy of the decrypted versions of encrypted emails to a server of their choice. The bug is triggered in the client, so it affects every email opened by the client, regardless of when it was sent, so this bug could allow an attacker to read encrypted emails arbitrarily far back in time.
On Chit Chat #533, Bart did a deep dive into how the Domain Name System works and in that session, he suggested a hybrid approach where your mobile devices had the improved DNS along with your home router.
It turns out it’s not possible to set system-wide DNS settings on iOS or Android. This means that the Hybrid Approach we described of setting a third-party DNS on your home router and then also hard-coding it on your mobile devices remains the best advice, but it’s not possible to do on iOS or Android devices. Annoyingly, that means there is no good solution to protect these devices 🙁. Thanks very much to Allister Jenks for drawing our attention to this in our Google Plus Community.
Bart Busschots stands in for a vacationing Allison Sheridan. Since the show is recorded on St. Patrick’s Day, Bart starts with a recipe for an Irish hot whiskey. Then we have a review of MFi Hearing Aids from listener Gretchen, an interview with Wonder Workshop recorded by Allison & Steve at CES earlier this year, an AppleTV & AirPod dumb question & answer from listener Dick, an iCloud Photo library syncing story from Allison, a review of Mylio from listener Tom, and finally a solo Security Bits from Bart.
Microsoft have removed the special registry flag which prevented the Spectre/Meltdown patches being applied on machines without AV that explicitly declares itself compatible with the patch. This approach made sense early in the response to these bugs, but it did have an undesirable side-effect, a machine with no AV would never get patched. That’s no longer the case now — arstechnica.com/…
On February 15 Google’s Chrome browser gained a nice new feature for controlling ads. It’s been reported on as an ad blocker, but that coverage misses a very important subtlety. Google itself calls the feature ad filtering, and an ad filter describes this feature very well indeed.
Google is an advertising company, it is not in their interest to destroy the advertising industry. They’re trying to solve a subtly different problem — the rise of ad blockers!
Security Medium — Strava Heatmaps have Unintended Consequences
The popular exercise tracking app Strava regularly produces a really cool heat-map that shows where most people run, cycle, swim etc.. The data is anonymised, so it all seems like some innocent fun. The latest version of the heatmap was published back in November, and no one thought it was a problem.
Steve Gibson of GRC (author of ShieldsUp & SpinRite) has released InSpectre, a free Windows app which clearly communicates your PC’s current level of protection against Meltdown & Spectre, and what kind of a performance hit you should expect — www.grc.com/…
RedHat have withdrawn their microcode patch for Spectre after it caused some systems to become unbootable (Linux supports dynamic updating of CPU microcode without the need for a BIOS update) — www.theregister.co.uk/…
A great post on the official Raspberry PI blog that primarily aims to explain why the Raspberry PIs are not vulnerable to Spectre, but in the process, explain Spectre in clearest and most understandable way I’ve yet seen — www.raspberrypi.org/…