There won’t be a live show next week, and the NosillaCast will be out on Tuesday instead of Sunday (sorry guys). Check out the tutorial I did on Keep It for ScreenCasts Online at screencastsonline.com. We’ve got another of Steve’s videos from NAB, this time from Backblaze about their B2 cloud storage. Then I’ll tell you how using Airtable from airtable.com might help me finally wrap my brain around databases as I attempt to manage my bathroom remodel with it. Bart Busschots is with us for another fine edition of Security Bits about Efail, protection of the 4th Amendment, Glitch & ThrowHammer as well as Black Dot & Text-Bomb.
Security Medium — The Efail Email Encryption Vulnerability
The latest bug with a cool name and a cute logo is Efail, a mashup of the words email and fail. The bug affects encrypted email sent with both of the common email encryption protocols S/MIME & PGP/GPG.
Under certain circumstances, the bug allows an attacker to trick email clients into sending a copy of the decrypted versions of encrypted emails to a server of their choice. The bug is triggered in the client, so it affects every email opened by the client, regardless of when it was sent, so this bug could allow an attacker to read encrypted emails arbitrarily far back in time.
We’ll take a look at StepShot Guides to see if it’s a worthy replacement for Clarify after all. Then we have an interview with Monoprice from NAB where we’ll have a surprisingly interesting and funny interview about SlimRun Ethernet and HDMI cables. Bart and I haven’t talked Security Bits in ages, so we have a nice long one for you.
On Chit Chat #533, Bart did a deep dive into how the Domain Name System works and in that session, he suggested a hybrid approach where your mobile devices had the improved DNS along with your home router.
It turns out it’s not possible to set system-wide DNS settings on iOS or Android. This means that the Hybrid Approach we described of setting a third-party DNS on your home router and then also hard-coding it on your mobile devices remains the best advice, but it’s not possible to do on iOS or Android devices. Annoyingly, that means there is no good solution to protect these devices 🙁. Thanks very much to Allister Jenks for drawing our attention to this in our Google Plus Community.
- The Facebook/Cambridge Analytica Kerfuffle:
Continue reading “Security Bits – Facebook/Cambridge Analytica, GDPR, Security Updates, Greyshift Backdoor, UPnProxy”
We start with how wrong I was last week, with two huge mistakes. I posted a teaser video about a Monosnap screencast I did for ScreenCasts Online, and how I was on Daily Tech News Show #3248 where we talked about whether the announcements from Apple will help them get back in the game with education. Then I’ll walk you through the harrowing tale of how awful both iBooks Author and Pages are at creating ebooks. Then Bart joins us to give a follow up on the Cambridge Analytica/Facebook kerfuffle, he’ll tell us about two new laws in the US called SESTA/FOSTA and the CLOUD act, and he’ll tell us about the very clever fix Apple came up with for the HSTS vulnerability that’s plaguing all browsers.
- Cambridge Analytica & Facebook Kerfuffle Followup
- Additional developments:
- It’s been revealed that Facebook scraped call and text data from Android phones for years. Technically users did opt in to the collection, but it doesn’t seem to have been informed consent based on the public reaction to the reporting:
- 🇺🇸 The FTC is investigating Facebook — nakedsecurity.sophos.com/… & www.imore.com/…
The Cliff Notes Version of the Story
- Microsoft have removed the special registry flag which prevented the Spectre/Meltdown patches being applied on machines without AV that explicitly declares itself compatible with the patch. This approach made sense early in the response to these bugs, but it did have an undesirable side-effect, a machine with no AV would never get patched. That’s no longer the case now — arstechnica.com/…
- Intel outlines plans for Meltdown and Spectre fixes, microcode for older chips — arstechnica.com/…
- Intel ships (hopefully stable) microcode for Skylake, Kaby Lake, Coffee Lake — arstechnica.com/…
- Intel’s latest set of Spectre microcode fixes is coming to a Windows update — arstechnica.com/…
- In an SEC filing in the US, Intel have revealed there are now 32 lawsuits against it over Spectre & Meltdown — arstechnica.com/…
Security Medium 1 — Google’s Ad Filter
On February 15 Google’s Chrome browser gained a nice new feature for controlling ads. It’s been reported on as an ad blocker, but that coverage misses a very important subtlety. Google itself calls the feature ad filtering, and an ad filter describes this feature very well indeed.
Google is an advertising company, it is not in their interest to destroy the advertising industry. They’re trying to solve a subtly different problem — the rise of ad blockers!