Open post
Security Bits Logo

Security Bits – Google’s Ad Filter, iBoot Leak, iOS Teluga Text Bug

Security Medium 1 — Google’s Ad Filter

On February 15 Google’s Chrome browser gained a nice new feature for controlling ads. It’s been reported on as an ad blocker, but that coverage misses a very important subtlety. Google itself calls the feature ad filtering, and an ad filter describes this feature very well indeed.

Google is an advertising company, it is not in their interest to destroy the advertising industry. They’re trying to solve a subtly different problem — the rise of ad blockers!

Continue reading “Security Bits – Google’s Ad Filter, iBoot Leak, iOS Teluga Text Bug”

Open post
Security Bits Logo

Security Bits – Spectre/Meltdown Update, Strava Heat Maps

Followup — Spectre & Meltdown News

Security Medium — Strava Heatmaps have Unintended Consequences

The popular exercise tracking app Strava regularly produces a really cool heat-map that shows where most people run, cycle, swim etc.. The data is anonymised, so it all seems like some innocent fun. The latest version of the heatmap was published back in November, and no one thought it was a problem.

Continue reading “Security Bits – Spectre/Meltdown Update, Strava Heat Maps”

Open post
Security Bits Logo

Security Bits – Spectre & Meltdown Update (Again), Dark Caracal, chaiOS

Meltdown & Spectre Update

  • Steve Gibson of GRC (author of ShieldsUp & SpinRite) has released InSpectre, a free Windows app which clearly communicates your PC’s current level of protection against Meltdown & Spectre, and what kind of a performance hit you should expect — www.grc.com/…
  • RedHat have withdrawn their microcode patch for Spectre after it caused some systems to become unbootable (Linux supports dynamic updating of CPU microcode without the need for a BIOS update) — www.theregister.co.uk/…
  • A great post on the official Raspberry PI blog that primarily aims to explain why the Raspberry PIs are not vulnerable to Spectre, but in the process, explain Spectre in clearest and most understandable way I’ve yet seen — www.raspberrypi.org/…

Continue reading “Security Bits – Spectre & Meltdown Update (Again), Dark Caracal, chaiOS”

Open post
Security Bits Logo

Security Bits – Password Trackers, IOHIDeous, Meltdown & Spectre

Security Bits – 5 Jan 2018

Security Medium 1 — Password Managers as Trackers

Security researchers have found that less-reputable tracking firms have deployed JavaScript which uses invisible forms to trick password managers into entering information which can then be used as a kind of super-cookie that users cannot delete, and hence, track them around the web.

This problem affects all features that auto-fill usernames and passwords, whether or not they are native to the browser, or, provided by third-party plugins, so this affects everyone who saves passwords in their browser in any way.

Continue reading “Security Bits – Password Trackers, IOHIDeous, Meltdown & Spectre”

Open post
Security Bits Logo

Security Bits – 08 December 2017 – macOS Root Bug, HomeKit Bug, iOS Backup Encryption

Security Medium 1 — macOS High Sierra Root Bug

A nasty bug was found in macOS 10.13 High Sierra — it was possible to cause the root account to become enabled, and to do so with a blank password.

To trigger this bug all you had to do was go into the control panel, click the padlock to un-lock the sensitive settings, change the username to root, enter no password, then hit enter. At this point the authentication would fail, but, the root account would have been made active. Hit enter again, and root with a blank password will be accepted as valid. At this point you can do anything in the control panel, no matter how restricted your account is in theory, and, anything you can get full terminal access as root.

Continue reading “Security Bits – 08 December 2017 – macOS Root Bug, HomeKit Bug, iOS Backup Encryption”

Open post
Security Bits Logo

Security Bits – 26 November 2017 – FaceID Isn’t Broken, USB Bugs in Linux Kernel, Vulnerability in Intel Chips

Security Medium 1 — No, FaceID isn’t Broken, but it Does Have Limits

A snazzy demo to the press had headlines all over the press screaming about how FaceID had been broken. But as is so often the case with stories like this, the devil is very much in the detail.

What the hackers really found was that it’s bloody difficult to trick FaceID — it takes a lot of time and effort, and even after you put all that investment in, your spoof only works in very carefully controlled circumstances.

Continue reading “Security Bits – 26 November 2017 – FaceID Isn’t Broken, USB Bugs in Linux Kernel, Vulnerability in Intel Chips”

Open post
Security Bits Logo

Security Bits – 22 October 2017

Security Medium 1 – WPA WiFi Encryption Develops KRACKs

This week started with a big security news announcement (responsibly disclosed, which is nice). Security researchers at the Belgian university KU Leuven revealed a collection of related attacks against the WPA2 protocol (WiFi Protected Access version 2). The problem at the root of these attacks was not related to any specific implementation of the spec, but with the spec itself, so every manufacturer who implemented the spec correctly would have introduced these vulnerabilities into their WiFi drivers. Because you have to give a bug a fancy name to get any media attention these days, it was given the somewhat strained pseudo-acronym KRACKs, from key reinstallation attacks.

We’re not going to go into the technical minutia here, but I have included links to some good explanations below. I do want to give a high-level overview of the problem though.

Continue reading “Security Bits – 22 October 2017”

Security Bits – 15 October 2017

Correction – Apple’s Better Cookies are iOS 11 & macOS High Sierra Only

A few weeks ago we looked at Apple’s new and improved cookie handling algorithm in detail, and we at the very least implied it was a Safari 11 feature, but it’s not, it’s an iOS 11 & macOS High Sierra feature. Even though macOS Sierra got a Safari update, it did not get this new feature.

Here is a nice article showing how to control the feature in the two OSes that do support it: www.macobserver.com/….

Continue reading “Security Bits – 15 October 2017”

Security Bits – 30 September 2017

From Allison: I’ve just decided that it might be a nice enhancement to the podcast and blog if you could see Security Bits as a stand-alone blog post. Makes it easier to find and more importantly easier to reference when sharing with others. Bart will be shown as the author (since he IS the author) but I’ll write the excerpt for each post.

In this week’s action-packed Security Bits, Bart brings some follow-up on the Equifax breach and more details about Apple’s Face ID. We have three security mediums this week. We cover the CCleaner compromise which infected over 2 million machines. Then we talk about the macOS Keychain vulnerability that was announced this week for macOS (something for everyone). In the third “medium” Bart explains cookies from inception and why they’re needed, through their evolution to help us into something that can track us. He walks us through all of this so we can understand how the changes Apple made in Safari 11 are reducing the tracking and why it’s making some types of advertisers cranky at Apple. Finally, Bart goes through Notable Security Updates, Notable News, Suggested Reading and has a couple of nice palette cleansers. Continue reading “Security Bits – 30 September 2017”

Posts navigation

1 2 3
Scroll to top