{"id":14210,"date":"2018-01-19T17:53:43","date_gmt":"2018-01-20T01:53:43","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=14210"},"modified":"2018-01-21T17:41:27","modified_gmt":"2018-01-22T01:41:27","slug":"sb-01-19-2017","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2018\/01\/sb-01-19-2017\/","title":{"rendered":"Security Bits &#8211; Spectre &#038; Meltdown Update (Again), Dark Caracal, chaiOS"},"content":{"rendered":"<h3>Meltdown &amp; Spectre Update<\/h3>\n<ul>\n<li>Steve Gibson of GRC (author of ShieldsUp &amp; SpinRite) has released <em>InSpectre<\/em>, a free Windows app which clearly communicates your PC\u2019s current level of protection against Meltdown &amp; Spectre, and what kind of a performance hit you should expect \u2014 <a href=\"https:\/\/www.grc.com\/inspectre.htm\">www.grc.com\/\u2026<\/a><\/li>\n<li>Red Hat have withdrawn their microcode patch for Spectre after it caused some systems to become unbootable (Linux supports dynamic updating of CPU microcode at boot without the need for a BIOS update, so the bad update could be shipped, and withdrawn, as an ordinary package) \u2014 <a href=\"https:\/\/www.theregister.co.uk\/2018\/01\/18\/red_hat_spectre_firmware_update_woes\/\">www.theregister.co.uk\/\u2026<\/a><\/li>\n<li>A great post on the official Raspberry Pi blog that primarily aims to explain why Raspberry Pis are not vulnerable to Spectre or Meltdown, but in the process explains Spectre in the clearest and most understandable way I\u2019ve yet seen \u2014 <a href=\"https:\/\/www.raspberrypi.org\/blog\/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown\/\">www.raspberrypi.org\/\u2026<\/a><\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h3>Security Medium 1 \u2014 <em>Dark Caracal<\/em><\/h3>\n<p>This story is breaking as we record, so the details are still a bit sketchy.<\/p>\n<p>A security research firm, <em>Lookout Security<\/em>, in conjunction with the EFF, have released a report on their investigation into a hacking group they have dubbed <em>Dark Caracal<\/em>. 
The report can be downloaded for free: <a href=\"https:\/\/www.lookout.com\/info\/ds-dark-caracal-ty\">www.lookout.com\/\u2026<\/a><\/p>\n<p>The malware deployed by this team is not particularly sophisticated \u2014 it uses known vulnerabilities and is delivered via spear phishing. Attacks have used malware for many OSes including Windows and macOS, but the vast bulk of the malware used in these attacks has been for Android phones. The attackers used these tools and techniques to spy on thousands of carefully chosen targets in 21 different countries.<\/p>\n<p>What makes this series of attacks significant is that the malware is sending all the data to servers in a building belonging to the Lebanese government! Even more interestingly, the researchers believe this is not simply an internal Lebanese government program, but a new spyware-as-a-service offering available to other governments, including those who would not have the resources to develop their own such tools.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/www.theverge.com\/2018\/1\/18\/16905464\/spyware-lebanon-government-research-dark-caracal-gdgs\">Researchers have discovered a new kind of government spyware for hire \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.theinquirer.net\/inquirer\/news\/3024762\/dark-caracal-government-spyware-targets-android-users-worldwide\">Dark Caracal: Government spyware targets Android users worldwide \u2014 www.theinquirer.net\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Security Medium 2 \u2014 <em>chaiOS<\/em><\/h3>\n<p>An extremely annoying iOS &amp; macOS <em>text bomb<\/em> is doing the rounds. A bug has been found in the way Apple\u2019s Messages app processes messages. The bug allows attackers to crash a victim\u2019s device simply by sending them a message that contains a link to an intentionally malformed web page. 
The recipient doesn\u2019t even have to open the message to get hit by this; as soon as the OS tries to read the message and generate its link preview, it runs into problems.<\/p>\n<p>According to reporting, the only way to recover from receiving a message like this on an iOS device is to do a factory restore, destroying all your local data that is not in the cloud.<\/p>\n<p>This is a denial-of-service problem, not an exploitation problem, so while it\u2019s not a catastrophe, it still has the potential to do harm, and, at the very least, to be very darned annoying!<\/p>\n<p>Thankfully the bug was already patched in the latest iOS 11 beta, and Apple have promised to get the patch released to the general public next week.<\/p>\n<p>The immediate danger has also been somewhat lessened with a take-down of the website that was hosting the attack link, and the removal of the GitHub account that was hosting the source code for the malicious website. However, the code was public on GitHub for some time, so it seems unlikely that no one has a copy.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/imessage-text-bomb-floating-around-can-freeze-your-iphone\">An iMessage \u2018text bomb\u2019 is floating around that can freeze your iPhone \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/psa-chaios-web-link-crashes-messages-iphone-ipad-mac\/\">PSA: chaiOS Web Link Crashes Messages on iPhone, iPad, and Mac \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.buzzfeed.com\/nicolenguyen\/chaios-imessage-bug#.rorLDYv6e\">chaiOS iMessage bug \u2014 www.buzzfeed.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li>Patch Tuesday has been and gone, and Adobe released a critical security update for Flash \u2014 <a 
href=\"https:\/\/helpx.adobe.com\/security\/products\/flash-player\/apsb18-01.html\">helpx.adobe.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>The WiFi Alliance have announced that they will be releasing WPA3 later in 2018 (Editorial: I share Steve Gibson\u2019s concern that this is yet another vitally important security specification developed in complete secrecy and isolation by the WiFi Alliance. This is the same approach that was used by the WiFi Alliance to develop the catastrophically flawed WEP and WPS standards.) \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/wi-fi-alliance-working-new-wi-fi-security-standard-wpa3\/\">www.macobserver.com\/\u2026<\/a>, <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/10\/wi-fi-security-overhaul-coming-with-wpa3\/\">nakedsecurity.sophos.com\/\u2026<\/a> &amp; <a href=\"http:\/\/tidbits.com\/article\/17719\">tidbits.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; Well-known electronic toy manufacturer VTech has settled for $650,000 with the US FTC over alleged violations of child privacy protections enshrined in COPPA (a US law) following a high-profile data breach in 2015 \u2014 <a href=\"https:\/\/www.theverge.com\/2018\/1\/8\/16865652\/vtech-connected-toy-ftc-fine-child-privacy\">www.theverge.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/10\/smart-toymaker-vtech-fined-over-charges-of-violating-child-privacy-law\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>macOS hit with another embarrassing password bug \u2014 you can unlock the App Store preference pane with any password. A fix is already included in the latest beta, so it will be out soon, and this bug requires the attacker already be logged in to your computer, and even then, it doesn\u2019t give them much power. So, no reason to panic, but it sure looks like Apple\u2019s QA could do with some TLC! 
\u2014 <a href=\"https:\/\/www.macrumors.com\/2018\/01\/10\/macos-high-sierra-app-store-password-bug\/\">www.macrumors.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.imore.com\/mac-app-store-preferences-bug-already-patched-beta-still-dumb\">www.imore.com\/\u2026<\/a><\/li>\n<li>The latest preview version of Skype adds an opt-in <em>Private Conversations<\/em> mode built on the open-source Signal Protocol, providing end-to-end encryption for those conversations (it is not enabled for all Skype chats by default) \u2014 <a href=\"https:\/\/arstechnica.com\/gadgets\/2018\/01\/skype-finally-getting-end-to-end-encryption\/\">arstechnica.com\/\u2026<\/a><\/li>\n<li>Security researchers have found a flaw in how WhatsApp administers group chats: whoever controls WhatsApp\u2019s servers can add a member to a group without an admin\u2019s approval. Thankfully, it can\u2019t be practically exploited by an outsider, so while it does need fixing, there\u2019s no need to panic \u2014 <a href=\"https:\/\/www.imore.com\/heres-what-you-need-know-about-whatsapp-group-chat-security-flaw\">www.imore.com\/\u2026<\/a><\/li>\n<li>Apple have updated their excellent <a href=\"https:\/\/www.apple.com\/business\/docs\/iOS_Security_Guide.pdf\">iOS 11 Security Guide<\/a>, adding information and guidance regarding new features like Face ID and Apple Pay Cash and more \u2014 <a href=\"https:\/\/www.imore.com\/apples-new-security-guide-covers-face-id-apple-pay-cash-autofill-and-more\">www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li>&#x1f1fa;&#x1f1f8; Brian Krebs warns that there seems to be an on-going wave of attempted bitcoin extortion via snail-mail (traditional post) in the US at the moment \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/01\/bitcoin-blackmail-by-snail-mail-preys-on-those-with-guilty-conscience\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Naked Security are warning that they are seeing a rise in social engineering attacks exploiting the current media hype around cryptocurrencies to try to trick users into opening malicious files emailed to them \u2014 <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/12\/cryptocurrency-as-the-lure-an-iso-as-the-attachment-why-not-open-it\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/how-secure-your-iphone-and-ipad-against-backdoors-and-other-risks\">How to better protect your iPhone and iPad against hacks and other security and privacy risks \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/how-set-apples-two-factor-authentication\">How to set up Apple\u2019s two-factor authentication \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2018\/01\/some-basic-rules-for-securing-your-iot-stuff\/\">Some Basic Rules for Securing Your IoT Stuff \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/how-change-or-reset-your-macs-account-password\">How to change or reset your Mac\u2019s account password \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/iphone-x-how-stop-accidentally-calling-911-emergency-sos-auto-call\">iPhone X: How to stop accidentally calling 911 and emergency contacts \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/15\/how-to-set-up-2fa-on-your-facebook-account\/\">How to set up 2FA on your Facebook account \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/18\/blackwallet-cryptocurrency-site-loses-users-money-after-dns-hijack\/\">BlackWallet cryptocurrency site loses users\u2019 money after DNS hijack \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1ee;&#x1f1f3; Aadhaar, India\u2019s national biometric ID database and the largest such database in the world, was easily breached by two independent sets of journalists \u2014 <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/09\/aadhaar-breaches-fuelled-by-rogue-admin-accounts\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/09\/facebook-bug-could-have-exposed-your-phone-number-to-marketers\/\">Facebook bug could have exposed your phone number to marketers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/19\/virtual-reality-porn-app-sinvr-exposes-details-of-20000-customers\/\">Virtual reality porn app SinVR exposes details of 20,000 customers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>&#x1f1fa;&#x1f1f8; The war on Privacy continues\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/15\/house-votes-for-six-more-years-of-warrantless-surveillance\/\">House votes for six more years of warrantless surveillance \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/analysis\/fbi-director-renews-calls-magical-encryption-bypass-doesnt-believe-experts-call-impossible\/\">FBI Director Renews Calls for Magical Encryption Bypass, Doesn\u2019t Believe Experts Who Call It Impossible \u2014 www.macobserver.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/11\/fbi-director-says-unbreakable-encryption-is-a-public-safety-issue\/\">FBI director says \u2018unbreakable encryption is a public safety issue\u2019 \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/tech-policy\/2018\/01\/fbi-security-expert-apple-are-jerks-about-unlocking-encrypted-phones\/\">FBI security expert: Apple are \u201cjerks\u201d about unlocking encrypted phones \u2014 arstechnica.com\/\u2026<\/a>, <a href=\"https:\/\/www.macobserver.com\/news\/fbi-agent-whines-ios-encryption-calling-apple-evil-geniuses-jerks\/\">FBI Agent Whines About iOS Encryption, Calling Apple \u2018Evil Geniuses and 
Jerks\u2019 \u2014 www.macobserver.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/16\/fbi-expert-calls-apple-jerks-as-encryption-tension-simmers\/\">FBI expert calls Apple \u2018jerks\u2019 as encryption tension simmers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/fbi-special-agent-charge-says-heart-apple\/\">This FBI Special Agent in Charge Says: \u2018We Heart Apple\u2019 \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/09\/us-tightens-rules-on-border-search\/\">US tightens rules on border search \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/09\/coffeeminer-project-lets-you-hack-public-wi-fi-to-mine-cryptocoins\/\">CoffeeMiner project lets you hack public Wi-Fi to mine cryptocoins \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1e9;&#x1f1ea; German prosecutors use health data from a cracked iPhone as evidence in a murder trial \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/iphone-users-health-data-used-murder-investigation\/\">www.macobserver.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/15\/iphones-apple-health-data-used-as-evidence-in-murder-trial\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/12\/man-charged-with-spying-on-thousands-of-mac-users-for-13-years\/\">Man charged with spying on thousands of Mac users for 13 years \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.reuters.com\/article\/us-usa-internet\/senate-democrats-close-to-majority-in-drive-to-restore-net-neutrality-idUSKBN1F52JO\">21 states sue to keep net neutrality as Senate Democrats reach 50 votes \u2014 www.reuters.com\/\u2026<\/a><\/li>\n<li><a 
href=\"http:\/\/www.niemanlab.org\/2018\/01\/facebook-drastically-changes-news-feed-to-make-it-good-for-people-and-bad-for-most-publishers\/\">Facebook drastically changes News Feed to make it \u201cgood for people\u201d (and bad for most publishers) \u2014 www.niemanlab.org\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1246841\">Malicious Chrome extension is next to impossible to manually remove \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/month-in-review-apple-security-in-december-2017\/\">Month in Review: Apple Security in December 2017 \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/19\/90-of-gmail-users-could-improve-their-security-easily-but-dont\/\">90% of Gmail users could improve their security easily, but don\u2019t \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/19\/credit-card-tinfoil-hat\/\">Does your credit card need a tinfoil hat to keep it safe on the train? 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/19\/the-google-play-super-antivirus-thats-not-so-super-at-all-report\/\">The Google Play \u201cSuper Antivirus\u201d that\u2019s not so super at all\u2026 \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propellor Beanie Territory\n<ul>\n<li><a href=\"https:\/\/www.macworld.com\/article\/3245764\/macs\/the-t2-chip-makes-the-imac-pro-the-start-of-a-mac-revolution.html\">The T2 chip makes the iMac Pro the start of a Mac revolution \u2014 www.macworld.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/17\/firefox-locks-down-its-future-with-https-secure-contexts\/\">Firefox locks down its future with HTTPS \u2018secure contexts\u2019 \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Meltdown &amp; Spectre Update Steve Gibson of GRC (author of ShieldsUp &amp; SpinRite) has released InSpectre, a free Windows app which clearly communicates your PC\u2019s current level of protection against Meltdown &amp; Spectre, and what kind of a performance hit you should expect \u2014 www.grc.com\/\u2026 Red Hat have withdrawn their microcode patch for Spectre after it 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":13191,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[515,126,51,1104,50,569,13],"class_list":["post-14210","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-android","tag-ios","tag-mac","tag-macos","tag-security","tag-security-bits","tag-windows"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2017\/10\/security_bits_logo_300px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/14210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=14210"}],"version-history":[{"count":4,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/14210\/revisions"}],"predecessor-version":[{"id":14225,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/14210\/revisions\/14225"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/13191"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=14210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=14210"},{"
taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=14210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}