{"id":14332,"date":"2018-02-04T10:55:58","date_gmt":"2018-02-04T18:55:58","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=14332"},"modified":"2018-02-04T11:34:17","modified_gmt":"2018-02-04T19:34:17","slug":"sb-02-02-2017","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2018\/02\/sb-02-02-2017\/","title":{"rendered":"Security Bits &#8211; Spectre\/Meltdown Update, Strava Heat Maps"},"content":{"rendered":"<h3>Followup \u2014 Spectre &amp; Meltdown News<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.reuters.com\/article\/us-cyber-intel\/intel-asks-customers-to-stop-using-faulty-patches-idUSKBN1FB2M9\">Intel asks customers to halt patching for chip bug, citing flaw \u2014 www.reuters.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/gadgets\/2018\/01\/new-windows-patch-disables-intels-bad-spectre-microcode-fix\/\">New Windows patch disables Intel\u2019s bad Spectre microcode fix \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/macos-sierra-os-x-el-capitan-updates-patch-meltdown-flaw\/\">macOS Sierra, OS X El Capitan Updates Patch Meltdown Flaw \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/25\/apple-offers-another-meltdown-fix-for-mac-users\/\">Apple offers another Meltdown fix for Mac users\u2026 \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Security Medium \u2014 Strava Heatmaps have Unintended Consequences<\/h3>\n<p>The popular exercise tracking app Strava regularly produces a really cool heatmap that shows where most people run, cycle, swim, etc. The data is anonymised, so it all seems like some innocent fun. 
The latest version of the heatmap was published back in November, and no one thought it was a problem.<\/p>\n<p><!--more--><\/p>\n<p>That all changed this week when an Australian security researcher noticed that there are some places where anonymisation doesn&#8217;t work like you might expect because of strong selection effects.<\/p>\n<p>The most dangerous of these effects is tracks in areas where the majority of users are US military personnel. In NYC you can&#8217;t tell which of the millions of tracks is by soldiers, but in rural Afghanistan, you effectively can, because the locals are not big Strava users, so just about every track is US military personnel! Just imagine how useful that heatmap is to terrorists planning attacks!<\/p>\n<p>Sharing of anonymised data is the default in Strava, but it&#8217;s not required to use the app. There is a private mode, and private data is not included in the heatmaps. Having said that, Strava have promised to simplify their privacy settings so users can more easily understand what they are and are not sharing.<\/p>\n<p>IMO there are two lessons to be taken from all this:<\/p>\n<ol>\n<li>Vulnerable users in dangerous places need to use the privacy features provided, and the organisations that put them in harm&#8217;s way need to help them understand the risks and the actions they need to take to mitigate them.<\/li>\n<li>Companies releasing data need to be more aware of selection effects, which can make seemingly anonymous data anything but. That means being more selective about what gets released \u2014 parts of a dataset that are very sparse should be redacted. 
If Strava had only published heatmaps in countries with a lot of Strava users this would have been much less of a problem.<\/li>\n<\/ol>\n<h4>Links<\/h4>\n<ul>\n<li>The heatmap at the heart of all this \u2014 <a href=\"https:\/\/labs.strava.com\/heatmap\/#7.00\/-120.90000\/38.36000\/hot\/all\">labs.strava.com\/\u2026<\/a><\/li>\n<li><a href=\"http:\/\/social.techcrunch.com\/2018\/01\/28\/strava-exposes-military-bases\/\">Fitness app Strava exposes the location of military bases \u2014 social.techcrunch.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/30\/secret-military-bases-revealed-by-fitness-app-strava\/\">Secret military bases revealed by fitness app Strava \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/techcrunch.com\/2018\/01\/29\/strava-simplify-privacy-options-review-features\/\">Strava says it will simplify privacy settings and review app features after exposing military bases \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.forbes.com\/sites\/sethporges\/2018\/01\/29\/strava-was-just-the-beginning-even-seemingly-innocent-data-can-be-weaponized\/#66aec0b8126f\">Strava Was Just The Beginning: Even Seemingly Innocent Data Can Be Weaponized \u2014 www.forbes.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li>Apple released security updates for macOS (El Capitan, Sierra &amp; High Sierra), iOS, watchOS, tvOS &amp; Safari \u2014 <a href=\"https:\/\/www.us-cert.gov\/ncas\/current-activity\/2018\/01\/23\/Apple-Releases-Multiple-Security-Updates\">www.us-cert.gov\/\u2026<\/a>\n<ul>\n<li>As mentioned above, this includes Meltdown patches for El Capitan &amp; Sierra, and further mitigations for High Sierra<\/li>\n<li>The updates include fixes for the <em>ChaiOS<\/em> iMessage flaw we mentioned last time \u2014 <a 
href=\"https:\/\/www.macobserver.com\/news\/product-news\/apple-fixes-imessage-order-bug-macos-high-sierra-10-13-3\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>Adobe warn of a Flash zero-day that is being actively exploited in the wild. They promise a patch next week. The vector for the exploit is Flash embedded in MS Office documents, so until the patch is out, be very wary of opening Office documents from untrusted sources \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/02\/attackers-exploiting-unpatched-flaw-in-flash\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Security researchers find Tinder&#8217;s apps don&#8217;t properly encrypt traffic, allowing attackers on the same Ethernet network to determine which way you swiped on who \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/24\/tinder-user-lack-of-encryption-means-stalkers-can-watch-you-at-it\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>In preparation for the GDPR (strong new EU data protection rules that come into effect on May 1st this year), Facebook will roll out a new and improved privacy control centre tool to their users globally \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/25\/facebook-to-give-you-more-control-over-your-data\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Reddit introduces 2FA \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/26\/reddit-users-2fa-is-here-now-turn-it-on\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Apple to add a privacy icon to iOS to counter iCloud phishing attacks \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/apple-add-privacy-icon-ios-stop-icloud-phishing\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/31\/ransomware-makes-it-into-the-oxford-english-dictionary\/\">Ransomware makes it into the Oxford English Dictionary \u2014 
nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/how-to-encrypt-email-with-any-email-provider\/\">How to Encrypt Email with Any Email Provider \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/how-add-emergency-contacts-iphone-apple-watch\">How to add emergency contacts to your iPhone or Apple Watch \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/what-you-need-know-about-health-records-ios-113\">What you need to know about Health Records in iOS 11.3 \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/krebsonsecurity.com\/2018\/01\/file-your-taxes-before-scammers-do-it-for-you\/\">File Your Taxes Before Scammers Do It For You \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/how-to\/take-control-facebook-privacy-settings\/\">How to Take Control of Your Facebook Privacy Settings \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/how-to\/secure-twitter-privacy-settings\/\">How to Secure Your Twitter Privacy Settings \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/how-to\/secure-instagram-privacy-settings\/\">How to Secure Your Instagram Privacy Settings \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"http:\/\/osxdaily.com\/2018\/01\/27\/determine-iphone-new-refurbished-replaced\/\">How to Check if iPhone is New, Refurbished, or Replacement | OSXDaily \u2014 osxdaily.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/29\/lyft-investigates-allegations-of-employees-snooping-on-riders\/\">Lyft investigates allegations of employees snooping on riders \u2014 
nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/23\/twitter-will-email-677775-users-who-engaged-with-russian-election-trolls\/\">Twitter will email 677,775 users who engaged with Russian election trolls \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/24\/serious-category-one-cyberattack-not-far-off-warns-security-chief\/\">Serious \u2018category one\u2019 cyberattack not far off \u2013 warns security chief \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/25\/babies-data-being-sold-to-tax-fraudsters-on-the-dark-web\/\">Babies\u2019 data being sold to tax fraudsters on the dark web \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/30\/secret-service-warning-jackpotting-atm-attacks-reach-the-us\/\">Secret Service warning: Jackpotting ATM attacks reach the US \u2014 nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li>Related: <a href=\"https:\/\/krebsonsecurity.com\/2018\/01\/drug-charges-tripped-up-suspects-in-first-known-atm-jackpotting-attacks-in-the-us\/\">Drugs Tripped Up Suspects In First Known ATM \u201cJackpotting\u201d Attacks in the US \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/31\/bitcoin-payments-used-to-unmask-dark-web-users\/\">Bitcoin payments used to unmask dark web users \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/02\/01\/over-700000-bad-apps-removed-from-google-play-store-in-2017\/\">Over 700,000 bad apps removed from Google Play store in 2017 \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li><a 
href=\"https:\/\/www.intego.com\/mac-security-blog\/a-look-back-at-the-top-mac-security-stories-of-2017\/\">A Look Back at the Top Mac Security Stories of 2017 \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li>ZDNet made waves by describing Uber&#8217;s human-friendly approach to 2FA as <em>&#8216;useless&#8217;<\/em>, but as this article explains, that&#8217;s a totally unfair criticism; they&#8217;ve actually implemented 2FA in a very sensible way \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/22\/uber-hit-with-criticism-of-useless-two-factor-authentication\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/31\/ban-facebook-messenger-for-kids-urge-childrens-health-advocates\/\">Ban Facebook Messenger for Kids, urge children\u2019s health advocates \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/23\/how-a-teen-used-social-engineering-to-take-on-the-fbi-and-cia\/\">How a teen used social engineering to take on the FBI and CIA \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/26\/ai-fake-porn-could-cast-any-of-us\/\">AI fake porn could cast any of us \u2014 nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li>Related: <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/30\/deepfakes-ai-celebrity-porn-channel-shut-down-by-discord\/\">Deepfakes AI celebrity porn channel shut down by Discord \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Propeller Beanie Territory\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/01\/29\/researchers-warn-of-invisible-attacks-on-electrical-sensors\/\">Researchers warn of invisible attacks on electrical sensors \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li>The RFID blocker I mentioned recently \u2014 <a 
href=\"https:\/\/www.amazon.co.uk\/Blocking-Contactless-Protection-Batteries-Fuss-Free\/dp\/B073TWK7KR\">www.amazon.co.uk\/\u2026<\/a><\/li>\n<li>LuLu \u2013 an interesting free and open source firewall for the Mac that&#8217;s currently in alpha \u2014 <a href=\"https:\/\/objective-see.com\/products\/lulu.html\">objective-see.com\/\u2026<\/a><\/li>\n<li>Burger King explain net neutrality with Whoppers \u2014 <a href=\"https:\/\/www.youtube.com\/watch?time_continue=5&amp;v=ltzy5vRmN8Q\">www.youtube.com\/\u2026<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Followup \u2014 Spectre &amp; Meltdown News Intel asks customers to halt patching for chip bug, citing flaw \u2014 www.reuters.com\/\u2026 New Windows patch disables Intel\u2019s bad Spectre microcode fix \u2014 arstechnica.com\/\u2026 macOS Sierra, OS X El Capitan Updates Patch Meltdown Flaw \u2014 www.intego.com\/\u2026 Apple offers another Meltdown fix for Mac users\u2026 \u2014 nakedsecurity.sophos.com\/\u2026 Security Medium \u2014 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":13191,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[147,214],"tags":[2238,972,2080,50,569,2239,574,2081,2237],"class_list":["post-14332","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-data-mining","tag-exercise","tag-meltdown","tag-security","tag-security-bits","tag-security-updates","tag-sharing","tag-spectre","tag-strava"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2017\/10\/security_bits_logo_300px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/14332","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=14332"}],"version-history":[{"count":4,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/14332\/revisions"}],"predecessor-version":[{"id":14511,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/14332\/revisions\/14511"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/13191"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=14332"}],"wp:term":[{"taxonomy":"category","embedd
able":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=14332"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=14332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}