{"id":15670,"date":"2018-06-29T17:24:21","date_gmt":"2018-06-30T00:24:21","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=15670"},"modified":"2018-06-29T17:28:20","modified_gmt":"2018-06-30T00:28:20","slug":"sb-mostly-good-news","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2018\/06\/sb-mostly-good-news\/","title":{"rendered":"Security Bits &#8211; Mostly Good News"},"content":{"rendered":"<h3>Followup<\/h3>\n<ul>\n<li>Following on from security breaches at the 3rd-party companies all American cell phone companies were sharing real-time location data with, Verizon have announced they are ceasing all location data sharing (the other carriers have ended their relationships with some specific companies, but not globally like this) \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/06\/verizon-to-stop-sharing-customer-location-data-with-third-parties\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>GDPR Fallout &amp; Experiences:\n<ul>\n<li>The <em>Norwegian Consumer Council<\/em> has issued a report detailing how the wording chosen by Facebook, Google &amp; Microsoft (to a lesser extent) in their GDPR popups and notifications uses so-called <em>dark-patterns<\/em> to psychologically bias users towards choosing to give up their privacy. 
They go so far as to accuse the companies of breaching GDPR by not giving users <em>&#8216;meaningful choices&#8217;<\/em> as is required \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/29\/facebook-and-google-accused-of-manipulating-us-with-dark-patterns\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><strong>Allison:<\/strong> <a href=\"https:\/\/twitter.com\/podfeet\/status\/1012525277916753920\">twitter.com\/\u2026<\/a><\/li>\n<li><strong>Bart:<\/strong> Apart from losing Instapaper, I&#8217;m seeing very little GDPR fall-out, with one exception \u2014 I&#8217;m noticing a lot of recipe websites are choosing not to comply with GDPR and instead, block Europeans &#x1f641;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h3>Notable News<\/h3>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; The US Supreme Court has ruled that police do need a warrant to access mobile location data \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/06\/supreme-court-police-need-warrant-for-mobile-location-data\/\">krebsonsecurity.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.imore.com\/supreme-court-rules-police-need-warrants-get-phone-location-info\">www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; The <em>California Consumer Privacy Act of 2018<\/em> has passed the CA legislature and is expected to be signed into law by the governor soon. 
The law gives Californians more rights over their data, and could have nation-wide positive ripple-effects \u2014 <a href=\"https:\/\/www.macobserver.com\/analysis\/california-privacy-bill\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>Google has promised to update their software to fix a location data leak found in their Chromecast dongles and Google Home smart speakers \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/20\/google-chromecast-and-home-speaker-can-leak-location-data-to-websites\/\">nakedsecurity.sophos.com\/\u2026<\/a> &amp; <a href=\"https:\/\/krebsonsecurity.com\/2018\/06\/google-to-fix-location-data-leak-in-google-home-chromecast\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Developers from the OpenBSD project have removed support for hyper threading from their OS to mitigate against yet another data leak bug in Intel CPUs. This time it&#8217;s data leaking between processes sharing a physical core but running on separate logical cores that&#8217;s the problem. They dubbed the bug <em>TLBleed<\/em>, and full details are to be announced at an upcoming conference. Since most modern CPUs have many physical cores, the real-world performance cost for most people of losing hyper threading is very small. Also, this bug is not particularly dangerous for home users because it requires a locally running process, but it&#8217;s a much bigger deal for server farms or anyone running virtualisation \u2014 <a href=\"https:\/\/arstechnica.com\/?p=1336327\">arstechnica.com\/\u2026<\/a><\/li>\n<li>WPA3 officially launches, but expect it to be a slow rollout \u2014 <a href=\"https:\/\/www.imore.com\/wpa3-officially-rolling-out-replace-14-year-old-wpa2\">www.imore.com\/\u2026<\/a>\n<ul>\n<li><strong>Related Analysis Piece:<\/strong> <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/27\/wpa3-is-here-but-how-will-it-make-wi-fi-more-secure\/\">WPA3 is here but how will it make Wi-Fi more secure? 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Obsolete browsers that don&#8217;t support modern versions of TLS will find themselves unable to connect to e-commerce websites after the 30th of June. Why? Because after that date e-commerce sites can&#8217;t support SSL or the early versions of TLS without violating the PCI security rules all credit card processors have to abide by &#8211; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/21\/why-you-may-want-to-update-your-browser-in-the-next-9-days\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Following Let&#8217;s Encrypt&#8217;s success at moving websites to HTTPS for free, the EFF has launched a new initiative to try to do the same for SMTP, the protocol used to send emails between mail servers. Playing on the SMTP command for enabling encryption, they&#8217;ve named this new project <em>STARTTLS Everywhere<\/em> \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/27\/safer-hops-for-email-effs-plan-to-cut-down-on-email-snooping\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Twitter have added support for hardware tokens like YubiKeys for multi-factor authentication \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/28\/twitter-introduces-another-way-for-you-to-better-secure-your-account\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>In case you only heard the incorrect original story, the heavily reported iPhone passcode bypass vulnerability using external keyboards proved not to be real, so don&#8217;t worry about it! \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/iphone-passcode-attempt-limit-flaw-debunked\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>The GitHub repositories for Gentoo Linux have been hacked, and all code within them should be considered compromised. 
Thankfully GitHub is not the primary Gentoo code repository, it&#8217;s just a mirror, so it&#8217;s still safe to use Gentoo Linux as a user \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/29\/linux-distro-hacked-on-github-all-code-considered-compromised\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li>Intego are warning of a phishing campaign that leaves scary-sounding automated voice mail messages in an attempt to trick people into handing over their iCloud logins \u2014 <a href=\"https:\/\/www.intego.com\/mac-security-blog\/terrifying-spam-call-leaves-voicemail-phishing-for-icloud-logins\/\">www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macworld.com\/article\/3279732\/macs\/what-you-need-to-do-when-you-inherit-a-mac.html\">What you need to do when you inherit a Mac \u2014 www.macworld.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/how-to-secure-your-home-router\/\">How to Secure Your Home Router \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.wired.com\/story\/exactis-database-leak-340-million-records\/\">Marketing Firm <em>Exactis<\/em> Leaked a Personal Info Database With 340 Million Records\u2014 www.wired.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/28\/ticketmaster-breach-what-happened-and-what-to-do\/\">The Ticketmaster breach \u2013 what happened and what to do \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/techcrunch.com\/2018\/06\/22\/facebook-analytics-leak\/\">Facebook mistakenly leaked developer analytics reports to testers \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/ios-12-precise-location-911-calls\/\">iOS 12 to Give First 
Responders Precise Location Data for 911 Calls \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/21\/offline-android-apps-get-new-security-check\/\">Offline Android apps get new security check \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/26\/mozilla-tests-new-firefox-privacy-monitor-tool\/\">Mozilla tests new Firefox Privacy Monitor tool \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/28\/us-legislators-put-industrial-control-system-security-on-the-map\/\">US legislators put industrial control system security on the map \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.nytimes.com\/2018\/06\/23\/technology\/smart-home-devices-domestic-abuse.html\">Thermostats, Locks and Lights: Digital Tools of Domestic Abuse \u2014 www.nytimes.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f1ea;&#x1f1fa; <a href=\"https:\/\/tidbits.com\/2018\/06\/25\/new-eu-copyright-regulations-threaten-the-internet\/\">New EU Copyright Regulations Threaten the Internet \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/20\/the-girls-who-used-whatsapp-to-learn-under-the-noses-of-is\/\">The girls who used WhatsApp to learn under the noses of IS \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>A patent filing by Facebook for some very creepy-sounding snooping technology has sparked off controversy. 
Facebook say they are filing the patent to block anyone from ever doing this, and that they never will use it in their products:\n<ul>\n<li><a href=\"https:\/\/mashable.com\/2018\/06\/28\/facebook-patent-secret-audio-recordings\/\">Facebook seeks patent on tech that turns on your smartphone microphone \u2014 mashable.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/28\/are-you-happy-with-this-technology-that-facebooks-developing\/\">Are you happy with this technology that Facebook\u2019s developing? \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Propeller Beanie Territory\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/28\/windows-10-security-can-be-bypassed-by-settings-page-weakness\/\">Windows 10 security can be bypassed by Settings page weakness \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/06\/25\/terrible-passwords-outlawed-in-microsofts-new-azure-tool\/\">Terrible passwords outlawed in Microsoft\u2019s new Azure tool \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li><strong>Allison:<\/strong> <a href=\"https:\/\/nakedsecurity.sophos.com\/2011\/08\/25\/password-joke-named-funniest-at-edinburgh-fringe\/\">Password joke named funniest at Edinburgh Fringe \u2014 nakedsecurity.sophos.com\/\u2026<\/a>: &#8220;Give a man a fish and you feed him for a day. 
Teach a man to phish and he&#8217;ll use your credit card to pay for dinner.&#8221;<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Followup Following on from security breaches at the 3rd-party companies all American cell phone companies were sharing real-time location data with, Verizon have announced they are ceasing all location data sharing (the other carriers have ended their relationships with some specifics companies, but not globally like this) \u2014 krebsonsecurity.com\/\u2026 GDPR Fallout &amp; Experiences: The Norwegian [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":14958,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[2650,114,50,569],"class_list":["post-15670","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-breach","tag-privacy","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2018\/04\/Security-Bits-Logo_1000px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/15670","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=15670"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\
/wp\/v2\/posts\/15670\/revisions"}],"predecessor-version":[{"id":15673,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/15670\/revisions\/15673"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/14958"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=15670"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=15670"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=15670"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}