{"id":16180,"date":"2018-08-25T10:51:02","date_gmt":"2018-08-25T17:51:02","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=16180"},"modified":"2018-08-25T10:52:33","modified_gmt":"2018-08-25T17:52:33","slug":"sb-zeroday-macos-fb-trustworthiness-fb-vpn-google-tracks-teenager-hacks","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2018\/08\/sb-zeroday-macos-fb-trustworthiness-fb-vpn-google-tracks-teenager-hacks\/","title":{"rendered":"Security Bits &#8211; Zero-Day on macOS, Facebook Rates User Trustworthiness, Facebook&#8217;s VPN Was Tracking Users, Excessive Google Tracking, Teenager Hacks Apple"},"content":{"rendered":"<h3>Followups<\/h3>\n<ul>\n<li>More speculation-based flaws in Intel Chips (<strong>Editorial by Bart:<\/strong> as with other recent Spectre\/Meltdown variants, there&#8217;s no need for home users to panic, just keep your OSes patched. It&#8217;s cloud providers that really need to worry about these flaws.)\n<ul>\n<li><em>L1 Terminal Fault<\/em> AKA <em>L1TF<\/em> \u2013 Intel have released mitigations, and they don&#8217;t have significant performance impacts \u2014 <a href=\"https:\/\/www.intel.com\/content\/www\/us\/en\/architecture-and-technology\/l1tf.html\">www.intel.com\/\u2026<\/a><\/li>\n<li><em>Foreshadow<\/em> \u2013 This new variant is noteworthy because it allows attackers to bypass the security that is supposed to protect SGX (Software Guard eXtensions), Intel&#8217;s secure enclave. 
Again, updated microcode has been released \u2014 <a href=\"https:\/\/arstechnica.com\/?p=1358223\">arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li>Patch Tuesday has been and gone with critical security updates being released by Microsoft and Adobe, including patches to zero-day flaws \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/08\/patch-tuesday-august-2018-edition\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Adobe released an out-of-band patch to fix a critical vulnerability in Photoshop CC \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/23\/patch-time-adobe-issues-unexpected-critical-fix-for-photoshop-cc\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>At the DefCon security conference, security researchers released details of vulnerabilities in the fax feature of many network-connected HP multi-function devices that are putting many businesses and households around the world at risk. If affected devices are connected to both the network and the phone system then a malicious fax can be sent to the device in order to break into the network. HP have released patches. The researchers warn that other vendors are probably similarly vulnerable, so expect more reports and patches soon. (<strong>Editorial by Bart:<\/strong> if you have one of these devices and don&#8217;t actually need faxing functionality, now might be a good time to just pull the plug!) 
\u2014 <a href=\"https:\/\/blog.checkpoint.com\/2018\/08\/12\/faxploit-hp-printer-fax-exploit\/\">blog.checkpoint.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/exclusive-hp-leaves-mac-users-vulnerable-to-fax-hacks\/\">Intego Exclusive: HP Leaves Mac Users Vulnerable to Fax Hacks \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Also at the DefCon security conference, a researcher released details of a zero-day privilege escalation attack against macOS. The attack allows malware already running on your Mac to click through security dialogues on your behalf, hence gaining more privileges than it should have. The bug appears not to be present in macOS Mojave (<strong>Editorial by Bart:<\/strong> no need to panic here, if you have malware already running on your system you have bigger problems!) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/14\/apple-mac-zero-day-hack-lets-you-sneakily-click-ok\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>A 20-year-old bug with some security implications has been patched in OpenSSH, the most commonly used SSH library. The bug caused SSH to respond at a different speed depending on whether authentication failed because the user account did not exist at all, or because it did exist but the credentials were wrong. This allowed attackers to test if a given username exists on a system, and hence speed up brute-force attacks. (<strong>Editorial by Bart:<\/strong> no need to panic here, the patch is out, and even on an un-patched device you&#8217;re still safe as long as you have a strong password\/SSH key.) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/23\/vulnerability-in-openssh-for-two-decades-no-the-sky-isnt-falling\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Facebook have revealed that they have been working on an algorithm to rate their users&#8217; trustworthiness for many years. 
The hope is that this algorithm will help them fight so-called <em>fake news<\/em> on their platform \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/23\/facebooks-rating-you-on-how-trustworthy-you-are\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>At Apple&#8217;s request, Facebook has removed its Onavo VPN app from the iOS App Store. Apple asked for the removal because Facebook&#8217;s VPN tracked all user activity carried out over the VPN, something Apple considers a privacy violation \u2014 <a href=\"https:\/\/daringfireball.net\/linked\/2018\/08\/22\/facebook-onavo-app-store\">daringfireball.net\/\u2026<\/a><\/li>\n<li>Security researchers have found that alterations made to Android by many hardware makers and cell carriers are adding security vulnerabilities into Android, resulting in millions of brand-new Android devices being vulnerable right out of the box \u2014 <a href=\"https:\/\/www.wired.com\/story\/android-smartphones-vulnerable-out-of-the-box\/\">www.wired.com\/\u2026<\/a><\/li>\n<li>Google got into hot water after it was discovered that turning off a setting labelled <em>Location History<\/em> didn&#8217;t actually stop Google storing a history of your locations! 
Rather than deal with the underlying problem, Google chose to update the text on the setting&#8217;s label to explain that it doesn&#8217;t do what it says on the proverbial tin:\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/18\/08\/16\/google-confirms-it-tracks-users-even-when-location-history-setting-is-disabled\">Google confirms it tracks users even when &#8216;Location History&#8217; setting is disabled \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/quick-tip\/how-to-stop-google-tracking-location\/\">Here\u2019s How to Stop Google from Tracking Your Location \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>Fun commentary on this kerfuffle from John Gruber \u2014 <a href=\"https:\/\/daringfireball.net\/linked\/2018\/08\/13\/douglas-adams-plans\">daringfireball.net\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>An Australian teenager hacked Apple and stole 90GB of <em>&#8216;secure files&#8217;<\/em>. Apple say no user data was compromised \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/17\/apple-gets-cored-90gb-of-secure-files-stolen-by-high-schooler\/\">nakedsecurity.sophos.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.macobserver.com\/news\/apple-data-not-compromised-teen-hacking\/\">Apple Says Customer Data Wasn\u2019t Compromised in Teen Hacking Case \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/22\/microsoft-disrupts-fancy-bear-election-meddlers\/\">Microsoft disrupts Fancy Bear election meddlers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/15\/the-sextortionists-are-back-this-time-with-your-phone-number-as-proof\/\">Beware! 
&#8216;Porn&#8217; scam uses your phone number to blackmail you \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/how-add-two-factor-authentication-your-epic-account\">How to add two-factor authentication to your Epic account \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/quick-tip\/how-to-enable-instagram-two-factor-authentication\/\">How to enable Instagram Two-Factor Authentication &#8212; www.macobserver.com\/\u2026<\/a><\/li>\n<li>The <em>Missouri Education Watchdog<\/em> warns schools that using Google&#8217;s Apps for schools may result in more data being collected and stored than they realise \u2014 <a href=\"http:\/\/missourieducationwatchdog.com\/whats-stored-in-your-school-google-drive-account-you-might-be-surprised\/\">missourieducationwatchdog.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/23\/babysitting-app-suffers-temporary-data-breach-of-93000-users\/\">Babysitting app suffers \u2018temporary data breach\u2019 of 93,000 users \u2014 nakedsecurity.sophos.com\/\u2026<\/a> (the app in question is Sitter)<\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/facebook-mypersonality-misused-personal-data\/\">Facebook Says myPersonality App Misused 4M Users Personal Data \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/21\/twitch-admits-exposing-user-messages-after-archiving-error\/\">Twitch admits exposing user messages after archiving error \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/24\/t-mobile-suffers-data-breach-affecting-2-2-million-customers\/\">T-Mobile suffers data breach affecting 2.2 million customers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/16\/sacramento-admits-to-tracking-welfare-recipients-license-plates\/\">Sacramento admits to tracking welfare recipients\u2019 license plates \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>&#x1f1fa;&#x1f1f8; At the DefCon security conference, an 11-year-old successfully hacked a duplicate of the real Florida elections website and altered election results \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/14\/11-year-old-hacker-changes-election-results\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; Also at the DefCon security conference, security researchers released details of attacks against a number of body cameras coming into use by US police departments \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/14\/police-body-cameras-open-to-attack\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>At the Black Hat security conference, researchers announced that despite having more than 18 months&#8217; notice, medical device manufacturer Medtronic has yet to fix dangerous security flaws in many of its products, including pacemakers \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/14\/pacemaker-controllers-still-vulnerable-18-months-after-flaws-reported\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/15\/your-smart-air-conditioner-could-contribute-to-mass-power-outages\/\">Your smart air conditioner could contribute to mass power outages \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1e6;&#x1f1fa; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/16\/australians-who-wont-unlock-their-phones-could-face-10-years-in-jail\/\">Australians who won\u2019t unlock their phones could face 10 years in jail \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1e6;&#x1f1fa; <a 
href=\"https:\/\/www.macobserver.com\/columns-opinions\/australian-encryption-spell\/\">Australian Lawmakers Join Forces to Cast Magic Encryption Spell \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/17\/us-rolls-back-cyberwarfare-rules\/\">US rolls back cyberwarfare rules \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/20\/adblocking-and-browser-privacy-can-be-bypassed-researchers-find\/\">Adblocking and browser privacy can be bypassed, researchers find \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/24\/dnc-spearphishing-attack-was-actually-a-test\/\">DNC <em>&#8216;spearphishing attack&#8217;<\/em> was actually a test \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1e8;&#x1f1e6; <a href=\"https:\/\/www.macobserver.com\/link\/canadas-police-chiefs-want-easy-personal-data-access-with-us\/\">Canada\u2019s Police Chiefs Want Easy Personal Data Access with US \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li>&#x2b50;&#xfe0f; A study by researchers at Vanderbilt University has found that Android Apps hoover up about ten times as much personal data as iOS apps \u2014 <a href=\"https:\/\/www.imore.com\/android-sucks-10x-more-data-iphone\">www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propellor Beanie Territory\n<ul>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2018\/08\/experts-urge-rapid-patching-of-struts-bug\/\">Experts Urge Rapid Patching of \u2018Struts\u2019 Bug \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/21\/serious-security-how-to-stop-dodgy-http-headers-clogging-your-website\/\">Serious Security: How to stop dodgy HTTP headers clogging your website \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a 
href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/23\/how-an-uploaded-image-could-take-over-your-website-and-how-to-stop-it\/\">How an uploaded image could take over your website, and how to stop it \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/15\/are-your-android-apps-listening-to-you\/\">Are your Android apps listening to you? \u2014 nakedsecurity.sophos.com\/\u2026<\/a> (a nerdy how-to)<\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/wi-fi-tsa-body-searches\/\">Maybe Wi-Fi Could Replace Invasive TSA Body Searches \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/13\/in-flight-satellite-comms-vulnerable-to-remote-attack-researcher-finds\/\">In-flight satellite comms vulnerable to remote attack, researcher finds \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/miss-windows-95-theres-app\">Miss Windows 95? There&#8217;s an app for that. \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>From David Hay:\n<p><img decoding=\"async\" src=\"https:\/\/imgs.xkcd.com\/comics\/automation.png\" alt=\"Automation\" title=\"https:\/\/xkcd.com\/1319\/\" \/> \u2014 <a href=\"https:\/\/xkcd.com\/1319\/\">xkcd.com\/\u2026<\/a><\/p>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Followups More speculation-based flaws in Intel Chips (Editorial by Bart: as with other recent Spectre\/Meltdown variants, there&#8217;s no need for home users to panic, just keep your OSes patched. It&#8217;s cloud providers that really need to worry about these flaws.) 
L1 Terminal Fault AKA L1TF \u2013 Intel have released mitigations, and they don&#8217;t have significant [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":14958,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[147,214],"tags":[2756,156,1359,170,117,1104,50,569,142,2003,1968],"class_list":["post-16180","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-defcon","tag-facebook","tag-google","tag-hack","tag-hp","tag-macos","tag-security","tag-security-bits","tag-vpn","tag-vulnerabilities","tag-zero-day"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2018\/04\/Security-Bits-Logo_1000px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16180","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=16180"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16180\/revisions"}],"predecessor-version":[{"id":16184,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16180\/revisions\/16184"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/14958"}],"wp:attachment":[
{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=16180"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=16180"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=16180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}