{"id":16571,"date":"2018-10-05T17:59:12","date_gmt":"2018-10-06T00:59:12","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=16571"},"modified":"2018-10-05T18:01:48","modified_gmt":"2018-10-06T01:01:48","slug":"sb-2018-10-05","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2018\/10\/sb-2018-10-05\/","title":{"rendered":"Security Bits &#8211; Facebook Token Hack, Bloomberg Amazon &#038; Apple Servers &#038; China, Facebook Uses 2FA Numbers for Advertising"},"content":{"rendered":"<h1>Security Bits \u2013 5 October 2018<\/h1>\n<h3>Followups<\/h3>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; The California IoT security law (SB-327) discussed previously has been signed into law \u2014 <a href=\"https:\/\/www.theverge.com\/2018\/9\/28\/17874768\/california-iot-smart-device-cybersecurity-bill-sb-327-signed-law\">www.theverge.com\/\u2026<\/a><\/li>\n<li>Google have announced new rules that further limit what Chrome extensions can do, in an attempt to crack down on the explosion in extension-based malware we talked about last time \u2014 <a href=\"https:\/\/arstechnica.com\/?p=1386063\">arstechnica.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/03\/googles-new-rules-for-developers-make-chrome-extensions-safer-for-all\/\">nakedsecurity.sophos.com\/\u2026<\/a><br \/>\n<!--more--><\/li>\n<\/ul>\n<h3>Security Medium 1 \u2014 The Facebook Hack<\/h3>\n<p>Facebook surprised 90 million users by logging them out of Facebook completely as part of their response to a security vulnerability. Facebook didn&#8217;t just log people out of the web, they logged people out of connected devices and apps too. How? By invalidating every active access token for the affected users. Access tokens are the credentials that keep a browser or app logged in without re-entering a password, so revoking them server-side ends every session at once rather than just the one in the browser.<\/p>\n<p>Why did Facebook do this? 
Because they became aware of a vulnerability that would allow an attacker to generate a valid access token for <strong>any Facebook user of their choice<\/strong>, and that the vulnerability had definitely been used against 50 million accounts, and possibly against another 40 million.<\/p>\n<p>It&#8217;s hard to overestimate the seriousness of this vulnerability: it effectively allowed attackers to become any Facebook user they wished. Data leaks only contain important accounts by accident; this vulnerability allowed attackers to pick and choose their victims at will.<\/p>\n<p>Facebook have patched the vulnerability, and have gone back through their logs to find the accounts that were affected, or that may have been affected, and invalidated all tokens for those accounts. The 90 million forced log-outs are the 50 million accounts known to have been attacked plus a further 40 million that may have been.<\/p>\n<p>Because Facebook is an OAuth identity provider (i.e. because the <em>Login with your Facebook Account<\/em> feature exists), a token that lets an attacker act as a user on Facebook could theoretically also be used to log in as that user to third-party apps and sites that trust Facebook Login. Facebook say they have found no evidence of this having happened.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/28\/big-facebook-breach-50-million-accounts-affected\/\">Big Facebook data breach: 50 million accounts affected \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2018\/09\/facebook-security-bug-affects-90m-users\/\">Facebook Security Bug Affects 90M Users \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/04\/facebook-finds-no-evidence-that-attackers-accessed-third-party-apps\/\">Facebook finds \u201cno evidence\u201d attackers accessed third-party apps \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/facebook-hack-single-sign-on\/\">The Facebook Hack Betrays Trust in Single Sign On Services \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Security 
Medium 2 \u2013 Chinese Government Hardware Hack?<\/h3>\n<p>Bloomberg published a story this week that they have been working on for over a year. It describes a disturbing world, one where the Chinese government managed to sneak spying hardware the size of a grain of rice onto the motherboards of servers built by the company Supermicro and sent to foreign customers, including 30 US companies, some of which had US government contracts. The report doesn&#8217;t name most of the companies, but it does refer to <em>&#8220;a major bank&#8221;<\/em>, and it does name Apple and Amazon specifically.<\/p>\n<p>When it comes to Apple, the report cites <em>&#8220;Three senior insiders at Apple&#8221;<\/em> who told Bloomberg that Apple had found spying hardware in servers from Supermicro in 2015. The report further states that Apple ended their relationship with Supermicro a year later, and cites Apple as saying it was for unrelated reasons. Apple has strongly contradicted the report, saying very plainly that it is factually incorrect and that Apple did not find a spying chip on any server in 2015. They did find one issue with an infected driver on a single Supermicro server in one of their labs in 2016, but that was fully investigated and found to be an accident rather than a targeted attack against Apple. Apple assume Bloomberg&#8217;s reporters are conflating that incident with the hardware booby-trapping of servers in their data centres that the report describes, which Apple explicitly and clearly deny ever having discovered.<\/p>\n<p>With regard to Amazon, the story focuses on Amazon&#8217;s purchase of the company <em>Elemental<\/em>. Servers from Elemental were installed into US Government data centres by Amazon. The report claims Amazon discovered the hardware hacks during the security audit that formed part of their due diligence for the acquisition. 
Amazon deny they found any hardware issues during that audit.<\/p>\n<p>When it comes to Amazon&#8217;s AWS data centres, the sourcing is noticeably weaker IMO: <em>&#8220;people inside AWS&#8221;<\/em>. Note the absence of the word <em>senior<\/em> this time. Like Apple, Amazon have strongly and clearly disputed the facts as put forward by the story.<\/p>\n<p>To add to the confusion, Bloomberg also cite <em>&#8220;six current and former senior national security officials&#8221;<\/em> as having described US government investigations into these hacks to them, but there is no official confirmation that these investigations exist, let alone that they found evidence of 30 companies being hacked. It&#8217;s also interesting to note that Bloomberg explicitly say that only four of the six named Apple. Finally, they say they have a total of 17 sources for their story.<\/p>\n<p>Here&#8217;s the core of Amazon&#8217;s rebuttal:<\/p>\n<blockquote><p>\n  It\u2019s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It\u2019s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.<\/p>\n<p>  &#8230;<\/p>\n<p>  The pre-acquisition audit described four issues with a web application (not hardware or chips) that SuperMicro provides for management of their motherboards. All these findings were fully addressed before we acquired Elemental.\n<\/p><\/blockquote>\n<p>Note that the four issues Amazon&#8217;s audit did find were in the web interface Supermicro ships for remotely managing its motherboards, i.e. a software weakness that could be patched, not a hardware implant.<\/p>\n<p>And here&#8217;s the core of Apple&#8217;s rebuttal:<\/p>\n<blockquote><p>\n  Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. 
Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg\u2019s story relating to Apple.<\/p>\n<p>  On this we can be very clear: Apple has never found malicious chips, \u201chardware manipulations\u201d or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.<\/p>\n<p>  &#8230;<\/p>\n<p>  We are deeply disappointed that in their dealings with us, Bloomberg\u2019s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.\n<\/p><\/blockquote>\n<p>The UK&#8217;s GCHQ (roughly the UK equivalent of the NSA), through its National Cyber Security Centre, has cast doubt on the report:<\/p>\n<blockquote><p>\n  We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS (Amazon Web Services) and Apple.\n<\/p><\/blockquote>\n<p>The WSJ is also reporting that their sources within the US intelligence community are casting doubt on the story.<\/p>\n<p>Bloomberg are no fly-by-night operation, so it&#8217;s hard to imagine they do not believe their sources. Similarly, Apple and Amazon are being so clear in their denials, with so little wiggle-room, that they too must surely believe what they are saying. 
It seems to me that either the sources are honestly mistaken, or someone is lying to Bloomberg.<\/p>\n<p>There is just no way for any of us to know what&#8217;s going on here; it just comes down to who we trust. For what it&#8217;s worth, I&#8217;m inclined to believe Apple, but you&#8217;ll have to make up your own minds.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li>The original Bloomberg report \u2014 <a href=\"https:\/\/www.bloomberg.com\/news\/features\/2018-10-04\/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies\">www.bloomberg.com\/\u2026<\/a><\/li>\n<li>A detailed rebuttal published on Apple&#8217;s website \u2014 <a href=\"https:\/\/www.apple.com\/newsroom\/2018\/10\/what-businessweek-got-wrong-about-apple\/\">www.apple.com\/\u2026<\/a><\/li>\n<li>A detailed blog post from Stephen Schmidt, AWS&#8217;s <em>Chief Information Security Officer<\/em>, on the AWS security blog \u2014 <a href=\"https:\/\/aws.amazon.com\/blogs\/security\/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article\/\">aws.amazon.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/18\/10\/05\/uks-gchq-us-officials-cast-doubt-on-icloud-server-spy-chip-report\">UK&#8217;s GCHQ, U.S. officials cast doubt on iCloud server spy chip report \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1388447\">Bloomberg stands by Chinese chip story as Apple, Amazon ratchet up denials \u2014 arstechnica.com<\/a><\/li>\n<li><strong>Opinion:<\/strong> <a href=\"https:\/\/krebsonsecurity.com\/2018\/10\/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it\/\">Supply Chain Security is the Whole Enchilada, But Who\u2019s Willing to Pay for It? 
\u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><strong>Opinion:<\/strong> <a href=\"https:\/\/9to5mac.com\/2018\/10\/05\/chinese-spy-chip\/\">Opinion: The five reasons I believe Apple, not Bloomberg, about the Chinese spy chip claim \u2014 9to5mac.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/03\/update-now-adobe-fixes-85-serious-flaws-in-acrobat-and-reader\/\">Update now: Adobe fixes 85 serious flaws in Acrobat and Reader \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>Facebook admit that they use the cellphone numbers users supply for 2FA to target ads at those users (<strong>Editorial by Bart:<\/strong> given the inherent insecurity of SMS, now seems like a good time to switch your Facebook account from SMS-based 2FA to authenticator-based 2FA) \u2014 <a href=\"https:\/\/gizmodo.com\/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051\">gizmodo.com\/\u2026<\/a><\/li>\n<li>Security researchers find that password managers on Android can be tricked into auto-filling passwords into malicious apps, because the managers infer which website&#8217;s credentials to offer from the app&#8217;s package name, and a malicious app can spoof that (<strong>Editorial by Bart:<\/strong> bottom line, be careful what you download on Android) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/28\/mobile-password-managers-vulnerable-to-phishing-apps\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Apple&#8217;s added security and privacy features show some cracks that are in need of patching. Thankfully, at their worst these problems reduce the new OSes to the level of security that existed in the previous versions:\n<ul>\n<li>Security researcher Patrick Wardle has found a way to bypass the extra privacy protections on macOS Mojave, the ones that require the user&#8217;s consent before an app can read protected data such as contacts. 
Bear in mind that until this bug is patched things are no worse than they were on previous versions of macOS \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/mojave-system-security\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/kids-working-around-ios-12-screen-time\/\">Kids Already Working Around iOS 12 Screen Time Limitations \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>A lock screen bypass has also been discovered for iOS 12, but it&#8217;s a particularly difficult one to pull off, so the real-world threat is low \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/02\/lock-screen-bypass-already-discovered-for-apples-ios-12\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>The next version of WiFi has been announced and devices are expected to start shipping next year. The big changes are more speed and the introduction of a whole new naming scheme: no more hard-to-remember letters, just simple numbers. The next version of WiFi (802.11ax) will be WiFi 6, WiFi AC (802.11ac) has been retroactively named WiFi 5, and WiFi N (802.11n) has been retroactively named WiFi 4 \u2014 <a href=\"https:\/\/www.theverge.com\/2018\/10\/3\/17926212\/wifi-6-version-numbers-announced\">www.theverge.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; News outlets are reporting that the FBI forced a suspect to unlock their phone with FaceID (<strong>Editorial by Bart:<\/strong> other than click-bait, I&#8217;m not sure why this made the news. We&#8217;ve known for years that biometrics are not protected by the 5th Amendment because they are <em>something you are<\/em>, not <em>testimony<\/em>. This was true for TouchID, and has been true for FaceID since day one) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/02\/suspect-forced-to-unlock-iphone-with-his-face\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Legal experts point out that if Apple Watch&#8217;s fall detection feature summons emergency services to you because it detects a fall and you fail to reply to the repeated requests for confirmation that you&#8217;re OK, police can enter your home without a warrant (<strong>Editorial by Bart:<\/strong> some people are trying to spin this as some kind of problem or scandal, but it seems to me this is very much a feature rather than a bug \u2014 the whole point of the feature is to get help!) \u2014 <a href=\"https:\/\/arstechnica.com\/tech-policy\/2018\/09\/how-the-new-apple-watch-will-call-911-after-a-fall-if-you-want-it-to\/\">arstechnica.com\/\u2026<\/a><\/li>\n<li>Facebook has made it just a little harder to close your Facebook account by forcing it to continue to exist for an extra 16 days. 
Facebook has never allowed you to instantly delete your account; they&#8217;ve always made you wait out a 14-day <em>cooling-off<\/em> period, but now they&#8217;ve extended that to 30 days \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/05\/facebook-doubles-cooling-off-period-to-cash-in-on-your-fomo\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>A French police officer has been charged with using police data as the basis for a phone tracking service he sold on the dark web (<strong>Editorial by Bart:<\/strong> just one more piece of evidence proving the point that a backdoor for <em>the good guys<\/em> can never be contained) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/04\/cop-charged-with-selling-phone-tracking-service-on-dark-web\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Mozilla has published a new site to help you leverage the <em>Have I Been Pwned<\/em> database \u2013 <em>Firefox Monitor<\/em> (<a href=\"https:\/\/monitor.firefox.com\/\">monitor.firefox.com\/\u2026<\/a>) lets you check whether an email address appears in a known breach, and register for alerts should the address turn up in a future one \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/27\/firefox-monitor-starts-tracking-breached-email-addresses\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/26\/microsoft-is-killing-passwords-one-announcement-at-a-time\/\">Microsoft is killing passwords one announcement at a time \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/krebsonsecurity.com\/2018\/10\/voice-phishing-scams-are-getting-more-clever\/\">Voice Phishing Scams Are Getting More Clever \u2014 krebsonsecurity.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> &#x1f508;<a href=\"https:\/\/overcast.fm\/+HuIisirmE\">Planet Money Episode 680: 
Anatomy of a Scam \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/01\/how-to-have-that-difficult-stay-safe-online-conversation-with-your-kids\/\">How to have that difficult \u201cstay safe online\u201d conversation with your kids \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/04\/setting-up-a-mac-for-young-children\/\">Setting up a Mac for young children \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/phys.org\/news\/2018-09-fake-apple-products-fooledand-endangeredby.html\">Fake Apple products: Here&#8217;s how to avoid being fooled \u2013 and endangered \u2013 by counterfeits \u2014 phys.org\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/27\/cryptojacking-coming-to-a-server-laptop-phone-near-you-and-how-to-stop-it\/\">Cryptojacking \u2013 coming to a server-laptop-phone near you (and how to stop it) \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/how-add-second-person-face-id\">How to add a second person to Face ID in iOS 12 \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/how-set-1password-default-autofill-provider-ios-12\">How to set 1Password as your default AutoFill provider in iOS 12 \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macworld.com\/article\/3309056\/security\/how-to-use-apple-s-new-re-used-password-warning-to-reduce-your-risk-of-account-hijacking.html\">How to use Apple\u2019s new re-used password warning to reduce your risk of account hijacking \u2014 www.macworld.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/26\/millions-of-twitter-dms-may-have-been-exposed-by-year-long-bug\/\">Millions of Twitter DMs may have been exposed by year-long bug \u2014 
nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1e8;&#x1f1e6; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/24\/bankrupt-ncix-customer-data-resold-on-craigslist\/\">Bankrupt NCIX customer data resold on Craigslist \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/united-nations-data-breach\/\">United Nations Data Breach Leaks Passwords and Other Data \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/25\/adguard-adblocker-resets-passwords-after-credential-stuffing-attack\/\">AdGuard adblocker resets passwords after credential-stuffing attack \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/27\/malware-hits-fashion-giant-shein-6-42-million-online-shoppers-affected\/\">Malware hits fashion giant SHEIN; 6.42 million online shoppers affected \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>&#x2b50;&#xfe0f; Microsoft extends support for Windows 7 for corporate customers prepared to pay for the pleasure \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/11\/microsoft-extends-security-patch-support-for-some-windows-7-users\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; Google caused some controversy when they updated their Chrome browser so that logging into any Google property would also log you in to the browser itself. 
They responded by tweaking the feature a little to make it clearer what is going on, to make clear that just being logged in does not automatically enable their browser sync feature, and to add a setting that turns the automatic sign-in off:\n<ul>\n<li>The original blog post that triggered the community response: <a href=\"https:\/\/blog.cryptographyengineering.com\/2018\/09\/23\/why-im-leaving-chrome\/\">Why I\u2019m done with Chrome \u2013 A Few Thoughts on Cryptographic Engineering \u2014 blog.cryptographyengineering.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/25\/users-fret-over-chrome-auto-login-change\/\">Users fret over Chrome auto-login change \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1383633\">Google backtracks\u2014a bit\u2014on controversial Chrome sign-in feature \u2014 arstechnica.com<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1ea;&#x1f1fa; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/24\/facebook-faces-sanctions-if-it-drags-its-feet-on-data-transparency\/\">Facebook faces sanctions if it drags its feet on data transparency \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/26\/facebook-scolds-police-for-using-fake-accounts-to-snoop-on-citizens\/\">Facebook scolds police for using fake accounts to snoop on citizens \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/28\/robocallers-slapped-with-huge-fines-for-using-spoofed-phone-numbers\/\">Robocallers slapped with huge fines for using spoofed phone numbers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/news\/fbi-face-id-suspect\/\">FBI Uses Face ID to Unlock Suspect\u2019s iPhone in Child Abuse Case \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a 
href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/11\/keybase-browser-extension-weakness-discovered\/\">Keybase browser extension weakness discovered \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/01\/monero-fixes-major-burning-bug-flaw-preventing-mass-devaluation\/\">Monero fixes major \u2018burning bug\u2019 flaw, preventing mass devaluation \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/11\/yikes-1-in-5-employees-share-their-email-passwords-with-coworkers\/\">Yikes: 1 in 5 employees share their email passwords with coworkers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f1fa;&#x1f1f8;  <a href=\"https:\/\/www.theverge.com\/2018\/10\/2\/17927430\/california-net-neutrality-law-preemption-state-lawsuit\">Why feds can\u2019t block California\u2019s net neutrality bill \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/11\/the-rise-of-targeted-ransomware\/\">The rise of targeted ransomware \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/28\/whatsapp-cofounder-i-sold-my-users-privacy\/\">WhatsApp cofounder: \u201cI sold my users\u2019 privacy\u201d \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propellor Beanie Territory\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/cloudflare-private-web-esni\/\">Cloudflare Works to Make the Web More Private With ESNI \u2014 www.macobserver.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/26\/finally-a-fix-for-the-encrypted-webs-achilles-heel\/\">Finally, a fix for the encrypted web\u2019s Achilles\u2019 heel \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a 
href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/05\/googles-intra-app-secures-older-androids-with-encrypted-dns\/\">Google\u2019s Intra app secures older Androids with encrypted DNS \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li><img decoding=\"async\" src=\"https:\/\/imgs.xkcd.com\/comics\/bad_opinions.png\" alt=\"Bad Opinions\" \/> <a href=\"https:\/\/xkcd.com\/2051\/\" title=\"I thought of another bad opinion! I couldn't find anyone who expressed it specifically, but still, the fact that I can so easily imagine it is infuriating! I'm gonna tell everyone about it!\">xkcd.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.forbes.com\/sites\/bernardmarr\/2018\/09\/24\/what-are-artificial-neural-networks-a-simple-explanation-for-absolutely-anyone\/#19e680b71245\">What Are Artificial Neural Networks &#8211; A Simple Explanation For Absolutely Anyone \u2014 www.forbes.com\/\u2026<\/a><\/li>\n<li>Apple&#8217;s new <em>Space Ship HQ<\/em> in Lego \u2014 <a href=\"https:\/\/www.flickr.com\/photos\/51130204@N04\/sets\/72157700052292491\">www.flickr.com\/\u2026<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Security Bits \u2013 5 October 2018 Followups &#x1f1fa;&#x1f1f8; The CA IoT security law discussed previously has been signed into law \u2014 www.theverge.com\/\u2026 Google have announced plans to further limit what browser plugins can do in an attempt to crack down on the explosion in plugin-based malware we talked about last time \u2014 arstechnica.com\/\u2026 &amp; 
nakedsecurity.sophos.com\/\u2026<\/p>\n","protected":false},"author":4,"featured_media":14958,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[568,202,46,2810,156,170,50,567],"class_list":["post-16571","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-2fa","tag-amazon","tag-apple","tag-bloomberg","tag-facebook","tag-hack","tag-security","tag-two-factor-authentication"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2018\/04\/Security-Bits-Logo_1000px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=16571"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16571\/revisions"}],"predecessor-version":[{"id":16574,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16571\/revisions\/16574"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/14958"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=16571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfe
et.com\/blog\/wp-json\/wp\/v2\/categories?post=16571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=16571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}