{"id":16703,"date":"2018-10-20T18:00:39","date_gmt":"2018-10-21T01:00:39","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=16703"},"modified":"2018-10-20T18:09:34","modified_gmt":"2018-10-21T01:09:34","slug":"sb-2018-10-19","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2018\/10\/sb-2018-10-19\/","title":{"rendered":"Security Bits &#8211; Google Plus Data Breach, SSH Vulnerability, WhatsApp and D-Link Vulnerabilities, Apple Privacy Portal"},"content":{"rendered":"<h3>Followup<\/h3>\n<ul>\n<li>The Facebook hack:\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/facebook-october-2018-security-breach-everything-you-need-know\">Facebook October 2018 security breach: Everything you need to know \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/15\/facebook-opens-up-about-data-breach-details\/\">Facebook opens up about data breach details \u2014 nakedsecurity.sophos.com\/\u2026<\/a><br \/>\n<!--more--><\/li>\n<\/ul>\n<\/li>\n<li><em>&#8216;The Big Hack&#8217;<\/em> (Bloomberg&#8217;s big story about hardware implants)\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/arstechnica.com\/?p=1389661\">Apple to Congress: Chinese spy-chip story is \u201csimply wrong\u201d \u2014 arstechnica.com<\/a>\n<ul>\n<li>Apple&#8217;s letter to the US congress in full \u2014 <a href=\"https:\/\/www.documentcloud.org\/documents\/4995748-Letter-20-October-208th-20version.html\">www.documentcloud.org\/\u2026<\/a>(PDF)<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.buzzfeednews.com\/article\/johnpaczkowski\/apple-china-hacking-bloomberg-servers-spies-fbi\">Apple Insiders Say Nobody Internally Knows What\u2019s Going On With Bloomberg\u2019s China Hack Story \u2014 www.buzzfeednews.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/daringfireball.net\/linked\/2018\/10\/19\/cook-calls-for-bloomberg-retraction\">Daring Fireball: Apple CEO Tim Cook Is Calling for Bloomberg to Retract Its Chinese Spy Chip Story 
\u2014 daringfireball.net\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/daringfireball.net\/linked\/2018\/10\/07\/dhs-statement\">Daring Fireball: Statement From DHS Press Secretary on Recent Media Reports of Potential Supply Chain Compromise \u2014 daringfireball.net\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/daringfireball.net\/linked\/2018\/10\/09\/big-hack-doubts\">Daring Fireball: Named Source in \u2018The Big Hack\u2019 Has Doubts About the Story \u2014 daringfireball.net\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/bloomberg-says-more-supermicro-servers-have-china-spy-hacks\/\">Bloomberg Says More Supermicro Servers Have China Spy Hacks \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><strong>Opinion:<\/strong> <a href=\"https:\/\/krebsonsecurity.com\/2018\/10\/supply-chain-security-101-an-experts-view\/\">Supply Chain Security 101: An Expert\u2019s View \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><strong>Hint\/Tip:<\/strong> <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/09\/apple-and-amazon-hacked-by-china-or-perhaps-not\/\">Apple and Amazon hacked by China? Here\u2019s what to do (even if it\u2019s not true) \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Problems with MikroTik routers continue, and one Russian vigilante is breaking the law to &#8216;help&#8217; vulnerable users \u2014 <a href=\"https:\/\/boingboing.net\/2018\/10\/12\/vigilante-server-administrator.html\">boingboing.net\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Security Medium 1 \u2014 Google Plus Data Breach &amp; Death<\/h3>\n<p>The Wall St. Journal reported that back in March of this year, Google became aware of a bug in the Google Plus APIs that exposed user data that should not have been exposed, patched it, and then proactively chose not to disclose the breach. 
Here are the key passages from the report:<\/p>\n<blockquote><p>\n  A software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue, according to the documents and people briefed on the incident<\/p>\n<p>  Chief Executive Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, the people said.\n<\/p><\/blockquote>\n<p>Google&#8217;s logic for not disclosing is simple \u2014 they only keep logs for a short amount of time, this bug was there for ages, so they could never know who had and had not been compromised, and Facebook were getting all the bad press at the time, so best to say nothing and not draw attention to Google and away from Facebook.<\/p>\n<p>The problem was with Google&#8217;s <em>People API<\/em> and it meant that apps could use the API to read profile data of the current user&#8217;s friends that they had marked as private (or rather, not marked as public). The information available included things like name, email, occupation, gender and age, but not post contents or passwords or anything like that. This is nowhere near as catastrophic as it could have been, but it is still very useful information for cyber criminals looking to target users with phishing attacks, and to companies trying to build profiles for sale to advertisers and political campaigns (think Cambridge Analytica).<\/p>\n<p>Note that this breach was discovered before the GDPR went into effect. Had this been discovered in a post-GDPR world then Google could have been in deep trouble. One of the clever aspects of GDPR is the broad definition of a data breach. One option would have been to only consider something a breach if you know it has been exploited by a third party, but that would not work at all well when you think about it. 
It would set up a perverse incentive for companies to lessen what they know about the systems they&#8217;re responsible for, and it would mean spending pointless time debating whether or not a given vulnerability or other exposure really is a data breach. GDPR went another way: if the information is exposed to potential inappropriate access, then it&#8217;s a data breach. In this case, the API allowed access to data that should have been kept private, so regardless of what Google&#8217;s logs do or do not show, the mere exposure of the private data is enough for the vulnerability to count as a data breach.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/columns-opinions\/editorial\/google-shuttering-google-plus-consumers\/\">Google Shuttering Google+ to Consumers, Reportedly Didn\u2019t Disclose Data Breach for Fear of Regulation \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.engadget.com\/2018\/10\/08\/google-shutting-down-google-plus\/\">Google is shutting down Google+ following massive data exposure \u2014 www.engadget.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Security Medium 2 \u2014 SSH Vulnerability<\/h3>\n<p>This is a great example of the kind of security news that initially sounds horrifically scary and serious, but thankfully proves a lot less catastrophic on closer inspection.<\/p>\n<p>It is true that an authentication bypass has been found in an open source SSH library, <code>libssh<\/code> to be precise. This vulnerability really does allow an attacker to log in to an affected SSH server without knowing the user&#8217;s password!<\/p>\n<p><code>libssh<\/code> sounds like the canonical SSH library that you would expect to find in just about every Linux\/Unix OS, but thankfully that&#8217;s not the case. The most popular SSH server is <code>openssh<\/code>. When it comes to SSH libraries another very popular one is <code>libssh2<\/code>. 
Despite its name, it has nothing to do with <code>libssh<\/code>, and is not vulnerable. There&#8217;s also a leaner SSH library named <em>Dropbear<\/em> that&#8217;s becoming popular on low-powered devices like home routers, and that too is not affected.<\/p>\n<p>Thankfully, most (probably nearly all) Linux &amp; BSD distributions, and macOS, are using <code>openssh<\/code> and\/or <code>libssh2<\/code>, and so are not vulnerable to this very nasty bug. Windows doesn&#8217;t have SSH by default, and the most popular SSH implementation for Windows, PuTTY, is not affected, so most Windows computers should be safe too. And most home routers use Dropbear, so they&#8217;re not affected either.<\/p>\n<p>If in doubt, update your computers\/VMs, routers, and SSH apps, but don&#8217;t be surprised to find no updates waiting for you.<\/p>\n<p>The biggest danger from this bug is IoT devices. It&#8217;s very hard to test what version of SSH may or may not be on any such device, so the best thing you can do is make sure the IoT devices you&#8217;re concerned about are not directly accessible from the internet. It might be worth using a tool like <a href=\"https:\/\/www.grc.com\/x\/ne.dll?bh0bkyd2\">Shields Up to scan your public IP<\/a> and make sure nothing you don&#8217;t need is directly accessible from the internet. 
For most home users that means there should be nothing listening for connections from the public internet on your home router&#8217;s public IP.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li>A great explainer from Naked Security \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/17\/serious-ssh-bug-lets-crooks-log-in-just-by-asking-nicely\/\">Serious SSH bug lets crooks log in just by asking nicely\u2026 \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f39e; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/18\/the-libssh-login-with-no-password-bug-what-you-need-to-know-video\/\">The libssh \u201clogin with no password\u201d bug \u2013 what you need to know \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li>This month&#8217;s Patch Tuesday saw 49 patches from Microsoft, including 12 critical ones in Windows \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/10\/patch-tuesday-october-2018-edition\/\">krebsonsecurity.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/11\/update-now-microsoft-fixes-49-bugs-12-are-critical\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Microsoft pulled their Autumn 2018 feature update for Windows 10 after it was found to delete user data in some rare circumstances. 
A fix is already in testing through Microsoft&#8217;s <em>Insiders<\/em> program, but a patched version of the update hasn&#8217;t been generally released yet \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/09\/microsoft-hits-the-brakes-on-latest-windows-10-update-what-to-do\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Microsoft released an out-of-band patch for the Yammer desktop app \u2014 <a href=\"https:\/\/www.us-cert.gov\/ncas\/current-activity\/2018\/10\/19\/Microsoft-Releases-Security-Update-Yammer\">www.us-cert.gov\/\u2026<\/a><\/li>\n<li>Apple have published a number of security updates:\n<ul>\n<li>iCloud 7.7 for Windows \u2014 <a href=\"https:\/\/support.apple.com\/en-us\/HT209141\">support.apple.com\/\u2026<\/a><\/li>\n<li>iOS 12.0.1, watchOS 5.0.1 &amp; tvOS 12.0.1 \u2014 <a href=\"https:\/\/tidbits.com\/2018\/10\/08\/apple-fixes-bugs-with-ios-12-0-1-watchos-5-0-1-and-tvos-12-0-1\/\">tidbits.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.macobserver.com\/link\/ios-12-protects-you-against-fake-keyboards\/\">iOS 12 Protects You Against Fake Keyboards \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>WhatsApp&#8217;s Android and iOS apps have been patched to fix a critical security vulnerability \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/whatsapp-security-flaw-iphone\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>Continuing poor security practices at Chinese OEM manufacturer Xiongmai leaves millions of IoT webcams vulnerable to takeover and recruitment into another Mirai-style botnet. The original Mirai botnet&#8217;s growth was powered by previous problems with Xiongmai IoT devices. 
Since Xiongmai are an OEM manufacturer, the actual branding on affected devices is very broad \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/11\/millions-at-risk-from-default-webcam-passwords\/\">nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li>Detailed report from security firm SEC Consult, including instructions for figuring out whether or not your camera is affected \u2014 <a href=\"https:\/\/sec-consult.com\/en\/blog\/2018\/10\/millions-of-xiongmai-video-surveillance-devices-can-be-hacked-via-cloud-feature-xmeye-p2p-cloud\/\">sec-consult.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Security researchers have detailed an attack against WhatsApp users who leave their voicemail passwords at the default. TL;DR, WhatsApp will fall back to a voice call to deliver your 2FA code, which will go to voicemail if you don&#8217;t answer, so attackers wait till the middle of the night in your timezone, rely on you not noticing the SMS and not answering the phone, and then use your default voicemail password to get the 2FA token. Bottom line \u2013 make sure you set a custom password\/pin on your voicemail! \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/08\/attackers-use-voicemail-hack-to-steal-whatsapp-accounts\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>A Polish security researcher has published details of critical vulnerabilities in eight D-Link router models. D-Link have said six of the eight models are EOL, with the clear implication being that they will not be patching them. It also doesn&#8217;t appear that the other two models have been patched either. The eight affected models are the DWR-116, DWR-140L, DWR-512, DWR-640L, DWR-712, DWR-912, DWR-921, &amp; DWR-111. 
(<strong>Editorial by Bart:<\/strong> I think the only thing owners of these routers can do is upgrade to a newer model, it&#8217;s not safe to run an unpatchable router IMO) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/19\/serious-d-link-router-security-flaws-may-never-be-patched\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/www.macobserver.com\/news\/facebook-political-ad-shake-up-uk\/\">Facebook Brings Political Ad Shake-up to UK \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>Apple privacy updates\n<ul>\n<li>&#x1f1fa;&#x1f1f8; Apple extends its data privacy portal to US users: <a href=\"https:\/\/www.imore.com\/how-use-apples-new-data-and-privacy-portal\">How to use Apple&#8217;s data and privacy portal \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/cool-stuff-found\/apple-privacy-website-updates\/\">Apple Updates Privacy Website with macOS Mojave and iOS 12 Details \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Google&#8217;s GSuite now warns users of government attacks by default (it was previously an opt-in feature) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/09\/google-ramps-up-g-suite-protections-against-government-backed-attacks\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Google have announced that Android Pie will support a new feature that increases the security of Android backups and makes it impossible for Google to decrypt them by using the lock screen password on the phone to secure the encryption key \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/16\/google-using-lock-screen-passwords-to-encrypt-android-cloud-backups\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/16\/how-to-buy-and-set-up-a-safe-and-secure-baby-monitor\/\">How 
to buy (and set up) a safe and secure baby monitor \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/15\/beware-sextortionists-spoofing-your-own-email-address\/\">Beware sextortionists spoofing your own email address \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/blog.elcomsoft.com\/2018\/10\/everything-you-wanted-to-know-about-activation-lock-and-icloud-lock\/\">Everything You Wanted to Know about Activation Lock and iCloud Lock \u2014 blog.elcomsoft.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/techcrunch.com\/2018\/10\/15\/sneaky-subscriptions-are-plaguing-the-app-store\/\">Sneaky subscriptions are plaguing the App Store \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/how-to-spot-fake-product-reviews\/\">How to Spot Fake Product Reviews \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/do-not-track-privacy-setting\/\">Privacy Setting Do Not Track Doesn\u2019t Do Anything \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; If you run an HTTPS website be sure you are not using a Symantec TLS\/SSL cert, because from next month on neither Firefox nor Chrome will consider such certs valid (fallout from a serious security incident at the CA last year) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/16\/how-chrome-and-firefox-could-ruin-your-online-business-this-month\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/12\/experian-credit-freeze-pins-could-be-revealed-by-a-simple-trick\/\">Experian credit-freeze PINs could be revealed by a simple trick \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f1fa;&#x1f1f8; <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/17\/35-million-us-voter-records-up-for-sale-on-the-dark-web\/\">35 million US voter records up for sale on the dark web \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/17\/donald-daters-app-for-pro-trump-singles-exposes-users-data-at-launch\/\">Donald Daters app for pro-Trump singles exposes users\u2019 data at launch \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.macobserver.com\/link\/duckduckgo-hits-30m\/\">Privacy Search Engine DuckDuckGo Hits 30M Daily Searches \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.recode.net\/2018\/10\/16\/17966102\/facebook-portal-ad-targeting-data-collection\">It turns out that Facebook could in fact use data collected from its Portal in-home video device to target you with ads \u2014 www.recode.net\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; Another iOS 12 lock screen bypass found, though this one only exposes your photos \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/17\/new-iphone-lock-screen-bypass-exposes-your-photos\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1393567\">Apple to Australia: \u201cThis is no time to weaken encryption\u201d \u2014 arstechnica.com<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/08\/seven-russian-cyberspies-indicted-for-hacking-wire-fraud-id-theft\/\">Seven Russian cyberspies indicted for hacking, wire fraud, ID theft \u2014 nakedsecurity.sophos.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.wired.com\/story\/russian-spies-indictment-hotel-wi-fi-hacking\/\">How Russian Spies Infiltrated Hotel Wi-Fi to Hack Their Victims Up Close \u2014 www.wired.com\/\u2026<\/a><\/li>\n<li><a 
href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/18\/twitter-publishes-data-on-iranian-and-russian-troll-farms\/\">Twitter publishes data on Iranian and Russian troll farms \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/08\/fitbit-data-leads-to-arrest-of-90-year-old-in-stepdaughters-murder\/\">Fitbit data leads to arrest of 90-year-old in stepdaughter\u2019s murder \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/11\/instagram-tests-sharing-your-location-history-with-facebook\/\">Instagram tests sharing your location history with Facebook \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/12\/35-state-attorney-generals-tell-fcc-to-pull-the-plug-on-robocalls\/\">35 state attorneys general tell FCC to pull the plug on robocalls \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/1password-auto-fill-disabled\/\">1Password Auto Fill Disabled on macOS Mojave \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/cops-face-id-lock-out\/\">Cops Taught How to Avoid Face ID Lock Out \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/apples-updated-privacy-site-and-why-it-matters\">Apple&#8217;s updated privacy site and why it matters \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/18\/you-dont-have-to-sequence-your-dna-to-be-identifiable-by-your-dna\/\">You don\u2019t have to sequence your DNA to be identifiable by your DNA \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/17\/is-this-the-simple-solution-to-password-re-use\/\">Is this the simple solution to password re-use? 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/tidbits.com\/2018\/10\/04\/sms-text-message-login-codes-autofill-in-ios-12-and-mojave-but-remain-insecure\/\">SMS Text Message Login Codes Autofill in iOS 12 and Mojave, but Remain Insecure \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1394641\">Already facing an uphill misinformation fight, Facebook loses to scammers, too \u2014 arstechnica.com<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/18\/is-googles-android-app-unbundling-good-for-security\/\">Is Google\u2019s Android app unbundling good for security? \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propellor Beanie Territory\n<ul>\n<li>The major browser vendors have reached an agreement to end support for TLS 1.0 and 1.1 in early 2020 \u2014 <a href=\"https:\/\/arstechnica.com\/?p=1395081\">arstechnica.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/quantum-verification-problem\/\">Graduate Student Solves Quantum Verification Problem \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/cool-stuff-found\/install-macos-mojave-unsupported-macs\/\">This Tool Lets You Install macOS Mojave on Unsupported Macs \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.atlasobscura.com\/places\/encryption-lava-lamps\">Encryption Lava Lamps \u2013 San Francisco, California &#8211; Atlas Obscura \u2014 www.atlasobscura.com\/\u2026<\/a> (via listener Lynda)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Followup The Facebook hack: Facebook October 2018 security breach: Everything you need to know \u2014 www.imore.com\/\u2026 Facebook opens up about data breach details \u2014 
nakedsecurity.sophos.com\/\u2026<\/p>\n","protected":false},"author":4,"featured_media":14958,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[2810,2822,156,260,170,50,569,2823],"class_list":["post-16703","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-bloomberg","tag-data-breach","tag-facebook","tag-google-plus","tag-hack","tag-security","tag-security-bits","tag-ssh-vulnerability"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2018\/04\/Security-Bits-Logo_1000px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16703","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=16703"}],"version-history":[{"count":1,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16703\/revisions"}],"predecessor-version":[{"id":16704,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16703\/revisions\/16704"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/14958"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=16703"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"htt
ps:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=16703"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=16703"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}