{"id":16780,"date":"2018-11-03T06:45:50","date_gmt":"2018-11-03T13:45:50","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=16780"},"modified":"2018-11-03T06:45:50","modified_gmt":"2018-11-03T13:45:50","slug":"sb-2018-11-02","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2018\/11\/sb-2018-11-02\/","title":{"rendered":"Security Bits \u2013 02 November 2018"},"content":{"rendered":"<h3>Followups<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.buzzfeednews.com\/article\/johnpaczkowski\/apple-tim-cook-bloomberg-retraction\">Apple CEO Tim Cook Is Calling For Bloomberg To Retract Its Chinese Spy Chip Story \u2014 www.buzzfeednews.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/26\/facebook-fined-500k-for-cambridge-analytica-saga\/\">Facebook fined \u00a3500K for Cambridge Analytica saga \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2018\/10\/mirai-co-author-gets-6-months-confinement-8-6m-in-fines-for-rutgers-attacks\/\">Mirai Co-Author Gets 6 Months Confinement, $8.6M in Fines for Rutgers Attacks \u2014 krebsonsecurity.com\/\u2026<\/a><br \/>\n<!--more--><\/li>\n<\/ul>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li>Apple released security updates for just about all their products \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/11\/01\/update-now-apple-releases-security-fixes-for-ios-macos-safari-others\/\">nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li>There are media reports of the Apple Watch update being pulled by Apple after it bricked some devices (e.g. 
<a href=\"https:\/\/www.theverge.com\/circuitbreaker\/2018\/10\/30\/18045762\/apple-watchos-5-1-update-brick-pulled\">Apple pulls watchOS 5.1 update after reports of bricked devices \u2014 www.theverge.com\/\u2026<\/a>), however, the update remains listed on Apple&#8217;s site with no mention of it being withdrawn or of there being any problems (<a href=\"https:\/\/support.apple.com\/en-ie\/HT209195\">support.apple.com\/\u2026<\/a>).<\/li>\n<\/ul>\n<\/li>\n<li>Mozilla have updated Firefox to version 63, including security patches and improvements to their anti-tracking protections \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/25\/firefox-63-gets-tough-with-trackers\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Drupal have released critical security updates to address critical arbitrary code execution vulnerabilities \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/23\/patch-now-multiple-serious-flaws-found-in-drupal\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>A study by scientists from the University of Michigan and the University of Michigan C. S. Mott Children\u2019s Hospital has found that the vast majority of the most popular free and paid games in the Google Play store aimed at young kids contain age-inappropriate ads, either because they are designed to confuse kids into clicking on things, or because they are for age-inappropriate things (<strong>Editorial by Bart:<\/strong> the study focused on the Play Store, and in general Apple&#8217;s pro-active vetting tends to reduce the amount of badness in the iOS store, but I still think parents would be wise to test-play all games for their young kids from any app store) \u2014 <a href=\"https:\/\/www.reuters.com\/article\/us-health-kids-apps-ads\/kids-apps-may-have-a-lot-more-ads-than-you-think-idUSKCN1N42BZ\">www.reuters.com\/\u2026<\/a><\/li>\n<li>Another lock screen bypass has been found in the latest version of iOS. 
This one allows access to contacts (<strong>Editorial by Bart:<\/strong> like with other recent lock screen bypasses, this one is not catastrophic because it only allows inappropriate access to contacts, not to the entire device, but it&#8217;s yet another reason to make a pro-active informed decision about what you allow on your lock screen. Please check the toggles under the <em>Allow Access When Locked<\/em> section in <em>Settings<\/em> \u2192 <em>Face ID\/ Touch ID &amp; Passcode<\/em>) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/11\/02\/another-day-another-update-another-iphone-lockscreen-bypass\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Security researchers have found a new way to embed malware in Microsoft Word documents. The technique allows attackers to inject code that will get executed when the document is opened in Word, and will not trigger any security warnings before execution. The technique exploits Word&#8217;s support for embedding web videos into <code>.docx<\/code> documents. Microsoft&#8217;s response implies that they are not planning a fix any time soon (<strong>Editorial by Bart:<\/strong> yet another reason never to open an Office document received unexpectedly) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/29\/researchers-exploit-microsoft-word-through-embedded-video\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Bloomberg has highlighted a new trend in the mobile ad space \u2013 <em>uninstall trackers<\/em>. By using some clever tricks, app analytics platforms can figure out which users uninstalled which apps, and allow advertisers to <em>&#8216;remarket&#8217;<\/em> to those users. 
This is likely to turn into the next privacy cat-and-mouse game \u2014 <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2018-10-22\/now-apps-can-track-you-even-after-you-uninstall-them\">www.bloomberg.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/24\/are-your-jilted-apps-stalking-you\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Apple have removed the list of all in-app purchases from both of their app stores \u2014 <a href=\"https:\/\/www.tekrevue.com\/ios-app-store-no-in-app-purchases\/\">www.tekrevue.com\/\u2026<\/a><\/li>\n<li>Google have improved both their pro-active account protections and their account recovery process. The only small downside is that in order to make these improvements possible, Google now require JavaScript be enabled to log in to any Google service in a browser \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/11\/02\/googles-stealthy-sign-in-sentry-can-pick-up-pilfered-passwords\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; The latest update to the DMCA rules makes it legal to circumvent DRM in order to repair a device \u2014 <a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/xw9bwd\/1201-exemptions-right-to-repair\">motherboard.vice.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.forbes.com\/sites\/thomasbrewster\/2018\/10\/24\/apple-just-killed-the-graykey-iphone-passcode-hack\/#78ee67753184\">Apple Just Killed The &#8216;GrayKey&#8217; iPhone Passcode Hack \u2014 www.forbes.com\/\u2026<\/a><\/li>\n<li>Apple&#8217;s updated documentation reveals that as well as protecting encryption keys and facilitating secure boot, the T2 security chip also physically disconnects the microphone when a laptop&#8217;s lid is closed, making it impossible for any software, even if it gains full system-level privileges, to engage the microphone while the lid is closed \u2014 <a 
href=\"https:\/\/techcrunch.com\/2018\/10\/30\/apple-t2-security-chip-microphone-eavesdropping\/\">techcrunch.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/quick-tip\/manage-keychain-passwords-iphone-ipad\/\">How to See and Manage Keychain Passwords on Your iPhone or iPad \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/tidbits.com\/2018\/10\/24\/inside-ios-12-use-third-party-password-managers-to-simplify-logins\/\">Inside iOS 12: Use Third-Party Password Managers to Simplify Logins \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/tips\/quick-tip\/congressman-support-net-neutrality\/\">How to Tell if Your Congressman Supports Net Neutrality \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/81000-facebook-accounts-hacked\/\">Private Messages from 81,000 Hacked Facebook Accounts for Sale \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/11\/01\/passcodes-are-protected-by-fifth-amendment-says-court\/\">Passcodes are protected by Fifth Amendment, says court \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; &#x1f1e8;&#x1f1f3; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/11\/01\/us-indicts-alleged-chinese-spies-for-hacking-aerospace-companies\/\">US indicts alleged Chinese spies for hacking aerospace companies \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/tidbits.com\/2018\/10\/25\/tim-cook-calls-for-gdpr-like-laws-around-the-world\/\">Tim Cook Calls for GDPR-Like Laws around the World \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a 
href=\"https:\/\/www.nytimes.com\/2018\/10\/24\/us\/politics\/trump-phone-security.html\">When Trump Phones Friends, the Chinese and the Russians Listen and Learn \u2014 www.nytimes.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/26\/facebooks-stopped-8-7m-nude-images-of-children-in-3-months\/\">Facebook stopped 8.7m nude images of children in 3 months \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/facebook-hires-former-uk-politician-to-head-global-affairs\/\">Facebook Hires Former UK Politician to Head Global Affairs \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/11\/01\/facebook-is-still-approving-fake-political-ads\/\">Facebook is still approving fake political ads \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/25\/google-and-facebook-accused-of-secretly-tracking-users-locations\/\">Google and Facebook accused of secretly tracking users\u2019 locations \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li>&#x2b50;&#xfe0f; An interesting analysis of the problems facing the WordPress security team as it becomes ever harder to keep back-porting security fixes to ever older versions that are still in use \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/24\/wordpress-takes-aim-at-ancient-versions-of-its-software\/\">nakedsecurity.sophos.com\/\u2026<\/a> <\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.fastcompany.com\/90255355\/the-surveillance-state-is-outsourced-to-silicon-valley-says-report\">Big Brother is being increasingly outsourced to Silicon Valley, says report \u2014 www.fastcompany.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1396633\">How to make elections secure in the age of digital operatives \u2014 
arstechnica.com<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propellor Beanie Territory\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/25\/could-tls-session-resumption-be-another-super-cookie\/\">Could TLS session resumption be another \u2018super cookie\u2019? \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/11\/02\/popular-browsers-made-to-cough-up-browsing-history\/\">Popular browsers made to cough up browsing history \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.buzzfeednews.com\/article\/craigsilverman\/how-a-massive-ad-fraud-scheme-exploited-android-phones-to\">Apps Installed On Millions Of Android Phones Tracked User Behavior To Execute A Multimillion-Dollar Ad Fraud Scheme \u2014 www.buzzfeednews.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/24\/poorly-secured-ssh-servers-targeted-by-chalubo-botnet\/\">Poorly secured SSH servers targeted by Chalubo botnet \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1e8;&#x1f1f3; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/10\/30\/china-hijacking-internet-traffic-using-bgp-claim-researchers\/\">China hijacking internet traffic using BGP, claim researchers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/99percentinvisible.org\/article\/colorful-language-decoding-utility-markings-spray-painted-on-city-streets\/\">Colorful Language: Decoding Utility Markings Spray-Painted on City Streets \u2014 99percentinvisible.org\/\u2026<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Followups Apple CEO Tim Cook Is Calling For Bloomberg To Retract Its Chinese Spy Chip Story \u2014 www.buzzfeednews.com\/\u2026 &#x1f1ec;&#x1f1e7; Facebook fined \u00a3500K for Cambridge Analytica saga \u2014 nakedsecurity.sophos.com\/\u2026 Mirai Co-Author Gets 
6 Months Confinement, $8.6M in Fines for Rutgers Attacks \u2014 krebsonsecurity.com\/\u2026<\/p>\n","protected":false},"author":4,"featured_media":14958,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[46,2810,156,170,50,2003],"class_list":["post-16780","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-apple","tag-bloomberg","tag-facebook","tag-hack","tag-security","tag-vulnerabilities"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2018\/04\/Security-Bits-Logo_1000px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=16780"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16780\/revisions"}],"predecessor-version":[{"id":16783,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16780\/revisions\/16783"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/14958"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=16780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"
https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=16780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=16780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}