{"id":17045,"date":"2018-12-15T11:18:29","date_gmt":"2018-12-15T19:18:29","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=17045"},"modified":"2018-12-19T07:01:47","modified_gmt":"2018-12-19T15:01:47","slug":"sb-2018-12-14","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2018\/12\/sb-2018-12-14\/","title":{"rendered":"Security Bits \u2013 14 December 2018"},"content":{"rendered":"<h3>Followup<\/h3>\n<ul>\n<li>Bloomberg&#8217;s controversial <em>The Big Hack<\/em> story\n<ul>\n<li>SuperMicro released the results of an independent audit which found no evidence of hardware or software tampering on its motherboards \u2014 <a href=\"https:\/\/www.reuters.com\/article\/us-supermicro-chips\/super-micro-says-review-found-no-malicious-chips-in-motherboards-idUSKBN1OA12R\">www.reuters.com\/\u2026<\/a> &amp; <a href=\"https:\/\/arstechnica.com\/?p=1426551\">arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>The Marriott Breach\n<ul>\n<li><a href=\"https:\/\/www.nytimes.com\/2018\/12\/11\/us\/politics\/trump-china-trade.html\">Marriott Data Breach Is Traced to Chinese Hackers as U.S. 
Readies Crackdown on Beijing \u2014 www.nytimes.com\/\u2026<\/a><\/li>\n<li>An interesting related opinion piece by Brian Krebs \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/12\/what-the-marriott-breach-says-about-security\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>&#x1f1e6;&#x1f1fa; Security Medium 1 \u2014 Australia&#8217;s <em>Assistance and Access Act<\/em><\/h3>\n<p>The Australian parliament has just passed an extremely controversial and heavily criticised anti-encryption bill.<\/p>\n<p>The bill provides the government with three critical tools (from TMO&#8217;s great summary article on the law):<\/p>\n<blockquote><p>\n  Under the law, Australian law enforcement and government agencies can compel tech companies to give three different levels of forced assistance:<\/p>\n<p>  <strong>Technical assistance request:<\/strong> A notice to provide \u201cvoluntary assistance\u201d to law enforcement for \u201csafeguarding of national security and the enforcement of the law.\u201d<\/p>\n<p>  <strong>Technical assistance notice:<\/strong> A notice requiring tech companies to offer decryption \u201cthey are already capable of providing that is reasonable, proportionate, practicable and technically feasible\u201d where the company already has the \u201cexisting means\u201d to decrypt communications (e.g. where messages aren\u2019t end-to-end encrypted).<\/p>\n<p>  <strong>Technical capability notice:<\/strong> A notice issued by the attorney general, requiring tech companies to \u201cbuild a new capability\u201d to decrypt communications for law enforcement. The bill stipulates this can\u2019t include capabilities that \u201cremove electronic protection, such as encryption.\u201d\n<\/p><\/blockquote>\n<p>One of the biggest sources of criticism is the fact that the law seems to contradict itself. 
It can force companies to create new methods for collecting and decrypting data, yet at the same time it says that companies can&#8217;t be forced to add a <em>&#8216;systemic weakness&#8217;<\/em> or <em>&#8216;systemic vulnerability&#8217;<\/em> to their software or hardware. (<strong>Editorial by Bart:<\/strong> this sounds to me like they tried to legislate a unicorn into existence!)<\/p>\n<p>Apple&#8217;s response to the law is a good example of this criticism:<\/p>\n<blockquote><p>\n  &#8220;Some suggest that exceptions can be made, and access to encrypted data could be created just for only those sworn to uphold the public good [&#8230;] That is a false premise. Encryption is simply math. Any process that weakens the mathematical models that protect user data for anyone will, by extension, weaken the protections for everyone. It would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat.&#8221;\n<\/p><\/blockquote>\n<p>The law was also rushed, and is arguably incomplete. Not only were many changes and improvements proposed by expert and industry groups never taken up in parliament, but the law doesn&#8217;t even define important concepts like what it means not to introduce systemic weaknesses or vulnerabilities. That detail is due to be added later through amendments!<\/p>\n<p>With all this uncertainty and vagueness, a lot will depend on how the courts choose to interpret this law. 
If the ban on systemic weaknesses is taken seriously then the damage to security could be minimal, but if a very weak interpretation is used then this could be a really big deal indeed.<\/p>\n<p>Finally, Australia is a member of the so-called <em>Five Eyes<\/em> group of nations who all share intelligence data with each other (Australia, Canada, New Zealand, UK &amp; USA, more details at <a href=\"https:\/\/en.wikipedia.org\/wiki\/Five_Eyes\">en.wikipedia.org\/\u2026<\/a>), so this law will affect much of the English-speaking world.<\/p>\n<h4>Further Reading\/Listening<\/h4>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/australia-encryption-law-passed\/\">Dangerous Australia Encryption Law Passed \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/tech-policy\/2018\/12\/australia-passes-new-law-to-thwart-strong-encryption\/\">Australia passes new law to thwart strong encryption \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<li>Security Now Episode 693 goes into the Australian law in great detail \u2014 <a href=\"https:\/\/twit.tv\/shows\/security-now\/episodes\/693\">twit.tv\/\u2026<\/a> &amp; <a href=\"https:\/\/overcast.fm\/+B3JVl_guw\">overcast.fm\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/blog.1password.com\/does-australias-access-and-assistance-law-impact-1password\/\">Does Australia&#8217;s access and assistance law impact 1Password? \u2014 blog.1password.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Security Medium 2 \u2014 A Clever New Approach to Spear Phishing<\/h3>\n<p>There is a lot of media attention around a report released by security researchers describing a clever spear-phishing campaign perpetrated by Iran against US government officials.<\/p>\n<p>The bottom line is that there is no need to panic, this is very easy to defend against, never click on links in emails!<\/p>\n<p>With that out of the way, what did the attackers do? 
They combined two old techniques in an interesting new way.<\/p>\n<p>Firstly, the use of hidden images with unique URLs in emails to track when the email is viewed is absolutely not new or novel. That&#8217;s how survey tools like Survey Monkey capture their analytics data, and how spammers learn which addresses are real, and which are not.<\/p>\n<p>Secondly, if you can trick a person into going to a fake page of your making, you can forward to them any authentication questions the real site asks, turning your fake site into a kind of proxy server that will give the attackers access to the victim&#8217;s account. This technique has been around for decades. It&#8217;s a great way to bypass CAPTCHAs!<\/p>\n<p>So, what did these attackers do? Firstly, they did lots of homework so they could craft very convincing spear phishing emails. They then embedded tracking images into those emails so they knew when an email was viewed, and they added a phishing URL into the email that would present the victim with a faked login page. When the victim submitted their details the attackers would submit those same details to the real service being impersonated, and reply with a page presenting whatever 2FA challenge the real page presented them. The victim would dutifully enter that into the fake page, and the attackers would copy it into the real page.<\/p>\n<p>Clever, sure, but not a technological hack!<\/p>\n<p>This only works if you can get the victim to click on a link in an email, <strong>and<\/strong> not to notice that they are not where they think they are, i.e. 
you need to count on the victim not looking at their browser&#8217;s address bar.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/arstechnica.com\/information-technology\/2018\/12\/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail\/\">Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li>Adobe released an out-of-band emergency update for Flash to address a zero-day bug that is being actively exploited \u2014 <a href=\"https:\/\/www.us-cert.gov\/ncas\/current-activity\/2018\/12\/06\/Adobe-Releases-Security-Updates\">www.us-cert.gov\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/07\/flash-zero-day-exploit-spotted-patch-now\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>On Patch Tuesday both Microsoft &amp; Adobe released patches, including fixes for Windows, Office, Acrobat, and Flash \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/12\/patch-tuesday-december-2018-edition\/\">krebsonsecurity.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/13\/update-now-microsoft-and-adobes-december-2018-patch-tuesday-is-here\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Apple patched just about everything \u2014 <a href=\"https:\/\/www.us-cert.gov\/ncas\/current-activity\/2018\/12\/05\/Apple-Releases-Multiple-Security-Updates\">www.us-cert.gov\/\u2026<\/a> &amp; <a href=\"https:\/\/arstechnica.com\/?p=1423471\">arstechnica.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/06\/patch-now-if-you-can-latest-android-update-fixes-clutch-of-rce-flaws\/\">Patch now (if you can!): Latest Android update fixes clutch of RCE flaws \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/04\/zoom-patches-serious-video-conferencing-bug\/\">Zoom patches serious video conferencing bug \u2014 
nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>The latest version of Chrome (71) expands the browser&#8217;s blocking of misleading ads (as well as fixing 43 security vulnerabilities) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/06\/chrome-71-stomps-on-abusive-advertising\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Security researchers have revealed details of a bug in older versions of the firmware for VTech&#8217;s <em>Storio Max<\/em> AKA <em>InnoTab Max<\/em> tablet computers for kids. The bug was responsibly disclosed to VTech earlier this year, and a patch was published at the end of May. Anyone with one of these tablets should make sure they have the latest firmware installed now that the details of the vulnerability have been revealed \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/07\/kids-vtech-tablets-vulnerable-to-eavesdropping-hackers\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/14\/update-now-wordpress-5-0-1-release-fixes-seven-flaws\/\">Update now! WordPress 5.0.1 release fixes seven flaws \u2014 nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/10\/massive-botnet-chews-through-20000-wordpress-sites\/\">Massive botnet chews through 20,000 WordPress sites \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>Apple have been forced to crack down on a new type of App Store fraud \u2013 apps that trick users of TouchID devices into authorising very expensive in-app purchases. 
All the offending apps have been removed from the store, and affected customers are reportedly being refunded:\n<ul>\n<li><a href=\"https:\/\/9to5mac.com\/2018\/11\/30\/app-store-heart-rate-scam\/\">iPhone \u2018Heart Rate\u2019 app on App Store attempts to scam customers out of $90 using Touch ID \u2014 9to5mac.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1422023\">iOS apps used Touch ID feature to trick users into paying hefty fees \u2014 arstechnica.com<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/03\/microsoft-cracks-down-on-tech-support-scams-16-call-centers-raided\/\">Microsoft cracks down on tech support scams, 16 call centers raided \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Security researchers have found attacks in the wild exploiting a combination of the <em>UPNProxy<\/em> router vulnerability revealed recently, and the <em>EternalBlue<\/em> and <em>EternalRed<\/em> vulnerabilities revealed in the NSA leaks last year. They&#8217;ve dubbed this new malware <em>EternalSilence<\/em>. (<strong>Editorial by Bart:<\/strong> if you&#8217;re running an un-patched router you really need to stop doing that! Update your firmware if you can, or get a new router if you can&#8217;t) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/03\/router-attack-exploits-upnp-and-nsa-malware-to-target-pcs\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>In a bizarre twist in a rivalry to be the most popular YouTuber, printers around the world have been hacked to print out pro-PewDiePie propaganda (<strong>Editorial by Bart:<\/strong> don&#8217;t expose your printers to the internet, and if possible, keep their firmware patched!) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/03\/printers-pulled-into-9100-port-attack-spew-pewdiepie-propaganda\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Citrix caused some confusion and controversy with a new periodic password reset. 
Some users assumed this new policy meant the service was probably hacked, but that doesn&#8217;t appear to be the case \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/12\/a-breach-or-just-a-forced-password-reset\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>The UK parliament&#8217;s <em>Digital, Culture, Media, and Sport committee<\/em> (DCMS) published hundreds of private internal Facebook emails, many of them quite damning of the company \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/06\/facebook-staffs-private-emails-published-in-press\/\">nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li>Facebook white-listed some apps for continued access to friends&#8217; data after they changed their APIs to remove that access in 2014\/15. It looks like this was done without user consent.<\/li>\n<li>Facebook knew that changing its Android app so it would collect call and text data would make them look bad, so they did their best to hide that they were doing it.<\/li>\n<li>As we suspected, the now abandoned Facebook VPN ONAVO was used to gather data from users, and Facebook used that data for their corporate advantage (to help them figure out what apps were popular enough to be worth buying or investing in).<\/li>\n<\/ul>\n<\/li>\n<li>In a speech at the <em>Brookings Institute<\/em> in the US, Microsoft President Brad Smith warned about the dangers of unregulated use of facial recognition technology, and called for governments to step in and regulate: <em>&#8216;We believe that the only way to protect against this race to the bottom is to build a floor of responsibility that supports healthy market competition&#8217;<\/em> \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/10\/microsoft-calls-for-laws-on-facial-recognition-issues-principles\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Apple have added experimental support for the <em>WebAuthn<\/em> authentication protocol to their <em>Safari Technology Preview<\/em> (effectively a beta 
version of Safari). Safari is the last of the major browsers not to support the protocol, which is designed to allow hardware tokens and biometric devices to be used for authentication on the web \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/product-news\/experimental-safari-usb-keys\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>A group that includes the Mozilla Foundation, NYU Law and the University of Dundee has launched the <em>Trustable Technology Mark<\/em>, a trust mark for <em>Internet of Things<\/em> (IoT) devices. Only two companies are certified so far, but if this takes off it could become a useful tool for consumers when choosing between competing products \u2014 <a href=\"https:\/\/www.fastcompany.com\/90277657\/every-other-industry-has-a-safety-label-now-tech-does-too\">www.fastcompany.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; It&#8217;s still got a very long way to go to become an actual law, but 15 US senators have introduced a data privacy bill which they&#8217;ve titled the <em>Data Care Act<\/em>. The bill would impose three duties on companies: a <strong>Duty of Care<\/strong>, a <strong>Duty of Loyalty<\/strong>, and a <strong>Duty of Confidentiality<\/strong> \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/senators-american-privacy-bill\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/05\/those-are-not-your-grandchildren-ftc-warns-of-new-scam\/\">Those are NOT your grandchildren! 
FTC warns of new scam \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/bjepkm\/how-to-tell-if-partner-is-spying-on-your-phone-stalkerware\">How to Tell If Your Partner is Spying on Your Phone \u2014 motherboard.vice.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.imore.com\/how-delete-your-facebook-data\">How to delete your Facebook information without deleting your account \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.macobserver.com\/tips\/quick-tip\/use-one-mac-time-machine-destination-another\/\">How to Use One Mac as a Time Machine Destination for Another \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.intego.com\/mac-security-blog\/how-to-use-the-console-app-for-troubleshooting\/\">How to Use the Console App for Troubleshooting \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.macobserver.com\/news\/quora-data-breach\/\">Quora Data Breach: 100 Million Users Affected \u2014 www.macobserver.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/05\/quora-com-admits-data-breach-affecting-100-million-accounts\/\">Quora.com admits data breach affecting 100 million accounts \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; A subtle coding bug caused Instagram&#8217;s GDPR privacy portal to accidentally leak some users&#8217; passwords. The bug has been fixed, and affected users have been notified \u2014 <a href=\"https:\/\/www.intego.com\/mac-security-blog\/did-instagram-leak-your-password\/\">www.intego.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; Google found another bug in their Google+ API that exposed more non-public profile data. Google found this bug themselves, and it looks like it has not been exploited in the wild. 
Google both patched the bug and brought forward the death of G+ for consumers by a few months \u2014 <a href=\"https:\/\/arstechnica.com\/tech-policy\/2018\/12\/google-bug-exposes-non-public-profile-data-for-52-million-users\/\">arstechnica.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/12\/google-to-power-down-early-after-second-security-hole-found\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/12\/samsung-fixes-flaws-that-could-have-let-attackers-hijack-your-account\/\">Samsung fixes flaws that could have let attackers hijack your account \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Spectacularly inept web development exposed the customer data stored on servers run by the company that owns the jewelry brands <em>Jared<\/em> and <em>Kay Jewelers<\/em>. The bug has now been fixed \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/03\/printers-pulled-into-9100-port-attack-spew-pewdiepie-propaganda\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/07\/unencrypted-medical-data-leads-to-12-state-litigation\/\">Unencrypted medical data leads to 12-state litigation \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.macobserver.com\/analysis\/instascam-blue-ticks-for-sale\/\">InstaScam \u2013 Blue Ticks for Sale \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1e8;&#x1f1f3; <a href=\"https:\/\/www.macobserver.com\/news\/apple-removes-700-apps-china-app-store\/\">Apple Removes 700 Apps from China App Store \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/link\/apple-employee-aclu\/\">Apple Employee Joins ACLU to Fight Government Back Doors \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a 
href=\"https:\/\/arstechnica.com\/?p=1425895\">Cryptography failure leads to easy hacking for PlayStation Classic \u2014 arstechnica.com<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/13\/border-agents-are-copying-travelers-data-leaving-it-on-usb-drives\/\">Border agents are copying travelers\u2019 data, leaving it on USB drives \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/14\/youtube-is-reading-text-in-users-videos\/\">YouTube is reading text in users\u2019 videos \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/14\/facebook-has-filed-patents-to-predict-our-future-locations\/\">Facebook has filed patents to predict our future locations \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1ee;&#x1f1f9; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/11\/facebook-fined-11m-for-misleading-users-about-how-data-will-be-used\/\">Facebook fined $11m for misleading users about how data will be used \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2018\/12\/how-internet-savvy-are-your-leaders\/\">How Internet Savvy are Your Leaders? 
\u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; Google&#8217;s CEO Sundar Pichai testified in Congress:\n<ul>\n<li><a href=\"https:\/\/techcrunch.com\/2018\/12\/11\/watch-google-ceo-sundar-pichai-testify-in-congress-on-bias-china-and-more\/\">Watch Google CEO Sundar Pichai testify in Congress \u2014 on bias, China and more \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/sundar-pichai-censor-google-china\/\">Sundar Pichai Did Not Deny Development of Censored Chinese Version of Google \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li>&#x2b50;&#xfe0f; A cautionary tale for non-profits that use Facebook \u2013 monitor your account carefully, because hackers may be lurking in your account just waiting for the right moment to pounce, and to defraud well-meaning donors \u2014 <a href=\"https:\/\/www.wired.com\/story\/nonprofits-facebook-get-hacked-need-help\/\">www.wired.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.wired.com\/story\/wired-guide-to-data-breaches\/\">The WIRED Guide to Data Breaches \u2014 www.wired.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.nytimes.com\/interactive\/2018\/12\/10\/business\/location-data-privacy-apps.html\">Your Apps Know Where You Were Last Night, and They\u2019re Not Keeping It Secret &#8211; The New York Times \u2014 www.nytimes.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; Interesting research from privacy-protecting search engine <em>DuckDuckGo<\/em> suggests that Google still manages to personalise searches even when users log out of Google and use private browsing mode. 
Google dispute the conclusion, and point to flaws in the study&#8217;s methodology \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/06\/googles-private-browsing-doesnt-keep-your-searches-anonymous\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propellor Beanie Territory\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/03\/faster-fuzzing-ferrets-out-42-fresh-zero-day-flaws\/\">Faster fuzzing ferrets out 42 fresh zero-day flaws \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/04\/bleichenbachers-cat-puts-another-scratch-in-tls\/\">Bleichenbacher\u2019s CAT puts another scratch in TLS \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/05\/kubernetes-cloud-computing-bug-could-rain-data-for-attackers\/\">Kubernetes cloud computing bug could rain data for attackers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/12\/text-captchas-easily-beaten-by-neural-nets\/\">Text CAPTCHAs easily beaten by neural networks \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li><a href=\"https:\/\/apod.nasa.gov\/apod\/ap181205.html\">Astronomy Picture of the Day \u2014 apod.nasa.gov\/\u2026<\/a><\/li>\n<li><a href=\"http:\/\/www.hussainather.com\/2018\/11\/how-to-improve-your-moral-reasoning-in.html\">Heuristic: How to improve your moral reasoning in the digital age \u2014 www.hussainather.com\/\u2026<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Followup Bloomberg&#8217;s controversial The Big Hack story SuperMicro released the results of an independent audit which found no evidence of hardware or software tampering on its motherboards \u2014 www.reuters.com\/\u2026 &amp; arstechnica.com\/\u2026 The Marriott Breach Marriott Data Breach Is Traced to Chinese Hackers as 
U.S. Readies Crackdown on Beijing \u2014 www.nytimes.com\/\u2026 An interesting related opinion piece [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":14958,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[2888,2810,776,2872,1931,50,569,2887],"class_list":["post-17045","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-australia","tag-bloomberg","tag-encryption","tag-marriott","tag-phishing","tag-security","tag-security-bits","tag-starwood"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2018\/04\/Security-Bits-Logo_1000px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/17045","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=17045"}],"version-history":[{"count":5,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/17045\/revisions"}],"predecessor-version":[{"id":17076,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/17045\/revisions\/17076"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/14958"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?paren
t=17045"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=17045"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=17045"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}