{"id":17188,"date":"2019-01-04T09:56:47","date_gmt":"2019-01-04T17:56:47","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=17188"},"modified":"2019-01-04T09:56:48","modified_gmt":"2019-01-04T17:56:48","slug":"sb-2019-01-03","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2019\/01\/sb-2019-01-03\/","title":{"rendered":"Security Bits \u2013 3 Jan 2019"},"content":{"rendered":"<h3>Notable Security Updates<\/h3>\n<ul>\n<li>Microsoft released an emergency fix for an IE Zero-day \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/12\/microsoft-issues-emergency-fix-for-ie-zero-day\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Logitech have released a critical security update for their <em>Logitech Options<\/em> app (used to configure some of their devices). Unfortunately the fix was two days too late, coming two days after Project Zero released details of the bug (time was up) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/18\/logitech-flaw-fixed-after-project-zero-disclosure\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h3>Notable News<\/h3>\n<ul>\n<li>Security researchers succeeded in using a 3D printed fake head to fool many Android phones into unlocking, but could not fool the FaceID on iPhones (<strong>Editorial by Bart:<\/strong> no need to panic though, while the attacks worked in a lab setting, they are a very very long way from being in any way practical, at least for now) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/17\/fake-face-fools-fones\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Reporting from the NYT claims that FaceBook gave some tech companies (e.g. Apple, Microsoft &amp; Netflix) greater access to user data than the normal APIs\/rules allowed. 
The report claims that this extra data included private messages, but FaceBook denies this \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/20\/facebook-defends-itself-in-latest-data-sharing-scandal\/\">nakedsecurity.sophos.com\/\u2026<\/a>, <a href=\"https:\/\/www.imore.com\/facebook-secretly-shared-your-data-other-tech-companies\">www.imore.com\/\u2026<\/a><\/li>\n<li>Amnesty International have released a report describing targeted spear-phishing attacks that tricked users into bypassing 2FA that are similar to those the security research firm Certfa recently described the Iranian government carrying out against US officials. The Amnesty report contains a new twist though \u2013 the attackers used their initial access to create app-specific passwords to retain their access permanently \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/21\/more-phishing-attacks-on-yahoo-and-gmail-sms-2fa-authentication\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.buzzfeednews.com\/article\/pranavdixit\/india-wants-tech-platforms-to-break-encryption-and-remove\">India Wants Tech Platforms To Break Encryption And Remove Content The Government Thinks Is &#8220;Unlawful&#8221; \u2014 www.buzzfeednews.com\/\u2026<\/a><\/li>\n<li>The same hackers who recently hacked internet connected printers to get them to print out messages asking people to subscribe to <em>PewDiePie<\/em> on YouTube have struck again, this time taking over TVs with a video with the same message. 
Details are extremely sparse ATM, so I&#8217;m not quite sure what&#8217;s going on, but the affected users seem to be running Google ChromeCasts, and Google are advising users to disable UPnP on their routers \u2014 <a href=\"https:\/\/www.theverge.com\/platform\/amp\/2019\/1\/2\/18165386\/pewdiepie-chromecast-hack-tseries-google-chromecast-smart-tv\">www.theverge.com\/\u2026<\/a>\n<ul>\n<li>Some more details have emerged on the ChromeCast hackery after we recorded this segment, so things are a little clearer now. For starters, we now have a cute name for it \u2014 CastHack! I want to give a special mention to TechCrunch, their writeup really helped me figure out what&#8217;s going on. I&#8217;ve asked Allison to add that link into the show notes <a href=\"https:\/\/techcrunch.com\/2019\/01\/02\/chromecast-bug-hackers-havoc\/\">techcrunch.com\/&#8230;<\/a>.\n<ul>\n<li>My theory was that this was a problem with UPnP bugs allowing the attackers to get internet access to ChromeCasts which would normally only be accessible locally. I&#8217;d assumed the attack then relied on the owners of the ChromeCasts having configured them so they&#8217;d accept a signal from any source (no authentication is obviously the easiest kind from a usability point of view!)<\/li>\n<li>It turns out I was not wrong, but I was also missing a vital piece of information \u2014 this is a two-part hack, abusing UPnP to expose the ChromeCast to the internet is only the first of two phases of the attack. The second phase involves exploiting a bug in the ChromeCast itself that allows attackers to bypass authentication by forcing the ChromeCast into its factory default settings, which then allow the attacker to configure the device as they please.<\/li>\n<li>It turns out that this ChromeCast authentication bypass was first discovered as far back as 2014, and Google were notified about it back then. 
Because the ChromeCast devices are designed to be local devices, neither the security researchers who reported the bug nor Google took it very seriously, and four years later, it remains un-patched! Google have now promised they&#8217;ll get a fix out soon.<\/li>\n<li>So, for now, the correct advice is still to disable UPnP on your router if you don&#8217;t need it \u2014 it&#8217;s a troubling protocol that is exposing you to a substantial risk. Why take that risk if you don&#8217;t need to? If you&#8217;re one of the small number of people who really do need UPnP, make sure your router is still supported by its vendor and still receiving software updates, and that you have the very latest updates installed. If your router is out of support, bin it and get a new one \u2014 you can&#8217;t be safe if you connect to the internet through an un-securable router!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li>&#x2b50;&#xfe0f; WIRED are warning of a new wave of quite convincing Apple-themed phishing attacks \u2014 <a href=\"https:\/\/www.wired.com\/story\/apple-app-store-phishing-scam\/\">www.wired.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"http:\/\/theconversation.com\/clean-up-your-cyber-hygiene-6-changes-to-make-in-the-new-year-108565\">Clean up your cyber-hygiene \u2013 6 changes to make in the new year \u2014 theconversation.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; Some good advice from the US-CERT on securing those new devices Santa brought \u2014 <a href=\"https:\/\/www.us-cert.gov\/ncas\/current-activity\/2018\/12\/28\/Securing-New-Devices\">www.us-cert.gov\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/techcrunch.com\/2018\/12\/25\/cybersecurity-101-guide-password-manager\/\">Cybersecurity 101: Why you need to use a password manager \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a 
href=\"http:\/\/www.applemust.com\/what-is-app-notarization-on-a-mac-and-why-should-i-care\/\">What is App Notarization on a Mac and why should I care? \u2014 www.applemust.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/protect-your-kids-on-ios-devices-with-parental-controls\/\">Protect Your Kids on iOS Devices with Parental Controls \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/28\/how-to-protect-your-facebook-account-a-walkthrough\/\">How to protect your Facebook account: a walkthrough \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/29\/how-to-secure-your-twitter-account\/\">How to secure your Twitter account \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/31\/how-to-secure-your-instagram-account-using-2fa\/\">How to secure your Instagram account using 2FA \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/how-remotely-help-someone-fix-their-iphone-ipad-and-mac-using-messages-screen-sharing\">How to remotely help someone fix their iPhone, iPad, and Mac using Messages screen sharing \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>Good advice from Intego on controlling which iOS apps have access to your location data \u2014 <a href=\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-apps-spying-on-your-location\/\">www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li><a href=\"http:\/\/nakedsecurity.sophos.com\/2018\/12\/18\/twitter-fixes-bug-that-lets-unauthorized-apps-get-access-to-dms\/\">Twitter fixes bug that lets unauthorized apps get access to DMs \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a 
href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/18\/facebook-photo-api-bug-exposed-users-unpublished-photos\/\">Facebook photo API bug exposed users\u2019 unpublished photos \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/personal-details-north-korean-defectors-stolen-hackers\/\">Personal Details of 997 North Korean Defectors Stolen by Hackers \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>&#x2b50;&#xfe0f; &#x1f1fa;&#x1f1f8; The U.S. Department of Defense Inspector General (DOD IG) released a report on the security of the US&#8217;s nuclear weapons systems, and it can best be described as <em>&#8216;scathing&#8217;<\/em>. ZDNet summarised the findings well: <em>&#8220;no data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities&#8221;<\/em> \u2014 <a href=\"https:\/\/www.macobserver.com\/link\/cybersecurity-us-ballistic-missiles-bad\/\">www.macobserver.com\/\u2026<\/a>, <a href=\"https:\/\/www.zdnet.com\/article\/us-ballistic-missile-systems-have-very-poor-cyber-security\/\">www.zdnet.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/19\/how-not-to-secure-us-missile-defences\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/theintercept.com\/2018\/12\/17\/google-china-censored-search-engine-2\/\">Google\u2019s Secret China Project \u201cEffectively Ended\u201d After Internal Confrontation \u2014 theintercept.com\/\u2026<\/a>\n<ul>\n<li><strong>Related Opinion Piece:<\/strong> <a href=\"https:\/\/www.imore.com\/google-reportedly-violated-protocols-shut-privacy-team-out-dragonfly\">Google reminds us why you can&#8217;t trust any company with your data \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a 
href=\"https:\/\/www.recode.net\/2018\/12\/17\/18140062\/facebook-clear-history-update-privacy-targeting-data-collection\">Facebook still hasn\u2019t launched a big privacy feature that Mark Zuckerberg promised more than seven months ago \u2014 www.recode.net\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/daringfireball.net\/linked\/2018\/12\/28\/facebook-rulebook\">NYT: &#8216;Inside Facebook\u2019s Secret Rulebook for Global Political Speech&#8217; \u2014 daringfireball.net\/\u2026<\/a><\/li>\n<li>Apple have released their latest transparency report \u2014 <a href=\"https:\/\/www.apple.com\/legal\/transparency\/\">www.apple.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.macobserver.com\/link\/privacy-concept-apps-cloud\/\">A Privacy Concept That Reimagines Apps and the Cloud \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; Brian Krebs explored the corporate leadership pages of the global top 100 companies, checking how many (or how few) of them include any security officers at the highest levels; only about a third did: <a href=\"https:\/\/krebsonsecurity.com\/2018\/12\/a-chief-security-concern-for-executive-teams\/\">A Chief Security Concern for Executive Teams \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/19\/instagram-became-the-preferred-tool-in-russias-propaganda-war\/\">Instagram became the preferred tool in Russia\u2019s propaganda war \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/21\/fortnite-hackers-making-thousands-from-stolen-accounts\/\">Fortnite hackers making a fortune from reselling stolen accounts \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/usb-c-cables-security\/\">USB-C Cables Could Get Built-In Security \u2014 
www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propellor Beanie Territory\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/19\/serious-security-when-cryptographic-certificates-attack\/\">Serious Security: When cryptographic certificates attack \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/12\/19\/sqlite-creator-fires-back-at-tencents-bug-hunters\/\">SQLite creator fires back at Tencent\u2019s bug hunters \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li>A nerdy take on the 12 days of Christmas \u2014 <a href=\"https:\/\/twitter.com\/alicegoldfuss\/status\/1076944612432826368\">twitter.com\/\u2026<\/a><\/li>\n<li>A long-form article on one of my Computer Science heroes, Don Knuth: <a href=\"https:\/\/www.nytimes.com\/2018\/12\/17\/science\/donald-knuth-computers-algorithms-programming.html\">The Yoda of Silicon Valley \u2014 www.nytimes.com\/\u2026<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Notable Security Updates Microsoft released an emergency fix for an IE Zero-day \u2014 krebsonsecurity.com\/\u2026 Logitech have released a critical security update for their Logitech Options app (used to configure some of their devices). 
Unfortunately the fix was two days too late, coming two days after Project Zero released details of the bug (time was up) [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":14958,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[2916,584,2105,50,569],"class_list":["post-17188","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-casthack","tag-chromecast","tag-secure","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2018\/04\/Security-Bits-Logo_1000px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/17188","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=17188"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/17188\/revisions"}],"predecessor-version":[{"id":17190,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/17188\/revisions\/17190"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/14958"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=17188"}],"wp:term":[{"taxonomy":"category"
,"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=17188"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=17188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}