<h2>Security Bits – 11 January 2019</h2>
<p>Published 11 January 2019 (updated 17 January 2019) at <a href="https://www.podfeet.com/blog/2019/01/sb-2019-01-11/">www.podfeet.com/…</a></p>
<h3>Followups</h3>
<ul>
<li>CastHack
<ul>
<li><a href="https://techcrunch.com/2019/01/02/chromecast-bug-hackers-havoc/">Hackers hijack thousands of Chromecasts to warn of latest security bug — techcrunch.com/…</a></li>
<li><a href="https://nakedsecurity.sophos.com/2019/01/04/dont-fall-victim-to-the-chromecast-hackers-heres-what-to-do/">Don’t fall victim to the Chromecast hackers – here’s what to do — nakedsecurity.sophos.com/…</a></li>
</ul>
</li>
<li>Marriott now admits that over 5 million unencrypted passport numbers were stolen in its recent data breach — <a href="https://www.macobserver.com/news/marriott-admits-5-million-unencrypted-passport-numbers-stolen/">www.macobserver.com/…</a></li>
<li>The first segment of episode 120 of <a href="https://www.securemac.com/topics/checklist">the Checklist podcast by SecureMac</a> covers the convincing new phone scams targeting Apple users that we mentioned briefly last time — <a href="https://overcast.fm/+HLr6u_gJA">overcast.fm/…</a></li>
</ul>
<h3>Notable Security Updates</h3>
<ul>
<li>Adobe issued out-of-band patches for its PDF products (Acrobat &amp; Reader) to address critical vulnerabilities — <a href="https://nakedsecurity.sophos.com/2019/01/07/update-now-adobe-acrobat-and-reader-have-critical-flaws/">nakedsecurity.sophos.com/…</a></li>
<li>It has been revealed that the update Microsoft released for Skype on Android on 23 December patched a dangerous lock-screen bypass bug: with the Skype app installed, an incoming call could be used to reach contacts, photos and the browser without entering the device passcode — <a href="https://nakedsecurity.sophos.com/2019/01/07/no-android-passcode-no-problem-skype-unlocked-it-for-you/">nakedsecurity.sophos.com/…</a></li>
<li>This month’s <em>Patch Tuesday</em> contained critical patches from both Microsoft &amp; Adobe — <a href="https://krebsonsecurity.com/2019/01/patch-tuesday-january-2019-edition/">krebsonsecurity.com/…</a> &amp; <a href="https://nakedsecurity.sophos.com/2019/01/10/update-now-microsoft-and-adobes-january-2019-patch-tuesday-is-here/">nakedsecurity.sophos.com/…</a></li>
</ul>
<h3>Notable News</h3>
<ul>
<li>Phishing just got quite a bit more dangerous with the release of a new penetration-testing tool that automates reverse-proxy-style 2FA phishing: the phishing site sits between the victim and the genuine login page, relaying the username, password and one-time code in real time, so the code is still valid when the attacker uses it. Attacks of this kind were recently reported against the US government and Amnesty International. The tool is named <em>Modlishka</em>, Polish for <em>mantis</em> (<strong>Editorial by Bart:</strong> the existence of software like this just makes it ever more important to check the URL in the address bar before you enter your 2FA code, username, or password) — <a href="https://nakedsecurity.sophos.com/2019/01/11/2fa-codes-can-be-phished-by-new-pentest-tool/">nakedsecurity.sophos.com/…</a></li>
<li>🇪🇺 A draft list of supposed piracy sites published by EU lawmakers in preparation for the implementation of Article 13 of the controversial new <em>European Copyright Directive</em> has raised serious concerns about the law’s possible impact on the internet. Most glaringly, the list includes Cloudflare as a supposed piracy site — <a href="https://www.macobserver.com/news/eu-piracy-list-break-internet/">www.macobserver.com/…</a></li>
<li>🇪🇺 The European Commission has announced 15 new bug bounty programs to reward researchers who find and responsibly disclose bugs in popular free and open source software — <a href="https://nakedsecurity.sophos.com/2019/01/04/eu-to-offer-nearly-1m-in-bug-bounties-for-open-source-software/">nakedsecurity.sophos.com/…</a></li>
<li>The Dutch consumer organisation <em>de Consumentenbond</em> tested the facial recognition on 110 phones (iPhones and Android phones) and found that 42 of the Android devices could be unlocked with nothing more than a high-resolution photo of the owner. A further six Android devices failed the test with their default settings but could be configured to use a stricter mode that the photo did not bypass — <a href="https://nakedsecurity.sophos.com/2019/01/08/facial-recognition-on-42-android-phones-beaten-by-photo-test/">nakedsecurity.sophos.com/…</a>
<ul>
<li>The original report is in Dutch (as you’d expect from a Dutch organisation), but you can find the 42 phones that failed the test outright listed under the heading <em>Toestellen ontgrendeld met een foto</em> (<strong>translation:</strong> devices unlocked with a photo), and those that failed in their default configuration but could be reconfigured to be secure under the heading <em>Toestellen ontgrendeld met een foto, maar met betere beveiliging</em> (<strong>translation:</strong> devices unlocked with a photo, but with better security). Finally, for completeness, you’ll find the 57 devices that passed the test, including every iPhone tested, under the heading <em>Toestellen die niet met een foto zijn te ontgrendelen</em> (<strong>translation:</strong> devices that could not be unlocked with a photo) — <a href="https://www.consumentenbond.nl/veilig-internetten/gezichtsherkenning-te-hacken#no1">www.consumentenbond.nl/…</a></li>
</ul>
</li>
<li>🇺🇸 Research by Motherboard finds that US carriers are still selling customer location data (despite promising to stop after a damaging exposé last June): $300 paid to a bounty hunter was all it took to locate a given US cellphone — <a href="https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile">motherboard.vice.com/…</a>
<ul>
<li>Federal lawmakers responded with calls for an investigation — <a href="https://www.washingtonpost.com/technology/2019/01/10/phone-companies-are-selling-your-location-data-now-some-lawmakers-want-federal-investigation/?noredirect=on&amp;utm_term=.71488f9ca9f9">www.washingtonpost.com/…</a></li>
<li>AT&amp;T responded to the reporting by promising (again) to stop selling user location data, T-Mobile &amp; Sprint also say they will stop, and Verizon says it stopped some time ago — <a href="https://www.macobserver.com/news/att-stop-location-data/">www.macobserver.com/…</a></li>
</ul>
</li>
<li>The Intercept reports that employees at Ring’s research centre in Ukraine could bring up video from any Ring camera or doorbell with nothing more than the customer’s email address — <a href="https://theintercept.com/2019/01/10/amazon-ring-security-camera/">theintercept.com/…</a> &amp; <a href="https://www.imore.com/ring-employees-may-have-been-spying-your-security-cameras-and-doorbells">www.imore.com/…</a>
<ul>
<li>We talked about how Ring announced in 2016 that HomeKit support was coming (it still isn’t here): <a href="https://blog.ring.com/2016/06/16/bringing-apple-homekit-support-to-ring/">blog.ring.com/…</a></li>
</ul>
</li>
<li>An investigation by 9to5Mac found that the popular parcel-tracking app <em>Parcels – Track Your Packages</em> (not the even more popular app <em>Parcel</em>) recruits every device running the app into what is effectively a single-purpose botnet that does the work you would expect to be done on servers run by the developer. This saves the company the expense of running servers and paying for bulk access to APIs, at a privacy cost to its users. The app exists for both iOS and Android, but 9to5Mac only tested the iOS version — <a href="https://9to5mac.com/2019/01/07/package-tracking-app-turns-users-devices-into-a-bot-farm-violates-user-privacy/">9to5mac.com/…</a></li>
<li>Contrary to what you may have heard, the privacy-protecting search engine DuckDuckGo is not using browser fingerprinting to track users — <a href="https://techcrunch.com/2019/01/07/duckduckgo-browser-fingerprinting/">techcrunch.com/…</a></li>
</ul>
<h3>Suggested Reading</h3>
<ul>
<li>PSAs, Tips &amp; Advice
<ul>
<li>⭐️ <a href="https://www.imore.com/privacy-now">iPhone Privacy: How to lock down and delete threats to your online information — www.imore.com/…</a></li>
<li>⭐️ Brian Krebs uses a practical example to illustrate the dangers of buying cheap Microsoft subscriptions on eBay, and lists three red flags to look out for: <a href="https://krebsonsecurity.com/2019/01/dirt-cheap-legit-windows-software-pick-two/">Dirt-Cheap, Legit, Windows Software: Pick Two — krebsonsecurity.com/…</a></li>
<li><a href="https://nakedsecurity.sophos.com/2019/01/09/how-to-share-photos-without-using-facebook/">How to share photos – without using Facebook — nakedsecurity.sophos.com/…</a></li>
<li><a href="https://nakedsecurity.sophos.com/2019/01/08/sms-phishing-is-alive-and-well-and-simply-believable/">SMS phishing is alive and well… and simply believable — nakedsecurity.sophos.com/…</a></li>
</ul>
</li>
<li>Notable Breaches &amp; Privacy Violations
<ul>
<li>⭐️ Hot new trading site <em>DX.Exchange</em> found to be riddled with bugs that leaked sensitive data, including login tokens — <a href="https://arstechnica.com/information-technology/2019/01/hot-new-trading-site-leaked-oodles-of-user-data-including-login-tokens/">arstechnica.com/…</a></li>
<li>🇺🇸 <a href="https://nakedsecurity.sophos.com/2019/01/08/la-sues-the-weather-channel-over-selling-users-location-data/">LA sues The Weather Channel over selling users’ location data — nakedsecurity.sophos.com/…</a></li>
<li>🇩🇪 <a href="https://nakedsecurity.sophos.com/2019/01/07/hacker-doxes-hundreds-of-german-politicians/">Hacker doxes hundreds of German politicians — nakedsecurity.sophos.com/…</a></li>
<li>Research commissioned by the advocacy group <em>Privacy International</em> found that 61% of the Android apps they tested reported usage data to Facebook, whether or not the user has a Facebook account — <a href="https://nakedsecurity.sophos.com/2019/01/09/some-android-apps-are-phoning-home-to-facebook-even-when-you-dont-have-an-account/">nakedsecurity.sophos.com/…</a></li>
</ul>
</li>
<li>News
<ul>
<li>⭐️ Research from security firm Trend Micro found that 85 apps in the Google Play store, downloaded more than 9 million times between them, contained adware — <a href="https://www.macobserver.com/link/android-adware-apps-google-play-store/">www.macobserver.com/…</a></li>
<li>🇺🇸 <a href="https://nakedsecurity.sophos.com/2019/01/09/politicians-who-block-social-media-users-are-violating-first-amendment/">Politicians who block social media users are violating First Amendment — nakedsecurity.sophos.com/…</a></li>
<li><a href="https://nakedsecurity.sophos.com/2019/01/09/zerodiums-waving-fatter-payouts-for-zero-day-bug-hunters/">Zerodium’s waving fatter payouts for zero-day bug hunters — nakedsecurity.sophos.com/…</a></li>
<li><a href="https://arstechnica.com/?p=1436113">New Windows 10 build silences Cortana, brings passwordless accounts — arstechnica.com</a></li>
<li>🇺🇸 <a href="https://nakedsecurity.sophos.com/2019/01/10/supreme-court-refuses-to-hear-fiat-chrysler-appeal-in-jeep-hacking-case/">Supreme Court refuses to hear Fiat Chrysler appeal in Jeep hacking case — nakedsecurity.sophos.com/…</a></li>
<li>🇻🇳 <a href="https://nakedsecurity.sophos.com/2019/01/10/facebook-violated-tough-new-cybersecurity-law-says-vietnam/">Facebook violated tough new cybersecurity law, says Vietnam — nakedsecurity.sophos.com/…</a></li>
</ul>
</li>
<li>Opinion &amp; Analysis
<ul>
<li>⭐️ <a href="https://www.macobserver.com/tips/deep-dive/apple-t2-security-chip-disk-storage/">How Apple’s T2 Security Chip Affects Your Disk Storage — www.macobserver.com/…</a></li>
<li>⭐️ <a href="https://www.wired.com/story/intel-meltdown-spectre-storm/">The Elite Intel Team Still Fighting Meltdown and Spectre — www.wired.com/…</a></li>
<li>⭐️ Researchers from the Foundation for Research and Technology in Greece and the University of Illinois have published a paper showing just how much can be inferred from the metadata attached to a public Twitter feed, even when the owner is careful not to reveal sensitive information (they have a sense of humour: the paper is titled <em>‘Please Forget Where I Was Last Summer: The Privacy Risks of Public Location (Meta)Data’</em>) — <a href="https://nakedsecurity.sophos.com/2019/01/11/old-twitter-posts-reveal-hidden-secrets-say-researchers/">nakedsecurity.sophos.com/…</a></li>
<li>🇪🇺 <a href="https://www.wired.co.uk/article/eu-parliament-elections-hacking">The EU doesn’t really have a plan to stop its elections being hacked — www.wired.co.uk/…</a></li>
</ul>
</li>
<li>Propeller Beanie Territory
<ul>
<li><a href="https://www.macobserver.com/news/nsa-releases-free-ghidra/">NSA to Release Free Reverse Engineering Tool GHIDRA — www.macobserver.com/…</a></li>
<li><a href="https://nakedsecurity.sophos.com/2019/01/04/vein-authentication-beaten-by-wax-hand-and-photograph/">Vein authentication beaten by wax hand and photograph — nakedsecurity.sophos.com/…</a></li>
</ul>
</li>
</ul>
<h3>Palate Cleansers</h3>
<ul>
<li>A recent Planet Money episode looked at how cyber-insurance is giving corporations the incentive to up their game on security training for their staff, and just how effective that training can be: <a href="https://overcast.fm/+HuIinDgSE">Planet Money Episode 886: The Price of a Hack — overcast.fm/…</a></li>
<li><a href="https://techcrunch.com/2019/01/03/scratch-3-0-is-now-available/">Scratch 3.0 is now available — techcrunch.com/…</a></li>
</ul>
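<p>The Modlishka item under Notable News describes reverse-proxy phishing of one-time codes. The Python below is an added example written for this page; it is not code from the original post or from the Modlishka project. It models a genuine site that checks a password plus an RFC 6238 TOTP code, a look-alike origin that relays each submitted field to the genuine site the moment the victim types it, and a victim who either does or does not compare the address bar with the expected origin before submitting (Bart’s editorial advice). The second half models a second factor that is bound to the origin the browser reports, using HMAC as a stand-in for the per-site signature a hardware security key would produce. All hostnames, secrets and the timestamp are constructed for the demo; the TOTP secret is the RFC 6238 test-vector key.</p>

```python
"""Why a reverse-proxy phishing site defeats TOTP, and what kind of check stops it.

Added example, not code from the original post or from the Modlishka project.
Hostnames, passwords and the timestamp are constructed for the demo.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

REAL_ORIGIN = "https://accounts.example.com"                  # constructed
PHISH_ORIGIN = "https://accounts-example.com.login.example"   # constructed look-alike
NOW = 1547253600                                              # constructed timestamp (Jan 2019)
PASSWORD = "correct horse battery staple"                     # constructed
TOTP_SECRET = b"12345678901234567890"                         # RFC 6238 test-vector secret
ORIGIN_BOUND_KEY = b"per-site-key-for-accounts.example.com"   # constructed


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class RealSite:
    """The genuine site: checks password + TOTP and hands out a session token."""

    def __init__(self) -> None:
        self.sessions: set = set()

    def login(self, password: str, code: str, now: int) -> Optional[str]:
        # Accept the current 30 s step and one either side to tolerate clock drift.
        valid_codes = [totp(TOTP_SECRET, now + d) for d in (-30, 0, 30)]
        if hmac.compare_digest(password.encode(), PASSWORD.encode()) and code in valid_codes:
            token = hashlib.sha256(f"session:{now}:{len(self.sessions)}".encode()).hexdigest()[:16]
            self.sessions.add(token)
            return token
        return None


class ReverseProxyPhisher:
    """Look-alike origin that forwards every field to the real site as soon as the
    victim submits it, so the 30 s TOTP code is still fresh when it is replayed."""

    def __init__(self, real: RealSite) -> None:
        self.real = real
        self.captured_sessions: list = []

    def handle_submission(self, password: str, code: str, now: int) -> Optional[str]:
        token = self.real.login(password, code, now)   # relayed to the genuine site
        if token:
            self.captured_sessions.append(token)        # attacker now holds a real session
        return token                                    # victim is logged in and notices nothing


def victim_submits(origin: str, check_address_bar: bool, now: int) -> Optional[Tuple[str, str]]:
    """The victim fills in the form shown at `origin`. With check_address_bar set,
    the victim refuses unless the origin is the one they expect."""
    if check_address_bar and origin != REAL_ORIGIN:
        return None
    return PASSWORD, totp(TOTP_SECRET, now)


def run_relay_attack(check_address_bar: bool) -> bool:
    """True if the phisher ends up holding a session the real site considers valid."""
    real = RealSite()
    phisher = ReverseProxyPhisher(real)
    fields = victim_submits(PHISH_ORIGIN, check_address_bar, NOW)
    if fields is None:
        return False
    phisher.handle_submission(*fields, NOW)
    return bool(phisher.captured_sessions) and phisher.captured_sessions[0] in real.sessions


def origin_bound_response(challenge: bytes, origin: str) -> bytes:
    """Stand-in for an authenticator that signs the site's challenge together with the
    origin the *browser* reports. HMAC is used here instead of a per-site key pair;
    the binding to the origin, not the primitive, is what the demo shows."""
    return hmac.new(ORIGIN_BOUND_KEY, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def origin_bound_relay() -> Tuple[bool, bool]:
    """(genuine login accepted, relayed login accepted) for an origin-bound second factor."""
    challenge = b"nonce-from-real-site"                          # constructed; proxy relays it unchanged
    expected = origin_bound_response(challenge, REAL_ORIGIN)     # what the real site verifies against
    genuine = origin_bound_response(challenge, REAL_ORIGIN)      # victim really is on the real site
    relayed = origin_bound_response(challenge, PHISH_ORIGIN)     # browser reports the phishing origin
    return hmac.compare_digest(genuine, expected), hmac.compare_digest(relayed, expected)


if __name__ == "__main__":
    print("TOTP relayed, no address-bar check    :", run_relay_attack(check_address_bar=False))  # True
    print("TOTP relayed, address bar checked     :", run_relay_attack(check_address_bar=True))   # False
    print("origin-bound factor (genuine, relayed):", origin_bound_relay())                       # (True, False)
```

<p>Run it directly to see the three outcomes. The relayed TOTP login succeeds because the genuine site only ever receives a fresh, valid code; nothing in the submission tells it which domain the victim was looking at. The address-bar check defeats the relay, but only if the victim performs it every single time, which is the weakness the editorial is pointing at. The origin-bound factor fails on the phishing origin with no effort from the user, because the browser, not the phisher, supplies the origin that goes into the response.</p>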