{"id":19125,"date":"2019-08-27T17:49:04","date_gmt":"2019-08-28T00:49:04","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=19125"},"modified":"2019-08-27T17:49:55","modified_gmt":"2019-08-28T00:49:55","slug":"sb-2019-08-27","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2019\/08\/sb-2019-08-27\/","title":{"rendered":"Security Bits \u2013 27 August 2019"},"content":{"rendered":"<h3>Followups<\/h3>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/27\/github-joins-webauthn-club\/\">GitHub joins WebAuthn club \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Human Review of Voice Assistant Recordings:\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/15\/facebook-got-humans-to-listen-in-on-some-messenger-voice-chats\/\">Facebook got humans to listen in on some Messenger voice chats \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Microsoft have humans review your conversations, and they&#8217;re not up for changing that fact: <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/16\/microsoft-wont-shift-on-ai-recordings-policy\/\">Microsoft won\u2019t shift on AI recordings policy \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/22\/humans-may-have-been-listening-to-you-via-your-xbox\/\">Humans may have been listening to you via your Xbox \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>An interesting opinion piece describing an alternative approach companies like Apple could take: <a href=\"https:\/\/tidbits.com\/2019\/08\/14\/why-cant-users-teach-siri-about-its-mistakes\/\">Why Can\u2019t Users Teach Siri about Its Mistakes? 
\u2014 tidbits.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-contractors-allegedly-listened-1000-siri-recordings-shift\">Apple contractors allegedly listened to 1,000 Siri recordings per shift \u2014 www.imore.com\/\u2026<\/a><br \/>\n<!--more--><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Security Medium 1 \u2014 Bad Cables<\/h3>\n<p>At this year&#8217;s DEF CON security conference, a security researcher generated a lot of media buzz by re-implementing something we&#8217;ve known about for a long time \u2014 a malicious cable.<\/p>\n<p>Using only relatively cheap components and working at home in his kitchen, the security researcher was able to take a legitimate Apple cable and seamlessly insert a malicious chip in it to allow him to remotely trigger attacks on the Mac the cable was connected to. At all times the cable would function like a regular USB to Lightning cable, but it would also be listening over WiFi waiting to be commanded to take action. When triggered the implant would become active, interacting with the Mac over USB and allowing the attacker to run commands on the Mac, including opening a remote terminal into the Mac.<\/p>\n<p>Fundamentally there is nothing new here. We&#8217;ve known about malicious cables for years. This caught the media&#8217;s eye because technology has progressed to the point that the implant can be seamlessly hidden in a legitimate Apple cable.<\/p>\n<p>What should we learn from this? IMO, the key take-home is that every time you plug a cable into a device you are expressing trust in that cable. You should ask yourself, where did this cable come from? Is it yours? Does it belong to a trusted friend, colleague, or acquaintance? Or did a strange person or organisation provide it? If it is yours, did you buy it from a trusted source for a believable price, or did you grab it from some random reseller with no reputation for an unrealistically cheap price? 
This is yet another way in which something that looks too good to be true could well be too good to be true!<\/p>\n<p>How much of a real-world risk this is for you will really depend on who you are, where you are, and what you are doing. If you&#8217;re a high-profile person with control over something of value you should probably be more suspicious than the average person. If you&#8217;re travelling in a foreign country with an authoritarian or police-state streak, you really should be extra suspicious. If you&#8217;re in a situation where industrial espionage could be a problem, be more suspicious! And of course, if you&#8217;re at a security conference like DEF CON or BlackHat, just say no to anything of any shape that plugs into anything electrical whatsoever &#x1f642;<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/www.vice.com\/en_us\/article\/evj4qw\/these-iphone-lightning-cables-will-hack-your-computer\">These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer \u2014 www.vice.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/security-researcher-says-modified-lightning-cable-can-hack-your-mac\">Security researcher says this modified Lightning cable can hack your Mac \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Security Medium 2 \u2014 The Bluetooth <em>KNOB<\/em> Attack<\/h3>\n<p>Security researchers discovered a problem with the Bluetooth spec which they&#8217;ve dubbed <em>KNOB<\/em>, for <em>Key Negotiation of Bluetooth<\/em>. This vulnerability in the spec made it possible for fully compliant Bluetooth devices to be tricked into negotiating an encryption key with just one byte of entropy. 
Keys with so little entropy are trivial to brute-force, so the attack effectively allowed an attacker to silently disable encryption.<\/p>\n<p>It&#8217;s important to note that the window of opportunity for this attack is very small \u2014 attacks can only be launched while devices are in the process of pairing, and only by an attacker within Bluetooth range of the victim devices.<\/p>\n<p>The flaw has been acknowledged and the spec updated to address the problem. It&#8217;s now up to software and hardware vendors to update their drivers and firmware to abide by the improved spec.<\/p>\n<p>An important silver lining here is that the attack only works if <strong>both<\/strong> devices are vulnerable, so an OS update will nip this problem in the bud even if many devices never get updated because the vendors don&#8217;t bother releasing updated firmware and\/or users don&#8217;t bother installing the updates.<\/p>\n<p>Apple have patched the vulnerability in their latest OS updates. I haven&#8217;t seen updates for any other OS yet.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/arstechnica.com\/information-technology\/2019\/08\/new-attack-exploiting-serious-bluetooth-weakness-can-intercept-sensitive-data\/\">New Attack exploiting serious Bluetooth weakness can intercept sensitive data \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/9to5mac.com\/2019\/08\/16\/bluetooth-security-flaw\">Serious Bluetooth security flaw officially acknowledged; now patched by Apple \u2014 9to5mac.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/tidbits.com\/2019\/08\/23\/apple-blocks-knob-attack-on-bluetooth\/\">Apple Blocks KNOB Attack on Bluetooth \u2014 tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Security Medium 3 \u2014 Contrasting Visions for Tracking Protection<\/h3>\n<p>Both Apple and Google have recently shared their updated visions for tracking prevention, and the contrast could not be more stark!<\/p>\n<p>Starting with Apple, they laid out their new 
policy on their website. It&#8217;s not long, and it&#8217;s written in human-friendly language. The bottom line is simple \u2014 Apple will treat tracking like malware, and will do everything in their power to prevent it, even if that breaks some things.<\/p>\n<p>Apple explicitly acknowledged Mozilla&#8217;s policy, saying their new policy was <em>&#8220;inspired by and derived from&#8221;<\/em> Mozilla&#8217;s.<\/p>\n<p>Google, on the other hand, took a very different tack. They released a blog post outlining an idea (not a product or feature, at least not yet) \u2014 a <em>&#8216;privacy sandbox&#8217;<\/em> that will allow some tracking, but not too much. Websites will get a tracking budget which will let them insert only so much tracking data before Chrome will step in and block further tracking.<\/p>\n<p>This sounds utterly un-workable to me, and seems to be a case of Google the ad company coming into direct conflict with Google the browser vendor. I&#8217;m far from alone in that view!<\/p>\n<h4>Links<\/h4>\n<ul>\n<li>Apple&#8217;s new tracking policy for WebKit \u2014 <a href=\"https:\/\/webkit.org\/tracking-prevention-policy\/\">webkit.org\/\u2026<\/a><\/li>\n<li>Mozilla&#8217;s tracking policy \u2014 <a href=\"https:\/\/wiki.mozilla.org\/Security\/Anti_tracking_policy\">wiki.mozilla.org\/\u2026<\/a><\/li>\n<li>Google&#8217;s blog post: <a href=\"https:\/\/www.blog.google\/products\/chrome\/building-a-more-private-web\/\">Building a more private web \u2014 www.blog.google\/\u2026<\/a><\/li>\n<li>Good writeups from TMO &amp; iMore \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/webkit-tracking-prevention-policy\/\">www.macobserver.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.imore.com\/apples-webkit-team-details-new-tracking-prevention-policy\">www.imore.com\/\u2026<\/a><\/li>\n<li>Opinion:\n<ul>\n<li>John Gruber&#8217;s take \u2014 <a 
href=\"https:\/\/daringfireball.net\/linked\/2019\/08\/21\/webkit-tracking-prevention-policy\">daringfireball.net\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1558091\">Google defends tracking cookies\u2014some experts aren\u2019t buying it \u2014 arstechnica.com<\/a><\/li>\n<li><a href=\"https:\/\/freedom-to-tinker.com\/2019\/08\/23\/deconstructing-googles-excuses-on-tracking-protection\/\">Deconstructing Google\u2019s excuses on tracking protection \u2014 freedom-to-tinker.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li>Apple have issued emergency patches for all their operating systems to re-patch a patch that their last patch accidentally un-patched! The so-called <em>regression bug<\/em> returned a previously known exploit to iOS enabling jailbreaking of the most up-to-date version for the first time in many years \u2014 <a href=\"https:\/\/tidbits.com\/2019\/08\/26\/apple-issues-emergency-updates-for-all-its-operating-systems\/\">tidbits.com\/\u2026<\/a><\/li>\n<li>Patch Tuesday has been and gone yet again. The most note-worthy patches fix some very scary <em>wormable<\/em> vulnerabilities in RDP (Remote Desktop Protocol) \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2019\/08\/patch-tuesday-august-2019-edition\/\">krebsonsecurity.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/14\/microsoft-warns-of-new-worm-ready-rdp-bugs\/\">nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/22\/microsoft-patches-its-android-rdp-app-to-fix-flaw\/\">Update now! 
Microsoft patches its Android RDP app to fix flaw \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Firefox just pushed out a fix for a nasty bug in their new built-in password manager \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/15\/firefox-fixes-master-password-security-bypass-bug\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/21\/googles-nest-webcam-needs-patching-after-flaws-found\/\">Google patches 8 security holes in Nest cameras \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>PSA for owners of HP, Brother, Kyocera, Lexmark, Ricoh &amp; Xerox Printers \u2014 check for firmware updates: <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/15\/researchers-find-serious-flaws-in-six-printer-brands\/\">Serious flaws in six printer brands discovered, fixed \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>The Better Business Bureau is warning that scammers are now using search result manipulation to trick voice assistants into giving customers the wrong customer support numbers \u2014 their advice: never use a voice assistant to get a customer support number, it can&#8217;t be done safely! 
\u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/20\/scammers-use-bogus-search-results-to-fool-voice-assistants\/\">nakedsecurity.sophos.com\/\u2026<\/a> <\/li>\n<li>In a presentation at DEF CON, Google Project Zero security researchers warn of the dangers of pre-installed malware on Android phones, particularly at the lower end of the market where manufacturers are not making much if any money from the sale of the devices themselves, and need other avenues for monetisation \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/13\/android-users-menaced-by-pre-installed-malware\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Since 2015 Kaspersky AV has been injecting JavaScript into all web pages viewed by their users (even HTTPS pages) that contains an un-changing unique ID, creating an un-removable <em>super tracking cookie<\/em>. The software has been updated so the ID is now unique to the version of the product rather than the user, but that&#8217;s still a security risk! (<strong>Editorial by Bart:<\/strong> this just confirms my opinion that 3rd-party AV does more harm than good these days. My advice remains to just use Windows Defender!) \u2014 <a href=\"https:\/\/arstechnica.com\/information-technology\/2019\/08\/kaspersky-av-injected-unique-id-into-webpages-even-in-incognito-mode\/\">arstechnica.com\/\u2026<\/a><\/li>\n<li>Researchers at Kaspersky Labs have found an app in the Google Play Store with 100 million downloads that was updated to add a malicious payload \u2014 <a href=\"https:\/\/arstechnica.com\/?p=1558623\">arstechnica.com\/\u2026<\/a><\/li>\n<li>&#x1f1ee;&#x1f1ea; &#x1f1ea;&#x1f1f8; &#x1f1f0;&#x1f1f7; Facebook has started to roll out their data deletion tool in Ireland, Spain &amp; South Korea. Unfortunately, it doesn&#8217;t actually delete anything! 
The tool allows all users to disassociate the data Google has collected on them from their accounts, but deletes nothing \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/22\/facebook-delivers-clear-history-tool-that-doesnt-clear-anything\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/gizmodo.com\/big-telecom-every-u-s-state-vow-to-end-americas-roboc-1837481289\">Big Telecom, Every U.S. State Vow to End America&#8217;s Robocall Hell \u2014 gizmodo.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.engadget.com\/2019\/08\/14\/att-t-mobile-call-verification\">AT&amp;T and T-Mobile will now verify phone calls between their networks \u2014 www.engadget.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.intego.com\/mac-security-blog\/safari-chrome-firefox-which-is-the-most-private-browser-for-mac\/\">Safari, Chrome, Firefox: Which is the most private browser for Mac? 
\u2014 www.intego.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/coolinfographics.com\/blog\/macbook-setup-college\">MacBook Setup Essentials for College Students \u2014 coolinfographics.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/offspring.lifehacker.com\/keep-these-apps-off-your-kids-phone-1837449760\">Keep These Apps Off Your Kid&#8217;s Phone \u2014 offspring.lifehacker.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.imore.com\/moviepass-error-exposed-credit-card-billing-info-and-more\">MoviePass error allegedly exposed credit card info, customer names, and more \u2014 www.imore.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/22\/massive-moviepass-database-found-exposed-on-public-server\/\">Massive MoviePass database found exposed on public server \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/27\/hostinger-upgrades-password-security-after-14m-accounts-breached\/\">Hostinger upgrades password security after 14m accounts breached \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2019\/08\/cybersecurity-firm-imperva-discloses-breach\/\">Cybersecurity Firm Imperva Discloses Breach \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/www.theguardian.com\/technology\/2019\/aug\/14\/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms\">Major breach found in biometrics system used by banks, UK police and defence firms \u2014 www.theguardian.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/krebsonsecurity.com\/2019\/08\/breach-at-hy-vee-supermarket-chain-tied-to-sale-of-5m-stolen-credit-debit-cards\/\">Breach at Hy-Vee Supermarket Chain Tied to Sale of 5M+ Stolen Credit, Debit Cards \u2014 
krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>More Facebook scandal:\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/19\/did-facebook-know-about-view-as-bug-before-2018-breach\/\">Did Facebook know about \u201cView As\u201d bug before 2018 breach? \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; A document unearthed by NBC&#8217;s Dylan Byers shows that contrary to what Mark Zuckerberg testified to the US congress, Facebook had evidence that there might be a problem with Cambridge Analytica back in 2015 \u2014 <a href=\"https:\/\/link.nbcnews.com\/view\/57c09634487ccd31218b6128amnse.5g5\/46de4778\">https:\/\/link.nbcnews.com\/view\/57c09634487ccd31218b6128amnse.5g5\/46de4778 \u2014 link.nbcnews.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/theintercept.com\/2019\/08\/16\/facebook-moderators-mental-health-accenture\/\">Trauma Counselors Were Pressured to Divulge Confidential Information About Facebook Moderators, Internal Letter Claims \u2014 theintercept.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/12\/facebook-facial-recognition-class-action-suit-gets-courts-go-ahead\/\">Facebook facial recognition: class action suit gets court\u2019s go ahead \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/tidbits.com\/2019\/08\/21\/apple-google-and-mozilla-team-up-to-block-kazakhstani-surveillance\/\">Apple, Google, and Mozilla Team Up to Block Kazakhstani Surveillance \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/16\/google-removes-option-to-disable-nest-cams-status-light\/\">Google removes option to disable Nest cams\u2019 status light \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/news\/nsa-reauthorize-section-215\/\">NSA Wants Congress to Reauthorize Section 215 
Permanently \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li>&#x2b50;&#xfe0f; Glass half empty or glass half full? Google have announced that their <em>Password Checkup<\/em> feature added to Chrome earlier this year has encouraged 26% of users to change their un-safe passwords, and 60% of those chose strong passwords: <a href=\"https:\/\/www.macobserver.com\/news\/password-checkup-safer-passwords\/\">Password Checkup Helping Users Stay Safer \u2014 www.macobserver.com\/\u2026<\/a> or <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/20\/chrome-users-ignoring-warnings-to-change-breached-passwords\/\">Chrome users ignoring warnings to change breached passwords \u2014 nakedsecurity.sophos.com\/\u2026<\/a> <\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/krebsonsecurity.com\/2019\/08\/forced-password-reset-check-your-assumptions\/\">Forced Password Reset? Check Your Assumptions \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; A timely reminder to be wary of iTunes vouchers that look too good to be true: if they&#8217;re fraudulent they could get you locked out of your account: <a href=\"https:\/\/qz.com\/1683460\/what-happens-to-your-itunes-account-when-apple-says-youve-committed-fraud\/\">Apple locked me out of its walled garden. It was a nightmare \u2014 qz.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; The GDPR has created an interesting new avenue for attackers to try to trick companies into handing over personal data. 
A security researcher did some experiments and found that many companies &#8216;comply&#8217; with <em>subject access requests<\/em>, or SARs (the GDPR mechanism for asking for all data an organisation has on you) without properly validating the identity of the person making the request \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/12\/gdpr-privacy-can-be-defeated-using-right-of-access-requests\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.mediapost.com\/publications\/article\/339320\/arf-the-price-consumers-put-on-their-data.html\">ARF: The Price Consumers Put On Their Data \u2014 www.mediapost.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propeller Beanie Territory\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/13\/hacked-devices-can-be-turned-into-acoustic-weapons\/\">Hacked devices can be turned into acoustic weapons \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>The Google Chrome <em>Incognito Mode<\/em> detection cat-and-mouse game continues: <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/13\/chrome-incognito-mode-detection-fix-busted-by-researchers\/\">Chrome Incognito mode detection fix busted by researchers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/19\/netflix-finds-multiple-http2-dos-flaws\/\">Multiple HTTP\/2 DoS flaws found by Netflix \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/20\/serious-security-phishing-in-the-cloud-the-freemium-way\/\">Serious Security: Phishing in the cloud \u2013 the freemium way \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/ruby-11-backdoors\/\">Ruby 11 Libraries Found to Contain Backdoors \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Suggested Listening<\/h3>\n<ul>\n<li>&#x1f3a7; A great 
short little history of the last <em>cryptowar<\/em> \u2014 <a href=\"https:\/\/overcast.fm\/+PMNdCRmCw\">Darknet Diaries Ep 12: Crypto Wars \u2014 overcast.fm\/\u2026<\/a>\n<ul>\n<li>I also recommend their episode on Stuxnet: <a href=\"https:\/\/overcast.fm\/+PMNcvkTW0\">Darknet Diaries Ep 29: Stuxnet \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li>Actually \u2014 I recommend subscribing to the entire show &#x1f642;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li>From Allison: <a href=\"https:\/\/blog.1password.com\/guess-why-were-moving-to-256-bit-aes-keys\/\">Guess why we\u2019re moving to 256-bit AES keys \u2014 blog.1password.com\/\u2026<\/a><\/li>\n<\/ul>\n<p><em><strong>Note:<\/strong> When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Followups GitHub joins WebAuthn club \u2014 nakedsecurity.sophos.com\/\u2026 Human Review of Voice Assistant Recordings: Facebook got humans to listen in on some Messenger voice chats \u2014 nakedsecurity.sophos.com\/\u2026 Microsoft have humans review your conversations, and they&#8217;re not up for changing that fact: Microsoft won\u2019t shift on AI recordings policy \u2014 nakedsecurity.sophos.com\/\u2026 Humans may have been listening to 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[46,156,233,50,569],"class_list":["post-19125","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-apple","tag-facebook","tag-microsoft","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=19125"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19125\/revisions"}],"predecessor-version":[{"id":19127,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19125\/revisions\/19127"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=19125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=19125"},{"taxonomy":"post_
tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=19125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}