{"id":19413,"date":"2019-10-07T07:08:47","date_gmt":"2019-10-07T14:08:47","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=19413"},"modified":"2019-10-07T07:08:47","modified_gmt":"2019-10-07T14:08:47","slug":"sb-2019-10-05","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2019\/10\/sb-2019-10-05\/","title":{"rendered":"Security Bits \u2013 5 October 2019"},"content":{"rendered":"<h3>Followup<\/h3>\n<ul>\n<li>Bluetooth permissions on iOS\n<ul>\n<li>A nice article explaining some of the most common legitimate reasons apps may request Bluetooth access: <a href=\"https:\/\/www.theverge.com\/2019\/9\/19\/20867286\/ios-13-bluetooth-permission-privacy-feature-apps\">Here\u2019s why so many apps are asking to use Bluetooth on iOS 13 \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Cloudflare&#8217;s Warp VPN has finally been released \u2014 <a href=\"https:\/\/blog.cloudflare.com\/announcing-warp-plus\/\">blog.cloudflare.com\/\u2026<\/a>, <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/10\/01\/cloudflare-adds-vpn-features-to-1-1-1-1-privacy-app\/\">nakedsecurity.sophos.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.imore.com\/what-cloudflares-warp-and-should-you-use-it\">www.imore.com\/\u2026<\/a>\n<ul>\n<li>Note that VPNs <strong>can<\/strong> provide encryption and anonymization, but they don&#8217;t have to. Depending on how they are configured, they can provide one, the other, neither, or both! In this case, WARP provides encryption, but not anonymization. 
I.e., when using WARP VPN <strong>your source IP address will not be hidden<\/strong>, but <strong>your traffic will be encrypted<\/strong> from your machine as far as Cloudflare&#8217;s VPN servers.<\/li>\n<li>There is a free version which has some limitations, and a paid version which offers much faster speeds.<\/li>\n<\/ul>\n<\/li>\n<li>The Siri <em>grading<\/em> (human review) kerfuffle:\n<ul>\n<li>Apple has started hiring for in-house reviewers \u2014 <a href=\"https:\/\/www.imore.com\/apple-responds-privacy-concerns-house-siri-grading-positions\">www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>The continuing rollout of DNS over HTTPS (DoH):\n<ul>\n<li>&#x1f1fa;&#x1f1f8; US ISPs are very worried by Google&#8217;s moves to switch to DoH, and have written a letter to the House Judiciary Committee asking them to investigate. The letter is concerned that Google is changing people over to their infrastructure, which is not true, and that DoH makes it impossible for them to track their users like they do now. (<strong>Editorial by Bart:<\/strong> IMO this proves the need for DoH to be rolled out ASAP, DNS really is being abused by our ISPs to invade our privacy!) \u2014 <a href=\"https:\/\/arstechnica.com\/?p=1576941\">arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Malicious Lightning cables:\n<ul>\n<li>This threat is becoming more real as the hacker who presented his home-made cable at a recent security conference is moving to mass production. 
The cables are being sold as tools for security testers, but there is no evidence there will be any controls in place to prevent their sale to malicious actors, so we all need to learn to be wary of cables offered to us by others \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/10\/02\/omg-evil-lightning-cable-hits-prime-time\/\">nakedsecurity.sophos.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.imore.com\/fake-lightning-cables-could-compromise-mac\">www.imore.com\/\u2026<\/a><br \/>\n<!--more--><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Security Medium 1 \u2014 The <em>Checkm8<\/em> iOS Device Bootloader Bug<\/h3>\n<p>A veteran of the jail breaking community has released details of a bug in the low-level boot loader used by iOS devices with SOCs (Systems on a Chip) from the A5 up to and including the A11.<\/p>\n<p>That means <strong>the following iOS devices are affected<\/strong>:<\/p>\n<ul>\n<li>iPhones from the iPhone 4S up to and including the iPhone X<\/li>\n<li>iPad generations 2 to 7 (inclusive)<\/li>\n<li>iPad Mini generations 1 to 4 (inclusive)<\/li>\n<li>iPad Pro generations 1 &amp; 2<\/li>\n<li>iPod Touch generations 5 to 7 (inclusive)<\/li>\n<\/ul>\n<p>That means the following newer iOS devices are <strong>not affected<\/strong>:<\/p>\n<ul>\n<li>iPhone XS, iPhone XR, and the iPhone 11 models<\/li>\n<li>iPad Air generation 3<\/li>\n<li>iPad Mini generation 5<\/li>\n<li>iPad Pro generation 3<\/li>\n<\/ul>\n<p>A boot loader is a very low-level component that starts the process of booting a device. It&#8217;s so low-level it can&#8217;t even be patched with a firmware update. The only possible protection would be some sort of work-around in higher-level firmware, but the security researcher who found the bug does not believe that&#8217;s possible in this case.<\/p>\n<p>From a security point of view, one of the vital tasks performed by the iOS boot loader is the validation of the digital signature of the OS it is about to load. 
This is what prevents iPhones from running OSes not digitally signed by Apple, i.e. what protects users from malicious OSes being installed by attackers, and, from people running un-signed OSes on their own devices, i.e. from <em>jail breaking<\/em>.<\/p>\n<p>The good news is that this low-level bug is <strong>only exploitable while the phone is tethered to a computer<\/strong>, so physical access is needed, and more importantly still, the exploit is <strong>not persistent<\/strong>, so the device has to be tethered each time it boots to keep an un-signed OS running.<\/p>\n<p>Another very important point to note is that the ability to install un-signed OSes <strong>does not in any way bypass the protections offered by the secure enclave<\/strong> and the biometrics and cryptographic keys it protects. This means this vulnerability <strong>can&#8217;t be used to break into a locked device<\/strong>.<\/p>\n<p>It&#8217;s also important to note that what the security researcher released is an exploit, not a functional product of any kind. It was immediately obvious that this is the kind of vulnerability that&#8217;s ideally suited to form the basis of a jailbreaking tool, so unsurprisingly, one has already been released!<\/p>\n<p>This is a big deal for jail breakers, because it means they should now have a reliable jailbreak that Apple can&#8217;t block with a future iOS update, but, it probably has surprisingly little impact on the rest of us.<\/p>\n<p>The biggest danger this exploit presents is to high-value targets who might be subject to state-sponsored surveillance, industrial espionage, or high-level cyber crime. For example civil rights campaigners or lawyers, government workers, officials, or elected representatives, and C-level executives in large corporations. The danger would be that if any of these people lost physical control of their phone it could be silently jail broken and malware could be installed without their knowledge. 
For these people, the simplest protection is to upgrade to more modern iOS devices that are not affected, or, to reboot their device each time it is removed from their presence. TBH, each new iteration of Apple hardware adds more advanced security protections, so upgrading is good advice to high-value targets regardless of this bug&#8217;s existence!<\/p>\n<p>Ironically this bug might actually make regular folks <strong>more secure<\/strong>! How? By making it easier for security researchers to explore the innards of iOS and responsibly report any vulnerabilities they find to Apple.<\/p>\n<p><strong>Bottom line<\/strong> \u2014 high value targets should consider upgrading their iOS devices to ones running the most modern SOCs, and the rest of us should carry on with our lives without setting our proverbial hair on fire &#x1f642; &#x1f9ef;<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/9to5mac.com\/2019\/09\/27\/ios-unpatchable-ios-exploit-jailbreak-iphone-x\/\">New &#8216;unpatchable&#8217; iOS exploit could lead to permanent jailbreak for iPhone 4s to iPhone X \u2014 9to5mac.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/information-technology\/2019\/09\/unpatchable-bug-in-millions-of-ios-devices-exploited-developer-claims\/\">Unpatchable bug in millions of iOS devices exploited, developer claims \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/new-exploit-could-lead-permanent-jailbreak-iphone-x-and-older\">New exploit could lead to permanent jailbreak on iPhone X and older \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1576327\">Developer of Checkm8 explains why iDevice jailbreak exploit is a game changer \u2014 arstechnica.com<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/editors-desk-congratulations-jailbreakers-checkm8-lives\">From the Editor&#8217;s Desk: Congratulations jailbreakers! 
Checkm8 lives \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.zdnet.com\/article\/new-checkm8-jailbreak-released-for-all-ios-devices-running-a5-to-a11-chips\/\">New Checkm8 jailbreak released for all iOS devices running A5 to A11 chips \u2014 www.zdnet.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/understanding-checkm8-iphone-4s-iphone-x-bootrom-exploit\">Checkm8, the iPhone 4s to iPhone X bootrom exploit, explained \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/09\/30\/checkm8-jailbreak-and-altstore-put-cracks-in-apples-walled-garden\/\">Checkm8 jailbreak and AltStore put cracks in Apple\u2019s walled garden \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/09\/25\/microsoft-rushes-out-fix-for-internet-explorer-zero-day\/\">Microsoft rushes out fix for Internet Explorer zero-day \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Apple patch just about everything, and not just once \u2014 <a href=\"https:\/\/support.apple.com\/en-ie\/HT201222\">support.apple.com\/\u2026<\/a>\n<ul>\n<li>iOS &amp; iPadOS have been updated multiple times to address both bugs and security vulnerabilities. 
The latest version is 13.1.2.\n<ul>\n<li>The series of patches includes a fix for a permissions problem that granted 3rd-party keyboards more access to user data than they should have gotten \u2014 <a href=\"https:\/\/www.imore.com\/apple-patches-ios-13-security-bug-third-party-keyboards\">www.imore.com\/\u2026<\/a><\/li>\n<li>The fixes also included a patch for the last of a series of bugs presented at the Black Hat conference a few weeks ago \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/09\/27\/apple-users-patch-now-the-bug-that-got-away-has-been-fixed\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>As well as patching iOS 13, Apple also patched iOS 12 which is now at 12.4.2, so there is some additional protection for older devices too.<\/li>\n<\/ul>\n<\/li>\n<li>WatchOS for modern watches has been updated to version 6.0.1, but Apple also updated watchOS 5 to 5.3.2 so Series 1 &amp; 2 watches get some security updates too \u2014 <a href=\"https:\/\/www.imore.com\/apple-releases-watchos-532-apple-watch-series-1-and-series-2\">Apple releases watchOS 5.3.2 for Apple Watch Series 1 and Series 2 \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>macOS has been updated to 10.14.6, and Mojave, Sierra &amp; High Sierra have been updated with <em>Supplemental Update 2<\/em><\/li>\n<\/ul>\n<\/li>\n<li>WhatsApp for Android has been updated to patch a critical remote code execution bug \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/10\/04\/whatsapp-vulnerability-could-compromise-android-smartphones\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>Security researchers have uncovered a flaw in PDF&#8217;s encryption specification, and have named it <em>PDFex<\/em>. The bottom line is that PDF encryption is less secure than we thought, so it should not be relied on to protect sensitive documents, we&#8217;ll need to wrap our own encryption around our sensitive PDFs before emailing them etc. 
\u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/10\/03\/pdf-encryption-standard-weaknesses-uncovered\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Facebook has deleted &#8216;tens of thousands&#8217; of apps for data abuse as part of its investigations into the Cambridge Analytica scandal \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/09\/24\/facebook-has-booted-tens-of-thousands-of-data-grabbing-apps\/\">nakedsecurity.sophos.com\/\u2026<\/a> &amp; <a href=\"https:\/\/daringfireball.net\/linked\/2019\/09\/23\/facebook-far-larger\">daringfireball.net\/\u2026<\/a><\/li>\n<li>The UK, US &amp; Australian governments have jointly written to Facebook asking them to halt their rollout of end-to-end encryption, or at least give them a backdoor \u2014 <a href=\"https:\/\/www.imore.com\/uk-us-and-australian-governments-call-facebook-not-proceed-end-end-encryption\">www.imore.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.macobserver.com\/news\/us-uk-data-facebook-backdoor-encryption\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/tiktok-ban-political-ads-us-eu\/\">TikTok Bans Political Ads in U.S. and EU \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>The ECJ (European Court of Justice) has released two potentially confusing rulings affecting tech companies:\n<ol>\n<li>Ruling on a case brought by Google, the ECJ rules that the so-called <em>right to be forgotten<\/em> does not extend outside the EU. 
The ruling does make it clear that Google must make efforts to hide affected search results from EU visitors, regardless of the Google domain they use to access the content (<code>google.fr<\/code> -v- <code>google.com<\/code> etc.), but Google do not have to block the results for locations outside the EU \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/09\/25\/google-wins-landmark-case-right-to-be-forgotten-only-applies-in-eu\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>In a case brought against Facebook by an Austrian politician, the ECJ has ruled that European courts can order companies to completely remove content found to be <strong>illegal<\/strong> from their systems, including duplicates or near-duplicates of the illegal material.<\/li>\n<\/ol>\n<\/li>\n<li>Google provided a good illustration of why Apple&#8217;s System Integrity Protection (SIP) is a good idea, and why you should leave it enabled \u2013 a bug in Google&#8217;s auto-updater deleted system files macOS needs to boot, but SIP prevented the deletions. Affected Macs with SIP disabled became unbootable, while Macs with SIP enabled were just fine \u2014 <a href=\"https:\/\/tidbits.com\/2019\/09\/25\/google-keystone-update-damages-file-system-on-sip-disabled-macs\/\">tidbits.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; The <em>Voting Village<\/em> hacker challenge at the Defcon security conference has shown that US voting machines are easy to hack \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/10\/01\/hacking-2020-voting-systems-is-a-piece-of-cake\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>The OpenID Foundation has confirmed that <em>Sign In With Apple<\/em> is compatible with the OpenID standard, and has praised Apple for addressing all the security and compatibility issues they&#8217;d raised earlier in the summer during the beta process. 
They still point to some non-security-related room for improvement, but there could be privacy implications to some of their quibbles with SIWA, so Apple may choose not to implement some or all of these suggestions \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/openid-sign-in-with-apple-integration\/\">www.macobserver.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.imore.com\/sign-apple-better-still-has-issues-says-openid-foundation\">www.imore.com\/\u2026<\/a><\/li>\n<li>DuckDuckGo conducted a survey of US adults (the population in general, not DuckDuckGo users) and found that almost 4 out of 5 had taken some kind of pro-active action to protect their privacy on social media, by deleting accounts, tweaking settings, or reducing usage. Almost a quarter had deleted a social media profile due to privacy concerns (<strong>Editorial by Bart:<\/strong> it seems the recent privacy scandals are having an effect on regular folks in the real world after all) \u2014 <a href=\"https:\/\/spreadprivacy.com\/people-taking-action-on-privacy\/\">spreadprivacy.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/10\/04\/buying-a-new-laptop-heres-how-to-secure-it\/\">Buying a new laptop? 
Here\u2019s how to secure it \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.imore.com\/doordash-reveals-49-million-accounts-affected-server-breach\">DoorDash reveals 4.9 million accounts affected by server breach \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.macobserver.com\/news\/words-with-friends-data-breach\/\">\u2018Words With Friends\u2019 Data Breach Affects 218 Million \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/09\/26\/vimeo-sued-for-storing-faceprints-of-people-without-their-say-so\/\">Vimeo sued for storing faceprints of people without their say-so \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/10\/02\/yahoo-engineer-pleads-guilty-to-hacking-6000-womens-accounts\/\">Ex-Yahoo engineer pleads guilty to hacking 6,000 accounts \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable IoT Vulnerabilities<\/li>\n<li>News\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.imore.com\/twitters-new-dm-abuse-filter-rolling-out-everyone\">Twitter&#8217;s new DM abuse filter is rolling out to everyone \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/09\/24\/apple-restricts-adblocking-extensions\/\">Apple restricts old adblocking tech \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/ios-and-macos-users-served-1-billion-popups-thanks-chrome-and-safari-exploits\">iOS and macOS users served up 1 Billion popups thanks to Chrome and Safari exploits \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>Google News:\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/10\/04\/google-brings-incognito-mode-to-maps\/\">Google brings Incognito mode 
to Maps \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Google will move their password checker from a plugin into the core browser in an up-coming release. The change is already in the early beta versions \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/10\/03\/googles-password-manager-now-checks-for-breached-credentials\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/09\/27\/google-made-thousands-of-deepfakes-to-aid-detection-efforts\/\">Google made thousands of deepfakes to aid detection efforts \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/09\/23\/google-pulls-more-fake-adblockers-from-chrome-web-store\/\">Google pulls more fake adblockers from Chrome Web Store \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/09\/27\/fleeceware-play-store-apps-quietly-charging-up-to-250\/\">&#8216;Fleeceware&#8217; Play store apps quietly charging up to $250 \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/www.imore.com\/uk-lawsuit-against-google-over-iphone-privacy-reinstated\">U.K. 
lawsuit against Google over iPhone privacy reinstated \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Facebook News:\n<ul>\n<li><a href=\"https:\/\/www.bbc.com\/news\/technology-49827375\">Facebook will not fact-check politicians \u2014 www.bbc.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/mark-zuckerberg-sue-government\/\">If Elizabeth Warren Wins Mark Zuckerberg Will Sue the Government \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/09\/30\/outlook-on-the-web-bans-a-further-38-file-types\/\">Outlook on the web bans a further 38 file types \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/link\/white-house-blocks-hacking-audit\/\">White House Blocks Audit of its Offensive Hacking Strategy \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/tidbits.com\/2019\/09\/26\/why-apple-asks-for-your-passcode-or-password-with-a-new-login-and-why-its-safe\/\">Why Apple Asks for Your Passcode or Password with a New Login (and Why It\u2019s Safe) \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f1ec;&#x1f1e7; <a href=\"https:\/\/www.wired.co.uk\/article\/no-deal-brexit-data-adequacy-gdpr\">A no-deal Brexit may trigger a data disaster, and UK companies don&#8217;t have a clue \u2014 www.wired.co.uk\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/09\/30\/social-media-manipulation-as-a-political-tool-is-spreading\/\">Social media manipulation as a political tool is spreading \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propellor Beanie Territory\n<ul>\n<li>&#x2b50;&#xfe0f; <strong>TL;DR<\/strong> if you&#8217;ve installed the WordPress plugin <em>Rich Reviews<\/em>, delete it ASAP and make sure your site has not been hacked \u2014 <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2019\/09\/26\/hackers-are-infecting-wordpress-sites-via-a-defunct-plug-in\/\">Hackers are infecting WordPress sites via a defunct plug-in \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.macobserver.com\/news\/http-3-launch-cloudflare\/\">Cloudflare, Chrome, and Firefox Launch HTTP\/3 \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/10\/02\/exim-suffers-another-critical-remote-code-execution-flaw\/\">Exim suffers another \u2018critical\u2019 remote code execution flaw \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/09\/23\/could-earecho-change-the-way-we-authenticate-to-our-smartphones\/\">Could EarEcho change the way we authenticate our phones? \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Suggested Listening<\/h3>\n<ul>\n<li>&#x1f3a7; A fascinating exploration of a years-long campaign of hacking into supposedly friendly countries by the UK&#8217;s GCHQ that was uncovered when their malware was detected within the Belgian ISP Belgacom (now Proximus). Why Belgacom? They provide services to EU institutions based in Belgium: <a href=\"https:\/\/overcast.fm\/+PMNcldN7o\">Darknet Diaries Ep 48: Operation Socialist \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li>&#x1f3a7; The first series of Sleepwalkers is now complete (there is a second one in the works). This 10-part miniseries takes a frank look at both the dangers and opportunities offered by AI, and highlights the fact that whether we like it or not, AI is happening, and we need to start making decisions about how we&#8217;re going to regulate and manage an AI-rich world. 
This is not a doom-and-gloom show hyping all the negatives to try to scare you; it&#8217;s a balanced look at the real dangers and the very real opportunities AI brings: <a href=\"https:\/\/www.sleepwalkerspodcast.com\/\">Sleepwalkers \u2014 www.sleepwalkerspodcast.com<\/a><\/li>\n<li>&#x1f3a7; An interesting interview with Microsoft president Brad Smith exploring the big question &#8220;how do we ensure our astonishing technological advances are harnessed for good, not harm?&#8221; \u2014 <a href=\"https:\/\/overcast.fm\/+Ip9EjQDj0\">HARDtalk: President of Microsoft &#8211; Brad Smith \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li><a href=\"https:\/\/amzn.to\/335MgZG\">Transparent USB Data Blocker on Amazon<\/a><\/li>\n<li>How Allison feels when doing her Programming By Stealth homework: <a href=\"https:\/\/twitter.com\/savvy_moon_\/status\/1177738918357323776\/video\/1\">Cat\u2019s 6th attempt to jump on the counter<\/a><\/li>\n<\/ul>\n<p><em><strong>Note:<\/strong> When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Followup Bluetooth permissions on iOS A nice article explaining some of the most common legitimate reasons apps may request Bluetooth access: Here\u2019s why so many apps are asking to use Bluetooth on iOS 13 \u2014 www.theverge.com\/\u2026 Cloudflare&#8217;s Warp VPN has finally been released \u2014 blog.cloudflare.com\/\u2026, nakedsecurity.sophos.com\/\u2026 &amp; www.imore.com\/\u2026 Note that VPNs can provide encryption and 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[50,569],"class_list":["post-19413","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19413","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=19413"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19413\/revisions"}],"predecessor-version":[{"id":19415,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19413\/revisions\/19415"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=19413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=19413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.c
om\/blog\/wp-json\/wp\/v2\/tags?post=19413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}