{"id":19681,"date":"2019-11-17T16:03:13","date_gmt":"2019-11-18T00:03:13","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=19681"},"modified":"2019-11-17T16:03:13","modified_gmt":"2019-11-18T00:03:13","slug":"sb-2019-11-17","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2019\/11\/sb-2019-11-17\/","title":{"rendered":"Security Bits \u2013 17 November 2019"},"content":{"rendered":"<h3>Followup<\/h3>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; Mozilla refute the very misleading (factually incorrect) presentation American ISPs gave to congress urging them to take action against encrypted DNS (DoH) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/06\/mozilla-says-isps-are-lying-to-congress-about-encrypted-dns\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Microsoft have issued yet another warning about the patch they released a few months ago for older versions of Windows to remove the so-called <em>BlueKeep<\/em> vulnerability. Attacks have now been observed in the wild! 
\u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/11\/microsoft-urges-us-to-patch-after-partially-effective-bluekeep-attack\/\">nakedsecurity.sophos.com\/\u2026<\/a><br \/>\n<!--more--><\/li>\n<\/ul>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/07\/linux-users-warned-to-update-libarchive-to-beat-flaw\/\">Linux users warned to update <em>libarchive<\/em> to beat flaw \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Microsoft patched 74 Windows and Office (including Office for Mac) bugs on Patch Tuesday, including one zero-day in IE \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2019\/11\/patch-tuesday-november-2019-edition\/\">krebsonsecurity.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/13\/november-2019-patch-tuesday-fixes-13-critical-flaws-and-one-zero-day\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/12\/nvidia-patches-graphics-products-and-geforce-experience-update-tool\/\">Nvidia patches graphics products and GeForce Experience update tool \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>Google have patched a bug in the <em>Beam<\/em> feature of Android that would allow an attacker within NFC range to push malware onto victims&#8217; phones. The victim would have to approve a prompt though. If you can&#8217;t patch your Android device, you need to think twice before OKing a prompt asking you to install software unexpectedly (actually, we should <strong>always<\/strong> do that on every device running any OS!) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/05\/google-patches-dont-stand-so-close-to-me-bug\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Still have Office for Mac 2011 installed? 
It really is time to get rid of it now as Microsoft are warning of in-the-wild attacks against long-known security vulnerabilities in the out-of-support app \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/05\/office-for-mac-2011-users-warned-about-sylk-file-format\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>macOS Catalina users who use encrypted (S\/MIME) email in Apple Mail should be aware that the caches Mail maintains so that Siri can (locally) draw on your emails to inform its answers are not themselves encrypted, so decrypted snippets of those messages end up in plain text on disk. On a Mac without full disk encryption (FileVault) enabled this could leak potentially sensitive information (why would anyone who cares enough about security to encrypt their email not go with the defaults and encrypt their drive?). Apple have promised a patch in a future software update, but the quick fix is to enable FileVault, which everyone should do anyway IMO \u2014 <a href=\"https:\/\/www.imore.com\/apple-fix-macos-email-encryption-bug-future-software-update\">www.imore.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/12\/macos-personalization-tech-leaves-secrets-in-plain-view\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Facebook News:\n<ul>\n<li>Facebook have fixed an apparent bug that caused the camera to activate unexpectedly in their iOS app \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/14\/facebook-fixes-iphone-camera-bug\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/leaked-internal-facebook-documents\/\">Leaked Internal Facebook Documents Reveal Disturbing Information \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.verdict.co.uk\/facebook-vaccination-adverts\/\">Facebook deleted pro-vaccination adverts on political grounds, study finds \u2014 www.verdict.co.uk\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.fastcompany.com\/90426854\/facebook-may-soon-scan-your-face-to-verify-your-identity\">Facebook may 
soon scan your face to verify your identity \u2014 www.fastcompany.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/07\/facebook-confesses-100-devs-may-have-accessed-leaked-groups-data\/\">Facebook confesses 100 devs may have accessed leaked Groups data \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.computing.co.uk\/ctg\/news\/3083765\/facebook-pay-launch\">Facebook Pay rolls out in the US following India trial \u2014 www.computing.co.uk\/\u2026<\/a><\/li>\n<li><strong>Related Opinion:<\/strong> <a href=\"https:\/\/www.washingtonpost.com\/outlook\/2019\/11\/04\/i-worked-political-ads-facebook-they-profit-by-manipulating-us\/\">I worked on political ads at Facebook. They profit by manipulating us. \u2014 www.washingtonpost.com\/\u2026<\/a><br \/>\n> The real problem is that Facebook profits partly by amplifying lies and selling dangerous targeting tools that allow political operatives to engage in a new level of information warfare. Its business model exploits our data to let advertisers aim at us, showing each of us a different version of the truth and manipulating us with hyper-customized ads \u2014 ads that as of this fall can contain blatantly false and debunked information if they\u2019re run by a political campaign. 
As long as Facebook prioritizes profit over healthy discourse, it can\u2019t avoid damaging democracy.<\/li>\n<\/ul>\n<\/li>\n<li>Google News:\n<ul>\n<li><a href=\"https:\/\/techcrunch.com\/2019\/11\/13\/google-to-offer-checking-accounts-in-partnership-with-banks-starting-next-year\/\">Google to offer checking accounts in partnership with banks starting next year \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/google-project-nightingale\/\">Google\u2019s Project Nightingale Collects Health Data on Millions of Americans \u2014 www.macobserver.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.imore.com\/google-has-secretly-been-siphoning-millions-healthcare-data\">Google was allegedly collecting millions of Americans&#8217; healthcare data \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>Google have launched <em>OpenTitan<\/em>, a project to develop an open source secure enclave chip design, i.e. a silicon root of trust in the mould of the <em>Titan<\/em> chips Google already uses in its own servers and Pixel phones (it is a hardware design, not an Android feature) \u2014 <a href=\"https:\/\/www.wired.com\/story\/open-titan-open-source-secure-enclave\/\">www.wired.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/google-app-defense-alliance\/\">Google Seeks Better Android Security via App Defense Alliance \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1f7;&#x1f1fa; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/04\/russias-sovereign-internet-law-comes-into-force\/\">Russia\u2019s sovereign internet law comes into force \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/07\/warrant-let-police-search-online-dna-database\/\">Warrant let police search online DNA database \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/04\/pentagon-publishes-ai-guidelines\/\">Pentagon publishes AI guidelines \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/13\/microsoft-says-it-will-honor-californias-new-privacy-law-across-us\/\">Microsoft says it will honor California\u2019s new privacy law across US \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.aclu.org\/press-releases\/federal-court-rules-suspicionless-searches-travelers-phones-and-laptops\">Federal Court Rules Suspicionless Searches of Travelers\u2019 Phones and Laptops Unconstitutional \u2014 www.aclu.org\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.zdnet.com\/article\/experts-dont-reboot-your-computer-after-youve-been-infected-with-ransomware\/\">Experts: Don&#8217;t reboot your computer after you&#8217;ve been infected with ransomware \u2014 www.zdnet.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2019\/11\/retailer-orvis-com-leaked-hundreds-of-internal-passwords-on-pastebin\/\">Retailer Orvis.com Leaked Hundreds of Internal Passwords on Pastebin \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable IoT Vulnerabilities\n<ul>\n<li>Security researchers found a bug in the Ring Video Doorbell Pro that leaked WiFi usernames and passwords, but thankfully an automatic update has already been pushed out to fix the problem (they used HTTP instead of HTTPS which is a pretty embarrassing mistake) \u2014 <a href=\"https:\/\/labs.bitdefender.com\/2019\/11\/ring-video-doorbell-pro-under-the-scope\/\">labs.bitdefender.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/15\/brave-1-0-launches-extends-ad-watching-payouts-to-ios\/\">Brave 1.0 launches, extends ad-watching payouts to iOS \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a 
href=\"https:\/\/9to5mac.com\/2019\/11\/12\/ios-13-3-safari-nfc-usb-lighting-security-keys\/\">iOS 13.3. beta 2 brings Safari support for NFC, USB, and Lightning FIDO2 security keys \u2014 9to5mac.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.forbes.com\/sites\/kateoflahertyuk\/2019\/11\/14\/apple-ios-133-is-poised-to-launch-with-this-killer-security-feature\/#14a0895872e5\">Apple iOS 13.3 Is Poised To Launch With This Killer Security Feature \u2014 www.forbes.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.macobserver.com\/news\/duckduckgo-privacy-essentials-returns\/\">DuckDuckGo Privacy Essentials Returns to Safari \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/11\/huge-airbnb-scam-leads-to-promise-to-vet-every-host-every-listing\/\">Huge Airbnb scam leads to promise to vet every host, every listing \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-has-pulled-instagram-stalking-app-patrol-app-store\">Apple has pulled Instagram stalking app Like Patrol from the App Store \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/15\/apple-fires-employee-after-he-texts-customers-pic-to-his-own-phone\/\">Apple fires employee after he texts customer\u2019s pic to his own phone \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/intels-major-chip-flaw-not-fixed-it-said-it-was\">Intel&#8217;s major chip flaw still hasn&#8217;t been fixed \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2019\/11\/study-ransomware-data-breaches-at-hospitals-tied-to-uptick-in-fatal-heart-attacks\/\">Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/44-fake-news-facebook\/\">Only 44% of People Correctly Spotted Fake 
News on Facebook \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/04\/us-grounds-chinese-made-drones-as-part-of-security-review\/\">US grounds Chinese-made drones as part of security review \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/04\/undercover-reporter-tells-all-after-working-for-a-polish-troll-farm\/\">Undercover reporter tells all after working for a Polish troll farm \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/arstechnica.com\/?p=1550273\">Antitrust 101: Why everyone is probing Amazon, Apple, Facebook, and Google \u2014 arstechnica.com<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/15\/how-ransomware-attacks\/\">How ransomware attacks \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/arstechnica.com\/?p=1602451\">What the newly released <em>Checkra1n<\/em> jailbreak means for iDevice security \u2014 arstechnica.com<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/15\/how-the-linux-kernel-balances-the-risks-of-public-bug-disclosure\/\">How the Linux kernel balances the risks of public bug disclosure \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propellor Beanie Territory\n<ul>\n<li>&#x2b50;&#xfe0f; Researchers discover that microphones in smart speakers can be triggered by laser light, allowing them to silently send commands to voice assistants from a distance \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/06\/smartphone-and-speaker-voice-assistants-can-be-hacked-using-lasers\/\">nakedsecurity.sophos.com\/\u2026<\/a> &amp; <a 
href=\"https:\/\/www.imore.com\/hackers-can-control-your-google-home-or-amazon-echo-laser-powered-light-commands\">www.imore.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.engadget.com\/2019\/11\/15\/github-store-public-open-source-code-arctic-vault\/\">GitHub will store all of its public open source code in an Arctic vault \u2014 www.engadget.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/11\/04\/apple-developers-get-this-update-to-protect-the-rest-of-us\/\">Apple developers \u2013 get this update to protect the rest of us! \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Suggested Listening<\/h3>\n<ul>\n<li>&#x1f3a7; <a href=\"https:\/\/overcast.fm\/+Ip8zZylf0\">The Real Story: &#8220;Russia\u2019s new internet firewall&#8221; \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li>&#x1f3a7; A short, understandable, and to-the-point explanation of quantum computing, and why it matters for encryption \u2014 <a href=\"https:\/\/overcast.fm\/+S2kGow\">TED Talks Daily: &#8220;Cryptographers, quantum computers and the war for information&#8221; \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<p><em><strong>Note:<\/strong> When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Followup &#x1f1fa;&#x1f1f8; Mozilla refute the very misleading (factually incorrect) presentation American ISPs gave to congress urging them to take action against encrypted DNS (DoH) \u2014 nakedsecurity.sophos.com\/\u2026 Microsoft have issued yet another warning about the patch they released a few months ago for older versions of Windows to remove the so-called BlueKeep vulnerability. 
Attacks have now [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[50,569],"class_list":["post-19681","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19681","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=19681"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19681\/revisions"}],"predecessor-version":[{"id":19683,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19681\/revisions\/19683"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=19681"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=19681"},{"taxonomy":"post_tag","embeddable":true,"href":"https:
\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=19681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}