{"id":19853,"date":"2019-12-15T16:38:40","date_gmt":"2019-12-16T00:38:40","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=19853"},"modified":"2019-12-15T16:38:40","modified_gmt":"2019-12-16T00:38:40","slug":"sb-2019-12-15","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2019\/12\/sb-2019-12-15\/","title":{"rendered":"Security Bits \u2013 15 December 2019"},"content":{"rendered":"<p><em><strong>Note:<\/strong> This is the first of two episodes both recorded on the 15th of December 2019, but released over two weeks.<\/em><\/p>\n<h3>&#x1f9ef;Security Medium Preview 1 \u2014 VPNs Not All Hacked<\/h3>\n<p>We&#8217;ll dig into the details in the second part of this two-parter, but for now, I just want to set everyone&#8217;s mind at ease \u2014 there&#8217;s very little <em>there<\/em> there in the recent high-profile reports that a security flaw has been found in all VPNs on all OSes.<\/p>\n<p>Security researchers did find something interesting, but there is basically nothing for regular users to worry about.<br \/>\n<!--more--><\/p>\n<h3>&#x1f9ef;Security Medium Preview 2 \u2014 Suspected Data Location Leaking Bug in iOS 13 on iPhones 11 not Real<\/h3>\n<p>Again, we&#8217;ll dig into the details in the second part, but for now, I just want to reassure people that the speculation that there was a privacy-leaking bug in how iOS 13 running on iPhones 11 handled location data has proven to be incorrect.<\/p>\n<p>The bottom line is that there is no bug, nothing nefarious afoot, and no danger to user privacy.<\/p>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li><a href=\"https:\/\/tidbits.com\/2019\/12\/10\/apple-pushes-out-ios-13-3-ipados-13-3-ios-13-3-for-homepod-macos-10-15-2-catalina-watchos-6-1-1-and-tvos-13-2\/\">Apple Pushes Out iOS 13.3, iPadOS 13.3, iOS 13.3 for HomePod, macOS 10.15.2 Catalina, watchOS 6.1.1, and tvOS 13.2 \u2014 tidbits.com\/\u2026<\/a>\n<ul>\n<li><a 
href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/12\/apple-ios-13-3-is-here-bringing-support-for-keyfobby-authentication\/\">Apple iOS 13.3 is here, bringing support for keyfobby authentication \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/product-news\/ios-13-3-fixed-airdos\/\">iOS 13.3 Fixed the \u2018AirDoS\u2019 Bug That Could Make Devices Unusable \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>iOS 13.3 contains new parental controls to allow parents to limit who children can call and message, but unfortunately security researchers quickly found bugs in the implementation, allowing resourceful kids to bypass the restrictions \u2014 <a href=\"https:\/\/arstechnica.com\/?p=1632467\">arstechnica.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/product-news\/preventing-tracking-prevention-tracking\/\">Safari Now Prevents Tracking Prevention Tracking \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>A new anti-SMS-spam feature in iOS is making SMS-based 2FA a little more annoying for some users (<strong>Editorial by Bart:<\/strong> yet another reason to switch to alternative forms of 2FA when possible!) 
\u2014 <a href=\"https:\/\/www.macobserver.com\/news\/product-news\/ios-13-3-sms-2fa\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Patch Tuesday:\n<ul>\n<li>Microsoft has released patches for Windows that fix 7 critical bugs, and patch a vulnerability that is being actively exploited in the wild \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2019\/12\/patch-tuesday-december-2019-edition\/\">krebsonsecurity.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/12\/december-patch-tuesday-blunts-wizardopium-attack-chain\/\">December Patch Tuesday blunts WizardOpium attack chain \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>The last ever security patches for Windows Mobile were included in this Patch Tuesday; these devices are now obsolete and in-securable \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/11\/windows-10-mobile-receives-its-last-security-patches\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Adobe have released security updates for Photoshop CC, Acrobat &amp; Reader \u2014 <a href=\"https:\/\/www.us-cert.gov\/ncas\/current-activity\/2019\/12\/10\/adobe-releases-security-updates\">www.us-cert.gov\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/12\/chrome-79-includes-anti-phishing-and-hacked-password-protection\/\">Chrome 79 includes anti-phishing and hacked password protection \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Google have released the December 2019 security update for Android, and it fixes a bug described as allowing an attacker to cause a &#8220;permanent&#8221; denial of service (no details, but that sounds like actual bricking!) 
\u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/05\/critical-dos-messaging-flaw-fixed-in-december-android-update\/\">nakedsecurity.sophos.com\/\u2026<\/a> <\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/06\/openbsd-devs-patch-authentication-bypass-bug\/\">OpenBSD devs patch authentication bypass bug \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>WordPress 5.3.1 has been released, fixing a critical security bug that could lead to a site-takeover \u2014 <a href=\"https:\/\/wordpress.org\/news\/2019\/12\/wordpress-5-3-1-security-and-maintenance-release\/\">wordpress.org\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/13\/facebook-will-target-ads-based-on-your-oculus-vr-data\/\">Facebook will target ads based on your Oculus VR data \u2014 nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> &#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/10\/facebook-users-were-duped-by-cambridge-analytica-ftc-rules\/\">Facebook users were duped by Cambridge Analytica, FTC rules \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.macobserver.com\/news\/facebook-photo-transfer-tool\/\">Facebook Begins Rollout of New Photo Transfer Tool \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/06\/instagram-trying-to-protect-kids-by-getting-dates-of-birth-from-new-users\/\">Instagram trying to protect kids by getting dates of birth from new users \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/13\/youtube-bans-malicious-insults-veiled-threats-harassment\/\">YouTube bans malicious insults, veiled threats, harassment \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; 
Advice\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/11\/ftc-warns-christmas-buyers-that-smart-toys-are-a-security-risk\/\">FTC warns Christmas buyers that smart toys are a security risk \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li>&#x2b50;&#xfe0f; &#x1f1fa;&#x1f1f8; <a href=\"https:\/\/techcrunch.com\/2019\/11\/22\/more-than-1-million-t-mobile-customers-exposed-by-breach\/\">More than 1 million T-Mobile customers exposed by breach \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f;&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.vice.com\/en_us\/article\/evjekz\/the-california-dmv-is-making-dollar50m-a-year-selling-drivers-personal-information\">The California DMV Is Making $50M a Year Selling Drivers\u2019 Personal Information \u2014 www.vice.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; Bulk SMS service TrueDialog accidentally exposed a database containing millions of SMS messages sent on behalf of various corporations, including a lot of sensitive data \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/03\/sms-company-exposes-millions-of-text-messages-credentials-online\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; German call centre operator 1&amp;1 has been fined \u20ac9.6M under the GDPR for failing to fully authenticate users making calls into their call centres \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/13\/weak-account-checks-earn-company-10-5-million-privacy-fine\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/05\/yodel-parcel-tracking-app-blabs-about-other-peoples-parcels\/\">Yodel parcel tracking app blabs about other people\u2019s parcels \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/03\/mixcloud-user-accounts-up-for-sale-on-dark-web\/\">Mixcloud user accounts up for 
sale on dark web \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>&#x2b50;&#xfe0f; &#x1f1fa;&#x1f1f8; Google submitted comments to the FTC as part of their public consultation on a review of the <em>Children&#8217;s Online Privacy Protection Act<\/em> (COPPA) requesting that the government eliminate rules that categorise anyone watching \u201cchild-directed\u201d content online as under 13 \u2014 <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2019-12-09\/youtube-to-ftc-don-t-assume-only-kids-are-watching-kids-videos\">www.bloomberg.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/11\/ad-industry-groups-ask-that-the-ccpa-keep-its-mitts-off-their-cookies\/\">Ad industry groups ask that the CCPA keep its mitts off their cookies \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f1ea;&#x1f1fa; <a href=\"https:\/\/www.reuters.com\/article\/us-eu-alphabet-antitrust-exclusive\/exclusive-eu-antitrust-regulators-say-they-are-investigating-googles-data-collection-idUSKBN1Y40NX\">EU antitrust regulators say they are investigating Google&#8217;s data collection \u2014 www.reuters.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.imore.com\/house-passes-traced-act-protect-consumers-illegal-robocalls\">House passes TRACED Act to protect consumers from illegal robocalls \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f1fa;&#x1f1f8; <a href=\"https:\/\/techcrunch.com\/2019\/12\/05\/homeland-security-drops-airport-citizens-face-scans\/\">After criticism, Homeland Security drops plans to expand airport face recognition scans to US citizens \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f1ef;&#x1f1f5; <a href=\"https:\/\/www.japantimes.co.jp\/news\/2019\/12\/10\/business\/corporate-business\/osaka-metro-facial-recognition\/#.Xfa_zy2ZPUI\">Osaka Metro unveils ticket 
gate with facial recognition tech<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/02\/fake-android-apps-uploaded-to-play-store-by-notorious-sandworm-hackers\/\">Fake Android apps uploaded to Play store by notorious Sandworm hackers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/first-ever-uber-safety-report-reveals-9-murders-58-crash-deaths-and-over-3000-sexual-assaults-2018\">First-ever Uber safety report reveals 9 murders, 58 crash deaths and over 3,000 sexual assaults in 2018 \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/04\/fbi-russia-based-faceapp-is-a-potential-counterintelligence-threat\/\">FBI: Russia-based FaceApp is a \u2018potential counterintelligence threat\u2019 \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1e8;&#x1f1f3; <a href=\"https:\/\/www.imore.com\/smartphone-owners-china-now-need-send-facial-scans-government\">Smartphone owners in China now need to send facial scans to the government \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/10\/tiktok-settles-class-action-over-child-privacy-one-day-after-its-filed\/\">TikTok settles class action over child privacy one day after it\u2019s filed \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/02\/uncle-sam-opens-arms-to-friendly-hackers\/\">Uncle Sam opens arms to friendly hackers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1ea;&#x1f1fa; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/10\/eu-releases-its-5g-conclusions\/\">EU releases its 5G conclusions \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.wired.co.uk\/article\/libra-data-privacy-europe-gdpr\">We need to address Libra\u2019s privacy 
problems before it&#8217;s too late \u2014 www.wired.co.uk\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.theatlantic.com\/magazine\/archive\/2019\/12\/social-media-democracy\/600763\/\">The Dark Psychology of Social Networks \u2014 www.theatlantic.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.comparitech.com\/blog\/vpn-privacy\/biometric-data-study\/\">50 countries ranked by how they\u2019re collecting biometric data and what they\u2019re doing with it \u2014 www.comparitech.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propellor Beanie Territory\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/06\/mac-users-targetted-by-lazarus-fileless-trojan\/\">Mac users targetted by Lazarus \u2018fileless\u2019 Trojan \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/04\/microsoft-looks-to-rust-language-to-beat-memory-vulnerabilities\/\">Microsoft looks to Rust language to beat memory vulnerabilities \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/10\/snatch-ransomware-pwns-security-using-sneaky-safe-mode-reboot\/\">Snatch ransomware pwns security using sneaky \u2018safe mode\u2019 reboot \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/05\/machine-raiding-python-libraries-squashed-by-community\/\">Machine-raiding Python libraries squashed by community \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Suggested Listening<\/h3>\n<ul>\n<li>&#x1f3a7; I don&#8217;t want to give the game away, but trust me, it&#8217;s very relevant to computers and to stuff we talk about in this segment: <a href=\"https:\/\/overcast.fm\/+HuIhfcpk4\">Planet Money Episode 773: Slot Flaw Scofflaws \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li><a 
href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/09\/serious-security-understanding-how-computers-count\/\">Serious Security: Understanding how computers count \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<p><em><strong>Note:<\/strong> When the textual description of a link is part of the link it is the title of the page being linked to. When the text describing a link is not part of the link it is a description written by Bart.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Note: This is the first of two episodes both recorded on the 15th of December 2019, but released over two weeks. &#x1f9ef;Security Medium Preview 1 \u2014 VPNs Not All Hacked We&#8217;ll dig into the details in the second part of this two-parter, but for now, I just want to set everyone&#8217;s mind at ease \u2014 [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[50,569],"class_list":["post-19853","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19853","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https
:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=19853"}],"version-history":[{"count":4,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19853\/revisions"}],"predecessor-version":[{"id":19862,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19853\/revisions\/19862"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=19853"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=19853"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=19853"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}