{"id":20521,"date":"2020-03-08T16:13:29","date_gmt":"2020-03-08T23:13:29","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=20521"},"modified":"2020-03-12T13:27:19","modified_gmt":"2020-03-12T20:27:19","slug":"sb-2020-03-08","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2020\/03\/sb-2020-03-08\/","title":{"rendered":"Security Bits \u2014 8 March 2020"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>FireFox are continuing their roll-out of DoH, enabling it by default for new installs in the US \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/02\/28\/firefox-rolling-out-dns-over-https-privacy-by-default-in-the-us\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/02\/25\/google-stops-indexing-whatsapp-chats-other-search-engines-still-at-it\/\">Google stops indexing WhatsApp chats; other search engines still at it \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>HomeKit Router Support continues to roll out:\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/20\/02\/26\/homekit-support-lands-on-amazons-eero-mesh-routers\">HomeKit support lands on Amazon&#8217;s Eero mesh routers \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.imore.com\/homekit-routers-everything-you-need-know\">HomeKit Routers: Everything you need to know \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.imore.com\/how-manage-homekit-enabled-routers-home-app\">How to manage HomeKit-enabled routers in the Home app \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Sign-in with Apple Continues its roll out:\n<ul>\n<li><a 
href=\"https:\/\/www.macobserver.com\/tips\/quick-tip\/use-sign-in-with-apple-to-run-your-wordpress-com-account\/\">Use Sign in With Apple to Access Your WordPress.com Account \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/cool-stuff-found\/etsy-sign-in-with-apple\/\">Etsy Gets Updated to Support Sign In with Apple \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.macobserver.com\/tips\/quick-tip\/sign-in-with-apple-apps\/\">Here Are The Apps That Support Sign in With Apple \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.imore.com\/fcc-fine-all-four-us-carriers-200-million-disclosing-real-time-locations-its-customers\">FCC to fine all four US carriers $200 million for disclosing real-time locations of its customers \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>Things go from bad to worse for Clearview AI:\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/02\/28\/clearview-ai-loses-entire-database-of-faceprint-buying-clients-to-hackers\/\">Clearview AI loses entire database of faceprint-buying clients to hackers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macrumors.com\/2020\/02\/28\/apple-disables-clearview-ai-dev-account\/\">Apple Disables Clearview AI&#8217;s Developer Account After Violating Enterprise Certificate Rules \u2014 www.macrumors.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f3a7; An in-depth interview with the journalist who broke the story of the CIA &amp; German Intelligence owning the Swiss security device vendor Crypto AG: <a href=\"https:\/\/overcast.fm\/+Ht0xst1lE\">Fresh Air: Uncovering The CIA\u2019s Operation To Steal State Secrets \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive(s)<\/h2>\n<h3>The Darkside of the iOS Clipboard<\/h3>\n<p>Security researchers have demonstrated an interesting new abuse of the clipboard on iOS.<\/p>\n<p>For 
context, it&#8217;s important to bear in mind that iOS has been developed from the start to provide very strong isolation between apps. Initially apps were complete island universes unto themselves, and Apple have only very slowly added mechanisms for moving information between apps. While doing so, Apple have been very careful to keep that flow of information in the user&#8217;s control. In theory, unless a user pro-actively shares information between one app and another, apps absolutely cannot see each other&#8217;s data.<\/p>\n<p>What the researchers realised is that Apple&#8217;s clipboard APIs can be abused by malicious apps to read information that originated in other apps that the user did not explicitly grant them access to.<\/p>\n<p>It turns out that background apps can paste from the clipboard as often as they like, allowing them to monitor for interesting information the user did not intend to share with them. Worse still, Today Widgets can do the same thing!<\/p>\n<p>The real kicker is that this behaviour extends to the so-called <em>Universal Clipboard<\/em>, the single unified clipboard managed by iCloud allowing you to copy on one device and paste on another. This means a malicious iOS app could see data copied on other iOS devices, or even Macs!<\/p>\n<p>Some data that often ends up on the clipboard can be a lot more revealing than users realise \u2014 an example pointed to by the security researchers is photos which still contain their EXIF data, which often includes GPS coordinates. Over time this could allow a malicious app to track your location quite accurately.<\/p>\n<p>For now at least, Apple are not considering this a vulnerability, so our only defence is to be selective about the apps we install. 
This has been my advice all along anyway, so it doesn&#8217;t change anything for me.<\/p>\n<p>If we start to see this technique used in the wild Apple could limit access to the clipboard to foreground apps, or, at the very least, block access to the clipboard for Today Widgets. Apple could even go so far as to make the user explicitly grant apps clipboard access. Only time will tell what Apple will choose to do about this weakness going forward.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/location-data-ios-clipboard\/\">Location Data Can Leak Through iOS Clipboard, Apple Doesn\u2019t View it as a Problem \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/02\/26\/apples-ios-pasteboard-leaks-location-data-to-spy-apps\/\">Apple\u2019s iOS pasteboard leaks location data to spy apps \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.forbes.com\/sites\/zakdoffman\/2020\/02\/26\/simple-apple-security-hack-if-you-have-an-iphone-and-macbook-look-away-now\/\">Simple Apple Security Hack: If You Have An iPhone And MacBook, Look Away Now \u2014 www.forbes.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Safari Mandates 1 Year Certs?<\/h3>\n<p>Questions from Allison:<\/p>\n<blockquote>\n<ul>\n<li>Remind us what a certificate is?\n<ul>\n<li>What does it protect us against?<\/li>\n<li>What does it <em>not<\/em> protect us against?<\/li>\n<\/ul>\n<\/li>\n<li>I&#8217;ve heard they&#8217;re not called SSL certs any longer, why is that?<\/li>\n<li>What did Apple announce about this with regard to Safari?<\/li>\n<li>It was a discussion item in a standards body from what I understand. 
Do we know why the other members didn&#8217;t want to do this when Apple pushed for it?<\/li>\n<li>What is the real impact on web site providers?<\/li>\n<li>What is the increase in safety to the end user over time?<\/li>\n<\/ul>\n<\/blockquote>\n<h4>What is a Certificate?<\/h4>\n<p><em><strong>Note:<\/strong> we recorded <a href=\"https:\/\/www.podfeet.com\/blog\/2013\/09\/434-get-a-samsung-galaxy-s3-upgrade-sooner-rather-than-later-pki-demystified\/#pki\">a more detailed look at certificates etc.<\/a> back in 2013.<\/em><\/p>\n<p>The maths at the heart of our <em>Public Key Infrastructure<\/em> (PKI) is so-called <em>asymmetric encryption<\/em>. Regular (<em>symmetric<\/em>) encryption is quite simple to understand \u2014 you take some plain-text, you use an algorithm that makes use of a key to turn that into encrypted text. To de-crypt you run the process in reverse, using the original key.<\/p>\n<p>Asymmetric Crypto is different \u2014 rather than a single key there is a key-pair. Anything encrypted with one of the pair can only be decrypted by the other. Note that both of the keys in the pair can be used to encrypt. When key-pairs are generated one is arbitrarily chosen to be kept secret and henceforth referred to as the <em>private key<\/em>, the other then becomes the so-called <em>public key<\/em>.<\/p>\n<p>The other vitally important piece of the PKI-puzzle is so-called digest, or hashing, algorithms. These take an arbitrarily long piece of plain text and digest it into a fixed-length fingerprint. 
For a digest to be considered cryptographically secure the following must be true:<\/p>\n<ol>\n<li>the algorithm must be one-way \u2014 it should be easy to go from plain-text to digest, but so difficult as to be effectively impossible to go from digest to plain-text.<\/li>\n<li>small changes in input must result in large changes in the digest<\/li>\n<li>it must not be feasible to alter the plain-text input in such a way as to cause it to digest to a specific desired value. You&#8217;ll hear this referred to as digests needing to be robust against <em>collisions<\/em>.<\/li>\n<\/ol>\n<p>A digital signature is a digest of some digital content that has been encrypted by a private key. Anyone with the public key can de-crypt the signature and re-calculate the digest to verify that the signed content has not been altered since it was signed, and that it was definitely signed by the private key that matches the public key.<\/p>\n<p>At the root of the PKI is a collection of pre-shared trusted public keys belonging to the so-called <em>Certificate Authorities<\/em>, or CAs. We refer to the CAs as the <em>trust anchors<\/em> of the PKI. Our OSes and browsers ship with the public keys for the trusted CAs, and software updates are needed to update them.<\/p>\n<p>A digital certificate is a public key and some meta-data that has been digitally signed by a certificate authority.<\/p>\n<p>There is a common format for these certs and their metadata that you may have heard of \u2014 <a href=\"https:\/\/en.wikipedia.org\/wiki\/X.509\">X.509<\/a>. It&#8217;s the metadata within the X.509 cert that determines what a cert can be used for. 
X.509 is used throughout the PKI to secure all sorts of things, not just HTTPS websites.<\/p>\n<p><strong>Digital certificates can be used to encrypt and\/or digitally sign digital content.<\/strong><\/p>\n<p>Digital certificates are a vital component in the TLS\/SSL suite of protocols that are at the heart of many of our secure protocols, including HTTPS for web browsing, many VPN protocols, and the secured versions of our email protocols.<\/p>\n<p>Everything up to this point applies very broadly, from here on we&#8217;ll be focusing on HTTPS, the secure web protocol.<\/p>\n<h4>The Security Guarantees Offered by HTTPS<\/h4>\n<p>HTTPS makes the following security guarantees:<\/p>\n<ol>\n<li><strong>Confidentiality<\/strong> \u2014 information sent over HTTPS is encrypted and can only be read by the web server and web client, not by anyone in between.<\/li>\n<li><strong>Integrity<\/strong> \u2014 the information sent over HTTPS has not been changed by anyone en-route.<\/li>\n<li><strong>Authenticity<\/strong> \u2014 the information sent over an HTTPS request was sent by the owner of the certificate. Depending on the type of certificate that is more or less meaningful:\n<ul>\n<li><strong>Domain Control Validation (DCV or DV)<\/strong> \u2014 the certificate was issued to a person who has proven they control the domain name(s) the certificate is valid for. This is the lowest form of validation, and what you get from automated services like Let&#8217;s Encrypt. It tells you you really are at the URL you think you are, but nothing more.<\/li>\n<li><strong>Organisation Validation (OV)<\/strong> \u2014 the certificate was issued to a person who has provided evidence they represent a specific named organisation and control the domain. 
The same as DCV, but also asserts an organisation.<\/li>\n<li><strong>Extended Validation (EV)<\/strong> \u2014 the same as OV but with more stringent rules.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p><strong>HTTPS does not make any sort of assertion about the trustworthiness of any website or organisation!<\/strong><\/p>\n<p>A website being secure just means you are securely communicating with the owner of the domain in your address bar, or with someone who stole the private key belonging to the owner of the website.<\/p>\n<p>If your browser shows a padlock and the URL <code>https:\/\/palpay.com\/<\/code> and a page that looks identical to PayPal the padlock does not mean you are safe! You are simply securely sending your information to the bad guys!<\/p>\n<h4>SSL or TLS?<\/h4>\n<p>SSL is the old term, TLS the new. The first three versions of the protocol we now know as <em>Transport Layer Security<\/em> (TLS) were known as the <em>Secure Socket Layer<\/em> (SSL). TLS 1.0 is effectively SSL4.<\/p>\n<h4>What Did Apple Announce?<\/h4>\n<p>Safari will not accept any server certificate with a start date on or after the 1st of September 2020 that has a validity period of longer than 1 year as valid. In other words, all certs issued from September 2020 need to be 1 year or shorter or Safari will always mark them as invalid, regardless of whether or not they are properly signed by a trusted CA.<\/p>\n<p>This is a unilateral move by Apple, but given the prevalence of iOS, it effectively means all website owners will be limited to one-year certificates the next time their certificate expires.<\/p>\n<p>For context \u2014 almost exactly two years ago (1 March 2018), the CA forum collectively agreed to reduce the maximum age for certificates from 3 years to two.<\/p>\n<h4>Do we Know why Apple Chose to do a <em>Solo Run<\/em> This Time?<\/h4>\n<p>Nope! 
(At least I don&#8217;t &#x1f642;)<\/p>\n<h4>What&#8217;s the Impact?<\/h4>\n<p>For <strong>automated DCV certificate authorities<\/strong> like Let&#8217;s Encrypt this change has <strong>no effect at all<\/strong> \u2014 automated CAs already work off a much shorter certificate life-time of 3 months.<\/p>\n<p>For <strong>certificate authorities issuing OV and EV certs<\/strong> like DigiCert this will require them to issue fresh certs twice as often for their customers. The issuance of certificates is not a big drain on CA resources though, so this will have a <strong>minimal impact<\/strong>. The real work of CAs is the organisation validation, and that has to be performed on an annual basis anyway.<\/p>\n<p>The biggest impact is on <strong>website owners<\/strong>. Running a website with an OV or EV cert will now <strong>require a new certificate<\/strong> be requested and installed <strong>twice as often<\/strong>.<\/p>\n<p>Thankfully <strong>it&#8217;s not looking like website owners will be charged more per-annum for their certificates<\/strong>. Details are still emerging, but an approach that is gaining traction is that of selling <em>certificate subscriptions<\/em>. The idea is that customers buy the right to a certificate for 3, 5, or even 10 years, and they can have that certificate re-issued as often as they like during that subscription.<\/p>\n<h4>Does This Make us Safer?<\/h4>\n<p>Yes, but only a little. IMO, this is a poor solution that&#8217;s easy to achieve because the CA forum are too timid or toothless to tackle the actual problem in an effective way.<\/p>\n<h4>It&#8217;s all About Revocation, or Rather, the Lack of it!<\/h4>\n<p>In theory, a certificate owner can ask a CA to revoke their certificate at any time. The most likely reason to want to do this would be a loss of control over the certificate&#8217;s private key, usually as a result of a hack or an accidental leak. 
Once the website owner realises they have lost control over their private key, they would request the existing certificate be revoked, the CA would oblige, and all browsers would start rejecting the cert. The website owner would then generate a new key-pair, and ask their CA to use their new public key as the basis for a fresh certificate.<\/p>\n<p>This all works as expected right up to the bit where browsers are supposed to check for certificate revocations and start rejecting the revoked cert. For efficiency reasons, no modern browsers effectively check for certificate revocations. This means certs effectively always live until their expiration date, even when the private key is compromised.<\/p>\n<p>The simplest solution to this problem is to reduce the validity period of certs, and that&#8217;s what the CA forum did two years ago, and what Apple continued with this announcement.<\/p>\n<p>How we got to this mess is interesting.<\/p>\n<p>The original approach for revocation was so-called CRLs, or <em>Certificate Revocation Lists<\/em> \u2014 simply black-lists of key fingerprints published by the CAs. When only a handful of websites used certificates it was practical for browsers to download the latest CRLs once a week, or even daily, and to keep a list of all known-revoked certs within the browser, and check each site against that list each time the user surfed to a secure URL.<\/p>\n<p>CRLs simply did not scale.<\/p>\n<p>The next approach was a real-time protocol hosted by the CAs, the so-called <em>Online Certificate Status Protocol<\/em>, or OCSP. Each CA would run an OCSP web server and the URL for that server would be embedded in each certificate they issued. 
Browsers would then check the URL for the cert each time a user browsed to a secure site.<\/p>\n<p>This proved impractical for a few reasons \u2014 it added extra work onto the browser, slowing things down, it required the CAs to run an ultra-efficient and reliable website, which they proved incapable of doing, and it required browsers to treat a failure to reach the OCSP server as a certificate failure. That opened users up to trivial denial of service attacks, because while a man-in-the-middle couldn&#8217;t alter the response from the OCSP server, they could simply block it!<\/p>\n<p>That&#8217;s how we arrived at today&#8217;s mess where browsers simply don&#8217;t even try to do any kind of reliable certificate revocation checking.<\/p>\n<h4>OCSP Stapling Would be a Real Solution<\/h4>\n<p>Most annoyingly, we now have a viable fix of the revocation problem \u2014 a technology called <em>OCSP Stapling<\/em>. Rather than the browser having to check the OCSP status of the cert, the web server periodically fetches a fresh short-lived OCSP assertion from the CA that the certificate has not been revoked, and attaches this assertion to the certificate that gets handed to the browser. The assertion is digitally signed by the CA, so the browser can validate it in the same way it validates the certificate itself.<\/p>\n<p>OCSP stapling exists, and works, but support is patchy. According to <a href=\"https:\/\/twit.tv\/shows\/security-now\/episodes\/756?autostart=false\" target=\"_blank\" rel=\"noopener noreferrer\">Steve Gibson on the most recent Security Now podcast<\/a>, Microsoft&#8217;s IIS is the only web server with robust OCSP Stapling support ATM, and FireFox the only browser with mature OCSP Stapling support. 
There is some nascent support in Apache and NGINX, but it&#8217;s not ready for the big-time yet.<\/p>\n<p>If the CAs, browser vendors, and web server vendors got together and agreed to commit fully to OCSP stapling, the revocation problem could be solved within a year, with no need for ineffective hacks like simply reducing certificate lifetimes!<\/p>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Google have released the March security updates for Android, and they include fixes for a number of critical vulnerabilities \u2014 update ASAP if you can, and consider getting a securable phone if you can&#8217;t! \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/04\/google-fixes-mediatek-bug-in-android-march-patches\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/02\/25\/mystery-zero-day-in-chrome-update-now\/\">Mystery zero-day in Chrome \u2013 update now! 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/03\/nvidia-patches-severe-flaws-affecting-geforce-quadro-nvs-and-tesla\/\">Nvidia patches severe flaws affecting GeForce, Quadro NVS and Tesla \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2020\/02\/zyxel-fixes-0day-in-network-storage-devices\/\">Zyxel Fixes 0day in Network Storage Devices \u2014 krebsonsecurity.com\/\u2026<\/a> &amp; <a href=\"https:\/\/krebsonsecurity.com\/2020\/02\/zyxel-0day-affects-its-firewall-products-too\/\">Zyxel 0day Affects its Firewall Products, Too \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.tomsguide.com\/news\/netgear-security-firmware-patches\">Thousands of Netgear routers are at risk of getting hacked: What to do \u2014 www.tomsguide.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>As with every major international event, malefactors are exploiting the COVID19 crisis to try to exploit people, so <strong>beware!<\/strong> \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/05\/coronavirus-warning-spreads-computer-virus\/\">nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/www.us-cert.gov\/ncas\/current-activity\/2020\/03\/06\/defending-against-covid-19-cyber-scams\">Defending Against COVID-19 Cyber Scams \u2014 www.us-cert.gov\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.imore.com\/apple-rejecting-coronavirus-apps-are-not-health-organizations\">Apple is rejecting coronavirus apps that are not from health organizations \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/02\/27\/facebook-bans-coronavirus-miracle-cure-ads\/\">Facebook bans coronavirus 
\u2018miracle cure\u2019 ads \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/06\/5-tips-for-working-safely-from-home\/\">Remote working due to coronavirus? Here\u2019s how to do it securely\u2026 \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.imore.com\/if-you-want-disinfect-your-phone-do-not-use-these-household-clearers\">If you want to disinfect your phone do not use these household clearers \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/locked-apple-notes-arent-secure\/\">Locked Apple Notes Aren\u2019t as Secure as You Think \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/cathay-pacific-fined-500000-for-major-data-breach\/\">Cathay Pacific Fined \u00a3500,000 For Major Data Breach \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/02\/24\/kidsguard-stalkerware-leaks-data-on-secretly-surveilled-victims\/\">KidsGuard stalkerware leaks data on secretly surveilled victims \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.pcmag.com\/news\/exclusive-popular-baby-monitor-wide-open-to-hacking\">Exclusive: Popular Baby Monitor Wide Open to Hacking \u2014 www.pcmag.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/03\/goodrx-stops-sharing-personal-medical-data-with-google-facebook\/\">GoodRx stops sharing personal medical data with Google, Facebook \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/06\/boots-yanks-loyalty-card-payouts-after-150k-accounts-get-stuffed\/\">Boots yanks loyalty card payouts after 150K accounts get stuffed \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable 
News<\/h2>\n<ul>\n<li>A major new flaw has been found in all Intel chips. It undermines the TPM, putting DRM and even disk encryption in danger. For now there is still a hardware key protecting disk encryption, but the security researchers expect that key to be cracked soon, at which point all TPM-based disk encryption will be compromised. For now it&#8217;s not clear there are any practical attacks, so this is worrying, but not yet a cause for panic \u2014 <a href=\"https:\/\/www.theregister.co.uk\/2020\/03\/05\/unfixable_intel_csme_flaw\/\">www.theregister.co.uk\/\u2026<\/a><\/li>\n<li>Security researchers have found a new WiFi vulnerability and named it <em>Kr00k<\/em>. It affects WiFi devices with Broadcom &amp; Cypress chipsets. Patches have been released by both chip makers, and many hardware vendors have already released firmware updates (thanks to responsible disclosure). The bug affects WPA2, and allows attackers to break WiFi encryption. Switch to WPA3 or update your firmware as soon as you can \u2014 <a href=\"https:\/\/www.zdnet.com\/article\/new-kr00k-vulnerability-lets-attackers-decrypt-wifi-packets\/\">www.zdnet.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.vice.com\/en_us\/article\/4ag7vq\/airbnb-has-secret-trustworthy-scores-and-this-privacy-group-is-demanding-to-see-them\">Airbnb Has Secret \u2018Trustworthy Scores\u2019 and This Privacy Group Is Demanding to See Them \u2014 www.vice.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/02\/28\/google-has-right-to-censor-conservative-nonprofit-on-youtube\/\">Google has right to censor conservative nonprofit on YouTube \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/how-back-your-contacts-mac\">How 
to back up your contacts on Mac \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/homekit-secure-video-everything-you-need-know\">HomeKit Secure Video: Everything you need to know \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/03\/why-free-wi-fi-isnt-really-free\/\">Why \u2018free\u2019 Wi-Fi isn\u2019t really free \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<p>From Twitter: &#8220;<a href=\"https:\/\/twitter.com\/ChrisBernie42\" target=\"_blank\" rel=\"noopener noreferrer\">@ChrisBernie42<\/a>: Due to #COVID\u30fc19, all TCP applications will be converted to UDP to avoid handshakes. 
&#x1f913;&#8221;<\/p>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>pay-wall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. FireFox are continuing their roll-out of DoH, enabling it by default for new installs in the US \u2014 nakedsecurity.sophos.com\/\u2026 Google stops indexing WhatsApp chats; other search engines still at it \u2014 nakedsecurity.sophos.com\/\u2026 HomeKit Router [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[2873,170,4035,4032,114,4033,3551,3550,4034],"class_list":["post-20521","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-certificate-authority","tag-hack","tag-ios-clipboard","tag-pki","tag-privacy","tag-public-key-encryption","tag-ssl","tag-tls","tag-tls-certificates"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/20521","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/w
p\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=20521"}],"version-history":[{"count":5,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/20521\/revisions"}],"predecessor-version":[{"id":20529,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/20521\/revisions\/20529"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=20521"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=20521"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=20521"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}