{"id":20716,"date":"2020-04-05T12:57:04","date_gmt":"2020-04-05T19:57:04","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=20716"},"modified":"2020-04-05T12:57:04","modified_gmt":"2020-04-05T19:57:04","slug":"sb-2020-04-05","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2020\/04\/sb-2020-04-05\/","title":{"rendered":"Security Bits \u2014 5 April 2020"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/warp-vpn-beta-mac\/\">Cloudflare\u2019s WARP VPN Enters Beta for macOS, Windows \u2014 www.macobserver.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> WireGuard, the new and very promising open source VPN protocol that powers WARP VPN has reached 1.0, and has been added to the Linux kernel (as of Linux 5.6) \u2014 <a href=\"https:\/\/arstechnica.com\/gadgets\/2020\/03\/wireguard-vpn-makes-it-to-1-0-0-and-into-the-next-linux-kernel\/\">arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 To Zoom or not to Zoom?<\/h2>\n<aside class=\"small-aside\">Note that this Deep-dive is an opinion piece by Bart, not the usual technical deep-dive.<\/aside>\n<p>Thanks to some great work by Glenn Fleishman at TidBits, there&#8217;s no need for me to do a deep-dive into the technical details of the many many Zoom security and privacy stories that have broken this week. 
Glenn explains them all extremely clearly, and what&#8217;s more, he ends each description with instructions for what you can or must do to protect yourself \u2014 <a href=\"https:\/\/tidbits.com\/2020\/04\/03\/every-zoom-security-and-privacy-flaw-so-far-and-what-you-can-do-to-protect-yourself\/\">tidbits.com\/\u2026<\/a><\/p>\n<p>Zoom&#8217;s business model is freemium, so it&#8217;s not FreePI, so the incentives should not be pushing the company to invade your privacy, and yet, we&#8217;ve seen a lot of privacy problems mixed in with the security problems, so what&#8217;s going on?<\/p>\n<p>Because of the extreme arrogance shown by the company last summer when it was discovered their app installed an insecure web server that bypassed important Safari user protections in the name of ease of use, and then left that vulnerable web server behind when the app was uninstalled, my initial impression of the company was extremely negative. So negative in fact that I have been actively boycotting them, but I think that first impression was not quite fair.<\/p>\n<p>Fleishman chooses to use the word <em>careless<\/em>, and I think that&#8217;s much closer to the mark. I think it&#8217;s also extremely important to point out that while their response last summer was most charitably described as <em>poor<\/em>, their responses this month have been much better \u2014 they have apologised, explained, and, more importantly, patched quickly. They&#8217;ve even gone so far as to announce a 90-day feature freeze so they can focus all their attention on patching security bugs and addressing the myriad privacy concerns that have been raised.<\/p>\n<p>I&#8217;m not sure it&#8217;s a defence, but the motivation for some of their most galling behaviour has been to create a more user-friendly experience. 
I personally think it&#8217;s utterly inappropriate to undermine your users&#8217; security in the name of convenience, but I still think motivation matters when judging a company, and user convenience is absolutely not a malicious motivation, and that&#8217;s gotta be worth something!<\/p>\n<p>Zoom is one of the single most popular online meeting apps \u2014 why? Because it works really well, even for really big groups, because it&#8217;s easy to use both for people organising meetings, and for people invited into meetings, and because there is a feature-rich free tier.<\/p>\n<p>In these days when we&#8217;re forced to keep our physical distance, tools that allow us to remain socially close from afar are more valuable than ever!<\/p>\n<p>So, should you use Zoom? That&#8217;s your call \u2014 all I suggest is that you take the time to make an informed decision. <strong>Does the value outweigh the risks, and are you prepared to take the extra steps needed to use Zoom in as secure a manner as is currently possible?<\/strong><\/p>\n<p>Since the value is obvious, what are the risks?<\/p>\n<p>Looking at Zoom&#8217;s history, it seems clear to me that they have accrued massive technical debt \u2014 <strong>years of sloppy programming have resulted in a code-base littered with bugs<\/strong>, some of which have been found and patched, but many more almost certainly remain, and they could bite Zoom users badly at any moment.<\/p>\n<p>We also know that at a technical level, <strong>Zoom&#8217;s encryption is poorly designed and weak<\/strong>. They have promised to fix it, but that will take time, so at least for now, we know it&#8217;s not a safe way to communicate private information. 
That&#8217;s unlikely to be a show-stopper for home users (just assume someone could be listening in and behave accordingly and you&#8217;ll be grand), but it&#8217;s a huge problem for higher risk users like reporters, activists, campaigners, political leaders, and corporations likely to be the targets of industrial espionage.<\/p>\n<p>Finally, it also seems clear to me that Zoom&#8217;s sloppiness goes beyond their code to their decision making and their policies. <strong>They&#8217;re not thinking things through properly before implementing them<\/strong>, and their policies have tended to err on the side of allowing the company far more rights than it needs. Their recently updated privacy policy is a massive improvement, but that doesn&#8217;t obviate the many poor decisions that have yet to be reversed like their automatic sharing of information between people whose email addresses happen to be on the same domain.<\/p>\n<p>Finally \u2014 always remember there are alternatives:<\/p>\n<ul>\n<li><a href=\"https:\/\/tidbits.com\/2020\/04\/02\/videoconferencing-options-in-the-age-of-pandemic\/\">Videoconferencing Options in the Age of Pandemic \u2014 tidbits.com\/\u2026<\/a> (also by Glenn Fleishman)<\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/quick-tip\/5-zoom-alternatives\/?utm_source=macobserver&amp;utm_medium=rss&amp;utm_campaign=rss_everything\">5 Zoom Alternatives to Maintain Your Privacy \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/best-alternatives-zoom\">Best Alternatives to Zoom in 2020 \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Apple have patched all their OSes, including security updates as well as new features:\n<ul>\n<li><a 
href=\"https:\/\/tidbits.com\/2020\/03\/24\/apple-releases-macos-10-15-4-catalina-watchos-6-2-tvos-13-4-and-ios-13-4-for-homepod\/\">Apple Releases macOS 10.15.4 Catalina, watchOS 6.2, tvOS 13.4, and iOS 13.4 for HomePod \u2014 tidbits.com\/\u2026<\/a>\n<ul>\n<li>&#x26a0;&#xfe0f; A bug has been found in VPN support in iOS that is not patched by this latest update \u2014 enabling a VPN does not force existing connections to terminate and re-route through the VPN, so data can be leaked \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/30\/apples-ios-13-4-hit-by-vpn-bypass-vulnerability\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/product-news\/macos-10-15-4-chrome-passwords\/\">macOS Catalina 10.15.4 Lets You Import Chrome Passwords to iCloud Keychain \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/tidbits.com\/watchlist\/security-update-2020-002-mojave-and-high-sierra\/\">Security Update 2020-002 (Mojave and High Sierra) \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/tidbits.com\/watchlist\/safari-13-1\/\">Safari 13.1 \u2014 tidbits.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/apple-beefs-intelligent-tracking-prevention-and-safari-security-ios-134\">Apple beefs up Intelligent Tracking Prevention and Safari security in iOS 13.4 \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/26\/apple-safari-now-blocks-all-third-party-cookies-by-default\/\">Apple Safari now blocks all third-party cookies by default \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Apple&#8217;s blog post describing the privacy improvements: <a href=\"https:\/\/webkit.org\/blog\/10218\/full-third-party-cookie-blocking-and-more\/\">Full Third-Party Cookie Blocking and More \u2014 webkit.org\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Adobe have released an emergency out-of-band patch to a nasty 
vulnerability in Creative Cloud that allowed remote attackers to delete files on victim computers \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/26\/adobe-issues-emergency-fix-for-file-munching-bug\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Mozilla has released a critical fix for Firefox that patches a zero-day vulnerability that is being actively exploited in the wild \u2014 <a href=\"https:\/\/www.us-cert.gov\/ncas\/current-activity\/2020\/04\/03\/mozilla-patches-critical-vulnerabilities-firefox-firefox-esr\">www.us-cert.gov\/\u2026<\/a><\/li>\n<li>Keep an eye out for next Tuesday&#8217;s updates from Microsoft, they are expected to contain a patch for a zero-day that is being actively exploited in the wild \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/25\/windows-has-a-zero-day-that-wont-be-patched-for-weeks\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/31\/patch-now-critical-flaw-found-in-openwrt-router-software\/\">Patch now! Critical flaw found in OpenWrt router software \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Two critical bugs have been fixed in the popular WordPress plugin <em>Rank Math<\/em>, if you run this plugin, patch ASAP! 
\u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/04\/02\/dont-get-locked-out-of-your-own-website-update-this-wordpress-plugin-now\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>A reminder that, like with every disaster and crisis, malefactors are exploiting our understandable fears about and interest in the COVID-19 pandemic and attempting to defraud us all:\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/cybercriminals-are-preying-on-coronavirus-fears\/\">Cybercriminals are preying on coronavirus fears \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/26\/hijacked-twitter-accounts-used-to-advertise-face-masks\/\">Hijacked Twitter accounts used to advertise face masks \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/26\/watch-out-scummy-scammers-target-home-deliveries\/\">Watch out! 
Scummy scammers target home deliveries \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/04\/03\/watch-out-for-the-new-wave-of-covid-19-scams-warns-irs\/\">Watch out for the new wave of COVID-19 scams, warns IRS \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/31\/marriott-international-confirms-data-breach-of-up-to-5-2-million-guests\/\">Marriott International confirms data breach of up to 5.2 million guests \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Security researchers have found yet another way Android apps are invading users&#8217; privacy: <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/27\/android-apps-are-snooping-on-your-installed-software\/\">Android apps are snooping on your installed software \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Court filings by grey-hat security company NSO Group allege Facebook tried to buy their controversial Pegasus spyware solution intended for use by law enforcement to spy on users as part of their highly problematic and now-defunct <em>Onavo<\/em> VPN \u2014 <a href=\"https:\/\/www.vice.com\/en_us\/article\/pke9k9\/facebook-wanted-nso-spyware-to-monitor-users\">www.vice.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/product-news\/ipad-pro-microphone-disconnect\/\">iPad Pro Adds Mac-Like Microphone Disconnect Feature \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>Evidence that Apple&#8217;s Bug Bounty program is working: <a href=\"https:\/\/www.imore.com\/apple-paid-out-75000-hacker-who-used-zero-day-exploit-hijack-iphone-camera\">Apple paid out $75,000 to a hacker who used zero-day exploit to hijack iPhone camera \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>Google&#8217;s Threat Analysis Group has released their 2019 report which includes the fact that Google sent 
about 40K warnings to targets of state-backed hacking groups (down 25% from 2018) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/30\/google-sent-40k-warnings-to-targets-of-state-backed-attackers-in-2019\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Location Tracking and COVID-19\n<ul>\n<li><a href=\"https:\/\/techcrunch.com\/2020\/04\/03\/google-is-now-publishing-coronavirus-mobility-reports-feeding-off-users-location-history\/\">Google is now publishing coronavirus mobility reports, feeding off users\u2019 location history \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li>&#x1f1ea;&#x1f1fa; 8 major European cellphone carriers have agreed to share anonymised location data with the European Commission to help them track COVID-19 spread \u2014 <a href=\"https:\/\/www.engadget.com\/2020-03-25-carriers-share-locations-with-eu-to-track-covid-19.html\">www.engadget.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.businessinsider.com\/us-using-mobile-ad-data-to-track-people-2020-3?r=US&amp;IR=T\">The US is using mobile ad data to track people&#8217;s movements during coronavirus lockdown \u2014 www.businessinsider.com\/\u2026<\/a><\/li>\n<li><strong>Related Analysis:<\/strong> <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/03\/30\/should-governments-track-your-location-to-fight-covid-19\/\">Should governments track your location to fight COVID-19? 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/arstechnica.com\/tech-policy\/2020\/03\/court-violating-a-sites-terms-of-service-isnt-criminal-hacking\/\">Court: Violating a site\u2019s terms of service isn\u2019t criminal hacking \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/04\/02\/phone-carriers-must-authenticate-calls-to-fight-robocalls-says-fcc\/\">Phone carriers must authenticate calls to fight robocalls, says FCC \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li><a href=\"https:\/\/robservatory.com\/how-i-lost-control-of-our-bank-accounts-to-a-phone-scammer\/\">How I lost control of our bank accounts to a phone scammer \u2014 robservatory.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleanser<\/h2>\n<h4>Chris Ashley of SMR Podcast on Daily Tech News Show talks about how nice we are online right now: <a href=\"https:\/\/dailytechnewsshow.com\/2020\/04\/03\/1999-nice-2020-memes-dtns-3753\/\">1999 Nice + 2020 Memes \u2013 DTNS 3753 \u2013 Daily Tech News Show<\/a><\/h4>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is 
particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
Cloudflare\u2019s WARP VPN Enters Beta for macOS, Windows \u2014 www.macobserver.com\/\u2026 Related: WireGuard, the new and very promising open source VPN protocol that powers WARP VPN has reached 1.0, and has been added to the [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[50,569,904],"class_list":["post-20716","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-security","tag-security-bits","tag-zoom"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/20716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=20716"}],"version-history":[{"count":4,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/20716\/revisions"}],"predecessor-version":[{"id":20720,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/20716\/revisions\/20720"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/w
p-json\/wp\/v2\/media?parent=20716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=20716"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=20716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}