{"id":20835,"date":"2020-04-19T12:41:48","date_gmt":"2020-04-19T19:41:48","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=20835"},"modified":"2020-04-22T18:30:09","modified_gmt":"2020-04-23T01:30:09","slug":"sb-2020-04-19","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2020\/04\/sb-2020-04-19\/","title":{"rendered":"Security Bits \u2014 19 April 2020"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li><strong>Correction:<\/strong> \u2014 the microphone cut-off switch in the new iPad Pros is not a physical disconnect, but it is completely independent of iOS and can&#8217;t be affected by malware because it&#8217;s in the T2 security chip \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/04\/06\/will-apples-microphone-switch-stop-your-ipad-getting-bugged\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Zoom continue to improve their security and privacy:\n<ul>\n<li>An excellent follow-up piece from Glenn Fleishman laying out the progress as well as he initially laid out the problems: <a href=\"https:\/\/tidbits.com\/2020\/04\/15\/zoom-repairs-flaws-and-improves-privacy\/\">Zoom Repairs Flaws and Improves Privacy \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/zoom-announces-collaboration-security-experts-netflix-uber-ea-and-more\">Zoom announces collaboration with security experts from Netflix, Uber, EA and more \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/zoom-improves-password-requirements-and-introduces-longer-meeting-ids-latest-update\">Zoom improves password requirements and introduces longer meeting IDs in latest update \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>Unsurprisingly, Zoom seems to be under attack, so if you re-used a password from 
somewhere else on Zoom, you should change your Zoom password to a unique one: Zoom credentials, presumably harvested by trying passwords leaked from other sites, are being offered for sale on the dark web \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/04\/15\/zoom-passwords-for-sale-on-the-dark-web-ten-a-penny-by-all-accounts\/\">nakedsecurity.sophos.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.macobserver.com\/news\/zoom-account-credentials-sold-hacker-forums-dark-web\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.zdnet.com\/article\/make-sure-your-zoom-meetings-are-safe-by-doing-these-10-things\/\">Zoom security: Your meetings will be safe and secure if you do these 10 things \u2014 www.zdnet.com\/\u2026<\/a><\/li>\n<li>&#x1f3a7; A good discussion of some of Zoom&#8217;s responses: <a href=\"https:\/\/overcast.fm\/+LUuQtE2dE\/12:27\">Security Now 762: Virus Contact Tracking \u2014 overcast.fm\/\u2026<\/a> (starting at 00:12:27)<\/li>\n<\/ul>\n<\/li>\n<li>Google is engaging with Apple to progress their proposed standard for reducing the insecurity of SMS-based two-factor authentication (one-time codes in SMS that are bound to a specific website domain) \u2014 <a href=\"https:\/\/www.macobserver.com\/link\/google-helps-apple-progress-with-one-time-passcode-proposal\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>Facebook have abandoned their attempt to start a crypto currency; instead, Libra will become yet another regular digital wallet <em>\u00e0 la<\/em> Apple Pay, Google Pay, PayPal, etc. 
\u2014 <a href=\"https:\/\/www.macobserver.com\/link\/facebook-scales-back-libra\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>Location data privacy continues to be an issue during the pandemic:\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/04\/06\/rights-groups-appeal-to-governments-over-covid-19-surveillance\/\">Rights groups appeal to governments over COVID-19 surveillance \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-has-made-maps-mobility-data-available-authorities-help-fight-coronavirus\">Apple has made Maps mobility data available to authorities to help fight coronavirus \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 Apple &amp; Google&#8217;s Privacy-Protecting COVID-19 Contact Tracing API<\/h2>\n<p>Apple and Google have partnered to develop an API for recording close personal contacts in an attempt to fight the COVID-19 pandemic. Unlike the solutions rolled out by some more authoritarian governments, this is a decentralised design built from the ground up to prevent its use for tracking people.<\/p>\n<p>The solution uses Bluetooth Low Energy rather than GPS to record close physical contacts, so no location data is collected at all, and it uses a chain of one-way key derivations and keyed hashes (HKDF and HMAC in the published spec) to generate anonymous ephemeral tokens that each participating phone broadcasts. As users move around, their phone records the tokens of every phone it comes close to and keeps that log for a few weeks. If a participating user tests positive, they can choose to instruct their phone to tell a server that they have tested positive and upload the daily keys from which their recent tokens were derived. 
Participating devices periodically download the published diagnosis keys, re-derive the tokens those keys would have produced, and check their own log for matches; if there are any, the phone alerts the user that they have potentially been exposed.<\/p>\n<p>The key point is that the tokens change regularly, so the same phone never broadcasts the same token for long, and without the daily key there is no way to link one token to the next. This means the tokens can&#8217;t be used to track people. The tokens also cycle in sync with the randomisation of the Bluetooth MAC address, so they can&#8217;t be used to undo the tracking protection that MAC address randomisation provides.<\/p>\n<p>Apple and Google insist their API will always be opt-in, and that there will need to be some kind of validation of diagnoses to avoid trolling. There will not be a single global server all phones check for diagnosis keys; instead, separate countries or regions will run their own servers, and their operators will put in place the appropriate safeguards to validate positive diagnoses.<\/p>\n<p>Initially this will be available as an API developers can incorporate into third-party apps, but Apple and Google plan to build the functionality into iOS and Android themselves in the coming months.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>An excellent explainer of how the technology works by Matthew Panzarino \u2014 <a href=\"https:\/\/techcrunch.com\/2020\/04\/10\/apple-and-google-are-launching-a-joint-covid-19-tracing-tool\/\">techcrunch.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/tidbits.com\/2020\/04\/10\/apple-and-google-partner-for-privacy-preserving-covid-19-contact-tracing-and-notification\/\">Apple and Google Partner for Privacy-Preserving COVID-19 Contact Tracing and Notification \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1667565\">Apple and Google detail bold and ambitious plan to track COVID-19 at scale \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apples-contact-tracing-system-requires-verification-report-infection\">Apple&#8217;s contact tracing system 
requires verification to report infection \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-sends-letter-senators-response-privacy-concerns-about-its-coronavirus-app\">Apple sends letter to senators in response to privacy concerns about its coronavirus app \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f3a7; An excellent not-overly-technical description of what Apple &amp; Google have designed: <a href=\"https:\/\/overcast.fm\/+YH-6Dm_QE\">Reset: Contact Tracing, Explained \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li>&#x1f3a7; A good (relatively) human-friendly description of the nuts-and-bolts of the solution: <a href=\"https:\/\/overcast.fm\/+LUuQtE2dE\/1:19:09\">Security Now Episode 762: Virus Contact Tracking \u2014 overcast.fm\/\u2026<\/a> (starting at 01:19:09)<\/li>\n<li>&#x1f1ea;&#x1f1fa; <a href=\"https:\/\/www.imore.com\/eu-hints-adoption-apple-and-googles-contact-tracing-solution\">EU hints at adoption of Apple and Google&#8217;s contact tracing solution \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/www.imore.com\/uks-nhs-will-add-apple-and-googles-coronavirus-tracing-api-its-app\">The UK&#8217;s NHS will add Apple and Google&#8217;s coronavirus tracing API to its app \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/www.theguardian.com\/technology\/2020\/apr\/16\/nhs-in-standoff-with-apple-and-google-over-coronavirus-tracing\">NHS in standoff with Apple and Google over coronavirus tracing \u2014 www.theguardian.com\/\u2026<\/a> <\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2020\/04\/microsoft-patch-tuesday-april-2020-edition\/\">Microsoft Patch Tuesday, April 2020 Edition \u2014 krebsonsecurity.com\/\u2026<\/a>\n<ul>\n<li><a 
href=\"https:\/\/nakedsecurity.sophos.com\/2020\/04\/16\/update-now-windows-zero-day-flaws-fixed-in-patch-tuesday\/\">Update now! Windows zero-day flaws fixed in Patch Tuesday \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/04\/17\/critical-bug-in-google-chrome-get-your-update-now\/\">Critical bug in Google Chrome \u2013 get your update now \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/04\/08\/update-firefox-again-more-rces-and-an-android-takeover-bug-too\/\">Update Firefox again \u2013 more RCEs and an Android \u201ctakeover\u201d bug too \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.zdnet.com\/article\/linksys-asks-users-to-reset-passwords-after-hackers-hijacked-home-routers-last-month\/\">Linksys asks users to reset passwords after hackers hijacked home routers last month \u2014 www.zdnet.com\/\u2026<\/a> (Only affects <em>Linksys Smart WiFi<\/em> users)<\/li>\n<li>Apple have released a critical security update for XCode \u2014 <a href=\"https:\/\/support.apple.com\/en-us\/HT211141\">support.apple.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Security researchers are warning users of Apple&#8217;s App Store to be aware of a new risk \u2014 extortionately priced subscriptions, or, as they named them, <em>Fleeceware<\/em>. When signing up for any subscription, always check both the price, and, the renewal period! 
\u2014 <a href=\"https:\/\/www.imore.com\/how-stop-app-store-fleeceware-grabbing-your-cash\">www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/04\/14\/tiktok-users-beware-hackers-could-swap-your-videos-with-their-own\/\">TikTok users beware: Hackers could swap your videos with their own \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/04\/10\/sextortion-emails-and-porn-scams-are-back-dont-let-them-scare-you\/\">Sextortion emails and porn scams are back \u2013 don\u2019t let them scare you! \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/04\/17\/github-users-targetted-by-sawfish-phishing-campaign\/\">GitHub users targeted by Sawfish phishing campaign \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>&#x1f9ef; Contrary to some fake news that seems to have been spread maliciously, there is no evidence at all of a security problem with the popular video conferencing app Houseparty \u2014 <a href=\"https:\/\/www.imore.com\/houseparty-safe-use\">www.imore.com\/\u2026<\/a><\/li>\n<li>Social media companies are working hard to respond to the changes brought on by the pandemic:\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/04\/16\/tiktok-announces-family-pairing-bust-your-moves-but-cap-the-risk\/\">TikTok announces \u201cFamily Pairing\u201d \u2013 bust your moves but cap the risk \u2014 nakedsecurity.sophos.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.imore.com\/tiktok-expands-parental-controls-blocks-dms-underage-users\">TikTok expands parental controls, now automatically blocks DMs for underage users \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/whatsapp-puts-limits-message-forwarding-curb-covid-19-misinformation\">WhatsApp puts limits on message forwarding to curb COVID-19 misinformation \u2014 
www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/google-blocking-18m-coronavirus-scam-emails-a-day\/\">Google Blocking 18m Coronavirus Scam Emails a Day \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/facebook-taking-aggressive-steps-quash-5g-conspiracy-theories-could-cause-physical-harm\">Facebook taking &#8216;aggressive steps&#8217; to quash 5G conspiracy theories that could cause physical harm \u2014 www.imore.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.imore.com\/interview-we-sat-down-two-5g-experts-and-debunked-recent-conspiracies\">Interview: We sat down with two 5G experts to debunk recent conspiracies | iMore \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.imore.com\/facebook-rolls-out-quiet-mode-ios-spend-less-time-facebook\">Facebook rolls out &#8216;Quiet Mode&#8217; on iOS to spend less time on Facebook \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.imore.com\/ecobee-announces-two-factor-authentication-secure-your-smart-home\">ecobee announces two-factor authentication to secure your smart home \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f9ef; Twitter initially blamed a Firefox bug for leaving some private data (including DMs) in the browser&#8217;s local cache after logout, but it turned out Twitter had not been sending the HTTP cache-control headers that tell browsers not to store such responses; Firefox was simply behaving as specified. 
This was probably a non-issue for most people; the one exception would be users of shared or public computers, where their DMs might have been left exposed in the cache for some time after they logged out of Twitter \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/04\/07\/twitter-warns-users-firefox-might-hold-on-to-private-messages\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><img decoding=\"async\" src=\"https:\/\/imgs.xkcd.com\/comics\/garbage_math.png\" alt=\"'Garbage In, Garbage Out' should not be taken to imply any sort of conservation law limiting the amount of garbage produced.\" \/><br \/><a href=\"https:\/\/xkcd.com\/2295\/\">xkcd: Garbage Math \u2014 xkcd.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that 
has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Correction: \u2014 the microphone cut-off switch in the new iPad Pros is not a physical disconnect, but it is completely independent of iOS and can&#8217;t be affected by malware because it&#8217;s in the T2 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[156,50,569,1968,904],"class_list":["post-20835","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-facebook","tag-security","tag-security-bits","tag-zero-day","tag-zoom"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/20835","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=20835"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/20835\/revisions"}],"predecessor-version":[{"id":20849,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/20835\/revisions\/20849"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=20835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=20835"},{"taxonomy":"post_
tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=20835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}