{"id":21497,"date":"2020-07-26T12:59:30","date_gmt":"2020-07-26T19:59:30","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=21497"},"modified":"2020-07-26T15:41:50","modified_gmt":"2020-07-26T22:41:50","slug":"sb-2020-07-26","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2020\/07\/sb-2020-07-26\/","title":{"rendered":"Security Bits \u2014 26 July 2020"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<figure style=\"float: right; margin-left: 10px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2020\/07\/financial-request-to-authenticate.png\" alt=\"Financial request to authenticate\" width=\"300\" height=\"272\"><figcaption style=\"text-align:center\">Example of Financial Institution Authentication<\/figcaption><\/figure>\n<ul>\n<li>Two weeks ago we talked about the new method of authentication I\u2019d encountered with my bank (and you had it too): you go to log in on a website, it sends a notification to your phone\u2019s screen, tapping that opens the app for the website, which uses Face ID to authenticate you, and then you\u2019re in on the Mac. The two questions that have come up from that in the last week in <a href=\"https:\/\/podfeet.com\/slack\" target=\"_blank\" rel=\"noopener noreferrer\">our Slack<\/a> are:\n<ul>\n<li>From Jill &#8211; isn\u2019t it quite possible a hacker would try to get into your account, your phone would send you the notification and you\u2019d instinctively tap it and instantly authenticate for them?\n<ul>\n<li>Bart explained that these apps&#8217; implementations (at least Bart&#8217;s and Allison&#8217;s) have one more step. After authenticating with Face ID or Touch ID, you get a yes\/no request to authorize the login, and that request tells you the OS and browser making the request and its approximate physical location<\/li>\n<\/ul>\n<\/li>\n<li>From Steve &#8211; if the site (like ours) offers you the <em>option<\/em> of this dedicated phone-based authentication method but the other option is an SMS, isn\u2019t your account just as susceptible to SIM swapping as if they didn\u2019t offer the dedicated phone app?\n<ul>\n<li>Short answer is yes &#8211; the weakest link is the problem<\/li>\n<li>The better option is if the institution allows you to disable the SMS option<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Apple have begun shipping the special pre-rooted iPhones for security researchers announced last year. These devices mean eligible security researchers no longer need jailbreaks to get full root access to iPhones, making it much easier for them to do their invaluable research \u2014 <a href=\"https:\/\/www.imore.com\/apple-now-supplying-bug-bounty-hunters-special-iphones\">www.imore.com\/\u2026<\/a> &amp; <a href=\"https:\/\/tidbits.com\/2020\/07\/23\/apple-releases-dedicated-security-researcher-device\/\">tidbits.com\/\u2026<\/a>\n<\/li>\n<li>COVID-related Apps\n<ul>\n<li>Apple have added symptom tracking to their Health app. 
It&#8217;s much broader than the current pandemic, but it may be useful to start tracking your baseline if you normally have COVID-like symptoms for other reasons; that way you have a better chance of noticing a change \u2014 <a href=\"https:\/\/tidbits.com\/2020\/07\/15\/ios-13-6-ipados-13-6-macos-10-15-6-watchos-6-2-8-and-tvos-13-4-8-add-news-features-car-keys-symptom-tracking\/\">tidbits.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; Apple have added CDC travel guidance notifications into Apple Maps for US users re-entering the country \u2014 <a href=\"https:\/\/www.imore.com\/apple-adds-covid-19-travel-reminders-maps\">www.imore.com\/\u2026<\/a><\/li>\n<li>The Google\/Apple API Saga continues:\n<ul>\n<li>&#x1f1ee;&#x1f1ea; &#x1f1ec;&#x1f1e7; &#x1f1fa;&#x1f1f8; Ireland&#8217;s Google\/Apple-based app continues its successful launch, and the software company who wrote it are being approached by other health authorities from around the world, including at least one US state. The same company also produced Northern Ireland&#8217;s app, which is about to be launched. The app has already detected cases in Ireland. \u2014 <a href=\"https:\/\/www.theguardian.com\/world\/2020\/jul\/20\/cheap-popular-and-it-works-irelands-contact-tracing-app-success\">www.theguardian.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.imore.com\/irelands-contact-tracing-app-so-effective-us-wants-it-too\">www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; The Association of Public Health Laboratories (APHL) will build a national COVID-19 exposure notification server for use by state apps using the Apple\/Google API. It will be hosted by Microsoft \u2014 <a href=\"https:\/\/www.imore.com\/aphl-build-national-covid-19-server-using-apple-and-googles-api-hosted-microsoft\">www.imore.com\/\u2026<\/a>\n<ul>\n<li><strong>related:<\/strong> <a href=\"https:\/\/9to5mac.com\/2020\/07\/23\/apple-google-coronavirus\/\">Only four states plan to use Apple\/Google coronavirus API; none yet in use \u2014 9to5mac.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1e6;&#x1f1fa; Despite counter-examples from Europe (Germany, Ireland \u2026), Australia continues to blame Apple for its own failure to build an effective app \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/australian-government-blaming-apple-covid-19-contact-tracing-app-flaws\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Social Media Continues to Evolve\n<ul>\n<li>Facebook Messenger for iOS now allows you to use biometrics to lock the app, so handing someone your phone to quickly do or check something doesn&#8217;t give them access to your messages \u2014 <a href=\"https:\/\/www.imore.com\/facebook-messenger-ios-gets-hefty-new-security-measure\">www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/facebook-adds-live-broadcasting-messenger-rooms\">Facebook adds live broadcasting to Messenger Rooms \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive 1 \u2014 ECJ Ends EU\/US Data Privacy Shield<\/h2>\n<p>Back in the year 2000, the European Commission created <em>Safe Harbour<\/em>, a framework that allowed companies to transfer data on EU citizens to the US. The logic was that US and EU law provided similar protections, so the transfer did not compromise EU citizens&#8217; rights. That always stretched credulity, but the whole idea became ever more untenable as the EU kept adding protections and the US didn\u2019t. 
Even before the GDPR, EU citizens had much better protections than US citizens, and so Safe Harbour was challenged in the European Court of Justice and overturned. In a bit of a mad scramble, the European Commission replaced Safe Harbour with the <em>EU-US Privacy Shield<\/em> in 2016. When the GDPR was introduced it seemed like just a matter of time until this too would fall, and that&#8217;s what happened this month. The ECJ agreed with Austrian privacy activist Max Schrems that the Privacy Shield is not compatible with the GDPR because US law simply doesn&#8217;t provide enough protections.<\/p>\n<p>This doesn&#8217;t mean that data on EU citizens can&#8217;t be transferred to the US; it just means that the 5,378 organisations that were relying on the Privacy Shield as their legal basis for those transfers now need a different one. In practice that means either asking users for their explicit consent or, more commonly and to put it in legalese, using Standard Contractual Clauses, or SCCs.<\/p>\n<p>The most important thing to note is that none of this covers information we as users enter into digital services; it&#8217;s about the data those services collect about us. If an EU citizen uploads a photo to Flickr, shares a file via Dropbox or posts a tweet, that can flow all over the world without issue. This is about what happens to the data that all those trackers infesting the web and our apps are hoovering up all the time.<\/p>\n<p>At the end of the day, as best as I can tell, this won&#8217;t have any negative impact on users, and it just might give us all a little more control over our privacy, and at the very least, should shine a little light on some of the stuff these companies get up to.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/eu-us-privacy-shield-failed-protect-data-eu-citizens-court-rules\">EU-US Privacy Shield failed to protect data of EU citizens, court rules \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.zdnet.com\/article\/its-time-to-say-goodbye-to-the-eu-us-privacy-shield\/\">It\u2019s time to say goodbye to the EU-US Privacy Shield \u2014 www.zdnet.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 2 \u2014 The Twitter Hack<\/h2>\n<p>A small number of very high-profile Twitter accounts were taken over and used to spread a bitcoin scam \u2014 basically &#8220;send me some bitcoin and I&#8217;ll send you back twice as much&#8221;. We now know attempts were made to take over 130 accounts, and 45 of those attempts succeeded. We also know the attackers attempted to generate GDPR-style full data exports from some of the compromised accounts.<\/p>\n<p>This wasn&#8217;t a technical hack, but instead a social engineering attack. According to media reports, we&#8217;re talking about Twitter employees with access to back-end systems being paid to take over the accounts.<\/p>\n<p>Twitter responded promptly and well \u2014 locking down all verified accounts, as well as any accounts whose passwords had recently been changed, tweeting updates on their ongoing investigation, and producing a quite detailed blog post explaining their findings.<\/p>\n<p>This attack in and of itself doesn&#8217;t pose a danger to us regular folk; instead it shines a bright spotlight on just how much power Twitter has in modern political discourse, and underlines the dangers these kinds of massive centralised social media services pose to democratic elections. This attack seems to have been more about the LOLs and making a quick buck, but imagine what a well-resourced nation state could do on US election day were they to get control of Twitter&#8217;s back-end systems like these attackers did!<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>Twitter&#8217;s official blog post: <a href=\"https:\/\/blog.twitter.com\/en_us\/topics\/company\/2020\/an-update-on-our-security-incident.html\">An update on our security incident \u2014 blog.twitter.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.engadget.com\/crypto-scammers-hack-elon-musk-bill-gates-twitter-204011058.html\">Crypto scammers hack Elon Musk, Biden, Obama, and Kanye on Twitter | Engadget \u2014 www.engadget.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-other-high-profile-twitter-accounts-hacked-bitcoin-scam\">Twitter experiences widespread hack in coordinated cryptocurrency scam \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/07\/16\/twitter-limits-tweeting-as-prominent-accounts-spam-out-cryptocoin-scams\/\">Twitter limits tweeting as prominent accounts spam out cryptocoin scams \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a 
href=\"https:\/\/www.nytimes.com\/2020\/07\/17\/technology\/twitter-hackers-interview.html\">Hackers Tell the Story of the Twitter Attack From the Inside \u2014 www.nytimes.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/twitter-says-130-accounts-targeted-45-compromised-security-breach\">Twitter says 130 accounts targeted, 45 compromised in a security breach \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/twitter-says-least-one-elected-official-had-dms-accessed-during-breach\">Twitter says at least one elected official had DMs accessed during breach \u2014 www.imore.com<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/07\/15\/patch-now-sigred-the-wormable-hole-in-your-windows-servers\/\">Patch now! SIGRED \u2013 the wormable hole in your Windows servers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/07\/24\/asus-routers-could-be-reflashed-with-malware-patch-now\/\">ASUS routers could be reflashed with malware \u2013 patch now! 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Apple have updated just about all their OSes; along with some new features there are, of course, security fixes \u2014 <a href=\"https:\/\/arstechnica.com\/?p=1692026\">arstechnica.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.dpreview.com\/news\/4088574048\/adobe-pushes-critical-security-update-for-bridge-photoshop-and-prelude\">Adobe pushes critical security updates for Bridge, Photoshop and Prelude \u2014 www.dpreview.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/07\/20\/7-vpns-that-leaked-their-logs-the-logs-that-didnt-exist\/\">7 VPNs that leaked their logs \u2013 the logs that \u201cdidn\u2019t exist\u201d \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/gedmatch-data-breach\/\">DNA Company \u2018GEDmatch\u2019 Hacked in Data Breach \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/how-to\/dont-close-laptop-lid-cover\/\">Apple Warns Not to Close Your Laptop Lid With a Webcam Cover \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; T-Mobile has announced updated tools for customers to help protect themselves from robocalls and scams. 
They&#8217;re rolling out enhanced caller ID based on STIR\/SHAKEN, and adding free call-blocking services they&#8217;re calling <em>Scam Shield<\/em> \u2014 <a href=\"https:\/\/www.imore.com\/t-mobile-announces-scam-shield-new-free-anti-robocaller-tool\">www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that are likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/how-set-two-factor-authentication-your-skype-account\">How to set up two-factor authentication for your Skype account \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>&#x1f3a7; <a href=\"https:\/\/overcast.fm\/+b-m13Jodg\">Know a Little More: About WiFi 6 \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>A good overview of the research into TikTok. TL;DR, it&#8217;s a security and privacy train-wreck &#x1f641; \u2014 <a href=\"https:\/\/www.macobserver.com\/analysis\/is-tiktok-collecting-data\/\">www.macobserver.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> &#x1f3a7; &#x1f1fa;&#x1f1f8; <a href=\"https:\/\/overcast.fm\/+YH-4n3Ny4\">Reset: Can the government ban TikTok? \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Thanks to the CCPA, reporter Thomas Smith was able to see all the third-party companies he uses that share their data on him with Facebook: <a href=\"https:\/\/onezero.medium.com\/doordash-and-thousands-of-other-companies-passively-send-your-data-to-facebook-4ebe851e710\">Doordash and Thousands of Other Companies Passively Send Your Data to Facebook \u2014 onezero.medium.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/are-smart-locks-really-that-smart\/\">Are \u201cSmart Locks\u201d Really that Smart? \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2020\/07\/thinking-of-a-cybersecurity-career-read-this\/\">Thinking of a Cybersecurity Career? Read This \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Allison:<\/strong> The EFF&#8217;s Atlas of Surveillance \u2014 <a href=\"https:\/\/www.eff.org\/pages\/about-atlas-surveillance-project\">www.eff.org\/\u2026<\/a><\/li>\n<li>A new mini-series of Red Hat&#8217;s Command Line Heroes has started, focusing on how to become a coder. The first episode is out: <a href=\"https:\/\/overcast.fm\/+LGh6EHf04\">Command Line Heroes: Becoming a Coder \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to; when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Example of Financial Institution Authentication Two weeks ago we talked about the new method of authentication I\u2019d encountered with my bank and you had it too, where you go to log in on a [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147],"tags":[4246,4247,50,569,4245],"class_list":["post-21497","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","tag-atlas-of-surveillance","tag-privacy-shield","tag-security","tag-security-bits","tag-twitter-hack"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/21497","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/w
p-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=21497"}],"version-history":[{"count":6,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/21497\/revisions"}],"predecessor-version":[{"id":21514,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/21497\/revisions\/21514"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=21497"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=21497"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=21497"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}