{"id":21667,"date":"2020-08-16T13:31:58","date_gmt":"2020-08-16T20:31:58","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=21667"},"modified":"2020-08-16T13:31:58","modified_gmt":"2020-08-16T20:31:58","slug":"sb-2020-08-16","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2020\/08\/sb-2020-08-16\/","title":{"rendered":"Security Bits \u2014 16 August 2020"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>COVID Exposure Notification\/Contact Tracing apps continue to roll out:\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.imore.com\/virginia-releases-first-apple-and-google-powered-covid-19-app-us\">Virginia releases first Apple and Google-powered COVID-19 app in U.S. \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; North Dakota, Wyoming, and Alabama follow: <a href=\"https:\/\/www.imore.com\/three-more-us-states-launch-contact-tracing-apps-using-applegoogle-tech\">Three more U.S. 
states launch contact tracing apps using Apple\/Google tech \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/www.bbc.com\/news\/technology-53753678\">England&#8217;s contact-tracing app gets green light for trial \u2014 www.bbc.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Last Month&#8217;s Twitter Hack:\n<ul>\n<li>Twitter updated their blog post explaining the hack with some more details \u2014 it was a well-executed attack against the humans running Twitter (the <em>squishy organic bit<\/em> as I like to say &#x1f609;) \u2014 <a href=\"https:\/\/blog.twitter.com\/en_us\/topics\/company\/2020\/an-update-on-our-security-incident.html\">blog.twitter.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.theverge.com\/2020\/7\/31\/21349920\/twitter-hack-arrest-florida-teen-fbi-irs-secret-service\">Three people have been charged for Twitter\u2019s huge hack, and a Florida teen is in jail \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>After a year of trying to find a buyer, Troy Hunt has taken a different approach \u2014 <em>Have I Been Pwned<\/em> has gone open source: <a href=\"https:\/\/www.troyhunt.com\/im-open-sourcing-the-have-i-been-pwned-code-base\/\">I&#8217;m Open Sourcing the Have I Been Pwned Code Base \u2014 www.troyhunt.com\/\u2026<\/a><\/li>\n<li>Social media companies continue to tackle abuses of their platforms:\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/whatsapps-newest-feature-makes-it-easier-debunk-hoaxes\">WhatsApp&#8217;s newest feature makes it easier to debunk hoaxes \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>After an initial false start, Twitter has rolled out reply-limiting to all users (when you post a tweet you can limit who can reply to everyone, just people you follow, or only those mentioned in the tweet) \u2014 <a href=\"https:\/\/www.imore.com\/not-drill-twitter-rolls-out-reply-limiting-feature-everyone\">www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/threema-encrypted-video-calls\/\">\u2018Threema\u2019 Now Supports End-to-End Encrypted Video Calls \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.theverge.com\/2020\/8\/14\/21369737\/facebook-merging-instagram-messenger-chats-update\">Facebook begins merging Instagram and Messenger chats in new update \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/news\/snapchat-voting-tools\/\">Snapchat Voting Tools to Appear in September \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.imore.com\/facebook-launches-2020-voting-information-center\">Facebook launches 2020 Voting Information Center \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.washingtonpost.com\/technology\/2020\/08\/05\/trump-post-removed-facebook\/\">Facebook, Twitter penalize Trump for posts containing coronavirus misinformation \u2014 www.washingtonpost.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 &#x1f9ef; &#8216;Unpatchable&#8217; Secure Enclave Vulnerability<\/h2>\n<p>Security researchers claim to have found a vulnerability in older versions of Apple&#8217;s Secure Enclave. The problem is in code that&#8217;s effectively burned into the Secure Enclave chip, making it impossible to patch via a software update.<\/p>\n<p>The researchers revealed very little information, but based on what we do know it seems this is nowhere near as big a deal as it sounds. Why? Because the bug can only be exploited at boot time, it requires physical access to the device, and it has already been fixed in the newer A12 and A13 chips, so only older devices are affected.<\/p>\n<p>In short, unless you&#8217;re important enough to be the target of a very sophisticated attack, and yet run an old phone, and have lost physical control of it, you&#8217;re not at risk.<\/p>\n<p>If you <em>are<\/em> important enough to be a target, and you&#8217;re using an older device, you have a simple solution at your disposal \u2014 get a newer iPhone &#x1f642;<\/p>\n<p>More Details: <a href=\"https:\/\/appleinsider.com\/articles\/20\/08\/03\/security-enclave-vulnerability-seems-scary-but-wont-affect-most-iphone-users\">Security Enclave vulnerability seems scary, but won&#8217;t affect most iPhone users \u2014 appleinsider.com\/\u2026<\/a><\/p>\n<ul>\n<li><a href=\"https:\/\/www.loopinsight.com\/2020\/08\/03\/new-unpatchable-exploit-allegedly-found-on-apples-secure-enclave-chip\/\">New \u2018unpatchable\u2019 exploit allegedly found on Apple\u2019s Secure Enclave chip \u2014 www.loopinsight.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li>Critical security updates have been released for Grub2, the open source boot loader used by many Linux distros. 
The updates include a patch for the catchily named <em>BootHole<\/em> bug \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/07\/30\/servers-at-risk-from-boothole-bug-what-you-need-to-know\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Last Tuesday was <em>Patch Tuesday<\/em>, seeing the usual release of critical updates from Microsoft (Windows) &amp; Adobe \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2020\/08\/microsoft-patch-tuesday-august-2020-edition\/\">krebsonsecurity.com\/\u2026<\/a>\n<ul>\n<li>Adobe have released security updates for Acrobat, Reader &amp; Lightroom \u2014 <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2020\/08\/11\/adobe-releases-security-updates\">us-cert.cisa.gov\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Apple have released security updates for all their major OSes \u2014 <a href=\"https:\/\/arstechnica.com\/?p=1698540\">arstechnica.com\/\u2026<\/a><\/li>\n<li>Apple have released security updates for iCloud on Windows \u2014 <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2020\/08\/11\/apple-releases-security-updates-icloud-windows\">us-cert.cisa.gov\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/07\/29\/us-tax-service-says-2fa-is-a-must\/\">US tax service says, \u201c2FA is a must!\u201d \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>High profile YouTube channels are coming under attack, and those that fall are being used to spread bitcoin scams. 
YouTube seems incapable or unwilling to respond effectively \u2014 <a href=\"https:\/\/www.imore.com\/youtube-experiencing-egregious-bitcoin-hack-no-one-fixing\">www.imore.com\/\u2026<\/a>\n<ul>\n<li>A deeper dive: <a href=\"https:\/\/www.imore.com\/how-malware-started-bitcoin-hack-youtube-just-cant-keep\">How malware started a Bitcoin hack that YouTube just can&#8217;t keep up with \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f3a7; <strong>Related:<\/strong> A good deep-dive into what&#8217;s going on: <a href=\"https:\/\/overcast.fm\/+HLr6tFsrI\">Checklist Episode 194 &#8211; YouTube Hijacking Bitcoin Blues with Stephen Warwick \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Microsoft have launched <em>Microsoft Family Safety<\/em>, effectively mobile device management for families, on iOS &amp; Android \u2014 <a href=\"https:\/\/www.imore.com\/microsofts-family-safety-launches-android-and-ios\">www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/lastpass-will-now-monitor-your-accounts-breaches-and-risk-passwords-and-alert-you-when-you-need\">LastPass will now monitor your accounts for breaches and at-risk passwords and alert you when you need to change them \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that are likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2020\/08\/why-where-you-should-you-plant-your-flag\/\">Why &amp; Where You Should Plant Your Flag \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/how-to-send-files-securely\/\">How to Send Files Securely \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting 
Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1691715\">Here\u2019s why Apple believes it\u2019s an AI leader\u2014and why it says critics have it all wrong \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>&#x1f4ca; The Periodic Table like you&#8217;ve never seen it before, colour-coded to show how each element was created (Big Bang, supernova, etc.) \u2014 <a href=\"https:\/\/apod.nasa.gov\/apod\/ap200809.html\">apod.nasa.gov\/\u2026<\/a>\n<ul>\n<li>A semi-accessible SVG version of the Periodic Table <a href=\"https:\/\/upload.wikimedia.org\/wikipedia\/commons\/3\/31\/Nucleosynthesis_periodic_table.svg\">upload.wikimedia.org\/&#8230;<\/a>. I say semi-accessible because you have to interpret how VoiceOver reads out element symbols. Helium, for example, sounds just like He, which is how it&#8217;s spelled.<\/li>\n<\/ul>\n<\/li>\n<li>&#x2763;&#xfe0f; Breaking News: Macmillan Dictionary now includes over 50 emoji, carefully selected by lexicographer<br \/>\n<a href=\"https:\/\/janesolomon\" target=\"_blank\" rel=\"noopener noreferrer\">@janesolomon<\/a>: <a href=\"https:\/\/www.macmillandictionary.com\/learn\/emoji.html\">Emoji in Macmillan Dictionary<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. COVID Exposure Notification\/Contact Tracing apps continue to roll out: &#x1f1fa;&#x1f1f8; Virginia releases first Apple and Google-powered COVID-19 app in U.S. \u2014 www.imore.com\/\u2026 &#x1f1fa;&#x1f1f8; North Dakota, Wyoming, and Alabama follow: Three more U.S. 
states launch [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4275,50,569,2003],"class_list":["post-21667","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-secure-enclave","tag-security","tag-security-bits","tag-vulnerabilities"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/21667","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=21667"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/21667\/revisions"}],"predecessor-version":[{"id":21670,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/21667\/revisions\/21670"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=21667"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=21667"},{"tax
onomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=21667"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}