{"id":21758,"date":"2020-08-30T14:33:19","date_gmt":"2020-08-30T21:33:19","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=21758"},"modified":"2020-08-30T14:33:19","modified_gmt":"2020-08-30T21:33:19","slug":"sb-2020-08-30","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2020\/08\/sb-2020-08-30\/","title":{"rendered":"Security Bits \u2014 30 August 2020"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; Pennsylvania has announced plans to release an Apple\/Google-based COVID app in September \u2014 <a href=\"https:\/\/www.imore.com\/apple-and-googles-contact-tracing-tech-coming-another-us-state\">www.imore.com\/\u2026<\/a>\n<ul>\n<li>Which U.S. states are using Apple\u2019s Exposure Notification API for COVID-19 contact tracing? <a href=\"https:\/\/9to5mac.com\/2020\/08\/24\/covid-19-exposure-notification-api-states\/\">9to5mac.com\/&#8230;<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1e6;&#x1f1fa; Australia&#8217;s non-Google\/Apple COVID app continues to struggle with success rates while phones are locked between 27% &amp; 40% (<strong>Editorial by Bart:<\/strong> this is of course completely expected, and, what surprises me is that it sometimes nearly manages to work half the time) \u2014 <a href=\"https:\/\/www.imore.com\/australias-covidsafe-app-only-working-27-time-some-iphones\">www.imore.com\/\u2026<\/a>;<\/li>\n<li>&#x1f1ec;&#x1f1e7; English &amp; Welsh victims of the massive 2014-2018 data breach at Marriott hotels are suing the company. 
According to the UK Information Commissioner, 7M UK residents were caught up in the breach \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/marriott-facing-lawsuit-over-major-data-breach\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive \u2014 Is a 6-Digit PIN Safe on your iOS Device?<\/h2>\n<p>Thanks to COVID a lot of people who relied on FaceID to make the inconvenience of an alphanumeric password on their iOS devices an acceptable experience are now being tempted to revert to a 6-digit PIN.<\/p>\n<p>An anecdote has emerged that suggests that perhaps there are now enough GreyKey-like machines out there that they have made their way into the hands of regular criminals, and that they are being used to crack iOS PINs on stolen devices.<\/p>\n<p>Somehow, a user who recently had an iPhone with a 6-digit passcode stolen found that the thieves had cracked the PIN, used the PIN to access his KeyChain and then used his passwords to steal $30K via unauthorised wire transfers, spend $2.5K in the AppStore, and break into loads of the user&#8217;s online accounts.<\/p>\n<p>The assumption is that the criminals who stole the phone used a second-hand iPhone cracking device like the GreyKey to crack the PIN. We know these devices exist, but in theory, they are only available to law enforcement. Mind you, at least one example has been reported of one of these devices for sale on eBay, so it&#8217;s not unreasonable to assume they are leaking out beyond the law enforcement community. Of course, good old-fashioned corruption is another possibility \u2014 a bad cop making a few bucks on the side cracking iPhones for their mob buddies doesn&#8217;t seem too outlandish to me.<\/p>\n<p>It&#8217;s important to remember that this is <strong>a single anecdote<\/strong>, and, we are <strong>assuming the PIN was cracked<\/strong>, and guessing that was done with a GreyKey-like device. 
Be careful not to read too much into this one very wobbly datapoint!<\/p>\n<p>Having said that, my advice remains as it always was, use a real password on your iOS device. If you set your phone to erase after 10 failed attempts, then a 6-character password seems adequate to me \u2014 there&#8217;s a lot more entropy in even a terrible password like <code>M0nkey<\/code> than there is in any six-digit PIN!<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/daringfireball.net\/linked\/2020\/08\/24\/can-thieves-crack-6-digit-iphone-passcodes\">Can Thieves Crack 6-Digit iPhone Passcodes? \u2014 daringfireball.net\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/if-hackers-crack-a-six-digit-iphone-passcode-they-can-get-all-your-passwords\/\">If Hackers Crack a Six-Digit iPhone Passcode, They Can Get All Your Passwords \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Don&#8217;t believe every Android notification you get, even if it&#8217;s from a reputable app \u2014 security researchers have found flaws in how even major companies secure their notification services, and attackers are actively exploiting notifications from high-profile apps including Google Hangouts &amp; Microsoft Teams \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/08\/28\/fake-android-notifications-first-google-then-microsoft-affected\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2020\/08\/voice-phishers-targeting-corporate-vpns\/\">Voice Phishers Targeting Corporate VPNs \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Security researchers have published details of an as-yet-unpatched bug in Safari that allows it to leak some local files, including your browsing history \u2014 <a 
href=\"https:\/\/www.macobserver.com\/news\/product-news\/safari-web-share-api-bug\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/235m-tiktok-instagram-and-youtube-profiles-caught-data-breach\">235M TikTok, Instagram, and YouTube profiles caught up in data breach \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/securethoughts.com\/medical-data-of-auto-accident-victims-exposed-online\/\">Medical Data of Auto Accident Victims Exposed Online \u2014 securethoughts.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>A report from the Institute for Strategic Dialogue, a UK counter-extremist organisation, has found that Facebook&#8217;s algorithm &#8216;actively promotes&#8217; Holocaust denial \u2014 <a href=\"https:\/\/www.theguardian.com\/world\/2020\/aug\/16\/facebook-algorithm-found-to-actively-promote-holocaust-denial\">www.theguardian.com\/\u2026<\/a>\n<ul>\n<li><strong>Related<\/strong> Auschwitz Museum Twitter account to see the face of one person per day who was murdered and learn a little bit about them <a href=\"https:\/\/twitter.com\/auschwitzmuseum\">twitter.com\/&#8230;<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Facebook is pro-actively warning their customers (advertisers), that Apple&#8217;s iOS 14 privacy features will cut their revenue by an estimated 50%, and that their entire <em>Audience Network<\/em> tool might become unviable on iOS \u2014 <a href=\"https:\/\/arstechnica.com\/?p=1701438\">arstechnica.com\/\u2026<\/a>\n<ul>\n<li><strong>Bonus:<\/strong> Best headline I&#8217;ve seen on this story: <a href=\"https:\/\/www.theregister.com\/2020\/08\/27\/facebook_ios_ads\/\">Facebook apologizes to users, businesses for Apple\u2019s monstrous efforts to protect its customers&#8217; privacy \u2014 www.theregister.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.macobserver.com\/news\/news-media-worry-ios-14\/\">News Publishers Join Facebook in Worry 
Over iOS 14 Anti-Tracking Feature \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tip, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/cool-stuff-found\/take-control-zoom-essentials\/\">Glenn Fleishmann Introduces Free Book \u2018Take Control of Zoom Essentials\u2019 \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<p><img decoding=\"async\" src=\"https:\/\/imgs.xkcd.com\/comics\/dependency.png\" alt=\"xkcd.com\/...\" title=\"Someday ImageMagick will finally break for good and we'll have a long period of scrambling as we try to reassemble civilization from the rubble.\" \/><\/p>\n<p><a href=\"https:\/\/xkcd.com\/2347\/\">Dependency \u2014 xkcd.com\/\u2026<\/a><\/p>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td 
align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. &#x1f1fa;&#x1f1f8; Pennsylvania has announced plans to release an Apple\/Google-based COVID app in September \u2014 www.imore.com\/\u2026 Which U.S. states are using Apple\u2019s Exposure Notification API for COVID-19 contact tracing? 
9to5mac.com\/&#8230; &#x1f1e6;&#x1f1fa; Australia&#8217;s non-Google\/Apple COVID app [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[515,2650,156,126,50,569,2003],"class_list":["post-21758","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-android","tag-breach","tag-facebook","tag-ios","tag-security","tag-security-bits","tag-vulnerabilities"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/21758","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=21758"}],"version-history":[{"count":4,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/21758\/revisions"}],"predecessor-version":[{"id":21762,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/21758\/revisions\/21762"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=21758"}],"wp:term":[{"taxonomy":"
category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=21758"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=21758"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}