{"id":23153,"date":"2021-03-07T13:54:02","date_gmt":"2021-03-07T21:54:02","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=23153"},"modified":"2021-03-07T13:54:02","modified_gmt":"2021-03-07T21:54:02","slug":"sb-2021-03-07","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/03\/sb-2021-03-07\/","title":{"rendered":"Security Bits \u2014 7 March 2021"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li><em>Silver Sparrow<\/em> Mac Malware Update:\n<ul>\n<li><strong>Correction:<\/strong> in the previous Security Bits we made it sound like 30K M1 Macs were infected with this new strain of malware, and that it only affected M1 Macs. That&#8217;s not correct. The malware has simply been compiled using Apple&#8217;s tools so it runs natively on both Apple Silicon and Intel CPUs (i.e. it&#8217;s a <em>Universal Binary<\/em>), and the 30K infections cover both platforms \u2014 <a href=\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/\">www.intego.com\/\u2026<\/a><\/li>\n<li>In the previous instalment Allison asked how to tell if you were infected, I didn&#8217;t have an answer, but now I do: <a href=\"https:\/\/www.macobserver.com\/news\/how-find-silver-sparrow\/\">How to Find Out if Your Mac has \u2018Silver Sparrow\u2019 Malware \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f3a7; <strong>Related Suggested Listening:<\/strong> An excellent interview with stalwart Mac security researcher Patrick Wardle covering Silver Sparrow in particular, and malware on M1 Macs in general \u2014 <a href=\"https:\/\/overcast.fm\/+HLr6-CTBE\">The Checklist by SecureMac Ep. 
220: Malware and the M1 with Patrick Wardle \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>App Tracking Transparency Update:\n<ul>\n<li>Facebook starts making the case for tracking to the users who will soon get to make their own decisions on cross-app tracking \u2014 <a href=\"https:\/\/www.imore.com\/facebook-has-new-initiative-highlight-importance-personalized-ads\">www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/twitter-hails-ios-14-privacy-changes\">Twitter hails iOS 14 privacy changes \u2014 www.imore.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.imore.com\/twitter-announces-paid-super-follows-alongside-facebook-group-communities\">Twitter announces paid-for Super Follows alongside Facebook Group-like Communities \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.imore.com\/linkedin-stop-collecting-tracking-data-apple-shames-it\">LinkedIn to stop collecting tracking data before Apple shames it \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive 1 \u2014 FireFox&#8217;s <em>Total Cookie Protection<\/em><\/h2>\n<p>The latest Firefox update brings along a very substantial change to how the browser handles cookies, and it&#8217;s a privacy game-changer, effectively ending third-party cookies.<\/p>\n<p>Before describing what Firefox have done, let&#8217;s describe the world as it has been up until now.<\/p>\n<p>To keep things clear, we need to agree on some terminology.<\/p>\n<p>Firstly, the URL in the address bar defines what I&#8217;ll refer to as the <em>primary site<\/em>. It&#8217;s where you explicitly chose to send your browser in some way, perhaps by clicking a link, opening a bookmark, or typing it into the address bar.<\/p>\n<p>When your browser loads the primary web page there are two parties involved, the browser and the site&#8217;s web server. 
These are the <em>first and second parties<\/em>.<\/p>\n<p>Web pages can embed resources from other websites. Those could be anything, images, videos, scripts, little embedded sub-pages (iframes) etc. To load those resources your browser has to talk to the web servers hosting them, and those web servers are all <em>third parties<\/em>. You didn&#8217;t explicitly choose to contact those servers, they were implicitly contacted so as to be able to load the page you did explicitly request.<\/p>\n<p>Every time your browser contacts any web server that server can include a little token in the reply and ask the browser to store that token locally, and to include that same token in all future requests to that server. These tokens are called <em>cookies<\/em>, and the browser stores them in a so-called <em>cookie jar<\/em>.<\/p>\n<p>Every cookie in a cookie jar contains at least four important pieces of information:<\/p>\n<ol>\n<li>the domain of the website that sent (or set) the cookie<\/li>\n<li>a name for the cookie<\/li>\n<li>a value for the cookie<\/li>\n<li>an expiration date for the cookie<\/li>\n<\/ol>\n<p>In this pre-total-cookie-protection world, the browser retains one cookie jar for all regular tabs and all regular windows, and that jar is permanent, when you quit and re-start the browser all the cookies are still in that jar.<\/p>\n<p>One of the things that makes private browser mode different is that those tabs get their own cookie jar, and the private cookie jar is not permanent, when you quit the browser the private cookie jar gets emptied.<\/p>\n<p>In this world, ad tracking works by asking the owners of primary websites to embed a resource (perhaps just 1px by 1px image) in their page that loads from a server that&#8217;s part of the ad tracking network. That server is a third-party, and they can include a cookie in their reply. 
The browser gets the cookie that contains a unique ID, and stores it in the one universal cookie jar.<\/p>\n<p>Every time the user visits another primary website with the same tracker embedded, their browser returns the cookie it was sent before, telling the server they are the same person from the other websites in the process.<\/p>\n<p>So, third-party cookies facilitate the tracking of users across the primary websites they visit, assuming those primary sites are integrated with the same tracker.<\/p>\n<p>You might think that blocking third-party cookies would solve the tracking problem, and it would, but, not without some serious collateral damage!<\/p>\n<p>3rd party cookies were not invented for tracking, they were invented to facilitate relationships between sites. Among those relationships are authentication relationships \u2014 you can&#8217;t have any kind of single-sign-on without 3rd party cookies, so when you block them, some things simply stop working, you find yourself logged out of some sites and unable to log in.<\/p>\n<p>So, the desire is to allow the cross-site relationships we rely on while blocking tracking.<\/p>\n<p>Until now, the approach has been to assume all 3rd-party cookies are legitimate and to block known trackers by simply not saving cookies from their domains into the one universal cookie jar.<\/p>\n<p>Firefox have turned that approach on its head. Rather than assuming all 3rd-party cookies are fine and block-listing known trackers, they are assuming all 3rd-party cookies are hostile, and allow-listing only authentication providers.<\/p>\n<p>Only authentication cookies go into the universal cookie jar, and all other cookies go into a per-site cookie jar for each primary website you visit. When you go to <code>google.com<\/code> a Google-only cookie jar is created, when you go to <code>facebook.com<\/code> a Facebook-only cookie jar is created, and so on. 
Each jar is still storing 3rd-party cookies, but they&#8217;re all independent of each other, so a tracker sees you on Google and you on Facebook as two completely separate people, putting an end to cross-site tracking via cookies.<\/p>\n<p>Something else to note, Firefox are not only relying on allow-lists of known authenticators, they are also including some algorithms (probably ML of some kind) to detect authentication-like behaviour and allow those cookies into the global cookie jar. Assuming Firefox can keep these algorithms well-tuned they should make this entire change 100% transparent to users.<\/p>\n<p>Finally, just a reminder that none of this in any way alters your relationship to the primary sites you visit. When you go to a site, that site can track what you do on that site, and it will always be able to do so, nothing can change that. Firefox can stop Facebook from seeing what you do on Reddit, but it can never stop Facebook seeing what you do on Facebook!<\/p>\n<p><strong>Link:<\/strong> <a href=\"https:\/\/www.imore.com\/firefox-has-just-announced-major-privacy-advance\">Mozilla has just announced a &#8216;major privacy advance&#8217; for its Firefox browser \u2014 www.imore.com\/\u2026<\/a><\/p>\n<h2>Deep Dive 2 \u2014 Has Google Seen the Light?<\/h2>\n<p>Google released a blog post announcing their intention to move away from cookie-based tracking and switching to privacy-respecting aggregate tracking instead.<\/p>\n<p>Some Highlights:<\/p>\n<blockquote><p>\n  \u2026 If digital advertising doesn&#8217;t evolve to address the growing concerns people have about their privacy and how their personal identity is being used, we risk the future of the free and open web.<\/p>\n<p>  That\u2019s why last year Chrome announced its intent to remove support for third-party cookies, and why we\u2019ve been working with the broader industry on the Privacy Sandbox to build innovations that protect anonymity while still delivering results for advertisers and 
publishers. Even so, we continue to get questions about whether Google will join others in the ad tech industry who plan to replace third-party cookies with alternative user-level identifiers. Today, we\u2019re making explicit that once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products.<br \/>\n  \u2026<br \/>\n  \u2026 our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers.\n<\/p><\/blockquote>\n<p>I&#8217;d love to be able to go into great technical detail, but I can&#8217;t, because Google haven&#8217;t told us what they will do, just what they won&#8217;t, and some vague aspirations.<\/p>\n<p>I don&#8217;t know whether Google are being good netizens, or if they&#8217;re just being pragmatic and can see the writing on the wall for the modern tracking ecosystem. I&#8217;m not sure that&#8217;s what really matters though. Regardless of their motivation, what we need to see is the actual technology they roll out. Will it actually preserve privacy? Or will it just be a case of <em>meet the new boss, same as the old boss<\/em>?<\/p>\n<p>My approach is to welcome the sentiment, assume they are being genuine, but verify that assumption when they start rolling out actual technology. 
Basically, I&#8217;m taking a page from President Reagan&#8217;s book \u2014 <em>trust but verify<\/em>.<\/p>\n<h3>Links:<\/h3>\n<ul>\n<li>Google&#8217;s blog post: <a href=\"https:\/\/blog.google\/products\/ads-commerce\/a-more-privacy-first-web\">Charting a course towards a more privacy-first web \u2014 blog.google\/\u2026<\/a><\/li>\n<li><strong>Related Opinion\/Analysis:<\/strong>\n<ul>\n<li><a href=\"https:\/\/www.eff.org\/deeplinks\/2021\/03\/googles-floc-terrible-idea\">Google\u2019s FLoC Is a Terrible Idea | Electronic Frontier Foundation \u2014 www.eff.org\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/daringfireball.net\/2021\/03\/google_advertising_share\">Google\u2019s Outsized Share of Advertising Money \u2014 daringfireball.net\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/02\/23\/keybase-secure-messaging-fixes-photo-leaking-bug-patch-now\/\">Keybase secure messaging fixes photo-leaking bug \u2013 patch now! \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/03\/04\/another-chrome-zero-day-exploit-so-get-that-update-done\/\">Another Chrome zero-day exploit \u2013 so get that update done! 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/tidbits.com\/2021\/02\/26\/macos-11-2-2-protects-macbook-pro-and-macbook-air-from-non-compliant-usb-c-hubs-and-docs\/\">macOS 11.2.2 Protects MacBook Pro and MacBook Air from Non-Compliant USB-C Hubs and Docs \u2014 tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><strong>From Allison:<\/strong> <a href=\"https:\/\/www.tomsguide.com\/news\/lastpass-android-app-tracking\">LastPass Android app tracking users, says researcher \u2014 www.tomsguide.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/03\/03\/i-see-you-your-home-working-photos-reveal-more-than-you-think\/\">I see you: your home-working photos reveal more than you think! \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Microsoft have released an out-of-band emergency patch for their Exchange corporate group-ware server, plugging a collection of vulnerabilities being actively exploited by a newly discovered Chinese espionage group to break into large corporations and education and research institutions \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2021\/03\/microsoft-chinese-cyberspies-used-4-exchange-server-flaws-to-plunder-emails\/\">Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails \u2014 krebsonsecurity.com\/\u2026<\/a>\n<ul>\n<li>Microsoft&#8217;s post about the attacks: <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/03\/02\/hafnium-targeting-exchange-servers\/\">HAFNIUM targeting Exchange Servers with 0-day exploits \u2014 www.microsoft.com\/\u2026<\/a><\/li>\n<li>Microsoft&#8217;s Advisory on the vulnerabilities: <a 
href=\"https:\/\/msrc-blog.microsoft.com\/2021\/03\/02\/multiple-security-updates-released-for-exchange-server\/\">Multiple Security Updates Released for Exchange Server \u2013 updated March 5, 2021 \u2014 msrc-blog.microsoft.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/tidbits.com\/2021\/03\/04\/brave-to-launch-its-own-search-engine\/\">Brave to Launch Its Own Search Engine \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/news\/tiktok-settles-for-92-million\/\">TikTok Settles Class Action Lawsuit for $92 Million \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.cnet.com\/how-to\/transferring-photos-from-icloud-to-google-photos-is-finally-possible-heres-how\/\">Transferring photos from iCloud to Google Photos is finally possible. Here&#8217;s how &#8211; CNET<\/a><\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tip, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/03\/04\/using-tiktok-check-out-these-six-security-tips\/\">Using TikTok? 
Check out these six security tips \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>A good summary and explanation of the recent faux-scandal around a locked Apple ID: <a href=\"https:\/\/tidbits.com\/2021\/03\/05\/the-mystery-of-dustin-curtiss-locked-apple-id\/\">The Mystery of Dustin Curtis\u2019s Locked Apple ID \u2014 tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>Excellent reporting from Wired highlights the fact that many mobile apps make use of cloud services for their back-ends, and many of them are misconfigured, making them insecure: <a href=\"https:\/\/www.wired.com\/story\/ios-android-leaky-apps-cloud\/\">Thousands of Android and iOS Apps Leak Data From the Cloud \u2014 www.wired.com\/\u2026<\/a><\/li>\n<li>Brian Krebs explains a concerning new development in malware economics \u2014 grey-hat companies and cybercriminals are paying browser plugin creators to add extra code into their extensions, or are simply buying popular extensions outright and adding in extra nefarious code themselves: <a href=\"https:\/\/krebsonsecurity.com\/2021\/03\/is-your-browser-extension-a-botnet-backdoor\/\">Is Your Browser Extension a Botnet Backdoor? 
\u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>A fascinating deep-dive into a modern malware delivery mechanism: <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/03\/02\/search-crimes-how-the-gootkit-gang-poisons-google-searches\/\">Search crimes \u2013 how the Gootkit gang poisons Google searches \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>&#x1f3a6; <strong>Bart:<\/strong>  Perseverance filmed itself landing on Mars \u2014 <a href=\"https:\/\/apod.nasa.gov\/apod\/ap210223.html\">apod.nasa.gov\/\u2026<\/a><\/li>\n<li><strong>Bart:<\/strong> <a href=\"https:\/\/www.theverge.com\/2021\/2\/23\/22297094\/hidden-message-parachute-nasa-mars-perseverance-rover\">There\u2019s a hidden message in the parachute of NASA\u2019s Mars rover \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<li><strong>Allison:<\/strong> <a href=\"https:\/\/xkcd.com\/2433\/\">Mars Rovers \u2014 xkcd.com\/\u2026<\/a><br \/>\n<img decoding=\"async\" src=\"https:\/\/imgs.xkcd.com\/comics\/mars_rovers.png\" alt=\"XKCD Comic\" title=\"I just Googled 'roomba sojourner mod' and was sorely disappointed. 
Be the change, I guess!\" \/><\/li>\n<li><strong>Allison:<\/strong> <a href=\"https:\/\/youtu.be\/u20ETyp4jx4\">Luke Miani creates the first &#8220;M1 iMac mini&#8221;<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Silver Sparrow Mac Malware Update: Correction: in the previous Security Bits we made it sound like 30K M1 Macs were infected with this new strain of malware, and that it only affected M1 Macs. [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[71,4525,4526,1892],"class_list":["post-23153","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-firefox","tag-firefox-total-cookie-protection","tag-google-tracking","tag-third-party-cookies"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ww
w.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=23153"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23153\/revisions"}],"predecessor-version":[{"id":23155,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23153\/revisions\/23155"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=23153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=23153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=23153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}