{"id":23269,"date":"2021-03-21T14:23:59","date_gmt":"2021-03-21T21:23:59","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=23269"},"modified":"2021-03-21T14:23:59","modified_gmt":"2021-03-21T21:23:59","slug":"sb-2021-03-21","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/03\/sb-2021-03-21\/","title":{"rendered":"Security Bits \u2014 21 March 2021"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>An interesting timeline of the Microsoft Exchange mega-attack discussed last time (<em><strong>Editorial by Bart:<\/strong> it really begs the question &#8216;what took Microsoft so long?&#8217;<\/em>) \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2021\/03\/a-basic-timeline-of-the-exchange-mass-hack\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Bloomberg reports that when Parler (the social media app that powered the failed US insurrection on January 6th) came back online they applied to be re-listed on the iOS App Store, but Apple rejected them for &#8216;highly objectionable content&#8217; \u2014 <a href=\"https:\/\/www.imore.com\/apple-denies-parler-request-rejoin-app-store-citing-highly-objectionable-content\">www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-launches-single-hub-privacy-labels-its-own-native-apps\">Apple launches a single hub for privacy labels on its own native apps \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>Apple&#8217;s upcoming App Tracking Transparency feature:\n<ul>\n<li>Facebook &amp; ATT:\n<ul>\n<li>Former Facebook employees say Facebook&#8217;s argument that Apple&#8217;s privacy changes will damage small businesses doesn&#8217;t stack up; they suggest Facebook is only worried about Facebook \u2014 <a 
href=\"https:\/\/www.imore.com\/ios-14-tracking-changes-not-affecting-small-business-owner-claims-former-employee\">www.imore.com\/\u2026<\/a><\/li>\n<li>Mark Zuckerberg changes his tune on ATT: in a Clubhouse chat he suggested that if it becomes harder to track people across apps, more companies may want to work directly with Facebook so their interactions are first-party \u2014 <a href=\"https:\/\/www.imore.com\/zuckerberg-now-says-facebook-may-benefit-ios-14-privacy-changes\">Zuckerberg now says Facebook may benefit from iOS 14 privacy changes \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Reports have surfaced of a Chinese government-sponsored tool for cross-app tracking that avoids iOS&#8217;s IDFA (ID For Advertisers), the ID ATT protects; the Chinese government is apparently encouraging Chinese app makers to use this new technology to keep tracking users across apps without consent once ATT is enforced later this spring \u2014 <a href=\"https:\/\/arstechnica.com\/?p=1749913\">arstechnica.com\/\u2026<\/a><\/li>\n<li>Apple warned developers not to try to work around ATT \u2014 <a href=\"https:\/\/www.imore.com\/apple-warning-app-developers-not-skirt-its-privacy-changes-ios-14\">www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Privacy Mini \u2014 That T-Mobile Tracking Story (by Allison)<\/h2>\n<p>Last week a big news story was that T-Mobile was going to start tracking users for advertising on their phones. 
I posted the story in our Slack from <a href=\"https:\/\/bgr.com\/2021\/03\/09\/t-mobile-data-privacy-update-share-advertiser-opt-out\/\" target=\"_blank\" rel=\"noopener\">BGR where they showed how to opt out<\/a>.<\/p>\n<p>I was all smug and happy that I didn\u2019t have T-Mobile, when Sandy pointed out that most cell companies in the US do this and she was glad that at least T-Mobile notified users (and there was a way to opt out).<\/p>\n<p>I then dug into the privacy settings on AT&amp;T\u2019s site and disabled \u201crelevant ads\u201d on all of our cell phones. I also had a friend of mine figure out how to do it on her Verizon account. Verizon had three toggles she was able to turn off: \u201ccustomer proprietary network info\u201d, \u201cbusiness and marketing insights\u201d and \u201crelevant mobile advertising\u201d.<\/p>\n<p>I KNOW you\u2019ve told us they do this before, but what we\u2019ve learned about what they do with this tracking lately made this much more front of mind and now I took it seriously.<\/p>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action: if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/new-apple-security-updates-recommended-all-users\">New Apple security updates &#8216;recommended for all users&#8217; \u2014 www.imore.com\/\u2026<\/a> (iOS 14, watchOS 7 &amp; macOS Big Sur)<\/li>\n<li>March&#8217;s Patch Tuesday saw Microsoft fix 82 flaws, 10 rated critical, one of which is being actively exploited in the wild \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2021\/03\/microsoft-patch-tuesday-march-2021-edition\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a 
href=\"https:\/\/techcrunch.com\/2021\/03\/09\/iphone-thousands-calls-exposed\/\">A bug in a popular iPhone app exposed thousands of call recordings \u2014 techcrunch.com\/\u2026<\/a> (the app is called <em>ACR Call Recorder<\/em>)\n<ul>\n<li>A technical deep-dive into the bug: <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/03\/11\/how-confidential-are-your-calls-this-iphone-app-shared-them-with-everyone\/\">How confidential are your calls? This iPhone app shared them with everyone \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>(Via Listener Lynda) <a href=\"https:\/\/www.cbsnews.com\/news\/verkada-hack-tesla-nissan-equinox-cloudflare\/\">Hack of video security company Verkada exposes footage from 150,000 connected cameras \u2014 www.cbsnews.com\/\u2026<\/a><\/li>\n<li>Two very disturbing (but excellently researched and written) reports from Vice on security and privacy:\n<ul>\n<li><a href=\"https:\/\/www.vice.com\/en\/article\/y3g8wb\/hacker-got-my-texts-16-dollars-sakari-netnumber\">A Hacker Got All My Texts for $16 \u2014 www.vice.com\/\u2026<\/a><\/li>\n<li>(Via Listener George) <a href=\"https:\/\/www.vice.com\/en\/article\/k7adn9\/car-location-data-telematics-us-military-ulysses-group\">Cars Have Your Location. This Spy Firm Wants to Sell It to the U.S. Military \u2014 www.vice.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/apple-agrees-pre-install-apps-russian-devices\">Apple agrees to pre-install apps on Russian devices \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>TikTok is changing the options it gives users regarding ads on April 15th. All users will get personalised ads (they can currently opt out), but they will retain the option not to be tracked across apps and websites. So, a user&#8217;s ads will be based on just their TikTok activity, or, their TikTok activity combined with 3rd-party tracking. 
This brings TikTok into line with other social media apps \u2014 <a href=\"https:\/\/www.theverge.com\/2021\/3\/17\/22336093\/tiktok-mandatory-personalized-ads-privacy-tracking\">www.theverge.com\/\u2026<\/a><\/li>\n<li>Social Media Apps Continue to Improve their Security\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/instagram-will-prevent-people-dming-under-18s-who-dont-follow-them\">Instagram will prevent people DMing under 18s who don&#8217;t follow them \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/facebook-ban-users-who-break-group-rules\">Facebook to ban users who break group rules \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/twitter-multiple-key-support\/\">Twitter Announces Multiple Security Key Support for Accounts \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/facebook-expands-support-security-keys-iphone\">Facebook expands support for security keys on iPhone \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.zdnet.com\/article\/linux-foundation-announces-new-open-source-software-signing-service\/\">Linux Foundation announces new open-source software signing service \u2014 www.zdnet.com\/\u2026<\/a> (think <em>Let&#8217;s Encrypt for Code Signing<\/em>)<\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>&#x1f3a7; Tom Merritt expertly explains blockchains and their hot new application, NFTs: <a href=\"https:\/\/overcast.fm\/+b-m29n-k4\">Know a Little More: About Blockchain \u2014 overcast.fm\/\u2026<\/a>\n<ul>\n<li>&#x1f3a7; <strong>Related:<\/strong> An excellent explanation of the economics of NFTs: <a href=\"https:\/\/overcast.fm\/+YsPTyDiAk\">Planet Money: The $69 Million JPEG \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a 
href=\"https:\/\/nakedsecurity.sophos.com\/2021\/03\/09\/serious-security-webshells-explained-in-the-aftermath-of-hafnium-attacks\/\">Serious Security: Webshells explained in the aftermath of HAFNIUM attacks \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/google-immune-apples-privacy-protections\">Why Google is immune to Apple&#8217;s Privacy Protections \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>Encode your own Perseverance Rover parachute message \u2014 <a href=\"https:\/\/projects.noahliebman.net\/encodemightythings\/\">projects.noahliebman.net\/\u2026<\/a><\/li>\n<\/ul>\n<figure style=\"float: center; margin: 10px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/03\/20210321-perseveranceParachute.png\" alt=\"Perseverance Parachute with pattern for secret message\" width=\"500\" height=\"500\"><figcaption style=\"text-align:center\">Perseverance Parachute with Pattern for JPL&#8217;s Secret Message<\/figcaption><\/figure>\n<figure style=\"float: center; margin: 10px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/03\/20210321-perseveranceParachuteExplained.png\" alt=\"Perseverance-style Cute Explained \u2014 Stay Patched and Stay Secure\" width=\"500\"><figcaption style=\"text-align:center\">Perseverance-style \u2014 Stay Patched and Stay Secure<\/figcaption><\/figure>\n<ul>\n<li><a href=\"https:\/\/petapixel.com\/2021\/03\/16\/photographer-spends-12-years-1250-hours-exposing-photo-of-milky-way\/\">Photographer Spends 12 Years, 1250 Hours, Exposing Photo of Milky Way \u2014 
petapixel.com\/\u2026<\/a><\/li>\n<li>There&#8217;s a free, one-day Open Source 101 conference on Tuesday 30 March that might be fun. Register at <a href=\"https:\/\/allthingsopen.6connex.com\/event\/ATO\/os101-2021\/login\">allthingsopen.6connex.com\/&#8230;<\/a>. Mike Price alerted us to their superb harassment policy for the conference:<\/li>\n<\/ul>\n<blockquote><p>\n  All Things Open Conference is dedicated to providing a harassment-free conference experience for everyone regardless of gender identity, sexual orientation, disability, physical appearance, body size, race, religion, operating system or text editor of choice.\n<\/p><\/blockquote>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td 
align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. An interesting timeline of the Microsoft Exchange mega-attack discussed last time (Editorial by Bart: it really begs the question &#8216;what took Microsoft so long?&#8217;) \u2014 krebsonsecurity.com\/\u2026 Bloomberg Report that when Parler (the social media 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4543,4542,2079,50,2003],"class_list":["post-23269","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-app-tracking-transparency","tag-microsoft-exchange","tag-patch","tag-security","tag-vulnerabilities"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23269","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=23269"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23269\/revisions"}],"predecessor-version":[{"id":23272,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23269\/revisions\/23272"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=23269"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categorie
s?post=23269"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=23269"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}