{"id":23448,"date":"2021-04-18T12:55:55","date_gmt":"2021-04-18T19:55:55","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=23448"},"modified":"2021-04-19T13:46:06","modified_gmt":"2021-04-19T20:46:06","slug":"sb-2021-03-18","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/04\/sb-2021-03-18\/","title":{"rendered":"Security Bits \u2014 18 April 2021"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>&#x1f1ec;&#x1f1e7; (&#x1f3f4;&#xe0067;&#xe0062;&#xe0065;&#xe006e;&#xe0067;&#xe007f; &amp; &#x1f3f4;&#xe0067;&#xe0062;&#xe0077;&#xe006c;&#xe0073;&#xe007f;) Both Apple &amp; Google have stopped the NHS from publishing an update to their COVID app to insert location tracking. This is expressly forbidden in their COVID exposure notification API terms of service, precisely to stop COVID apps being used for government surveillance \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/04\/12\/apple-and-google-block-official-uk-covid-19-app-update\/\">nakedsecurity.sophos.com\/\u2026<\/a> (<em><strong>Editorial by Bart:<\/strong> The fact that they even tried this makes my<\/em> &#x1f92f;)<\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-updates-its-day-life-your-data-educational-report\">Apple updates its &#8216;A Day in the Life of Your Data&#8217; educational report \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>The Wall Street Journal (WSJ) is reporting that US firm Procter &amp; Gamble helped develop the Chinese-government-sponsored CAID API designed to bypass Apple&#8217;s upcoming App Tracking Transparency \u2014 <a href=\"https:\/\/www.imore.com\/pg-helped-test-new-tracking-tech-skirts-apples-new-privacy-rules\">www.imore.com\/\u2026<\/a><\/li>\n<li>Other browser makers are not signing up to FLoC (Federated Learning of 
Cohorts), Google&#8217;s proposed replacement for tracking cookies (that includes the other Chromium-derived browsers like Edge) \u2014 <a href=\"https:\/\/www.theverge.com\/2021\/4\/16\/22387492\/google-floc-ad-tech-privacy-browsers-brave-vivaldi-edge-mozilla-chrome-safari\">www.theverge.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> The EFF have a tester that lets Chrome users know if they&#8217;re part of Google&#8217;s FLoC trials (the tool is called <em>Am I FLoCed<\/em>), and DuckDuckGo has a new Chrome plugin to block FLoC \u2014 <a href=\"https:\/\/daringfireball.net\/linked\/2021\/04\/16\/eff-floced\">daringfireball.net\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1fa;&#x1f1f8; &#x1f1e6;&#x1f1fa; &#x1f1ee;&#x1f1f1; The WSJ has also found the identity of the security firm the FBI paid to hack into the San Bernardino shooter&#8217;s iPhone \u2014 and contrary to widespread speculation, it was not the controversial grey-hat Israeli company Cellebrite, but an Australian company named <em>Azimuth<\/em> \u2014 <a href=\"https:\/\/www.macobserver.com\/link\/azimuth-iphone-unlocking-found\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1e9;&#x1f1ea; German data protection officials are attempting to block Facebook&#8217;s controversial upcoming new Terms of Service, which will see more data sharing between WhatsApp and Facebook \u2014 <a href=\"https:\/\/www.imore.com\/facebook-could-face-german-intervention-over-controversial-whatsapp-changes\">www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; Armed with a court order, the FBI hacked into hundreds of Exchange servers that had been backdoored via the recently patched zero-day bugs in order to remove the backdoors \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/04\/14\/fbi-hacks-into-hundreds-of-infected-us-servers-and-disinfects-them\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this 
section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li>Last Tuesday was <em>Patch Tuesday<\/em>, and Microsoft patched 19 critical bugs, including a Windows bug being actively exploited in the wild \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2021\/04\/microsoft-patch-tuesday-april-2021-edition\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>A new <em>&#8216;bug cluster&#8217;<\/em> named <em>NAME:WRECK<\/em> has been found and patched in a DNS client implementation used in a number of OSes including FreeBSD and proprietary OSes used in many IoT devices \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/04\/13\/iot-bug-report-claims-at-least-100m-devices-may-be-impacted\/\">nakedsecurity.sophos.com\/\u2026<\/a> (<strong>Editorial by Bart:<\/strong> this kind of bug just underscores my standard advice <em>&#8216;if your IoT device is not getting security updates anymore, bin it!&#8217;<\/em>)\n<ul>\n<li>Project CHIP embraces a timeline and the blockchain &#8211; Stacey on IoT | Internet of Things <a href=\"https:\/\/staceyoniot.com\/project-chip-embraces-a-timeline-and-the-blockchain\/\">staceyoniot.com\/&#8230;<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Details of over \u00bdBn Facebook accounts from all around the world have been found on sale on the dark web (through a Telegram bot). The data was stolen in 2019 and includes full names, dates of birth, email addresses &amp; phone numbers. 
This opens people up to very convincing phishing attacks, and possibly even SIM swapping or identity theft \u2014 <a href=\"https:\/\/tidbits.com\/2021\/04\/05\/over-500-million-facebook-accounts-compromised\/\">tidbits.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.troyhunt.com\/the-facebook-phone-numbers-are-now-searchable-in-have-i-been-pwned\/\">The Facebook Phone Numbers Are Now Searchable in Have I Been Pwned \u2014 www.troyhunt.com\/\u2026<\/a><\/li>\n<li><strong>Analysis:<\/strong> <a href=\"https:\/\/krebsonsecurity.com\/2021\/04\/are-you-one-of-the-533m-people-who-got-facebooked\/\">Are You One of the 533M People Who Got Facebooked? \u2013 Krebs on Security \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/cybernews.com\/news\/stolen-data-of-500-million-linkedin-users-being-sold-online-2-million-leaked-as-proof-2\/\">Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof \u2014 cybernews.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/clubhouse-api-public-scraping\/\">Clubhouse API Open to Scraping Public User Data \u2014 www.macobserver.com\/\u2026<\/a> (Exposes users to automated but targeted phishing attacks)<\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/krebsonsecurity.com\/2021\/04\/parkmobile-breach-exposes-license-plate-data-mobile-numbers-of-21m-users\/\">ParkMobile Breach Exposes License Plate Data, Mobile Numbers of 21M Users \u2013 Krebs on Security \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Pwn2Own 2021 went ahead as a virtual event, and lots of money was paid to lots of researchers for responsibly disclosing lots of bugs in really important software like Windows, Ubuntu Desktop, Chrome, Edge, Safari, Zoom, Teams, Exchange, Parallels, and more \u2014 <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2021\/04\/09\/pwn2own-2021-zoom-teams-exchange-chrome-and-edge-fully-owned\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/microsoft-rolls-out-kids-mode-its-edge-browser-mac\">Microsoft rolls out Kids Mode for its Edge browser on the Mac \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/google-copies-pastes-ios-14s-clipboard-access-notifications-android\">Google copies, pastes iOS 14&#8217;s clipboard access notifications for Android \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>&#x2b50;&#xfe0f; A superb (but long!) explanation of the so-called <em>SolarWinds attack<\/em> written for a non-technical audience: <a href=\"https:\/\/www.npr.org\/2021\/04\/16\/985439655\/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack\">A &#8216;Worst Nightmare&#8217; Cyberattack: The Untold Story Of The SolarWinds Hack \u2014 www.npr.org\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1755111\">How Apple\u2019s new App Tracking Transparency policy works \u2014 arstechnica.com<\/a><\/li>\n<li>The EFF&#8217;s explanation of <em>UID2<\/em>, a new and very invasive tracking API being developed by the ad industry to track people across apps and websites using their email address. 
This is not a browser-level tool like cookies, but an information interchange format to allow advertisers, advertising agencies and app and website owners to share data in such a way that they can track actual people all across the connected world, not just browsers \u2014 <a href=\"https:\/\/www.eff.org\/deeplinks\/2021\/04\/after-cookies-ad-tech-wants-use-your-email-track-you-everywhere\">After Cookies, Ad Tech Wants to Use Your Email to Track You Everywhere | Electronic Frontier Foundation \u2014 www.eff.org\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>&#x1f4cc; &#x1f1fa;&#x1f1f8; In an opinion on the recent US Supreme Court case regarding the @realdonaldtrump account blocking users, Justice Thomas made an interesting argument for treating large social media companies like common carriers \u2014 <a href=\"https:\/\/www.protocol.com\/bulletins\/thomas-scotus-twitter-trump-ban\">www.protocol.com\/\u2026<\/a> (This could well become very important in future SCOTUS cases)<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<h3>From Allison<\/h3>\n<ul>\n<li>Probably the most impressive JavaScript demonstration I\u2019ve ever seen \u2014 an interactive map of the MCU: <a href=\"https:\/\/live.yworks.com\/demos\/promo\/GDC2019\/\">Marvel Cinematic Universe \u2014 live.yworks.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>From Bart<\/h3>\n<ul>\n<li>&#x1f3a7; An excellent segment (the link jumps to just before the segment starts) on the probable new physics that scientists are starting to glimpse when observing muons at particle colliders: <a href=\"https:\/\/overcast.fm\/+IrEcSDiYU\/12:19\">The Science Hour: On the trail of rare blood clots \u2014 overcast.fm\/\u2026<\/a>\n<ul>\n<li>&#8220;Physics Girl&#8221; explaining the exciting new Fermilab muon 
result to her production team: <a href=\"https:\/\/youtu.be\/0roQUZvU-As\">This result could change physics forever<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f3a7; A fascinating discussion about web accessibility standards with 29-year veteran L\u00e9onie Watson: <a href=\"https:\/\/overcast.fm\/+RWbgKxuiY\">Code[ish] 16: Accessibility in Web Standards \u2014 overcast.fm\/\u2026<\/a> (<a href=\"https:\/\/www.heroku.com\/podcasts\/codeish\/16-accessibility-in-web-standards\">show notes<\/a>)<\/li>\n<li>&#x1f3a6; A fun but very informative video from Apple reporter extraordinaire Joanna Stern, using Rock &#8217;em-Sock &#8217;em robots with custom heads to explain the fight between Apple &amp; Facebook over privacy in general, and App Tracking Transparency in particular \u2014 <a href=\"https:\/\/www.wsj.com\/video\/series\/joanna-stern-personal-technology\/apple-vs-facebook-why-ios-145-started-a-big-tech-fight\/1C9C84F2-0F68-45B5-8A4E-ADC6D71EA4E2\">www.wsj.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical 
content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. &#x1f1ec;&#x1f1e7; (&#x1f3f4;&#xe0067;&#xe0062;&#xe0065;&#xe006e;&#xe0067;&#xe007f; &amp; &#x1f3f4;&#xe0067;&#xe0062;&#xe0077;&#xe006c;&#xe0073;&#xe007f;) Both Apple &amp; Google have stopped the NHS from publishing an update to their COVID app to insert location tracking. 
This is expressly forbidden in their COVID exposure notification API [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[50,569],"class_list":["post-23448","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=23448"}],"version-history":[{"count":4,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23448\/revisions"}],"predecessor-version":[{"id":23459,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23448\/revisions\/23459"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=23448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=23448"},{"t
axonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=23448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}