{"id":23520,"date":"2021-05-02T12:49:16","date_gmt":"2021-05-02T19:49:16","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=23520"},"modified":"2021-05-02T12:49:41","modified_gmt":"2021-05-02T19:49:41","slug":"sb-2021-05-02","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/05\/sb-2021-05-02\/","title":{"rendered":"Security Bits \u2014 2 May 2021"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Apple are letting Parler back into the iOS AppStore; they have apparently sufficiently reformed their moderation practices \u2014 <a href=\"https:\/\/www.imore.com\/parler-controversial-social-media-app-coming-back-app-store\">www.imore.com\/\u2026<\/a><\/li>\n<li>SolarWinds are changing their name to N-able! \u2014 <a href=\"https:\/\/www.n-able.com\/becoming-n-able\">www.n-able.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive(s)<\/h2>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li>Apple have released security and feature updates for just about everything \u2014 <a href=\"https:\/\/tidbits.com\/2021\/04\/26\/apple-releases-ios-14-5-ipados-14-5-macos-11-3-watchos-7-4-and-tvos-14-5\/\">tidbits.com\/\u2026<\/a> &amp; <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/04\/27\/apple-releases-security-updates\">us-cert.cisa.gov\/\u2026<\/a> (more complete list)\n<ul>\n<li>iOS 14.5 brings App Tracking Transparency, and, Apple Watch unlock when wearing a face mask \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/ios-14-5-is-out-now\/\">www.macobserver.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/deep-dive\/how-block-app-tracking\/\">iOS 14.5: 
Here\u2019s How to Start Blocking App Trackers \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-confirms-ios-14-app-tracking-option-grayed-out-some-cases\">Apple confirms iOS 14 app tracking option disabled in some cases \u2014 www.imore.com\/\u2026<\/a> (Kids, managed Apple IDs in Education\/Business, and brand new accounts)<\/li>\n<li><a href=\"https:\/\/lifehacker.com\/how-to-fix-your-iphones-app-tracking-transparency-if-it-1846782530\">How to Fix Your iPhone&#8217;s &#8216;App Tracking Transparency&#8217; If It&#8217;s Grayed Out in iOS 14.5 \u2013 Lifehacker<\/a><\/li>\n<li><strong>Related:<\/strong> &#x1f3a6; Another excellent WSJ video from Joanna Stern \u2013 she explains ATT including an interview with Apple&#8217;s Craig Federighi \u2014 <a href=\"https:\/\/youtu.be\/G05nEgsXgoI\">youtu.be\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.imore.com\/no-incentives-ios-145-app-tracking-allowed-says-apple\">No incentives for iOS 14.5 app tracking allowed, says Apple \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.imore.com\/how-unlock-your-iphone-your-apple-watch\">How to unlock your iPhone with your Apple Watch \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>MacOS 11.3 patches an important bug in GateKeeper: <a href=\"https:\/\/www.macobserver.com\/news\/product-news\/install-macos-11-3-now\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/04\/28\/gamers-update-nvidia-patches-gpu-driver-kernel-escalation-bugs\/\">Gamers update! 
Nvidia patches GPU driver kernel escalation bugs \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Security researchers at the Technical University of Darmstadt &#x1f1e9;&#x1f1ea; are warning about a significant data leak from Apple&#8217;s AirDrop when in <em>contacts only<\/em> mode: because they allow self-signed certs (dumb and easy to fix), and because they use un-salted hashes, email addresses and phone numbers are exposed. For now, it seems best to leave AirDrop off when you don&#8217;t need it, and open to all when you do need it \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/04\/23\/apple-airdrop-has-significant-privacy-leak-say-german-researchers\/\">nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li><strong>Editorial by Bart:<\/strong> this is such low-hanging security fruit Apple should be utterly ashamed of themselves. Clearly, this protocol has been left languishing for far too long. I use AirDrop a lot since it actually works well these days, so I really hope Apple fix these trivial shortcomings quickly. 
Just stop accepting self-signed certs immediately, and add some salt!<\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/krebsonsecurity.com\/2021\/04\/experian-api-exposed-credit-scores-of-most-americans\/\">Experian API Exposed Credit Scores of Most Americans \u2013 Krebs on Security \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li><a href=\"https:\/\/daringfireball.net\/linked\/2021\/04\/27\/kaminsky\">Renowned Internet Security Researcher Daniel Kaminsky Dies at 42 \u2014 daringfireball.net\/\u2026<\/a><\/li>\n<li>Dutch &#x1f1f3;&#x1f1f1;  politicians were tricked by a sophisticated DeepFake \u2014 they had a video conferencing call with an imposter pretending to be Alexei Navalny&#8217;s chief of staff Leonid Volkov. There is talk of <em>state actors<\/em> being involved, and reports of other politicians in other European countries being similarly tricked \u2014 <a href=\"https:\/\/nltimes.nl\/2021\/04\/24\/dutch-mps-video-conference-deep-fake-imitation-navalnys-chief-staff\">nltimes.nl\/\u2026<\/a><\/li>\n<li>Apple have launched their AirTags trackers, and they&#8217;ve baked security and privacy right into the heart of the design \u2014 <a href=\"https:\/\/www.fastcompany.com\/90628073\/apple-airtag-privacy-security\">www.fastcompany.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> Apple&#8217;s support page: <a href=\"https:\/\/support.apple.com\/en-us\/HT212227\">What to do if you find an AirTag or get an alert that an AirTag is with you \u2014 support.apple.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/heres-what-happens-if-you-lose-airtag\">Here&#8217;s what happens if you lose an AirTag \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Firefox 88 has closed another tracking loop-hole (the unassuming <code>window.name<\/code> JavaScript variable), and other browser vendors are following their lead \u2014 <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2021\/04\/20\/firefox-88-patches-bugs-and-kills-off-a-sneaky-javascript-tracking-trick\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Major tech\/security firms including Amazon, Cisco, FireEye, McAfee &amp; Microsoft are working to establish an international task force targeted at disrupting ransomware operations \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2021\/04\/task-force-seeks-to-disrupt-ransomware-payments\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>The Verge tells the story of Kosta Eleftheriou&#8217;s one-man quest to draw attention to Apple&#8217;s utter failure to keep obvious scam subscriptions out of their iOS AppStore. They&#8217;re shockingly easy to find &#x1f641; \u2014 <a href=\"https:\/\/www.theverge.com\/2021\/4\/21\/22385859\/apple-app-store-scams-fraud-review-enforcement-top-grossing-kosta-eleftheriou\">www.theverge.com\/\u2026<\/a><\/li>\n<li>Security researcher extraordinaire and co-author of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Signal_Protocol\">the Signal Protocol<\/a> (powering Signal, WhatsApp, Facebook Messenger and more) <a href=\"https:\/\/en.wikipedia.org\/wiki\/Moxie_Marlinspike\">Moxie Marlinspike<\/a> explains the spectacular insecurities he found in Cellebrite&#8217;s iPhone data extraction tools (TL;DR \u2013 these things are so insecure their outputs can&#8217;t be used in court, and they seem to violate Apple&#8217;s IP to boot) \u2014 <a href=\"https:\/\/signal.org\/blog\/cellebrite-vulnerabilities\/\">signal.org\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>A wonderfully illustrated and animated guide to the mechanical marvel that is the internal combustion engine \u2014 <a 
href=\"https:\/\/ciechanow.ski\/internal-combustion-engine\/\">ciechanow.ski\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Apple are letting Parler back into the iOS AppStore, they have apparently sufficiently reformed their moderation practices \u2014 www.imore.com\/\u2026 SolarWinds are changing their name to N-able! \u2014 www.n-able.com\/\u2026 Deep Dive(s) &#x2757; Action Alerts Calls [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4570,4543,4584,50,569,4585,4586],"class_list":["post-23520","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-airtags","tag-app-tracking-transparency","tag-cellebrite","tag-security","tag-security-bits","tag-software-update","tag-vulnerability"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23520","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"
about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=23520"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23520\/revisions"}],"predecessor-version":[{"id":23522,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23520\/revisions\/23522"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=23520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=23520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=23520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}