{"id":23686,"date":"2021-05-30T12:50:30","date_gmt":"2021-05-30T19:50:30","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=23686"},"modified":"2021-05-30T12:55:39","modified_gmt":"2021-05-30T19:55:39","slug":"sb-2021-05-30","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/05\/sb-2021-05-30\/","title":{"rendered":"Security Bits \u2014 30 May 2021"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; Hot on the heels of the Colonial Pipeline hack, the US Department of Homeland Security (DHS) has published cybersecurity rules for pipeline operators \u2014 <a href=\"https:\/\/www.macobserver.com\/link\/dhs-rules-pipeline-operators\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>Vizio&#8217;s questionable privacy stance has come up a few times on this segment over the years. Turns out they&#8217;re the perfect example of why it pays to follow the money: <a href=\"https:\/\/www.engadget.com\/vizio-q1-earnings-inscape-013937337.html\">Vizio makes nearly as much money from ads and data as it does from TVs \u2014 www.engadget.com\/\u2026<\/a><\/li>\n<li>Troy Hunt has followed through on his plans to open source <em>Have I Been Pwned<\/em>, and also struck a deal which will see the US FBI contributing data to the project \u2014 <a href=\"https:\/\/www.zdnet.com\/article\/have-i-been-pwned-goes-open-source\/\">www.zdnet.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 1 \u2014 Facebook&#8217;s Next Sneaky Trick \u2013 Location Data by the Back Door<\/h2>\n<p>Some nice sleuthing by Forbes has exposed yet another way Facebook chooses to get around the spirit of the law while sticking to the letter of it. 
When you use either the OS setting to deny Facebook GPS location data, or even when you use the Facebook settings to indicate that you don&#8217;t want your location tracked, Facebook still infer and store your location based on the EXIF metadata embedded in photos and videos you upload to any of their services.<\/p>\n<p>The EXIF metadata standard provides fields for storing coordinates, and most cameras with built-in GPS receivers will populate these fields in the photos they take. This includes smartphones. This is how apps like Apple Photos can group your photos by place, and display them on a map.<\/p>\n<p>For privacy reasons, all the social networks have been stripping the location fields from the EXIF data on all uploaded images and videos before they&#8217;re shared with other users. Because the EXIF data is gone when people see the images, the assumption has always been that Facebook deletes the data \u2014 NOPE! <strong>Facebook store the stripped data and use it to target ads!<\/strong><\/p>\n<p>The writers at Forbes suggest two possible defences \u2014 you can install share-sheet apps that strip metadata and use those to filter your images before Facebook can get their hands on them, or, they suggest not uploading images or videos to any Facebook apps. 
I have a third suggestion \u2014 <strong>delete your account<\/strong> &#x1f642;<\/p>\n<h3>Link<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.forbes.com\/sites\/zakdoffman\/2021\/05\/22\/apple-user-warning-how-to-stop-facebook-secretly-tracking-your-iphone-ipad\/\">Facebook Tracks Your iPhone Location \u2013 This Is How To Stop It \u2014 www.forbes.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 2 \u2014 &#x1f9ef; That Un-patched Safari Bug<\/h2>\n<p>There&#8217;s been a lot of breathless reporting about Apple not patching a bug in Safari they were told about three weeks ago, but there&#8217;s absolutely no need to panic; we&#8217;re in no immediate danger!<\/p>\n<p>A bug does exist, Apple have not yet patched it, but it doesn&#8217;t actually pose an imminent danger because it only breaks through one of the layers of defence Apple puts around Safari, not all of them, so it can&#8217;t be used to execute arbitrary code, at least not yet.<\/p>\n<p>The biggest danger here is a hypothetical future discovery of another vulnerability that can be combined with this one, and perhaps multiple others, to form a so-called <em>exploit chain<\/em> that does break through all the protections. If that happens, then it becomes important that Apple rush a patch out, but until that happens, it&#8217;s OK for Apple to take their time and get this out some time relatively soon.<\/p>\n<p>What&#8217;s more interesting here than the bug itself is its story. The bug was found in the open source WebKit engine that powers Safari. The open source community released a patch to WebKit that fixed this bug, and that was how the world learned about it. Apple have not yet taken that fix from the upstream WebKit project and merged it into Safari. This is a great example of one of the potential metaphorical open source roundabouts that slightly counteracts all those metaphorical open source swings. 
It&#8217;s such a common problem it even has a name \u2014 <em>the patching gap<\/em>, and the act of exploiting a bug in the window between it being fixed in an upstream open source project, and another derived product is called <em>patch-gapping<\/em> in the malware community.<\/p>\n<h3>Link<\/h3>\n<ul>\n<li>The best write-up I found on the bug: <a href=\"https:\/\/arstechnica.com\/?p=1767876\">No, it doesn\u2019t just crash Safari. Apple has yet to fix exploitable flaw \u2014 arstechnica.com<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 3 \u2014 &#x1f9ef; The <em>M1racle<\/em> M1 <em>unpatchable<\/em> Vulnerability<\/h2>\n<p>Yes, it&#8217;s true, there is something that is technically a bug baked into Apple&#8217;s new M1 chips, but there&#8217;s absolutely nothing to worry about.<\/p>\n<p>There are two bits inside an apparently unused CPU register that have overly broad permissions. This doesn&#8217;t provide a way in for malware, nor does it allow malware to read data from other processes or parts of the filesystem it shouldn&#8217;t have access to. 
All it does is allow two pieces of malware already installed on an M1 Mac to share two bits of data behind the OS&#8217;s back.<\/p>\n<p>In other words, if you&#8217;ve already been hacked twice or more, the malwares can very very slowly chat among themselves without the OS overhearing their conversation.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1768316\">Covert channel in Apple\u2019s M1 is mostly harmless, but it sure is interesting \u2014 arstechnica.com<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/05\/27\/unpatchable-vuln-in-apples-new-mac-chip-what-you-need-to-know\/\">\u201cUnpatchable\u201d vuln in Apple\u2019s new Mac chip \u2013 what you need to know \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Apple patches just about everything: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-releases-ios-14-6-watchos-7-5-macos-11-4-and-more-with-many-security-fixes\/\">Apple Releases iOS 14.6, watchOS 7.5, macOS 11.4 and More, with Many Security Fixes &#8211; The Mac Security Blog \u2014 www.intego.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/05\/25\/apple-patches-dangerous-security-holes-one-in-active-use-update-now\/\">Apple patches dangerous security holes, one in active use \u2013 update now! 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/macos-big-sur-114-fixes-bug-could-see-secret-screenshots-taken\">macOS Big Sur 11.4 fixes bug that could see secret screenshots taken \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/9to5mac.com\/2021\/05\/27\/ios-14-6-now-prompts-apple-watch-series-3-users-to-restore-their-device-before-updating\/\">iOS 14.6 now prompts Apple Watch Series 3 users to restore their device before updating \u2014 9to5mac.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>A good description of a new twist on scamming I wasn&#8217;t aware of \u2014 follow up a successful phish by pretending to be the bank investigating the fraud the user probably reported when they realised what they&#8217;d done: <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/05\/25\/eight-suspects-busted-in-raid-on-home-delivery-scamming-operation\/\">Eight suspects busted in raid on \u201chome delivery\u201d scamming operation \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>A now-fixed bug allowed owners of the popular Eufy security cameras to see each other&#8217;s feeds \u2014 <a href=\"https:\/\/www.imore.com\/potential-security-breach-eufy-camera-owners-see-other-peoples-feeds\">www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1ee;&#x1f1f3; <a href=\"https:\/\/www.imore.com\/whatsapp-sues-indian-government-over-new-rules-traceable-messages\">WhatsApp sues Indian government over new rules on &#8216;traceable&#8217; messages \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/05\/19\/regulator-fines-covid-19-tracker-for-turning-contact-data-into-sales-leads\/\">Regulator fines COVID-19 tracker for turning contact data 
into sales leads \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>The developers at 1Password have been very busy:\n<ul>\n<li>1Password for Linux is released, and some of the underlying libraries open sourced \u2014 <a href=\"https:\/\/blog.1password.com\/welcoming-linux-to-the-1password-family\/\">blog.1password.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/1password-adds-support-touch-id-and-dark-mode-browser\">1Password adds support for Touch ID and Dark Mode in the browser \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.imore.com\/twitter-rolling-out-new-verification-program\">Twitter rolling out new verification program \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that are likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li>&#x1f5c4; Some excellent advice from 1Password on planning an orderly handover of your digital life should you <em>shuffle off this mortal coil<\/em> (as Monty Python would put it): <a href=\"https:\/\/blog.1password.com\/digital-estate-planning-guide\/\">Digital estate planning: How to safely transfer your digital accounts \u2014 blog.1password.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>An excellent article by Adam Engst explaining the huge difference between <em>Find my iPhone\/Mac<\/em> and the new <em>Find my Network<\/em>: <a href=\"https:\/\/tidbits.com\/2021\/05\/23\/the-two-faces-of-find-my\/\">The Two Faces of Find My \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li>&#x1f3a6; An excellent explainer of <em>Smart Contracts<\/em>, and why we might want to care about them: <a href=\"https:\/\/www.youtube.com\/watch?v=ZE2HxTmxfrI\">Smart contracts &#8211; Simply Explained \u2014 
www.youtube.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>Some more detail on the new Matter IoT standard: <a href=\"https:\/\/staceyoniot.com\/project-chip-becomes-matter\/\">Project CHIP gets a new name and so does the Zigbee Alliance \u2014 staceyoniot.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Just Because it&#8217;s Cool &#x1f60e;<\/h2>\n<aside class=\"small-aside\">Stories that are not important, that don&#8217;t require you to do anything, and that you don&#8217;t even have to worry about.<\/aside>\n<ul>\n<li>Security researcher Brian Krebs has a very simple suggestion for protecting yourself from Russian-adjacent malware \u2014 set your default keyboard to one for a country in Russia&#8217;s sphere of influence. Much of this malware uses keyboard settings to avoid <em>friendly fire<\/em> on targets the Russian government would not take kindly to them exploiting \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2021\/05\/try-this-one-weird-trick-russian-hackers-hate\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Bart:<\/strong> &#x1f3a7; A story we covered at the time on the show expertly told and contextualised into an important cautionary tale: <a href=\"https:\/\/overcast.fm\/+U9ZGn82Ks\">Cautionary Tales with Tim Harford: Wrong Tools Cost Lives \u2014  overcast.fm\/\u2026<\/a><\/li>\n<li><strong>From Allison:<\/strong> Figure out how long a journey would have taken as an ancient Roman: <a href=\"https:\/\/orbis.stanford.edu\/\">ORBIS: The Stanford Geospatial Network Model of the Roman World \u2014 orbis.stanford.edu<\/a><\/li>\n<li>macOS Crash Log Viewer <a href=\"http:\/\/s.sudre.free.fr\/Software\/Unexpectedly\/about.html\">WhiteBox &#8211; Unexpectedly \u2014 
s.sudre.free.fr\/&#8230;<\/a> <\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. &#x1f1fa;&#x1f1f8; Hot on the heels of the Colonial Pipeline hack, the US Department of Homeland Security (DHS) has published cybersecurity rules for pipeline operators \u2014 www.macobserver.com\/\u2026 Vizio&#8217;s questionable privacy stance has come up a [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[147,214],"tags":[2447,156,2997,4604,4608,1973,4586,4607],"class_list":["post-23686","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-back-door","tag-facebook","tag-location-tracking","tag-m1","tag-m1racle","tag-safari","tag-vulnerability","tag-webkit"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23686","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/
posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=23686"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23686\/revisions"}],"predecessor-version":[{"id":23688,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23686\/revisions\/23688"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=23686"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=23686"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=23686"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}