{"id":24101,"date":"2021-07-24T12:55:54","date_gmt":"2021-07-24T19:55:54","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=24101"},"modified":"2021-07-24T12:56:50","modified_gmt":"2021-07-24T19:56:50","slug":"sb-2021-07-24","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/07\/sb-2021-07-24\/","title":{"rendered":"Security Bits \u2014 24 July 2021"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>The <em>PrintNightmare<\/em> story continues to evolve with yet another privilege escalation bug being found in the print spooler \u2014 it&#8217;s now more important than ever to follow Microsoft&#8217;s advice and stop and disable the print spooler on your Windows machines \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/07\/16\/more-printnightmare-we-told-you-not-to-turn-the-print-spooler-back-on\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Following a US-only trial, Ring have expanded End-to-End Encryption globally \u2014 <a href=\"https:\/\/www.imore.com\/ring-doorbells-end-end-encryption-going-global\">www.imore.com\/\u2026<\/a><\/li>\n<li>Continuing Social Media Tweaks &amp; Improvements\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/whatsapp-let-users-appeal-bans-app\">WhatsApp to let users appeal bans in-app \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>Instagram have launched a new <em>Security Checkup<\/em> feature to help users secure their account \u2014 <a href=\"https:\/\/www.imore.com\/instagram-tells-users-how-keep-their-accounts-safe-and-secure\">www.imore.com\/\u2026<\/a><\/li>\n<li>Twitter&#8217;s short experiment with ephemeral tweets is over, they&#8217;ve removed the  <em>Fleets<\/em> feature \u2014 <a 
href=\"https:\/\/www.imore.com\/twitters-killing-fleets-and-surprisingly-candid-about-whole-thing\">www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/twitter-ios-now-lets-you-change-who-can-reply-your-old-tweets\">Twitter for iOS now lets you change who can reply to your old tweets \u2014 www.imore.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.imore.com\/twitters-testing-downvotes-says-they-arent-dislikes-because-reasons\">Twitter&#8217;s testing downvotes but says they aren&#8217;t dislikes because reasons \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.macobserver.com\/link\/delete-15-mins-google-search\/\">Google Adds Tool to Quickly Delete Your Last 15 Minutes of Searches \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>The effects of Apple&#8217;s App Tracking Transparency feature continue to clarify:\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/app-tracking-transparency-decreasing-ad-revenue-much-20\">App Tracking Transparency is decreasing ad revenue by as much as 20% \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/advertisers-panicking-75-ios-users-refuse-be-tracked\">Advertisers &#8216;panicking&#8217; as 75% of iOS users refuse to be tracked \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/twitter-impact-ios-14-tracking-changes-lower-expected\">Twitter: Impact of iOS 14 tracking changes &#8216;lower than expected&#8217; \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 NSO Group &amp; Pegasus<\/h2>\n<p>In a well-orchestrated campaign, a group of 16 newspapers and Amnesty International broke a story detailing how spyware called <em>Pegasus<\/em> by Israeli grey-hat security company The NSO Group was used by government agencies around the world to spy on journalists, politicians, campaigners, and even the families of these 
people.<\/p>\n<p>In this case, the story got some extra hype because 23 iPhones were hacked using a previously unknown zero-click iOS exploit. Most of the reporting focused on the cesspool that is the grey-hat security industry, with for-profit companies selling malware to repressive regimes on the promise that they won&#8217;t abuse it. A promise that has been repeatedly broken throughout the NSO Group&#8217;s history. Since the government of Mexico became their first acknowledged client in 2012, the software has been abused to spy on journalists and other inappropriate targets.<\/p>\n<p>Versions of the Pegasus software have been around for a long time too, but it&#8217;s important to understand that it evolves rapidly. It&#8217;s a suite of software that does three things:<\/p>\n<ol>\n<li><strong>Exploits mobile phones using whatever zero-day vulnerabilities the NSO Group currently have in their arsenal<\/strong>. The software attacks iOS and Android devices, and it doesn&#8217;t just use vulnerabilities in the core OS to get in; it will also leverage bugs in third-party apps when they&#8217;re available. Pegasus famously used a zero-day in WhatsApp to break into phones in 2019.<\/li>\n<li><strong>Gathers as much data as it can<\/strong> \u2014 depending on the available zero-days and just how deeply they can penetrate the phones, the software gathers up location data, messages, photos, and can sometimes even enable the camera or the mic to spy on its victims directly. 
Again, this is not limited to core apps; popular messaging services are high on the list of desired data, especially those that encrypt their data really well while it&#8217;s in transit!<\/li>\n<li><strong>Sneaks the data out<\/strong>, or in security jargon <em>exfiltrates the data<\/em>.<\/li>\n<\/ol>\n<p>All three parts continually evolve and change as the phone vendors and third-party app vendors find and fix bugs, and tweak their features.<\/p>\n<p>The first stage probably varies the most, with Apple and Google regularly patching their OSes. Sometimes Pegasus will need to use spear-phishing to get in, but sometimes they can do it silently using so-called <em>zero-click<\/em> attacks \u2014 these are attacks that are invisible to the user and don&#8217;t depend on them doing anything. The most recent incarnation of Pegasus made use of a bug in iMessage to break into fully patched iPhones in a zero-click way. A message was sent to the victims&#8217; phones that would silently exploit iMessage, take it over so the user never even got a notification that a message had arrived, and deploy the malware into the phone.<\/p>\n<p>The data that can be gathered also varies over time as Apple and Google find and patch bugs, and add ever more security protections. Another thing that varies over time is how sticky the malware is. Apple and Google have put a lot of work into protecting the boot process on their OSes, so vulnerabilities that allow for persistent take-overs that survive a reboot are exceedingly rare, and it seems the most recent versions of Pegasus are indeed wiped by simply rebooting an infected phone.<\/p>\n<p>The bottom line is that it&#8217;s a real cat-and-mouse game, it has been going on for years, and it will go on for many more years to come!<\/p>\n<p>This product entirely depends on the NSO group knowing about vulnerabilities Apple, Google, and other app vendors don&#8217;t know about. Those are expensive to acquire, and they have a finite shelf life. 
Every time they are used, they risk being discovered and patched. This is why the number of phones discovered to be actually exploited is so small.<\/p>\n<p>The ultimate effect of these economics is that the specific danger to regular folks is very very low, but the societal impact of a small number of well-targeted hacks could be huge, and could easily affect us all.<\/p>\n<p>One last point \u2014 this group of journalists chose to help the NSO group to keep their story juicier. They have known about the iOS bug Pegasus currently leverages for that very very dangerous zero-click entry, and they chose <strong>not<\/strong> to responsibly disclose to Apple, which means this bug was left needlessly unpatched for weeks, if not months. Personally, I find that unconscionable.<\/p>\n<p>Similarly, the anti-Apple focus in one of the two Washington Post articles is utterly unfounded \u2014 it&#8217;s the worst kind of click-bait IMO. They give the numbers and say there were more hacked iPhones found than hacked Android devices as if that number is meaningful; only in the next paragraph do they admit to its complete meaninglessness by admitting that Android phones don&#8217;t retain enough logs for infections to be detected as easily or as often, so they actually can&#8217;t do any sort of meaningful comparison.<\/p>\n<p>Finally finally \u2014 you might well be wondering what&#8217;s new here. Pegasus has been around for nearly a decade, and we&#8217;ve known it&#8217;s been abused to spy on journalists and others for nearly as long, so what&#8217;s the big new reveal? There is none. Amnesty and Co. 
have simply succeeded in getting a long-running story the traction it should have gotten years ago with some well-executed PR moves.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>Two Washington Post Stories\n<ul>\n<li>The primary one: <a href=\"https:\/\/www.washingtonpost.com\/investigations\/interactive\/2021\/nso-spyware-pegasus-cellphones\/\">Private Israeli spyware used to hack cellphones of journalists, activists worldwide \u2014 www.washingtonpost.com\/\u2026<\/a><\/li>\n<li>A secondary anti-Apple click-bait one: <a href=\"https:\/\/www.washingtonpost.com\/technology\/2021\/07\/19\/apple-iphone-nso\/\">Despite the hype, iPhone security no match for NSO spyware \u2014 www.washingtonpost.com\/\u2026<\/a> (the sub-head is: <em>International investigation finds 23 Apple devices that were successfully hacked<\/em>)<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.imore.com\/gaping-ios-146-imessage-security-flaw-saw-journalists-iphones-infected-spyware\">Gaping iOS 14.6 iMessage security flaw saw journalists&#8217; iPhones infected with spyware \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-says-imessage-flaw-nsos-pegasus-uses-not-threat-most\">Apple says the iMessage flaw NSO&#8217;s Pegasus uses is &#8216;not a threat&#8217; to most \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/no-need-fear-spyware-people-are-not-criminals-says-ceo-nso-group\">No need to fear iPhone spyware for &#8216;people that are not criminals&#8217;, says CEO of NSO Group \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/pegasus-vendor-denies-scope-spyware-claims-says-customers-blame\">Pegasus vendor denies scope of spyware claims, says customers to blame \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1781561\">Apple under pressure over iPhone security after NSO spyware claims \u2014 arstechnica.com<\/a><\/li>\n<li><a 
href=\"https:\/\/www.imore.com\/pegasus-spyware-your-iphone-risk\">Pegasus Spyware \u2014 Is your iPhone at risk? \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.theverge.com\/2021\/7\/21\/22587234\/amnesty-international-nso-pegasus-spyware-detection-tool-ios-android-guide-windows-mac\">Here\u2019s how to check your phone for Pegasus spyware using Amnesty\u2019s tool \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<li>The Wikipedia page on the NSO Group detailing its long history of controversy \u2014 <a href=\"https:\/\/en.wikipedia.org\/wiki\/NSO_Group\">en.wikipedia.org\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Patch Tuesday has been and gone, and Microsoft patched 116 security vulnerabilities, including 4 being actively exploited in the wild \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2021\/07\/microsoft-patch-tuesday-july-2021-edition\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Apple have patched just about all their OSes and Safari \u2014 <a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-releases-ios-14-7-watchos-7-6-macos-11-5-and-more\/\">www.intego.com\/\u2026<\/a> (The % SSID bug seems to be fixed by these updates)<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/cybernews.com\/news\/humana-insurance-customers-medical-data-leaked\/\">Thousands of Humana customers have their medical data leaked online by threat actors \u2014 cybernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/xbox-family-settings-gets-big-upgrade-control-childrens-spending\">Xbox Family Settings app gets big upgrade to control 
children&#8217;s spending \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; (from Allison) The British Government&#8217;s Department of Digital, Media, Culture and Sport have put out guidance asking social media companies not to protect children&#8217;s content with end-to-end encryption \u2014 <a href=\"https:\/\/techcrunch.com\/2021\/06\/30\/uk-tells-messaging-apps-not-to-use-e2e-encryption-for-kids-accounts\/\">techcrunch.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; The Biden administration have formally accused China of being behind the recent spate of Microsoft Exchange server hacks \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/china-microsoft-exchange-hack\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; The US government have launched a new web portal to fight ransomware and aggregate resources from various government agencies; the site is at <a href=\"https:\/\/stopransomware.gov\/\">StopRansomware.gov\/&#8230;<\/a> \u2014 <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/07\/15\/new-stopransomwaregov-website-us-governments-one-stop-location\">us-cert.cisa.gov\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>Motherboard pose as a customer trying to buy personal data on US citizens \u2013 in the process they expose the lie that advertising tracking IDs are anonymous \u2014 <a href=\"https:\/\/www.vice.com\/en\/article\/epnmvz\/industry-unmasks-at-scale-maid-to-pii\">Inside the Industry That Unmasks People at Scale \u2014 www.vice.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>&#x1f3a7; <a href=\"https:\/\/overcast.fm\/+b-m0YK1CQ\">Know a Little More: About HTTP Cookies \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When 
the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. The PrintNightmare story continues to evolve with yet another privilege escalation bug being found in the print spooler \u2014 it&#8217;s now more important than ever to follow Microsoft&#8217;s advice and stop and disable the [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4709,4708,2105,50,569],"class_list":["post-24101","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-nso-group","tag-pegasus","tag-secure","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24101","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"hre
f":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=24101"}],"version-history":[{"count":5,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24101\/revisions"}],"predecessor-version":[{"id":24106,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24101\/revisions\/24106"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=24101"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=24101"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=24101"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}