{"id":24266,"date":"2021-08-22T12:05:17","date_gmt":"2021-08-22T19:05:17","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=24266"},"modified":"2021-08-22T13:26:34","modified_gmt":"2021-08-22T20:26:34","slug":"2021-08-22","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/08\/2021-08-22\/","title":{"rendered":"Security Bits by Bart Busschots \u2014 22 August 2021"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Apple&#8217;s Child Protection Features\n<ul>\n<li>New Information:\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/apple-publishes-child-safety-faq-address-csam-scanning-concerns-and-more\">Apple publishes Child Safety FAQ to address CSAM scanning concerns and more \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-details-new-security-threat-review-its-new-csam-feature\">Apple shares a security threat review for its new CSAM detection feature \u2014 www.imore.com\/\u2026<\/a>\n<ul>\n<li>An excellent summary: <a href=\"https:\/\/tidbits.com\/2021\/08\/13\/new-csam-detection-details-emerge-following-craig-federighi-interview\/\">New CSAM Detection Details Emerge Following Craig Federighi Interview \u2014 tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>My key new learnings:\n<ul>\n<li>Apple is not just using the NCMEC database of known CSAM, they are cross-referencing it with another database (they haven&#8217;t said whose) and only including images common to both.<\/li>\n<li>The threshold for making it possible for Apple to know an account has been flagged is being set at <em>about 30<\/em>, at least for the initial rollout.<\/li>\n<li>Apple will be publishing the hash of the CSAM DB with each iOS release, so any injections into the list of hashes will be detectable by 3rd 
parties<\/li>\n<li>Apple have confirmed what I was pretty sure was the case, that Apple employees can never see the actual matched images, even when the threshold is met \u2014 they only see the contents of the then decrypted security vouchers, which only contain low-resolution previews of the images.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Apple Reach Out\n<ul>\n<li><a href=\"https:\/\/techcrunch.com\/2021\/08\/10\/interview-apples-head-of-privacy-details-child-abuse-detection-and-messages-safety-features\/\">Interview: Apple\u2019s head of Privacy details child abuse detection and Messages safety features \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-software-chief-admits-child-protection-measures-have-been-widely-misunderstood\">Apple software chief admits child protection measures have been &#8216;widely misunderstood&#8217; \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.imore.com\/corellium-aid-csam-security-testing-part-new-initiative\">Corellium to aid Apple CSAM security testing as part of new initiative \u2014 www.imore.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.macobserver.com\/news\/apple-reaches-settlement-corellium\/\">Apple Reaches Settlement With Corellium, Dropping its Lawsuit \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.imore.com\/apple-has-appealed-another-lawsuit-against-corellium\">Apple has appealed its lawsuit against Corellium \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>The push-back continues: <a href=\"https:\/\/arstechnica.com\/?p=1788549\">Apple photo-scanning plan faces global backlash from 90 rights groups \u2014 arstechnica.com<\/a><\/li>\n<li>&#x1f9ef; The version of something that looks like NeuralHash found in iOS 14, reverse engineered, and found to be poor at avoiding hash collisions, is <strong>not<\/strong> the code that Apple will be using in iOS 15 
despite the irresponsible assumptions of many, and the resulting breathless headlines \u2014 <a href=\"https:\/\/www.vice.com\/en\/article\/wx5yzq\/apple-defends-its-anti-child-abuse-imagery-tech-after-claims-of-hash-collisions\">www.vice.com\/\u2026<\/a><\/li>\n<li>We may have a better understanding of why Apple implemented the two features it did: <a href=\"https:\/\/www.imore.com\/apples-fraud-chief-knew-it-had-child-porn-problem-messages-reveal\">Apple&#8217;s fraud chief knew it had a child porn problem, messages reveal \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Social Media Sites are Continuing to Fight Abuses of their Platforms (and they had a good 2 weeks)\n<ul>\n<li>Facebook have improved their Facebook Transfer Tool (for migrating data easily to other platforms) to add some nice usability tweaks, two new end-points (Photobucket &amp; Google Calendar), and a new data type (Facebook Events) \u2013 <a href=\"https:\/\/www.macobserver.com\/news\/facebook-transfer-tool-photobucket\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>Google have announced a suite of improvements to their child protection features (nothing earth-shattering, but lots of small improvements) \u2014 <a href=\"https:\/\/blog.google\/technology\/families\/giving-kids-and-teens-safer-experience-online\/\">blog.google\/\u2026<\/a><\/li>\n<li>Signal now allows you to mark your messages to automatically disappear by default \u2014 <a href=\"https:\/\/signal.org\/blog\/disappearing-by-default\/\">signal.org\/\u2026<\/a><\/li>\n<li>Instagram have rolled out new tools to control abuse via DMs and comments including a new <em>Limits<\/em> feature that allows users to hide DMs and comments from people that don&#8217;t follow them or have only recently started to. They&#8217;re also adding warnings to posters if they use potentially offensive language, and a <em>Hidden Words<\/em> feature that filters off potentially offensive DMs into a separate inbox. 
They&#8217;re also working on detecting spikes in abusive DMs so they can pro-actively offer victims the option to turn on <em>Limits<\/em> \u2014 <a href=\"https:\/\/www.imore.com\/instagram-rolling-out-new-tools-stop-abuse-its-platform\">www.imore.com\/\u2026<\/a><\/li>\n<li>Twitter research shows that ID verification would not stop abuses because almost all abuse is from accounts that can be linked to real people already \u2014 <a href=\"https:\/\/www.imore.com\/twitter-says-id-verification-wont-stop-abuse-its-platform\">www.imore.com\/\u2026<\/a><\/li>\n<li>TikTok adds new privacy features for teens, including much more restrictive defaults requiring teens to pro-actively choose to share their content more broadly, and stopping push notifications during nighttime hours \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/tiktok-sets-out-new-safety-and-privacy-features-for-teens\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/facebook-e2e-messenger-calls\/\">Facebook Adds End-To-End Encryption to Messenger Calls, Instagram DMs \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/twitter-testing-reporting-covid-19-misinformation\">Twitter testing reporting for COVID-19 misinformation \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Firefox 91 completes the rollout of the <em>Total Cookie Protection<\/em> feature we described in a <a href=\"https:\/\/www.podfeet.com\/blog\/2021\/03\/sb-2021-03-07\/\">Security Bits segment back in March<\/a> \u2014 <a href=\"https:\/\/www.imore.com\/firefox-rolls-out-new-tool-can-delete-all-your-cookies\">www.imore.com\/\u2026<\/a><\/li>\n<li>The ground-breaking privacy docudrama <em>The Social Dilemma<\/em> is now streaming for free on YouTube \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/the-social-dilemma-now-streaming-free-on-youtube\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside 
class=\"small-aside\">Calls to action; if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Another Patch Tuesday has been and gone, and one of the Windows bugs patched is now under active exploitation, so be sure to patch promptly \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2021\/08\/microsoft-patch-tuesday-august-2021-edition\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Security researchers at Tenable have found a critical bug in the firmware used in many home routers by Buffalo, and in re-badged routers from major ISPs \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/08\/10\/home-and-small-business-routers-under-attack-how-to-see-if-you-are-at-risk\/\">nakedsecurity.sophos.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.tenable.com\/security\/research\/tra-2021-13\">www.tenable.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/krebsonsecurity.com\/2021\/08\/t-mobile-breach-exposed-ssn-dob-of-40m-people\/\">T-Mobile: Breach Exposed SSN\/DOB of 40M+ People \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Security researchers at Mandiant have found critical vulnerabilities in the Kalay back-end used by many smart home devices from many vendors, including security cameras and baby monitors \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/08\/17\/video-surveillance-network-hacked-by-researchers-to-hijack-footage\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Another worrying TOS update: <a href=\"https:\/\/gizmodo.com\/ancestry-com-just-gave-itself-the-rights-to-your-belove-1847456138\">Ancestry.com Just Gave Itself the Rights to Your Beloved Family Photos \u2014 gizmodo.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Cryptocurrency exchanges are clearly 
being targeted ATM:\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/08\/11\/hacker-grabs-600m-in-cryptocash-from-blockchain-company-poly-networks\/\">Hacker grabs $600m in crypto cash from blockchain company Poly Networks \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/08\/20\/japanese-cryptocoin-exchange-robbed-of-100000000\/\">Japanese cryptocoin exchange robbed of $100,000,000 \u2014 nakedsecurity.sophos.com\/\u2026<\/a> <\/li>\n<li><strong>Editorial by Bart:<\/strong> remember that the whole point of cryptocurrency is that it&#8217;s impossible to regulate, so, there are no authorities that can refund people their money when this kind of thing happens. When you trust an exchange with your cryptocurrency you are <strong>really<\/strong> trusting them, there is no safety net!<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-backed-smart-home-standard-matter-delayed-until-2022\">Apple-backed smart home standard &#8216;Matter&#8217; delayed until 2022 \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-has-released-icloud-windows-125-new-password-manager\">Apple has released iCloud for Windows 12.5 with a new password manager \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>GitHub have implemented the tighter authentication policies for Git operations they announced late last year \u2014 Git actions like pushing code into a repo can&#8217;t be authenticated by passwords anymore, users have to use more secure mechanisms like SSH keys, OAuth, or personal access tokens. 
Because GitHub is used to manage so much open source software, this will make all of us more secure \u2014 <a href=\"https:\/\/github.blog\/2021-08-16-securing-your-github-account-two-factor-authentication\/\">github.blog\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>What sites\/services get targeted most by hackers? Here&#8217;s the top-10: <a href=\"https:\/\/www.intactsoftware.com\/blog\/the-biggest-cyber-hacking-targets-in-the-world\/\">The Biggest Cyber-Hacking Targets in the World \u2014 www.intactsoftware.com\/\u2026<\/a><\/li>\n<li>The way 5G is being rolled out at the moment, it&#8217;s actually 4G from a security POV, so while we have the speeds, we often don&#8217;t yet have the promised security and privacy: <a href=\"https:\/\/www.wired.com\/story\/5g-network-stingray-surveillance-non-standalone\/\">A 5G Shortcut Leaves Phones Exposed to Stingray Surveillance \u2014 www.wired.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Just Because it&#8217;s Cool &#x1f60e;<\/h2>\n<aside class=\"small-aside\">Stories that are not important, that don&#8217;t require you to do anything, and that you don&#8217;t even have to worry about.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/pretty-good-phone-privacy\/\">Researchers Propose New Way to Limit Location Tracking With \u2018Pretty Good Phone Privacy\u2019 \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>An interesting little article connecting a blunder by Russian sensors with the strangely intertwined histories of regular expressions and AI: <a href=\"https:\/\/whyisthisinteresting.substack.com\/p\/the-regular-expression-edition\">The Regular Expression Edition &#8211; by Guest Contributor &#8211; Why is this 
interesting? \u2014 whyisthisinteresting.substack.com\/\u2026<\/a><\/li>\n<li>Another amazing Astronomy Picture of the Day: <a href=\"https:\/\/apod.nasa.gov\/apod\/ap210815.html\">Perseid Rain \u2014 apod.nasa.gov\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to; when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: center;\">Emoji<\/th>\n<th style=\"text-align: left;\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: center;\">&#x1f3a7;<\/td>\n<td style=\"text-align: left;\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">&#x2757;<\/td>\n<td style=\"text-align: left;\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><em>flag<\/em><\/td>\n<td style=\"text-align: left;\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">&#x1f4ca;<\/td>\n<td style=\"text-align: left;\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">&#x1f9ef;<\/td>\n<td style=\"text-align: left;\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&quot;no need to light your hair on fire&quot;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">&#x1f4b5;<\/td>\n<td style=\"text-align: left;\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">&#x1f4cc;<\/td>\n<td style=\"text-align: left;\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">&#x1f3a9;<\/td>\n<td style=\"text-align: left;\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Apple&#8217;s Child Protection Features New Information: Apple publishes Child Safety FAQ to address CSAM scanning concerns and more \u2014 www.imore.com\/\u2026 Apple shares a security threat review for its new CSAM detection feature \u2014 www.imore.com\/\u2026 [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4741,4742,4722,114,50,569,2139],"class_list":["post-24266","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-apple-child-protection","tag-crypto-currency","tag-csam","tag-privacy","tag-security","tag-security-bits","tag-social-media"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24266","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/p
osts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=24266"}],"version-history":[{"count":5,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24266\/revisions"}],"predecessor-version":[{"id":24271,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24266\/revisions\/24271"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=24266"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=24266"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=24266"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}