{"id":24430,"date":"2021-09-19T13:22:07","date_gmt":"2021-09-19T20:22:07","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=24430"},"modified":"2021-09-19T13:22:07","modified_gmt":"2021-09-19T20:22:07","slug":"sb-2021-09-19","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/09\/sb-2021-09-19\/","title":{"rendered":"Security Bits \u2014 19 September 2021"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>The NSO Group\/Pegasus Saga:<\/li>\n<li>Apple have patched the vulnerability used by the NSO Group to deploy their Pegasus spyware, and the Citizen Lab have published a report on their discovery of the vulnerability which they&#8217;ve named <em>FORCEDENTRY<\/em> \u2014 <a href=\"https:\/\/citizenlab.ca\/2021\/09\/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild\/\">citizenlab.ca\/\u2026<\/a> &amp; <a href=\"https:\/\/arstechnica.com\/?p=1794411\">arstechnica.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/09\/14\/apple-products-vulnerable-to-forcedentry-zero-day-attack-patch-now\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1e9;&#x1f1ea; <a href=\"https:\/\/www.macobserver.com\/news\/germany-purchased-pegasus\/\">Germany Secretly Purchased NSO Group Spyware \u2018Pegasus\u2019 \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>Social Media Improvements:<\/li>\n<li><a href=\"https:\/\/www.imore.com\/whatsapp-announces-end-end-encrypted-backups-icloud\">WhatsApp announces end-to-end encrypted backups on iCloud \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><strong>Related Analysis:<\/strong> A good reminder that end-to-end encryption does not protect the data at either end, only while it moves between the ends: <a
href=\"https:\/\/tidbits.com\/2021\/09\/10\/remember-communication-services-cannot-guarantee-privacy\/\">Remember, Communication Services Cannot Guarantee Privacy \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li>The WSJ has reported that Instagram internal research shows Instagram can be harmful to teenagers with body image issues \u2014 <a href=\"https:\/\/www.theguardian.com\/technology\/2021\/sep\/14\/facebook-aware-instagram-harmful-effect-teenage-girls-leak-reveals\">www.theguardian.com\/\u2026<\/a><\/li>\n<li><strong>Editorial by Bart:<\/strong> This has generally been reported in a very negative way, presumably to get more clicks, but I see this as a very positive thing. Instagram are pro-actively studying the unwanted side-effects of their platform and working to address them. I found the interview Instagram head Adam Mosseri did with Vox very illuminating. The studies didn&#8217;t actually say what many media reports implied they did (they asked different questions so the data had intentional selection biases), and the context he provided made sense to me.<\/li>\n<li><strong>Related:<\/strong> &#x1f3a7; Mosseri&#8217;s interview with Vox: <a href=\"https:\/\/overcast.fm\/+YH-5NCcsk\">Recode Daily: Instagram is bad for teens\u2019 self-esteem, and it knows it\u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Patch Tuesday was this week, and it&#8217;s an important one, including an IE\/MSHTML zero-day that&#8217;s being actively exploited \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2021\/09\/microsoft-patch-tuesday-september-2021-edition\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Details on the Zero-day: <a href=\"https:\/\/krebsonsecurity.com\/2021\/09\/microsoft-attackers-exploiting-windows-zero-day-flaw\/\">krebsonsecurity.com\/\u2026<\/a> &amp; <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2021\/09\/08\/windows-zero-day-mshtml-attack-how-not-to-get-booby-trapped\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Remember to apply those NSO Apple Patches for everything!<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>A report from the UN HRC (Human Rights Council) calls for governments to pause the use of facial recognition and some other AI systems until safeguards can be developed and deployed \u2014 <a href=\"https:\/\/www.brusselstimes.com\/news\/business\/185191\/un-calls-for-moratorium-on-facial-recognition-and-other-ai-systems\/\">www.brusselstimes.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/facebook-ray-ban-camera-glasses-everyone-freaking-out\/\">Facebook And Ray-Ban Released Some Camera Glasses and Everyone is Freaking Out \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/link\/ftc-health-apps-warning\/\">Health Apps Must Warn Users of Data Breaches, Says FTC \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/gethealth-data-leak\/\">\u2018GetHealth\u2019 Leaks Apple HealthKit Data With 61 Million Records www.macobserver.com\/&#8230;<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>Common Sense Media analysed streaming hardware and apps from a privacy POV, and only one product and one service received a passing grade \u2014 the AppleTV hardware, and the AppleTV+ streaming service \u2014 <a href=\"https:\/\/www.techdirt.com\/articles\/20210901\/07342847477\/every-streaming-company-not-named-apple-receives-lousy-grade-privacy.shtml\">Every Streaming Company Not Named Apple Receives A Lousy Grade On Privacy www.techdirt.com\/\u2026<\/a><\/li>\n<li>A 2-page PDF poster of the findings \u2014 <a
href=\"https:\/\/www.commonsensemedia.org\/research\/privacy-of-streaming-apps-and-devices-2021\">www.commonsensemedia.org\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1793284\">Infosec researchers say Apple\u2019s bug-bounty program needs work \u2014 arstechnica.com<\/a><\/li>\n<li>A long but fascinating read: <a href=\"https:\/\/www.reuters.com\/investigates\/special-report\/usa-spying-raven\/\">Ex-NSA cyberspies reveal how they helped hack foes of UAE \u2014 www.reuters.com\/\u2026<\/a><\/li>\n<li>This is only security-adjacent, but an excellent analysis IMO: <a href=\"https:\/\/www.wired.com\/story\/google-getting-caught-in-global-antitrust-net\/\">Google Is Getting Caught in the Global Antitrust Net \u2014 www.wired.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Allison:<\/strong> I saw an awesome billboard on the freeway today.
It was by DuckDuckGo and all it said was, <em>\u201cBe a stranger\u201d.<\/em><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. The NSO Group\/Pegasus Saga: Apple have patched the vulnerability used by the NSO Group to deploy their Pegasus spyware, and the Citizens Lab have published a report on their discovery of the vulnerability which [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4793,156,2188,4709,50,569,4792],"class_list":["post-24430","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-body-image","tag-facebook","tag-instagram","tag-nso-group","tag-security","tag-security-bits","tag-teenagers"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24430","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"a
uthor":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=24430"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24430\/revisions"}],"predecessor-version":[{"id":24437,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24430\/revisions\/24437"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=24430"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=24430"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=24430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}