{"id":24604,"date":"2021-10-17T11:31:43","date_gmt":"2021-10-17T18:31:43","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=24604"},"modified":"2021-10-18T06:43:08","modified_gmt":"2021-10-18T13:43:08","slug":"sb-2021-10-23","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/10\/sb-2021-10-23\/","title":{"rendered":"Security Bits \u2014 17 October 2021"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Another example of 2FA-bypass attacks in use in the wild: <a href=\"https:\/\/krebsonsecurity.com\/2021\/10\/how-coinbase-phishers-steal-one-time-passwords\/\">How Coinbase Phishers Steal One-Time Passwords \u2013 Krebs on Security \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>&#x1f1ea;&#x1f1fa; <a href=\"https:\/\/www.brusselstimes.com\/news\/eu-affairs\/189473\/pegasus-project-european-parliament-awards-journalism-prize-to-investigation-of-use-of-spyware\/\">Pegasus Project: European Parliament awards journalism prize to investigation of use of spyware \u2014 www.brusselstimes.com\/\u2026<\/a><\/li>\n<li>Apple have released an updated and more detailed paper arguing against mandated side-loading on iOS: <a href=\"https:\/\/www.apple.com\/privacy\/docs\/Building_a_Trusted_Ecosystem_for_Millions_of_Apps_A_Threat_Analysis_of_Sideloading.pdf\">Building a Trusted Ecosystem for Millions of Apps: A threat analysis of sideloading \u2014 www.apple.com\/\u2026<\/a>\n<ul>\n<li>A good summary: <a href=\"https:\/\/www.tomsguide.com\/news\/apple-sideload-paper\">Apple: App sideloading on iPhones would &#8216;cripple&#8217; security protections \u2014 www.tomsguide.com\/\u2026<\/a><\/li>\n<li>Observations from Bart:\n<ul>\n<li>Apple really stress the illustrative value of Android here. 
They make a point of separating out the impact of laxer app store rules and side-loading on Android, with numbers showing that 93% of Android malware infections come via side-loading.<\/li>\n<li>Apple open up about the abuses they see in the limited and very tightly controlled side-loading system they have \u2014 enterprise apps. They describe actual malware attacks that have been perpetrated using the mechanism and throw Facebook under the bus for good measure with their Onavo spyware VPN. The point being that even the most tightly controlled side-loading possible has already caused problems; things would obviously get a lot worse if the flood-gates were opened.<\/li>\n<li>Apple argue that if there were side-loading, even users who don&#8217;t want to sideload would be pressured and\/or tricked into it by schools, employers, developers, and cybercriminals.<\/li>\n<li>There&#8217;s an entire page of the report dedicated to quotes from European and American government agencies issuing advice on blocking side-loading for security reasons.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Continuing Social Media Tweaks:\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/new-twitter-changes-should-make-it-easier-avoid-drama-llamas\">New Twitter changes should make it easier to avoid the drama llamas \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/whatsapp-e2e-backups\/\">WhatsApp Rolls Out Support for End-To-End Encrypted Backups \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 Facebook&#8217;s Very Bad Day<\/h2>\n<p>Unless you&#8217;ve been living under a rock, you know Facebook went down for 6 hours recently. 
While the outage was going on there was all kinds of speculation about what might be happening, not helped by the fact that the outage roughly coincided with a whistleblower giving evidence to the US Congress.<\/p>\n<p>My gut feeling was either a rogue employee making a point and\/or a dramatic exit, or, a sysadmin having a really bad day. Turns out it was a sysadmin making a small mistake that led to a cascade of failures that was extremely difficult to recover from.<\/p>\n<p>At the root of the outage is some automation around one of the back-bone technologies underpinning the core of the internet \u2014 BGP, the <em>border gateway protocol<\/em>. This is the so-called <em>routing algorithm<\/em> that allows the routers that actually power the internet to build up a map of how the actual cables that carry internet traffic are connected to each other, and which IP addresses are where.<\/p>\n<p>BGP is the absolute work-horse of the internet, but it flies under the radar of most regular folk most of the time because there is no equivalent of it within our home networks. Routing within a typical home network is trivial, even if you set up three routers in a Y-shaped configuration to segregate off your IoT devices. What makes it trivial is that there is exactly one path between any two devices on the network, and between the internet and any device on the network. There are no choices to make, and there is no possibility of a loop.<\/p>\n<p>The core of the internet is much more complicated: it&#8217;s made up of a massively interconnected grid of routers. Each router connects to many other routers, there are many possible paths between any two routers, and bad routing decisions could easily set up loops trapping traffic. 
What&#8217;s worse is that routers come and go constantly as cables are added, removed, taken offline for maintenance, or break, cut by machinery, eaten by rodents (that happens a lot!), snapped by underwater landslides, or cut through by errant ship anchors.<\/p>\n<p>No human could manage the chaos, so the routers have to figure it all out for themselves. This is the problem BGP solves, and a big part of the solution is that all routers are effectively gossips, telling all their neighbours everything they know. This means that information ripples through the internet as salacious news does through a village!<\/p>\n<p>The source of all this gossip is <em>announcements<\/em> from routers with responsibility for specific blocks of IP addresses <em>advertising<\/em> (telling everyone that&#8217;s listening) that they&#8217;ve just come online and are ready to accept packets for their IP ranges, or, that they&#8217;ve changed their minds, and no longer want packets for those IPs (<em>retractions<\/em>).<\/p>\n<p>Finally, we think of IPs as belonging to single devices, but out on the internet, that&#8217;s not true. Large content delivery networks (CDNs) use BGP to offer multiple possible end-points for a given IP address. This is how CDNs allow for fast downloads \u2014 the DNS for the servers maps the name of the content-hosting server to a given IP, and BGP then offers lots of possible paths to that IP, each leading to a different server in a different part of the world that has a copy of the content. 
Each router uses the shortest path it knows about, so Irish customers end up at a server in one of the data centres ringing Dublin, and someone in Australia ends up talking to a server in Sydney or Melbourne etc.<\/p>\n<p>When you have multiple servers powering a single IP, you need to update your advertised routes as servers are added to the pool, or removed from it.<\/p>\n<p>Facebook decided to automate this process with some automation running on their DNS infrastructure, and through a whoopsie, accidentally caused their DNS servers to send out BGP advertisements retracting <strong>all routes<\/strong> to the IP addresses of their DNS servers. This means their DNS servers took themselves off the internet, and all Facebook domains became impossible to translate from human-friendly name to IP address, including the internal DNS records powering the infrastructure employees needed to securely connect from home. In effect, Facebook knocked themselves off the internet in such a way that the only solution was to physically get into the data centres, connect directly to the routers, and send out updated BGP advertisements. Because so many people are working from home, and because Facebook&#8217;s data centres <strong>need<\/strong> superb physical security, it took hours to figure out what happened, get physically to the data centres, get into the right rooms, and get the routes published.<\/p>\n<p>Basically, it was a cascading failure. It reminded me of the worst day of my professional career, when a swan had an even worse day and shorted some high-voltage cables, cutting electricity to most of our county. That cascaded with a battery failure in a UPS, which took down our entire infrastructure for the first time in years, and when we went to power up our private cloud we discovered its startup procedures depended on our DNS VMs, which were hosted on our private cloud. One circular dependency, one very bad day! 
(The fix was a few hard-coded <code>\/etc\/hosts<\/code> files based on a document someone found on their computer that references the IP addresses belonging to the critical DNS names.)<\/p>\n<p>I felt really sorry for the Facebook sysadmins \u2014 they now have one heck of a war story to regale fellow nerds with in the pub at tech conferences &#x1f642;<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/blog.cloudflare.com\/october-2021-facebook-outage\/\">Understanding How Facebook Disappeared from the Internet \u2014 blog.cloudflare.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2021\/10\/what-happened-to-facebook-instagram-whatsapp\/\">What Happened to Facebook, Instagram, &amp; WhatsApp? \u2013 Krebs on Security \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/facebook-says-single-error-caused-massive-outage\">Facebook says single error caused massive outage \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/telegram-bagged-70-million-new-users-when-whatsapp-was-down-few-hours\">Telegram bagged 70 million new users when WhatsApp was down for a few hours \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/overcast.fm\/+b-m1i6Pjk\">About the Facebook Outage \u2014 Know a Little More \u2014 Overcast \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.usehaystack.io\/blog\/facebook-outage-increased-developer-throughput-by-32\">Facebook Outage Increased Developer Throughput by 32% \u2014 www.usehaystack.io\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/tidbits.com\/2021\/10\/11\/ios-15-0-2-ipados-15-0-2-and-watchos-8-0-1-fix-bugs-major-security-flaw\/\">iOS 15.0.2, iPadOS 15.0.2, and watchOS 8.0.1 Fix Bugs, Major Security Flaw \u2014 tidbits.com\/\u2026<\/a> &amp; 
<a href=\"https:\/\/www.imore.com\/ios-1502-fixes-zero-day-vulnerability-apple-hasnt-given-credit-researcher-who-found-it\">iOS 15.0.2 fixes a zero-day vulnerability but Apple hasn&#8217;t given credit to the researcher who found it \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2021\/10\/patch-tuesday-october-2021-edition\/\">Patch Tuesday, October 2021 Edition \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>If you run your own Apache-based web server, be sure it&#8217;s fully patched. A very easy-to-exploit bug was found in the web server software; it was quickly, but poorly, patched, and a few days later another patch was released \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/10\/08\/apache-patch-proves-patchy-now-you-need-to-patch-the-patch\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>A massive infrastructure provider for phone carriers around the world (about 235), including big names like AT&amp;T, T-Mobile, Verizon, Vodafone, and China Mobile, has revealed that hackers were active in their systems from May 2016 until May this year. Attackers could see call metadata like who called who for how long, and, the contents of SMS messages. 
Yet another reason to avoid SMS for 2FA when you have other options \u2014 <a href=\"https:\/\/www.vice.com\/en\/article\/z3xpm8\/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked\">www.vice.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/huge-twitch-leak-exposes-source-code-passwords-what-you-need-do\">Huge Twitch leak exposes source code, passwords &#8211; what you need to do \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; A breach at Verizon carrier <em>Visible<\/em> has resulted in fraudulent orders of iPhones being charged to people&#8217;s connected payment methods \u2014 <a href=\"https:\/\/www.imore.com\/iphone-13s-ordered-through-reported-breach-digital-carrier-visible\">www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Apple&#8217;s support pages were briefly updated to list Safari Bookmarks as end-to-end encrypted, but the page updated again a few days later to say the bookmarks are encrypted in transit and while stored. That&#8217;s good, but not as good as E2EE \u2014 <a href=\"https:\/\/www.imore.com\/safari-bookmarks-arent-end-end-encrypted-despite-apple-saying-they-were\">www.imore.com\/\u2026<\/a><\/li>\n<li>Apple have warned developers that if their app allows users to create an account, it must also allow users to delete their accounts. 
The deadline for developers to comply is the end of January 2022 \u2014 <a href=\"https:\/\/www.imore.com\/apple-apps-create-accounts-must-let-people-delete-them-february-2022\">www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/www.imore.com\/uk-judge-rules-ring-video-doorbell-breach-neighbours-privacy\">UK judge rules Ring video doorbell breach of neighbor&#8217;s privacy \u2014 www.imore.com\/\u2026<\/a> (This seems to be more than just a simple case of a Ring camera being used in the normal way, but the fact that the Judge found that video of the neighbour belonged to the neighbour from a data protection POV seems significant, as did the focus on the Ring&#8217;s audio recording capabilities)\n<ul>\n<li><strong>Related:<\/strong> &#x1f3a7; The first episode of the excellent <a href=\"https:\/\/podcasting.voxmedia.com\/show\/nice-try\">Nice Try! podcast<\/a> dedicates an entire section of the show to the legal questions around Ring in the US, especially its audio features: <a href=\"https:\/\/overcast.fm\/+R7MgvnU-E\">Nice Try! 
&#8211; The Doorbell \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.imore.com\/1password-announces-easy-item-sharing-people-who-arent-using-it\">1Password announces easy item sharing with people who aren&#8217;t using it \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/tidbits.com\/2021\/10\/07\/add-two-factor-codes-to-password-entries-in-ios-15-ipados-15-and-safari-15\/\">Add Two-Factor Codes to Password Entries in iOS 15, iPadOS 15, and Safari 15 \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/how-use-icloud-private-relay-iphone-and-ipad\">How to use iCloud Private Relay on iPhone and iPad \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li><a href=\"https:\/\/theintercept.com\/2021\/10\/12\/facebook-secret-blacklist-dangerous\/\">Revealed: Facebook\u2019s Secret Blacklist of \u201cDangerous Individuals and Organizations\u201d \u2014 theintercept.com\/\u2026<\/a><\/li>\n<li>&#x1f3a7; <a href=\"https:\/\/overcast.fm\/+oiPWJX7X4\">The Ezra Klein Show: A Crypto Optimist and a Crypto Skeptic Walk Into a Podcast Studio \u2014 overcast.fm\/\u2026<\/a> (A fascinating discussion of the big-picture changes the blockchain could bring to society if you assume the tech becomes easy to use and ubiquitous)<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>NASA astronaut Shane Kimbrough has been tweeting up a storm from the ISS, including some lovely photos of the Earth at night. 
Two personal highlights:\n<ul>\n<li>&#x1f1ee;&#x1f1ea; Dublin \u2014 <a href=\"https:\/\/twitter.com\/astro_kimbrough\/status\/1447599550307373060?s=12\">twitter.com\/\u2026<\/a><\/li>\n<li>&#x1f1e7;&#x1f1ea; Brussels \u2014 <a href=\"https:\/\/twitter.com\/astro_kimbrough\/status\/1448290701645594629?s=12\">twitter.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>A great explanation of what the chance of rain percentage on your weather apps actually means, and why it can say 100%, you can stay totally dry, and the app can still be completely correct \u2014 <a href=\"https:\/\/www.macobserver.com\/tips\/quick-tip\/what-chance-of-rain-weather-really-means\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to; when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> 
&#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Another example of 2FA-bypass attacks in use in the wild: How Coinbase Phishers Steal One-Time Passwords \u2013 Krebs on Security \u2014 krebsonsecurity.com\/\u2026 &#x1f1ea;&#x1f1fa; Pegasus Project: European Parliament awards journalism prize to investigation of use 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4843,4844,1117,4847,776,4846,4845,156,50,569],"class_list":["post-24604","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-bgp","tag-border-gateway-protocol","tag-dns","tag-encrypted-in-transit","tag-encryption","tag-encryted-at-rest","tag-end-to-end-encryption","tag-facebook","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24604","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=24604"}],"version-history":[{"count":6,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24604\/revisions"}],"predecessor-version":[{"id":24617,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24604\/revisions\/24617"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=24604"}],"wp:term
":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=24604"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=24604"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}