{"id":24911,"date":"2021-12-12T12:48:17","date_gmt":"2021-12-12T20:48:17","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=24911"},"modified":"2021-12-20T07:02:29","modified_gmt":"2021-12-20T15:02:29","slug":"sb-2021-12-12","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/12\/sb-2021-12-12\/","title":{"rendered":"Security Bits \u2014 12 December 2021"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; &#x1f1fa;&#x1f1ec; Apple informed the US State Department that at least 9 iPhones used by their staff were infected with the NSO Group&#8217;s Pegasus malware. It&#8217;s not clear which NSO Group customer is responsible, but all the iPhones had Ugandan or other East-African SIM cards, so suspicion has fallen on the Ugandan government \u2014 <a href=\"https:\/\/www.reuters.com\/technology\/exclusive-us-state-department-phones-hacked-with-israeli-company-spyware-sources-2021-12-03\/\">www.reuters.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.intego.com\/mac-security-blog\/i-am-hacker-nso-group-new-email-scam-leverages-controversial-pegasus-malware\/\">&#8220;I am hacker NSO Group,&#8221; New Email Scam Leverages Controversial Pegasus Malware \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>More details have come to light on the Ubiquiti hack from late last year \u2013 it was an inside-job: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/former-ubiquiti-dev-charged-for-trying-to-extort-his-employer\/\">Former Ubiquiti dev charged for trying to extort his employer \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>&#x1f1ee;&#x1f1ea; Ireland&#8217;s <em>Health Service Executive<\/em> (HSE) have published the findings of a detailed investigation into the Conti Ransomware that crippled Irish healthcare for months, starting in March this year \u2014 <a href=\"https:\/\/www.rte.ie\/news\/health\/2021\/1210\/1265985-hse-cyber-attack\/\">www.rte.ie\/\u2026<\/a><br \/>\n> PwC said the HSE is operating on a frail IT estate that has been lacking investment over many years to maintain a secure infrastructure and does not have the required cyber security to protect the operation of the health services.<br \/>\n><br \/>\n>It also said it is lacking the expertise and resources to detect, prevent or respond to a cyber attack of this scale.<br \/>\n><br \/>\n> It recommended the creation of two new key roles &#8211; a chief technology and transformation officer and chief information security officer &#8211; along with 24\/7 monitoring.<\/li>\n<li>&#x1f1ec;&#x1f1e7; A multi-billion lawsuit against Google in the UK over its bypassing of Safari privacy protections back in 2011 &amp; 2012 has come to an ignominious end \u2013 killed on a technicality \u2014 <a href=\"https:\/\/www.imore.com\/uk-supreme-court-blocks-43-billion-iphone-tracking-lawsuit-against-google\">www.imore.com\/\u2026<\/a><\/li>\n<li>Social Media Developments\n<ul>\n<li>Meta:\n<ul>\n<li>&#x1f1ec;&#x1f1e7; The UK Competition &amp; Markets Authority have ordered Meta (n\u00e9e Facebook) to sell Giphy. Facebook are looking into how they can fight the decision \u2014 <a href=\"https:\/\/www.imore.com\/uk-supreme-court-blocks-43-billion-iphone-tracking-lawsuit-against-google\">www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.wired.com\/story\/facebook-protect-two-factor-authentication-requirement\/\">Facebook Will Force More At-Risk Accounts to Use Two-Factor \u2014 www.wired.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; &#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.imore.com\/facebook-sued-150bn-rohingya-over-myanmar-hate-speech\">Facebook sued for $150bn by Rohingya over Myanmar hate speech \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/instagram-unveils-time-limit-controls-teens-new-stricter-approach\">Instagram unveils time limit controls for teens in new &#8216;stricter approach&#8217; \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>Researchers from KU Leuven &#x1f1e7;&#x1f1ea; &amp; New York University &#x1f1fa;&#x1f1f8; found that Facebook&#8217;s algorithm gets it wrong up to 83% of the time when classifying ads as political or not <a href=\"https:\/\/www.brusselstimes.com\/news\/business\/197144\/facebook-very-poor-at-distinguishing-political-ads-ku-leuven-researchers-find\/\">brusselstimes.com\/\u2026<\/a><br \/>\n> Between July 2020 and February 2021, the KU Leuven and NYU co-authors examined 33.8 million Facebook ads. The subset that was of particular interest consisted of 189,000 ads that Facebook or the researchers deemed political.<br \/>\n><br \/>\n> The researchers found that in this category, Facebook had missed about 117,000 political ads (62%) that ran but should have been taken down in line with its own political ad policy. Conversely, Facebook had flagged approximately 40,000 non-political ads as political (21%). Facebook was, in other words, found wrong on 83% of these 189,000 ads.<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/techcrunch.com\/2021\/11\/30\/twitter-expands-safety-policy-bans-posting-images-of-people-without-their-consent\/\">Twitter expands safety policy, bans posting images of people without their consent \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Firefox 95 is out with a bunch of important security fixes, but also a new sandboxing technology to better isolate code running in separate tabs, even when it uses shared libraries \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/12\/07\/firefox-update-brings-a-whole-new-sort-of-security-sandbox\/\">nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/firefox-95-mac-adds-performance-and-security-improvements-popular-browser\">Firefox 95 for Mac adds performance and security improvements to the popular browser \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Expect a lot of software updates for internet-connected apps because Mozilla have patched a critical bug dubbed <em>BigSig<\/em> in their NSS (Netscape Security Suite) open source crypto library \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/12\/03\/mozilla-patches-exploitable-bigsig-cryptographic-bug\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/tile-parent-company-life360-selling-its-customers-location-data\">Tile&#8217;s new owner is selling its customer&#8217;s location data \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; The LA-branch of Planned Parenthood leaked 400K patient records including name and one or more of &#8220;address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and\/or prescription information&#8221; \u2014 <a href=\"https:\/\/www.washingtonpost.com\/nation\/2021\/12\/01\/los-angeles-planned-parenthood-hack\/\">www.washingtonpost.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/arstechnica.com\/information-technology\/2021\/12\/verizon-ignored-users-previous-opt-outs-in-latest-push-to-scan-web-browsing\/\">Verizon overrides users\u2019 opt-out preferences in push to collect browsing history \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Apache have patched a critical zero-day dubbed <em>Log4Shell<\/em> in the very widely used logging library Log4J. Log4J is an open source Java library that&#8217;s used very heavily in Java-based enterprise apps, and on the platforms powering major cloud services. This is not something end-users can fix, but something sysadmins around the world are now scrambling to fix on their servers. Best you can do is buy any affected sysadmins a much-needed coffee! \u2014 <a href=\"https:\/\/www.wired.com\/story\/log4j-flaw-hacking-internet\/\">www.wired.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/12\/10\/log4shell-java-vulnerability-how-to-safeguard-your-servers\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>The Financial Times is reporting that Apple have &#8216;loosened&#8217; their anti-tracking policies \u2014 <a href=\"https:\/\/www.imore.com\/apple-allowing-much-looser-interpretation-ad-tracking-policy-claims-report\">www.imore.com\/\u2026<\/a>\n<ul>\n<li><em><strong>Editorial by Bart:<\/strong> From my reading of this I&#8217;m not seeing any &#8216;there&#8217; there. Aggregated anonymised data is not tracking banned under Apple&#8217;s policy, and it&#8217;s what Apple themselves provide via their own ad effectiveness reporting APIs. This has the whiff of &#8216;clickbait&#8217; to me.<\/em><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1ec;&#x1f1e7; The UK government have published a draft <em>Product Security and Telecommunications Infrastructure<\/em> (PSTI) bill that would set a security floor on IoT devices, default credentials would be banned, there would be a duty to notify users of vulnerabilities, and the packaging would have to state the length of time security updates will be available \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/12\/02\/iot-devices-must-protect-consumers-from-cyberharm-says-uk-government\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>A fascinating look at a simple logic bug that cost millions: <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/12\/06\/cryptocurrency-startup-fails-to-subtract-before-adding-loses-31m\/\">Cryptocurrency startup fails to subtract before adding, loses $31m \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>&#x1f3a7; Business Wars has just finished another mini-series the NosillaCastaways might enjoy: <a href=\"https:\/\/overcast.fm\/+LnJeCCkuc\">Blackberry vs iPhone \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li>&#x1f3a7; One of my favourite science podcasts, <a href=\"https:\/\/www.bbc.co.uk\/programmes\/b07dx75g\/episodes\/downloads\">The Curious Cases of Rutherford &amp; Fry<\/a>, has started a new mini-series on living with AI. The first episode is out: <a href=\"https:\/\/overcast.fm\/+IPRQMrzFA\">AI in Warfare \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li>&#x1f3a7; Code Newbie interviews iAsia Brown, a military veteran and programmer who is now a programmer at Microsoft and is very compelling on how to transition from the military to life in tech <a href=\"https:\/\/www.codenewbie.org\/podcast\/how-military-veterans-can-translate-their-skills-to-tech\">www.codenewbie.org\/&#8230;<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. &#x1f1fa;&#x1f1f8; &#x1f1fa;&#x1f1ec; Apple informed the US State Department that at least 9 iPhones used by their staff were infected with the NSO Group&#8217;s Pegasus malware. It&#8217;s not clear which NSO Group customer is responsible, [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[147,214],"tags":[4952,1565,71,4951,4773,2079,114,50,569,2073],"class_list":["post-24911","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-code-newbies","tag-electro-tactile-stimulation","tag-firefox","tag-java","tag-nso","tag-patch","tag-privacy","tag-security","tag-security-bits","tag-verizon"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24911","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=24911"}],"version-history":[{"count":4,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24911\/revisions"}],"predecessor-version":[{"id":24973,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24911\/revisions\/24973"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=24911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=24911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=24911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}