{"id":24998,"date":"2021-12-22T16:53:58","date_gmt":"2021-12-23T00:53:58","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=24998"},"modified":"2021-12-22T16:54:33","modified_gmt":"2021-12-23T00:54:33","slug":"sb-2021","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/12\/sb-2021\/","title":{"rendered":"Security Bits \u2014 22 December 2021"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li><strong>NSO Group\/Pegasus:<\/strong>\n<ul>\n<li>Google&#8217;s <em>Project Zero<\/em> has released a very detailed report into how the <em>ForcedEntry<\/em> zero-click iMessage bug exploited by Pegasus worked \u2014 it&#8217;s deep deep reading, but this analysis highlights the key point well; there was some very impressive engineering powering this exploit \u2014 <a href=\"https:\/\/daringfireball.net\/linked\/2021\/12\/21\/project-zero-nso-zero-click-deep-dive\">daringfireball.net\/\u2026<\/a><\/li>\n<li>Bloomberg is reporting that the NSO group are reportedly losing money fast, and considering closing or selling off the Pegasus product, possibly to a company that will convert it to a defensive tool \u2014 <a href=\"https:\/\/www.imore.com\/pegasus-spyware-maker-nso-burning-cash-and-considering-closure\">www.imore.com\/\u2026<\/a><\/li>\n<li>The Financial Times &amp; ArsTechnica published a report detailing how the NSO group struck a deal with Uganda which seems to have resulted in Pegasus being deployed against US State Department officials \u2014 <a href=\"https:\/\/arstechnica.com\/features\/2021\/12\/the-secret-uganda-deal-that-has-brought-nso-to-the-brink-of-collapse\/\">arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Apple have released the promised Android app for locating unknown AirTags that have been following you 
\u2014 <a href=\"https:\/\/www.imore.com\/apple-releases-airtag-tracking-app-android\">www.imore.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> we&#8217;re starting to see anecdotal evidence of AirTags being abused (and a lot of evidence of Apple&#8217;s protections working too), e.g. <a href=\"https:\/\/www.imore.com\/driver-finds-hidden-airtag-his-car-ahead-likely-theft-attempt\">Driver finds a hidden AirTag in his car ahead of likely theft attempt \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Troy Hunt has pushed some of the promised changes to <em>Have I Been Pwned<\/em> live \u2014 there is now a mechanism for law enforcement to push data from breaches they find into HIBP, and the code for the HIBP API has been published as open source \u2014 <a href=\"https:\/\/www.troyhunt.com\/open-source-pwned-passwords-with-fbi-feed-and-225m-new-nca-passwords-is-now-live\/\">www.troyhunt.com\/\u2026<\/a><\/li>\n<li>Social Media Updates:\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/whatsapp-now-hides-your-last-seen-status-people-you-dont-know\">WhatsApp now hides your &#8216;Last Seen&#8217; status from people you don&#8217;t know \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 Log4J<\/h2>\n<p>The last time we recorded, Log4J was breaking news, and I predicted it would be a really big deal for corporate IT, and that&#8217;s definitely proven to be the case. In the US an emergency directive has been issued requiring all federal agencies to deal with Log4J before the holidays, so definitely buy any sysadmins you know who work for a US federal agency a coffee!<\/p>\n<p>Things have been quite chaotic over the last 2 weeks, with the initial patch having been patched at least 2 more times!<\/p>\n<p>As more details come to light, this remains, as I suspected, a headache for corporate IT rather than for regular folks. 
Log4J is primarily an enterprise tool, and while there might be the odd instance of home devices or software having Log4J embedded in them, no clear avenue of attack against home users has become apparent, and at least for now, attackers are not focusing on home users, directing their energies instead to the easiest to exploit and most financially valuable large targets.<\/p>\n<p>For home users, the standard advice continues to apply \u2014 if there are security updates for your hardware or software, apply them!<\/p>\n<p>What I have seen a lot of is confusion, particularly around the <em>Apache<\/em> name.<\/p>\n<p>Officially, the situation is very clear-cut: the Apache Foundation runs a number of open source projects, including the Apache HTTP Server and Log4J. Because Log4J is an Apache Foundation project, it&#8217;s often referred to as <em>Apache Log4J<\/em>. Because the Apache HTTP server (AKA httpd) is the longest-running Apache Foundation project, predating the existence of the foundation, people often refer to the web server as simply <em>Apache<\/em>. 
So, <em>Apache Log4J<\/em> sounds like it&#8217;s related to the Apache HTTP Server, <strong>but it isn&#8217;t<\/strong>.<\/p>\n<p>Lots of sysadmins wasted a lot of time explaining to half-informed managers that no, the fact that they run the Apache web server does not mean they have to patch against Log4J.<\/p>\n<p>With all the confusion, something that&#8217;s gotten lost is that there are some totally unrelated security updates for the Apache HTTP server that really should be applied too!<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>The best explainer I found: <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/12\/13\/log4shell-explained-how-it-works-why-you-need-to-know-and-how-to-fix-it\/\">Log4Shell explained \u2013 how it works, why you need to know, and how to fix it \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.cisa.gov\/emergency-directive-22-02\">Emergency Directive 22-02: Mitigate Apache Log4J Vulnerability \u2014 www.cisa.gov\/\u2026<\/a><\/li>\n<li>&#x1f3a6; An excellent video showing the vulnerability in action: <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/12\/20\/log4shell-the-movie-a-short-safe-visual-tour-for-work-and-home\/\">Log4Shell: The Movie\u2026 a short, safe visual tour for work and home \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.securityweek.com\/chinese-government-punishes-alibaba-not-telling-it-first-about-log4shell-flaw-report\">Chinese Government Punishes Alibaba for Not Telling It First About Log4Shell Flaw: Report \u2014 www.securityweek.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/12\/21\/apaches-other-product-critical-bugs-in-httpd-web-server-patch-now\/\">Apache\u2019s other product: Critical bugs in \u2018httpd\u2019 web server, patch now! 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Microsoft&#8217;s December <em>Patch Tuesday<\/em> updates are out, and include fixes for bugs being actively exploited in the wild \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2021\/12\/microsoft-patch-tuesday-december-2021-edition\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Apple have released updates for almost all their OSes: <a href=\"https:\/\/tidbits.com\/2021\/12\/13\/apple-releases-ios-15-2-ipados-15-2-macos-12-1-monterey-watchos-8-3-and-tvos-15-2\/\">Apple Releases iOS 15.2, iPadOS 15.2, macOS 12.1 Monterey, watchOS 8.3, and tvOS 15.2 \u2014 tidbits.com\/\u2026<\/a>\n<ul>\n<li>iOS 15.2 also contains security-related feature updates:\n<ul>\n<li><strong>Account Recovery Contacts<\/strong> (so family\/friends can help <strong>you<\/strong> get back in if you forget your password): <a href=\"https:\/\/www.imore.com\/how-set-account-recovery-contacts-iphone-and-ipad\">How to set up Account Recovery contacts on iPhone and iPad \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><strong>Legacy Contacts<\/strong> (so <strong>your family\/friends<\/strong> can access your iCloud data when you&#8217;re gone): <a href=\"https:\/\/www.imore.com\/how-set-legacy-contact-iphone-and-ipad\">How to set up a Legacy Contact on iPhone and iPad \u2014 www.imore.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.imore.com\/apple-digital-legacy-everything-you-need-know\">Apple Digital Legacy: Everything you need to know! 
\u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><strong>App Privacy Report<\/strong> (opt-in feature to enable detailed app activity log, primarily aimed at security researchers, but fun for nerds): <a href=\"https:\/\/www.intego.com\/mac-security-blog\/understanding-ios-and-ipados-app-privacy-report\/\">Understanding iOS and iPadOS App Privacy Report \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><strong>Siri &amp; iMessage Child Protection Features<\/strong> (the two non-controversial ones)\n<ul>\n<li><strong>Related:<\/strong> Apple updated their website to only list the live features, a bunch of sites assumed that meant CSAM detection was dead, Apple responded to say their plans were unchanged \u2014 <a href=\"https:\/\/www.theverge.com\/2021\/12\/15\/22837631\/apple-csam-detection-child-safety-feature-webpage-removal-delay\">www.theverge.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a href=\"https:\/\/techcrunch.com\/2021\/12\/22\/chatter-phone-bluetooth-bug\/\">Fisher-Price\u2019s Chatter phone has a simple but problematic Bluetooth bug \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li>Believing in conspiracy theories can be dangerous to your health: <a href=\"https:\/\/www.bbc.co.uk\/news\/technology-59703523\">Anti-5G necklaces found to be radioactive \u2014 www.bbc.co.uk\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>&#x1f1ec;&#x1f1e7; The UK Competition &amp; Markets Authority (CMA) has released an interim report on the state of the mobile ecosystem, and while it&#8217;s strongly critical of Google &amp; Apple, it doesn&#8217;t actually recommend any action be taken \u2014 <a 
href=\"https:\/\/www.imore.com\/uk-cma-publishes-scathing-app-store-report-wont-recommend-investigation\">www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>A thought-provoking essay by Troy Hunt. The essay takes you on quite a long journey to get to its final recommendation, but it&#8217;s worth the ride. The piece convinced me that Troy&#8217;s simple suggested definition for a breach is the right approach: <a href=\"https:\/\/www.troyhunt.com\/when-is-a-scrape-a-breach\/\">When is a Scrape a Breach? \u2014 www.troyhunt.com\/\u2026<\/a><br \/>\n> &#8220;A data breach occurs when information is obtained by an unauthorised party in a fashion in which it was not intended to be made available&#8221;<\/li>\n<li>&#x1f3a7; Kara Swisher interviews the Facebook whistleblower Frances Haugen: <a href=\"https:\/\/overcast.fm\/+m_rrOdeyc\">Sway: Why Facebook Whistle-Blower Frances Haugen Thinks She\u2019ll Outlast Mark Zuckerberg \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>My bank, AIB, sent out one of the best security reminder explanations I&#8217;ve seen in a very long time: <a href=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/12\/aib-phishing-training.png\" target=\"_blank\" rel=\"noopener\">&#8220;Don&#8217;t Gift a Criminal This Christmas&#8221;<\/a>.<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>iPhone 13 Pro Schematics wallpapers \u2014 <a href=\"https:\/\/basicappleguy.com\/basicappleblog\/iphone-13-pro-schematic\">basicappleguy.com\/\u2026<\/a><\/li>\n<li>&#x1f384;&#x1f3a6; &#x1f3a7; Watch\/listen to a recording of the live-streamed Carol Service from 
Maynooth (&#x1f1ee;&#x1f1ea;) \u2014 <a href=\"https:\/\/www.youtube.com\/watch?v=-g471AnA08s\">www.youtube.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. NSO Group\/Pegasus: Google&#8217;s Project Zero has released a very detailed report into how the ForcedEntry zero-click iMessage bug exploited by Pegasus worked \u2014 it&#8217;s deep deep reading, but this analysis highlights the key point [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4986,4741,4984,4985,4982,4983],"class_list":["post-24998","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-account-recovery","tag-apple-child-protection","tag-apple-updates","tag-legacy-contacts","tag-log4j","tag-log4shell"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24998","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\
/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=24998"}],"version-history":[{"count":4,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24998\/revisions"}],"predecessor-version":[{"id":25002,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24998\/revisions\/25002"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=24998"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=24998"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=24998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}