{"id":25064,"date":"2022-01-09T11:52:40","date_gmt":"2022-01-09T19:52:40","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=25064"},"modified":"2022-01-17T13:01:10","modified_gmt":"2022-01-17T21:01:10","slug":"sb-2022-01-09","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2022\/01\/sb-2022-01-09\/","title":{"rendered":"Security Bits \u2014 9 January 2022"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Log4Shell (Log4J):\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/01\/07\/log4shell-like-security-hole-found-in-popular-java-sql-database-engine-h2\/\">Log4Shell-like security hole found in popular Java SQL database engine H2 \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/01\/05\/ftc-threatens-legal-action-over-unpatched-log4j-and-other-vulns\/\">FTC threatens \u201clegal action\u201d over unpatched Log4j and other vulns \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1ec;&#x1f1e7; Meta (n\u00e9 Facebook) have decided to appeal the recent ruling by the UK Competition &amp; Markets Authority (CMA) to the Competition Appeal Tribunal \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/meta-appeal-uk-regulators-order-sell-giphy\/\">www.macobserver.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/www.reuters.com\/technology\/facebook-owner-meta-seeks-appeal-uk-ruling-giphy-2022-01-05\/\">Facebook-owner Meta sets out grounds for UK appeal on Giphy \u2014 www.reuters.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>As expected, in the wake of Pegasus, other grey-ware companies are coming under scrutiny: <a 
href=\"https:\/\/www.eff.org\/press\/releases\/saudi-human-rights-activist-represented-eff-sues-spyware-maker-darkmatter-violating\">Saudi Human Rights Activist, Represented by EFF, Sues Spyware Maker DarkMatter For Violating U.S. Anti-Hacking and International Human Rights Laws \u2014 www.eff.org\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive \u2014 The <em>NoReboot<\/em> iOS Bug<\/h2>\n<p>First off \u2014 don&#8217;t panic, the sky is not falling, but an interesting new approach to attacking iOS devices has emerged \u2014 <em>fake it till you make it<\/em> (kinda).<\/p>\n<p><em><strong>TL;DR<\/strong> \u2014 you&#8217;re not likely to fall victim to this vulnerability unless you&#8217;re a very high profile target, and even then this is not a bug that lets malware in, but one that lets malware which got in some other way do more bad things. The best defence is not to let malware onto your device in the first place by keeping your devices patched!<\/em><\/p>\n<p>Attacking iOS devices is hard, and even when you break through one layer of security, you don&#8217;t get very far because Apple have adopted a <em>defence in depth<\/em> strategy. To start doing malicious things on iOS devices usually requires bypassing multiple security systems, so attackers need to <em>chain<\/em> multiple exploits together to get anywhere.<\/p>\n<p>Attackers don&#8217;t just want to run malicious code on your devices once, they want to keep it running as long as possible, so they want to make alterations to your copy of iOS so their malicious software will get re-started on reboot. The jargon for this is <em>persistence<\/em>.<\/p>\n<p>Persistence on iOS is <em>hard<\/em> \u2014 very hard. This is because one of Apple&#8217;s most attacked and yet most successful layers of protection is iOS&#8217;s secure boot process. Altered versions of iOS simply will not boot! 
This is why rebooting an iOS device regularly is a great defence against spyware \u2014 if someone does manage to hack your device once, when you reboot, things will be back to normal. Even Pegasus couldn&#8217;t survive a reboot!<\/p>\n<p>That&#8217;s what makes the new <em>NoReboot<\/em> vulnerability so interesting \u2014 the attack doesn&#8217;t actually solve the persistence problem, it fakes it by blocking actual reboots and replacing them with fake reboots.<\/p>\n<p>The attack exploits a bug in the iOS shutdown sequence to interrupt and halt the process, and then proceeds to make the phone appear to shut down without actually shutting down. The screen goes blank, calls don&#8217;t come through, and there are no notifications or haptics. It looks and feels to a human like the device is powered down. But it&#8217;s actually running, and the malicious code can keep doing its thing. It can of course also simulate iOS booting up, and then let you continue to use your still malware-infested phone as before. In other words, with this technique in play you can no longer rely on a reboot you triggered yourself having actually happened. You can watch a video demonstration of this in action <a href=\"https:\/\/youtu.be\/g_8JVUVLxTk\">here<\/a> thanks to Marianne in our <a href=\"https:\/\/podfeet.com\/slack\">Slack<\/a>.<\/p>\n<p>Note that this attack can only work as part of a chain. Before malware can make use of this approach to achieve persistence by faking a reboot, malware has to already be running on the system! 
This means that the best defence against attacks like these remains the same \u2014 <strong>keep your devices patched<\/strong> so malware can&#8217;t easily get onto them in the first place!<\/p>\n<p>Also note that Apple are almost certain to fix the vulnerability allowing malware to hijack the shutdown\/reboot event, making this attack impossible, at least without discovering a whole new way to intercept the reboot process.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/noreboot-persistent-malware\/\">\u2018NoReboot\u2019 is an iOS Bug That Can Fake a Shutdown to Trick You \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; T-Mobile USA suffered another data breach, and this time it seems fewer people were affected, but much more seriously \u2014 victims either had their account data leaked, their SIM swapped, or both. The company is refusing to give even the most basic details, like how many users were affected (it will only say it was <em>&#8220;a very small number of customers&#8221;<\/em>), and is not explaining what happened, or how the weakness has been addressed \u2014 <a href=\"https:\/\/www.macobserver.com\/link\/20211229-t-mobile-breach\/\">www.macobserver.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/t-mobile-says-new-data-breach-caused-by-sim-swap-attacks\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li><strong>Editorial by Bart:<\/strong> this refusal to be transparent is a massive red flag IMO; if I were to have been a customer, I would no longer be!<\/li>\n<\/ul>\n<\/li>\n<li><strong>Take Note:<\/strong> there&#8217;s a bug in iOS that causes Messages to intermittently send read receipts even when it&#8217;s configured not to. 
There&#8217;s no clarity yet on the details, but if you depend on read receipts not being sent, stop using Messages until this gets patched! \u2014 <a href=\"https:\/\/www.imore.com\/your-iphone-might-be-sending-imessage-read-receipts-even-when-disabled\">www.imore.com\/\u2026<\/a><\/li>\n<li><strong>Be Aware:<\/strong> there&#8217;s a half-patched bug in iOS that allows any person or app with the rights to add or alter HomeKit devices in a home you are a member of to hard-crash your iOS devices (they&#8217;ll need a full factory reset to recover). The bug is triggered by device names many thousands of characters long. Apple have patched the iOS Home app to stop long names being entered, but have not addressed the underlying bug, so a person with an older version of iOS, or an app using the HomeKit API, can still trigger it. <strong>Until this gets patched, only grant apps and people you trust access to your Home, and only accept access to Homes from people you trust.<\/strong> \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/01\/04\/apple-home-software-bug-could-lock-you-out-of-your-iphone\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/12\/30\/instagram-copyright-infringment-scams-dont-get-sucked-in\/\">Instagram copyright infringement scams \u2013 don\u2019t get sucked in! 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; This year&#8217;s NDAA (National Defense Authorization Act) has been signed into law, and it contains some cybersecurity changes \u2014 <a href=\"https:\/\/www.nextgov.com\/cybersecurity\/2021\/12\/biden-signs-ndaa-relying-voluntary-private-sector-cybersecurity-collaboration\/360217\/\">www.nextgov.com\/\u2026<\/a>\n<ul>\n<li>CISA is mandated to update its incident response plan biennially (every other year) and to work with private and government agencies to build an exercise program to test it<\/li>\n<li>The National Guard is mandated to provide cybersecurity support services for critical infrastructure<\/li>\n<li>A grant program is being established in DHS to foster cybersecurity collaboration between the public and private sectors<\/li>\n<li>Existing collaborations between CISA and the private sector are formalised<\/li>\n<li>Somewhat controversially, the participation of the private sector remains voluntary, even though there were bipartisan calls for mandatory disclosure rules<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/how-to-use-two-factor-authentication-for-your-apple-id-and-icloud-account\/\">How to Use Two-Factor Authentication for Your Apple ID and iCloud Account &#8211; The Mac Security Blog \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>Apple have released a white-paper describing Private Relay in greater detail than they have before \u2014 <a 
href=\"https:\/\/www.apple.com\/privacy\/docs\/iCloud_Private_Relay_Overview_Dec2021.PDF\">www.apple.com\/\u2026<\/a> (PDF)<\/li>\n<li>&#x1f3a7; Ken Ray expertly illuminates the details of Apple&#8217;s new Legacy Contacts feature: <a href=\"https:\/\/overcast.fm\/+HLr7xf6A8\">Checklist 261: Apple and Legacy Contacts \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li>An excellent explainer of the morality of cryptocurrency, and the problems with both <em>proof of work<\/em> and <em>proof of stake<\/em>: <a href=\"https:\/\/www.macobserver.com\/columns-opinions\/editorial\/explaining-mozilla-crypto-donation\/\">Blockchain: Explaining the Negative Backlash Over Mozilla\u2019s Crypto Donation Option \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><strong>Off-topic:<\/strong> A superb explainer on all the complexities of USB: <a href=\"https:\/\/tidbits.com\/2021\/12\/03\/usbefuddled-untangling-the-rats-nest-of-usb-c-standards-and-cables\/\">USBefuddled: Untangling the Rat\u2019s Nest of USB-C Standards and Cables \u2014 tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>An impressive breakdown of the malware that attacked Macs in 2021: <a href=\"https:\/\/objective-see.com\/blog\/blog_0x6B.html\">Objective-See&#8217;s Blog \u2014 objective-see.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Just Because it&#8217;s Cool &#x1f60e;<\/h2>\n<aside class=\"small-aside\">Stories that are not important, that don&#8217;t require you to do anything, and that you don&#8217;t even have to worry about.<\/aside>\n<ul>\n<li>A fun bit of nerdy detective work into a very odd date bug triggered by entering the year 2022: <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/01\/08\/honda-cars-in-flashback-to-2002-cant-get-you-out-of-my-head\/\">Honda cars in flashback to 2002\u00a0\u2013 \u201cCan\u2019t Get You Out Of My Head\u201d \u2014 
nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.ifixit.com\/News\/52903\/iphone-13-pro-and-pro-max-teardown-wallpapers\">iPhone 13 Pro and Pro Max Teardown Wallpapers \u2014 www.ifixit.com\/\u2026<\/a><\/li>\n<li>&#x1f3a6; A free full documentary by the Verge: <a href=\"https:\/\/youtube.com\/watch?v=b9_Vh9h3Ohw&#038;feature=share\">Springboard: the secret history of the first real smartphone \u2014 youtube.com\/\u2026<\/a><\/li>\n<li>&#x1f3a7; Podcast Recommendation: <a href=\"https:\/\/malicious.life\/\">Malicious Life by Cybereason \u2014 malicious.life<\/a><\/li>\n<li>&#x1f3a7; A podcast recommendation from Dave Hay in the NosillaCast Slack community: <a href=\"https:\/\/www.bbc.co.uk\/programmes\/m0012fjk\/episodes\/downloads\">The Hackers \u2014 www.bbc.co.uk\/\u2026<\/a><\/li>\n<li>&#x1f3a7; A podcast recommendation from Allison &#8211; by NosillaCastaway Jill McKinley <a href=\"https:\/\/smallstepspod.com\">Start With Small Things<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is 
affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
Log4Shell (Log4J): Log4Shell-like security hole found in popular Java SQL database engine H2 \u2014 nakedsecurity.sophos.com\/\u2026 &#x1f1fa;&#x1f1f8; FTC threatens \u201clegal action\u201d over unpatched Log4j and other vulns \u2014 nakedsecurity.sophos.com\/\u2026 &#x1f1ec;&#x1f1e7; Meta (n\u00e9 Facebook) have decided [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[1629,4982,5002,50,569,2003],"class_list":["post-25064","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-bug","tag-log4j","tag-noreboot","tag-security","tag-security-bits","tag-vulnerabilities"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/25064","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=25064"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/25064\/revisions"}],"predecessor-version":[{"id":25147,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/25064\/revisions\/25147"}],"wp:featuredme
dia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=25064"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=25064"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=25064"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}