{"id":25334,"date":"2022-02-20T10:37:23","date_gmt":"2022-02-20T18:37:23","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=25334"},"modified":"2022-02-20T10:37:23","modified_gmt":"2022-02-20T18:37:23","slug":"sb-2022-02-20","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2022\/02\/sb-2022-02-20\/","title":{"rendered":"Security Bits \u2014 20 Feb 2022"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; An update on a story Allison referenced last time: <a href=\"https:\/\/arstechnica.com\/tech-policy\/2022\/02\/missouri-governor-rebuffed-journalist-wont-be-prosecuted-for-viewing-html\/\">Missouri governor rebuffed: Journalist won\u2019t be prosecuted for viewing HTML \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<li>&#x1f1ee;&#x1f1f1; <strong>The NSO Group\/Pegasus Saga:<\/strong> The Israeli government has opened an investigation to see if it was targeted by Pegasus \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/israel-pegasus-own-country\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/krebsonsecurity.com\/2022\/02\/irs-to-ditch-biometric-requirement-for-online-access\/\">IRS To Ditch Biometric Requirement for Online Access \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Social Media Developments\n<ul>\n<li>Signal provide a mechanism for changing the cellphone number your account is tied to \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/change-signal-number\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/instagram-has-rolled-two-vital-features-out-everyone-after-limited-availability\">Instagram has rolled two vital features out to everyone after limited availability \u2014 www.imore.com\/\u2026<\/a> (<em>Security 
Checkup<\/em> &amp; <em>Your Activity<\/em>)<\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/snapchat-buddy-system-safety\/\">Snapchat Launches Location Sharing Buddy System for Safety \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.theverge.com\/2022\/2\/14\/22927656\/snapchat-snap-stars-stories-ads\">Snapchat will put ads within stories and share the money with creators \u2014 www.theverge.com\/\u2026<\/a> (being tested with a small group of US &#x1f1fa;&#x1f1f8; creators for now)<\/li>\n<li>&#x1f1fa;&#x1f1f8; &#x1f1ec;&#x1f1e7; &#x1f1e8;&#x1f1e6; &#x1f1e6;&#x1f1fa; &#x1f1f3;&#x1f1ff; &#x1f1ee;&#x1f1ea; Twitter is expanding its beta of <em>Safety Mode<\/em> to 50% of users in the US, UK, Canada, New Zealand, Australia &amp; Ireland &#x1f600; \u2014 <a href=\"https:\/\/www.imore.com\/twitter-expanding-rollout-one-its-best-new-features\">www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/news\/texas-meta-facial-recognition\/\">Texas Sues Meta Over Facebook Facial Recognition \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1ea;&#x1f1fa; <a href=\"https:\/\/9to5mac.com\/2022\/02\/07\/meta-pull-facebook-instagram-from-europe\/\">Meta threatens to pull Instagram and Facebook in Europe over privacy laws, regulators say \u2018please do\u2019 \u2014 9to5mac.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>App Tracking Transparency Fallout: <a href=\"https:\/\/www.imore.com\/twitter-profit-falls-company-dodges-impact-ios-14-privacy-changes\">Twitter profit falls but company dodges impact of iOS 14 privacy changes \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 1 \u2014 Apple AirTag Developments<\/h2>\n<p>Apple has released plans for improving their abuse protections on AirTags. There&#8217;s a mix of short-term and longer-term changes.<\/p>\n<p>The simplest change will be a new privacy warning when setting up an AirTag. 
The warning tells users not to abuse the trackers, and that Apple know who each tracker belongs to, and will pass that information on to law enforcement when presented with an appropriate warrant. This isn&#8217;t a change in policy; Apple are simply highlighting their existing procedures.<\/p>\n<p>As well as adding the warning, Apple are also updating their documentation to give users more information.<\/p>\n<p>At the moment the alerts you get on your phone when a FindMy device that&#8217;s not yours is moving with you don&#8217;t give any details of what the device is, and in some cases, this is causing confusion because modern AirPods are FindMy items too, as are some trackers made by other manufacturers. The warnings will be updated to be more specific.<\/p>\n<p>In the longer term, Apple are going to enable precision finding on trackers that are following you, tweak the warning sound to make it easier to hear, and sync the sound with the phone alerts so they happen together. Finally, Apple are going to continue to improve the algorithm for detecting suspicious movement and alert users more quickly when possible.<\/p>\n<p>Meanwhile, the New York Attorney General has released a very well-written warning about the dangers of AirTag abuse, as well as some good advice for how people can protect themselves.<\/p>\n<p>A point I&#8217;ve been making all along is that AirTags did not cause tracker abuse; it was happening before AirTags, and would continue even if AirTags were to vanish tomorrow, and that the reason we hear so much about AirTag tracking is that Apple added more and better protection than everyone else, and it works, so victims of AirTag abuse know about it, while victims tracked with other devices don&#8217;t.<\/p>\n<p>To underline this point, the New York Times did an excellent piece where tech journalist Kashmir Hill used an AirTag, a Tile, and a GPS tracker to track her partner (with his permission), to test both their effectiveness and their protections. 
The bottom line is pretty clear: everyone else&#8217;s protections are &#8216;way worse&#8217; than Apple&#8217;s.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>Apple&#8217;s press release \u2014 <a href=\"https:\/\/www.apple.com\/newsroom\/2022\/02\/an-update-on-airtag-and-unwanted-tracking\/\">www.apple.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/product-news\/apple-fight-airtag-stalking\/\">Here\u2019s How Apple Will Work to Fight AirTag Stalking \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/stunning-test-reveals-privacy-dangers-other-trackers-way-worse-airtags\">Stunning test reveals privacy dangers of other trackers &#8216;way worse&#8217; than AirTags \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/news\/new-york-ag-airtag\/\">New York Attorney General Warns of Malicious AirTag Tracking \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.imore.com\/pennsylvania-man-arrested-over-airtag-stalking-following-anti-stalking-alert\">Pennsylvania man arrested over AirTag stalking thanks to iOS alert \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 2 \u2014 Google&#8217;s <em>Android Privacy Sandbox<\/em> (non)Announcement<\/h2>\n<p>Google released a statement describing some vague possible privacy improvements in the future, but giving no detail, and promising not to block anything advertisers can do today for at least the next 2 years. 
The spin Google are trying to put on this is that they are doing something as good as Apple&#8217;s App Tracking Transparency, but without hurting advertisers.<\/p>\n<p>In terms of actual technology, they do mention their new Topics API, and a new similar FLEDGE API for tracking users across apps and then grouping them into custom audiences for advertisers.<\/p>\n<p>The big thing they&#8217;re promising is an opt-in sandboxed API ad networks could choose to use to limit what their ad code can do when embedded in apps.<\/p>\n<p>Ron Amadeo&#8217;s excellent critique at Ars Technica really gets to the heart of this announcement in its conclusion:<\/p>\n<blockquote><p>\n  Since Google is not making any privacy changes mandatory, it is basically asking advertising companies to voluntarily stop collecting data on users. If advertisers wanted to do that, they could make that change today.\n<\/p><\/blockquote>\n<h3>Links<\/h3>\n<ul>\n<li>Google&#8217;s Announcement: <a href=\"https:\/\/www.blog.google\/products\/android\/introducing-privacy-sandbox-android\/\">Introducing the Privacy Sandbox on Android \u2014 www.blog.google\/\u2026<\/a><\/li>\n<li>Ron Amadeo&#8217;s Critique: <a href=\"https:\/\/arstechnica.com\/gadgets\/2022\/02\/androids-toothless-privacy-sandbox-fails-to-answer-ios-tracking-limits\/\">Android\u2019s toothless \u201cPrivacy Sandbox\u201d fails to answer iOS tracking limits \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 3 \u2014 &#x1f9ef; That T2 Hack<\/h2>\n<p>Details are sparse, but a <em>grey hat<\/em> hacking company is now offering a solution for brute-force cracking full disk encryption on Macs with a T2 hardware security chip.<\/p>\n<p>One of the T2&#8217;s most important functions is to protect the encryption key for full-disk encryption on Macs with hardware protections preventing its extraction, and limiting the speed of guesses, making even a brute-force attack impossible.<\/p>\n<p>We don&#8217;t know the 
details, but what Passware have found is a way to bypass the rate-limiting on guesses. Their password cracking solution can now make 15 guesses a second on Macs with a T2 chip.<\/p>\n<p>This means a strong password will still take millennia to crack, but a commonly used and weak password can be guessed in less than a day.<\/p>\n<p>Physical access is needed to perform these kinds of attacks, so this is not something most of us have to worry about, and, even with physical access, a strong password still provides excellent protection. So, no need to panic, just use a strong password for your Mac.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/9to5mac.com\/2022\/02\/17\/t2-mac-security-vulnerability-passware\/\">T2 Mac security vulnerability means passwords can now be cracked \u2014 9to5mac.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>&#x203c;&#xfe0f;A very important security update from Apple fixing a WebKit vulnerability being actively exploited: <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/02\/11\/apple-zero-day-drama-for-macs-iphones-and-ipads-patch-now\/\">Apple zero-day drama for Macs, iPhones and iPads \u2013 patch now! \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x203c;&#xfe0f;<a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/02\/15\/google-announces-zero-day-in-chrome-browser-update-now\/\">Google announces zero-day in Chrome browser \u2013 update now! 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-releases-mystery-security-updates-for-macos-big-sur-catalina\/\">Apple releases mystery security updates for macOS Big Sur, Catalina \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2022\/02\/microsoft-patch-tuesday-february-2022-edition\/\">Microsoft Patch Tuesday, February 2022 Edition \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/02\/14\/adobe-fixes-zero-day-exploit-in-e-commerce-code-update-now\/\">Adobe fixes zero-day exploit in e-commerce code: update now! \u2014 nakedsecurity.sophos.com\/\u2026<\/a> (the very popular open source Magento e-commerce tool &amp; its paid variant <em>Adobe Commerce<\/em>)<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/02\/18\/irony-alert-php-fixes-security-flaw-in-input-validation-code\/\">Irony alert! PHP fixes security flaw in input validation code \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/zoom-still-using-mac-microphone-outside-calls-despite-fix-claim-users\">Zoom still using Mac microphone outside of calls despite fix, claim users \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/appointment-booker-flexbooker-suffers-second-data-leak\/\">Appointment Booker \u2018FlexBooker\u2019 Suffers Second Data Leak \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/givesendgo-data-breach\/\">GiveSendGo Data Breach Affects Donors of \u2018Freedom Convoy\u2019 \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Microsoft adjusts the 
convenience\/risk posture of some of its own tools:\n<ul>\n<li>Microsoft have disabled the MSIX protocol, which could be used to install apps directly from the web, and which was being actively abused in malware campaigns \u2014 <a href=\"https:\/\/www.zdnet.com\/article\/microsoft-weve-switched-off-this-critical-msix-protocol-handler-but-were-working-to-bring-it-back\/\">www.zdnet.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/02\/07\/microsoft-blocks-web-installation-of-its-own-app-installer-files\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/02\/08\/at-last-office-macros-from-the-internet-to-be-blocked-by-default\/\">At last! Office macros from the internet to be blocked by default \u2014 nakedsecurity.sophos.com\/\u2026<\/a> (Microsoft&#8217;s announcement: <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-365-blog\/helping-users-stay-safe-blocking-internet-macros-by-default-in\/ba-p\/3071805\">techcommunity.microsoft.com\/\u2026<\/a>)<\/li>\n<\/ul>\n<\/li>\n<li>A more human-friendly way to get a patched OS on old hardware: <a href=\"https:\/\/www.imore.com\/google-brings-chrome-os-mac-new-chrome-os-flex\">Google brings Chrome OS to Mac with new Chrome OS Flex \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/news\/cia-collects-american-data\/\">Senators Reveal CIA Program That Collects American Data \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; California lawmakers have introduced a bill that would impose a code of conduct on tech companies limiting the data they can collect on children \u2014 <a href=\"https:\/\/arstechnica.com\/?p=1834756\">arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>A good explanation of the <em>Zero Trust<\/em> security 
model that I&#8217;ve mentioned a few times in recent episodes: <a href=\"https:\/\/er.educause.edu\/articles\/2022\/2\/zero-trust-architecture-rethinking-cybersecurity-for-changing-environments\">Zero Trust Architecture: Rethinking Cybersecurity for Changing Environments \u2014 er.educause.edu\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>&#x1f3a7; An excellent description of a very likely future where our devices can give us real security without the inconvenience of Face ID or Touch ID: <a href=\"https:\/\/overcast.fm\/+dmRs6UQQ0\">Rene Ritchie: How Apple DESTROYS Face ID \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Just Because it&#8217;s Cool &#x1f60e;<\/h2>\n<aside class=\"small-aside\">Stories that are not important, that don&#8217;t require you to do anything, and that you don&#8217;t even have to worry about.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; CISA have published a big list of free cyber security tools &amp; services: <a href=\"https:\/\/www.cisa.gov\/free-cybersecurity-services-and-tools\">www.cisa.gov\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>&#x1f3a6; Another dose of physics fun from Allison&#8217;s TikTok feed: <a href=\"https:\/\/www.tiktok.com\/@cas3yart\/video\/7063295683163622703?is_from_webapp=1&#038;sender_device=pc&#038;web_id6965127149104268806\">www.tiktok.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td 
align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
&#x1f1fa;&#x1f1f8; An update on a story Allison referenced last time: Missouri governor rebuffed: Journalist won\u2019t be prosecuted for viewing HTML \u2014 arstechnica.com\/\u2026 &#x1f1ee;&#x1f1f1; The NSO Group\/Pegasus Saga: The Israeli government has opened an investigation [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4570,515,1359,170,3545,3546,114,5078,50,569,2862],"class_list":["post-25334","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-airtags","tag-android","tag-google","tag-hack","tag-opt-in","tag-opt-out","tag-privacy","tag-sandbox","tag-security","tag-security-bits","tag-t2-chip"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/25334","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=25334"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/25334\/revisions"}],"predecessor-version":[{"id":25337,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/
25334\/revisions\/25337"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=25334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=25334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=25334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}