{"id":26092,"date":"2022-05-29T11:49:19","date_gmt":"2022-05-29T18:49:19","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=26092"},"modified":"2022-05-30T09:57:50","modified_gmt":"2022-05-30T16:57:50","slug":"security-bits-29-may-2022","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2022\/05\/security-bits-29-may-2022\/","title":{"rendered":"Security Bits \u2014 29 May 2022"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>The existing Yorkie-Pro GPS tracker finder from Berkeley Varitronics Systems (BVS), which is already used by law enforcement, has received a free firmware update to allow it to find AirTags too \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/advanced-wireless-threat-detector-now-helps-locate-unwanted-nearby-apple-airtags\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; The controversy over the IRS&#8217;s now-abandoned plans to force all online-tax filers to use ID.me to prove their identity has taken another icky turn \u2014 senators are now calling for an investigation after internal whistleblowers let it be known that the company was lying about not using one-to-many facial recognition, current implementations of which are deeply flawed with massive racial and gender biases \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2022\/05\/senators-urge-ftc-to-probe-id-me-over-selfie-data\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; &#x1f1e8;&#x1f1e6; &#x1f1e6;&#x1f1fa; &#x1f1f3;&#x1f1ff; Last time we mentioned that Apple were about to launch the non-controversial parts of the new child protection features for iMessage in the UK. That has now happened, and not just in the UK: Canada, Australia, and New Zealand got the features too \u2014 <a 
href=\"https:\/\/www.macobserver.com\/news\/apple-rolls-out-communication-safety-in-messages-to-the-uk-and-other-countries\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.imore.com\/drivers-maryland-can-now-put-their-license-their-iphones-wallet-app\">Drivers in Maryland can now put their license in their iPhone&#8217;s Wallet app \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>Social Media Developments\n<ul>\n<li>Some context for how difficult these platforms are to police:\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/twitter-ceo-says-it-suspends-over-half-million-spam-accounts-each-day\">Twitter CEO says it suspends over half a million spam accounts each day \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/facebook-removed-16-billion-fake-accounts-just-three-months\">Facebook removed 1.6 billion fake accounts in just three months \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1fa;&#x1f1f8; Twitter agrees a $150M settlement with the FTC (Federal Trade Commission) for misusing email addresses and phone numbers requested for authentication for ad targeting \u2014 <a href=\"https:\/\/www.imore.com\/twitter-pays-150m-make-allegations-privacy-failures-go-away\">www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/twitter-outlines-its-new-crisis-misinformation-policy-deal-fake-news\">Twitter outlines its new crisis misinformation policy to deal with fake news \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/instagram-testing-change-hides-stories-over-sharers\">Instagram is testing a change that hides Stories from over-sharers \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/tiktok-making-it-easier-people-credit-original-creators-videos\">TikTok is making it easier for people to credit original creators in videos \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>Twitter tweaks its monetisation options for 
creators:\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/twitter-launches-exclusive-spaces-super-follows\">Twitter launches exclusive Spaces for Super Followers \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/twitter-media-rebrands-twitter-create\">Twitter Media has rebranded itself as Twitter Create \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>&#x1f9ef; Deep Dive 1 \u2014 Duck Duck Go&#8217;s Browser Tracking Kerfuffle<\/h2>\n<p>A security researcher has found that the Duck Duck Go web browser makes an explicit exception to one of its advanced privacy protections for Microsoft-owned sites.<\/p>\n<p>The context here is very important because the actual scope of this exception is much, much smaller than most people realise:<\/p>\n<ul>\n<li>This <strong>does not affect the Duck Duck Go search engine<\/strong><\/li>\n<li>This <strong>does not affect<\/strong> the Duck Duck Go Browser&#8217;s <strong>3rd-Party Cookie Blocking<\/strong><\/li>\n<li>This <strong>only affects a Duck Duck Go-only advanced feature<\/strong> that stops known tracker JavaScript files from being loaded by the browser<\/li>\n<\/ul>\n<p>So what does that mean? The Duck Duck Go browser never even loads most tracking scripts, so that speeds up web page load times, and it stops your visit to the site showing up in the logs on the server hosting the script. For the Microsoft properties, however, the script is loaded, so the fact that your IP address loaded the script will appear in the server logs <strong>just like it would on every other browser<\/strong>! The script will then run, and try to set a 3rd-party cookie, which the Duck Duck Go browser will then block like it does all 3rd-party cookies!<\/p>\n<p>So this is a teeny tiny leak of a piece of data that is actually very poor at tracking people, and that is also leaked by every other browser. 
In other words, there&#8217;s no real <em>there<\/em> here from a technical POV.<\/p>\n<p>But there is a potential problem from the trust POV \u2014 Duck Duck Go were not up-front about this pretty meaningless exception to their very robust privacy protections.<\/p>\n<p>You might wonder why this even happened, and the answer is that it&#8217;s required by their contract with Microsoft for their anonymous search partnership. It also appears that this contract is at the root of Duck Duck Go&#8217;s lack of up-front disclosure. The contract has a privacy clause that prevents disclosure of all kinds of things, including the existence of the privacy clause, and stuff like the tracking exception.<\/p>\n<p>Now that the news is out, Duck Duck Go are free to ignore that bit of the contract, and their CEO has said that they have been working to re-negotiate that part of the contract for some time and will continue that fight.<\/p>\n<p>This looks a lot worse than it is, but for a company that&#8217;s built on trust, this is a lot more damaging than it would be for known privacy abusers like Meta, Twitter, etc. 
It also makes Microsoft look pretty bad!<\/p>\n<p>What makes all this so stupid is that the most plausible explanation for this whole mess is that the contract pre-dates Duck Duck Go even starting work on their browser, so this was a small irrelevant clause that didn&#8217;t have any effect at all when it was included in the presumably massive document.<\/p>\n<p>Microsoft should have dropped the clause when asked, then none of this would have happened \u2014 a frustrating missed opportunity to do the right thing &#x1f641;<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/duckduckgo-browser-allows-microsoft-trackers-due-to-search-agreement\/\">DuckDuckGo browser allows Microsoft trackers due to search agreement \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>&#x1f3a7; An excellent discussion of the situation: <a href=\"https:\/\/overcast.fm\/+BbbAnzSRM\/03:55\">DTNS 4283  \u2014 overcast.fm\/\u2026<\/a> (time-stamped to the start of the relevant section)<\/li>\n<\/ul>\n<h2>&#x1f9ef; Deep Dive 2 \u2014 Security Researchers Find a Way to Run Malware on iOS Devices Even When they&#8217;re &#8216;Off&#8217;<\/h2>\n<p><strong>TL;DR<\/strong> The headline sounds pretty scary, but at least for now, this is an interesting new area for research rather than a practical way of attacking devices.<\/p>\n<p>Since iOS 15, iPhones have had the ability to do certain things even when they&#8217;re &#8220;off&#8221;. This is what makes it possible for an iPhone to be a reliable car key, a reliable transit ticket, and to be reliably findable on the FindMy network. This is achieved by keeping a small number of low-level chips powered on even when the phone itself is off. 
Those chips have firmware, and if you can inject malware into that firmware then it can run all the time, even when the phone is &#8220;off&#8221;.<\/p>\n<p>Researchers have found that this firmware is not as well secured as it could (and should) be, and they have demonstrated an actual attack, but it requires either physical access in a lab, or jailbreaking the phone.<\/p>\n<p>Bruce Schneier sums it up well:<\/p>\n<blockquote><p>\n  <em>&#8220;The research is fascinating, but the attack isn\u2019t really feasible. It requires a jailbroken phone, which is hard to pull off in an adversarial setting.&#8221;<\/em> (<a href=\"https:\/\/www.schneier.com\/blog\/archives\/2022\/05\/iphone-malware-that-operates-even-when-the-phone-is-turned-off.html\">www.schneier.com\/\u2026<\/a>)\n<\/p><\/blockquote>\n<p>Apple now have an opportunity to harden the firmware&#8217;s defences in future iPhones, hopefully before someone finds a way of injecting malware via some kind of remote attack (which is very non-trivial!).<\/p>\n<p>Read more: <a href=\"https:\/\/www.macobserver.com\/news\/method-found-to-run-malware-on-iphone-even-when-its-turned-off\/\">www.macobserver.com\/\u2026<\/a><\/p>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Apple patches just about everything \u2014 <a href=\"https:\/\/tidbits.com\/watchlist\/macos-big-sur-11-66-and-security-update-2022-004-catalina\/\">tidbits.com\/\u2026<\/a> &amp; <a href=\"https:\/\/tidbits.com\/2022\/05\/16\/apple-releases-ios-15-5-ipados-15-5-macos-12-4-watchos-8-6-tvos-15-5-and-homepod-software-15-5\/\"> tidbits.com\/\u2026<\/a>\n<ul>\n<li>&#x2757; <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/05\/17\/apple-patches-zero-day-kernel-hole-and-much-more-update-now\/\">Apple patches zero-day kernel hole and much more \u2013 update now! 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Apple also released a security update for iTunes on Windows \u2014 <a href=\"https:\/\/www.imore.com\/apple-releases-itunes-12124-windows\">www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/05\/21\/mozilla-patches-wednesdays-pwn2own-double-exploit-on-friday\/\">Mozilla patches Wednesday\u2019s Pwn2Own double-exploit\u2026 on Friday! \u2014 nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li><strong>Editorial by Bart:<\/strong> A great example of how well-run software teams deal with bug reports!<\/li>\n<\/ul>\n<\/li>\n<li>VMware have patched two particularly nasty bugs in their very popular virtualisation platform. If you run VMware in your business, be sure to patch ASAP. The US government have mandated the patch be applied immediately on all government networks! \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/05\/20\/us-government-says-patch-vmware-right-now-or-get-off-our-network\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>If you work for Verizon, some of your data, including your contact details, have been stolen by attackers, so you&#8217;re at risk of spearphishing attacks: <a href=\"https:\/\/www.theverge.com\/2022\/5\/27\/23144418\/hacker-verizon-employee-database\">A Verizon employee database was stolen by a hacker, now held for ransom \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>The privacy-focused Brave browser for iOS has been updated with a new privacy hub \u2014 <a href=\"https:\/\/www.imore.com\/brave-browsers-new-privacy-hub-shows-which-websites-are-trying-track-you-and-how\">www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; The DOJ has announced that it will stop using the problematic 
Computer Fraud &amp; Abuse Act (CFAA) against <em>good-faith<\/em> security researchers \u2014 <a href=\"https:\/\/techcrunch.com\/2022\/05\/19\/justice-department-good-fatih-hackers-cfaa\/\">techcrunch.com\/\u2026<\/a>\n<ul>\n<li><strong>Editorial by Bart:<\/strong> This is literally the bare minimum they could do, and it does little more than spin an acceptance of last year&#8217;s Supreme Court decision greatly limiting the law&#8217;s vague and hence overly broad scope as some kind of wonderful initiative by the DOJ. This also doesn&#8217;t address the core problem \u2014 the CFAA is a terrible law that makes the world less safe and has been abused to ruin lives.<\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1ec;&#x1f1e7; The Information Commissioner&#8217;s Office (ICO) have announced the final details of their judgment against Clearview AI \u2014 the company must stop including UK citizens in its DB, delete any existing data on UK citizens, and pay a \u00a37.5M fine (a lot less than the previously promised \u00a317M!) 
\u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/05\/23\/clearview-ai-face-matching-service-fined-a-lot-less-than-expected\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><strong>A good news story from Allison:<\/strong> the EFF are retiring their HTTPS-Everywhere browser plugin because it&#8217;s not needed anymore: browsers now have this functionality baked in \u2014 <a href=\"https:\/\/www.eff.org\/deeplinks\/2021\/09\/https-actually-everywhere\">www.eff.org\/\u2026<\/a> (<strong>Editorial by Bart:<\/strong> my annual donation at work changing the world for the better &#x1f642;)<\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>The Irish Council for Civil Liberties has released a detailed report into how Google and others (but not Facebook or Amazon for some reason &#x1f928;) operate their <em>Real-Time Bidding<\/em> system for selling ads \u2014 they are very critical of the way the system is operated, describing it as <em>&#8216;a massive privacy breach&#8217;<\/em> \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/civil-liberties-group-warns-of-global-privacy-breach-google-largest-offender\/\">www.macobserver.com\/\u2026<\/a>\n<ul>\n<li><em>&#8220;Google and other key players in the high velocity, surveillance-based ad auction system are processing and passing people\u2019s data billions of times per day&#8221;<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Allison &amp; Bart:<\/strong> <a href=\"https:\/\/www.scanofthemonth.com\/scans\/ipod-evolution\">Go inside the iPod with stunning CT scans and creator Tony Fadell \u2014 www.scanofthemonth.com\/\u2026<\/a><\/li>\n<li>&#x1f3a7; <strong>From Bart:<\/strong> I&#8217;ve mentioned Bruce Schneier a lot in recent weeks, so I 
wanted to share this fantastic recent interview: <a href=\"https:\/\/overcast.fm\/+HZUcR07eY\">The Changelog: Software Development, Open Source \u2014 overcast.fm\/\u2026<\/a> (I particularly enjoyed the section on cryptocurrency (&amp; NFTs, etc) near the start \u2014 Bruce makes the case that it doesn&#8217;t add value and doesn&#8217;t actually do what it promises)<\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. The existing Yorkie-Pro GPS tracker finder from Berkeley Varitronics Systems (BVS) which is already used by law enforcement has received a free firmware update to allow it find AirTags too \u2014 www.macobserver.com\/\u2026 &#x1f1fa;&#x1f1f8; The [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[],"class_list":["post-26092","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/26092","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"em
beddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=26092"}],"version-history":[{"count":1,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/26092\/revisions"}],"predecessor-version":[{"id":26093,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/26092\/revisions\/26093"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=26092"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=26092"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=26092"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}