{"id":26563,"date":"2022-08-14T14:02:49","date_gmt":"2022-08-14T21:02:49","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=26563"},"modified":"2022-08-15T15:39:16","modified_gmt":"2022-08-15T22:39:16","slug":"security-bits-14-august-2022","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2022\/08\/security-bits-14-august-2022\/","title":{"rendered":"Security Bits \u2014 14 August 2022"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; A graphic illustration of how real the danger of tech company subpoenas is in a post-Roe America: <a href=\"https:\/\/www.vice.com\/en\/article\/n7zevd\/this-is-the-data-facebook-gave-police-to-prosecute-a-teenager-for-abortion\">This Is the Data Facebook Gave Police to Prosecute a Teenager for Abortion \u2014 www.vice.com\/\u2026<\/a> (Facebook had private messages to hand over because while Messenger <strong>can<\/strong> do end-to-end encryption, it doesn&#8217;t do it by default!)\n<ul>\n<li><strong>Related Advice:<\/strong> <a href=\"https:\/\/www.cultofmac.com\/782206\/data-privacy-roe-v-wade\/\">How to keep your data private after Roe v. Wade reversal \u2014 www.cultofmac.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Two timely AirTag reminders\n<ol>\n<li>Apple explicitly advertise AirTags as being for recovering <strong>lost<\/strong> items; they are absolutely positively not intended to track <strong>stolen<\/strong> items (otherwise they wouldn&#8217;t make noise to attract attention to themselves for a start!). 
Not only are they designed to reveal themselves to thieves, but if you find the thief quickly enough to avoid that, you could also get badly hurt, so <strong>don&#8217;t use AirTags to track down thieves yourself<\/strong>: <a href=\"https:\/\/appleinsider.com\/articles\/22\/08\/03\/robbery-victim-tracks-thief-with-airtag-gets-broken-nose\">Robbery victim tracks thief with AirTag, gets broken nose \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>Don&#8217;t ignore AirTag warnings, and notice that Apple&#8217;s safeguards are working: <a href=\"https:\/\/appleinsider.com\/articles\/22\/08\/11\/man-jailed-for-stalking-ex-girlfriend-with-an-airtag\">Man jailed for stalking ex-girlfriend with an AirTag \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ol>\n<\/li>\n<li>Leaked screenshots reveal Pegasus spyware features, including reading WhatsApp messages, activating a phone&#8217;s microphone, and recording incoming or outgoing calls \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/08\/05\/rare-pegasus-screenshots-depict-nso-groups-spyware-capabilities\">appleinsider.com\/\u2026<\/a><\/li>\n<li>&#x1f1eb;&#x1f1f7; Three large French publishers join the chorus of misguided lawsuits claiming that requiring apps to ask for permission to track (Apple&#8217;s App Tracking Transparency) is anti-competitive \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/french-publishers-seek-injunction-against-apples-app-tracking-transparency-policies\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>Apple followed through on their promise to clean up their app store and remove abandoned apps: <a href=\"https:\/\/appleinsider.com\/articles\/22\/08\/03\/apple-pulled-a-record-439k-apps-in-q2-including-abandonware\">Apple pulled a record 439K apps in Q2, including abandonware \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>Yet another attempted software supply-chain attack, but it was very quickly cleaned up by Microsoft: <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2022\/08\/04\/github-blighted-by-researcher-who-created-thousands-of-malicious-projects\/\">GitHub blighted by \u201cresearcher\u201d who created thousands of malicious projects \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 1 \u2014 Malware in the Mac App Store<\/h2>\n<p>News broke this week that threat actors managed to sneak malware into Mac AppStore apps using a kind of time-bomb feature where the apps were benign until after they were reviewed, and then they changed their behaviour to become malicious. All the apps affected offered real functionality (otherwise they&#8217;d not have made it through review), but then they developed some nasty side effects. It&#8217;s not clear how this is possible, but statements from Apple imply that the apps completely changed functionality after passing review. I don&#8217;t quite understand how that would work, but I sure hope Apple figure out how to nip that behaviour in the bud!<\/p>\n<p>The most high-profile app was one for managing Facebook ad buys, which hijacked Facebook accounts so the attackers could run their ads on the victim&#8217;s dime. According to Apple this app was originally a document manager and passed review as such, but then transformed into an app for managing Facebook ads, and managed to become very highly rated as such on the Mac AppStore.<\/p>\n<p>This suggests to me that app updates don&#8217;t get sanity checked by a human anymore; otherwise, you&#8217;d imagine the reviewer would notice the dramatic pivot and send the app off for deeper review again. That&#8217;s just a guess though.<\/p>\n<p>Another researcher, Alex Kleber, reported finding seven malicious apps which had used this morphing technique to bypass the review process. Again, these apps offered legitimate functionality (mostly PDF &amp; Word related), but accepted commands from remote servers and tried to trick users into paying for expensive subscriptions. 
The research was vouched for by Patrick Wardle, so it seems legitimate. These apps had a lot of downloads, so this was not a niche problem. You&#8217;ll find the list of apps in the Medium post linked below.<\/p>\n<p>Perhaps the most worrying thing about all of this is that Facebook say they notified Apple about the malicious ad manager in mid-July, but Apple did not act until asked for comment by Business Insider last week. It seems the bad guys have found a weakness in Apple&#8217;s process, and they&#8217;re actively exploiting it. The best we can hope for is that Apple close the loophole down ASAP!<\/p>\n<p>Assuming Apple are able to adjust their process, it&#8217;s important not to lose sight of the fact that even with these 8 malicious apps making it into the store, Apple&#8217;s walled garden remains a <strong>lot<\/strong> safer than the general internet!<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/apple-removes-facebook-ad-account-hijacking-scam-app\/\">Apple Removes App That Could Hijack Facebook Ad Accounts \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/fraudulent-chinese-apps-elude-apples-strict-mac-app-store-review-process\/\">Fraudulent Chinese Apps Elude Apple\u2019s Strict Mac App Store Review Process \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/privacyis1st.medium.com\/abuse-of-the-mac-appstore-investigation-6151114bb10e\">Investigation report about the abuse of the Mac Appstore \u2014 privacyis1st.medium.com\/\u2026<\/a> (lists the 7 apps found)<\/li>\n<\/ul>\n<h2>Deep Dive 2 \u2014 The <em>Traffic Light Protocol<\/em> Gets an Update<\/h2>\n<p>If you work in IT in any organisation that has relationships with other organisations (i.e. if you work in just about any organisation), there will be times when sensitive information needs to be shared about some kind of cybersecurity risk or incident. 
In these kinds of situations, it&#8217;s important that everyone knows how widely that information should be shared. Each organisation could develop its own rules, but that would result in chaos, especially when messages need to go between organisations, so FIRST (the <a href=\"https:\/\/www.first.org\/about\/\">Forum of Incident Response and Security Teams<\/a>) have developed a very simple standard that&#8217;s very widely used \u2014 <a href=\"https:\/\/www.first.org\/tlp\/\">the Traffic Light Protocol<\/a>, or TLP. That protocol just moved from version 1 to version 2, so now seems like a good time to share this important piece of knowledge with the community.<\/p>\n<p>Firstly, you&#8217;ll recognise emails as being under the Traffic Light Protocol because their subjects will be prefixed with <code>TLP<\/code> and a colour. As of now, there are five <em>colours<\/em> (stretching the definition a little!):<\/p>\n<ol>\n<li><strong>TLP: CLEAR<\/strong> (formerly <strong>TLP: WHITE<\/strong>) \u2014 the information can be freely shared, even publicly<\/li>\n<li><strong>TLP: GREEN<\/strong> \u2014 the information can be shared freely within the cyber security community, but not publicly (you can&#8217;t Tweet or blog about it!)<\/li>\n<li><strong>TLP: AMBER<\/strong> \u2014 the information can only be shared within your organisation, including with contractors\/vendors\/customers<\/li>\n<li><strong>TLP: AMBER+STRICT<\/strong> (new) \u2014 the information can only be shared within your organisation, not including contractors\/vendors\/customers<\/li>\n<li><strong>TLP: RED<\/strong> \u2014 the information can only be shared between explicitly specified recipients.<\/li>\n<\/ol>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/08\/05\/traffic-light-protocol-for-cybersecurity-responders-gets-a-revamp\/\">Traffic Light Protocol for cybersecurity responders gets a revamp \u2014 
nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Last Tuesday was Patch Tuesday, and there were important updates from Microsoft \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2022\/08\/microsoft-patch-tuesday-august-2022-edition\/\">krebsonsecurity.com\/\u2026<\/a> (The worst of the bugs affects self-hosted Exchange servers, but everyone should patch their systems ASAP)<\/li>\n<li><a href=\"https:\/\/www.theverge.com\/2022\/8\/12\/23303411\/zoom-defcon-root-access-privilege-escalation-hack-patrick-wardle\">The Zoom installer let a researcher hack his way to root access on macOS \u2014 www.theverge.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/08\/14\/zoom-updates-macos-app-to-patch-root-access-exploit\">Zoom updates macOS app to patch root access exploit<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/in-app-browsers-used-by-companies-like-instagram-and-facebook-are-massive-privacy-risk-warns-developer\/\">In-App Browsers Used by Companies Like Instagram and Facebook Are Massive Privacy Risk Warns Developer \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/08\/08\/the-email-from-slack-to-reset-passwords-is-legit\">The email from Slack to reset passwords is legit \u2014 appleinsider.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/08\/08\/slack-admits-to-leaking-hashed-passwords-for-three-months\/\">Slack admits to leaking hashed passwords for five years \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Beware of this new tactic being 
deployed by iPhone thieves to try to trick victims into removing activation lock: <a href=\"https:\/\/appleinsider.com\/inside\/iphone\/tips\/do-not-remove-icloud-lock-from-a-stolen-iphone-because-a-thief-asks-you-to\">Do not remove iCloud Lock from a stolen iPhone, because a thief asks you to \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Proof that the long drawn-out NIST process is working as intended, with candidates getting well tested before the standard gets finalised: <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/08\/03\/post-quantum-cryptography-new-algorithm-gone-in-60-minutes\/\">Post-quantum cryptography \u2013 new algorithm \u201cgone in 60 minutes\u201d \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Security researchers have found a bug they&#8217;ve named <em>\u00c6PIC<\/em> which can leak the data in Intel&#8217;s secure-enclave-like SGX feature. This is potentially a big problem in the corporate world, but it&#8217;s not likely to affect home users \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/08\/10\/apic-epic-intel-chips-leak-secrets-even-the-kernel-shouldnt-see\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1e6;&#x1f1fa; <a href=\"https:\/\/appleinsider.com\/articles\/22\/08\/12\/australia-fines-google-40-million-over-location-tracking-on-android\">Australia fines Google $40 million over location tracking on Android \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; The US Federal Election Commission has approved a proposal from Google that will allow political campaigns in the US to bypass the Gmail spam filter \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/you-could-see-more-political-campaign-emails-in-your-gmail-inbox\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/appleinsider.com\/articles\/22\/08\/11\/ftc-will-begin-exploring-new-regulations-on-data-privacy-corporate-surveillance\">FTC will begin 
exploring new regulations on data privacy, corporate surveillance \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-216a\">2021 Top Malware Strains \u2014 www.cisa.gov\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/pxlnv.com\/blog\/ad-tech-revenue-statements-app-tracking-transparency\/\">Ad Tech Revenue Statements Indicate Unclear Effects of App Tracking Transparency \u2014 pxlnv.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/08\/08\/with-irobot-acquisition-amazon-wants-to-scan-every-inch-of-your-home\">With iRobot acquisition, Amazon wants to scan every inch of your home \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Just Because it&#8217;s Cool &#x1f60e;<\/h2>\n<aside class=\"small-aside\">Stories that are not important, that don&#8217;t require you to do anything, and that you don&#8217;t even have to worry about.<\/aside>\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/08\/10\/how-an-iphone-battery-works-and-how-to-manage-its-health\">How an iPhone battery works and how to manage its health \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>&#x1f3a6; <a href=\"https:\/\/youtu.be\/qD6bPNZRRbQ\">CGP Grey Video: &#8220;The Simple Secret of Runway Digits&#8221; \u2014 youtu.be\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th 
align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
&#x1f1fa;&#x1f1f8; A graphic illustration of how real the danger of tech company subpoenas is in a post-Roe America: This Is the Data Facebook Gave Police to Prosecute a Teenager for Abortion \u2014 www.vice.com\/\u2026 (Facebook [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,1,214],"tags":[],"class_list":["post-26563","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-podcasts","category-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/26563","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=26563"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/26563\/revisions"}],"predecessor-version":[{"id":26588,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/26563\/revisions\/26588"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=26563"
}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=26563"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=26563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}