{"id":26746,"date":"2022-09-11T11:49:24","date_gmt":"2022-09-11T18:49:24","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=26746"},"modified":"2022-09-11T13:34:25","modified_gmt":"2022-09-11T20:34:25","slug":"sb-2022-09-09","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2022\/09\/sb-2022-09-09\/","title":{"rendered":"Security Bits \u2014 11 September 2022"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.cultofmac.com\/789593\/twitter-begins-testing-long-awaited-edit-button\/\">Twitter begins testing long-awaited edit button \u2014 www.cultofmac.com\/\u2026<\/a><\/li>\n<li>Formal confirmation of unconfirmed reports from The Intercept a few months ago: <a href=\"https:\/\/appleinsider.com\/articles\/22\/09\/07\/facebook-engineers-have-no-idea-what-happens-with-user-data\">Facebook engineers have no idea what happens with user data \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive(s)<\/h2>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li>Apple released iOS 12.5.6 to protect older iPhones from an actively exploited zero-day vulnerability \u2014 <a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-releases-ios-12-5-6-for-old-iphone-ipad-ipod-touch-models-to-fix-actively-exploited-vulnerability\/\">www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/09\/05\/chrome-fixes-zero-day-security-hole-reported-anonymously-update-now\/\">Chrome and Edge fix zero-day security hole \u2013 update now! 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/09\/02\/samsung-hack-in-july-2022-led-to-customer-data-theft\">Samsung hack in July 2022 led to customer data theft \u2014 appleinsider.com\/\u2026<\/a> (no social security numbers or payment details, so the biggest danger seems to be targeted phishing that includes correct device information)<\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/news\/ftc-files-suit-against-data-broker-kochava-for-selling-sensitive-location-tracking-information\/\">FTC Files Suit Against Data Broker Kochava for Selling Sensitive Location Tracking Information \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li><a href=\"https:\/\/tidbits.com\/2022\/09\/02\/macoss-new-xprotect-now-regularly-scans-for-malware\/\">macOS\u2019s New XProtect Remediator Now Regularly Scans for Malware \u2014 tidbits.com\/\u2026<\/a> (the new component is named <em>XProtect Remediator<\/em>)<\/li>\n<li>&#x1f9ef; LastPass suffered a breach, but because their system is well architected so that they <strong>can&#8217;t<\/strong> see the passwords people store, the attackers couldn&#8217;t either, though they were able to steal a copy of the source code (but not edit the published version) \u2014 <a href=\"https:\/\/blog.lastpass.com\/2022\/08\/notice-of-recent-security-incident\/\">blog.lastpass.com\/\u2026<\/a>\n<ul>\n<li><strong>Editorial by Bart:<\/strong> I&#8217;ve been asked by a few LastPass users if they should switch, and my answer was simple: <em>&#8220;only if you already wanted to leave for other reasons&#8221;<\/em>. 
My thinking lines up well with the guys at Naked Security: <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/08\/29\/lastpass-source-code-breach-do-we-still-recommend-password-managers\/\">LastPass source code breach \u2013 do we still recommend password managers? \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>A timely reminder of why it&#8217;s important to keep NAS boxes patched and, if possible, off the public internet: <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/09\/07\/deadbolt-ransomware-rears-its-head-again-attacks-qnap-devices\/\">DEADBOLT ransomware rears its head again, attacks QNAP devices \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>From Allison: <a href=\"https:\/\/techcrunch.com\/2022\/09\/09\/patreon-security-layoffs\/\">Patreon confirms security team layoffs \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li>&#x1f4cc; &#x1f1e6;&#x1f1fa; Australia&#8217;s e-Safety Commissioner has sent legal letters to Apple, Google, Meta &amp; Microsoft requiring them to reply with a description of how they are fighting CSAM on their platforms, and they have 28 days to comply \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/08\/30\/australia-orders-apple-others-to-disclose-anti-csam-measures?\">appleinsider.com\/\u2026<\/a><\/li>\n<li>&#x1f4cc; &#x1f1fa;&#x1f1f8; California&#8217;s two legislative chambers have passed the controversial <em>California Age-Appropriate Design Code<\/em>; it&#8217;s now waiting on the Governor&#8217;s signature or veto \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/08\/30\/california-passes-bill-to-require-guardrails-to-protect-children-online\">appleinsider.com\/\u2026<\/a>\n<ul>\n<li>The bill&#8217;s status (and history and text) \u2014 <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billStatusClient.xhtml?bill_id=202120220AB2273\">leginfo.legislature.ca.gov\/\u2026<\/a><\/li>\n<li>&#x1f3a7; Listen to Allison, Tom &amp; Co. 
explain it: <a href=\"https:\/\/overcast.fm\/+BbbCLH7eo\">DTNS 4344: Twitter\u2019s Circles of Mystery \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>Why I&#8217;m such a fan of ISO 8601 (or its narrower subset RFC 3339) dates: <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/09\/09\/hoe-to-deal-with-dates-and-times-without-any-timezone-tantrums\/\">How to deal with dates and times without any timezone tantrums\u2026 \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>An interesting analysis of why one-time codes sent to users have turned sour for corporate IT: <a href=\"https:\/\/krebsonsecurity.com\/2022\/08\/how-1-time-passcodes-became-a-corporate-liability\/\">How 1-Time Passcodes Became a Corporate Liability \u2014 krebsonsecurity.com\/\u2026<\/a> (<strong>Editorial by Bart:<\/strong> This is why we need to move to better key-based systems like FIDO\/Passkeys)<\/li>\n<\/ul>\n<h2>Just Because it&#8217;s Cool &#x1f60e;<\/h2>\n<aside class=\"small-aside\">Stories that are not important, that don&#8217;t require you to do anything, and that you don&#8217;t even have to worry about.<\/aside>\n<ul>\n<li>Researchers published a paper titled <em>&#8216;Mining Node.js Vulnerabilities via Object Dependence Graph and Query&#8217;<\/em>. They found and responsibly reported bugs that were promptly fixed, which is not noteworthy in itself, but they did it using an entirely new <strong>automated<\/strong> technique, which is very noteworthy indeed! 
\u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/08\/30\/javascript-bugs-aplenty-in-node-js-ecosystem-found-automatically\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>From Allison: <a href=\"https:\/\/twitter.com\/madzadev\/status\/1566318274429812737\">&#8220;Give this book a coding-related title&#8221; \u2014 twitter.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td 
align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Twitter begins testing long-awaited edit button \u2014 www.cultofmac.com\/\u2026 Formal Confirmation of unconfirmed reports from The Intercept a few months ago: Facebook engineers have no idea what happens with user data \u2014 appleinsider.com\/\u2026 Deep Dive(s) [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[50,569],"class_list":["post-26746","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/26746","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}
],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=26746"}],"version-history":[{"count":1,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/26746\/revisions"}],"predecessor-version":[{"id":26747,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/26746\/revisions\/26747"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=26746"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=26746"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=26746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}