{"id":27034,"date":"2022-10-16T10:36:38","date_gmt":"2022-10-16T17:36:38","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=27034"},"modified":"2022-10-16T10:36:38","modified_gmt":"2022-10-16T17:36:38","slug":"sb-2022-10-16","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2022\/10\/sb-2022-10-16\/","title":{"rendered":"Security Bits \u2014 16 October 2022"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Last time Bart &amp; Allison waxed lyrical about the DART mission, but we didn&#8217;t know yet if it had worked; now we do, and it did &#x1f600; \u2014 <a href=\"https:\/\/www.nasa.gov\/press-release\/nasa-confirms-dart-mission-impact-changed-asteroid-s-motion-in-space\">www.nasa.gov\/\u2026<\/a><\/li>\n<li>The Matter home automation standard has been released to developers \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/04\/home-automation-standard-matter-one-step-closer-to-use\">appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 1 \u2014 VPN <em>Leaks<\/em> on Android &amp; iOS<\/h2>\n<p><strong>TL;DR<\/strong> no real risk to users.<\/p>\n<p>Two stories broke this week that are being described as bugs or vulnerabilities, but are actually neither; they are intentional tradeoffs. Both involve traffic not being routed through VPN apps on mobile OSes.<\/p>\n<p>Firstly, there is Android bypassing VPNs for its captive portal wifi checks, and secondly there is Apple communicating directly with its own servers on iOS.<\/p>\n<p>On the one hand the Android example seems pretty cut-and-dried to me: there exist wifi networks that force you to go to a web page to log in or to accept terms and conditions before you can use the network. 
If you use a browser these networks will redirect every URL to their landing page, but if you use an app of some sort that&#8217;s not possible, so the connection appears broken. To avoid this Android &amp; iOS added an OS feature that tries to phone home, and if it gets intercepted, it opens a browser pane to allow the users to log in regardless of the app they tried to use. This makes the user experience on these so-called <em>captive portal networks<\/em> infinitely better.<\/p>\n<p>For the check to work reliably Google bypass VPNs to do it, and that&#8217;s the <em>&#8216;flaw&#8217;<\/em> that made the news. Note that iOS probably does this too, but that hasn&#8217;t been reported, so don&#8217;t take that as gospel. The only reason there is even a tiny bit of legitimate criticism IMO is that Google have a setting labeled <em>&#8216;Block connections without VPN&#8217;<\/em>, and the captive portal check happens even when that&#8217;s enabled. Either Google need to add some small print, or disable the check when that setting is on, and then they&#8217;ve done everything perfectly IMO.<\/p>\n<p>On iOS meanwhile, some encrypted traffic from iOS to Apple servers bypasses VPNs. Apple haven&#8217;t said why, but it&#8217;s most likely a decision rather than a bug. 
All the traffic is from Apple apps to Apple servers, and most of it is very confidential (with the exception of Clips!).<\/p>\n<p>Two possible reasons come to mind:<\/p>\n<ol>\n<li><strong>Security<\/strong> \u2014 Apple make a lot of privacy claims, so it makes sense to ensure that data never leaves Apple&#8217;s control: Apple securely handle it every step of the way from phone to server, avoiding handing it over to third-party apps.<\/li>\n<li><strong>Efficiency<\/strong> \u2014 VPNs are inherently slower since they add a wrapping layer and re-route data.<\/li>\n<\/ol>\n<p>As in the Google case, there is no real risk to end users here.<\/p>\n<p>Remember, just as NAT routers were not designed to act as firewalls, VPNs were not designed as privacy tools. NAT routers&#8217; actual job is to facilitate the sharing of a single IPv4 address by many devices, and a byproduct of that one-to-many relationship is that unless the router has been explicitly configured to route all incoming connections to a specific device, the router can&#8217;t deliver incoming connections, so it drops them. VPNs are encrypted network interfaces that traffic can be routed through. If you choose to route all traffic through them, then you can hide all your network traffic inside them, but that&#8217;s just one possible configuration, and actually a lot less common than most users think. Corporate VPNs only route traffic to the corporation through the tunnel, and most VPNs sold as privacy VPNs make exceptions for LAN traffic so file shares and printers keep working. Apple and Google are choosing not to route some OS traffic through VPN interfaces. 
That&#8217;s not a bug; it&#8217;s just a choice some don&#8217;t like.<\/p>\n<h2>Deep Dive 2 \u2014 Bart Gets (Temporarily) Duped by Smishing<\/h2>\n<p><strong>TL;DR remember SMS senders can be faked!<\/strong><\/p>\n<figure style=\"float: right; margin-left: 10px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2022\/10\/COVID-Smishing-Message-Bart-Received.jpeg\" alt=\"COVID Smishing Message Bart Received\" title=\"COVID Smishing Message Bart Received.jpeg\" width=\"277\" height=\"600\"><figcaption style=\"text-align:center\">COVID Smishing Message Bart Received<\/figcaption><\/figure>\n<p>Allison makes the point that none of us, no matter how informed we are, or how hard we try, are immune to scams. Allison has shared some stories about how she fell for things, and now it&#8217;s my turn!<\/p>\n<p>My darling beloved got an SMS message today that appeared in his phone as if it had been sent by Ireland&#8217;s national health authority, the HSE, and that claimed to be a COVID exposure notification:<\/p>\n<p>Intellectually I know the <em>from<\/em> number of an SMS message can be faked. I know that just because something appears to be from my bank doesn&#8217;t mean it is. I also know that when an SMS sender is faked, smartphones will group it into an existing thread if there is one on the device, so the fake message will appear in line with real ones.<\/p>\n<p>I know this, but when my darling beloved sent me the above screenshot I fell for it hook, line and sinker. I&#8217;ve obscured the PII, but the first message in the thread is 100% legitimate, and it had the correct name and age, but the second message was not. 
Because the PII was in the thread, the whole thing felt legitimate, and because it was a terrifying topic, the analytical part of my brain was <strong>off<\/strong>!<\/p>\n<p>Had my logical brain been functioning, it would have picked this up as a scam immediately for 2 reasons:<\/p>\n<ol>\n<li>The domain name ends in <code>.ie.site<\/code>; the HSE has a <strong>real<\/strong> <code>.ie<\/code> domain, it does not use a pretend one under the generic <code>.site<\/code> TLD!<\/li>\n<li>Exposure notifications are via push notifications, not SMS messages!<\/li>\n<\/ol>\n<p>There is only one reason neither of us clicked the link \u2014 we&#8217;d picked up 20 COVID tests last week because I was legitimately a close contact of an actual case and had been testing daily for the past 7 days to play it safe (so far so negative, so &#x1f91e;). Once I stopped to think I noticed the domain, and when I pointed it out we both laughed about how naive we&#8217;d been, but the bottom line remains: we&#8217;re both well-informed and vigilant, but we&#8217;re also both human, so they fooled us, at least for a while.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/google\/android-leaks-some-traffic-even-when-always-on-vpn-is-enabled\/\">Android leaks some traffic even when &#8216;Always-on VPN&#8217; is enabled \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/12\/most-apple-apps-on-ios-16-bypass-vpn-connections\">Most Apple apps on iOS 16 bypass VPN connections \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/10\/12\/patch-tuesday-in-brief-one-0-day-fixed-but-no-patches-for-exchange\/\">Patch Tuesday in brief \u2013 one 0-day fixed, but no patches 
for Exchange! \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/10\/apple-continues-hot-fix-releases-with-ios-1603-watchos-902\">iOS 16.0.3 &amp; watchOS 9.0.2 updates arrive with bug &amp; security fixes \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/07\/one-million-facebook-users-had-their-passwords-stolen-by-fake-apps\">One million Facebook users had passwords stolen by fake apps \u2014 appleinsider.com\/\u2026<\/a> (Over 400 malicious apps with fake <em>Log in with Facebook<\/em> screens on iOS &amp; Android)\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/10\/07\/whatsapp-goes-after-chinese-password-scammers-via-us-court\/\">WhatsApp goes after Chinese password scammers via US court \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.reuters.com\/technology\/toyota-says-information-about-296000-users-its-t-connect-service-leaked-2022-10-07\/\">Toyota says about 296,000 pieces of customer info possibly leaked \u2014 www.reuters.com\/\u2026<\/a> (T-Connect users: email addresses &amp; customer numbers, but not names, phone numbers or credit card information)<\/li>\n<li><a href=\"https:\/\/tidbits.com\/2022\/10\/06\/no-more-security-updates-for-first-generation-eero-devices\/\">No More Security Updates for First-Generation Eero Devices \u2014 tidbits.com\/\u2026<\/a> (<strong>Editorial by Bart:<\/strong> if you&#8217;re still using one of these routers, you should probably replace it ASAP!)<\/li>\n<li>&#x1f1fa;&#x1f1f8; PSA from CISA: <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/PSA-information-activities_508.pdf\">Foreign Actors Likely to Use 
Information Manipulation Tactics for 2022 Midterm Elections \u2014 www.cisa.gov\/\u2026<\/a> (PDF)<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Mac MDM provider Jamf have released details of a Gatekeeper bypass they found in macOS, which they responsibly disclosed to Apple, who patched it in July \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/06\/flaw-in-macos-archive-utility-could-let-attackers-bypass-gatekeeper\">appleinsider.com\/\u2026<\/a><\/li>\n<li>&#x1f1e7;&#x1f1f7; &#x1f1ee;&#x1f1f3; <a href=\"https:\/\/www.macobserver.com\/news\/instagram-expands-age-verification-program-backed-by-ai-to-brazil-and-india\/\">Instagram Expands Age Verification Program Backed by AI to Brazil and India \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/10\/06\/former-uber-cso-convicted-of-covering-up-megabreach-back-in-2016\/\">Former Uber CSO convicted of covering up megabreach back in 2016 \u2014 nakedsecurity.sophos.com\/\u2026<\/a> (Sentencing hearing to come)<\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li>Some simple practical advice from the SANS Internet Storm Center: <a href=\"https:\/\/isc.sans.edu\/diary\/rss\/29118\">What is in your Infosec Calendar? \u2014 isc.sans.edu\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li><a href=\"https:\/\/tidbits.com\/2022\/10\/11\/what-does-sos-in-the-iphone-status-bar-mean\/\">What Does SOS in the iPhone Status Bar Mean? 
\u2014 tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; Disturbing reporting from Brian Krebs about how Zelle is being added to users&#8217; accounts by US banks, and how those same banks are failing to pay back money their customers lose to Zelle-based frauds, which are rampant: <a href=\"https:\/\/krebsonsecurity.com\/2022\/10\/report-big-u-s-banks-are-stiffing-account-takeover-victims\/\">Report: Big U.S. Banks Are Stiffing Account Takeover Victims \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>The best <a href=\"https:\/\/nationaltoday.com\/ada-lovelace-day\/\">Ada Lovelace Day<\/a> article I read: <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/10\/11\/move-over-patch-tuesday-its-ada-lovelace-day\/\">Move over Patch Tuesday \u2013 it\u2019s Ada Lovelace Day! 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f3a7; Special live episode of a podcast Bart&#8217;s recommended before: <a href=\"https:\/\/overcast.fm\/+smMNvOY2o\">Lazarus Heist live \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to; when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Last time Bart &amp; Allison waxed lyrical about the DART mission, but we didn&#8217;t know yet if it had worked, now we do, it did &#x1f600; \u2014 www.nasa.gov\/\u2026 The Matter home automation standard has [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[515,126,1931,5528,5056,142,5529],"class_list":["post-27034","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-android","tag-ios","tag-phishing","tag-smishing","tag-sms","tag-vpn","tag-vpn-leaks"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27034","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true
,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=27034"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27034\/revisions"}],"predecessor-version":[{"id":27036,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27034\/revisions\/27036"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=27034"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=27034"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=27034"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}