{"id":27093,"date":"2022-10-30T16:19:03","date_gmt":"2022-10-30T23:19:03","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=27093"},"modified":"2022-10-30T16:19:03","modified_gmt":"2022-10-30T23:19:03","slug":"sb-2022-10-30","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2022\/10\/sb-2022-10-30\/","title":{"rendered":"Security Bits \u2014 30 October 2022"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>It&#8217;s official: Elon Musk now owns Twitter, and he&#8217;s already cleaned house and fired top executives \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/28\/elon-musk-reigns-as-twitter-ceo-fires-top-execs-first-day\">appleinsider.com\/\u2026<\/a>\n<ul>\n<li><strong>Related Opinion:<\/strong> His letter to advertisers is surprisingly sensible \u2014 <a href=\"https:\/\/daringfireball.net\/linked\/2022\/10\/27\/musk-twitter-open-letter\">daringfireball.net\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1eb;&#x1f1f7; <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/10\/26\/clearview-ai-image-scraping-face-recognition-service-hit-with-e20m-fine-in-france\/\">Clearview AI image-scraping face recognition service hit with \u20ac20m fine in France \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/25\/paypal-gets-passkey-support-on-iphone-ipad-mac-in-us\">PayPal gets Passkey support on iPhone, iPad, Mac in U.S. 
\u2014 appleinsider.com\/\u2026<\/a> (Wider rollout later)<\/li>\n<li>Not all social media companies have a problem with Apple&#8217;s App Tracking Transparency: <a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/26\/snap-ceo-firm-believer-in-apples-evolving-privacy-moves\">Snap CEO firm believer in Apple&#8217;s evolving privacy moves \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x1f9ef; Deep Dive 1 \u2014 An Over-hyped (but Interesting) Messaging App Location Leak<\/h2>\n<p>Something we come across often in this segment is cool security research that gets over-hyped in terms of its actual effect on user safety. There are perverse incentives at play all along the chain, so that probably doesn&#8217;t come as a surprise. Corporate researchers are incentivised to make their work seem as impressive as possible to drive business, academic researchers to drive funding, PR people to boost their company\/university, and news media to boost clicks.<\/p>\n<p>Some very interesting research has been released that can theoretically be leveraged to infer people&#8217;s location against their will, but there are so many caveats that it&#8217;s just not a real threat to regular folks, and it probably never will be because the fix is trivially easy for messaging platforms to implement.<\/p>\n<p>It is worth exploring though because it&#8217;s a very nice example of a so-called <em>side channel attack<\/em>.<\/p>\n<p>It is possible to share your location in a chat using encrypted messaging services, but you have to do it explicitly, and that data is sent very securely, so an attacker can&#8217;t simply eavesdrop on the network traffic to read people&#8217;s messages, including any location sharing events. So the primary channel is well protected.<\/p>\n<p>But there are always things attackers can see \u2014 data about the data, or about the sending of the data, or the processing of the data. 
These indirect sources of information are referred to as <em>side channels<\/em>.<\/p>\n<p>Amateurish websites often have glaringly obvious side channels, like different error messages for a username that doesn&#8217;t exist and a username that does exist but with the wrong password. Less amateurish sites can have more subtle side channels where the time taken to return an identical message for an incorrect username and an incorrect password is different enough to measure, giving the game away anyway.<\/p>\n<p>What security researchers have found in Signal, WhatsApp &amp; Threema is a more complex version of that kind of timing side channel, and when all the conditions line up, it can reveal a user&#8217;s location with about an 80% accuracy.<\/p>\n<p>To understand what the researchers did, it&#8217;s important to understand that large cloud services are not served by a single server; the workload is shared in two ways \u2014 firstly, different tasks are performed by different groups of servers, and each group of servers is duplicated across the world so there should always be one near every user. It&#8217;s also important to understand that it&#8217;s easy for anyone to watch the network traffic to and from their own devices.<\/p>\n<p>When you use any modern messaging app you get a little icon to show when a message has been read. 
The notifications for that icon arrive at the device in a different stream of data than the messages themselves, so if you watch your network traffic, you can pick out the packets that contain the signals powering those icons.<\/p>\n<p>What the researchers wondered was whether the timings of those packets could be meaningful enough to deduce location data, and they are \u2026 sorta, and sometimes.<\/p>\n<p>Each of the messaging systems they examined had large distributed server deployments that don&#8217;t change very much \u2014 if they have servers in New York today, they&#8217;ll probably still have those servers tomorrow, next week, next month, or next year. They also discovered that the network speeds to and from these servers are consistent, so if it takes 5ms to send a packet from Philadelphia to the New York servers today, it&#8217;ll take the same tomorrow, and next week, and so on. Furthermore, they discovered that routing of traffic to the servers is also stable, so if everyone in Atlantic City is routed to the New York servers today, they&#8217;ll be routed there tomorrow, and next week \u2026 Finally, they discovered that the servers are consistently efficient, so any delays observed are down to the path the packets took.<\/p>\n<p>So, what all that means is that if you&#8217;re at your house, the time it takes for the little <em>read<\/em> checkmarks to appear will be different from the time it takes when you&#8217;re in the office, and both of those times will be pretty consistent over the long term.<\/p>\n<p>So, if an attacker can benchmark the timings at times when they know where you are, they can then check if you&#8217;re at that location at any time in the future by matching the timings they see to those recorded timings.<\/p>\n<p>For this to work, all the following must be true:<\/p>\n<ol>\n<li>You must have a previous conversation with the attacker<\/li>\n<li>You must have a conversation with the attacker at a time when they know where you are 
to start mapping important locations for you<\/li>\n<li>You must have your phone on and your messages app open at the time the attacker wants to check if you are at one of the known locations.<\/li>\n<\/ol>\n<p>So, no one can use this attack to find arbitrary locations for anyone; all an attacker can do is be 80% sure you&#8217;re back at a location they were able to verify you were at before. For an attacker to be able to match you back to a location they need to have a conversation with you over the messaging app at a time they know you are at that location, so they need to have regular conversations with you. Finally, if your phone is asleep, or the messaging app is not running, the notifications will go via push notification, so they will be massively delayed, and the attack fails utterly!<\/p>\n<p>OK, so right now, in some very limited circumstances, an attacker can be 80% sure you&#8217;re back at a place they recorded you being at before. So how can app developers prevent these kinds of attacks? Simple \u2014 add a small random wait to status update messages! The signal is weak, so adding in just a little noise is all it will take!<\/p>\n<p>Of the three apps tested, Threema is the only one to have responded so far, and they&#8217;ve updated their code to add the randomised delay and will be pushing it out to users in a future software update. 
The others are likely to follow suit.<\/p>\n<p>So, despite what you may have read, no, messaging apps are not really leaking your location!<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/restoreprivacy.com\/timing-attacks-on-whatsapp-signal-threema-reveal-user-location\/\">Timing Attacks on WhatsApp, Signal, and Threema can Reveal User Location \u2014 restoreprivacy.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 2 \u2014 Apple Improves its Engagement With the Security Community<\/h2>\n<p>Of all the major OS vendors, Apple tends to come in for the most criticism from the security community because they tend towards secrecy, and they&#8217;re quite fond of doing things their way. Over the years they have been proactively reaching out to the community and improving their policies and practices. That continued this week with a handful of small but meaningful changes.<\/p>\n<p>Firstly, Apple have released a new security research portal \u2014 https:\/\/security.apple.com<\/p>\n<p>The portal is surprisingly approachable, with lots of interesting information about the security features Apple builds into its products, and its various security-related policies and programs.<\/p>\n<p>One of the things Apple did was clarify the differences between software updates and software upgrades, and in the process, they made official something they&#8217;ve been doing for as long as I&#8217;ve followed Apple, but it&#8217;s getting some undeserved bad press.<\/p>\n<p>We&#8217;ve always known that the newest Apple operating systems are the most secure because each new release adds new security features and improvements to existing security features. We&#8217;ve also always seen that the newest OSes get software updates the quickest, and their updates patch the most bugs. Older OS updates often lag behind by a few days, and they don&#8217;t usually cover as many bugs.<\/p>\n<p>All bugs in all OSes get triaged, and there are always bugs that don&#8217;t meet the bar for patching. 
We&#8217;ve seen that Apple apply a different bar for the older OSes, only patching the more serious bugs, and now we have a support document from Apple that explicitly says that&#8217;s what they do. This changes nothing \u2014 Apple have always patched the bugs that pose real risk to regular users, and they&#8217;re continuing to do so. Apple have never back-ported every fix to their older OSes, and they&#8217;re not starting now. Their newer OSes were always inherently more secure, and that continues to be the case.<\/p>\n<p>As I see it, Apple being more open about what they do is a good thing. The next thing they could do would be to follow Microsoft&#8217;s lead and share the criteria they use to triage bugs.<\/p>\n<p>Finally, Apple have opened up applications for the special security research version of the iPhone promised earlier in the year. Apple call this the <em>Apple Security Research Device<\/em>, but it&#8217;s an iPhone with a bunch of restrictions removed so security researchers can get low-level access to the OS without needing to resort to jailbreaking. 
Apple are limiting access to these devices to verified security researchers, and numbers are limited.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/27\/apple-confirms-older-operating-system-patches-arent-as-comprehensive-as-latest-updates\">Apple confirms older operating system patches aren&#8217;t as comprehensive as latest updates \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/27\/apple-claims-faster-response-to-security-bugs-launches-dedicated-site\">Apple claims faster response to security bugs, launches dedicated site \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/10\/18\/zoom-for-mac-patches-sneaky-spy-on-me-bug-update-now\/\">Zoom for Mac patches sneaky \u201cspy-on-me\u201d bug \u2013 update now! \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/10\/29\/chrome-issues-urgent-zero-day-fix-update-now\/\">Chrome issues urgent zero-day fix \u2013 update now! 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Apple patch just about everything \u2014 <a href=\"https:\/\/tidbits.com\/2022\/10\/24\/apple-releases-macos-13-ventura-ipados-16-1-ios-16-1-watchos-9-1-and-more\/\">tidbits.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/24\/apples-macos-ventura-is-heavy-with-security-enhancements-fixes\">Apple&#8217;s macOS Ventura is heavy with security enhancements &amp; fixes \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>\n<p><strong>Related:<\/strong> improvements in how full disk access is controlled are causing some issues when upgrading: apps that had full disk permission before the upgrade could lose it during the upgrade, including security apps \u2014 <a href=\"https:\/\/www.macobserver.com\/tips\/deep-dive\/bug-in-macos-ventura-may-have-silently-broken-your-malware-protection-heres-how-to-fix-it\/\">www.macobserver.com\/\u2026<\/a> &amp; <a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/26\/malwarebytes-crippled-by-macos-ventura-update\">appleinsider.com\/\u2026<\/a><\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/24\/macos-monterey-macos-big-sur-get-security-update\">macOS Monterey &amp; macOS Big Sur get security update \u2014 appleinsider.com\/\u2026<\/a><\/p>\n<\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1892801\">Apple releases patch for iPhone and iPad 0-day reported by anonymous source \u2014 arstechnica.com<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/27\/apple-releases-ios-1571-for-users-who-cant-or-wont-update-to-ios-16\">Apple releases iOS 15.7.1 for users who can&#8217;t, or won&#8217;t update to iOS 16 \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> Why patching is important: <a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/26\/malicious-apps-could-have-listened-in-on-siri-conversations\">Malicious Mac and iOS apps could have listened in on Siri conversations \u2014 
appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>\n<p><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/10\/26\/online-ticketing-company-see-pwned-for-2-5-years-by-attackers\/\">Online ticketing company \u201cSee\u201d pwned for 2.5 years by attackers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/p>\n<ul>\n<li>Very slow response by the company<\/li>\n<li>Payment data exposed &#x1f641; (name, address, zip code, payment card number, card expiry date &amp; CVV number)<\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/news\/hospital-web-tracker-leak-may-have-sent-3-million-patients-info-to-big-tech-companies\/\">Hospital Web Tracker Leak May Have Sent 3 Million Patients\u2019 Info to Big Tech Companies \u2014 www.macobserver.com\/\u2026<\/a> (Advocate Aurora Health AKA AAH in Illinois &amp; Wisconsin)\n<ul>\n<li>Not a hack, but a poorly configured analytics package, so the info only leaked to reputable companies like Google<\/li>\n<li>Discovered and fixed by the company itself<\/li>\n<li>Data included: IP addresses, appointment information including scheduling and type, proximity to an AAH facility, provider information, digital messages, first &amp; last names, insurance data, and MyChart account information. (no payment data)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Another Log4Shell-esque bug has been found in another commonly used Java library, this time it&#8217;s <em>Apache Commons Text<\/em>. 
The bug has been patched and it&#8217;s more difficult to exploit reliably than Log4Shell, so while it means a lot of Java-based servers and apps need to be patched, it&#8217;s not the same kind of drop-everything panic as Log4Shell \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/10\/18\/dangerous-hole-in-apache-commons-text-like-log4shell-all-over-again\/\">nakedsecurity.sophos.com\/\u2026<\/a> (<strong>Editorial by Bart:<\/strong> But do still buy your friendly neighbourhood sysadmin a coffee &#x1f609;)<\/li>\n<li>OpenSSL have pre-announced a critical bug fix to be released on 1 Nov, but not given any specific details \u2014 <a href=\"https:\/\/isc.sans.edu\/diary\/rss\/29192\">isc.sans.edu\/\u2026<\/a> (<strong>Editorial by Bart:<\/strong> so buy your sysadmin a second coffee!)<\/li>\n<li>DuckDuckGo have released a public beta of their Mac browser. One of the nicer features is automatic handling of cookie preference popovers on websites \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/18\/duckduckgos-private-browser-for-mac-enters-public-beta\">appleinsider.com\/\u2026<\/a> (<strong>Editorial by Bart:<\/strong> I&#8217;ve installed it and first impressions are good)<\/li>\n<li>&#x1f1fa;&#x1f1f8; The US state of New York has fined the fashion brand SHEIN $1.9m as a result of a data breach in 2018. 
They didn&#8217;t have adequate protection in place, and tried to cover up the breach \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/10\/17\/fashion-brand-shein-fined-1-9m-for-lying-about-data-breach\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/10\/19\/women-in-cryptology-usps-celebrates-ww2-codebreakers\/\">Women in Cryptology \u2013 USPS celebrates WW2 codebreakers \u2014 nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.theregister.com\/2022\/10\/29\/kathleen_booth_obit\/\">RIP: Kathleen Booth, the inventor of assembly language \u2014 www.theregister.com\/\u2026<\/a> (via Allison)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>&#x1f3a6; From listener David Bogdan: <a href=\"https:\/\/youtube.com\/watch?v=Mf2H9WZSIyw&#038;feature=share\">Why the longest English word is PAPAL and SPA is the pointiest. 
&#8211; YouTube \u2014 youtube.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. It&#8217;s official: Elon musk now owns Twitter, and he&#8217;s already cleaned house and fired top executives \u2014 appleinsider.com\/\u2026 Related Opinion: His letter to advertisers is surprisingly sensible \u2014 daringfireball.net\/\u2026 &#x1f1eb;&#x1f1f7; Clearview AI image-scraping face [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[5549],"class_list":["post-27093","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-side-channel-attack"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27093","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"hr
ef":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=27093"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27093\/revisions"}],"predecessor-version":[{"id":27095,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27093\/revisions\/27095"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=27093"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=27093"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=27093"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}