{"id":27279,"date":"2022-11-27T14:17:16","date_gmt":"2022-11-27T22:17:16","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=27279"},"modified":"2022-11-27T14:17:16","modified_gmt":"2022-11-27T22:17:16","slug":"sb-2022-11-27","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2022\/11\/sb-2022-11-27\/","title":{"rendered":"Security Bits \u2014 27 November 2022"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; The long-running case against Google led by most state Attorneys General over its misleading location settings (turning off location tracking didn&#8217;t actually stop Google tracking your location!) has resulted in the largest-ever settlement with the DoJ \u2013 Google will pay $391.5M, and improve their interfaces \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/google-is-on-the-hook-for-392-million-in-largest-ever-us-consumer-privacy-lawsuit\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>We recently discussed 1Password&#8217;s acquisition of a Passkey-related company, now 1Password have released a preview of the Passkey support coming to their apps in 2023 (and it looks good &#x1f600;) \u2014 <a href=\"https:\/\/www.future.1password.com\/passkeys\/\">www.future.1password.com\/\u2026<\/a><\/li>\n<li>Documents Apple is preparing for their ongoing court battle with grey-hat security company Corellium over their sale of a virtualised version of iOS, purportedly for security research, show that Corellium sold their software to repressive regimes, and to other questionable actors, including the infamous NSO group (Pegasus) \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/11\/21\/corelliums-ios-security-tool-used-by-rogues-gallery-of-iphone-hacking\">appleinsider.com\/\u2026<\/a><\/li>\n<li>At 
least some of the current Twitter chaos may be coming to an end soon \u2014 Elon Musk has promised a detailed announcement next week describing their future account verification system \u2013 all verified badges will be human-verified, people will get blue badges, companies gold, and government agencies grey \u2014 <a href=\"https:\/\/www.macobserver.com\/analysis\/twitter-may-finally-have-a-good-vision-for-the-future\/\">www.macobserver.com\/\u2026<\/a> &amp; <a href=\"https:\/\/appleinsider.com\/articles\/22\/11\/25\/twitter-relaunching-verified-with-manual-authentication-checks\">appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 1 \u2014 More on Apple&#8217;s Analytics<\/h2>\n<p>In the previous instalment I poured cold water on reports that Apple is violating its own rules with user tracking in the app store. Those reports were based on research showing nothing more than normal analytics tracking in iOS 14. The report tried to claim this was a breach of ATT (App Tracking Transparency), but its evidence pre-dated the introduction of ATT, and even if it hadn&#8217;t, there was no evidence presented of cross-app tracking.<\/p>\n<p>Research has continued and more details have come to light. I don&#8217;t see a smoking gun, and I still don&#8217;t see a reason to panic, but I do now see a need for Apple to tidy things up, and to communicate clearly to explain what&#8217;s going on, and how they&#8217;re going to improve things.<\/p>\n<p>So, what&#8217;s changed since last time?<\/p>\n<p>Firstly, we now have current information, so reports are not based on iOS 14 anymore! Secondly, we now know that Apple sends only pseudo-anonymized IDs, so in theory, they could convert the IDs back to Apple IDs if they wanted to. There is no evidence they are doing that, but they could.<\/p>\n<p>In my opinion, we shouldn&#8217;t have to trust that Apple will do the right thing and not de-anonymise the data later. 
I&#8217;m not sure anything going on here breaches the letter of Apple&#8217;s agreements, but to me, it clearly breaches their spirit. I tend to agree with the take I&#8217;ve seen elsewhere \u2014 this is probably not malicious, but rather a mix of technical debt and carelessness. This is very old code, and it seems it badly needs a 2022 retrofit!<\/p>\n<p>Further Reading:<br \/>\n* <a href=\"https:\/\/appleinsider.com\/articles\/22\/11\/21\/apples-app-store-analytics-may-be-able-to-identify-users\">Apple&#8217;s App Store analytics may be able to identify users \u2014 appleinsider.com\/\u2026<\/a><br \/>\n* <a href=\"https:\/\/www.macobserver.com\/news\/issues-with-privacy-continue-in-ios-as-apples-promise-of-anonymous-data-analytics-flounder\/\">Issues with Privacy Continue in iOS as Apple\u2019s Promise of Anonymous Data Analytics Flounder \u2014 www.macobserver.com\/\u2026<\/a><br \/>\n* <a href=\"https:\/\/9to5mac.com\/2022\/11\/21\/ios-privacy-concerns-deepen\/\">iOS privacy concerns deepen as Apple\u2019s promises on analytics anonymity appear to be false \u2014 9to5mac.com\/\u2026<\/a><\/p>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/11\/20\/eu-warns-against-downloading-qatar-world-cup-apps\">Qatar World Cup apps are privacy nightmares, says EU \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>Brian Krebs warns of a malware gang (dubbed <em>Disneyland Team<\/em>) abusing the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Punycode\">Punycode standard for adding special characters into URLs<\/a> and special characters that look like regular letters to create very convincing looking phishing sites pretending to be major banks \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2022\/11\/disneyland-malware-team-its-a-puny-world-after-all\/\">krebsonsecurity.com\/\u2026<\/a> 
(Because computers are not fooled by these look-alikes, this is yet another reason we want passkeys, and why we should use password managers in the meantime)<\/li>\n<li>A report from Pixalate finds that many of the top child-directed apps on both Apple &amp; Google&#8217;s app stores violate COPPA (a US online child protection law) in how they do their advertising (they are missing privacy statements, and\/or including IP and\/or GPS data in calls to ad networks) \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/report-thousands-of-likely-child-directed-apps-violate-us-child-privacy-laws\/\">www.macobserver.com\/\u2026<\/a>\n<ul>\n<li>The full body of the report is only available if you give up your own privacy by giving the company your email address, so I have not been prepared to read it!<\/li>\n<li>The methodology is available without surrendering your own privacy \u2014 <a href=\"https:\/\/www.pixalate.com\/coppa-compliance-tools-methodology\">www.pixalate.com\/\u2026<\/a><\/li>\n<li>On reading the methodology, it became clear to me that <strong>only the app interactions with ad networks were analysed<\/strong>, and this is not obvious from any of the reporting I&#8217;ve read!<\/li>\n<li>I could not find a freely available or searchable list of affected apps (they may be in the full report I&#8217;m not prepared to download)<\/li>\n<li>Advertising sets up a strong conflict of interest in apps for kids; the actionable take-away from this would seem to be to <strong>avoid letting your kids play ad-supported games<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/11\/25\/voice-scamming-site-ispoof-seized-100s-arrested-in-massive-crackdown\/\">Voice-scamming site \u201ciSpoof\u201d seized, 100s arrested in massive crackdown \u2014 nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li>&#x1f1e6;&#x1f1fa; &#x1f1e8;&#x1f1e6; &#x1f1eb;&#x1f1f7; &#x1f1e9;&#x1f1ea; &#x1f1ee;&#x1f1ea; 
&#x1f1f1;&#x1f1f9; &#x1f1f3;&#x1f1f1; &#x1f1fa;&#x1f1e6; &#x1f1ec;&#x1f1e7; &#x1f1fa;&#x1f1f8; Massive international operation involving Australia, Canada, France, Germany, Ireland, Lithuania, the Netherlands, Ukraine, the UK &amp; the USA<\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/11\/23\/cryptorom-pig-butchering-scam-sites-seized-suspects-arrested-in-us\/\">Multimillion dollar CryptoRom scam sites seized, suspects arrested in US \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f9ef; Reports of a &#8216;vulnerability&#8217; in Apple&#8217;s Private Relay that is costing advertisers millions of dollars in fraud are misleading; the vulnerability is in the current ad sales infrastructure, which can&#8217;t handle actual privacy! \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/11\/22\/apples-icloud-private-relay-being-abused-in-65m-ad-fraud\">appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li>A nice explainer on Passkeys to share with friends and family: <a href=\"https:\/\/appleinsider.com\/inside\/ios-16\/tips\/how-to-use-passkeys-instead-of-passwords-on-ios-16\">How to use Passkeys instead of passwords on iOS 16 \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>A nice example of a current phishing technique designed to trick you into giving attackers your 2FA code, and removing your suspicion by giving you a <em>soft dismount<\/em>, in other words, making it look like you achieved whatever aim they tricked you into wanting to achieve, like canceling a fraudulent transaction\/order: <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2022\/11\/21\/how-social-media-scammers-buy-time-to-steal-your-2fa-codes\/\">How social media scammers buy time to steal your 2FA codes \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>Elastic Security Labs&#8217; 2022 annual threat report shows that the Mac still suffers very few malware infections in the real world, and of those it does suffer, questionable software like MacKeeper makes up the vast majority of &#8216;infections&#8217; \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/11\/15\/report-shows-macos-had-the-least-malware-infections-in-2022\">appleinsider.com\/\u2026<\/a>\n<ul>\n<li>Of the malware infections the company found, 54% were on Windows, 39.4% on Linux (servers get attacked a lot because they are valuable!), and just 6.2% on the Mac.<\/li>\n<\/ul>\n<\/li>\n<li>We still suck at passwords; see how bad we are in NordPass&#8217;s 2022 list of the 200 most common passwords \u2014 <a href=\"https:\/\/nordpass.com\/most-common-passwords-list\/\">nordpass.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.cultofmac.com\/797949\/show-your-iphone-14s-guts-with-bold-new-schematic-wallpaper\/\">Show your iPhone 14\u2019s guts with bold new schematic wallpaper \u2014 www.cultofmac.com\/\u2026<\/a> (no iPhone 14 Pro or Pro Max &#x1f641;)<\/li>\n<li>&#x1f3a7; An excellent exploration of the fascinating history of the humble browser cookie \u2013 how a tool developed to protect privacy went bad and ended up invading it: <a href=\"https:\/\/overcast.fm\/+YsPQXSvWU\">Planet Money: How the cookie became a monster \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link 
is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. &#x1f1fa;&#x1f1f8; The long-running case against Google led by most state Attorneys General over its misleading location settings (turning off location tracking didn&#8217;t actually stop Google tracking your location!) has resulted in the largest-ever settlement [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":14958,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[46,5597,5598,1359,169,50,569],"class_list":["post-27279","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-apple","tag-apple-analytics","tag-bad-actors","tag-google","tag-hackers","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2018\/04\/Security-Bits-Logo_1000px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27279","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/
blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=27279"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27279\/revisions"}],"predecessor-version":[{"id":27281,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27279\/revisions\/27281"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/14958"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=27279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=27279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=27279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}