{"id":27526,"date":"2022-12-23T13:14:08","date_gmt":"2022-12-23T21:14:08","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=27526"},"modified":"2022-12-23T14:03:36","modified_gmt":"2022-12-23T22:03:36","slug":"sb-2022-12-23","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2022\/12\/sb-2022-12-23\/","title":{"rendered":"Security Bits \u2014 23 December 2022 &#x1f384;"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; Apple have released their opt-in new Advanced Data Protection for iCloud , but only in the US for now \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/12\/13\/apples-advanced-data-protection-feature-is-here---what-you-need-to-know\">appleinsider.com\/\u2026<\/a>\n<ul>\n<li>At least initially, enabling ADP could complicate the setup of new devices \u2014 <a href=\"https:\/\/appleinsider.com\/inside\/ios-16\/tips\/advanced-data-protection-will-complicate-new-device-setup-this-christmas\">appleinsider.com\/\u2026<\/a> <\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.macobserver.com\/news\/physical-security-key-support-ios-macos\/\">Physical Security Key Support Arrives in iOS 16.3, macOS Ventura 13.2 Beta \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>LastPass have released more details regarding their ongoing investigation into their recent breach \u2014 <a href=\"https:\/\/blog.lastpass.com\/2022\/12\/notice-of-recent-security-incident\/\">blog.lastpass.com\/\u2026<\/a>\n<ul>\n<li>Users are vulnerable to phishing attacks because of leaked personal details<\/li>\n<li>Backups of users&#8217; end-to-end encrypted vaults were leaked, so any user with a weak password needs to change all their passwords everywhere<\/li>\n<li>LastPass&#8217;s custom file format 
stores some information like website names and URLs in the clear, so phishing attacks could be very believable<\/li>\n<li><strong>Secrets like passwords, private keys and secure notes have not been leaked<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 Is Twitter&#8217;s New Blue Tick Account Verification?<\/h2>\n<p><strong>TL;DR \u2014 nope, but the gold and grey ones might be<\/strong>, if we choose to take Twitter&#8217;s word for it.<\/p>\n<p>Bart explained in <a href=\"https:\/\/www.podfeet.com\/blog\/2022\/12\/ccatp-756\/\">Chit Chat Across the Pond #756<\/a> the meaning of verification and Twitter\/Mastodon implementations.<\/p>\n<p>Last time we recorded Twitter had promised they would be re-launching Twitter blue, that it would have some kind of human review, and that there would be options for validating corporations and government entities.<\/p>\n<p>&#x1f1e6;&#x1f1fa; &#x1f1e8;&#x1f1e6; &#x1f1f3;&#x1f1ff; &#x1f1ec;&#x1f1e7; &#x1f1fa;&#x1f1f8; Since then the service has officially launched in 5 countries (Australia, Canada, New Zealand, The UK, and the USA), and Twitter have updated their website with more details.<\/p>\n<p>People who earned a blue tick when it meant something will get to keep the tick, but it will be marked as being a legacy tick. New people who pay for the tick won&#8217;t get the tick until a human has reviewed their account, and changing your username, display name, or profile picture will remove the tick again until the account is reviewed again.<\/p>\n<p>However, Twitter are making no claims about validating the account, the only claim they make is that blue-tick accounts appear to be <em>non-deceptive<\/em>. They don&#8217;t give a detailed definition for what a deceptive account is other than saying accounts can&#8217;t show evidence of being misleading or of manipulating the platform, i.e. 
being some kind of malicious bot.<\/p>\n<p>This is better than nothing, and a lot better than the utter failure that was the first for-purchase tick mark, but <strong>this is not account validation<\/strong>.<\/p>\n<p>Twitter have also announced an initial test of a corporate account plan that does claim to offer verification but does not detail that verification in any way whatsoever. Verified companies will get a gold tick.<\/p>\n<p>Similarly, government agencies, officials, elected representatives, and their staff will be able to get their accounts verified in some unspecified way to earn a grey tick.<\/p>\n<p>The level of confidence you should assign the gold and grey ticks is based purely on your assessment of Twitter&#8217;s competence as an organisation; they have provided zero detail to help us make an informed judgment. Time will have to tell I guess \u2014 if we hear stories of fakes with ticks we&#8217;ll know it failed; if we don&#8217;t, we can assume the system works.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/twitter-blue-on-ios-relaunches-on-monday-for-11-monthly\/\">Twitter Blue on iOS Relaunches on Monday for $11 Monthly \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>Twitter&#8217;s Current Description of the Service: <a href=\"https:\/\/help.twitter.com\/en\/using-twitter\/twitter-blue\">About Twitter Blue \u2014 help.twitter.com\/\u2026<\/a>\n<ul>\n<li>Twitter&#8217;s Current Criteria for the Blue Tick: <a href=\"https:\/\/help.twitter.com\/en\/managing-your-account\/about-twitter-verified-accounts\">How to get the blue checkmark on Twitter \u2014 help.twitter.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Patch Tuesday has been and gone, including fixes for two zero-day bugs in Windows:\n<ul>\n<li><a 
href=\"https:\/\/nakedsecurity.sophos.com\/2022\/12\/14\/patch-tuesday-0-days-rce-bugs-and-a-curious-tale-of-signed-malware\/\">Patch Tuesday: 0-days, RCE bugs, and a curious tale of signed malware \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2022\/12\/microsoft-patch-tuesday-december-2022-edition\/\">Microsoft Patch Tuesday, December 2022 Edition \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> details have emerged of an extremely dangerous Windows bug that was patched in September, it allowed for completely automated remote takeover of vulnerable computers, in other words, it was <em>wormable<\/em> \u2014 <a href=\"https:\/\/arstechnica.com\/information-technology\/2022\/12\/critical-windows-code-execution-vulnerability-went-undetected-until-now\/\">arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Apple release security patches for just about everything:\n<ul>\n<li><a href=\"https:\/\/tidbits.com\/2022\/12\/13\/apple-releases-ios-16-2-ipados-16-2-macos-13-1-ventura-watchos-9-2-and-tvos-16-2\/\">Apple Releases iOS 16.2, iPadOS 16.2, macOS 13.1 Ventura, watchOS 9.2, and tvOS 16.2 \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/12\/13\/apple-hasnt-left-monterey-big-sur-ipados-15-ios-15-behind-yet\">Apple hasn&#8217;t left Monterey, Big Sur, iPadOS 15, iOS 15 behind yet \u2014 appleinsider.com\/\u2026<\/a> <\/li>\n<li><a href=\"https:\/\/tidbits.com\/watchlist\/safari-16-2\/\">Safari 16.2 \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> Microsoft have released details of a bug in macOS 11 &amp; 12 that Apple recently patched, it was similar to a recent Windows bug in that it bypassed Gatekeeper, allowing un-signed software that should be blocked to run \u2014 <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2022\/12\/20\/microsoft-dishes-the-dirt-on-apples-achilles-heel-shortly-after-fixing-similar-windows-bug\/\">nakedsecurity.sophos.com\/\u2026<\/a> (The bug was not particularly serious, but got a disproportionate amount of media buzz, presumably because it mentions Apple, and, because Microsoft gave their article a catchy name \u2014 <em>The Achilles\u2019 Heel of macOS<\/em>)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.vox.com\/recode\/2022\/12\/19\/23516925\/epic-games-ftc-settlement-520-million\">Fortnite maker Epic Games has to pay $520 million for tricking kids and violating their privacy \u2014 www.vox.com\/\u2026<\/a> (<em>Dark patterns<\/em> &amp; COPPA violations)<\/li>\n<li>&#x1f1fa;&#x1f1f8; There are real Equifax breach settlement emails being sent ATM, but Brian Krebs warns that scammers are likely to start sending fake ones soon, so he describes how to verify your email is real \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2022\/12\/the-equifax-breach-settlement-offer-is-real-for-now\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/12\/21\/suspicious-login-scammers-up-their-game-take-care-at-christmas\/\">\u201cSuspicious login\u201d scammers up their game \u2013 take care at Christmas \u2014 nakedsecurity.sophos.com\/\u2026<\/a> (Fake &#8216;we noticed suspicious activity on your account&#8217; emails)<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.forbes.com\/sites\/emilybaker-white\/2022\/12\/22\/tiktok-tracks-forbes-journalists-bytedance\/\">TikTok Spied On Forbes Journalists \u2014 www.forbes.com\/\u2026<\/a><\/li>\n<li><a 
href=\"https:\/\/nakedsecurity.sophos.com\/2022\/12\/12\/pwn2own-toronto-54-hacks-63-new-bugs-1-million-in-bounties\/\">Pwn2Own Toronto: 54 hacks, 63 new bugs, $1 million in bounties \u2014 nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li>Interestingly, no one even attempted to hack iPhones, Pixel Phones, or any of the major smart speakers, but it&#8217;s not clear if that&#8217;s because no one found reliable attacks, or because they are worth more on the grey\/black market<\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1e6;&#x1f1fa; The Australian e-Safety Commissioner has criticised Microsoft &amp; Apple for not doing enough to fight CSAM on their platforms \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/12\/15\/apple-slammed-for-not-doing-enough-to-prevent-csam-distribution\">appleinsider.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/appleinsider.com\/articles\/22\/12\/21\/uk-says-sharing-netflix-passwords-could-be-illegal\">UK says sharing Netflix passwords could be illegal \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Bart:<\/strong> <a href=\"https:\/\/www.cultofmac.com\/799508\/jellycar-worlds-squishy-physics-driving-game-apple-arcade\/\">Squishy physics makes JellyCar Worlds like no other driving game \u2014 www.cultofmac.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td 
align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
&#x1f1fa;&#x1f1f8; Apple have released their opt-in new Advanced Data Protection for iCloud , but only in the US for now \u2014 appleinsider.com\/\u2026 At least initially, enabling ADP could complicate the setup of new devices [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"quote","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[5620,46,5627,4722,233,2079,50,73,5625,5626,1968],"class_list":["post-27526","post","type-post","status-publish","format-quote","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-advanced-data-protection","tag-apple","tag-checkmark","tag-csam","tag-microsoft","tag-patch","tag-security","tag-twitter","tag-validation","tag-verification","tag-zero-day","post_format-post-format-quote"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=27526"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27526\/revisions"}],"predecessor-version":[{"id":27528,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27526\
/revisions\/27528"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=27526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=27526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=27526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}