{"id":27779,"date":"2023-02-05T11:46:53","date_gmt":"2023-02-05T19:46:53","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=27779"},"modified":"2023-02-06T06:23:32","modified_gmt":"2023-02-06T14:23:32","slug":"sb-2023-02-05","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2023\/02\/sb-2023-02-05\/","title":{"rendered":"Security Bits \u2014 5 Feb 2023"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/23\/01\/31\/anker-admits-that-eufy-cameras-were-never-encrypted\">Anker admits that Eufy cameras were never encrypted \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>Apple have released their support for hardware Fido tokens for iCloud 2FA \u2014 <a href=\"https:\/\/sixcolors.com\/post\/2023\/01\/apple-id-security-key-support-added-in-ios-16-3-macos-13-2\/\">sixcolors.com\/\u2026<\/a>\n<ul>\n<li><strong>Editorial by Bart:<\/strong> remember that this feature comes with a loss of convenience, and is not intended for universal use, but for those who are especially at risk. 
You need at least 2 hardware tokens, you need all your devices on the latest OSes, and you can&#8217;t use iCloud for Windows at the moment<\/li>\n<li>If you want to go ahead anyway, these might be useful: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/how-to-protect-your-apple-id-account-with-security-keys-on-iphone-ipad-or-mac\/\">How to protect your Apple ID account with Security Keys on iPhone, iPad, or Mac &#8211; The Mac Security Blog \u2014 www.intego.com\/\u2026<\/a> &amp; <a href=\"https:\/\/appleinsider.com\/inside\/ios-16\/best\/five-best-security-keys-for-ios-163\">Five best security keys for iOS 16.3 \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>GitHub have added the ability to add social media links to your profile, and if you add Mastodon links here, then links to your GitHub on Mastodon will validate &#x1f600; \u2014 <a href=\"https:\/\/hachyderm.io\/@derekprior\/109790473003989772\">@derekprior@hachyderm.io on Mastodon<\/a><\/li>\n<\/ul>\n<h2>Deep Dive \u2014 A Vulnerability in KeePass? 
It&#8217;s Complicated<\/h2>\n<p>Officially, there is a vulnerability in KeePass (it has a CVE number), but the open source project team are disputing this classification; they literally say it&#8217;s a feature not a bug!<\/p>\n<p>If you can write to a user&#8217;s KeePass settings file, you can add an event handler that can silently do anything with the data in a vault when the user unlocks it, including automatically stealing the entire contents!<\/p>\n<p>Security researchers argue this is a vulnerability in something like a password manager, but the KeePass team argue that if baddies have write access to your files, you&#8217;re in bigger trouble anyway, so this is not actually a bug, and besides, event handlers are a cool feature that let geekier users do fun things.<\/p>\n<p>The feature can be disabled globally on a computer by editing a master XML file in the application&#8217;s installation directory, which is the kind of thing corporations might want to roll out with MDM\/Group Policy Objects.<\/p>\n<p>5 years ago I think I&#8217;d have sided with the KeePass developers \u2014 on traditional desktop OSes, once an attacker got to run code as you they could do anything, so all bets were off, so this wouldn&#8217;t really give them anything they couldn&#8217;t get with a key logger. The security perimeter was the user account, so if baddies got in they got in, and that was that.<\/p>\n<p>That&#8217;s still true on many desktop OSes in use today, but it&#8217;s not true anymore on modern versions of macOS, where a new layered approach is taken: it&#8217;s not so much a castle and a moat as a security onion. 
There isn&#8217;t one security perimeter, but many \u2014 getting your code to execute doesn&#8217;t get you automatic access to a whole load of important information anymore on the Mac \u2014 each of those security prompts apps need to ask you for when you first run them reveals one of these new perimeters; they include:<\/p>\n<ol>\n<li>Permission to access the Documents and Desktop folders<\/li>\n<li>Permission to access Contacts<\/li>\n<li>Permission to access Photos<\/li>\n<li>And most importantly for this discussion \u2014 permission for <em>assistive technologies<\/em>, which includes access to keyboard events.<\/li>\n<\/ol>\n<p>This means that on a Mac, baddies can&#8217;t just install a key logger the moment they get into your account; they need to bypass additional controls before they can do that. This means that <strong>on a Mac<\/strong>, by default, <strong>anything you save in KeePass is more exposed than items saved in other password managers and the KeyChain<\/strong>.<\/p>\n<p>It is true that you really don&#8217;t want baddies accessing your user account on your Mac, but it&#8217;s also true that when bad stuff happens, every layer of defence limits the damage, so if I were a KeePass user I would be disabling this feature, and to be honest, the lax attitude the developers are showing to security would give me real pause. I think I would probably be looking at alternatives <strong>before<\/strong> something terrible happened. 
The attitude from the KeePass team would be entirely appropriate for other container-like apps such as EverNote, but secure vaults need to meet a higher bar <strong>IMO<\/strong>; their default configuration should be as secure as possible, and <strong>this kind of power feature<\/strong> used by only a tiny percentage of users <strong>should be opt-in<\/strong>, with appropriate warnings about the security implications, not on-by-default.<\/p>\n<h3>Links<\/h3>\n<p>A clear and appropriately nuanced description of the issue: <a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/02\/01\/password-stealing-vulnerability-reported-in-keypass-bug-or-feature\/\">Password-stealing \u201cvulnerability\u201d reported in KeePass \u2013 bug or feature? \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/p>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>&#x1f9ef;<a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/02\/03\/openssh-fixes-double-free-memory-bug-thats-pokable-over-the-network\/\">OpenSSH fixes double-free memory bug that\u2019s pokable over the network \u2014 nakedsecurity.sophos.com\/\u2026<\/a> (Patched, and, at least for now, not actually exploitable)<\/li>\n<li>Apple have patched just about all their OSes \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/01\/24\/apple-patches-are-out-old-iphones-get-an-old-zero-day-fix-at-last\/\">nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/23\/01\/23\/apple-gives-some-older-iphones-os-updates-going-back-to-iphone-5s\">Apple gives some older iPhones OS updates, going back to iPhone 5s \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>&#x1f9ef;<a 
href=\"https:\/\/nakedsecurity.sophos.com\/2023\/01\/25\/goto-admits-customer-cloud-backups-stolen-together-with-decryption-key\/\">GoTo admits: Customer cloud backups stolen together with decryption key \u2014 nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li>The announcement was again missing important details, so again, we have to assume the worst &#x1f641;<\/li>\n<li>Naked Security recommend: change passwords, re-set 2FA (including generating new backup codes), and if using SMS-based 2FA, switch to app-based.<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/01\/31\/github-code-signing-certificates-stolen-but-will-be-revoked-this-week\/\">GitHub code-signing certificates stolen (but will be revoked this week) \u2014 nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li>The keys were encrypted, so it&#8217;s not nearly as bad as it sounds<\/li>\n<li><strong>These are the keys used to sign the GitHub app; this has nothing to do with GitHub accounts<\/strong>!<\/li>\n<li>If you didn&#8217;t get the app update before the keys were revoked, auto-update will fail, so you&#8217;ll need to re-install the app.<\/li>\n<li>This is evidence of GitHub&#8217;s defences working as intended, not evidence of any kind of negligence!<\/li>\n<\/ul>\n<\/li>\n<li>Don&#8217;t put AirTags on your pets, it could literally kill them \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/23\/01\/31\/heres-why-you-dont-put-an-airtag-on-your-dogs-collar\">Here&#8217;s why you don&#8217;t put an AirTag on your dog&#8217;s collar \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/appleinsider.com\/articles\/23\/01\/24\/us-sues-google-over-digital-ad-market-monopoly\">US sues Google over digital ad market monopoly \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; &#x1f1f3;&#x1f1f1; &#x1f1e9;&#x1f1ea; <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2023\/01\/27\/hive-ransomware-servers-shut-down-at-last-says-fbi\/\">Hive ransomware servers shut down at last, says FBI \u2014 nakedsecurity.sophos.com\/\u2026<\/a> (International operation in cooperation with Dutch &amp; German law enforcement)<\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.macstories.net\/news\/apple-offers-educational-resources-for-data-privacy-day\/\">Apple Offers Educational Resources for Data Privacy Day \u2014 www.macstories.net\/\u2026<\/a> (The video is particularly nice \u2014 short and fun, yet information rich)<\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>&#x1f3a9; A simply superb pair of articles by Glenn Fleishman:\n<ul>\n<li><a href=\"https:\/\/tidbits.com\/2023\/01\/27\/is-your-future-distributed-welcome-to-the-fediverse\/\">Is Your Future Distributed? Welcome to the Fediverse! 
\u2014 tidbits.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/tidbits.com\/2023\/01\/27\/mastodon-a-new-hope-for-social-networking\/\">Mastodon: A New Hope for Social Networking \u2014 tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Just Because it&#8217;s Cool &#x1f60e;<\/h2>\n<aside class=\"small-aside\">Stories that are not important, that don&#8217;t require you to do anything, and that you don&#8217;t even have to worry about.<\/aside>\n<ul>\n<li>Google has quietly been rolling out a 15-year-old idea for improving DNS security, using randomised case to add entropy and make cache poisoning much more difficult \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/01\/23\/serious-security-how-deliberate-typos-might-improve-dns-security\/\">nakedsecurity.sophos.com\/\u2026<\/a> (Note this is a stop-gap measure until all authoritative DNS servers support at least one secure protocol like DNSSEC or DNS-over-HTTPS)<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>A pair of related web-APIs designed to be accessed from the Terminal with the <code>curl<\/code> command (makes HTTP requests from the terminal):\n<ul>\n<li><strong>From Allison:<\/strong> Examples showing the use of the free <a href=\"https:\/\/github.com\/chubin\/wttr.in\">wttr.in web API<\/a> to get weather data in the terminal: <a href=\"https:\/\/mastodon.social\/@nixCraft\/109797146360973415\">nixCraft &#x1f427; on Mastodon (mastodon.social\/\u2026)<\/a>\n<ul>\n<li><strong>Bonus Tip:<\/strong> Follow <a href=\"https:\/\/mastodon.social\/@nixCraft\">@nixCraft@mastodon.social<\/a>, they post great nerdy stuff!<\/li>\n<li><strong>Extra Bonus Tip:<\/strong> We used this API from JavaScript in Programming by Stealth: <a href=\"https:\/\/pbs.bartificer.net\/pbs80\">PBS 80 of X \u2013 JavaScript Promise Chains \u2014 
pbs.bartificer.net\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><strong>From Bart:<\/strong> <a href=\"https:\/\/appleinsider.com\/articles\/22\/12\/07\/how-to-use-cheatsh-in-macos-terminal\">How to use cheat.sh in macOS Terminal \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to; when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Anker admits that Eufy cameras were never encrypted \u2014 appleinsider.com\/\u2026 Apple have released their support for hardware Fido tokens for iCloud 2FA \u2014 sixcolors.com\/\u2026 Editorial by Bart: remember that this feature comes with a [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[5681,50,569,2003,4586],"class_list":["post-27779","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-keepass","tag-security","tag-security-bits","tag-vulnerabilities","tag-vulnerability"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"
author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=27779"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27779\/revisions"}],"predecessor-version":[{"id":27785,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27779\/revisions\/27785"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=27779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=27779"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=27779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}