{"id":29782,"date":"2023-11-12T13:00:11","date_gmt":"2023-11-12T21:00:11","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=29782"},"modified":"2023-11-12T17:43:03","modified_gmt":"2023-11-13T01:43:03","slug":"sb-2023-11-12","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2023\/11\/sb-2023-11-12\/","title":{"rendered":"Security Bits \u2014 12 November 2023"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Attackers continue to succeed in getting Google to host their malicious ads: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-ads-push-malicious-cpu-z-app-from-fake-windows-news-site\/\">Google ads push malicious CPU-Z app from fake Windows news site \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>A final twist in the SolarWinds mega-hack saga: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/sec-sues-solarwinds-for-misleading-investors-before-2020-hack\/\">SEC sues SolarWinds for misleading investors before 2020 hack \u2014 www.bleepingcomputer.com\/\u2026<\/a> (SEC is the <em>Securities &amp; Exchange Commission<\/em>)<\/li>\n<li>The scourge of spying tools like the NSO Group&#8217;s infamous Pegasus continues: <a href=\"https:\/\/appleinsider.com\/articles\/23\/10\/31\/apple-sends-iphone-threat-alerts-to-india-opposition-politicians\">Apple sends iPhone threat alerts to India opposition politicians \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive(s)<\/h2>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/thehackernews.com\/2023\/11\/qnap-releases-patch-for-2-critical.html\">QNAP Releases Patch for 2 Critical Flaws 
Threatening Your NAS Devices \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li>If, despite Allison&#8217;s warnings about their past security track record, you&#8217;re using Wyze cameras, be sure they are fully patched, because researchers have released a Proof-of-Concept exploit for a vulnerability Wyze patched on the 22nd of October \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/rce-exploit-for-wyze-cam-v3-publicly-released-patch-now\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>One of the most famous hotels in the world has had a spectacularly large breach: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/marina-bay-sands-discloses-data-breach-impacting-665-000-customers\/\">Marina Bay Sands discloses data breach impacting 665,000 customers \u2014 www.bleepingcomputer.com\/\u2026<\/a> (Affected their MBS loyalty program, and no passwords or payment cards were leaked, so the big danger is targeted phishing)<\/li>\n<li>A timely reminder that whenever something is in the news, someone will try to abuse that publicity to make a quick buck: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-and-google-host-fake-xai-grok-chat-bot-apps-in-their-app-stores\/\">Apple and Google host fake xAI Grok chat-bot apps in their App Stores \u2014 www.intego.com\/\u2026<\/a> (<strong>Editorial by Bart:<\/strong> it&#8217;s a shame Apple consider Trade Mark infringement a non-security issue, and don&#8217;t prevent it in app review, leaving it to the trademark owner to complain instead.)<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>The <em>Forum of Incident Response and Security Teams<\/em> (FIRST) have released the spec for version 4 of their CVSS vulnerability scoring system; the new version aims to tweak the scoring system to better reflect 
modern threats and help security teams triage vulnerabilities \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-cvss-40-vulnerability-severity-rating-standard-released\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li><strong>Editorial by Bart:<\/strong> when you hear things like <em>critical bug<\/em>, those are not arbitrary terms, they come from the CVSS scoring system, so <em>critical<\/em> actually means a CVSS score of 9.0 or greater (the scale goes from zero to 10)<\/li>\n<\/ul>\n<\/li>\n<li>Microsoft have launched a new company-wide security drive they&#8217;ve dubbed their <em>Secure Future Initiative<\/em> \u2014 <a href=\"https:\/\/www.helpnetsecurity.com\/2023\/11\/03\/microsoft-security-initiative\/\">www.helpnetsecurity.com\/\u2026<\/a> (<a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2023\/11\/02\/secure-future-initiative-sfi-cybersecurity-cyberattacks\/\">Microsoft&#8217;s announcement<\/a>)\n<ul>\n<li><strong>Editorial by Bart:<\/strong> these kinds of things are often more PR sparkle than real change, so I was very skeptical, but even in just the last week we&#8217;ve seen substantive changes happening, so I&#8217;ve shifted to <em>cautiously optimistic<\/em><\/li>\n<li>To make the anti-Microsoft case, at least one of the announcements in a blog post launching the initiative reeks of spin \u2014 Microsoft will start to store all signing keys in Hardware Security Modules (HSMs, think <em>Secure Enclave<\/em>s for data centres). They should already have been doing this, and the fact that they weren&#8217;t led to the Chinese government successfully hacking some US government Office365 accounts last year. 
In my opinion, the correct response here is <em>finally<\/em>, not <em>well done<\/em>!<\/li>\n<li>\n<p><strong>Related Concrete news:<\/strong><\/p>\n<\/li>\n<li>Microsoft are adding base-line secure-by-default MFA policies into Office365 tenancies so that unless organisations proactively downgrade their settings, all Office365 tenancies will be protected by strong MFA soon \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-will-roll-out-mfa-enforcing-policies-for-admin-portal-access\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>Microsoft have added some very clever new AI-driven logic to prevent attackers from spamming users with MFA push notifications in the Microsoft Authenticator app \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-authenticator-now-blocks-suspicious-mfa-alerts-by-default\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>Starting with the next release of Windows 11, enabling file and print sharing won&#8217;t open the legacy SMB 1 ports anymore (137, 138 &amp; 139), it will only open the modern, more secure port 445 \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-drops-smb1-firewall-rules-in-new-windows-11-build\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\n<p>Some nice security enhancements from Google:<\/p>\n<ul>\n<li>Google Chrome now automatically tries to upgrade insecure HTTP connections to secure HTTPS ones, only falling back to HTTP when HTTPS fails \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/google\/google-chrome-now-auto-upgrades-to-secure-connections-for-all-users\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-play-adds-security-audit-badges-for-android-vpn-apps\/\">Google Play adds security audit badges for Android VPN apps \u2014 www.bleepingcomputer.com\/\u2026<\/a> (apps must be independently audited against 
the <a href=\"https:\/\/appdefensealliance.dev\/masa\">Mobile App Security Assessment, or MASA standard<\/a>)<\/li>\n<\/ul>\n<\/li>\n<li>Meta&#8217;s attempts to avoid changing their business model despite the GDPR have taken another turn \u2014 the <em>European Data Protection Board<\/em> has upheld a July ruling by the Norwegian Data Protection Commissioners which found that Meta&#8217;s current user consent processes for targeted ads do not comply with the GDPR, and the Irish Data Protection Commissioners have been ordered to direct Meta to stop using targeted ads on Facebook and Instagram in Europe \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/technology\/meta-faces-eu-ban-on-facebook-instagram-targeted-advertising\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/thehackernews.com\/2023\/10\/meta-launches-paid-ad-free-subscription.html\">Meta Launches Paid Ad-Free Subscription in Europe to Satisfy Privacy Laws \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> Google has joined forces with EU cellphone carriers to pressure the European Commission into designating iMessage a <em>Gatekeeper<\/em> in an attempt to force Apple to open the iMessage protocol for 3rd-party interoperability \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/23\/11\/08\/google-now-tries-getting-eu-to-force-open-imessage\">appleinsider.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/appleinsider.com\/articles\/23\/11\/08\/apple-admits-third-party-app-stores-in-europe-are-inevitable\">Apple admits third-party App Stores in Europe are inevitable \u2014 appleinsider.com\/\u2026<\/a> (in a US financial filing)<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ftc-orders-non-bank-financial-firms-to-report-breaches-in-30-days\/\">FTC orders non-bank financial firms to report breaches in 30 days \u2014 www.bleepingcomputer.com\/\u2026<\/a> 
(FTC is the <em>Federal Trade Commission<\/em>)<\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2023\/11\/whatsapp-introduces-new-privacy-feature.html\">WhatsApp Introduces New Privacy Feature to Protect IP Address in Calls \u2014 thehackernews.com\/\u2026<\/a> (Calls get routed through Meta&#8217;s servers, but that&#8217;s safe thanks to End-to-End encryption)<\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li>In iOS 17 you can configure regular tabs to have protections previously only available in private tabs: <a href=\"https:\/\/www.macobserver.com\/tips\/how-to\/enable-advanced-tracking-and-fingerprinting-protection-for-normal-browsing-ios-17\/\">How to Enable Advanced Tracking and Fingerprinting Protection for Normal Browsing on iOS 17 \u2014 www.macobserver.com\/\u2026<\/a> (Same feature is available in Safari on macOS Sonoma under <strong>Settings \u2192 Advanced<\/strong>)<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><a href=\"https:\/\/shows.acast.com\/know-a-little-more\/episodes\/about-alohanet\">Know a Little More about ALOHAnet \u2014 shows.acast.com\/\u2026<\/a> (ALOHAnet is the precursor to Ethernet, and its innovations continue to power our networks today)<\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to; when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a 
podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em><\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
Attackers continue to succeed in getting Google to host their malicious ads: Google ads push malicious CPU-Z app from fake Windows news site \u2014 www.bleepingcomputer.com\/\u2026 A final twist in the SolarWinds mega-hack saga: SEC [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,1,214],"tags":[],"class_list":["post-29782","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-podcasts","category-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/29782","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=29782"}],"version-history":[{"count":6,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/29782\/revisions"}],"predecessor-version":[{"id":29794,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/29782\/revisions\/29794"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=29782"}],
"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=29782"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=29782"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}