{"id":30928,"date":"2024-04-28T12:08:18","date_gmt":"2024-04-28T19:08:18","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=30928"},"modified":"2024-04-28T12:08:18","modified_gmt":"2024-04-28T19:08:18","slug":"sb-2024-04-28","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2024\/04\/sb-2024-04-28\/","title":{"rendered":"Security Bits \u2014 28 April 2024"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Glenn Fleishman outlines some ways in which Google&#8217;s <em>Find My Device<\/em> network is actually a little more privacy-preserving than Apple&#8217;s <em>Find My<\/em> network (and one nasty sting in the tail that makes it a lot worse &#8211; to use the network at all, you <strong>must<\/strong> tell Google your home address) \u2014 <a href=\"https:\/\/tidbits.com\/2024\/04\/17\/google-raises-privacy-bar-with-its-crowdsourced-tracking-service\/\">tidbits.com\/\u2026<\/a><\/li>\n<li>Attackers continue to target developers:\n<ul>\n<li>Bogus interviews that trick developers into installing malicious coding libraries as <em>&#8216;coding tests&#8217;<\/em> are becoming ever more common; this week it&#8217;s NPM packages, but other repositories have been abused similarly in recent months \u2014 <a href=\"https:\/\/thehackernews.com\/2024\/04\/bogus-npm-packages-used-to-trick.html\">thehackernews.com\/\u2026<\/a><\/li>\n<li>Attackers have found a novel way to trick GitHub into storing malicious files for them at URLs that belong to a genuinely reputable repo \u2013 start a comment in the victim repo, attach the malicious file, copy the URL from the preview, then just abandon the comment and never submit it; the file is not cleaned up, and its URL has the victim&#8217;s repo at its base \u2014 <a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/github-comments-abused-to-push-malware-via-microsoft-repo-urls\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>The popular open-source GitHub clone GitLab has the same vulnerability too \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/gitlab-affected-by-github-style-cdn-flaw-allowing-malware-hosting\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Microsoft is joining Google in making changes to fight the volume of spam out there: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-will-limit-exchange-online-bulk-emails-to-fight-spam\/\">Microsoft will limit Exchange Online bulk emails to fight spam \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 The US government is continuing to crack down on grey-hat spyware companies like the NSO Group: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/us-imposes-visa-bans-on-13-spyware-makers-and-their-families\/\">US imposes visa bans on 13 spyware makers and their families \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 The US Federal Trade Commission (FTC) is continuing to punish privacy invaders: <a href=\"https:\/\/thehackernews.com\/2024\/04\/ftc-fines-mental-health-startup.html\">FTC Fines Mental Health Startup Cerebral $7 Million for Major Privacy Violations \u2014 thehackernews.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> The FTC is starting to send the 117,044 American Ring Video Doorbell customers whose private videos were illegally accessed by Amazon staff or contractors their share of the $5.6M settlement they reached with Amazon \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ring-customers-get-56-million-in-privacy-breach-settlement\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 An Interesting Insight from the Kaiser Permanente 
&#8216;Data Breach&#8217;<\/h2>\n<p>It was big news this week when the large US not-for-profit healthcare organisation <a href=\"https:\/\/about.kaiserpermanente.org\/who-we-are\/fast-facts\">Kaiser Permanente<\/a> reported what it described as a data breach affecting 13.4 million patients \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/kaiser-permanente-data-breach-may-impact-134-million-patients\/\">www.bleepingcomputer.com\/\u2026<\/a>.<\/p>\n<p>Firstly, as data breaches go, this is very mild \u2014 their website had the normal tracking cookies just about every major news site has on it, and because they are a healthcare provider and a non-profit, they consider business-as-usual on the internet a data breach!<\/p>\n<p>If you used the Kaiser Permanente website, then you were tracked by Google, Meta, etc., and they know you are a user of Kaiser Permanente&#8217;s services. I don&#8217;t live in the US, but if I did, this would make me more likely to choose them over a for-profit provider because:<\/p>\n<ol>\n<li>The use of the trackers was flagged and remediated by entirely internal processes<\/li>\n<li>They chose to be very open about this very minor loss of privacy when they could easily have done the absolute bare minimum required by law and moved on.<\/li>\n<\/ol>\n<p>So, this story is not in these show notes because of what it says about Kaiser Permanente; it&#8217;s here because of what it says we, as a global community, now consider normal. Just about every major news site on the internet is invading our privacy <strong>more<\/strong> than this data breach. 
Even supposed stalwarts of liberal democracy, and supposedly <em>&#8216;woke extremists&#8217;<\/em> like the New York Times are breaching our data worse than this each and every day!<\/p>\n<p>I don&#8217;t know how this toxic business model ends, but I sure hope it does!<\/p>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys\/\">PuTTY SSH client flaw allows recovery of cryptographic private keys \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Canadian civil rights research group Citizen Lab has released a report detailing how literally billions of custom Chinese-language keyboards for iOS and Android are phoning home to the Chinese government \u2014 <a href=\"https:\/\/citizenlab.ca\/2024\/04\/vulnerabilities-across-keyboard-apps-reveal-keystrokes-to-network-eavesdroppers\/\">citizenlab.ca\/\u2026<\/a><\/li>\n<li>Another reminder of why you can&#8217;t keep using out-of-support network-connected devices, and why you need to keep your devices patched: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers\/\">Multiple botnets exploiting one-year-old TP-Link flaw to hack routers \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>LastPass are warning that there&#8217;s a sophisticated phishing campaign underway targeting people known to hold a lot of cryptocurrency by posing as LastPass staff \u2014 <a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cybercriminals-pose-as-lastpass-staff-to-hack-password-vaults\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>Another reminder of why password re-use is bad, and MFA\/2FA is important: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/roku-leaks-576000-accounts-its-second-data-breach-of-2024\/\">Roku leaks 576,000 accounts\u2014its second data breach of 2024 \u2014 www.intego.com\/\u2026<\/a> (Another <em>credential stuffing<\/em> attack)<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/arstechnica.com\/tech-policy\/2024\/04\/cops-can-force-suspect-to-unlock-phone-with-thumbprint-us-court-rules\/\">Cops can force suspect to unlock phone with thumbprint, US court rules \u2014 arstechnica.com\/\u2026<\/a> (Only a thumbprint because it doesn&#8217;t require any thought)\n<ul>\n<li><strong>Editorial by Bart:<\/strong> I agree with John Gruber that the best response to this is not to stop using Touch ID, but to internalise the squeeze &amp; hold gesture to disable biometrics on iPhones \u2014 <a href=\"https:\/\/daringfireball.net\/linked\/2024\/04\/18\/police-touch-id\">daringfireball.net\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 \ud83c\udde8\ud83c\uddf3 Turbulent times for TikTok in the US \u2014 A bill requiring their Chinese owners, ByteDance, to sell the company within 9 months (or one year if the President grants an optional 3-month extension), or be removed from the US app stores:\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/24\/04\/24\/biden-signs-tiktok-bill-into-law-as-chinese-firm-threatens-legal-action\">Biden signs TikTok bill into law as Chinese firm threatens legal action \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/24\/04\/26\/bytedance-would-rather-shut-down-us-tiktok-than-sell-it\">ByteDance would rather shut down US TikTok than sell it \u2014 
appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/fortune.com\/2024\/04\/15\/tiktok-china-data-sharing-bytedance-project-texas\/\">Some ex-TikTok employees say the social media service worked closely with its China-based parent despite claims of independence \u2014 fortune.com\/\u2026<\/a><\/li>\n<li>An interesting related story: <a href=\"https:\/\/www.macobserver.com\/news\/apple-forced-to-pull-whatsapp-and-threads-from-china-app-store\/\">Apple Forced to Pull WhatsApp and Threads from China App Store \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/play.acast.com\/s\/know-a-little-more\/about-bytedance\">About ByteDance | Know a Little More by Tom Merritt<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Mixed news from Google:\n<ul>\n<li>\ud83d\ude41 <a href=\"https:\/\/thehackernews.com\/2024\/04\/google-postpones-third-party-cookie.html\">Google Postpones Third-Party Cookie Deprecation Amid U.K. Regulatory Scrutiny \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li>\ud83d\ude42 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-meet-opens-client-side-encrypted-calls-to-non-google-users\/\">Google Meet opens client-side encrypted calls to non Google users \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Meta have announced that passkey support is on its way to WhatsApp on iOS \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/whatsapp-finally-rolls-out-passkeys-support-for-iphones\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/appleinsider.com\/articles\/24\/04\/25\/fcc-votes-to-restore-net-neutrality-protections-in-the-united-states\">FCC votes to restore net neutrality protections in the United States \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 Colorado has expanded its existing privacy law protecting biometrics to also include brain wave data \u2014 <a 
href=\"https:\/\/arstechnica.com\/tech-policy\/2024\/04\/colorado-privacy-law-first-to-safeguard-brain-activity-data\/\">arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li>The untimely death of fellow Mac podcaster and wonderful human being Charles Edge is a timely reminder that we all need to prepare our digital legacies for the sake of our loved ones when we&#8217;re gone: <a href=\"https:\/\/tidbits.com\/2024\/04\/26\/preparing-for-the-unthinkable-a-brief-guide-to-digital-legacy-planning\/\">Preparing for the Unthinkable: A Brief Guide to Digital Legacy Planning \u2014 tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Allison via Steve Mattan on <a href=\"https:\/\/podfeet.com\/slack\">our Slack<\/a><\/strong>:\n<ul>\n<li><a href=\"https:\/\/poginate.github.io\/blog\/2014\/10\/06\/douglas-adams-and-javascript\/\">Douglas Adams and JavaScript &#8211; Nate Dickson \u2014 poginate.github.io\/\u2026<\/a> (<strong>Note from Bart:<\/strong> if you get this, you get bonus PBS geek points \ud83e\udd13\ud83d\ude09)<\/li>\n<\/ul>\n<\/li>\n<li><strong>From Bart:<\/strong>\n<ul>\n<li>A long read, but utterly worth it: <a href=\"https:\/\/www.theverge.com\/c\/24070570\/internet-cables-undersea-deep-repair-ships\">The invisible seafaring industry that keeps the internet afloat \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<li>\ud83c\udfa6 A fascinating video from Bertrand Serlet (former Apple VP of Engineering of <em>&#8220;Redmond, start your photocopiers&#8221;<\/em> fame): <a href=\"https:\/\/www.youtube.com\/watch?v=QwtyIDmhxh4\">WHY AI Works \u2014 www.youtube.com\/\u2026<\/a><\/li>\n<li>\ud83c\udfa7 One of my pet peeves is people 
who pervert one of the few success stories that show that we actually can all get together and mitigate a foreseeable problem, the Y2K bug, into an example of why we should do the opposite and not <em>&#8216;overreact&#8217;<\/em> \u2013 don&#8217;t take my word for it; let the Malicious Life podcast walk you through the story: <a href=\"https:\/\/overcast.fm\/+BCNCxLTYGM\">Malicious Life: The Y2K Bug, Part 1 \u2014 overcast.fm\/\u2026<\/a> &amp; <a href=\"https:\/\/overcast.fm\/+BCNCyABw3o\">Malicious Life: The Y2K Bug, Part 2 \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a 
<strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Glenn Fleishman outlines some ways in which Google&#8217;s Find My Device network is actually a little more privacy-preserving than Apple&#8217;s Find My network (and one nasty sting in the tail that makes it a [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[50,569,2003],"class_list":["post-30928","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-security","tag-security-bits","tag-vulnerabilities"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/30928","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"h
ttps:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=30928"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/30928\/revisions"}],"predecessor-version":[{"id":30931,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/30928\/revisions\/30931"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=30928"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=30928"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=30928"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}