{"id":31899,"date":"2024-09-15T13:24:01","date_gmt":"2024-09-15T20:24:01","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=31899"},"modified":"2024-09-15T13:24:01","modified_gmt":"2024-09-15T20:24:01","slug":"sb-2024-09-15","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2024\/09\/sb-2024-09-15\/","title":{"rendered":"Security Bits \u2014 15 September 2024"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Apple have decided to end their case against the NSO Group (authors of the infamous Pegasus spyware) because disclosure could do more harm to users than letting the NSO group off the hook \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/24\/09\/13\/apple-files-to-stop-nso-group-lawsuit-over-fears-of-data-leaks\">appleinsider.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/23andme-to-pay-30-million-in-genetics-data-breach-settlement\/\">23andMe to pay $30 million in genetics data breach settlement \u2014 www.bleepingcomputer.com\/\u2026<\/a> (Class action suit)<\/li>\n<li>Reminder, Apple&#8217;s promised changes to make iPhones easier to repair without triggering a boom in the market for stolen iPhone parts are happening: <a href=\"https:\/\/www.macobserver.com\/ios\/stolen-iphones-will-be-even-more-useless-from-ios-18-onwards\/\">Stolen iPhones Will Be Even More Useless From iOS 18 Onwards \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive \u2014 The Emerging Dark Side of PWAs<\/h2>\n<p>We\u2019ve not discussed <em>Progressive Web Apps<\/em>, or PWAs, in any kind of detail in this segment before because they\u2019ve been quite niche and not had much of an impact on the security of regular users. 
That\u2019s changing now, and not in a good way \ud83d\ude41<\/p>\n<p>While Allison was in Africa I mentioned a story about a malicious ad campaign on major sites targeting customers of major banks with fake requests to update their banking app, with the advice never to believe any kind of call to action from your bank from an ad \u2014 if your bank really needed you to do something to protect your account their chosen method of communication would not be an ad!<\/p>\n<p>I said to put a mental pin in that story and promised a deep dive when Allison was back, and here we are!<\/p>\n<p>The \u2018apps\u2019 those malicious ads were pushing were not full-on apps from some kind of App Store, nor were they links to some kind of side-loading request, they were links to Progressive Web Apps.<\/p>\n<h3>What are PWAs?<\/h3>\n<p>As their name may suggest, PWAs are web apps with some extra powers.<\/p>\n<p>At a technological level, they are just regular web apps written in HTML, CSS &amp; JavaScript that run online like any other web app, but they have an extra metadata file with instructions for how their code and resources can be cached on-device so they can be \u2018installed\u2019 on a device for use both on and offline. When they get installed their JavaScript gets access to extra APIs that allow them to save data locally and request access to resources on the device like the camera and microphone.<\/p>\n<p>From a user\u2019s point of view, they are using some kind of app on a website, and they get the option to save the app to their \u2018Home Screen\u2019, and when they do they get an icon that looks just like a real app. When they click on that icon they get the same app they had been using on a web page, but now full screen without any browser bits around it, and, they can use the app even when offline. They can also approve camera and microphone access, and those permissions stick, just like on a regular app.<\/p>\n<p>This can be really convenient for users. 
They get their favourite web app as something that behaves like a real app, and it just works!<\/p>\n<p>From a developer point of view, it offers an interesting middle ground between an app that is trapped in the browser and only works online, and a full-blown App Store app with review and all that setup. They can only write in HTML, CSS &amp; JavaScript; they can\u2019t use C++, Objective-C, Swift, Java, or any other \u2018real\u2019 programming languages. They also can\u2019t use the vast vast vast majority of Android, iOS, Windows, macOS, or Linux APIs, but they can get some of that functionality through generic PWA APIs with cross-platform support. But, the biggest appeal is the freedom from the onerous task of registering as a developer (I\u2019ve been through it; the proof of identity for yourself and your company is no joke, and there are fees), and, there is no app review between you and your users!<\/p>\n<h3>Where\u2019s the Danger?<\/h3>\n<p><strong>At a purely technical level, there is no vulnerability<\/strong> \u2014 all the OSes do a good job sandboxing PWAs, and Apple &amp; Google enforce all their normal permissions dialogues on PWAs.<\/p>\n<p>The problem lies with the squishy organic bit. Today, regular folk do not understand what a PWA is, and that leaves them exposed to social engineering attacks like those malicious ads mentioned at the start of this segment.<\/p>\n<p>Users know app stores vet apps, and they keep reading news stories about those evil anti-competitive gatekeepers locking developers of innocent games like Fortnite out of their stores, so they give things that look like apps more trust than they warrant.<\/p>\n<p>What a victim who falls for one of these malicious ads sees is an app on their Home Screen with their bank\u2019s logo that looks identical to their old app that the ad told them was out of date. 
When that app presents them with a familiar login screen, they don\u2019t think twice!<\/p>\n<p>Worse still, once a PWA is installed, there\u2019s no easy way for helpful family members to recognise the app for what it is \u2014 a website in disguise, and, there\u2019s no quick and easy way to see that disguised website\u2019s evil URL, so my standard \u2018look up\u2019 advice does not work.<\/p>\n<h3>Best Advice?<\/h3>\n<p>There is no easy answer, but I am warning non-techie family members not to follow any ad anywhere ever, and not to let any website add itself to their Home Screen without checking with me first.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-steal-banking-creds-from-ios-android-users-via-pwa-apps\/\">Hackers steal banking creds from iOS, Android users via PWA apps \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Patch Tuesday has been and gone yet again with 79 vulnerabilities patched, 7 of them critical, and 4 under active attack \u2014 <a href=\"https:\/\/isc.sans.edu\/diary\/rss\/31254\">isc.sans.edu\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-fixes-windows-smart-app-control-zero-day-exploited-since-2018\/\">Microsoft fixes Windows Smart App Control zero-day exploited since 2018 \u2014 www.bleepingcomputer.com\/\u2026<\/a> (lets attackers bypass the protections that should make users accept a warning before an executable downloaded from the web can run)<\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2024\/09\/bug-left-some-windows-pcs-dangerously-unpatched\/\">Bug Left Some Windows PCs Dangerously Unpatched \u2014 krebsonsecurity.com\/\u2026<\/a> (a bug in some version checking code left some devices falsely thinking they were fully 
patched when they weren&#8217;t)<\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-to-start-force-upgrading-windows-22h2-systems-next-month\/\">Microsoft to start force-upgrading Windows 22H2 systems next month \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/adobe-fixes-acrobat-reader-zero-day-with-public-poc-exploit\/\">Adobe fixes Acrobat Reader zero-day with public PoC exploit \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>Google have released their September Android security updates, fixing 34 vulnerabilities including one under active exploitation; if you can, patch ASAP \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-backports-fix-for-pixel-eop-flaw-to-other-android-devices\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>Reminder \u2014 restart all browsers not managed by OS updates daily so they get vital fixes: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-tags-a-tenth-chrome-zero-day-as-exploited-this-year\/\">Google tags a tenth Chrome zero-day as exploited this year \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/google\/google-increases-chrome-bug-bounty-rewards-up-to-250-000\/\">Google increases Chrome bug bounty rewards up to $250,000 \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>If you use the open-source multi-protocol messaging app Pidgin you need to read this: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/malware-infiltrates-pidgin-messengers-official-plugin-repository\/\">Malware infiltrates Pidgin messenger\u2019s official plugin repository \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>If you use an obsolete D-Link DIR-846W router, it&#8217;s got a critical vulnerability that is under active attack, 
and it won&#8217;t get the patch, so get it offline ASAP \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/d-link-says-it-is-not-fixing-four-rce-flaws-in-dir-846w-routers\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li><strong>Related<\/strong> \u2014 attacks on these kinds of known-vulnerable obsolete devices are commonplace now: <a href=\"https:\/\/thehackernews.com\/2024\/09\/quad7-botnet-expands-to-target-soho.html\">Quad7 Botnet Expands to Target SOHO Routers and VPN Appliances \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Be aware that sextortion scammers have adopted two new techniques in recent weeks \u2014 <strong>these emails remain scams based on false claims!<\/strong>\n<ul>\n<li>In addition to using leaked passwords to make their bogus claims more legit, attackers are now also using leaked physical addresses along with publicly available mapping imagery to add a photo of your actual home\/front yard to their emails \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2024\/09\/sextortion-scams-now-include-photos-of-your-home\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Attackers are now using leaked data to include actual names in false claims that a victim&#8217;s spouse is cheating on them \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/sextortion-scam-now-use-your-cheating-spouses-name-as-a-lure\/\">www.bleepingcomputer.com\/\u2026<\/a> (Due to typos in some of the names observed in the campaign, there is a strong suspicion the source of the data is the wedding planning site <em>The Knot<\/em>)<\/li>\n<\/ul>\n<\/li>\n<li>Beware! 
Attackers have found another way to attack the open source community: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/github-comments-abused-to-push-password-stealing-malware-masked-as-fixes\/\">GitHub comments abused to push password stealing malware masked as fixes \u2014 www.bleepingcomputer.com\/\u2026<\/a> (<strong>TL;DR<\/strong> \u2014 don&#8217;t run any commands you don&#8217;t understand, even if they come from a comment on the GitHub project for the software\/code library you&#8217;re currently struggling with)<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>It seems that, at least on Android (we don&#8217;t know if there&#8217;s any effect on Windows), ad company Cox Media Group who work with big companies like Facebook had a product that injected audio bugs (eavesdropping code) into ads \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/24\/09\/03\/facebook-ad-partner-may-have-tried-to-listen-into-your-conversations\">appleinsider.com\/\u2026<\/a>\n<ul>\n<li>The feature was branded <em>Active Listening<\/em> and advertised in a PowerPoint deck for potential customers under the heading <em>&#8220;The power of voice (and our devices&#8217; microphones)&#8221;<\/em><\/li>\n<li>The bullets under that heading went on to promise <em>&#8220;Smart devices capture real-time intent data by listening to our conversations&#8221;<\/em> \u2026 <em>&#8220;advertisers can pair this voice-data with behavioural data to target in-market customers&#8221;<\/em> \ud83d\ude31<\/li>\n<li>These kinds of things are not possible on iOS or macOS due to how camera and microphone access is gated by permission dialogues<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddea\ud83c\uddfa \ud83c\uddf3\ud83c\uddf1 The Dutch data protection authority (<em>Autoriteit Persoonsgegevens<\/em>) has fined two major companies for breaching the GDPR:\n<ul>\n<li>Uber (for a third time), this time for \u20ac290M (~$325M) for moving data on EU users to the US without putting the proper data 
protection processes in place \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/legal\/uber-fined-325-million-for-moving-driver-data-from-europe-to-us\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>Clearview AI for \u20ac30.5M (~$34M) for collecting photos of Dutch citizens and using them for biometric profiles without consent \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/legal\/clearview-ai-fined-305-million-by-dutch-dpa-for-unlawful-data-collection\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddea\ud83c\uddfa \ud83c\uddee\ud83c\uddea <a href=\"https:\/\/thehackernews.com\/2024\/09\/irelands-watchdog-launches-inquiry-into.html\">Ireland&#8217;s Watchdog Launches Inquiry into Google&#8217;s AI Data Practices in Europe \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/wordpressorg-to-require-2fa-for-plugin-developers-by-october\/\">WordPress.org to require 2FA for plugin developers by October \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>Another legacy technology beloved by cybercriminals is going away: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-office-2024-to-disable-activex-controls-by-default\/\">Microsoft Office 2024 to disable ActiveX controls by default \u2014 www.bleepingcomputer.com\/\u2026<\/a> \ud83c\udf89<\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>Adversary in the Middle (AiTM) is now available as <em>Malware-as-a-Service<\/em> and it is one of the most effective attacks I see in the real world at the minute \u2014  this post is written by a vendor so the last 20% is an ad, but the first 80% is a superb explanation of how AiTM works and will help everyone stay on guard: <a href=\"https:\/\/thehackernews.com\/2024\/08\/how-to-stop-aitm-phishing-attack.html?m=1\">How AitM Phishing 
Attacks Bypass MFA and EDR\u2014and How to Fight Back \u2014 thehackernews.com\/\u2026<\/a> (<strong>TL;DR<\/strong> \u2014 the most effective advice remains to always check the address bar before doing any kind of authentication)<\/li>\n<li><a href=\"https:\/\/www.wired.com\/story\/apple-private-cloud-compute-ai\/\">Apple Intelligence Promises Better AI Privacy. Here\u2019s How It Actually Works \u2014 www.wired.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>Apple have released a detailed academic paper outlining their safety testing of Apple Intelligence; the paper itself is not accessible to regular folk, but this is an excellent overview: <a href=\"https:\/\/www.cultofmac.com\/news\/apple-foundation-model\">Apple shows why it\u2019s ahead in AI, not behind \u2014 www.cultofmac.com\/\u2026<\/a> (<strong>TL;DR<\/strong> \u2014 by putting a lot of effort into cleaning the training data, Apple&#8217;s models are functionally on par with the rest, but much safer; it seems to be more effective to stop models from learning dangerous things than to try to stop them blurting out dangerous things they have learned)<\/li>\n<li>\ud83c\udfa7 The arrest of the Telegram CEO is cybersecurity-adjacent but not quite in our bailiwick; if you want a well-informed, reasoned analysis, I can recommend this TED interview: <a href=\"https:\/\/overcast.fm\/+AAAAAQKIrik\">TED Talks Daily: The arrest of Telegram CEO Pavel Durov \u2013 and why you should care with Eli Pariser \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>Allison:<\/strong> <a href=\"https:\/\/mastodon.social\/@schizanon\/113139515962010517\">The hardest Problems in the Computer Science \u2014 
mastodon.social\/\u2026<\/a><\/li>\n<li><strong>Bart:<\/strong> \ud83c\udfa7 Season 2 of the BBC <a href=\"https:\/\/www.bbc.co.uk\/programmes\/m0022swq\">Uncharted podcast<\/a> with mathematician and STEM communicator extraordinaire Hannah Fry is out \u2014 my favourite episode features my favourite Irish woman in STEM Jocelyn Bell Burnell, and I hope this inspires lots of interested young girls to follow their hearts into STEM: <a href=\"https:\/\/overcast.fm\/+ABD0hnuSfyc\">Uncharted with Hannah Fry: 14. Whispers from the Cosmos \u2014 overcast.fm\/\u2026<\/a> <\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a 
<strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Apple have decided to end their case against the NSO Group (authors of the infamous Pegasus spyware) because disclosure could do more harm to users than letting the NSO group off the hook \u2014 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[2079,6772,6771,50,569,2003],"class_list":["post-31899","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-patch","tag-porgressive-web-apps","tag-pwas","tag-security","tag-security-bits","tag-vulnerabilities"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31899","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=31899"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31899\/revisions"}],"predecessor-version":[{"id":31901,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31899\/revisions\/31901"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=31899"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories
?post=31899"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=31899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}