{"id":31982,"date":"2024-09-29T13:25:40","date_gmt":"2024-09-29T20:25:40","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=31982"},"modified":"2024-09-29T13:25:40","modified_gmt":"2024-09-29T20:25:40","slug":"sb-2024-09-29","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2024\/09\/sb-2024-09-29\/","title":{"rendered":"Security Bits \u2013 29 September 2024"},"content":{"rendered":"<h1>Feedback &amp; Followups<\/h1>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Consequences arrive for past failures:\n<ul>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/atandt-pays-13-million-fcc-settlement-over-2023-data-breach\/\">AT&amp;T pays $13 million FCC settlement over 2023 data breach \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddea\ud83c\uddfa Meta fined \u20ac91M by the Irish Data Protection Commission (DPC) for storing over 600 million passwords in plain text back in 2019 (most were from the ill-fated <em>Facebook Lite<\/em> service; the passwords were not leaked externally, but they were stored unprotected on internal systems and accessed by thousands of Facebook employees)<\/li>\n<li>\ud83c\uddee\ud83c\uddea The DPC&#8217;s press release \u2014 <a href=\"https:\/\/www.dataprotection.ie\/en\/news-media\/press-releases\/DPC-announces-91-million-fine-of-Meta\">www.dataprotection.ie\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 Kaspersky wraps up its exit from the US with a bang: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning\/\">Kaspersky deletes itself, installs UltraAV antivirus without warning \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>France&#8217;s arrest of Telegram&#8217;s founder over the company&#8217;s failure to 
answer valid law enforcement requests has had an effect: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/telegram-now-shares-users-ip-and-phone-number-on-legal-requests\/\">Telegram now shares users\u2019 IP and phone number on legal requests \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>The sustained barrage of negative feedback on Microsoft&#8217;s controversial Windows Recall feature continues to have an effect: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-windows-recall-now-can-be-removed-is-more-secure\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>The feature will be off by default<\/li>\n<li>The feature will be completely removable<\/li>\n<li>Data protections are being tightened further<\/li>\n<li><strong>Editorial by Bart:<\/strong> We&#8217;re now finally getting to the feature set that Microsoft should have come with as their first offering<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>Deep Dive(s)<\/h1>\n<h1>\u2757 Action Alerts<\/h1>\n<aside class=\"small-aside\">Calls to action; if any story in this section is relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li>Apple releases new OSes and patches the old ones\n<ul>\n<li><a href=\"https:\/\/tidbits.com\/2024\/09\/16\/macos-14-7-sonoma-macos-13-7-ventura-ios-17-7-and-ipados-17-7-provide-security-fixes\/\">macOS 14.7 Sonoma, macOS 13.7 Ventura, iOS 17.7, and iPadOS 17.7 Provide Security Fixes \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li>Details are sparse, but a networking change in macOS 15 Sequoia is breaking some third-party security tools, notably VPN clients and antivirus agents; if you depend on one, check with its vendor before upgrading \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/apple\/macos-sequoia-change-breaks-networking-for-vpn-antivirus-software\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.macobserver.com\/news\/after-20-odd-years-apple-id-gets-repalced-hello-apple-account\/\">After 20 Odd Years, Apple ID Gets Replaced; Hello Apple Account \u2014 
www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\ud83e\uddef <a href=\"https:\/\/isc.sans.edu\/diary\/rss\/31302\">Patch for Critical CUPS vulnerability: Don&#8217;t Panic \u2014 isc.sans.edu\/\u2026<\/a>\n<ul>\n<li>The bug is in cups-browsed, the CUPS component Linux systems use to discover shared printers on the network; Apple uses CUPS for printing in macOS but not for printer discovery, which it does over mDNS (Bonjour), so Mac users are not affected<\/li>\n<li>Patches are out, so do patch promptly; if you can&#8217;t patch yet, stop and disable the cups-browsed service, or at least block UDP port 631 (the port it listens on) from untrusted networks<\/li>\n<li>The bug is in a feature that is often not enabled by default and is unlikely to be in use on servers, but do check whether cups-browsed is running on desktop Linux machines<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/d-link-fixes-critical-rce-hardcoded-password-flaws-in-wifi-6-routers\/\">D-Link fixes critical RCE, hardcoded password flaws in WiFi 6 routers \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li><strong>Related<\/strong> \u2013 a good illustration of why unpatched SOHO devices matter: \ud83c\udde8\ud83c\uddf3 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/flax-typhoon-hackers-infect-260-000-routers-ip-cameras-with-botnet-malware\/\">Chinese botnet infects 260,000 SOHO routers, IP cameras with malware \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2024\/09\/chatgpt-macos-flaw-couldve-enabled-long.html\">ChatGPT macOS Flaw Could&#8217;ve Enabled Long-Term Spyware via Memory Function \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<h1>Worthy Warnings<\/h1>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Beware of a new technique being used to target developers \u2014 malicious <em>&#8220;help&#8221;<\/em> posted in GitHub issues and comments that lures them into pasting a PowerShell command (one of the many repos targeted was XKPasswd-js):\n<ul>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2024\/09\/this-windows-powershell-phish-has-scary-potential\/\">This Windows PowerShell Phish Has Scary 
Potential \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/clever-github-scanner-campaign-abusing-repos-to-push-malware\/\">Clever &#8216;GitHub Scanner&#8217; campaign abusing repos to push malware \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>If you depend on <a href=\"https:\/\/www.torproject.org\">Tor to protect your anonymity<\/a>, you need to be aware of analysis from the storied <em>Chaos Computer Club<\/em> in Germany of a German police operation that reportedly deanonymised Tor users through timing analysis; the Tor Project disputes that this shows a weakness in Tor itself, noting that the targets were running a long-outdated version of the retired Ricochet messaging app, so the practical takeaway is to keep Tor Browser and any other Tor-based software fully up to date: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/tor-says-its-still-safe-amid-reports-of-police-deanonymizing-users\/\">Tor says it\u2019s &#8220;still safe&#8221; amid reports of police deanonymizing users \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h1>Notable News<\/h1>\n<ul>\n<li>\ud83c\uddfa\ud83c\uddf8 NIST (the US National Institute of Standards and Technology) has published a draft update to its password guidance in SP 800-63B, the digital identity guidelines \u2014 <a href=\"https:\/\/arstechnica.com\/security\/2024\/09\/nist-proposes-barring-some-of-the-most-nonsensical-password-rules\/\">arstechnica.com\/\u2026<\/a> \ud83c\udf89\n<ul>\n<li>This is technically a US standard that only applies to US government agencies and suppliers, but it&#8217;s commonly adopted by other organisations all over the world, and heavily influences similar standards in other countries<\/li>\n<li>The section on end-user passwords has been strengthened to turn advice into requirements (<em>&#8220;should&#8221;<\/em> \u2192 <em>&#8220;shall&#8221;<\/em> etc.)<\/li>\n<li>Periodic password resets are banned, but a forced change is required when there is evidence that a password has been compromised<\/li>\n<li>Composition rules (requiring a mix of upper case, digits, symbols etc.) are banned; instead, all printable ASCII characters and the space must be accepted, and Unicode characters should be<\/li>\n<li>A minimum length of 8 characters must be enforced, and it&#8217;s recommended to enforce a minimum of 
15<\/li>\n<li>Any maximum length that is enforced must be at least 64 characters, and passwords must never be silently truncated<\/li>\n<li>A ban on password hints<\/li>\n<li>A ban on knowledge-based authentication (mother&#8217;s maiden name etc.) as a factor<\/li>\n<li>Note that these rules are for <em>people<\/em> (end-users), not for non-human identities like service accounts, so forcing the rotation of passwords used by scripts and stuff is completely out of scope here (and might even be required, I didn&#8217;t check!)<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2024\/09\/gsma-plans-end-to-end-encryption-for.html\">GSMA (GSM Association) Plans End-to-End Encryption for Cross-Platform RCS Messaging \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/technology\/ftc-exposes-massive-surveillance-of-kids-teens-by-social-media-giants\/\">FTC exposes massive surveillance of kids, teens by social media giants \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\udde6\ud83c\uddf9 The vocal privacy campaign group NOYB (None of Your Business) has filed a formal complaint against Mozilla in Austria over Firefox&#8217;s <em>Privacy-Preserving Attribution<\/em> feature, a browser-side mechanism for reporting anonymised ad-effectiveness data that Mozilla switched on by default without asking users: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/technology\/mozilla-accused-of-tracking-users-in-firefox-without-consent\/\">www.bleepingcomputer.com\/\u2026<\/a> (<strong>Editorial by Bart:<\/strong> this is a case of the idealists taking on the realists, not any kind of malice or malfeasance as best as I can tell)<\/li>\n<li>\ud83c\uddec\ud83c\udde7 Is there some kind of conservation of AI training volume in the UK? \ud83d\ude09\n<ul>\n<li><a href=\"https:\/\/thehackernews.com\/2024\/09\/meta-to-train-ai-models-using-public-uk.html\">Meta to Train AI Models Using Public U.K. 
Facebook and Instagram Posts \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2024\/09\/linkedin-halts-ai-data-processing-in-uk.html\">LinkedIn Halts AI Data Processing in U.K. Amid Privacy Concerns Raised by ICO \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddea\ud83c\uddfa Apple &amp; Meta have opted out of the EU&#8217;s voluntary responsible AI code \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/24\/09\/26\/apple-meta-ignore-eu-artificial-intelligence-regulatory-initiative-for-now\">appleinsider.com\/\u2026<\/a><\/li>\n<li>Some nice security-related app updates:\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/discord-rolls-out-end-to-end-encryption-for-audio-video-calls\/\">Discord rolls out end-to-end encryption for audio, video calls \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/google\/google-password-manager-now-automatically-syncs-your-passkeys\/\">Google Password Manager now automatically syncs your passkeys \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2024\/09\/chrome-introduces-one-time-permissions.html\">Chrome Introduces One-Time Permissions and Enhanced Safety Check for Safer Browsing \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/windows-server-2025-hotpatching-in-public-preview-installs-security-updates-without-restarts\/\">Windows Server 2025 previews security updates without restarts \u2014 www.bleepingcomputer.com\/\u2026<\/a> (<strong>Editorial by Bart:<\/strong> nice to see Windows Server catching up with Linux &amp; Unix, and hopefully this makes its way down to Windows 11 soon)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>Top Tips<\/h1>\n<aside class=\"small-aside\">Tip, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends 
whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/how-to-lock-and-hide-apps-on-iphone-and-ipad-to-increase-your-privacy\/\">How to Lock and Hide Apps on iPhone and iPad to Increase Your Privacy \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<h1>Interesting Insights<\/h1>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>A very thoughtful discussion on why our existing laws don&#8217;t mean what we think they mean (disclosure is much less mandated than we think), and why companies should choose to disclose anyway: <a href=\"https:\/\/www.troyhunt.com\/the-data-breach-disclosure-conundrum\/\">The Data Breach Disclosure Conundrum \u2014 www.troyhunt.com\/\u2026<\/a><\/li>\n<\/ul>\n<h1>Palate Cleansers<\/h1>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Bart:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/software\/winamp-releases-source-code-asks-for-help-modernizing-the-player\/\">Winamp releases source code, asks for help modernizing the player \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><strong>From Allison<\/strong>: Elle Cordova does very clever videos about technical and space things. 
Her video on digital assistants is priceless: <a href=\"https:\/\/www.tiktok.com\/t\/ZP8RXXqyF\/\">&#8220;Server break room&#8221; on TikTok<\/a> (you can also find her on Instagram.)<\/li>\n<\/ul>\n<h1>Legend<\/h1>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Consequences arrive for past failure: \ud83c\uddfa\ud83c\uddf8 AT&amp;T pays $13 million FCC settlement over 2023 data breach \u2014 www.bleepingcomputer.com\/\u2026 \ud83c\uddea\ud83c\uddfa Meta fined \u20ac91M by the Irish Data Protection Commissioners for storing over 600 million passwords [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[2485,1877,135,114,50,569,2003],"class_list":["post-31982","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-gdpr","tag-nist","tag-passwords","tag-privacy","tag-security","tag-security-bits","tag-vulnerabilities"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31982","targ
etHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=31982"}],"version-history":[{"count":1,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31982\/revisions"}],"predecessor-version":[{"id":31983,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31982\/revisions\/31983"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=31982"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=31982"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=31982"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
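The NIST password rules summarised under Notable News above (no composition rules, minimum 8 and recommended 15 characters, any maximum at least 64 with no truncation, all printable characters accepted, rotation only on evidence of compromise) are easiest to see as a verifier-side policy. The following is an added example, not code from the show notes or from NIST: a legacy composition-rule policy placed beside a NIST-aligned one so the differences are concrete. The function names (legacy_check, nist_check, password_length, must_change_password), the sample passwords and the tiny KNOWN_COMPROMISED set are all constructed for the example; a real deployment would check a proper breached-password feed.

```python
"""Verifier-side password policies side by side: a legacy composition-rule
policy and one aligned with the NIST SP 800-63B draft rules summarised in
the show notes. Added example; not code from the blog post or from NIST.
The sample passwords and the compromised-password list are constructed."""
from __future__ import annotations

import unicodedata

# ---------------------------------------------------------------------
# Legacy policy: the kind of rules NIST now bans.
# ---------------------------------------------------------------------
LEGACY_MAX = 16  # old systems often also truncate silently at this length


def legacy_check(pw: str) -> tuple[bool, str]:
    """Composition rules plus a short maximum with silent truncation."""
    pw = pw[:LEGACY_MAX]  # silent truncation: the user never finds out
    if len(pw) < 8:
        return False, "too short"
    if " " in pw:
        return False, "spaces not allowed"
    if not any(c.isupper() for c in pw):
        return False, "needs an uppercase letter"
    if not any(c.isdigit() for c in pw):
        return False, "needs a digit"
    if not any(c in "!@#$%^&*" for c in pw):
        return False, "needs a special character"
    return True, "ok"


# ---------------------------------------------------------------------
# NIST-aligned policy.
# ---------------------------------------------------------------------
MIN_LEN = 8           # SHALL enforce at least 8
RECOMMENDED_MIN = 15  # SHOULD enforce at least 15
MAX_LEN = 64          # any maximum SHALL be at least 64; never truncate

# Constructed stand-in for a breached-password feed (assumption: a real
# deployment would check a proper blocklist, and treat a hit as the
# "evidence of compromise" that forces a change).
KNOWN_COMPROMISED = {"password123", "Password123!", "letmein1234"}


def normalize(pw: str) -> str:
    """NIST recommends normalising (NFKC or NFKD) before comparing or
    counting, so 'e' + combining acute and the precomposed 'é' are equal."""
    return unicodedata.normalize("NFKC", pw)


def password_length(pw: str) -> int:
    """Length as NIST counts it: Unicode code points after normalisation,
    not UTF-8 bytes and not pre-normalisation code points."""
    return len(normalize(pw))


def nist_check(pw: str, min_len: int = MIN_LEN, max_len: int = MAX_LEN) -> tuple[bool, str]:
    """Accept or reject with a single stated reason; no composition rules."""
    pw = normalize(pw)
    n = len(pw)
    if n < min_len:
        return False, f"shorter than {min_len} characters"
    if n > max_len:
        return False, f"longer than {max_len} characters"  # reject, never truncate
    # All printing ASCII, the space, and printable Unicode are accepted;
    # only control/format characters (Unicode category C*) are refused.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "control characters not allowed"
    if pw in KNOWN_COMPROMISED:
        return False, "appears in a compromised-password list"
    return True, "ok"  # no hints, no knowledge-based questions, no composition rules


def must_change_password(pw: str, age_days: int, evidence_of_compromise: bool = False) -> bool:
    """Rotation is driven by evidence of compromise only; age_days is
    accepted and deliberately ignored because periodic resets are banned."""
    del age_days
    return evidence_of_compromise or normalize(pw) in KNOWN_COMPROMISED
```

Run through the two policies, "Password123!" sails through the legacy rules and is rejected by the NIST-aligned check because it is on the blocklist, while the long passphrase "correct horse battery staple" is rejected by the legacy policy (after being silently cut to 16 characters) and accepted by the NIST one. password_length shows why length has to be counted in normalised code points: eight copies of "e" plus a combining accent are eight characters to the user, sixteen code points before normalisation, and "pässwörd" is eight characters but ten UTF-8 bytes.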