{"id":32785,"date":"2024-12-21T15:48:06","date_gmt":"2024-12-21T23:48:06","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=32785"},"modified":"2024-12-21T15:48:06","modified_gmt":"2024-12-21T23:48:06","slug":"sb-2024-12-21","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2024\/12\/sb-2024-12-21\/","title":{"rendered":"Security Bits \u2014 21 December 2024"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>\ud83c\uddfa\ud83c\uddf8 Following the FBI earlier in the month, and following the revelation that 8 major US telcos were compromised by the Chinese government, the US Cybersecurity &amp; Infrastructure Security Agency (CISA) has joined the FBI in recommending the use of End-to-End Encrypted messaging apps, giving a special mention to Signal as a good choice \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-urges-switch-to-signal-like-encrypted-messaging-apps-after-telecom-hacks\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>CISA&#8217;s advisory \u2014 <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2024\/12\/18\/cisa-releases-best-practice-guidance-mobile-communications\">www.cisa.gov\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Inflammatory headline is really about compliance: <a href=\"https:\/\/www.bbc.com\/news\/articles\/c791lq40v3wo\">Government to ban WhatsApp for official business<\/a><\/li>\n<\/ul>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-december-2024-patch-tuesday-fixes-1-exploited-zero-day-71-flaws\/\">Microsoft December 2024 Patch Tuesday fixes 1 exploited 
zero-day, 71 flaws \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/isc.sans.edu\/diary\/rss\/31514\">Apple Updates Everything (iOS, iPadOS, macOS, watchOS, tvOS, visionOS) &#8211; SANS Internet Storm Center \u2014 isc.sans.edu\/\u2026<\/a>\n<ul>\n<li>Apple also released Safari 18.2 for macOS 14 Sonoma and macOS 13 Ventura to fix five security vulnerabilities \u2014 <a href=\"https:\/\/tidbits.com\/watchlist\/safari-18-2\/\">tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Reminder \u2014 always check NPM and other repository names from a trusted source, never just guess: <a href=\"https:\/\/thehackernews.com\/2024\/12\/thousands-download-malicious-npm.html\">Thousands Download Malicious npm Libraries Impersonating Legitimate Tools \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li>\ud83e\uddef Those &#8220;Apple Approval Notice&#8221; SMS messages are a scam \u2014 <a href=\"https:\/\/www.macobserver.com\/tips\/apple-approval-notice-what-is-this-message-and-what-to-do-if-you-receive-one\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>\ud83e\uddef Rest assured, these scary viral TikTok videos are utter fiction (in case you or your family hear about them):\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/24\/12\/17\/tiktok-videos-claim-anyone-can-steal-your-credit-cards-with-airdrop\">TikTok videos claim anyone can steal your credit cards with AirDrop \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/24\/12\/17\/no-ios-photos-isnt-telling-you-who-last-looked-at-your-messages\">No, iOS Photos isn&#8217;t telling you who last looked at your messages \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>An illustrative example of how <strong>attackers are using legitimate 
features on popular sites to send more believable phishing emails<\/strong> (in this case, using Google Forms to phish while pretending to be Google&#8217;s security team): <a href=\"https:\/\/krebsonsecurity.com\/2024\/12\/how-to-lose-a-fortune-with-just-one-bad-click\/\">How to Lose a Fortune with Just One Bad Click \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Similarly, attackers are turning more and more to sending entirely genuine invoices for utterly fictitious products\/services using popular Software-as-a-Service platforms: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/money-request-and-invoice-scams-via-paypal-venmo-and-docusign\/\">Money request and invoice scams via PayPal, Venmo, and Docusign \u2014 www.intego.com\/\u2026<\/a>\n<ul>\n<li>Lots of nice detailed advice in the article<\/li>\n<li>Top takeaway \u2014 don&#8217;t trust any information in a field controlled by the sender rather than the service, like <em>sender\/seller\/vendor comment\/note\/message<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>A wise move to counter stigma against victims: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/interpol-replaces-dehumanizing-pig-butchering-term-with-romance-baiting\/\">Interpol replaces dehumanizing &#8220;Pig Butchering&#8221; term with &#8220;Romance Baiting&#8221; \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddea\ud83c\uddfa The GDPR continues to have teeth \u2014 notice that the fines are not for being breached as such, but for not taking the appropriate actions before and after:\n<ul>\n<li>\ud83c\uddee\ud83c\uddea <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ireland-fines-meta-264-million-over-2018-facebook-data-breach\/\">Ireland fines Meta $264 million over 2018 Facebook data breach \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>The fine is not for being breached, but for not having notified affected users clearly and promptly<\/li>\n<li>The fine is also for 
negligence in Facebook&#8217;s under-the-hood design<\/li>\n<li>\ud83c\uddf3\ud83c\uddf1 <a href=\"https:\/\/thehackernews.com\/2024\/12\/dutch-dpa-fines-netflix-475-million-for.html\">Dutch DPA Fines Netflix \u20ac4.75 Million for GDPR Violations Over Data Transparency \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li>The fine is for not having clear and accurate data policies<\/li>\n<li>The fine is also for not responding honestly to data subject requests filed by EU users<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 The US Office of the Inspector General (OIG) has determined that the Trump US Department of Justice (DOJ) wrongly subpoenaed Apple for call and message data relating to opposition lawmakers, their aides, and families \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/24\/12\/11\/government-says-doj-subpoenaed-apple-without-authorization\">appleinsider.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 US authorities are launching an investigation into Chinese router maker TP-Link for a possible ban due to security risks. 
<a href=\"https:\/\/9to5mac.com\/2024\/12\/18\/most-popular-home-internet-routers-in-us-may-be-banned-as-national-security-risk\/\">Most popular home internet routers in US may be banned as national security risk \u2014 www.9to5mac.com<\/a>\n<ul>\n<li>While an investigation isn&#8217;t a ban, Tom Merritt on the Daily Tech News Show explains why a ban is essentially inevitable: <a href=\"https:\/\/youtube.com\/watch?v=7gCG9foORmQ&#038;t=748\">DTNS 4918 for 18 December 2024 on YouTube<\/a><\/li>\n<li>If you own a TP-Link router, consider <a href=\"https:\/\/dd-wrt.com\">flashing it with dd-wrt firmware<\/a> if you don&#8217;t want to throw it in the bin.<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\udde9\ud83c\uddea An interesting example of nation-state-level cybersecurity defences: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/germany-blocks-badbox-malware-loaded-on-30-000-android-devices\/\">Germany blocks BadBox malware loaded on 30,000 Android devices \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/how-to\/add-legacy-contact-apple-account\/\">How to Add a Legacy Contact to Your Apple Account | Full guide \u2014 www.macobserver.com\/\u2026<\/a> (just in time for all those holiday visits with the family you tech-support \ud83d\ude42)<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 Good advice from the AARP on how US users can protect themselves from SIM swapping (recommended by listener Lynn on <a href=\"https:\/\/podfeet.com\/slack\">the Podfeet Slack<\/a>) \u2014 <a href=\"https:\/\/www.aarp.org\/podcasts\/the-perfect-scam\/info-2024\/sim-swapping-scammers-hijack-smartphones-and-steal-thousands.html\">www.aarp.org\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything 
upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Bart:<\/strong> An excellent telling of the true story of how a suite of apps that Allison, I, and countless other podcasters rely on almost died, but has instead come back to life better than ever in 2024: <a href=\"https:\/\/weblog.rogueamoeba.com\/2024\/12\/13\/the-developers-who-came-in-from-the-cold\/\">The Developers Who Came in From the Cold \u2014 weblog.rogueamoeba.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A 
<strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. \ud83c\uddfa\ud83c\uddf8 Following the FBI earlier in the month, and following the revelation that 8 major US telcos were compromised by the Chinese government, the US Cybersecurity &amp; Infrastructure Security Agency (CISA) has joined the [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":13191,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[2079,2105,569,6846],"class_list":["post-32785","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-patch","tag-secure","tag-security-bits","tag-tp-link"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2017\/10\/security_bits_logo_300px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/32785","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/b
log\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=32785"}],"version-history":[{"count":1,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/32785\/revisions"}],"predecessor-version":[{"id":32786,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/32785\/revisions\/32786"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/13191"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=32785"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=32785"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=32785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}