{"id":32814,"date":"2025-01-03T12:58:29","date_gmt":"2025-01-03T20:58:29","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=32814"},"modified":"2025-01-03T12:58:29","modified_gmt":"2025-01-03T20:58:29","slug":"sb-2025-01-03","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2025\/01\/sb-2025-01-03\/","title":{"rendered":"Security Bits \u2014 3 January 2025"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>\ud83c\uddfa\ud83c\uddf8 The recently disclosed massive hack of western telecommunications firms that led the US FBI &amp; CISA to issue advice to switch to E2EE VoIP and messaging apps like Signal over SMS &amp; phone calls has been confirmed to be just a little bit bigger \u2014 the official tally of compromised US telcos has gone from 8 to 9 \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/white-house-links-ninth-telecom-breach-to-chinese-hackers\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> Two of the now nine breached US telcos, AT&amp;T &amp; Verizon, have reported that the attackers have been successfully evicted from their networks \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/atandt-and-verizon-say-networks-secure-after-salt-typhoon-breach\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 Meta scored an important legal victory against the NSO group over their infamous Pegasus spyware&#8217;s hacking of WhatsApp \u2014 a US federal judge in CA has issued a pre-trial ruling that the Israeli company did hack Meta&#8217;s servers, so the only issue for the trial to decide on is the damages. 
The ruling was scathing against the NSO group, calling them out for failing to comply with discovery orders \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/us-court-finds-spyware-maker-nso-liable-for-whatsapp-hacks\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 The US Federal Trade Commission (FTC) has wrapped up their investigation of a massive 344M user data breach at Starwood Hotels (a subsidiary of Marriott) in 2016; the company has been ordered to implement a comprehensive information security program, and to submit to supervision for 20 years \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ftc-orders-marriott-and-starwood-to-implement-strict-data-security\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive(s)<\/h2>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>A timely reminder of why you can&#8217;t run un-patched or un-patchable routers: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/malware-botnets-exploit-outdated-d-link-routers-in-recent-attacks\/\">Malware botnets exploit outdated D-Link routers in recent attacks \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Cybersecurity researchers are warning of a novel take on the concept of <em>click-jacking<\/em>, which they&#8217;ve dubbed <em>DoubleClickjacking<\/em> \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-doubleclickjacking-attack-exploits-double-clicks-to-hijack-accounts\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>Traditional click-jacking was a big problem about a decade ago, when attackers noticed they could abuse 
transparent iframes to trick users into clicking on buttons they could not see, and hence inadvertently grant permissions to the attackers, but browsers and websites developed strong defences against this technique, denting the technique&#8217;s effectiveness<\/li>\n<li>Security researchers have observed a new variant of this attack that evades all current protections by abusing the sub-second timing delay between the two halves of a human double-click, letting them sneak the malicious button under the mouse pointer in time for the second half of the double click, and then hiding it again before a human can see or do anything<\/li>\n<li>It&#8217;s inevitable browsers and websites will develop defences against this new variant too, but that&#8217;s going to take time<\/li>\n<li>In the meantime, don&#8217;t allow any website to social-engineer a click gesture on the web. This is not normal, so you can assume all such requests are illegitimate!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Details have emerged of a broad phishing campaign targeted at Chrome browser plugin developers that succeeded in injecting malware into at least 35 extensions, most notably those from security firm Cyberhaven \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>This story emphasises the fact that attackers are heavily focusing on browser plugins these days, seeing them as one of the weakest links in our current cybersecurity chain.<\/li>\n<li>Attackers are specifically targeting the developers of popular legitimate plugins, so just avoiding new and rarely used plugins is not going to provide any defence.<\/li>\n<li>The advice to enterprises is to move from a block-listing to an allow-listing approach for plugins, which is a lot of extra work, so I doubt that&#8217;s going to happen in all but the most security-aware 
organisations<\/li>\n<li>For home users, the only vaguely useful advice is to <strong>run only plugins that give you genuine value<\/strong>, so you are getting something real in return for the security tradeoff each plugin represents.<\/li>\n<li>Expect this to get worse before it gets better \u2014 2025 is likely to be the year where browser plugin compromises really start making the news in all the wrong ways \ud83d\ude41<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddee\ud83c\uddf9 Italy fines OpenAI \u20ac15M for ChatGPT GDPR violations, but more importantly, forces the company to launch a national ad campaign informing users of how to exercise their GDPR rights with respect to ChatGPT \u2014 <a href=\"https:\/\/thehackernews.com\/2024\/12\/italy-fines-openai-15-million-for.html\">thehackernews.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 2024 was noteworthy for the number of US health organisations that suffered massive data breaches as cybercriminals turned their attention to what has proven to be a woefully under-prepared sector. 
This has now triggered the Department of Health &amp; Human Services (HHS) to update the HIPAA cybersecurity rules to raise the baseline requirements for all healthcare organisations \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/massive-healthcare-breaches-prompt-us-cybersecurity-rules-overhaul\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>Apple will pay $95 million to people who were spied on by Siri &#8211; The Verge <a href=\"https:\/\/www.theverge.com\/2025\/1\/2\/24334268\/apple-siri-recording-privacy-lawsuit-settlement-proposed\">www.theverge.com\/&#8230;<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li><strong>Related:<\/strong> An excellent overview of how the state of AI has evolved in 2024: <a href=\"https:\/\/simonwillison.net\/2024\/Dec\/31\/llms-in-2024\/\">Things we learned about LLMs in 2024 \u2014 simonwillison.net\/\u2026<\/a>\n<ul>\n<li>Not strictly a cybersecurity topic, but relevant nonetheless, because attackers are already using LLMs to craft better phishing and social engineering attacks, and that trend is only going to grow in 2025!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>A nice overview of the biggest cybersecurity stories of 2024 \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/the-biggest-cybersecurity-and-cyberattack-stories-of-2024\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>From Bob Goodrich &amp; Norbert Frassa in <a href=\"https:\/\/podfeet.com\/slack\">our Slack<\/a>: <a href=\"https:\/\/arstechnica.com\/security\/2024\/12\/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security\/\">Passkey technology is elegant, but it\u2019s most definitely not usable security \u2013 Ars 
Technica<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>Allison asked on Mastodon, why isn&#8217;t open source hyphenated when used in the phrase &#8220;open source license&#8221;? <a href=\"https:\/\/mastodon.ie\/@scottishwildcat\">Calum aka @scottishwildcat@mastodon.ie<\/a> responded with the official answer from <a href=\"https:\/\/opensource.org\/blog\/is-open-source-ever-hyphenated\">opensource.org<\/a> <\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td 
align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. \ud83c\uddfa\ud83c\uddf8 The recently disclosed massive hack of western telecommunications firms that lead the US FBI &amp; CISA to issue advice to switch to E2EE VoIP and messaging apps like Signal over SMS &amp; phone [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[50,569],"class_list":["post-32814","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/32814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.co
m\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=32814"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/32814\/revisions"}],"predecessor-version":[{"id":32816,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/32814\/revisions\/32816"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=32814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=32814"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=32814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}