{"id":33455,"date":"2025-03-30T11:41:43","date_gmt":"2025-03-30T18:41:43","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=33455"},"modified":"2025-03-30T11:41:43","modified_gmt":"2025-03-30T18:41:43","slug":"sb-2025-03-30","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2025\/03\/sb-2025-03-30\/","title":{"rendered":"Security Bits \u2014 30 March 2025 (Bart Solo)"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Thankfully Microsoft have not learned the wrong lesson from their recent over-zealous response to possible malware in the VS Code Marketplace: <a href=\"https:\/\/thehackernews.com\/2025\/03\/vscode-marketplace-removes-two.html\">VSCode Marketplace Removes Two Extensions Deploying Early-Stage Ransomware \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li>Attackers are continuing to focus their attention on using GitHub to attack developers; given how many NosillaCastaways use GitHub, we need to remain vigilant \ud83d\ude41\n<ul>\n<li>Note that GitHub do not use the Issues system to notify repo owners about security issues, and be very wary of granting any app permissions on your GitHub account: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts\/\">Fake &#8220;Security Alert&#8221; issues on GitHub use OAuth app to hijack accounts \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>Whenever possible, try to stick to GitHub Actions from GitHub themselves and minimise your use of 3rd-party actions: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/supply-chain-attack-on-popular-github-action-exposes-ci-cd-secrets\/\">Supply chain attack on popular GitHub Action exposes CI\/CD secrets \u2014 
www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 Brian Krebs continues to do sterling work documenting the ways in which the DOGE chaos is endangering America&#8217;s cybersecurity: <a href=\"https:\/\/krebsonsecurity.com\/2025\/03\/doge-to-fired-cisa-staff-email-us-your-personal-data\/\">DOGE to Fired CISA Staff: Email Us Your Personal Data \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Citizen Lab are continuing their excellent work exposing how governments use grey-hat hacking tools to attack civil liberties: \ud83c\udde6\ud83c\uddfa \ud83c\udde8\ud83c\udde6 \ud83c\udde8\ud83c\uddfe \ud83c\udde9\ud83c\uddf0 \ud83c\uddee\ud83c\uddf1 \ud83c\uddf8\ud83c\uddec <a href=\"https:\/\/thehackernews.com\/2025\/03\/six-governments-likely-use-israeli.html\">Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data \u2014 thehackernews.com\/\u2026<\/a> (Australia, Canada, Cyprus, Denmark, Israel, and Singapore)<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 Is Signal \u2018Safe\u2019?<\/h2>\n<p><strong>TL;DR<\/strong> for personal use, and for authorised corporate use in compliance with corporate policies \u2014 <strong>YES<\/strong>!<\/p>\n<p>This is not a foreign affairs or politics podcast, so the details of exactly why senior US officials were discussing military strikes over Signal are not our concern, but it is a big news story, and the President of the United States did (wrongly) call Signal\u2019s security into question.<\/p>\n<p>For our purposes, these are the pertinent facts:<\/p>\n<ol>\n<li>Senior US government officials were chatting about planned military strikes on Signal, including precise details about timing, targeting, and specific military assets.<\/li>\n<li>Somehow, someone, apparently without intending to, added a journalist to the chat. 
<\/li>\n<li>There are US laws and regulations covering the dissemination of this kind of sensitive military information, and these communications were not compliant.<\/li>\n<\/ol>\n<p>To understand why it is simultaneously true that this kind of use of Signal is not safe, and why both our personal use of Signal and authorised and compliant use of Signal within organisations are safe, it\u2019s important to understand what end-to-end encryption does and does not do, and what makes a public service like Signal different from private government or corporate communications systems.<\/p>\n<p>Signal uses an open and independently audited protocol built on open and independently audited cryptographic algorithms to securely and transparently do the following:<\/p>\n<ol>\n<li>Share the public keys belonging to the participants in conversations<\/li>\n<li>Encrypt all conversations between the devices of all participants so that at no point between leaving one device and arriving at another can anyone, including Signal, decrypt the messages<\/li>\n<\/ol>\n<p>The key point to notice is what Signal does <strong>not<\/strong> do \u2014 Signal doesn\u2019t and <strong>can\u2019t<\/strong> secure the messages on the user\u2019s devices. If a recipient\u2019s phone is hacked, the attacker can read the messages from the device, just like the user can.<\/p>\n<p>Another key point to notice is that while Signal doesn\u2019t allow anyone to be <strong>secretly<\/strong> added to a conversation, anyone can use Signal, and anyone can be <strong>inadvertently<\/strong> added to any conversation. If the participants don\u2019t check the participant list, or don\u2019t notice someone on the list, that\u2019s not a technological issue, that\u2019s a squishy-organic-bit issue.<\/p>\n<p>The reason governments and some corporations issue users with secured managed devices is to protect data at rest. 
The reason governments and some organisations choose to run their own private secure messaging systems is to ensure no outsiders can possibly be added to conversations. In these kinds of closed systems, humans can still make mistakes, but the scope for error is constrained, and the organisation will have the needed audit trail to reliably determine the scope of any leaks.<\/p>\n<p>This is why governments and organisations have rules about what types of information can be shared via which apps on which devices. For US military secrets that absolutely does <strong>not<\/strong> include Signal on <strong>any<\/strong> device, and especially not Signal on personal devices!<\/p>\n<p>For your own personal use Signal is about as secure as messaging services get, and if you work for an organisation that allows for the use of Signal in specific ways from specific types of devices for specific kinds of information, and if you follow those rules, you\u2019re golden!<\/p>\n<p>The question in this latest Trump Administration scandal is not whether or not Signal is safe, but whether the officials\u2019 use of Signal in this specific way was both safe and legal, and as best as I can tell based on the available facts, the answer to both is a resounding <strong>\u2018No!\u2019<\/strong><\/p>\n<p>But equally, is Signal a good choice for NosillaCastaways to stay in touch with friends and family? Heck yes! It\u2019s my preferred secure messaging app by far, and I highly recommend it. 
So much so that I\u2019m a donor!<\/p>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li>All the major Windows browsers have received related patches for a type of exploitation observed in the wild by <em>sophisticated<\/em> attackers (probably nation-states):\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/mozilla-warns-windows-users-of-critical-firefox-sandbox-escape-flaw\/\">Mozilla warns Windows users of critical Firefox sandbox escape flaw \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/google-chrome-patches-zero-day-used-to-spread-sophisticated-malware\/\">Google Chrome patches zero-day used to spread &#8220;sophisticated malware&#8221; \u2014 www.intego.com\/\u2026<\/a> (Related patches for the other Chromium browsers too)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Ubuntu Linux Users take note:<\/strong> three security feature bypasses have been discovered in Ubuntu, and while there are no patches, Canonical have released an advisory with recommended changes to harden systems against these kinds of security bypasses \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-ubuntu-linux-security-bypasses-require-manual-mitigations\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>After suffering a very nasty data breach last year, 23andMe have now filed for Chapter 11 Bankruptcy Protection in the US and have informed the relevant court that they are seeking to sell to an <em>&#8220;independent bidder&#8221;<\/em> \u2014 <a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/23andme-files-for-bankruptcy-customers-advised-to-delete-dna-data\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>The company insist nothing will change in terms of data protection<\/li>\n<li>California&#8217;s Attorney General has issued a customer alert recommending users delete their data<\/li>\n<li>Note that this is an area where US &amp; EU law could not differ more: under EU law you always own data about you, so a change of ownership has no effect on your data protections, but under US law the company that has the data owns it, so no promises made by 23andMe can have any legal weight. Unless you trust them completely to only sell to a fully trustworthy new owner, you should delete your data.<\/li>\n<li><strong>Related:<\/strong> \ud83c\udfa7 An excellent discussion of why, and more importantly how, to remove your data \u2013 <a href=\"https:\/\/overcast.fm\/+AAHLr7FWGUc\">Checklist 417 &#8211; 23andMe Goes Bankrupt and a Crash Course in Signal \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 Americans may want to be aware that there is a confirmed breach in Oracle Health, specifically in the data from the cloud provider <em>Cerner<\/em>, which Oracle acquired a few years ago and merged into their Oracle Health branded suite of offerings to healthcare providers like hospitals \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/oracle-health-breach-compromises-patient-data-at-us-hospitals\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>Oracle are being noticeably and disappointingly evasive about this breach, and making it needlessly difficult for patients to discover whether or not they are affected<\/li>\n<li>The best thing to do if you&#8217;re concerned would appear to be to contact your hospital or clinic and ask if they were Cerner users; hardly a good solution \ud83d\ude41<\/li>\n<li><strong>Editorial by Bart:<\/strong> this is a 
real ding on Oracle&#8217;s reputation in my eyes; I consider their evasiveness here as nothing short of scandalous \ud83d\ude41<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>\ud83c\uddea\ud83c\uddfa The European Commission is continuing to enforce regulations on US tech giants \u2014 <a href=\"https:\/\/arstechnica.com\/apple\/2025\/03\/eu-accuses-google-and-apple-of-stifling-competition-under-digital-markets-act\/\">arstechnica.com\/\u2026<\/a>\n<ul>\n<li>Apple have been ordered to make a list of specific changes to how they support third-party hardware integrations to iPhones in order to be considered in compliance with the Digital Markets Act<\/li>\n<li>A preliminary finding has been issued against Google finding that they are self-preferencing in Google Search (this is like an indictment under US law \u2014 a formal accusation of guilt with associated evidence, and the accused now get the right to defend themselves from the formal accusation)<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/appleinsider.com\/articles\/25\/03\/26\/utahs-new-law-forces-tech-companies-to-add-age-verification-but-apple-is-already-prepared\">New Utah law forces big tech to add age verification, Apple is already prepared \u2014 appleinsider.com\/\u2026<\/a>\n<ul>\n<li><strong>Opinion from Bart:<\/strong> this approach of entrusting just our chosen platform with this kind of sensitive data is a lot better for privacy than making each site gather and store the data separately. 
You should never use a phone on an ecosystem you don&#8217;t trust since our phones have so much sensitive data on them, so this shouldn&#8217;t change who we choose to entrust with our data.<\/li>\n<\/ul>\n<\/li>\n<li>A timely reminder of why it&#8217;s important to stay patched: <a href=\"https:\/\/appleinsider.com\/articles\/25\/03\/19\/now-patched-vulnerability-left-apple-passwords-open-to-targeted-phishing-attacks\">Apple Passwords was open to targeted phishing attacks, before patch \u2014 appleinsider.com\/\u2026<\/a>\n<ul>\n<li>Thanks to responsible disclosure Apple were able to patch before the details were published<\/li>\n<li>Given the way the vulnerability worked, it&#8217;s extremely unlikely any NosillaCastaway who stays patched has anything to worry about<\/li>\n<\/ul>\n<\/li>\n<li>A timely reminder that it can happen to anyone: <a href=\"https:\/\/www.troyhunt.com\/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list\/\">A Sneaky Phish Just Grabbed my Mailchimp Mailing List \u2014 www.troyhunt.com\/\u2026<\/a>\n<ul>\n<li><strong>Key Takeaway 1:<\/strong> you&#8217;re extra vulnerable when you&#8217;re tired and\/or rushing, so try to be aware of that and keep your proverbial shields up<\/li>\n<li><strong>Key Takeaway 2:<\/strong> the value that experience and being informed bring is that you&#8217;ll realise what you&#8217;ve done within seconds, not hours or days, so you have the power to limit the damage<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>\ud83c\udfa7 An excellent new four-part mini-series on AI from the <a href=\"\">Future Perfect Podcast<\/a>: <a href=\"https:\/\/overcast.fm\/+AAQKiQu1E9Y\">Good Robot 1: The Magic Intelligence in the Sky \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text 
describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Thankfully Microsoft have not learned the wrong lesson from their recent over-zealous response to possible malware in the VS Code Marketplace: VSCode Marketplace Removes Two Extensions Deploying Early-Stage Ransomware \u2014 thehackernews.com\/\u2026 Attackers are continuing [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[147],"tags":[7227,5164,7228,50,569,5178,2003],"class_list":["post-33455","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","tag-cisa","tag-european-commission","tag-secure-messaging","tag-security","tag-security-bits","tag-signal","tag-vulnerabilities"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/33455",
"targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=33455"}],"version-history":[{"count":1,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/33455\/revisions"}],"predecessor-version":[{"id":33456,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/33455\/revisions\/33456"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=33455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=33455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=33455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}