{"id":33778,"date":"2025-05-11T13:18:10","date_gmt":"2025-05-11T20:18:10","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=33778"},"modified":"2025-05-11T13:18:10","modified_gmt":"2025-05-11T20:18:10","slug":"sb-2025-05-11","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2025\/05\/sb-2025-05-11\/","title":{"rendered":"Security Bits \u2014 11 May 2025"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>A great example of why it&#8217;s important to patch \u2013 this is one of the things the Apple updates we called out last time patched: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/apple-airborne-flaws-can-lead-to-zero-click-airplay-rce-attacks\/\">Apple &#8216;AirBorne&#8217; flaws can lead to zero-click AirPlay RCE attacks \u2014 www.bleepingcomputer.com\/\u2026<\/a> (RCE is Remote Code Execution)<\/li>\n<li>Yet another call to bin those old unpatchable routers ASAP: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fbi-end-of-life-routers-hacked-for-cybercrime-proxy-networks\/\">FBI: End-of-life routers hacked for cybercrime proxy networks \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 While Apple dropped their similar case to avoid having to reveal internal data during discovery, Meta continued theirs, and won: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/legal\/nso-group-fined-167m-for-spyware-attacks-on-1-400-whatsapp-users\/\">NSO Group fined $167M for spyware attacks on 1,400 WhatsApp users \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> Apple has sent out its latest round of notifications to users who they have evidence were targeted by Pegasus-style advanced spyware \u2014 <a 
href=\"https:\/\/appleinsider.com\/articles\/25\/04\/30\/apple-sends-warnings-about-mercenary-spyware-attacks-on-ios\">appleinsider.com\/\u2026<\/a> (Recipients reported to be in 100 countries around the world)<\/li>\n<li><strong>Related:<\/strong> Google&#8217;s 2024 threat intelligence report suggests this problem is getting worse, not better: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-97-zero-days-exploited-in-2024-over-50-percent-in-spyware-attacks\/\">Google: 97 zero-days exploited in 2024, over 50% in spyware attacks \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 There has been a small but significant development in the Trump Administration&#8217;s misuse of Signal for privileged military communications, AKA <em>SignalGate<\/em>, and it provides a teachable moment \u2014 <a href=\"https:\/\/www.404media.co\/mike-waltz-accidentally-reveals-obscure-app-the-government-is-using-to-archive-signal-messages\/\">www.404media.co\/\u2026<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/unofficial-signal-app-used-by-trump-officials-investigates-hack\/\">www.bleepingcomputer.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.wired.com\/story\/tm-signal-telemessage-plaintext-message-archive\/\">www.wired.com\/\u2026<\/a>\n<ul>\n<li>Thanks to the power of modern telephoto lenses, and the fact that the then National Security Advisor Mike Waltz was sneakily checking his phone in a cabinet meeting, we now know the problematic Signal chats happened using an uncertified third-party client named TeleMessage that offers centralised cloud-hosted message archiving as a feature.<\/li>\n<li>Shortly after, security researchers tested the app&#8217;s security and found it very wanting, accessing many supposedly secret US government chat transcripts.<\/li>\n<li>The app promptly suspended its services<\/li>\n<li><strong>This illustrates the boundaries of End-to-End Encryption<\/strong> \u2014 it 
secures messages all the way from one end of a conversation to the other, without being decryptable by any servers en route, even if messages get cached or stored there for hours, weeks, months, or years. But, before a message is sent, and after it is received, it can be accessed by software running on the sending and receiving devices, most especially including the actual messaging clients doing the sending and receiving! This is no more of a shortcoming than the fact that seatbelts don&#8217;t prevent gas tank explosions \u2014 that&#8217;s not the problem they are designed to solve!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive(s)<\/h2>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action: if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li>The May Android security update is out, and it fixes an actively exploited zero-day: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-fixes-actively-exploited-freetype-flaw-on-android\/\">Google fixes actively exploited FreeType flaw on Android \u2014 www.bleepingcomputer.com\/\u2026<\/a> (Patch if you can, or seriously consider a securable alternative!)<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><strong>Student &amp; Professional NosillaCastaways take note:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/education-giant-pearson-hit-by-cyberattack-exposing-customer-data\/\">Education giant Pearson hit by cyberattack exposing customer data \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>Many educational and professional certifications and accreditations are examined by Pearson, including my Microsoft cybersecurity certifications \ud83d\ude41<\/li>\n<li>The company are referring to the stolen customer data as <em>Legacy<\/em>, but 
I&#8217;m not sure that&#8217;s very meaningful: how much of your PII has changed in the last 5 or even 10 years?<\/li>\n<li>The company&#8217;s response is worrying at best:\n<blockquote>&#8220;&#91;W]hen BleepingComputer asked Pearson about whether they paid a ransom, what they meant by &#8220;legacy data,&#8221; how many customers were impacted, and if customers would be notified, the company responded that they would not be commenting on these questions.&#8221; \u2014 the Bleeping Computer Article<\/blockquote>\n<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddec\ud83c\udde7 <strong>UK NosillaCastaways take note:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack\/\">Co-op confirms data theft after DragonForce ransomware claims attack \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>Includes <em>&#8216;personal details&#8217;<\/em> but not passwords or payment details for <em>&#8216;a significant number&#8217;<\/em> of <em>&#8216;current and past members&#8217;<\/em><\/li>\n<li>Not clear if notifications will be sent<\/li>\n<li>Worrying that the company initially tried to deny this breach had even happened \ud83d\ude15<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/whatsapp-unveils-private-processing-for-cloud-based-ai-features\/\">WhatsApp unveils &#8216;Private Processing&#8217; for cloud-based AI features \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>An example of the best kind of <em>copying<\/em> by Meta \u2014 at a software level, this appears equivalent to Apple&#8217;s <a href=\"https:\/\/security.apple.com\/blog\/private-cloud-compute\/\">Private Cloud Compute<\/a> feature (appears not to be quite as impressive down at the hardware layer though)<\/li>\n<li>Meta even copied Apple&#8217;s approach of providing a mechanism for independent auditing by cybersecurity 
specialists!<\/li>\n<\/ul>\n<\/li>\n<li>Another example of how AI helps the good side of cybersecurity too: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-chrome-to-use-on-device-ai-to-detect-tech-support-scams\/\">Google Chrome to use on-device AI to detect tech support scams \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/thehackernews.com\/2025\/05\/google-pays-1375-billion-to-texas-over.html\">Google Pays $1.375 Billion to Texas Over Unauthorized Tracking and Biometric Data Collection \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddea\ud83c\uddfa <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/tiktok-fined-530-million-for-sending-european-user-data-to-china\/\">TikTok fined \u20ac530 million for sending European user data to China \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>The FIDO Alliance are rebranding <em>World Password Day<\/em> (May 1) to <em>World Passkey Day<\/em>, and one of their biggest members, Microsoft, really got into the spirit of things: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-makes-all-new-accounts-passwordless-by-default\/\">Microsoft makes all new accounts passwordless by default \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> Microsoft has deprecated the password management features they had briefly added to their Passkeys\/MFA Authenticator app, Microsoft Authenticator \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-ends-authenticator-password-autofill-moves-users-to-edge\/\">www.bleepingcomputer.com\/\u2026<\/a> (Burdening Authenticator with legacy features is not useful IMO; let passwords slowly die in the browser \ud83d\ude42)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that are likely to be useful to the NosillaCast audience or the family members and friends whose IT 
they support.<\/aside>\n<ul>\n<li><strong>NosillaCastaways managing small businesses take note:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/uk-shares-security-tips-after-major-retail-cyberattacks\/\">UK shares security tips after major retail cyberattacks \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>Another smart person&#8217;s take on passkeys: <a href=\"https:\/\/www.troyhunt.com\/passkeys-for-normal-people\/\">Passkeys for Normal People \u2014 www.troyhunt.com\/\u2026<\/a><\/li>\n<li>\ud83c\udfa7 A nice re-telling of the incredible SSH hack that very nearly caused a digital Armageddon last year (we covered it extensively in this series): <a href=\"https:\/\/overcast.fm\/+AA4qHqpfo1A\">kill switch: the biggest hack that never happened- the xz utils story \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Bart:<\/strong>\n<ul>\n<li>\ud83c\udfa7 This recent episode of the wonderful weekly short podcast <a href=\"https:\/\/freakonomics.com\/series\/everyday-things\/\">The Economics of Everyday Things<\/a> is very much in keeping with the NosillaCast&#8217;s evangelism for accessibility: <a href=\"https:\/\/overcast.fm\/+AA-3QikC8p0\">The Economics of Everyday Things: 90. 
Closed Captions \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li>\ud83c\udfa7 This recent episode of the excellent <a href=\"https:\/\/99percentinvisible.org\">99% Invisible<\/a> podcast tells the fascinating story of how my beloved emoji are interacting with the legal system: <a href=\"https:\/\/overcast.fm\/+AAyIOyosQ-Q\">99% Invisible: \ud83d\ude05\u2696\ufe0f \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><strong>From Allison:<\/strong>\n<ul>\n<li>David Spark of the CISO Series Podcast played three fun games on DTNS Live \u2014 one was to guess whether a name on a slide was a security company or a Star Wars character \u2014 it starts at ~37 min. \ud83c\udfa6 <a href=\"https:\/\/www.youtube.com\/live\/WvE0Acd0dW0\">DTNS Live 5011: AI Me Anything! \u2014 www.youtube.com\/\u2026<\/a><\/li>\n<li>Researchers unveil LegoGPT, an AI model that designs physically stable Lego structures from text prompts and currently supports eight standard brick types: <a href=\"https:\/\/avalovelace1.github.io\/LegoGPT\/\">avalovelace1.github.io\/&#8230;<\/a><\/li>\n<li>Somehow, a few episodes of the NosillaCast are on IMDb: <a href=\"https:\/\/www.imdb.com\/title\/tt26246734\/\">www.imdb.com\/&#8230;<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people 
living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
A great example of why it&#8217;s important to patch \u2013 this is one of the things the Apple updates we called out last time patched: Apple &#8216;AirBorne&#8217; flaws can lead to zero-click AirPlay RCE [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[956,50,569,5178,3355,2003,7067],"class_list":["post-33778","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-patches","tag-security","tag-security-bits","tag-signal","tag-stay-patched","tag-vulnerabilities","tag-zero-day-2"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/33778","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=33778"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/33778\/revisions"}],"predecessor-version":[{"id":33780,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/33778\/revisions\/33780"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/283
85"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=33778"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=33778"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=33778"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}