{"id":34580,"date":"2025-09-28T11:32:15","date_gmt":"2025-09-28T18:32:15","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=34580"},"modified":"2025-09-28T11:32:15","modified_gmt":"2025-09-28T18:32:15","slug":"sb-2025-09-28","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2025\/09\/sb-2025-09-28\/","title":{"rendered":"Security Bits \u2014 28 September 2025"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>The industry is fighting back against the recent spike in supply-chain attacks targeting shared library platforms like NPM, PyPI, etc.: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/github-tightens-npm-security-with-mandatory-2fa-access-tokens\/\">GitHub tightens npm security with mandatory 2FA, access tokens \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 Details are of course sparse, but there appears to finally be a resolution to the TikTok question in sight: <a href=\"https:\/\/cyberinsider.com\/us-strikes-tiktok-deal-to-keep-user-data-on-american-soil\/\">US Strikes TikTok Deal to Keep User Data on American Soil \u2014 cyberinsider.com\/\u2026<\/a>\n<ul>\n<li>Note there is no confirmation from China yet, so this may be wish-casting<\/li>\n<li>It appears the algorithm will stay under Chinese control; why else would Oracle need to <em>&#8216;oversee&#8217;<\/em> it?<\/li>\n<li>It might meet the letter of the <em>Protecting Americans from Foreign Adversary\u2011Controlled Applications Act<\/em>, but it definitely seems to violate the law&#8217;s intent!<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddea\ud83c\uddfa European users get a reprieve on Windows 10 end-of-support: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-will-offer-free-windows-10-security-updates-in-europe\/\">Microsoft 
will offer free Windows 10 extended security updates in Europe \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive \u2014 Apple&#8217;s New OSes Offer More than Just Liquid Glass!<\/h2>\n<p>Apple didn&#8217;t just add a new UI and some nice new features with this year&#8217;s round of OS updates; they also added some nice security enhancements to their ecosystem.<\/p>\n<h3>New Parental Controls<\/h3>\n<p>Earlier in the year Apple released a white paper outlining their updated approach to child safety, and those new features have now been delivered. If you have a family this is probably the most significant update, and the changes apply across Apple&#8217;s ecosystem.<\/p>\n<p>The highlights are:<\/p>\n<ol>\n<li>More fine-grained age ranges for ratings<\/li>\n<li>A new privacy-protecting age-range-indication API for developers to restrict parts or aspects of their apps as appropriate, or to add age-aware content filtering.<\/li>\n<li>More detailed rules for developers, and new content-related labels in the App Store<\/li>\n<li>Tweaks to the controls parents have over their kids&#8217; communications<\/li>\n<\/ol>\n<h4>Links<\/h4>\n<ul>\n<li>A nice overview \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/25\/09\/15\/apple-adds-new-tools-to-help-parents-manage-kids-device-use-and-app-access\">appleinsider.com\/\u2026<\/a><\/li>\n<li>Apple&#8217;s Press Release \u2014 <a href=\"https:\/\/www.apple.com\/newsroom\/2025\/09\/apples-latest-tools-to-help-protect-kids-and-teens-online-now-available\/?1757955572\">www.apple.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>FileVault Enhancement in macOS Tahoe<\/h3>\n<p>One of the biggest risks with full-disk encryption is losing all your data because you forget your password. This is why FileVault has always offered recovery keys, but the options for storing those keys were not great. You could either print your own key and keep it somewhere safe, or you could have Apple keep it for you. 
This option to have Apple hold the key was added before Apple brought full end-to-end encryption for sensitive data to iCloud, so it was not protected in the same way as your health data or the passwords in your iCloud Keychain; instead it was protected like your files in iCloud, meaning Apple had it to hand over to law enforcement on request, or to lose should they ever get hacked.<\/p>\n<p>That piece of technical debt has now been paid down, with your recovery key being secured in your iCloud Keychain with full end-to-end encryption, just like all your other passwords.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/sixcolors.com\/post\/2025\/09\/filevault-on-macos-tahoe-no-longer-uses-icloud-to-store-its-recovery-key\/\">FileVault on macOS Tahoe uses iCloud Keychain to store its Recovery Key \u2014 sixcolors.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Improved eSIM Protections<\/h3>\n<p>SIM-jacking is a really popular attack these days, and Apple have raised the bar for transferring an eSIM away from an iPhone by adding a step that <strong>requires<\/strong> biometric authentication; there is no password fallback!<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/apple-just-made-your-iphones-esim-dramatically-more-secure\/\">Apple Just Made Your iPhone\u2019s eSIM Dramatically More Secure \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Improved Privacy Protections in Safari<\/h3>\n<p>It&#8217;s normal for browser makers to test privacy-protection features in their private browsing modes before later rolling them out universally. That&#8217;s what Apple did with its most recent AI-based privacy protections. In previous versions they were only enabled in private windows and tabs; now they&#8217;re always on.<\/p>\n<p>The feature uses machine learning to better detect trackers of all kinds and block them. 
Like all tracking protections, and indeed like everything AI, the protections are not perfect, but they will nonetheless boost the privacy of Safari users.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/apple-is-turning-on-a-powerful-safari-anti-tracking-tool-for-everyone\/\">Apple is Turning on a Powerful Safari Anti-Tracking Tool for Everyone \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action: if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li>Apple patched older OSes as well as releasing brand new ones:\n<ul>\n<li><a href=\"https:\/\/www.cultofmac.com\/news\/ios-18-7-ipados-187-security-patch\">iOS 18.7 and iPadOS 18.7 fix major bugs for those not ready for Liquid Glass \u2014 www.cultofmac.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/25\/09\/15\/ios-18-ios-16-macos-sequoia-and-macos-sonoma-got-updates-too\">iOS 18, iOS 16, macOS Sequoia, and macOS Sonoma got updates too \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/apple-backports-zero-day-patches-to-older-iphones-and-ipads\/\">Apple backports zero-day patches to older iPhones and iPads \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\u26a0\ufe0f <strong>Chrome Users:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-patches-sixth-chrome-zero-day-exploited-in-attacks-this-year\/\">Google patches sixth Chrome zero-day exploited in attacks this year \u2014 www.bleepingcomputer.com\/\u2026<\/a> (remember that a downloaded Chrome update only takes effect once you relaunch the browser)<\/li>\n<li>\u26a0\ufe0f <strong>OnePlus Phone Owners:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/unpatched-flaw-in-oneplus-phones-lets-rogue-apps-text-messages\/\">Unpatched flaw in OnePlus phones lets rogue apps text messages \u2014 www.bleepingcomputer.com\/\u2026<\/a> 
(Popular in the EU, not sure about the US?)<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>A timely reminder that AI in general, and agentic AI in particular, is still in its dangerous early phase (like early IoT), and not yet safe for general use: <a href=\"https:\/\/thehackernews.com\/2025\/09\/shadowleak-zero-click-flaw-leaks-gmail.html\">ShadowLeak Zero-Click Flaw Leaks Gmail Data via OpenAI ChatGPT Deep Research Agent \u2014 thehackernews.com\/\u2026<\/a> (a prompt injection hidden in an email that the agent reads and acts on by itself, so the victim never has to click anything)<\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2025\/09\/lastpass-warns-of-fake-repositories.html\">LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer \u2014 thehackernews.com\/\u2026<\/a> (Not LastPass&#8217;s vault, but just a reminder that they are nowhere near the best password manager; maybe change if you&#8217;re still using it!)<\/li>\n<li>A good reminder that Steam&#8217;s games store is just another app store: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/verified-steam-game-steals-streamers-cancer-treatment-donations\/\">Verified Steam game steals streamer&#8217;s cancer treatment donations \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>Steam might be game-focused, but games are just apps, and can carry just as much dangerous malware as any other app<\/li>\n<li>Unlike the more traditional app stores, Steam don&#8217;t quite seem to have refined their malware-fighting tools as well as they could just yet, probably because they were mostly ignored by cyber criminals until relatively recently<\/li>\n<li>The <strong>practical advice is to avoid new games with low download numbers<\/strong><\/li>\n<\/ul>\n<\/li>\n<li>\u26a0\ufe0f <strong>LinkedIn Users:<\/strong> <a href=\"https:\/\/cyberinsider.com\/linkedin-to-train-ai-with-two-decades-of-user-data-opt-out-now\/\">LinkedIn to Train AI With Two Decades of User Data, Opt Out 
Now \u2014 cyberinsider.com\/\u2026<\/a> (Since this is all public data on the web I&#8217;m not sure this is a big deal, and I&#8217;d rather assumed since it&#8217;s on the web it would be in all the models already anyway, but if you want to assert some limited control, you can \ud83d\ude42)<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>New reporting reveals cybercriminals are now using backpack-sized portable fake cellphone towers to inject SMS messages directly into people&#8217;s phones, bypassing the cell carriers, and all their recently boosted protections, completely \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/how-scammers-trick-your-phone-into-receiving-phishing-texts\/\">www.macobserver.com\/\u2026<\/a>\n<ul>\n<li>Remain utterly skeptical of all content in all SMS messages, no matter who they claim to be from!<\/li>\n<li>These so-called SMS blasters work by forcing nearby phones down onto 2G, where the network never authenticates itself to the phone; disabling 2G (Android&#8217;s <em>Allow 2G<\/em> toggle, or Lockdown Mode on iOS) shuts the attack out entirely<\/li>\n<li>Widespread in the UK, and on the rise in the US \ud83d\ude41<\/li>\n<\/ul>\n<\/li>\n<li>For those interested in a safe, secure, and private non-US VPN: <a href=\"https:\/\/cyberinsider.com\/proton-vpn-publishes-results-of-latest-independent-no-logs-audit\/\">Proton VPN Publishes Results of Latest Independent No-Logs Audit \u2014 cyberinsider.com\/\u2026<\/a><br \/>\n<blockquote><p>\n  Proton VPN has successfully passed its fourth annual no-logs audit, confirming that it does not collect or store user activity data or metadata on its VPN infrastructure.\n<\/p><\/blockquote>\n<\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that are likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><strong>From Bart:<\/strong> I regularly recommend the Have-I-Been-Pwned API, but Allison often pushes back that it&#8217;s not easy for mere mortals. Well, it just got a little easier with the release of their first video demo (more to come!): <a 
href=\"https:\/\/www.troyhunt.com\/hibp-demo-querying-the-api-and-the-free-test-key\/\">HIBP Demo: Querying the API, and the Free Test Key! \u2014 www.troyhunt.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li><strong>From Allison:<\/strong> <a href=\"https:\/\/www.computerworld.com\/article\/4059383\/openai-admits-ai-hallucinations-are-mathematically-inevitable-not-just-engineering-flaws.html\">OpenAI admits AI hallucinations are mathematically inevitable, not just engineering flaws \u2014 www.computerworld.com\/\u2026<\/a><br \/>\n<blockquote><p>\n  OpenAI, the creator of ChatGPT, acknowledged in its own research that large language models will always produce hallucinations due to fundamental mathematical constraints that cannot be solved through better engineering, marking a significant admission from one of the AI industry\u2019s leading companies.<br \/>\n  \u2026<br \/>\n  The researchers demonstrated their findings using state-of-the-art models, including those from OpenAI\u2019s competitors. When asked \u201cHow many Ds are in DEEPSEEK?\u201d the DeepSeek-V3 model with 600 billion parameters \u201creturned \u20182\u2019 or \u20183\u2019 in ten independent trials\u201d while Meta AI and Claude 3.7 Sonnet performed similarly, \u201cincluding answers as large as \u20186\u2019 and \u20187.\u2019\u201d<br \/>\n  \u2026<br \/>\n  OpenAI\u2019s own advanced reasoning models actually hallucinated more frequently than simpler systems. 
The company\u2019s o1 reasoning model \u201challucinated 16 percent of the time\u201d when summarizing public information, while newer models o3 and o4-mini \u201challucinated 33 percent and 48 percent of the time, respectively.\u201d<br \/>\n  \u2026<br \/>\n  \u201cUnlike human intelligence, it lacks the humility to acknowledge uncertainty,\u201d said Neil Shah, VP for research and partner at Counterpoint Technologies. \u201cWhen unsure, it doesn\u2019t defer to deeper research or human oversight; instead, it often presents estimates as facts.\u201d\n<\/p><\/blockquote>\n<\/li>\n<li><strong>From Bart:<\/strong> \ud83c\udfa7 An excellent discussion of the effect AI is having on cybersecurity: <a href=\"https:\/\/overcast.fm\/+AA3u0IKQCvk\">Big Technology Podcast: Is Generative AI a Cybersecurity Disaster Waiting to Happen? (With Yinon Costica) \u2014 overcast.fm\/\u2026<\/a><\/p>\n<\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to, when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td 
align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
The industry is fighting back against the recent spike in supply-chain attacks targeting shared library platforms like NPM, PyPi, etc.: GitHub tightens npm security with mandatory 2FA, access tokens \u2014 www.bleepingcomputer.com\/\u2026 \ud83c\uddfa\ud83c\uddf8 Details are [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[2658,5548,170,7611,7610,50,569],"class_list":["post-34580","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-chrome","tag-cybersecurity","tag-hack","tag-macos-26","tag-macos-tahoe","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/34580","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=34580"}],"version-history":[{"count":1,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/34580\/revisions"}],"predecessor-version":[{"id":34581,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/34580\/revisions\/34581"}],"wp:featuredmedia":[{"embeddable":true,"href":
"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=34580"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=34580"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=34580"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}