{"id":35477,"date":"2026-02-28T18:05:31","date_gmt":"2026-03-01T02:05:31","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=35477"},"modified":"2026-02-28T18:05:31","modified_gmt":"2026-03-01T02:05:31","slug":"sb-2026-02-28","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2026\/02\/sb-2026-02-28\/","title":{"rendered":"Security Bits \u2014 1 March 2026"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/notepad-plus-plus-boosts-update-security-with-double-lock-mechanism\/\">Notepad++ boosts update security with \u2018double-lock\u2019 mechanism \u2014 www.bleepingcomputer.com\/\u2026<\/a> (Following the embarrassing compromise of their update infrastructure that required all users to do a manual upgrade late last year)<\/li>\n<li>\ud83c\uddec\ud83c\udde7 A little movement on the UK&#8217;s ongoing attempts to break iCloud encryption for everyone: <a href=\"https:\/\/appleinsider.com\/articles\/26\/02\/25\/us-lawmakers-request-briefing-on-the-uks-icloud-encryption-backdoor-plans\">U.S. 
lawmakers request briefing on the UK&#8217;s iCloud encryption backdoor plans \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>Some timely reminders:\n<ul>\n<li>Attackers continue to target developers: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/flaws-in-popular-vscode-extensions-expose-developers-to-attacks\/\">Flaws in popular VSCode extensions expose developers to attacks \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>Browser Plugins continue to be used to target users: <a href=\"https:\/\/cyberinsider.com\/proton-warns-of-malicious-chrome-extensions-impersonating-its-vpn-service\/\">Proton warns of malicious Chrome extensions impersonating its VPN service \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive 1 \u2014 \ud83e\uddef Password Manager Vulnerabilities<\/h2>\n<p><em><strong>TL;DR<\/strong> \u2014 the issues identified are real, but they are not an immediate threat, and the password managers are responding by hardening their defences, so this is actually a good news story in disguise!<\/em><\/p>\n<p>Security researchers at the Swiss university ETH Zurich have published the results of their research into whether or not the cloud infrastructure of three specific password managers (<em>Bitwarden<\/em>, <em>LastPass<\/em> &amp; <em>Dashlane<\/em>) would protect user vaults if attackers were to completely compromise them.<\/p>\n<p>They did discover some weaknesses, but none pose an immediate danger to users. The various attacks require a lot of luck for the attackers. If we use the Swiss cheese model of security, a lot of quite small holes in a lot of layers would need to line up for the attacks to succeed. Not impossible, but very unlikely.<\/p>\n<p>In general, the companies are responding positively, embracing the findings and working to address them. 
The end result will be more secure password managers in the hands of millions of users.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>The original research: <a href=\"https:\/\/eprint.iacr.org\/2026\/058\">Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers \u2014 eprint.iacr.org\/\u2026<\/a><\/li>\n<li>News Coverage:\n<ul>\n<li><a href=\"https:\/\/cyberinsider.com\/popular-password-managers-fall-short-of-zero-knowledge-claims\/\">Popular password managers fall short of \u201czero-knowledge\u201d claims \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/security\/2026\/02\/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true\/\">Password managers\u2019 promise that they can\u2019t see your vaults isn\u2019t always true \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion and analysis: \ud83c\udfa7 <a href=\"https:\/\/twit.tv\/shows\/security-now\/episodes\/1066?autostart=false\">Security Now 1066: Password Leakage \u2014 twit.tv\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 2 \u2014 New <em>AirSnitch<\/em> WiFi Vulnerability<\/h2>\n<p><em><strong>TL;DR<\/strong> \u2014 even on captive portal networks, time to turn back on those VPNs \ud83d\ude41<\/em><\/p>\n<p>An exceptionally powerful feature enterprise-grade WiFi offers is <em>client isolation<\/em>. This means devices using a wifi network (clients) can talk to the internet, but not to anything else using the same wifi network (isolation). 
This stops things like malicious guests in a hotel or coffee shop from intercepting other guests&#8217; connections or attacking their devices.<\/p>\n<p>A simpler form of similar technologies has made its way into many home routers in the form of a separate guest network that is theoretically isolated from the homeowner&#8217;s own network.<\/p>\n<p>These features are very powerful, but they&#8217;re not actually part of the official WiFi standard; they&#8217;re bonus extras developed by vendors to out-compete their rivals. This means each router does things a little differently, but all without the kind of rigour you get from a well-studied and deeply understood open standard.<\/p>\n<p>The very talented computer scientists at the KU Leuven in Belgium (their work regularly produces new findings that get mentioned in these segments) wondered how secure these features really were, since they&#8217;re all so bespoke.<\/p>\n<p>Thankfully, they didn&#8217;t find a single gaping hole that just works, but they came much closer than we&#8217;d hope. Rather than a single attack, they developed a small suite of attacks, each of which worked across multiple products, and every implementation they tested was at least somewhat vulnerable to at least some of the attacks.<\/p>\n<p>The impact varied from Adversary-in-the-Middle (AiTM) attacks to full plain-text password stealing on some poorly configured enterprise networks using single-sign-on (e.g., Active Directory username+password to access WiFi). If that attack had been without caveats, it would have been a really big deal, but thankfully, that one only works when the organisation uses weak RADIUS keys.<\/p>\n<p>The last time we did a deep-dive on WiFi security, it was around the question of whether or not we still needed VPNs. Thanks to the power of client isolation, I didn&#8217;t bother anymore when using wifi I recognised as enterprise grade (no pre-shared key) because I knew it almost certainly had client isolation. 
Now, that safety net has proven to be leaky \ud83d\ude41<\/p>\n<p>It&#8217;s still true that just about every website is secured, and no WiFi-level attack can break into HTTPS, but it does mean that clicking past a certificate warning could be all it takes for an attacker to get into your bank account when you&#8217;re on a public WiFi network. If you&#8217;re not certain everything you do is properly encrypted, or if you&#8217;d like to work with a bit of a safety net, it probably is worth investing in a trustworthy VPN after all \ud83d\ude15<\/p>\n<p>More details \u2014 <a href=\"https:\/\/cyberinsider.com\/new-airsnitch-attack-bypasses-client-isolation-in-wi-fi-networks\/\">cyberinsider.com\/\u2026<\/a><\/p>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action: if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-patches-first-chrome-zero-day-exploited-in-attacks-this-year\/\">Google patches first Chrome zero-day exploited in attacks this year \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers\/\">Zyxel warns of critical RCE flaw affecting over a dozen routers \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/previously-harmless-google-api-keys-now-expose-gemini-ai-data\/\">Previously harmless Google API keys now expose Gemini AI data \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>E.g., a Google Maps API key on your website<\/li>\n<\/ul>\n<\/li>\n<li><a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cargurus-data-breach-exposes-information-of-124-million-accounts\/\">CarGurus data breach exposes information of 12.4 million accounts \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>Sensitive data, and the company is not being forthright, so no notifications to affected users from them \ud83d\ude41<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>We may have passed peak-ransomware: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ransomware-payment-rate-drops-to-record-low-despite-attack-surge\/\">Ransomware payment rate drops to record low as attacks surge \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>Cybercriminals are motivated by money, so as payments dry up, attacks will need to reduce in cost, either by reducing in volume, or, more likely, in complexity, focusing more on the low-hanging fruit, allowing more diligent organisations to fall out of the cross-hairs.<\/li>\n<li>This is a good example of why no-pay mandates\/laws make so much sense \u2014 kill the revenue!<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddec\ud83c\udde7 <a href=\"https:\/\/cyberinsider.com\/uk-plans-age-checks-for-vpn-users-to-enforce-social-media-limits\/\">UK plans age checks for VPN users to enforce social media limits \u2014 cyberinsider.com\/\u2026<\/a>\n<ul>\n<li><strong>Editorial by Bart:<\/strong> This is getting insane, this won&#8217;t work, this will just drive kids to free and very dodgy VPNs \u2014 you can&#8217;t use technology as a substitute for parental oversight!<\/li>\n<li><strong>Related:<\/strong> the iOS 26.4 beta contains test versions of new age-verification APIs for use by apps in some countries, including the UK \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/apple-launches-new-age-verification-measures-for-developers\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>The two sides of AI on display again:\n<ul>\n<li><a 
href=\"https:\/\/cyberinsider.com\/hacker-used-ai-to-breach-600-fortigate-appliances-across-55-countries\/\">Hacker used AI to breach 600 FortiGate appliances across 55 countries \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li><em>&#8220;A financially motivated, Russian-speaking threat actor used commercial generative AI services to compromise more than 600 FortiGate devices across 55 countries. Rather than exploiting zero-day flaws, the campaign relied on exposed management interfaces and weak credentials, with AI acting as a force multiplier that enabled large-scale, parallel intrusions.&#8221;<\/em><\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2026\/02\/anthropic-launches-claude-code-security.html\">Anthropic Launches Claude Code Security for AI-Powered Vulnerability Scanning \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>1Password&#8217;s first price increase in very many years is a good opportunity to reflect on decisions likely made a long time ago in a very different world:\n<ul>\n<li><a href=\"https:\/\/www.cultofmac.com\/news\/1password-price-increase-makes-apple-passwords-look-better\">1Password price increase makes Apple Passwords look better \u2014 www.cultofmac.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/tidbits.com\/2026\/02\/25\/should-1passwords-price-hike-push-you-to-apples-passwords\/\">Should 1Password\u2019s Price Hike Push You to Apple\u2019s Passwords? 
\u2014 tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>More regulators regulating:\n<ul>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/texas-sues-tp-link-over-chinese-hacking-risks-user-deception\/\">Texas sues TP-Link over Chinese hacking risks, user deception \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddec\ud83c\udde7 <a href=\"https:\/\/cyberinsider.com\/uk-fines-reddit-19-5-million-over-childrens-data-privacy-failures\/\">UK fines Reddit $19.5 million over children\u2019s data privacy failures \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/cyberinsider.com\/new-york-sues-valve-for-loot-boxes-violating-state-gambling-laws\/\">New York sues Valve for loot boxes violating state gambling laws \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/cyberinsider.com\/samsung-to-update-smart-tv-data-practices-following-texas-lawsuit\/\">Samsung to update smart TV data practices following Texas lawsuit \u2014 cyberinsider.com\/\u2026<\/a> (We reported on this case being filed a few weeks ago)<\/li>\n<\/ul>\n<\/li>\n<li>Some nice product updates:\n<ul>\n<li><a href=\"https:\/\/cyberinsider.com\/duckduckgo-adds-private-ai-photo-editing-to-duck-ai-platform\/\">DuckDuckGo adds private AI photo editing to Duck.ai platform \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/firefox-148-introduces-promised-ai-kill-switch-patches-sandbox-escapes\/\">Firefox 148 introduces promised AI \u201ckill switch,\u201d patches sandbox escapes \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/instagram-to-notify-parents-if-teens-search-suicide-or-self-harm-terms\/\">Instagram to Notify Parents if Teens Search Suicide or Self-Harm Terms \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a 
href=\"https:\/\/cyberinsider.com\/apple-iphone-becomes-first-consumer-product-certified-for-handling-classified-nato-data\/\">Apple iPhone becomes first consumer product certified for handling classified NATO data \u2014 cyberinsider.com\/\u2026<\/a> (actual military-grade security!)<\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that are likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/round-ups\/the-apple-users-guide-to-safer-browsing-on-mac-and-iphone\/\">The Apple User\u2019s Guide to Safer Browsing on Mac and iPhone \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/android-vs-ios-security-in-2026-is-iphone-still-safer-or-has-google-closed-the-gap\/\">Android vs iOS Security in 2026: Is iPhone Still Safer, or Has Google Closed the Gap? 
\u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>\ud83c\udfa7 One of the most enlightening conversations about AI I&#8217;ve heard in a very long time: <a href=\"https:\/\/overcast.fm\/+AAzXlUXzblo\">StarTalk Radio: The Origins of Artificial Intelligence with Geoffrey Hinton \u2014 overcast.fm\/\u2026<\/a> (if the name is familiar, it&#8217;s because he won a Nobel Prize for his work on the very foundations of modern AI, dating back decades!)<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>\ud83d\uddbc\ufe0f My pet-peeve about Sherlock Holmes hilariously ridiculed: <a href=\"https:\/\/xkcd.com\/3210\/\">xkcd.com\/\u2026<\/a>\n<ul>\n<li>Reductive reasoning is <strong>terrible<\/strong>: it means the less imaginative you are, the more certain you are you&#8217;re being <em>&#8216;logical&#8217;<\/em>! This kind of smart-sounding idiocy fuels our toxic conspiracy theory culture \ud83d\ude41<\/li>\n<li><em>&#8220;If you&#8217;ve eliminated everything you think is possible, the weirdest thing you can think of must be true&#8221;<\/em> \ud83e\udd2f<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\udfa7 My favourite grammar podcaster (Mignon Fogarty) chats with my favourite typography geek (Glenn Fleishman) about my least-favourite internet habit: <a href=\"https:\/\/bsky.app\/profile\/grammargirl.bsky.social\/post\/3mfalaf54pq23\">Grammar Girl: why do we SHOUT in ALL CAPS? 
\u2014 bsky.app\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Notepad++ boosts update security with \u2018double-lock\u2019 mechanism \u2014 www.bleepingcomputer.com\/\u2026 (Following the embarrassing compromise of their update infrastructure that required all users to do a manual upgrade late last year) \ud83c\uddec\ud83c\udde7 A little movement on [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[7955,1416,50,569,2003,7956],"class_list":["post-35477","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-airsnitch","tag-password-manager","tag-security","tag-security-bits","tag-vulnerabilities","tag-wifi-vulnerability"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/35477"
,"targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=35477"}],"version-history":[{"count":1,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/35477\/revisions"}],"predecessor-version":[{"id":35478,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/35477\/revisions\/35478"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=35477"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=35477"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=35477"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}