{"id":35566,"date":"2026-03-15T14:36:41","date_gmt":"2026-03-15T21:36:41","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=35566"},"modified":"2026-03-15T14:36:41","modified_gmt":"2026-03-15T21:36:41","slug":"sb-2026-03-15","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2026\/03\/sb-2026-03-15\/","title":{"rendered":"Security Bits \u2014 15 March 2026"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>A timely reminder to keep your routers patched and to bin un-supported models via listener BG in the Podfeet Slack: <a href=\"https:\/\/arstechnica.com\/security\/2026\/03\/14000-routers-are-infected-by-malware-thats-highly-resistant-to-takedowns\/\">14,000 routers are infected by malware that\u2019s highly resistant to takedowns \u2014 arstechnica.com\/\u2026<\/a> (ASUS routers, mostly in the US, in this case)<\/li>\n<li>A timely reminder that Mac users are not immune to malware: <a href=\"https:\/\/www.macobserver.com\/news\/macos-users-should-be-careful-of-new-password-stealing-malware\/\">macOS Users Should Be Careful of New Password-Stealing Malware \u2014 www.macobserver.com\/\u2026<\/a>\n<ul>\n<li><em>\u201cSecurity researchers at Malwarebytes uncovered the campaign and warned that attackers rely on social engineering rather than technical exploits.\u201d<\/em><\/li>\n<\/ul>\n<\/li>\n<li>The two sides to AI are still on display:\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-hackers-abusing-ai-at-every-stage-of-cyberattacks\/\">Microsoft: Hackers abusing AI at every stage of cyberattacks \u2014 www.bleepingcomputer.com\/\u2026<\/a> (from Microsoft&#8217;s latest threat intelligence report on AI)<\/li>\n<li><a 
href=\"https:\/\/thehackernews.com\/2026\/03\/anthropic-finds-22-firefox.html\">Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Listener Questions<\/h2>\n<aside class=\"small-aside\">Submit your questions for future shows to Allison using the contact details at the end of the show, or post them in the <em>security-bits<\/em> channel in the <a href=\"https:\/\/podfeet.com\/slack\" target=\"_blank\">Podfeet Slack<\/a>.<\/aside>\n<h3>Passkeys Question From Ed Tobias<\/h3>\n<p><strong>Ed asks if it&#8217;s possible for passkeys to replace passwords completely given passkeys are device-bound, and we need to be able to renew our devices?<\/strong><\/p>\n<p><em><strong>TL;DR<\/strong> \u2014 Yes!<\/em><\/p>\n<p>Fundamentally, <strong>authentication<\/strong> and <strong>account recovery<\/strong> are two completely different problems, and always have been. Replacing your device and hence losing the passkeys on it is similar to forgetting your passwords. Similar, but actually a slightly easier problem to solve in many situations.<\/p>\n<p>No matter how you authenticate, it&#8217;s always possible to get locked out, so there has always been a mechanism for getting back in, and there always will be. That mechanism is completely separate from how you authenticate, and the details depend entirely on the context. Some example processes include:<\/p>\n<ol>\n<li>Websites often use an email loop to recover accounts<\/li>\n<li>Cellphone-number-based messaging apps like Signal, Telegram, and WhatsApp use an SMS loop<\/li>\n<li>Banks often require you to visit a branch with photo ID<\/li>\n<li>Organisations often require you to visit IT with your work or student ID<\/li>\n<\/ol>\n<p>Passkeys don&#8217;t change any of this. 
But passkeys do offer some simpler, equally secure additional options for onboarding new devices that don&#8217;t yet have a needed passkey.<\/p>\n<p>For example, if you use Entra ID (Microsoft&#8217;s identity provider for the work\/school versions of Office365), a short-lived <em>temporary access pass<\/em> (TAP) can be given to the user by the service desk to allow them to register a new passkey. These TAPs can be configured with very short lifetimes, and to be single-use.<\/p>\n<p>However, because we generally have more than one device these days, you can often handle the need for a new passkey without needing to resort to account recovery at all, simply by using a device that does still have a valid passkey to securely authorise the generation of a new passkey on the new device. There are infinitely many ways to implement this concept, but here are some examples I have seen in the real world:<\/p>\n<ol>\n<li>Using a passkey manager that synchronises passkeys securely between devices, for example, 1Password (how I manage all my passkeys that are not device-bound by corporate policy).<\/li>\n<li>Presentation of a QR code on an existing device to be scanned by the new device to authorise the creation of the new passkey.<\/li>\n<li>Generation of a one-time code on a logged-in device with an existing passkey to authorise the creation of a new passkey on a new device.<\/li>\n<\/ol>\n<p>So, in short, neither the need for device replacements nor the need for account recovery prevents the complete death of passwords in the hopefully near future \ud83d\ude00 Thank goodness!<\/p>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action: if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2026\/03\/microsoft-patch-tuesday-march-2026-edition\/\">Microsoft Patch Tuesday, March 2026 Edition \u2014 krebsonsecurity.com\/\u2026<\/a> (a relatively quiet one, but 
patch promptly regardless!)<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/google\/google-fixes-two-new-chrome-zero-days-exploited-in-attacks\/\">Google fixes two new Chrome zero-days exploited in attacks \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>Google has released the March Android security update; it patches one actively exploited zero-day \u2014 <a href=\"https:\/\/cyberinsider.com\/google-patches-actively-exploited-qualcomm-gpu-zero-day-on-android\/\">cyberinsider.com\/\u2026<\/a> (If your Android phone can&#8217;t get this patch, it&#8217;s not securable and needs replacing!)<\/li>\n<li>Apple have back-ported fixes for actively exploited vulnerabilities to additional older, technically unsupported iOS devices \u2014 <a href=\"https:\/\/cyberinsider.com\/apple-backports-coruna-exploit-fixes-to-older-iphones-and-ipads\/\">cyberinsider.com\/\u2026<\/a><\/li>\n<li>\ud83c\udde6\ud83c\uddfa More important iOS updates for <strong>Australian<\/strong> users with older iPhones \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/ios-18-7-6-released-for-iphone-xs-and-xr-with-emergency-network-fix\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>\u26a0\ufe0f <strong>Star Citizen players:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/star-citizen-game-dev-discloses-breach-affecting-user-data\/\">Star Citizen game dev discloses breach affecting user data \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\u26a0\ufe0f <strong>Viber Users:<\/strong> patch ASAP to fix TLS bug exposing supposedly private user data \u2014 <a href=\"https:\/\/cyberinsider.com\/viber-messenger-tls-flaw-breaks-cloak-proxy-mode-and-exposes-users\/\">cyberinsider.com\/\u2026<\/a><\/li>\n<li>\u26a0\ufe0f <strong>AdGuard Home Users:<\/strong> <a href=\"https:\/\/cyberinsider.com\/adguard-home-vulnerable-to-critical-auth-bypass-allowing-admin-control\/\">AdGuard Home vulnerable to critical auth bypass allowing admin control \u2014 
cyberinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><strong>A timely reminder from Matt Mullenweg:<\/strong> <a href=\"https:\/\/ma.tt\/2026\/03\/gone-almost-phishin\/\">Gone (Almost) Phishin\u2019 \u2014 ma.tt\/\u2026<\/a>\n<ul>\n<li>The scammers started by triggering both a real password reset <strong>and<\/strong> opening a real Apple Support case, pretending to be Matt<\/li>\n<li>Those actions triggered genuine emails and alerts from Apple<\/li>\n<li><strong>Then<\/strong> they phoned him pretending to be Apple, and eventually tried to get him to a <strong>fake<\/strong> Apple page and to click a <strong>fraudulent<\/strong> sign-in button<\/li>\n<li>Key points to remember:<\/li>\n<li>Apple never call you first! Unless you scheduled a callback, <strong>if Apple call you it&#8217;s fake<\/strong><\/li>\n<li>All legitimate Apple sites are under <code>apple.com<\/code>, possibly as <code>something.apple.com<\/code>, but anything under <code>something-apple.com<\/code> is fake!<\/li>\n<\/ul>\n<\/li>\n<li>Tread carefully with Chrome&#8217;s new agentic AI features; there are known bugs, including one still awaiting a patch \u2014 <a href=\"https:\/\/cyberinsider.com\/chrome-vulnerability-could-let-attackers-hijack-gemini-ai-sessions\/\">cyberinsider.com\/\u2026<\/a> (advice at the bottom of the article)<\/li>\n<li>\u26a0\ufe0f <strong>Instagram Users:<\/strong> <a href=\"https:\/\/thehackernews.com\/2026\/03\/meta-to-shut-down-instagram-end-to-end.html\">Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 \u2014 thehackernews.com\/\u2026<\/a> (<strong>Lesson:<\/strong> avoid using any social media service for secure messaging; use a dedicated secure messaging app instead!)<\/li>\n<li>\u26a0\ufe0f <strong>Meta Glasses Users:<\/strong> <a 
href=\"https:\/\/daringfireball.net\/linked\/2026\/03\/09\/kenya-meta-contractors\">Low-Wage Contractors in Kenya See What Users See While Using Meta\u2019s AI Smart Glasses \u2014 daringfireball.net\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>\ud83c\uddea\ud83c\uddfa The EU parliament has sent the EU Council of Ministers and the EU Commission a clear message that they are not OK with their so-far-failed plans to break end-to-end encryption in the name of child protection \u2014 <a href=\"https:\/\/cyberinsider.com\/eu-votes-to-restrict-mass-scanning-of-peoples-private-messages\/\">cyberinsider.com\/\u2026<\/a>\n<ul>\n<li>Reminder to non-EU listeners, there are three European bodies that have to agree on all new laws for them to pass \u2014 the council of ministers (member state government ministers), the commission (an executive branch appointed by the member states), and the parliament (elected by the citizens)<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/expressvpn-says-it-now-blocks-csam-domains-without-inspecting-user-traffic\/\">ExpressVPN says it now blocks CSAM domains without inspecting user traffic \u2014 cyberinsider.com\/\u2026<\/a>\n<ul>\n<li>Cleverly does so without breaking any of their privacy guarantees<\/li>\n<li>All DNS requests for known CSAM domains will be blocked at the network level at the points ExpressVPN&#8217;s networks connect to the public internet, i.e. 
<strong>after<\/strong> the traffic exits the VPN tunnels but before it reaches the public internet.<\/li>\n<\/ul>\n<\/li>\n<li>Some nice software security improvements and developments\n<ul>\n<li>Bitwarden joins the list of password managers with OS-level passkey integration into Windows 11 \u2014 <a href=\"https:\/\/cyberinsider.com\/bitwarden-now-lets-users-log-into-windows-11-using-passkeys\/\">cyberinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-entra-brings-phishing-resistant-sign-in-to-windows\/\">Microsoft brings phishing-resistant Windows sign-ins via Entra passkeys \u2014 www.bleepingcomputer.com\/\u2026<\/a> (Expands OS-level passkey support via Windows Hello to personally owned devices connecting to corporate Office365 environments)<\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/mullvads-new-gotatun-protocol-passes-first-independent-audit\/\">Mullvad\u2019s new GotaTun protocol passes first independent audit \u2014 cyberinsider.com\/\u2026<\/a> (we reported on this new open-source protocol a few weeks ago when it was first published)<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/meta-adds-new-whatsapp-facebook-and-messenger-anti-scam-tools\/\">Meta adds new WhatsApp, Facebook, and Messenger anti-scam tools \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/whatsapp-introduces-parent-managed-accounts-for-pre-teens\/\">WhatsApp introduces parent-managed accounts for pre-teens \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/ibm-partners-with-signal-to-develop-quantum-safe-messaging-encryption\/\">IBM partners with Signal to develop quantum-safe messaging encryption \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li>The free open source (and Belgian \ud83d\ude00 \ud83c\udde7\ud83c\uddea) tool <em>GitLeaks<\/em> has been re-built, improved, and renamed to 
<em>BetterLeaks<\/em> \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/betterleaks-a-new-open-source-secrets-scanner-to-replace-gitleaks\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>A tool to help find secrets like private keys accidentally committed to Git so they can be revoked and renewed as appropriate. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Listener Kantor on Slack:<\/strong> <a href=\"https:\/\/pridever.org\/\">Pride Versioning \ud83c\udff3\ufe0f\u200d\ud83c\udf08 0.3.0 \u2014 pridever.org<\/a> (nice reference to SemVer <a href=\"https:\/\/pbs.bartificer.net\/pbs109\">discussed on PBS<\/a>)<\/li>\n<li><strong>From Allison:<\/strong>\n<ul>\n<li>@NotMathClub on TikTok explained that the 20th President of the United States, James Garfield, developed his own proof of the Pythagorean Formula: <a href=\"https:\/\/www.tiktok.com\/t\/ZP8qKEMco\/\">www.tiktok.com\/&#8230;<\/a><\/li>\n<\/ul>\n<\/li>\n<li><strong>From Bart:<\/strong>\n<ul>\n<li>\ud83c\udfa7 <a href=\"https:\/\/podcasts.apple.com\/ie\/podcast\/the-history-of-the-octothorpe-sir\/id173429229?i=1000752856568\">The Grammar Girl Podcast has an episode on the history of the octothorpe. Sir Fragalot and sentence fragments. Dribzle. \u2014 podcasts.apple.com\/\u2026<\/a> (Appropriate given how much hassle saying the <code>#<\/code> character causes us on PBS \ud83d\ude42)<\/li>\n<li>\ud83c\udfa7 Learn about one of the finest female SciFi screen writers ever: <a href=\"https:\/\/overcast.fm\/+AAWnAMSnNkw\">Imaginary Worlds: How D.C. 
Fontana Helped Star Trek Live Long and Prosper \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to, when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. A timely reminder to keep your routers patched and to bin un-supported models via listener BG in the Podfeet Slack: 14,000 routers are infected by malware that\u2019s highly resistant to takedowns \u2014 arstechnica.com\/\u2026 (ASUS [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[2060,5281,8011,1931,569],"class_list":["post-35566","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-malware","tag-passkeys","tag-password-stealing-malware","tag-phishing","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/35566","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/
blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=35566"}],"version-history":[{"count":1,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/35566\/revisions"}],"predecessor-version":[{"id":35567,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/35566\/revisions\/35567"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=35566"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=35566"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=35566"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
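The temporary access pass and one-time-code onboarding flows described in the Listener Questions section above all come down to the same four server-side rules: the code is minted only from an already-authenticated context (an existing passkey session or a service desk that has checked ID), it is short-lived, it is single-use, and it cannot be guessed. The Python below is an added example that models those rules; it is not code from the show notes, from Microsoft's Entra ID, or from any passkey manager. The `PasskeyDirectory` class, its method names, the three-block code format and the three-attempt lockout are assumptions made for illustration, and the passkey itself is reduced to an opaque public-key string with no real WebAuthn registration ceremony.

```python
"""Toy model of onboarding a new device with a short-lived, single-use
enrolment code. Added example; not the show's, Microsoft's, or any vendor's
code. The 'passkey' is just an opaque public-key string (assumption)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class EnrolmentCode:
    """Server-side record of one pending enrolment code for one user."""
    digest: bytes           # SHA-256 of the code; the plaintext is never stored
    expires_at: float       # Unix time after which the code is dead
    attempts_left: int = 3  # wrong guesses tolerated before the code is burned
    used: bool = False      # single use: flipped on the first successful redemption


class PasskeyDirectory:
    """Toy identity provider: passkey public keys per user, plus the pending
    enrolment codes that let a device without a passkey add one."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so expiry can be exercised deterministically
        self.passkeys: dict[str, list[str]] = {}
        self.pending: dict[str, EnrolmentCode] = {}

    def issue_code(self, user: str, lifetime_s: int = 600) -> str:
        """Mint a code for `user`. Only an already-authenticated context may call
        this (a session on a device that still has a passkey, or the service desk
        after an identity check); that authorisation is the recovery step, and it
        is separate from authentication itself."""
        code = "-".join(secrets.token_hex(2) for _ in range(3))  # e.g. 'a3f1-9c02-7b4e'
        self.pending[user] = EnrolmentCode(
            digest=hashlib.sha256(code.encode()).digest(),
            expires_at=self.clock() + lifetime_s,
        )
        return code  # shown once: QR code on the old device, or read out by the desk

    def redeem(self, user: str, code: str, new_public_key: str) -> tuple[bool, str]:
        """Register `new_public_key` for `user` if `code` is valid. Each failure
        path returns a distinct reason so the properties can be checked."""
        rec = self.pending.get(user)
        if rec is None:
            return False, "no pending enrolment code"
        if rec.used:
            return False, "code already used"
        if self.clock() > rec.expires_at:
            del self.pending[user]
            return False, "code expired"
        presented = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(presented, rec.digest):  # constant-time compare
            rec.attempts_left -= 1
            if rec.attempts_left <= 0:
                del self.pending[user]
                return False, "too many wrong attempts; code revoked"
            return False, f"wrong code ({rec.attempts_left} attempts left)"
        rec.used = True
        self.passkeys.setdefault(user, []).append(new_public_key)
        return True, "passkey registered"


def demo() -> dict:
    """Happy path, a replay, an expiry and a guessing attempt, on a fake clock.
    Returns the outcomes so a caller can assert on them."""
    now = [1_700_000_000.0]
    idp = PasskeyDirectory(clock=lambda: now[0])
    idp.passkeys["alice"] = ["pk-old-phone"]  # constructed: the device she still has

    code = idp.issue_code("alice", lifetime_s=300)  # authorised from the old phone
    ok_first, _ = idp.redeem("alice", code, "pk-new-phone")
    ok_replay, why_replay = idp.redeem("alice", code, "pk-attacker")  # same code again

    code2 = idp.issue_code("alice", lifetime_s=300)
    now[0] += 301  # let it expire before the new device gets round to using it
    ok_late, why_late = idp.redeem("alice", code2, "pk-late")

    code3 = idp.issue_code("alice", lifetime_s=300)
    guesses = [idp.redeem("alice", "0000-0000-0000", "pk-guess")[0] for _ in range(3)]
    ok_after_lockout, why_lockout = idp.redeem("alice", code3, "pk-guess")

    return {
        "first": ok_first,
        "replay": (ok_replay, why_replay),
        "expired": (ok_late, why_late),
        "guesses": guesses,
        "after_lockout": (ok_after_lockout, why_lockout),
        "alice_passkeys": idp.passkeys["alice"],
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The point of the lockout branch is that a short lifetime alone is not enough: a twelve-hex-character code is guessable in principle, so a real service pairs it with rate limiting or a small attempt budget, as the toy does. Note that after three wrong guesses even the genuine code is dead and the user has to go back through the authorised issuance step.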
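The rule of thumb in the Worthy Warnings section, that legitimate Apple sites live under `apple.com` while `something-apple.com` does not, is easy to state and surprisingly easy to get wrong in code. The Python below is an added example, not from the show notes or from Apple, contrasting a naive substring test with a check that matches the hostname on a dot boundary. The sample URLs are constructed for the example, and `LEGIT_ROOT`, `naive_check`, `is_legit_host` and `compare` are names chosen here.

```python
"""Added example: checking that a URL really is under apple.com.
Not code from the show notes or from Apple."""
from urllib.parse import urlsplit

# Assumption for this example: apple.com is the only domain treated as
# legitimate, matching the rule in the Matt Mullenweg item. Real code would
# load such a list from configuration.
LEGIT_ROOT = "apple.com"


def naive_check(url: str) -> bool:
    """The check a scammer is counting on: 'does the URL mention apple.com?'"""
    return "apple.com" in url.lower()


def is_legit_host(url: str, root: str = LEGIT_ROOT) -> bool:
    """True only if the URL is HTTPS and its host is `root` itself or a
    subdomain of it, i.e. the suffix match happens on a dot boundary rather
    than inside a longer label such as something-apple.com."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    # .hostname drops any user:pass@ prefix and the :port, and lowercases.
    host = (parts.hostname or "").rstrip(".")
    return host == root or host.endswith("." + root)


# Constructed sample URLs: the genuine forms, then lookalikes of the kinds
# used on phishing pages. The value is the verdict a correct check must give.
SAMPLES = {
    "https://support.apple.com/en-us": True,
    "https://apple.com/": True,
    "https://APPLE.COM/account": True,
    "https://something-apple.com/signin": False,  # the pattern called out above
    "https://apple.com.login-help.net/": False,   # real name buried as a subdomain
    "https://apple.com@evil.example/": False,     # userinfo trick: host is evil.example
    "http://apple.com/": False,                   # not HTTPS
    "https://notapple.com/": False,               # suffix match without the dot
}


def compare(samples: dict = SAMPLES) -> dict:
    """Run both checks; returns {url: (naive verdict, correct verdict)}."""
    return {u: (naive_check(u), is_legit_host(u)) for u in samples}


if __name__ == "__main__":
    for url, (naive, correct) in compare().items():
        print(f"{url:45} naive={naive!s:5} correct={correct}")
```

Every sample passes the naive test, including all five lookalikes; only the three genuine URLs pass the boundary-aware check. The same rule generalises to any organisation's domain by changing `root`.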