{"id":35641,"date":"2026-03-24T12:51:31","date_gmt":"2026-03-24T19:51:31","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=35641"},"modified":"2026-03-24T12:51:31","modified_gmt":"2026-03-24T19:51:31","slug":"sb-2026-03-24","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2026\/03\/sb-2026-03-24\/","title":{"rendered":"Security Bits \u2014 24 March 2026"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>\ud83c\uddfa\ud83c\uddf8 We&#8217;ve known, unofficially, that the US government uses commercial data brokers to by-pass the 4th amendment and get geolocation data on US citizens for some time, but now it&#8217;s on the record: <a href=\"https:\/\/arstechnica.com\/tech-policy\/2026\/03\/fbi-started-buying-americans-location-data-again-kash-patel-confirms\/\">FBI started buying Americans\u2019 location data again, Kash Patel confirms \u2014 arstechnica.com\/\u2026<\/a>\n<ul>\n<li>Note that VPNs do not provide any protection from this (sorry to whoever I saw suggest this proved their VPN was a good investment on the <a href=\"https:\/\/www.podfeet.com\/slack\">NosillaCast Slack<\/a> \ud83d\ude41)<\/li>\n<li>This data is coming from data brokers, so the data is coming from many sources including:<\/li>\n<li>Ad networks<\/li>\n<li>Apps that monetise with ads<\/li>\n<li>Apps that monetise by selling data to data brokers<\/li>\n<li>Web stores that double-dip and sell you products (probably unrealistically cheap), and make up the difference by selling your data too<\/li>\n<li>Devices that double-dip by selling surprisingly cheap hardware and then making up the difference by selling your data (unrealistically cheap Smart TVs are among the biggest offenders)<\/li>\n<li>Pirated software and software designed for pirating content \u2014 they 
didn&#8217;t sell you the software or content, so they make their money by selling your data and\/or enrolling your devices into anonymous proxy services sold on the dark web<\/li>\n<li>Some good protections to limit your exposure (you&#8217;ll never get it down to zero):<\/li>\n<li>Avoid all apps that monetise with ads or have no clear revenue stream<\/li>\n<li>Avoid apps and services that monetise with ads or have no clear source of income, especially:\n<ul>\n<li>Weather apps (<strong>must<\/strong> have location access)<\/li>\n<li>Email apps and services (<strong>crown jewels<\/strong>, remember, and why I choose to pay for Office365 + Exchange Online, why Allison uses iCloud+, and why I recommend people consider the <a href=\"https:\/\/proton.me\">Proton suite<\/a>)<\/li>\n<li>Search engines (this is why I highly recommend <a href=\"https:\/\/kagi.com\">Kagi<\/a>)<\/li>\n<li>AI Chatbots (this is why I highly recommend <a href=\"https:\/\/lumo.proton.me\/guest\">Lumo<\/a> and the Microsoft CoPilots)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Related:<\/strong> if you&#8217;ve been on the fence about a paid search engine, this news might finally push you over the edge, even the actual titles in the search results now contain hallucinations: <a href=\"https:\/\/www.theverge.com\/tech\/896490\/google-replace-news-headlines-in-search-canary-coal-mine-experiment\">Google Search is now using AI to replace headlines \u2014 www.theverge.com\/\u2026<\/a> \ud83e\udd2c<\/li>\n<\/ul>\n<\/li>\n<li>We have some resolution on the botnet Allison asked about some time ago (KimWolf) that had been highlighted by Brian Krebs and introduced us to the concept of residential proxy services and the risks they pose: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/aisuru-kimwolf-jackskid-and-mossad-botnets-disrupted-in-joint-action\/\">International joint action disrupts world\u2019s largest DDoS botnets \u2014 www.bleepingcomputer.com\/\u2026<\/a> &amp; <a 
href=\"https:\/\/krebsonsecurity.com\/2026\/03\/feds-disrupt-iot-botnets-behind-huge-ddos-attacks\/\">krebsonsecurity.com\/\u2026<\/a> (\ud83c\uddfa\ud83c\uddf8 \ud83c\udde9\ud83c\uddea \ud83c\udde8\ud83c\udde6 United States, Germany &amp; Canada)\n<\/li>\n<li>I like to describe email as <em>the crown jewels<\/em> because access to your inbox allows attackers to reset just about any online password, and to learn enough about you to <strong>really convincingly<\/strong> phish you, but remember it&#8217;s also the crown jewels for organisations, and while big companies make big headlines when their mail infrastructure gets abused, it can happen to even the smallest mom-and-pop venture: \ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/nordstroms-email-system-abused-to-send-crypto-scams-to-customers\/\">Nordstrom&#8217;s email system abused to send crypto scams to customers \u2014 www.bleepingcomputer.com\/\u2026<\/a> (with a St. Patrick&#8217;s Day theme \ud83c\udf40\ud83d\ude41)<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 <em>Advanced Flow<\/em>, Google&#8217;s Side-Loading Compromise for Android<\/h2>\n<p>Google has been struggling for many years to find the right balance between <em>open<\/em> and <em>safe<\/em> when it comes to side-loading apps onto Android. They&#8217;ve settled on a very reasonable compromise (in my opinion at least).<\/p>\n<p><em><strong>TL;DR<\/strong> \u2014 Android apps not digitally signed by a registered developer will not install without enabling the new &#8216;Advanced Flow&#8217; installation process; this requires clicking past very blunt warnings about the danger of scams, followed by a 24 hour cooling off period before side-loading of unsigned apps can be enabled for either a week or permanently.<\/em><\/p>\n<p>The issue here is not really about the distribution of the apps, but verifiable authorship. 
To submit apps to the Google Play Store you need to prove your identity these days, so unless attackers steal a developer&#8217;s signing key, Google can in theory report any malicious app authors to the authorities if the app was published on the Play Store.<\/p>\n<p>Google have expanded this identity verification option in a way similar to what Apple does for Mac developers, and any developer who distributes their app via any third-party store or no store at all can register, get a code signing key, and digitally sign their apps. Users will be able to side-load these kinds of signed apps without needing to jump through any of these new hoops.<\/p>\n<p>Where the new rules kick in is when apps are not digitally signed by a verified developer. For those apps, which can&#8217;t ever be in the store, so must be side-loaded somehow, Google is now adding a new <em>Advanced Flow<\/em> for installation.<\/p>\n<p>When a user tries to side-load an un-verified app they will be presented with a warning screen about the dangers of scams, the risks from installing apps from un-verified developers, and an option to continue. If they choose to continue they will then start a 24 hour cooling off period, before they will finally be able to enable the installation of un-verified apps, either permanently, or for a limited time. 
Once they agree to that, they need to reboot and then install the app.<\/p>\n<p>For commercial app makers this is just not a problem, so the only people affected are:<\/p>\n<ol>\n<li>Cybercriminals (the intended audience)<\/li>\n<li>Small volunteer-run open-source projects (collateral damage)<\/li>\n<li>Developers who fundamentally object to sharing any identifying information with large corporations, perhaps especially American ones, and hence refuse to verify their identity (collateral damage, sorta, depending on your own views and beliefs)<\/li>\n<\/ol>\n<p>Even with this change, Android remains a lot more open than iOS is, with the resulting tradeoffs between freedom and security. The open source community feared some kind of armageddon, but while some in that community are still cranky, this is nowhere near as catastrophic for the community as many feared it would be.<\/p>\n<h3>Links to News Coverage<\/h3>\n<ul>\n<li><a href=\"https:\/\/thehackernews.com\/2026\/03\/google-adds-24-hour-wait-for-unverified.html\">Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/android-to-add-24-hour-cooldown-when-sideloading-apps-from-unverified-devs\/\">Android to add 24-hour cooldown when sideloading apps from unverified devs \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-adds-advanced-flow-for-safe-apk-sideloading-on-android\/\">Google adds \u2018Advanced Flow\u2019 for safe APK sideloading on Android \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action: if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li>Important and noteworthy updates for Apple users: <a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/apple-pushes-first-background-security-improvements-update-to-fix-webkit-flaw\/\">Apple pushes first Background Security Improvements update to fix WebKit flaw \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>In <strong>theory<\/strong> these should happen automatically and in the background (hence the name!), but there are at least some caveats<\/li>\n<li>These updates end with a lower-case letter in parentheses, e.g. iOS 26.3.1 (a)<\/li>\n<li>This feature is new, so we&#8217;ve not had much first-hand experience yet, and there is definitely some confusion<\/li>\n<li>It should be enabled by default, but check that you have background security updates configured to automatically install in your devices&#8217; settings apps<\/li>\n<li>The background updates are <strong>only<\/strong> available on the very latest point release, but if you are even one point release behind, you will <strong>not be offered two updates<\/strong>, but a <strong>single update<\/strong> that <strong>contains both<\/strong> the very latest regular point update <strong>and<\/strong> the background update<\/li>\n<li><strong>Context:<\/strong> A nice explanation of some back-history for this new type of patch \u2014 <a href=\"https:\/\/tidbits.com\/2026\/03\/17\/apple-relaunches-background-security-improvements-with-webkit-patch\/\">tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Apple users should be sure to patch all their devices, especially any running on unsupported OSes, because a new attack chain affecting not-quite-current versions of iOS has been discovered in use by hostile governments \u2014 <a href=\"https:\/\/cyberinsider.com\/new-ios-exploit-chain-darksword-discovered-on-government-sites\/\">cyberinsider.com\/\u2026<\/a> (named <em>DarkSword<\/em>)\n<ul>\n<li>Apple officially recommend all users patch ASAP \u2014 <a 
href=\"https:\/\/cyberinsider.com\/apple-publishes-security-guidance-in-response-to-darksword-attacks\/\">cyberinsider.com\/\u2026<\/a><\/li>\n<li>Notice that these kinds of exploits are very difficult on iOS, and need substantial resources; in this case it required chaining <strong>six<\/strong> different vulnerabilities together!<\/li>\n<li>The cat is now fully out of the bag, with the full source code leaked on GitHub, so the bar to entry is gone \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/the-darksword-iphone-exploit-has-just-leaked-entirely-on-github\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\u26a0\ufe0f <strong>Ubiquiti router owners:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ubiquiti-warns-of-unifi-flaw-that-may-enable-account-takeover\/\">Max severity Ubiquiti UniFi flaw may allow account takeover \u2014 www.bleepingcomputer.com\/\u2026<\/a> (patch ASAP!)<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>\u26a0\ufe0f <strong>Anime Fans:<\/strong> Crunchyroll is investigating what appears to be a major breach that could even include at least some payment data, but no details yet, so if you use the very popular streaming service, monitor how this evolves \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/crunchyroll-probes-breach-after-hacker-claims-to-steal-68m-users-data\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>\ud83c\uddfa\ud83c\uddf8 The US is banning all future consumer routers not made in the USA (in the name of national security) \u2014 <a href=\"https:\/\/cyberinsider.com\/the-us-bans-new-foreign-made-routers-over-national-security-risks\/\">cyberinsider.com\/\u2026<\/a>\n<ul>\n<li><em>\u201cUnder the new rules, all newly developed consumer-grade routers produced outside 
the US are <strong>ineligible for FCC equipment authorization<\/strong>, effectively barring them from entering the US market. However, <strong>the restriction applies only to new models<\/strong>. Devices already authorized can continue to be sold and used, and consumers are not required to replace existing routers.\u201d<\/em><\/li>\n<\/ul>\n<\/li>\n<li>Firefox is adding a free tier for their browser-specific VPN, starting in 4 countries for now, with plans to roll out more widely later \u2014 <a href=\"https:\/\/blog.mozilla.org\/en\/firefox\/firefox-148-149-new-features\/\">blog.mozilla.org\/\u2026<\/a>\n<ul>\n<li>\ud83c\uddfa\ud83c\uddf8 \ud83c\uddec\ud83c\udde7 \ud83c\uddeb\ud83c\uddf7 \ud83c\udde9\ud83c\uddea US, UK, France &amp; Germany initially<\/li>\n<li><em>\u201cThe VPN will offer over 50 gigabytes of data per month for free.\u201d<\/em><\/li>\n<li><em>\u201c&#91;The VPN] only protects web traffic viewed through the Firefox browser.\u201d<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>\ud83c\udfa7 We often use the abbreviations CVSS and CVE in these notes; this podcast explains what they are and where they fit in the whole vulnerability ecosystem: <a href=\"https:\/\/overcast.fm\/+ABI-u77lUMg\">Compiler: Keeping Track Of Vulnerabilities With CVEs \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>Apple&#8217;s hardware design is even more secure than I realised \u2014 there is not just a secure enclave for protecting private keys in hardware, there are also secure <em>exclaves<\/em> for adding hardware security to parts of the display, making it possible for the MacBook Neo to have a software camera light <strong>and<\/strong> be close to as secure as a hardware light (and the same 
tech has been protecting the indicators on our iPhones for ages!) \u2014 <a href=\"https:\/\/daringfireball.net\/2026\/03\/apple_enclaves_neo_camera_indicator\">daringfireball.net\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/tidbits.com\/2026\/03\/18\/whats-new-in-apples-platform-security-guide\/\">What\u2019s New in Apple\u2019s Platform Security Guide \u2014 tidbits.com\/\u2026<\/a> (nothing earth-shattering, but an interesting read)<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Bart:<\/strong> \ud83c\udfa7 A touching listener-reported story about a family member who finally opted for a cochlear implant after 35 years of deafness to hear his grandkids sing \u2014 <a href=\"https:\/\/overcast.fm\/+AAMLcaha9Cw\">Twenty Thousand Hertz: He was deaf for 35 years + Listener Stories kickoff \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, 
probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
\ud83c\uddfa\ud83c\uddf8 We&#8217;ve known, unofficially, that the US government uses commercial data brokers to by-pass the 4th amendment and get geolocation data on US citizens for some time, but now it&#8217;s on the record: FBI [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[147,214],"tags":[8044,515,8047,8046,8043,2021,2232,7801,7690,1246,8045,8048],"class_list":["post-35641","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-advanced-flow","tag-android","tag-background-security","tag-crunchyroll","tag-data-brokers","tag-fcc","tag-geolocation","tag-kimwolf-botnet","tag-router-vulnerabilities","tag-routers","tag-side-loading","tag-ubiquity"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/35641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=35641"}],"version-history":[{"count":1,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/35641\/revisions"}],"predecessor-version":[{"id":35642,"href":"https:\/\/www.podfeet.com\/blog\/wp
-json\/wp\/v2\/posts\/35641\/revisions\/35642"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=35641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=35641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=35641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}