Apple advances user security with powerful new data protections.

Advanced Data Protection for iCloud provides users with important new tools to protect their most sensitive data and communications

Unmentioned is that Advanced Data Protection will also preclude Apple from handing over unencrypted backups to law enforcement. Turn on Advanced Data Protection and Apple will no longer hold keys to that data. It’s off by default, primarily.

apple.com/newsroom/2022/12/app


Researchers Used a Sirius XM Bug to Easily Hijack a Bunch of Different Cars.

A slew of security researchers discovered a fairly easy way to commandeer Hondas, Nissans, Infinitis, and Acuras via their infotainment systems.

By Lucas Ropek

gizmodo.com/sirius-xm-bug-hond


Computer Repair Technicians Are Stealing Your Data.

Thinking about taking your computer to the repair shop?

Not surprisingly, female customers bear the brunt of the privacy violations.

Dan Goodin

arstechnica.com/information-te


Apple’s Device Analytics Can Identify iCloud Users

Apple states in their Device Analytics & Privacy statement that the collected data does not identify you personally. This is inaccurate. We also showed earlier that the AppStore keeps sending detailed analytics to Apple even when sharing analytics is switched off.

mjtsai.com/blog/2022/11/23/app


Android Contact Tracing App Installed Without Consent

A nonprofit law firm has filed a class action lawsuit against the Massachusetts Department of Public Health for allegedly working with Google to secretly install COVID-tracing software onto as many as a million smartphones.

mjtsai.com/blog/2022/11/23/and


Successful Hack of Time-Triggered Ethernet

Time-triggered Ethernet (TTE) is used in spacecraft, basically to use the same hardware to process traffic with different timing and criticality. Researchers have defeated it:

arstechnica.com/information-te

Paper:

web.eecs.umich.edu/~barisk/pub


Another Event-Related Spyware App

Last month, we were warned not to install Qatar’s World Cup app because it was spyware. This month, it’s Egypt’s COP27 Summit app:

politico.eu/article/cop-27-cli


An Untrustworthy TLS Certificate in Browsers

The major browsers natively trust a whole bunch of certificate authorities, and some of them are really sketchy:

archive.ph/c9fBJ

More details by Reardon.

groups.google.com/a/mozilla.or

Cory Doctorow does a great job explaining the context and the general security issues.

pluralistic.net/2022/11/09/inf



The NSA (together with CISA) has published a long report on supply-chain security: “Securing the Software Supply Chain: Recommended Practices Guide for Suppliers”:

nsa.gov/Press-Room/News-Highli

And

They previously published “Securing the Software Supply Chain: Recommended Practices Guide for Developers.” And they plan on publishing one focused on customers.

cisa.gov/uscert/sites/default/


(I hate linking to the "intercept", it is a garbage site, but every once in a while, they get a scoop.)

Hacked Documents: How Iran Can Track and Control Protesters’ Phones

The documents provide an inside look at an Iranian government program that lets authorities monitor and manipulate people’s phones.

By Sam Biddle, Murtaza Hussain

theintercept.com/2022/10/28/ir


Apple Ventura:

macOS Ventura bug disables security software

"The TCC.db file is a database that maintains all the TCC permissions the user has granted to various apps. According to Mikey, it seems that Apple's fix for the vulnerability involved assigning a new TCC entry for endpoint security clients, like Malwarebytes. Presumably, these would be exempt from the reset command involved in Csaba's vulnerability."

By Thomas Reed

malwarebytes.com/blog/news/202




Apple MacOS Only

macOS has extensive security protection built into it. This article describes how it protects against malware using two related tools known together as XProtect, and how they differ in macOS Catalina and later.

By hoakley

eclecticlight.co/2022/11/01/ev

Adversarial ML Attack that Secretly Gives a Language Model a Point of View

Machine learning security is extraordinarily difficult because the attacks are so varied—and it seems that each new one is weirder than the next. Here’s the latest: a training-time attack that forces the model to exhibit a point of view: “Spinning Language Models: Risks of Propaganda-As-A-Service and Countermeasures.”

By Bruce Schneier

schneier.com/blog/archives/202

Backdooring a summarizerbot to shape opinion

That's why attacks on machine-learning systems are so frightening and compelling: if you can poison an ML model so that it usually works, but fails in ways that the attacker can predict and the user of the model doesn't even notice, the scenarios write themselves.

Cory Doctorow

pluralistic.net/2022/10/21/let


(Two Articles on security of America's infrastructure)

The Evolution of Critical Infrastructure Targeting by Violent Extremists
By Ilana Krill

lawfareblog.com/evolution-crit

and

The Emerging Cyber Threat to the American Rail Industry
By Claudia Swain

lawfareblog.com/emerging-cyber


Qatar Spyware

Everyone visiting Qatar for the World Cup needs to install spyware on their phone

The Ehteraz app, which everyone over 18 coming to Qatar must download, also gets a number of other accesses such as an overview of your exact location, the ability to make direct calls via your phone and the ability to disable your screen lock.

nrk.no/sport/everyone-going-to


What’s in Biden’s Executive Order on Signals Intelligence?

"On Oct. 7, President Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. This order is a concrete step taken by the president to fulfill a commitment made in March during an announcement that the U.S. and the European Commission had agreed to the Trans-Atlantic Data Privacy Framework."

By Caleb Johnson, Yang Liu

lawfareblog.com/whats-bidens-e


Regulating DAOs

"The question is whether the First Amendment covers golems. When your words are used not to persuade or argue, but to animate a mindless entity that will exist as long as the Ethereum blockchain exists and will carry out your final instructions no matter what, should your golem be immune from legal action?"

By Bruce Schneier

schneier.com/blog/archives/202


Bulletin highlights risk-limiting audits as efficient means of confirming the accuracy of election results.

This new ACM TechBrief was written to call attention to a specific problem: although risk-limiting audits are a highly accurate, efficient, and economical means of confirming the accuracy of election outcomes, they are infrequently used in the United States and almost never elsewhere in the world.

phys.org/news/2022-10-bulletin

Report:

dl.acm.org/doi/pdf/10.1145/356


Mac OS Only

Do you manage a few Mac computers?
This is a free, must-have app for keeping system security up to date.

SilentKnight version 2.0

eclecticlight.co/2022/10/10/si

Also check out all this guy’s utilities.
They’re fantastic.
