A busy month for Apple’s PR department, Microsoft’s customer relations department, and Google+ finally pays (settlements)!
- Massive T-Mobile Breach
- QNAP/Synology Targeted
- Zoom Settlement for False Claims
Two of the biggest names in WordPress security – Wordfence and WPScan – combined forces this month to create a mid-year report on the state of WordPress security.
The report highlights just how many WordPress sites have come under attack so far in 2021. For example, from January – June:
- Over 600 vulnerabilities were discovered in WordPress plugins and themes.
- 86 billion password attacks were blocked. These use either brute force (use a password manager) or leaked password databases (never reuse password).
- 4 billion attacks against known plugin vulnerabilities were blocked. This is why you must keep your site up-to-date.
And speaking of vulnerabilities to patch, there’s just been two major vulnerabilities discovered this month.
- SEOPress: This plugin is designed to improve the SEO (search engine optimization) of a WordPress site. If you’re running this plugin, make sure you’re patched up to version 5.0.4. A cross-site scripting (XSS) vulnerability in this plugin would allow any authenticated user (no matter their permission level) to inject malicious scripts that would run anytime a user access the “All Posts” page. Depending on the injected code, this vulnerability could allow a wide range of bad outcomes – up to the takeover of the infected site.
- Booster for WooCommerce: This plugin offers additionally functionality for WooCommerce-enabled WordPress sites. A vulnerability in the plugin would allow an attacker to impersonate any user and send a login token to their own email address, allowing them to login as a user with increased privileges. Make sure you have version 5.4.4 (or later) installed to patch this vulnerability.
Lots of PR missteps for Apple this month.
Probably the biggest announcement was Apple’s announcement about a whole bunch of new features that landed it in more than a bit of hot water with privacy advocates. Here’s my brief attempt to clarify what Apple actually will (and won’t) be doing.
Communications Safety in Messages
In the Messages app, Apple will be adding what is essentially just an image filter. This filter is only available for child account set up in Family Sharing and parents must opt-in to enable it. It will not be on by default.
When enabled, if the Message app detects that an image (either sent or received) could be sexually explicit, it will blur the image and ask the child if they want to view the image. If the child is 12 or younger, it’s possible to notify the parent account(s) if the child chooses to view or send the image (this is another feature that must be manually enabled). For children 13-17, parental notification is not sent (but the image is still blurred and the child is asked for confirmation to view or send).
The images are analyzed on-device, and Apple does not see the contents of the image. Additionally, this feature would not work for 3rd-party messaging platforms (like Facebook Messenger or WhatsApp).
Siri Safe Search
If users (either children or adults) use Siri or Search to seek out child sexual abuse material (CSAM), they will be present with resources designed to help children in unsafe situations or explain to users that these searches are problematic and damaging and provide resources to get help.
This is probably the biggest issue – and the one that Apple has done the poorest job communicating about.
This feature will apply only to images that are set to be uploaded to iCloud Photos. These images are run through a process called NeuralHash, which translates an image into a (very long) number. This number is then compared (on-device) to the hashes of known CSAM images. This process will not discover new CSAM material, and Apple cannot see the contents of the image in this new process (but keep reading).
If a certain number of matches are found in a user’s photo library, then a human at Apple is made aware of the matches and is able to view the (presumably lower-quality) images to determine if the images are actual CSAM or false positives.
While this may sound like a privacy violation (“Apple is scanning your photos”) there are several things to consider:
- Google, Microsoft, Facebook, and other large companies already engage in this behavior. Last year, Facebook found over 20 million CSAM images while Apple found 265.
- If you read Apple’s white paper on the security modeling of this feature, it all sounds very reasonable and well-thought-out.
- The scanning only applies to photos that are uploaded to the iCloud Photo Library. If you’re really worried about this, don’t back up your photos to iCloud Photo Library (but remember if you use an alternative service like Google Photos, they are also scanning your pictures).
- Remember that iCloud backups may be encrypted, but Apple holds the decryption keys, and they can already access that data if they need to (remember the San Bernardino iPhone that Apple couldn’t decrypt – but they were able to hand over the most recent iCloud backups of that same iPhone).
- If you trust Apple (and, if you’re using computers or cloud services, you are implicitly trusting someone), the fact that they are building technology to be able to scan for CSAM without being able to see the content of the images (unless a threshold is reached) is impressive. They didn’t have to go through all this trouble – remember they have direct access to your iCloud Photos and backups – this may mean that end-to-end encrypted iCloud backups are a feature that they are working toward in the future.
- One valid concern is that countries like China can add NeuralHashes of additional images to devices in China (think Tiananmen Square). The first (and more depressing) consideration is that Chinese iCloud users currently have their data stored in servers located in China, and with the security keys also stored in China. Their data is already visible to the Chinese government. The second is that Apple has said that the only image hashes will be from the National Center for Missing and Exploited Children (NCMEC) and that it will be possible for users to verify that the hash table is the same for all devices.
App Store is A Mess
Apple has also been fighting a PR and court battle for the past several months, arguing that its 30% cut from App Store sales is good for consumers and developers, and that allowing 3rd-party app stores or sideloading apps would open up consumers to untold harm.
So it’s not really a great look for Apple when developers have to point out scam apps to Apple. It’s even worse when those obvious scam apps (which made it past Apple’s “review” process) aren’t removed until these complaints are amplified – either by social media or news outlets.
Some of these scam apps are directly copying already-popular apps, while some of them are charging outrageous prices ($5-10/week) for barely functional apps. Even worse, some of them are being actively highlighted on the App Store – making them more likely to be found by users.
Software Updates and Mouse Vulnerabilities
Another month, another (big) round of vulnerability and bug fixes for Windows.
The good news is that it looks like Microsoft finally closed the PrintNightmare vulnerability that I mentioned last month. Additional severe vulnerabilities closed this month include a severe (rated 9.9 out of 10) vulnerability in the TCP/IP component and an actively exploited vulnerability in the Windows Update Medic service – a service in Windows update that lets users repair damaged components.
As always, makes sure that you update ASAP to keep your systems as secure as possible.
And, while you’re updating Windows, make sure to update software for other peripherals, since they can be attack vectors too. Just a few days ago, a vulnerability in Razer installation software (Razer is a maker of gaming mice and keyboards) would let any user plugging in a mouse gain full system privileges. Gaining these privileges would allow the user to do essentially anything on the system, including install malware.
While Razer has said that they will patch the exploit, the simplicity of it makes it likely that other installation software suffers from the same exploit and may never be patched.
It appears that while Windows 11 may look better than Windows 10, it’s not getting the best reception from the Windows community.
Microsoft released a video earlier this month titled “Windows 11 upgrade paths and deployment tools” that spent about an hour answering questions about upgrading current systems from Windows 10 to Windows 11.
Microsoft has come under lots of criticism for requiring some very specific motherboard requirements (mainly TPM 2.0), and this video did very little to change those minds. According to this post on Windows Central, the video comments were not exactly positive – and so Microsoft turned off (and removed) all comments.
As of writing this post, the video has 272 “Thumbs up”, and 6,200 “Thumbs down”.
Google is Killing…
This month, Google is killing “Android Auto for phone screens” (yes, that’s what it’s called).
This is not to be confused by Android Auto, which loads a simplified interface onto a car’s infotainment screen. Android Auto for phone screens presents a similarly simplified interface on the – you guessed it – phone screen.
If you were using Android Auto for phone screens, there is a replacement app – “Google Assistant driving mode”. To enable this new app (which is not an app, just a feature of Google Maps), go to Google Maps → Navigation Settings → Google Assistant Settings and you can set the feature to turn on when you start navigating.
Pixel 6 Teased
The details are fairly light, but here’s what we know:
- There will be two models the Pixel 6 and Pixel 6 Pro
- The standard model will have 2 cameras, the Pro will have 3 (adding a telephoto)
- Both models will use a new Google-designed chip (called the Google Tensor) instead of the Qualcomm chips that have been used in all previous Pixel phones.
The website and tweets say that the phone will be out in the Fall of 2021, so we’ll hopefully get more information soon.
Launched in 2011 to challenge the major social media players, it was essentially abandoned by Google around 2014 or 2015.
Then, in 2018, a report by the Wall Street Journal reported that Google+ had not only exposed the “private” data of hundreds of thousands of users from 2015-2018 but that when Google discovered and fixed the flaw, they opted not to disclose it, for fear of increased regulatory scrutiny. Google+ officially shut down in April of 2019.
This month, one of the class-action lawsuits brought against Google for their “lax approach to data security” was settled, with Google agreeing to pay out $7.5 million. After legal and administrative fees, each of the 1.7 million claimants got about $2.
And people thought Google+ was useless!
T-Mobile is another company having a pretty crummy August.
On August 16, T-Mobile reported that attackers had breached their servers and stolen files containing personal information from about 48.6 million customers. The stolen information comes from both current and former postpaid and prepaid customers, as well as prospective customers.
And then, it got worse.
On August 20th, an investigation by T-Mobile showed that the leak actually involved 8 million more accounts, bringing the total of compromised accounts to 54 million.
The exposed information includes:
- Phone numbers
- Security PIN
- Social Security number
- Driver’s License number
- IMSI (Individiual Mobile Subscriber Identity) – a 64-bit identifier that identifies every user on a mobile network
- IMEI (International Mobile Equipment Identity) – an identifier that identifies every unique device connected to a mobile network.
Several threat actors are already offering some of this information for sale on the dark web. Make sure you’re on the lookout for an increased amount of SMS or phone spam. And make sure to keep an eye on your credit report.
I briefly talked about malware targeting QNAP Network Attached Storage (NAS) devices last month.
Some new threats have emerged this month, and they target both QNAP and Synology NAS devices.
The eCh0raix ransomware (which began as QNAPCrypt) has added support for infecting and encrypting both QNAP and Synology NAS devices. This ransomware mainly tries to infect devices by either brute-forcing NAS login credentials that are accessible on the internet or by exploiting vulnerabilities in NAS software (like the QNAP vulnerability discussed last month).
And a botnet called StealthWorker – originally designed to compromise e-Commerce websites – has been modified to also attempt to brute-force NAS devices that are publicly accessible. StealthWorker uses lists of passwords that have shown up in previous data breaches.
The advice is almost always the same – don’t reuse passwords, and keep your NAS software up-to-date.
Zoom Payout for Lying About Encryption and Data Sharing
Zoom has claimed that it’s offered end-to-end encryption from 2016-2019 in numerous HIPAA-compliance documents, blog posts, and white papers.
However, the FTC claims that “Zoom did not provide end-to-end encryption for any Zoom Meeting that was conducted outside of Zoom’s ‘Connecter’ product…because Zoom’s servers…maintain the cryptographic keys that would allow Zoom to access the content of its customers’ Zoom Meetings.”
Additionally, Zoom failed to adequately make it clear to users that Zoom would be collecting certain personal information with Facebook and Google. Additionally, users were never asked for permission to allow these (and other) 3rd parties to use this data.
Zoom has agreed to pay out $85 million dollars to settle these claims.