While things were (mostly) quiet on the WordPress front, there was still lots of security news to discuss.
Big news for this month:
- How to corrupt a Windows 10 disk in 16 characters.
- Why you shouldn’t update Flash Player anymore (it’s dead!).
- Facebook pays $300 to Illinois residents for privacy violations.
- The (un)surprising backlash against the WhatsApp/Facebook ultimatum.
- Apple shows you just how easily your data ends up out of your control.
- A terrifying look at a security installation technician hacking into indoor cameras.
Not much to report in the way of newly-discovered WordPress vulnerabilities this month (thankfully!).
The only one that has really made the “news” is in the Orbit Fox by ThemeIsle plugin. A small saving grace is that this vulnerability requires that the Orbit Fox plugin is installed along with Elementor or Beaver Builder theme-creation plugins.
This vulnerability would allow a lower-level authenticated user to create a registration form to make a higher-level account. A patched version of the Orbit Fox plugin (version 2.10.3) was released in mid-December of 2020.
It goes without saying that you should update if you haven’t.
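The Orbit Fox bug is an instance of a familiar class: a registration form whose role assignment is decided by whoever built the form, rather than by the server. The following is an added illustration, not Orbit Fox's or ThemeIsle's code, of the defensive pattern a plugin can use: keep a fixed allow-list of roles a sign-up form may hand out, check that the form's author is themselves permitted to create users, and never take the role from the client request. The hook name `hypothetical_plugin_register_user` and the form array layout are assumptions; the WordPress functions used (`user_can`, `wp_insert_user`, `sanitize_user`, `sanitize_email`, `wp_die`) are core APIs.

```php
<?php
// Added illustration (not Orbit Fox's code): a registration-form handler that
// only assigns roles from a fixed allow-list, checks that the form's creator is
// allowed to create users at all, and ignores any role value sent by the client.

// Roles a public sign-up form may ever hand out, lowest privilege first.
// 'editor' and 'administrator' are deliberately absent.
const ALLOWED_SIGNUP_ROLES = ['subscriber', 'contributor'];

/**
 * Returns the role a new account may receive, or null if the request must be refused.
 *
 * @param string $requested_role  role stored in the form definition (attacker-controlled
 *                                if a low-privileged user was allowed to build the form)
 * @param int    $form_author_id  user who created the form
 */
function resolve_signup_role(string $requested_role, int $form_author_id): ?string {
    // 1. Only allow-listed roles, regardless of what the form definition says.
    if (!in_array($requested_role, ALLOWED_SIGNUP_ROLES, true)) {
        return null;
    }
    // 2. Whoever built the form must themselves hold the core capability to
    //    create users; a contributor-level author cannot mint accounts via a form.
    //    (Assumption: the plugin records the form author's user ID.)
    if (!user_can($form_author_id, 'create_users')) {
        return null;
    }
    return $requested_role;
}

// Hooked into the plugin's submission flow; the hook name is hypothetical.
add_action('hypothetical_plugin_register_user', function (array $form, array $submission) {
    $role = resolve_signup_role($form['role'] ?? 'subscriber', (int) $form['author_id']);
    if ($role === null) {
        // Integer second argument to wp_die() is treated as the HTTP status code.
        wp_die('This registration form is not permitted to assign that role.', 403);
    }

    $user_id = wp_insert_user([
        'user_login' => sanitize_user($submission['username']),
        'user_email' => sanitize_email($submission['email']),
        'user_pass'  => $submission['password'],
        'role'       => $role, // decided server-side, never read from $_POST['role']
    ]);

    if (is_wp_error($user_id)) {
        wp_die($user_id);
    }
});
```

The point of the two checks is that neither the form definition nor the submission can raise the privilege of the resulting account above what the form's author could already grant: even if a lower-level user manages to save a form with `role => administrator`, the handler refuses it.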
Flash Player – Dead
It’s been a long time in coming, but Flash Player is finally dead!
While it served its purpose, it was a security nightmare and browser dialogues to “update Flash” became a constant malware vector.
If you’ve still got Flash installed, now’s the time to get rid of it – it can’t be used anymore. Recent versions of Flash included a “kill switch” that would deactivate it on January 12th.
And if you see any websites requesting you download or update Flash, you now know that they are 100% malicious.
Internet Explorer: Dead
More (good) end-of-life news from Microsoft, as it slowly takes steps to kill off Internet Explorer.
IE comes from the same era as Flash, but has been replaced at Microsoft by the Chromium-powered Edge browser. Many sites (including the Internet Archive and Microsoft Teams) have stopped supporting IE. Starting in August of 2021 the entire Microsoft Office 365 suite will drop IE support.
16 Characters to Corrupt Your Drive
An interesting zero-day/bug can be triggered in Windows 10 by inputting a single 16-character command in the Windows Terminal.
When executed, this command will immediately corrupt an NTFS-formatted hard drive. This simple command can also be embedded in malicious files or in icon shortcuts. In these cases it could cause corruption of the hard drives when a folder is simply opened (without clicking!).
More details (along with the 16-character command, if you’re so interested) can be found here.
Windows Updates: 21H1 & 21H2, Windows X
Microsoft is planning two bigger updates for Windows 10 this year, although they are aiming for minor improvements rather than new features.
It looks like the 21H1 update (for release in the spring) will focus on bug fixes and security enhancements, while 21H2 (for release in the fall) will feature a new UI and improvements to things like the Start Menu, Taskbar and other utilities.
Windows X was originally planned for dual-screen devices, but post-pandemic it has changed focus to be designed for lower-end hardware (similar to ChromeOS). Windows X will likely not have Win32 app compatibility, and will only use apps available on the Microsoft Store or Microsoft Edge PWA (Progressive Web Apps).
Like ChromeOS, Windows X will only be available preinstalled on devices. The first Windows X devices are expected in the Spring of 2021.
Facebook vs. Apple
Facebook is taking shots at Apple for some new privacy-related features, and it’s a surprisingly tone-deaf play for a company that has a long line of privacy missteps.
Probably the biggest change is Apple requiring users to opt-in to apps tracking them across sites and services. Facebook has complained that users are unlikely to voluntarily agree to this kind of tracking, and I agree!
Here it’s worth pointing out that Facebook relies on selling ads – lots of ads – for revenue. Currently, Facebook can aggregate data from numerous apps and websites and tie that back to a specific individual. This lets them sell highly-targeted ads to businesses both large and small.
When Apple’s changes take effect, none of that tracking will change as long as users consent to it. If users don’t consent to it, then Facebook won’t have access to Apple’s Identifier for Advertisers (IDFA) – a unique code that identifies your iOS device.
It’s worth noting that it is possible to disable your IDFA right now and prevent this kind of cross-platform tracking. Go to Settings → Privacy → Tracking and turn off “Allow Apps to Request to Track”.
This update hasn’t happened (although it is expected in early 2021), but it will be interesting to see how it plays out.
Facebook Pays Out – To Illinois Residents
Six years after three Illinois residents sued Facebook for violating Illinois’ Biometric Information Privacy Act (BIPA), a judge has ruled that Facebook must pay out about $300 to millions of Illinois users.
The judge found that Facebook’s use of facial recognition in the “tag suggestions” feature without gaining express consent from IL users violated BIPA. Facebook could have owed up to $1,000 per violation, had the case gone to trial. Facebook settled last June for $650 million.
In a move that surprised no one, Facebook is now making a bid to monetize WhatsApp user data.
Facebook bought WhatsApp in 2014, and built impressive end-to-end encryption into the app. In 2016, WhatsApp also gave users a one-time chance to opt out of sending account data to Facebook.
Now, though, Facebook is requiring all WhatsApp users to agree to share personal and app-usage data with the mothership in order to keep using WhatsApp. Some of the shared metadata includes address books, profile names and pictures, status messages, and app usage data (who you’re talking to, how long, etc.).
While WhatsApp will still keep end-to-end encryption, it’s worth noting that this simply means that the traffic from user to user is encrypted. It says nothing about the data at rest. If you dislike Facebook Messenger, you should probably be worried about WhatsApp.
A Day with Your Data
In honor of Data Privacy Day (January 28th), Apple has released a short story about the numerous ways that your data can be accessed without your knowledge.
The story, which follows a father-daughter park outing, demonstrates how some seemingly-innocuous apps (photo filters, games, and financial institutions) can share data that creates a shockingly complete picture of your movements, habits, likes, and dislikes.
While you probably know most of it (if you’re reading this), it’s worth reading and sharing with your friends and family that may not realize how much of their information is literally for sale.
The Danger of Indoor Cameras
It’s not just the danger of an improperly-installed camera catching fire – privacy implications of an improperly-secured camera go well beyond that!
An ADT technician recently pled guilty to improperly accessing the cameras of 220 accounts over the course of 5 years. According to the FBI investigation, he explicitly targeted homes of women that he found attractive.
As always, if you’re going to have cameras (especially indoors) make sure you set up strong authentication mechanisms (hopefully with 2FA) and keep the hardware and software up-to-date.
DuckDuckGo, a privacy-focused search engine, ended 2020 by increasing their daily search totals by 62%, bumping them up to 102 million searches per day.
While DuckDuckGo isn’t quite as good as Google for some things, if you’re looking to reduce your Google footprint, I highly recommend using it. I’ve been a DuckDuckGo user for a couple of years, and it’s improving all the time.