Weekly Security News for the Week Ending December 13, 2019
Apple’s Ad Tracking Crackdown Shakes Up Ad Market
Two years ago Apple decided that since they don’t earn a lot of revenue from ads and Google, their competitor in the phone business, does, wouldn’t it be great to do something to hurt them. Oh, yeah, we can pretend the real reason we are doing it is to protect the privacy of our users. Thus was born Intelligent Tracking Prevention. This makes it much more difficult for advertisers to micro-target Safari users.
The results have been “stunningly effective”, trashing Google and others ad revenue from Safari users (typically affluent users who buy $1,000+ Apple phones, hence a highly desirable demographic) by 60%. The stats are that Safari makes up a little over half of the US mobile market (Android wallops iPhone worldwide, but there are more users in the US willing to pay a lot of money for a phone).
So it is kind of a win-win. Apple puts a dent in Google’s revenue and the users get tracked a little bit less. Source: Slashdot.
Apple Releases Fix to Bug That Can Lock Users Out of Their iDevices
Apple users are generally pretty good at installing new releases, but this one fixes a bug that would allow an attacker to create a denial of service attack against any Apple device by sending it a bunch of requests at a speed the device can’t handle. The bug is in AirDrop, Apple’s file sharing feature. The good news is that a patch is available, so you just need to install it. Source: Techcrunch
KeyWe Smart Lock is Broke and Can’t Be Fixed
KeyWe is a smart lock for your house. You can buy it on Amazon for about 150 bucks. And unlock your house from your phone.
But you probably shouldn’t. Because, apparently, ANYONE can unlock your house from their phone.
Researchers have figured out how to intercept the communications using a $10 Bluetooth scanner and decrypt the communications because the folks that wrote the software thought they knew something about cryptography.
Worse yet – the software in the lock cannot be upgraded. Ever. By any method, local or remote. You get to buy a new lock.
So, as people continue to be infatuated with anything Internet, the crooks say thank you because, as I always say, the S in IoT stands for security (hint: there is no S in IoT). Source: The Register
Over 1 BILLION Userid/Password Combinations Exposed
There is a bit of good news in this (at the end). Researchers found a publicly exposed Elasticsearch database on the net that was indexed by the BinaryEdge search engine. The database contained 2.7 billion email addresses and clear text (unencrypted) passwords for over a billion of them. The researchers contacted the ISP hosting the database and it was eventually taken offline. It is not clear who owns the database or what its purpose is. It looks like it is a collection aggregated from a number of breaches. The good news is that most of the email addresses are from Chinese domains, so if we want to hack back at China, we have most of their emails and passwords. Source: Info Security Magazine
New Orleans Hit By Ransomware Attack
In what is at least the third ransomware attack in Louisiana in recent weeks, the City of New Orleans shut down all of its computers, including the City’s official web site in an attempt to contain a ransomware attack. As of right now, 911 is using their radios in place of computers to manage emergencies.
The city told users to unplug their computers from the network and stop using WiFi in an effort to contain the damage. They then went from floor to floor to check if people really did that.
A MUCH SIMPLER AND QUICKER WAY TO CONTAIN THE DAMAGE IS TO POWER OFF ALL NETWORK SWITCHES (including the ones that the WiFi routers are connected to). Doing that eliminates the communications path for the malware. Once that is complete, you can power off individual computers. Source: NOLA.Com
by 