Security conferences set for in-person return
Organizers for both the Def Con and Black Hat security conferences announced that they will hold hybrid events this year, offering remote elements but also returning to in-person meetings. Def Con will require pre-registration for the event for the first time, with attendees required to wear masks, maintain social distancing, and be vaccinated. A Def Con spokesperson said the conference's goal is "to collect and store as little data as possible for as short a time as possible." Black Hat will not require proof of vaccination and is limiting venue capacity to 50%.
Apple approves Parler’s return to the App Store
In a letter to Congress, Apple said it approved the return of the social network Parler’s iOS app to the App Store. Apple informed Parler on April 14th that its changes to content moderation were acceptable to approve the app, and that the app will be available for download as soon as Parler releases it. Apple initially removed Parler from the App Store in early January for failure to moderate content that incited violence around the January 6th Capitol riots. Apple said this decision was independent and not done in coordination with similar takedowns by Google and Amazon.
Geico exposed driver’s license numbers for months
Geico filed a data breach notice with the California attorney general's office stating that attackers were able to "obtain unauthorized access to your driver's license number through the online sales system on our website" using third-party information. This occurred between January 21 and March 1, and the filing indicated that over 500 California residents were impacted. Geico believes the information was obtained in an attempt to fraudulently apply for unemployment benefits. The insurance startup Metromile disclosed a similar data breach earlier this year, which went unresolved for six months.
WordPress says FLoC is a security concern
The company announced it will treat Google's third-party cookie alternative, Federated Learning of Cohorts or FLoC, as a security concern, and proposed blocking the technology by default starting with WordPress 5.8, while considering backporting the block to earlier versions. This block could be overridden in code by site admins, and WordPress is considering adding a setting to enable FLoC directly. WordPress said its concern is that enabling FLoC by default would make site owners accept it without fully realizing what FLoC is storing and collecting about users. The update to block FLoC is expected by July 2021, although WordPress is currently taking user feedback on the decision.
Thanks to our episode sponsor, Palo Alto Networks
Feds are investigating Codecov breach
We reported yesterday about Codecov’s breach disclosure, which allowed attackers to modify its Bash Uploader script. Now CEO Jerrod Engelberg confirmed that federal investigators are looking into the breach, which the company already reported to law enforcement. Codecov has also hired a third-party forensics team to help determine how its users might have been impacted. The company recommends clients re-roll all of their credentials, tokens, or keys used by Bash Uploader.
Coding error lets someone delete Facebook Live videos
Security researcher Ahmad Talahmeh published details of the flaw on April 17th. It allowed unauthorized third parties to cut a video down to five milliseconds, effectively deleting previously streamed Facebook Live videos, with no way to undo the trim. Video trimming is typically used to take the beginnings and ends of streams off a video after a stream has finished. An attacker would need a target live video's ID and the current user ID to trim the video. Facebook has issued a fix for the flaw.
Medtronic partners with Sternum on pacemaker security
The medical device maker announced it will work with the IoT cybersecurity startup Sternum to help prevent its pacemakers from getting hacked through their internet-based software updating systems. Medtronic's previous solution to the problem was simply to disconnect the pacemakers from the updating system, but the company did not consider that a long-term solution. Sternum claims to offer "autonomous security that operates from within the device that can protect it without the need to update and patch vulnerabilities." A spokesperson said this would mitigate risks not just to patients, but also prevent pacemakers from being used as an attack vector on a medical system's overall network.
IoXT expands certification to mobile apps and VPNs
The Internet of Secure Things Alliance's criteria for certification were developed by security labs and testing vendors like NCC Group and NowSecure, as well as Google and Amazon. To get certification, a mobile app has to have secure interfaces, automatic updates, secure password management, security by default, vulnerability reporting programs, end-of-life policies and more. VPNs must pass those tests and also tests for data leakage, automatic reconnects and kill switch functions, and checks for TLS intercepts and script injections.