Let’s Encrypt root certificate may cause problems for older devices
Let’s Encrypt is a non-profit and one of the largest issuers of HTTPS certificates, the backbone of encrypting traffic. However, security researcher Scott Helme noticed that the IdenTrust DST Root CA X3 certificate used by Let’s Encrypt is set to expire on September 30th, meaning that after that date, devices that still depend on that root won’t trust certificates chaining to it. This won’t be a problem for most devices, but older ones could be affected: older game consoles, smartphones, and computers running Windows XP or macOS releases prior to 2016 could be impacted. For older Android devices, Let’s Encrypt recommends switching the default browser to Firefox to avoid issues.
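The practical check here is to look at what a server actually serves and see whether any certificate in the chain is about to expire. The script below is an added example, not code from the article, Scott Helme or Let’s Encrypt. It assumes the `openssl` command-line tool is installed; it splits a saved PEM bundle into its certificates, prints subject, issuer and notAfter for each, and flags any that expire within a chosen window. The two self-signed certificates it feeds itself are constructed sample input, not real chain data.

```shell
#!/bin/sh
# Added example (not from the original article): report every certificate in a
# saved PEM chain and flag the ones whose notAfter falls within a window.
# Assumes the openssl CLI is available. To capture a live chain you would run
# (not executed here, it needs network access):
#   openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null > chain.pem

# chain_report <chain.pem> <seconds>
# Prints one line per certificate: OK or EXPIRING, then subject, issuer, notAfter.
# Returns 0 when no certificate expires within <seconds>, 1 otherwise.
chain_report() {
    chain="$1"; window="$2"; status=0
    tmpdir=$(mktemp -d)
    # Split the bundle: start a new file at each BEGIN line, ignore anything before the first one
    awk -v d="$tmpdir" '/-----BEGIN CERTIFICATE-----/{n++; f=d "/cert" n ".pem"} n>0{print > f}' "$chain"
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -noout -subject -in "$f")
        iss=$(openssl x509 -noout -issuer -in "$f")
        end=$(openssl x509 -noout -enddate -in "$f")
        # -checkend succeeds when the certificate is still valid <window> seconds from now
        if openssl x509 -noout -in "$f" -checkend "$window" >/dev/null; then
            printf 'OK        %s | %s | %s\n' "$subj" "$iss" "$end"
        else
            printf 'EXPIRING  %s | %s | %s\n' "$subj" "$iss" "$end"
            status=1
        fi
    done
    rm -rf "$tmpdir"
    return $status
}

# Constructed sample input: two self-signed certs, one expiring in a day, one in ten years.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=soon-to-expire-root" \
    -keyout "$SAMPLE_DIR/k1.pem" -out "$SAMPLE_DIR/c1.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=long-lived-root" \
    -keyout "$SAMPLE_DIR/k2.pem" -out "$SAMPLE_DIR/c2.pem" 2>/dev/null
SAMPLE_CHAIN="$SAMPLE_DIR/chain.pem"
cat "$SAMPLE_DIR/c1.pem" "$SAMPLE_DIR/c2.pem" > "$SAMPLE_CHAIN"

# One-week window: the one-day certificate is flagged and the function returns 1.
if chain_report "$SAMPLE_CHAIN" 604800; then
    echo "no certificate in the chain expires within a week"
else
    echo "at least one certificate in the chain expires within a week"
fi
```

Run it against a chain captured with `s_client -showcerts` and the line marked EXPIRING tells you which certificate (and, via its issuer, which root) the server is still relying on. A root that is expiring is not something the server can patch on its side; the fix is to serve a chain that ends at a root the affected clients trust.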
Now we have to worry about PhaaS
Microsoft’s security team announced it discovered a Phishing-as-a-Service organization dubbed BulletProofLink, which provides phishing services to cybercriminal organizations. Clients pay BulletProofLink $800 to register, after which it provides built-in hosting for phishing URLs, email-sending services, and credential collection from attacks. BulletProofLink also maintains a separate store for new phishing email templates. Interestingly, Microsoft also saw signs that the organization is keeping copies of compromised credentials for its own purposes. Microsoft described the group as “technically advanced,” evidenced by the group using hacked sites to host phishing pages.
Time to patch all the VMware things
VMware disclosed 19 new security vulnerabilities, one of them critical for vSphere and vCenter, which it recommends patching immediately. This bug opens the door for “an arbitrary file upload vulnerability in the Analytics service” that’s part of vCenter Server. According to an extremely specific warning from VMware, “[a] malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.” VMware also provides a workaround mitigation to buy organizations more time while patching gets underway, although the company said that, given how the vulnerability could be exploited by ransomware operators, patching should be considered an “emergency change.”
Apple secretly and ineffectually patches zero day
Security researcher Park Minchan disclosed a security vulnerability in how macOS handles Internet location files, which could let an attacker run commands without warning or prompts. macOS Finder allows files with the .inetloc extension to execute arbitrary commands. These files could be embedded in emails and triggered with a click. It appears Apple attempted to fix the issue without assigning a CVE identification number, blocking execution of embedded commands with a file:// prefix. However, the fix appears to be case-sensitive: changing the capitalization of “file” to anything other than all lowercase bypasses it. As of the time of this recording, Apple hasn’t acknowledged the issue or modified its mitigation.
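The lesson in this story is about how the check was written, not about .inetloc files specifically: a blocklist that compares a raw string prefix is defeated by any variation the comparison does not normalize, and URL schemes are case-insensitive. The script below is an added example, not Apple’s code and not from the original article. `naive_blocked` mirrors the exact-case prefix check the article describes; `safe_allowed` instead extracts the scheme, lowercases it, and consults an allowlist, so unexpected schemes are rejected whatever their capitalization. Both function names and the sample URLs are constructed for the example.

```shell
#!/bin/sh
# Added example, not Apple's code: a case-sensitive blocklist beside a
# normalized allowlist for deciding whether an Internet location may be opened.

# naive_blocked <url>: returns 0 (blocked) only for an exact lowercase "file://"
# prefix. Any other capitalization of the scheme falls through unblocked, which
# is the weakness the article describes.
naive_blocked() {
    case "$1" in
        file://*) return 0 ;;
    esac
    return 1
}

# safe_allowed <url>: returns 0 (allowed) only when the scheme, compared
# case-insensitively (RFC 3986 schemes are case-insensitive), is on a short
# allowlist. Anything without a scheme, or with a scheme not listed, is refused.
safe_allowed() {
    url="$1"
    case "$url" in
        *:*) ;;            # must contain a scheme separator
        *) return 1 ;;
    esac
    scheme=$(printf '%s' "${url%%:*}" | tr '[:upper:]' '[:lower:]')
    case "$scheme" in
        http|https) return 0 ;;
    esac
    return 1
}

# verdicts <url>...: prints both decisions for each URL so the difference is visible.
verdicts() {
    for u in "$@"; do
        if naive_blocked "$u"; then n="blocked"; else n="passed"; fi
        if safe_allowed "$u"; then s="allowed"; else s="refused"; fi
        printf '%-30s naive blocklist: %-8s normalized allowlist: %s\n' "$u" "$n" "$s"
    done
}

# Constructed sample inputs for the demonstration.
verdicts "https://example.com/" "HTTPS://example.com/" \
         "file:///tmp/example" "File:///tmp/example" \
         "ftp://example.com/" "no-scheme-here"
```

The output shows the mixed-case file location passing the naive check but being refused by the allowlist, while the mixed-case https location is still allowed. The general rule: parse the input into its components, normalize each one, and then decide against a list of what is permitted rather than a list of what is forbidden.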
Thanks to our episode sponsor, Kanu Solutions
Lithuania warns about phones from China
Sorry if you’re in Lithuania and just upgraded to the latest Xiaomi flagship phone. Lithuania’s Defense Ministry recommended that consumers avoid buying Chinese mobile phones and dispose of the ones they currently own. This follows a report from the country’s National Cyber Security Center, which found that Xiaomi phones have the ability to detect and censor specific terms on devices. Though this capability is disabled on devices sold in the EU, the report alleges it can be turned on remotely. The report also alleges that information from Xiaomi phones is being routed through a server in Singapore.
Epic isn’t getting back in the App Store anytime soon
The legal fight between Epic Games and Apple about the App Store has been nothing if not acrimonious since Epic was suspended from the online store last August. Now Epic CEO Tim Sweeney published a letter Apple sent the company, which said “Apple will not consider any further requests for reinstatement until the district court’s judgment becomes final and non-appealable.” In other words, only once Epic has no legal options left. In a decision that sided with Apple in the dispute, Judge Yvonne Gonzalez Rogers concluded that Apple was within its rights to suspend Epic’s accounts if it desires.
Scraped LinkedIn user data leaks online
A data leak containing information on roughly 700 million LinkedIn users is being shared on private Telegram channels. This comes after someone attempted to sell the dataset on hacking forums back in June. The Record obtained the dataset and verified the contents were authentic, including profile names, LinkedIn IDs, locations and email addresses. Having been scraped from public LinkedIn profiles, most of this information was already out there. However, many of the emails included were not ordinarily viewable on the site. LinkedIn reiterated that no data breach occurred.
Who watches the watchers? iOS 15 evidently
Apple released iOS 15 this week, and one of the new features in the Privacy settings is “Record App Activity.” Users can either wait a few days for the OS to generate a report in Settings, or export a JSON file with the data at any time. According to developer documentation, this feature will show whether an app accesses the photo library, camera, microphone, contacts, the media library, location, or screen sharing, and which domains an app reaches out to.