Let’s Encrypt root certificate may cause problems for older devices

Let’s Encrypt is a non-profit and one of the largest issuers of HTTPS certificates, the backbone of encrypting traffic. However, security researcher Scott Helme noticed that the IdenTrust DST Root CA X3 certificate used by Let’s Encrypt is set to expire on September 30th, meaning that after that date, devices won’t trust certificates that chain up to that root. This won’t be an issue for most devices, but older devices could face issues. Older game consoles, smartphones, and computers running Windows XP or macOS releases prior to 2016 could be impacted. For older Android devices, Let’s Encrypt recommends switching the default browser to Firefox to avoid issues.

(TechCrunch)
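An added illustration of the check behind this item, not code from the article or from Let’s Encrypt: given a certificate chain in the dictionary shape Python’s `ssl.SSLSocket.getpeercert()` returns, it reports which certificates expire by a cutoff date and whether the chain relies on a named root. The sample chain, its validity dates and the `www.example.org` leaf are constructed for the example; the function names (`expiring_by`, `chains_to`, `assess`) are this example’s own.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample chain in the dict shape ssl.SSLSocket.getpeercert() returns:
# names are tuples of RDNs, dates use OpenSSL's "Mon DD HH:MM:SS YYYY GMT" form.
# Every value here is illustrative and not copied from a real certificate.
SAMPLE_CHAIN = [
    {   # leaf, issued by a Let's Encrypt intermediate
        "subject": ((("commonName", "www.example.org"),),),
        "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
        "notAfter": "Nov 15 12:00:00 2021 GMT",
    },
    {   # intermediate, issued by ISRG Root X1
        "subject": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
        "issuer": ((("organizationName", "Internet Security Research Group"),), (("commonName", "ISRG Root X1"),)),
        "notAfter": "Sep 15 16:00:00 2025 GMT",
    },
    {   # ISRG Root X1 as cross-signed by DST Root CA X3 (older clients build the path this way)
        "subject": ((("organizationName", "Internet Security Research Group"),), (("commonName", "ISRG Root X1"),)),
        "issuer": ((("organizationName", "Digital Signature Trust Co."),), (("commonName", "DST Root CA X3"),)),
        "notAfter": "Sep 30 18:14:03 2024 GMT",
    },
    {   # the expiring root itself (self-signed)
        "subject": ((("organizationName", "Digital Signature Trust Co."),), (("commonName", "DST Root CA X3"),)),
        "issuer": ((("organizationName", "Digital Signature Trust Co."),), (("commonName", "DST Root CA X3"),)),
        "notAfter": "Sep 30 14:01:15 2021 GMT",
    },
]

# End of the day the article names as the root's expiry (constructed cutoff, UTC).
ROOT_EXPIRY = datetime(2021, 9, 30, 23, 59, 59, tzinfo=timezone.utc)


def rdn_value(name, attr):
    """Return one attribute (e.g. 'commonName') from a getpeercert()-style name tuple, or None."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def expiring_by(chain, cutoff):
    """(commonName, notAfter) of every cert whose notAfter is at or before cutoff (tz-aware datetime)."""
    limit = cutoff.timestamp()
    return [
        (rdn_value(cert["subject"], "commonName"), cert["notAfter"])
        for cert in chain
        if ssl.cert_time_to_seconds(cert["notAfter"]) <= limit
    ]


def chains_to(chain, root_cn):
    """True if any certificate in the chain was issued by root_cn, i.e. trust may rest on that root."""
    return any(rdn_value(cert["issuer"], "commonName") == root_cn for cert in chain)


def assess(chain, root_cn, cutoff):
    """Summarise the risk: does the chain depend on root_cn, and what expires by the cutoff?"""
    return {
        "relies_on_root": chains_to(chain, root_cn),
        "expiring": expiring_by(chain, cutoff),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_CHAIN, "DST Root CA X3", ROOT_EXPIRY)
    print("chain relies on DST Root CA X3:", result["relies_on_root"])
    for cn, not_after in result["expiring"]:
        print(f"expires by cutoff: {cn} ({not_after})")
```

Whether a client keeps trusting such a chain depends on which roots are in its own store: a device that has ISRG Root X1 can ignore the expired cross-signature, while one that only knows DST Root CA X3 cannot, which is the split the article describes between current and older devices.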

Now we have to worry about PhaaS

Microsoft’s security team announced it discovered a Phishing-as-a-Service organization dubbed BulletProofLink, that provides phishing services to cybercriminal organizations. Clients pay BulletProofLink $800 to register, after which it provides built-in hosting for phishing URLs, email-sending services, and collecting credentials from attacks. BulletProofLink also maintains a separate store for new phishing email templates. Interestingly, Microsoft also saw signs that the organization is keeping copies of compromised credentials for its own purposes. Microsoft described the group as “technically advanced,” evidenced by the group using hacked sites to host phishing pages.

(The Record)

Time to patch all the VMware things

VMware disclosed 19 new security vulnerabilities, one of them critical for vSphere and vCenter which it recommends patching immediately. This bug opens the door for “an arbitrary file upload vulnerability in the Analytics service” that’s part of vCenter Server. According to an extremely specific warning from VMware, “[a] malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.” VMware also provides a workaround mitigation to buy organizations more time while patching gets underway, although the company said given how the vulnerability could be exploited by ransomware operators, patching should be considered an “emergency change.”

(The Register)

Apple secretly and ineffectually patches zero day

Security researcher Park Minchan disclosed a security vulnerability in how macOS handles Internet location files, which could let an attacker run commands without warning or prompts. macOS Finder allows files with the .inetloc extension to execute arbitrary commands. These files could be embedded in emails and triggered with a click. It appears Apple attempted to fix the issue without assigning a CVE identification number, blocking execution of embedded commands with a file:// prefix. However, the fix appears to be case-sensitive, meaning if you change the capitalization of “file” to anything but all lower case, it would still work. As of the time of this recording, Apple hasn’t acknowledged the issue or modified its mitigation.

(Bleeping Computer)
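An added example of the class of mistake this item describes, not Apple’s code and not a model of how the real .inetloc handler works: a literal, case-sensitive prefix match on `file://` beside a check that normalises the URL scheme first, and beside an allowlist, which is the more robust shape for this kind of filter. The function names and the sample URLs are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Naive version: a literal, case-sensitive prefix test on "file://". This is the
# shape of check the article describes, and "File://" or "FILE://" sails past it.
def naive_blocks(url: str) -> bool:
    return url.startswith("file://")


def normalized_scheme(url: str) -> str:
    """URI schemes are case-insensitive (RFC 3986), so compare on the lowercased,
    whitespace-stripped scheme rather than on raw bytes. urlsplit() already
    lowercases the scheme; .lower() is kept for clarity."""
    return urlsplit(url.strip()).scheme.lower()


def hardened_blocks(url: str) -> bool:
    """Denylist version: block by normalised scheme, so capitalisation and the
    single-slash 'file:/path' form are both caught."""
    return normalized_scheme(url) == "file"


# Allowlist version: accept only the schemes a link handler should ever open.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def allowlist_permits(url: str) -> bool:
    return normalized_scheme(url) in ALLOWED_SCHEMES


def compare(url: str) -> dict:
    """Side-by-side verdicts for one URL; 'opens' is True when a check would let it through."""
    return {
        "naive_opens": not naive_blocks(url),
        "hardened_opens": not hardened_blocks(url),
        "allowlist_opens": allowlist_permits(url),
    }


if __name__ == "__main__":
    for sample in ["file:///etc/hosts", "File:///etc/hosts", "FILE:///etc/hosts",
                   "file:/etc/hosts", "https://example.org/"]:
        print(f"{sample:22} {compare(sample)}")
```

The allowlist is the form to prefer: a denylist has to anticipate every spelling and variant of the thing it rejects, whereas an allowlist only has to name the few schemes the handler legitimately needs.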

Thanks to our episode sponsor, Kanu Solutions

Over the next few weeks Kanu Solutions is offering a series of educational sessions on a variety of topics in security, such as endpoints, networks, privileged access management, Internet of things, and governance, risk management and compliance, or GRC. Attend these sessions to get some savvy education from the security experts at Kanu Solutions. You could also get a twenty dollar UberEats Gift Card just for attending. You can participate in Kanu Solutions’ Lunch-n-Learn by registering at kanusolutions.com/events.

Lithuania warns about phones from China

Sorry if you’re in Lithuania and just upgraded to the latest Xiaomi flagship phone. Lithuania’s Defense Ministry recommended that consumers avoid buying Chinese mobile phones and dispose of the ones they already have. This follows a report from the country’s National Cyber Security Center, which found that Xiaomi phones have the ability to detect and censor specific terms on devices. Though this software is off on devices sold in the EU, the report alleges this can be turned on remotely. The report also alleges that information from Xiaomi phones is being routed through a server in Singapore.

(Reuters)

Epic isn’t getting back in the App Store anytime soon

The legal fight between Epic Games and Apple about the App Store has been nothing if not acrimonious since Epic was suspended from the online store last August. Now Epic CEO Tim Sweeney published a letter Apple sent the company, which said “Apple will not consider any further requests for reinstatement until the district court’s judgment becomes final and non-appealable.” In other words, when Epic has no other legal options available. In a decision that sided with Apple in the dispute, Judge Yvonne Gonzalez Rogers concluded that Apple was within its rights to suspend Epic accounts if it desires.

(The Verge)

Scraped LinkedIn user data leaks online

A data leak containing information on roughly 700 million LinkedIn users is being shared on private Telegram channels. This comes after someone attempted to sell the dataset on hacking forums back in June. The Record obtained the dataset and verified the contents were authentic, including profile names, LinkedIn IDs, locations and email addresses. Having been scraped from public LinkedIn profiles, most of this information was already out there. However, many of the emails included were not ordinarily viewable on the site. LinkedIn reiterated that no data breach occurred.

(The Record)

Who watches the watchers? iOS 15 evidently

Apple released iOS 15 this week, and one of the new features in the Privacy settings is “Record App Activity.” Users can either wait a few days for the OS to generate a report in Settings, or export a JSON file with the data at any time. According to developer documentation, this feature will show if an app accesses the photo library, camera, microphone, contacts, the media library, location, or screen sharing, and what domains an app reaches out to.

(ZDNet)