2025.01.07 News You Should Know
Apple
Apple offers $95M settlement in Siri privacy lawsuit • The Register - Something as simple as a zipper or an individual raising their arms would cause Siri to start recording. Lopez, et al v. Apple Inc will be settled for $95 million if the N. California District Court approves. Apple CEO Tim Cook had previously told Congress that Siri’s recording features required a “clear, unambiguous trigger”, i.e., “Hey Siri”. Siri-enabled Apple users from 2011 to an unknown date will likely be eligible, diluting individual payouts. $95M (USD) is roughly less than 0.001 of Apple’s profits in 2024.
End-to-end Encryption
Encryption backdoor debate ‘done and dusted’ • The Register - Brothers John and Will Ackerly (fmr. Strategic Planning Director, US Dept. of Commerce, and fmr. NSA employee and developer of the Trusted Data Format for the DNI, respectively) gave an interview to The Register discussing whether US intelligence agencies and law enforcement can claim both that the CALEA breaches were preventable and that encryption requires backdoors. Short answer: you either have privacy or you don’t. We don’t.
Note: CALEA was expanded in the 2000s to include broadband internet providers.
guidance-mobile-communications-best-practices.pdf - CISA provided Congress and the public with the following guidance to secure communications both at home and abroad.
- Use End-to-end encrypted messaging (like Signal)
- Use FIDO phishing-resistant authentication
- Get rid of SMS-based MFA
- Use a Password Manager and Strong Passwords (long, 16+ characters, random, and unique)
- Set a Telco PIN to prevent SIM Swapping
- UPDATE EVERYTHING ALL THE TIME
- Get a New Phone
- Don’t use VPNs.
- Additional specific recommendations for Android and iPhone are provided.
T-Mobile Breach Comes Back to Bite
Washington sues T-Mobile over 2021 data breach that spilled 79 million customer records | TechCrunch - Washington state is suing T-Mobile for losing the data of 79m customers after T-Mobile suffered, and failed to effectively remediate, 5 different hacks of its corporate systems. Among other things, the company is accused of specific technical misconfigurations, a lack of security controls, and improper disclosure to affected customers.
VPNs?
VPN used for VR game cheat sells access to your home network - Ars Technica - Personal VPNs are being used to sell access to users’ home networks. If it’s free, you’re the product. And in this case, you may be participating in international criminal rings, political espionage, or worse.
China
Taiwan claims China-linked ship damaged submarine cable • The Register - The ship Shunxing 39, believed to be Chinese-linked, damaged Taiwanese fiber cables when leaving port. The ship is currently headed to S. Korea, where Taiwan is asking for the crew to be detained. This is the second attack in the last few weeks, as November saw a Chinese vessel deliberately cutting cables in the Baltic Sea, likely to support ally Russia in its invasion of Ukraine.
Chinese spies targeted sanctions intel in US Treasury raid • The Register - Chinese hackers specifically targeted the Office of Foreign Assets Control (OFAC) and the Office of the Treasury Secretary. OFAC administers and maintains the economic and trade sanctions “entity” lists.
Three more telcos reportedly join China Salt Typhoon victims • The Register - AT&T, Verizon, Lumen, Charter, Consolidated, and Windstream have now all been identified by the US Government as victims of the CALEA attacks. WSJ claims unpatched Cisco and Fortinet devices are to blame, with one report stating that MFA wasn’t enabled on network management accounts, allowing access to over 100k routers.
T-Mobile was also named, though they claim to not be included in “the 9” as they repelled the attack early on. (A rare win for T-Mobile’s security team!)
Note: Long-time readers may remember that Volt Typhoon has been using this same technique against water, electrical, wastewater, gas, and other organizations since January 2021.
Tencent added to US list of ‘Chinese military companies’ • The Register - Tencent, a gaming and communications company, was added to the Section 1260 list of Chinese Military Companies. Companies on the list aren’t illegal to do business with, but are believed to serve the interests of the Chinese government. Consequently, the US Military can’t do business with companies on the list, including battery manufacturer CATL.
Snowflake Breach
US Army soldier accused of stealing AT&T call logs arrested • The Register -
LongForm
https://krebsonsecurity.com/2024/12/u-s-army-soldier-arrested-in-att-verizon-extortions/