January 17, 2020

Oracle’s January 2020 update patches 334 security flaws

By John E Dunn

As the world’s second-largest software company, Oracle has become an organization built on big numbers.

This includes the number of security patches it issues, which, with the January 2020 update, reached 334, equalling the previous record set in July 2018.

Unlike rivals such as Microsoft, Oracle only releases security patches every three months, which partly explains the size of its updates, now routinely heading towards 300.

Another factor is simply the volume of software in the company’s stable – with around a hundred products and product components in January’s update alone.

Something that jumps out is that 60 individuals and companies are credited with reporting January’s batch of flaws to Oracle, including one, Alexander Kornbrust, credited with 41 CVEs on his own.

Oracle, then, has lots of flaws to fix because, as with rival Microsoft, it has lots of people looking for them. This can only be a good thing.

Database Server

A modest 12 CVEs in total, three of which are stated as being remotely exploitable. Five are ranked ‘High’ severity, which in Oracle’s nomenclature is the top severity level, factoring in how easy it would be to exploit.

Oracle communications applications

A relatively small application category but still able to offer patches for 23 flaws which could be remotely exploited without authentication, six of which have ‘Critical’ CVSS scores above 9.

Read more at https://nakedsecurity.sophos.com/2020/01/17/oracles-january-2020-update-patches-334-security-flaws/

Google will now accept your iPhone as an authentication key

By Lisa Vaas

On Monday, Google pushed out an update for the iOS version of Smart Lock, its built-in, on-by-default password manager.

Smart Lock – which has been available for Google’s Chrome browser since 2017 – now also lets iOS users set up their device as the second factor in two-factor authentication (2FA), meaning that you no longer have to carry around a separate security key dongle.

Smart Lock for iOS uses the iPhone’s Secure Enclave Processor (SEP), which is built into every iOS device with Touch ID or Face ID. That’s the processor that handles data encryption on the device – a processor that oh, so many law enforcement and hacker types spend so much time complaining about… or, as the case may be, cracking for fun, fame and profit.

After you set it up, you’ll just need your iPhone or iPad, and your usual password, to use in 2FA when you sign in to Google on a desktop using Chrome.

A big plus: it uses a Bluetooth connection, rather than sending a code via SMS that could be intercepted in a SIM swap attack. In a SIM-swap fraud attack, a hijacker gets their hands on a phone number – typically by sweet-talking/social-engineering it away from its rightful owner – after which they can intercept the codes sent for 2FA that the phone number’s rightful owner set up to protect their accounts.

SIM swap fraud is one of the simplest, and therefore the most popular, ways for crooks to skirt the protection of 2FA, according to a warning that the FBI sent to US companies in October 2019.

Given that Apple introduced SEP – which stores encrypted security keys on an iOS device – with the iPhone 5S, it won’t work on earlier models. You’ll need to be running iOS 10 or later to run the Smart Lock app.

Read more at https://nakedsecurity.sophos.com/2020/01/17/google-will-now-accept-your-iphone-as-an-authentication-key/

Facial recognition is real-life ‘Black Mirror’ stuff, Ocasio-Cortez says

By Lisa Vaas

During a House hearing on Wednesday, Rep. Alexandria Ocasio-Cortez said that the spread of surveillance via ubiquitous facial recognition is like something out of the tech dystopia TV show “Black Mirror.”

This is some real-life “Black Mirror” stuff that we’re seeing here.

Call this episode “Surveil Them While They’re Obliviously Playing With Puppy Dog Filters.”

Wednesday’s was the third hearing on the topic for the House Oversight and Reform Committee, which is working on legislation to address concerns about the increasingly pervasive technology. In Wednesday’s hearing, Ocasio-Cortez called out the technology’s hidden dangers – one of which is that people don’t really understand how widespread it is.

At one point, Ocasio-Cortez asked Meredith Whittaker – co-founder and co-director of New York University’s AI Now Institute, who had noted in the hearing that facial recognition is a potential tool of authoritarian regimes – to remind the committee of some of the common ways that companies collect our facial recognition data.

Whittaker responded with a laundry list: she said that companies scrape our biometric data from sites like Flickr, from Wikipedia, and from “massive networked market reach” such as that of Facebook.

Ocasio-Cortez: So, if you’ve ever posted a photo of yourself to Facebook, then that could be used in a facial recognition database?

Whittaker: Absolutely – by Facebook and potentially others.

Ocasio-Cortez: Could using a Snapchat or Instagram filter help hone an algorithm for facial recognition?

Whittaker: Absolutely.

Ocasio-Cortez: Can surveillance camera footage that you don’t even know is being taken of you be used for facial recognition?

Whittaker: Yes, and cameras are being designed for that purpose now.

This is a problem, the New York representative suggested:

People think they’re going to put on a cute filter and have puppy dog ears, and not realize that that data’s being collected by a corporation or the state, depending on what country you’re in, in order to …surveil you, potentially for the rest of your life.

Whittaker’s response: Yes. And no, average consumers aren’t aware of how companies are collecting and storing their facial recognition data.

Read more at https://nakedsecurity.sophos.com/2020/01/17/facial-recognition-is-real-life-black-mirror-stuff-ocasio-cortez-says/

EDRi’s guidelines call for more ethical websites

By Danny Bradbury

Most of us want to be good online citizens. That includes developing websites that have their visitors’ best interests at heart. Yet there are so many ways to get that wrong. Even a slight misstep could put visitors’ privacy or security at risk, or exclude people that might be less able than others. How can you know if you’re doing it right?

Enter European Digital Rights (EDRi), a collection of human rights groups across Europe, which has published a set of guidelines for ethical website development. It explains:

The goal of the project, which started more than a year ago, was to provide guidance to developers on how to move away from third-party infected, data-leaking, unethical and unsafe practices.

The document lists recommendations covering areas including security and privacy while listing alternatives to free online services that slurp up users’ data.

One recommendation is to host your own resources as much as possible. That means avoiding call-outs for things like third-party cookies, and avoiding frames with third-party content. It also means avoiding call-outs for CSS files, images, font files, and JavaScript libraries.

The document adds:

If downloading a resource, such as a JavaScript or font file, is not allowed by the terms of its provider, then they may not be privacy-friendly and should therefore be avoided.

It calls out large tech firms as companies offering services that ethical web developers should avoid, and provides a list of alternatives in areas including analytics, video players, and online maps. It points readers to Prism Break, a list of alternative online services that don’t track their users.

When it comes to security, a site can use DNSSEC to authenticate DNS queries, says the doc, also recommending HTTPS. It also asks website owners to provide a Tor-compatible version of their site using the Tor publishing tool Onionshare.
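The self-hosting recommendation above can be checked mechanically. The following Python script is an added example, not code from EDRi's guidelines or the article: it parses a page and lists the resources pulled from hosts other than the site's own, plus any fetched over plain HTTP; the hostnames in the embedded sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a resource while rendering.
# Assumption: a representative subset (CSS @import/@font-face inside
# stylesheets are not inspected here).
RESOURCE_ATTRS = {"script": ("src",), "link": ("href",), "img": ("src", "srcset"),
                  "iframe": ("src",), "source": ("src", "srcset"),
                  "video": ("src", "poster"), "audio": ("src",)}

class ResourceCollector(HTMLParser):
    """Collects, in document order, every URL the page would fetch."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.urls = base_url, []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name not in RESOURCE_ATTRS.get(tag, ()):
                continue
            # srcset is a comma-separated list of "url [descriptor]" entries
            for entry in (value.split(",") if name == "srcset" else [value]):
                if entry.strip():  # split()[0] drops any srcset descriptor
                    self.urls.append(urljoin(self.base_url, entry.split()[0]))

def audit_third_party(html, site_url):
    """Return (third_party, insecure): URLs on another host, and plain-http URLs."""
    collector = ResourceCollector(site_url)
    collector.feed(html)
    own_host = urlsplit(site_url).hostname
    third_party, insecure = [], []
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # data:, blob:, etc. never leave the browser
        if parts.hostname != own_host:
            third_party.append(url)
        if parts.scheme == "http":
            insecure.append(url)  # mixed content on an HTTPS site
    return third_party, insecure

# Constructed sample page; the hostnames are placeholders, not real services.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://fonts.example-cdn.net/css?family=Roboto">
<script src="//cdn.example-lib.org/jquery.min.js"></script>
</head><body>
<img src="http://www.example.org/logo.png" alt="logo">
<img src="data:image/png;base64,iVBORw0KGgo=" alt="inline">
<iframe src="https://maps.example-maps.com/embed?q=Winter+Haven"></iframe>
</body></html>"""
```

Running `audit_third_party(SAMPLE_HTML, "https://www.example.org/")` reports the font CDN, the JavaScript CDN and the map iframe as third-party call-outs, and the logo as an insecure fetch.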

Read more at https://nakedsecurity.sophos.com/2020/01/17/edris-guidelines-call-for-more-ethical-websites/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation