Friday Five 9/24
New iOS privacy settings, the Exchange autodiscover bug, and subsidiary risk - catch up on the week's infosec news with the Friday Five!
1. UK ICO: ‘The world is coming together’ on data protection, responsible use by Jennifer Bryant
Some optimism here from the UK's Information Commissioner, Elizabeth Denham, about the world coming together on data protection and the responsible use of data. “With the (EU-U.S.) Privacy Shield having been struck down, I see the G-7 countries coming together, I see the G-20 themes coming together, the EU and U.S. conversations about trade and cooperation, and also, the most meaningful change, is that what people want to see in their laws, what people want from enforcement of data protection laws is coming together,” she said at a privacy and cybersecurity roundtable event on Tuesday. The IAPP wrote up some of Denham's thoughts, and if you're curious about EU/US data flow discussions, cookies, or the EU's adoption of adequacy decisions, it's worth clicking through.
2. The iOS 15 Privacy Settings You Should Change Right Now by Matt Burgess
Wired UK has been pumping out the educational content lately - we flagged their 6 Things You Need to Do to Prevent Getting Hacked article a few weeks ago and enjoyed their All the Ways Spotify Tracks You - and How to Stop It piece earlier this summer. This week, another helpful high-level piece on some of the privacy changes in iOS 15, which began rolling out to iPhone users this week. Among the updates? Apple has a new feature, Mail Privacy Protection, designed to stop email senders from seeing your IP address. iOS will also supply you with a report recapping your apps' sensor and data access; it tells you how often apps have accessed things like your photos, contacts, etc. If you're paying for iCloud+ - if you pay for storage beyond the free 5GB, you may already have it - you can also turn on iCloud Private Relay, a VPN-esque service that routes your web traffic through different servers. Matt Burgess of Wired does a good job recapping all the new settings, many of which need to be turned on manually in Settings; worth a click.
3. Exchange/Outlook autodiscover bug exposed 100,000+ email passwords by Jim Salter
News via Ars Technica that an issue with Microsoft's Autodiscover, a protocol used by Exchange to automatically configure clients like Outlook, appears to be leaking credentials. According to the research, courtesy of Guardicore, a flaw in the protocol could let anyone who registers a domain named autodiscover intercept clear-text credentials of users who are having network difficulty. According to the story, there are three causes of the problem: the Autodiscover protocol's "backoff and escalate" behavior when authentication fails, its failure to validate Autodiscover servers prior to giving up user credentials, and its willingness to use insecure mechanisms such as HTTP Basic in the first place. It sounds as if the best fix for this flaw is for network admins to forbid DNS requests for Autodiscover domains. Those seeking more information may want to review Guardicore's blog post on the issue.
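To make the DNS-side mitigation above concrete, here is an added example (not from the Ars or Guardicore write-ups) that derives the escalated Autodiscover hostnames an organization should deny at its resolver and flags any such lookups in a constructed DNS query log. It assumes the back-off strips one leading label at a time (the `autodiscover.example.com` to `autodiscover.com` pattern in the research); the log format and domain names are made up.

```python
"""Find and block Autodiscover lookups that have 'escalated' outside owned domains."""
import re

# Constructed sample resolver log: "<client> query <qname> <qtype>" per line.
SAMPLE_DNS_LOG = """\
10.0.0.5 query autodiscover.corp.example.com A
10.0.0.5 query autodiscover.example.com A
10.0.0.5 query autodiscover.com A
10.0.0.9 query mail.example.com A
10.0.0.9 query autodiscover.co.uk A
"""

LOG_RE = re.compile(r"^(?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+)$")


def escalation_hosts(email_domain: str) -> list[str]:
    """Autodiscover names a client may try for this domain, in back-off order.
    Assumed behaviour: one leading label is stripped per step, so the later
    entries sit under domains the organization does not control."""
    labels = email_domain.lower().strip(".").split(".")
    return ["autodiscover." + ".".join(labels[i:]) for i in range(len(labels))]


def outside_org(qname: str, owned: set[str]) -> bool:
    """True when qname is an autodiscover.* name not at or under an owned domain."""
    host = qname.lower().rstrip(".")
    if not host.startswith("autodiscover."):
        return False
    parent = host[len("autodiscover."):]
    return not any(parent == d or parent.endswith("." + d) for d in owned)


def find_escalated_lookups(log_text: str, owned: set[str]) -> list[tuple[str, str]]:
    """Return (client, qname) pairs for Autodiscover queries that left the org."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and outside_org(m["qname"], owned):
            hits.append((m["client"], m["qname"]))
    return hits


def blocklist(owned: set[str]) -> list[str]:
    """Escalated names to deny at the resolver, per the mitigation the story suggests."""
    names = set()
    for d in owned:
        names.update(h for h in escalation_hosts(d) if outside_org(h, owned))
    return sorted(names)


if __name__ == "__main__":
    org = {"example.com", "example.co.uk"}
    print(find_escalated_lookups(SAMPLE_DNS_LOG, org))
    print(blocklist(org))
```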
4. The parent company trap: Subsidiaries hide sources of cyber risk by Bradley Barth
This SC Media piece recaps a whitepaper released this week that peels back the covers on subsidiary risk. While there's always inherent risk associated with third parties - just consider recent supply chain breaches like SolarWinds and Kaseya - this report, authored by Osterman Research, found that more than half of its respondents (54.7%) experienced a cyberattack at one of their subsidiaries. Almost 12% of respondents admitted they lacked appropriate visibility into their subsidiaries' systems. It's not a huge surprise to see that the COVID-19 pandemic, which has upended life for everyone to some extent, threw these companies for a loop; 69% of them called the shift to a remote workforce very or most impactful.
5. Apple Patches 3 More Zero-Days Under Active Attack by Elizabeth Montalbano
The zero-days continue to stack up in 2021 - at least 66 so far, according to a Technology Review story this week - and a good chunk of those have been Apple vulnerabilities. Three more got added to the pile this week when the company patched three bugs in iOS and macOS, all apparently being exploited in the wild. Those looking to get down in the weeds on the vulnerabilities can find further information on Apple's advisory pages; everyone else should patch their Apple devices as soon as possible to avoid exploitation.