Hello, welcome to the Monday, September 30th, 2019 edition of the Sansand-Stormsanders Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

A reminder for users of Polycom devices.

Your configuration files are still very much looked for by attackers,

scanning the internet for them. Xavier ran into another scan for them and posted some of the

URLs requested. The IP that Xavier was observing in his logs has been doing this for quite a while now,

and according to some of our other Honeypot logs that we are collecting,

and it's hosted in a cloud service provider in Iceland.

And Apple finally released the security details for the various

updates. It released these last two weeks. When they came out, I noted that there was an entry

in the Apple security bulletin page, but no actual link yet with any details.

One interesting fix in iOS should make it more difficult to fool Face ID with 3D models.

One of the advertised features of Face ID was its ability to distinguish images and 3D models from actual faces.

Of course, there have been some proof-of-concept exploits where people manage to create 3D masks

that actually allowed them to lock themselves in to iOS devices.

The security advisory does not provide details as to what exactly was changed. The iOS updates also appear to fix the recently revealed lock screen bypass.

The fix is listed as part of iOS 13, even though the vulnerability was still present

in the last iOS 13 beta, which is widely believed to be identical to the finally released

product.

So in iOS 13.1, there is a similar security advisor, a similar note for this particular flaw, possibly

that it wasn't fully fixed until iOS 13.1. Safari for iOS also fixes an address bar spoofing

issue, the standalone Safari 13 patch for

...