We’ll start with a clarification from Bart on how this two-factor authentication works. Then we’ll have fun with redirects as I explain that there’s a podfeet URL for whatever you want. I’ll tell you about our amazing adventure trying to figure out what was killing just our 2.4GHz WiFi network. In Security Bits, Bart will bring us up to speed on the latest with the FBI vs. Apple story, and he’ll explain how no users lost data in the first real-world Mac ransomware attack.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday March 20, 2016 and this is show number 567.
In Chit Chat Across the Pond this week, Bart takes me through Programming By Stealth Episode 11. You know how he convinced us to stop using tables to format blocks of information and instead taught us how to use the Flex Block model? Well now he comes back to teach us how to use tables! He explains that there is a time and place for tables, and that’s to display tabular data. He teaches us how to add titles and captions, add footers to tables, make nice borders and justify the text just the way we want to. We even learn how to color the rows into the old fashioned “greenbar report” format (ask your parents about this one if you haven’t heard of it). I really enjoyed gaining more power over HTML and CSS in this tutorial. If you haven’t subscribed to Chit Chat Across the Pond yet, please do a search in your podcatcher of choice and join us.
Update on Authy vs. 1Password with Two-Factor Authentication
Last week on the show Joe LaGreca did a review of Authy for two-factor authentication, which he uses instead of the built-in tool inside 1Password from AgileBits. Jeffrey Lambert from AgileBits weighed in on the topic on podfeet.com and I asked Bart to help me understand what he meant. There were some crucial bits of information no one had ever explained to me before, so it takes a while for Bart and me to communicate, but we get through it in the end.
The main thing I hadn’t ever heard about was that a lot of two-factor authentication is done by an open source algorithm developed by Google, called Google Authenticator. Use of either Authy or 1Password is predicated on understanding that. Hope our discussion helps you as well.
Blog Posts
What Could Kill Just the 2.4GHz WiFi Network?
There’s a Podfeet URL for That (AKA Fun With Redirects)
Amazon Affiliate Links
I’m happy to say that the new Amazon Affiliate Links for countries other than the US are starting to take off. Folks from England and Germany are starting to use the links so that’s awesome (but Canada hasn’t kicked off yet!). If you haven’t heard me explain it before, when you buy anything from Amazon after starting with one of my links on the Fun with Flags page, at https://podfeet.com/amazon, a small percentage goes to help pay the bills to keep the shows afloat.
Last week I said that the new countries’ Amazon accounts started me over at 3%, but I was wrong; it just has to do with what you buy. Someone in England paid for their Microsoft Office 365 subscription through Amazon and that earned 5% back for the show. Isn’t that cool? I didn’t even know you could rent Office 365 through Amazon. Someone in Germany bought some kids’ books and those earned 7% for the show!
In case you’re wondering, I can’t tell who buys what; I can only see what gets bought and how much goes back to help the NosillaCast and Chit Chat Across the Pond. I sure hope when you’re shopping on Amazon you’ll start at podfeet.com and then go to Amazon from there. Thanks to everyone who’s already been shopping this way, it makes a huge difference!
Security Bits
Apple -v- FBI Update
- The FBI become openly hostile towards Apple – threaten to go after their source code and private key if Apple don't write GovtOS – www.theguardian.com/…
- Ars Technica lay out some of the ways the FBI could decrypt the iPhone without help from Apple, or GovtOS (they involve lasers, acid, and de-soldering chips) – arstechnica.com/…
- The UN High Commissioner for Human Rights comes out on Apple's side, warning of serious global ramifications for human rights if the wrong precedent is set – www.ohchr.org/…
- As expected, the DOJ have appealed the similar case they lost in NY recently – www.macobserver.com/…
- The FBI come under fire for playing fast and loose with the facts in their court filings – www.macobserver.com/…
- Former CIA director James Woolsey comes out in support of Apple's side of the argument (not explicitly in support of Apple) – www.imore.com/…
- Richard Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States, comes out in support of Apple, slamming the FBI's pursuit of weaker encryption – www.macobserver.com/… & daringfireball.net/…
- A great summary of the 6 key points in Apple's latest filing in the case – www.macobserver.com/…
- Harvard Law professor Susan Crawford says the Law is Clear – the FBI cannot make Apple rewrite its OS – daringfireball.net/…
- Reporting from the New York Times suggests that, should Apple lose, the programmers with the skills and knowledge to create GovtOS could refuse to do the work on moral grounds, and may even resign rather than comply – www.imore.com/…
- Anti-terror hawk Lindsey Graham switched sides after getting briefed by people in the intel community – fortune.com/…
- In a surprise move, the FBI have changed the hearing scheduled for next Tuesday into an evidentiary hearing (being interpreted by commentators as a sign of weakness) – www.macobserver.com/…. Apple's product security expert will give evidence at the hearing – www.theverge.com/…
John Oliver's exploration of this case is too good not to link to: www.youtube.com/…
KeRanger – the first real-world Mac Ransomware attack – sort of
Security researchers discovered that the download for the popular Mac BitTorrent client Transmission had been compromised, and that it was infecting computers with the KeRanger malware. The malware was digitally signed with a developer certificate, so it initially passed Gatekeeper.
The thing is, there was no actual damage done for a combination of three reasons:
1) the malware was designed to stay dormant for 72 hours (presumably to make it harder to figure out where it came from)
2) Transmission responded promptly with clear and accurate messages to users, and with an updated version of Transmission that removed the malware.
3) Apple responded quickly by revoking the developer cert used to sign the malware, and adding the malware itself to XProtect. Revoking the cert stopped the malicious installer from passing Gatekeeper, and adding the malware itself to XProtect prevents it from running, even on systems that installed the malware before the dev cert was revoked.
The end result of all this is that it seems like none of the few thousand people who contracted this malware lost any data. So – in real terms this was not actually a major disaster, it was however a near miss!
AceDeceiver – a trojan for non-jailbroken iPhones (sort of)
Details have emerged of a new strain of malware that can install malicious iOS apps onto non-Jailbroken iPhones.
It's not actually iOS malware though, it's Windows malware!
AceDeceiver is a Windows trojan that pretends to be iTunes, and pushes malware to iOS devices that are connected to it over USB. The apps run on the iOS devices because the malware exploits a known bug in Apple's FairPlay DRM to trick the iPhone into thinking the app is from the App Store.
The bug in FairPlay is not new, but in the past it was only used to install pirated copies of real apps; using it to install malware is new.
At the moment, attacks are only happening in China, but don't expect that to remain the case forever. If you never plug your iOS device into your computer over USB, you can't be affected by this, and running AV on your Windows PC is a good defence against getting infected with this kind of trojan in the first place.
Metaphor – a revamped Stagefright affecting 275M Android phones
Security researchers have demonstrated a new, more powerful variant of the Stagefright bugs from last year. Stagefright did not defeat Address Space Layout Randomisation (ASLR), which limited its effectiveness – it had to guess where in memory the items it needed were, so the exploit did not work every time. The big difference with this new attack is that ASLR has been circumvented, so this exploit succeeds much more frequently than the Stagefright ones from last year did.
A vast range of Android versions are affected, but the good news is that any Android phone with a patch level of 1 October 2015 or newer is not vulnerable. Of course, we have the continuing problem of handset makers and carriers not pushing updates out to older devices.
Important Security Updates
- Patch Tuesday has been and gone, and there were important updates released by Microsoft and Adobe – krebsonsecurity.com/…
- Adobe issues an emergency Flash update to patch an actively exploited bug – arstechnica.com/…
Important Security News
- The US IRS have suspended the 'Get IP PIN' service that was being abused by identity thieves to gather data needed to file fraudulent tax returns – krebsonsecurity.com/…
- Another reason to get Java out of your browser – security researchers have revealed that a patch Oracle put in place 30 months ago to fix a major bug did not actually fix the bug properly – bypassing the 'fix' is trivial – arstechnica.com/…
- The US FCC have given Verizon a slap on the wrist ($1.35M fine) for breaching their customers' privacy by injecting super-cookies into their web browsing – www.macobserver.com/…
- The FBI warns automakers and owners about the vehicle hacking risks – www.reuters.com/…
- Brian Krebs warns that spammers are abusing badly configured government servers to leech credibility – the problem is open redirects, allowing attackers to use Government servers as very legitimate looking URL shorteners! – krebsonsecurity.com/…
- Mac users are being targeted with typo-squatting malware-hosting websites – that is, using domains that are a simple typo away from a real domain, say google.om instead of google.com – type carefully and keep patched! – www.intego.com/… & threatpost.com/…
- Ryan Collins, the guy behind the mass-release of explicit images of celebrities has pleaded guilty in court – www.imore.com/…
- Security researchers warn of an outbreak of malicious ads on legitimate websites through a compromised ad network – the malicious ads used the Angler malware toolkit to try to exploit victims, using attacks against out-dated versions of web plugins like Flash and Silverlight – it's vital to install only the plugins you actually need, and to keep them religiously patched! – arstechnica.com/…
- The NSA will start formally sharing data it started gathering under the PATRIOT Act, supposedly for counter-terrorism purposes only, with other US law enforcement agencies – proving what we all knew anyway: when law enforcement do something "only against terrorists", it never stays that way – www.washingtonpost.com/…
Notable Breaches
- An ISIS defector has stolen a USB thumb drive containing the identities of 22,000 ISIS members (nice to have a data breach that is good news for a change!) – nakedsecurity.sophos.com/…
Suggested Reading
- A cautionary tale – from a stolen wallet, to ID theft, to wrongful arrest in a very short time (big take-away, if your wallet is stolen, report it to the police so there is a record of that theft) – krebsonsecurity.com/…
- "Two-Factor Authentication: How It Works and Why You Should Use It" – www.intego.com/…
- "7 tips for securing the Internet of Things" – nakedsecurity.sophos.com/…
- Pwn2Own produces 15 new browser bugs for vendors to patch, including bugs in Safari, Flash, Chrome & Edge – www.macobserver.com/…
- Security researcher finds gaping holes in Telematic Gateway Units used on trucks allowing anyone to track the location of affected trucks – nakedsecurity.sophos.com/…
- China is going to use the vast amounts of data it collects to try to detect crimes before they happen – yes, if you gather enough data and metadata, you can set up a pre-crime unit! – arstechnica.com/…
- Security researchers find malware gangs stealing caches of code signing certificates to make their malware look legitimate – arstechnica.com/…
- It turns out, DDR4 memory is vulnerable to Rowhammer after all – arstechnica.com/…
Some Nerdy Fun
- A great video demonstration of the Diffie-Hellman Key Exchange Protocol (a central cog in the public key crypto wheel) – www.youtube.com/…
- How many decimal places of Pi do you need to be accurate to a few inches over the size of the solar system? WAY fewer than you think! – www.jpl.nasa.gov/…
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], and follow me on Twitter @podfeet. Check out the NosillaCast Google Plus Community and our Facebook group at podfeet.com/facebook. If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.
The conversation with Bart on two factor authentication was very helpful; like you I have been confused by it, and do not use it.