We have a huge show today. Steve’s put out two more video interviews from NAB in Las Vegas, I’ve got a pretty big announcement about Chit Chat Across the Pond, and we’ve got another giant Security Bits with Bart Busschots. I told him maybe when there’s such a big security news week we should call it Security Blobs!
There are five Security Mediums in this episode. We’ll talk about a remote code execution built in Intel CPUs, Bart will explain what can go wrong with two-factor authentication through SMS, we’ll cover the Google Docs phishing worm and how Google could have prevented it, we’ll learn about how the beloved Handbrake servers got hacked causing distribution of malware, and as if that isn’t enough we’ll talk about the WannaCry worm that has indiscriminately taken down networks across the globe.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Apple bias. Today is Sunday May 14, 2017 and this is show number 627.
Would you believe the NosillaCast started 12 years ago yesterday? We’ve had a lot of celebrations at major milestones so I won’t make a big deal about it, but if you’re new to the show, having a podcast go on that long without interruption every single week is a pretty big deal. Heck, podcasting wasn’t even invented until October of 2004! There are shows older than the NosillaCast but I’m not sure there are any with such consistent delivery of content. Ok, enough patting myself on the back!
Three Chit Chat Feeds are Better Than One
Chit Chat Across the Pond Lite
Speaking of three feeds, on Chit Chat Across the Pond Lite this week I was joined by the awesome Joe Dugandzic from Smarter Home Life (smarterhomelife.com) to talk about the huge set of product and capability announcements from Amazon about their Echo line of devices. We talk Echo Show, Echo Look, ecobee4, and the new voice calling in the Alexa app for your existing Echo devices. Joe is really into home automation with a fabulous YouTube channel so he really knows his stuff. Plus he’s fun and entertaining.
During that episode, I expressed concern about the concept of loading my contacts into the Amazon cloud. Since the discussion with Joe, I’ve talked to a lot more people about it, and they helped me put the concept in perspective. I’ve given my contacts to Apple through iCloud. Apple has pretty good security around things so that’s good. But I’ve given my contacts to Google through Gmail and they’re not nearly as trustworthy, in my opinion at least, as Amazon. If you’ve used Yahoo, you’ve given them your contacts, and they’ve certainly proven themselves to be poor stewards of our information. So I’m not saying I 100% trust Amazon, but I give them a lot of money every few days and so far they’ve protected the information I’ve given them.
I also got information from someone we’ll call, “people familiar with the matter”. Here’s a quote:
I can’t comment on this publicly, however I can tell you as someone who builds systems inside Amazon, and interacting with systems that contain customer data… i whole heartedly trust them. The number of approvals and discussions and defenses of systems and mitigations of risks that we have to go through is more than any other company I’ve worked for.
Customer data is considered more sensitive than data about the products we’ll be releasing in the future.
Bottom line is that I’ve decided to trust Amazon with my contacts, in spite of my initial trepidation.
Steve Sheridan on the 12th anniversary of the NosillaCast
Hi Allison, this is your biggest fan Steve. I’d like to congratulate you on 12 continuous years of the NosillaCast podcast – What An Accomplishment!
When you began your podcast adventure back on the 13th May 2005, neither of us had any idea where it would take us. Since then you’ve produced a podcast every week like clockwork for over 12 years. That’s a rare feat in the podcasting community and one of which you can SURE be proud. Throughout this period the NosillaCast community has grown up around you, providing their support and content for your show and a lot of good times.
I think what really makes the NosillaCast special IS your community. Through reviews, comments, dumb questions and interviews, many of your listeners enhance the NosillaCast and are integral to your show. Many people have also noted how accessible you are. Your show reflects the respect you have for your listeners. What strikes me is how involved you are with the NosillaCast community and how active they are. You continually interact with your listeners and they with each other. The community of people that has collected around the NosillaCast is remarkable.
I think one of the benefits we didn’t anticipate with the NosillaCast was the number of good-hearted people we’d meet on line and in real life as a result of your show. In the 12 years we’ve been doing this every person we’ve gotten to know through your show has been truly fun and interesting and we share common interests with them. Many of the people we’ve gotten to know are what I consider, and I know you’d agree, life-long friends.
I’d like to take this opportunity to thank all of you … the community. That includes NosillaCast listeners, those that join the live show on Sunday nights and everyone who contributes to the show – whether it be through Patreon, podfeet’s Amazon affiliate link, writing an iTunes review, or sending in audio or written reviews, or even comments through social media. YOU are the people who keep the NosillaCast running and provide Allison the feedback and motivation she needs to keep the show going, every week. So pat yourselves on the back – I thank you.
I must say Allison, it’s been really enjoyable seeing the NosillaCast evolve over the past 12 years. And it continues to evolve with you splitting CCATP into three podcasts that are better tailored to your listeners’ interests. You put your heart and soul into the show and you dedicate a good portion of your life to it. Several people have asked how do you do it all? The secret is simple – anything you love to do, you find the time to do … and you love doing the NosillaCast. I love being part of the NosillaCast community and I’m extremely proud of what you’ve accomplished.
So I’ll close by congratulating you, Allison, on 12 tremendous years of the NosillaCast. You know you have my full support in this adventure and I very much look forward to seeing how the NosillaCast progresses over the next 12 years, and beyond. And in case you had any doubts, you can rest assured that I will stay subscribed.
Speaking of Steve’s contributions, here’s two more interviews from NAB:
NAB 2017: Akyumen Projector Smartphone
NAB 2017: Cinamaker Multi-Cam Live Production
A few people asked whether this interview was with the same company that makes Multi-Cam that I’ve told you about before, and no, this is an entirely new product. There’s definitely some overlap, but Cinamaker has some capabilities that are more advanced. Cool that we have lots of options.
Patreon and Amazon
This show isn’t supported by ads, instead we rely on listener and reader contributions. I want to give a special shoutout to Bo Hanson for signing up with Patreon to start the gift that keeps on giving. If you want to support the show, go to podfeet.com/patreon and give the value you feel you get from the show like Bo did. It’s simple and easy for you and means a lot to me when you show your support in this and other ways.
Security Bits
Security Medium 1 – Remote Code Execution Bug in Intel CPUs
A modern CPU is a lot more than just a CPU – modern CPUs from Intel actually have a little management computer inside the CPU to allow the CPU to be managed remotely. This means that if your actual computer crashes, you can still remotely connect to the little computer within the computer to reboot your computer. This little computer within a computer is known as a management chip, and Intel uses multiple brand names for this type of technology including Active Management Technology (AMT), Intel Small Business Technology, and Intel Standard Manageability (ISM). In general, these technologies are included in Intel vPro CPUs.
Because these management chips run as totally separate little computers within a computer, and because they control the CPU, their level of access to a system is amazingly high. They have more power than any admin account, more power than the system kernel, and even more power than virtualisation hypervisors – they have more power than something that has more power than an admin account. For example, the output to the physical display is made available over VNC, and hardware level mouse and keyboard inputs can be sent remotely. Network packets can also be re-directed for remote inspection.
As well as existing in hardware, Intel have also provided software for communicating with this little computer within a computer from within regular computer operating systems. On Windows this is done through the so-called LMS service. The thing to bear in mind is that the presence or absence of this service tells you nothing about whether or not your CPU has one of these management chips within it.
Obviously, the security of these chips is critical, but, Intel treat them as trade secrets, and don't even release information on what the chips can do, or how they are even theoretically secured. There is no equivalent of Apple's white paper on OS X and iOS security for these über-powerful little chips. This has worried some in the security industry for years – what if there was a bug in here? These things have staggering power, and, there is no easy mechanism for Intel to push out updates. We basically have to trust that Intel implemented these devices perfectly, and all without any kind of supervision from the security community.
Well – those fears have come to pass – on May Day (kind of ironic given the meaning of the obvious homophone mayday) Intel announced that they have discovered, and patched, bugs in the firmware for all three of the management technologies mentioned above. In theory these powerful management chips require authentication to log in to them, but there is a bug in that validation, so anyone can get in and start managing affected computers!
The bug manifests in two distinct ways – firstly, regardless of which product you have, and whether or not you've explicitly set up management, any local user can abuse the bug to escalate to über-admin powers. If you have explicitly enabled remote management on ISM or AMT, then anyone who can reach TCP ports 16992 & 16993 or 623 on your computer can get the über-admin powers remotely.
On the whole, this will have much more of an effect on enterprise users than home users. For a start, most consumer-level PCs don't ship with vPro CPUs. Even if you do have a higher-end home PC which does have vPro, you're not likely to have enabled remote management, and if you did, you're probably behind a NAT firewall, so unless you explicitly port-forwarded, you're not vulnerable from the internet, just from your LAN and from on the PC itself (which does mean that even minor vulnerabilities become a big problem, because they can be escalated to über-admin power by exploiting this bug).
So – if you have a vPro CPU, probably best to apply the patch.
BTW – as best as I can figure out, the Intel CPUs Apple use for Macs do not contain any of these vulnerable management chips.
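One practical thing a sysadmin can do with the ports Bart mentions is take an inventory of their own LAN: which hosts are actually answering on the AMT/ISM management ports, and which of those answer with the AMT web UI? The script below is an added example, not from Bart's notes or from Intel's mitigation guide, and it assumes the AMT web interface identifies itself with the string "Intel(R) Active Management Technology" in its HTTP Server header (treat that banner as an assumption to adjust for your fleet). It ships with a constructed fake listener on loopback so it can be run offline.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The ports Bart lists for remotely reachable ISM/AMT management.
AMT_PORTS = (16992, 16993, 623)
# Substring the AMT web UI is assumed to return in its HTTP "Server" header
# (an assumption of this example, not something the show notes state).
AMT_BANNER = "Intel(R) Active Management Technology"


def probe(host, port, timeout=1.0):
    """Connect to host:port and send a minimal HEAD request.

    Returns ("closed", "") when nothing accepts the connection,
    ("open", "") when something answers but does not identify as AMT, and
    ("amt", banner) when the Server header carries the AMT banner.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            chunks = []
            try:
                while True:
                    data = sock.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            except socket.timeout:
                pass  # a non-HTTP listener may never answer; report it as plain "open"
    except OSError:
        return ("closed", "")
    response = b"".join(chunks).decode("latin-1", "replace")
    for line in response.split("\r\n"):
        if line.lower().startswith("server:"):
            banner = line.split(":", 1)[1].strip()
            if AMT_BANNER in banner:
                return ("amt", banner)
    return ("open", "")


def audit(host, ports=AMT_PORTS, timeout=1.0):
    """Probe each management port on one host; returns {port: (status, banner)}."""
    return {port: probe(host, port, timeout) for port in ports}


class _FakeAMT(BaseHTTPRequestHandler):
    """Constructed stand-in for the AMT web UI so the audit can run offline;
    the version number and realm below are made up."""
    server_version = "Intel(R) Active Management Technology 0.0.0"
    sys_version = ""

    def do_HEAD(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Digest realm="Digest:CONSTRUCTED"')
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def _unused_port():
    """Grab a free loopback port and release it, so we can probe something closed."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run the audit against the constructed fake listener and a closed port."""
    server = HTTPServer(("127.0.0.1", 0), _FakeAMT)
    amt_port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        closed_port = _unused_port()
        results = audit("127.0.0.1", ports=(amt_port, closed_port))
    finally:
        server.shutdown()
        server.server_close()
    return {"fake_amt": results[amt_port], "closed": results[closed_port]}


if __name__ == "__main__":
    for name, (status, banner) in demo().items():
        print(f"{name}: {status} {banner}")
```

Only port 16992 speaks plain HTTP, so the banner check is meaningful there; 16993 is the TLS equivalent and 623 is not HTTP at all, so those will show as "open" at best. A host that shows "amt" on 16992 from the LAN is one where remote management is enabled and the firmware update matters most.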
Links:
- Intel's notification of the bug – security-center.intel.com/…
- Intel's mitigation guide – downloadcenter.intel.com/…
- Ars Technica's initial reporting on the bug – arstechnica.com/…
- More detailed reporting on the bug from Ars Technica – arstechnica.com/…
Security Medium 2 – When SMS-based 2-FA Goes Wrong
I was initially just going to include a story in suggested reading where security researchers warn of the danger of so-called SIM-swaps. If you use SMS two-factor-auth, then the security of your second factor depends on the robustness of your cell provider's support processes. If a bad guy can convince your cell company that they are you, and to please transfer your number to a new SIM card, or to please issue you a new SIM card to a given address, or to hand you one over the counter in a store, then they have just taken over your cellphone number, and hence, your second factor. This is obviously an important warning, and yet another reason to favour time-based codes like those used by Google Authenticator over codes sent via SMS.
But, while the cell phone companies are definitely a weak link in the chain, there is a weaker link, one we have talked about before on this show – the SS7 signalling protocol used to interconnect cell companies around the world. This protocol is ancient, and lacks any kind of message authentication, so it's easy to send spoofed commands that redirect voice and SMS traffic to any arbitrary server. This made news when US Congressman Ted Lieu agreed to have the exploit used against him for demonstration purposes in April last year, but security researchers have been trying to highlight the problem since at least 2008.
This has been a theoretical problem for years, but now it's not theoretical any more!
According to a report published this week, the flaws in SS7 were used to bypass SMS-based 2FA and drain money from German bank accounts in January of this year. The attack came in two parts, first, a traditional phishing attack to get usernames, passwords, and cellphone numbers, then an attack on SS7 to divert the SMS-based 2FA codes and allow the attackers to initiate the fraudulent bank transfers.
Bottom line – any 2FA, even SMS-based 2FA is better than no 2FA, but if you have the choice of multiple 2FA options, avoid SMS-based 2FA.
Links:
- The warning about the danger of SIM Swaps – nakedsecurity.sophos.com/…
- The Ted Lieu story from last year – arstechnica.com/…
- Ars Technica's reporting on the German bank hacks – nakedsecurity.sophos.com/…
- Naked Security's reporting on the German bank hacks – nakedsecurity.sophos.com/…
Security Medium 3 – The Google Docs Phishing Worm
Another security threat to go from hypothetical to real hit Google users this week. Security researchers had warned Google that OAuth could be abused to phish people, but Google took no steps to mitigate the problem, until this week, when a successful email worm started to spread rapidly across the internet.
Victims would receive an email from someone they probably knew (how will become obvious later) which appeared to be a link to a shared Google Docs document. When the victim clicked the link they would be taken to a legitimate Google OAuth page (like you get from every 3rd-party service where you log in with your Google Account) where they would be asked to log in. Once logged in, they would be asked to grant permission to a web app that identified itself as Google Docs. This was not in fact Google Docs of course, but a malicious web app named Google Docs. This malicious web app would use the granted access to read the victim's address book, and then send more emails as the victim to everyone in that address book.
The problem is that attackers were able to make their malicious web app appear to be Google Docs.
Google responded quickly to the worm, disabling the malicious web apps associated with the attack, and removing all the permissions to those apps users had granted.
In the short-term this specific attack was quickly stopped, but the underlying weakness in Google's systems remains.
One of the reasons this phish was so convincing is that the link really did take you to Google. You went to a real Google page, with a valid SSL Certificate issued to Google. The problem is that attackers exploited the utter ineptitude of Google's approval process. The attackers submitted a web app to Google's approval process named "Google Docs", and Google approved it! Google effectively gave this malware their stamp of approval. The way OAuth works is that you are redirected to your identity provider's website where you log in, and then grant access to the site requesting access. You are completely dependent on the identity provider's web interface and vetting processes to allow you to make informed decisions. Google utterly failed, and hence, have undermined trust in the entire idea of OAuth. Yes, this happened to Google, but would other major OAuth identity providers like FaceBook and Twitter have fared any better had the attackers targeted their systems and processes?
In my opinion Google need to respond in two ways:
- Update the design of their OAuth page to show-case the identity of the developer as much as the name of the app. An app named "Google Docs" clearly shown as being developed by someone else would be much easier to spot as fraudulent than what we see on Google's OAuth screen today.
- Re-vamp their approval process. I think one has to assume no human was involved on approving this app – what human reviewer could possibly be incompetent enough to approve an app named "Google Docs" that is not by Google? I believe humans are needed in the process. I don't see how else Google can restore faith in their OAuth system.
While Google deserve praise for their prompt and effective response, they deserve equal condemnation for ever allowing the attack in the first place. Security researchers have been raising the alarm about the inadequacies of Google's OAuth implementation since 2011!
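Bart's two recommendations can both be expressed as code an identity provider would run: a registration check that refuses (or kicks to a human) any app whose name uses a protected brand unless the developer's verified domain belongs to the brand owner, and a consent-screen line that leads with who the developer is rather than what the app calls itself. The following is an added example of that policy, not Google's actual vetting code; the brand list and domains are constructed for illustration, and the look-alike normalisation (case, accents, leet substitutions) is there so that "G00gle D0cs" is caught as well as "Google Docs".

```python
import re
import unicodedata

# Constructed policy table: brand token -> developer domains allowed to use it.
# A real provider would maintain its own list of protected names.
PROTECTED_BRANDS = {
    "google": {"google.com"},
    "gmail": {"google.com"},
    "youtube": {"google.com", "youtube.com"},
}

# Common look-alike substitutions an impersonator might use in an app name.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "|": "l"})


def normalize(name: str) -> str:
    """Fold an app name to lower-case ASCII letters and digits: strip accents,
    undo leet substitutions and drop punctuation/whitespace."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", name.casefold().translate(LEET))


def vet_registration(app_name: str, developer_verified_domain, brands=PROTECTED_BRANDS):
    """Decide what to do with an OAuth app registration.

    Returns (decision, reason) where decision is "approve", "reject" or
    "manual_review". A protected brand in the name is only approved when the
    developer has verified a domain owned by that brand.
    """
    norm = normalize(app_name)
    domain = developer_verified_domain.lower() if developer_verified_domain else None
    for brand, owner_domains in brands.items():
        if brand in norm:
            if domain is None:
                return ("manual_review",
                        f"name uses protected brand {brand!r} and developer is unverified")
            if domain not in owner_domains:
                return ("reject",
                        f"name uses protected brand {brand!r} but developer is {domain}")
    if domain is None:
        return ("manual_review", "developer has no verified domain")
    return ("approve", "no protected brand in name")


def consent_headline(app_name: str, developer_verified_domain) -> str:
    """The line a consent screen should lead with: developer identity first,
    the self-chosen app name second and clearly marked as such."""
    who = developer_verified_domain or "an unverified developer"
    return f"{who} is asking for access to your account (app calls itself {app_name!r})"


if __name__ == "__main__":
    for name, dev in [("Google Docs", "evil-example.test"),
                      ("G00gle D0cs", None),
                      ("Google Docs", "google.com"),
                      ("Weather Widget", "example.test")]:
        print(vet_registration(name, dev), "|", consent_headline(name, dev))
```

The consent headline is the part users actually see; showing "evil-example.test is asking for access" above an app calling itself "Google Docs" is the cue Bart says today's screen lacks, and it does not depend on the vetting step having caught the app.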
Finally – now might be a good time to check what apps you've granted access to on all services that use OAuth, including Twitter, and FaceBook as well as Google.
Links:
- Ars Technica's reporting on the worm – arstechnica.com/…
- Naked Security's Reporting on the worm – nakedsecurity.sophos.com/…
- TidBits' reporting on the worm – arstechnica.com/…
- An analysis of why this phish was so convincing – arstechnica.com/…
- A good summary of the entire event from Naked Security – nakedsecurity.sophos.com/…
- A nice summary of all the warnings Google got about this vulnerability dating back to 2011 – arstechnica.com/…
Security Medium 4 – Handbrake Servers Hacked – Mac Malware Distributed
Handbrake is a popular open source DVD ripper for the Mac. The project announced this week that one of their official download servers had been hacked, and that the version of Handbrake offered for download from that site for a period of a few days was infected with the OSX/Proton.B malware.
If you downloaded Handbrake between May 2nd and May 6th, there is a 50% chance you're infected with malware. The malware asked for admin privileges, pretending to need them to install codecs, so if you entered those, it could have stolen everything in your keychain. This is why Handbrake are advising people who fell victim to this malware to change every single password stored in their keychain (yikes!).
Handbrake is not a signed developer: “Signing HandBrake is problematic for several reasons, including cost, how apple force key management and so on. So right now it’s feasible for us to add without causing ourselves a headache I’m afraid.”
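With no developer signature to check, the one integrity check available for a download like this is a published checksum. Here is an added example (not Handbrake's code) of verifying a downloaded file against a `sha256sum`-style listing ("<hex>  <filename>" per line), hashing in chunks so large disk images don't have to fit in memory and comparing in constant time; the file names and bytes are constructed placeholders.

```python
import hashlib
import hmac
import io


def parse_checksum_listing(text: str) -> dict:
    """Parse sha256sum-style lines ("<hex>  <filename>") into {filename: hex}.
    Blank lines and '#' comments are skipped; a leading '*' binary marker is dropped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not all(c in "0123456789abcdefABCDEF" for c in digest) or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        table[name] = digest.lower()
    return table


def sha256_of(stream, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a binary stream, read in chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(stream, filename: str, listing_text: str):
    """Return (ok, actual_hex, expected_hex). expected_hex is None when the
    listing has no entry for the file, which is also a failure."""
    expected = parse_checksum_listing(listing_text).get(filename)
    actual = sha256_of(stream)
    if expected is None:
        return (False, actual, None)
    return (hmac.compare_digest(actual, expected), actual, expected)


def demo() -> dict:
    """Constructed clean and tampered downloads checked against a listing built
    from the clean bytes; returns the ok flag for each case."""
    good = b"constructed stand-in for a clean HandBrake-X.Y.Z.dmg\n"
    tampered = good + b"extra bytes appended by an attacker (constructed)\n"
    listing = ("# constructed listing\n"
               + sha256_of(io.BytesIO(good)) + "  HandBrake-X.Y.Z.dmg\n")
    return {
        "clean": verify_download(io.BytesIO(good), "HandBrake-X.Y.Z.dmg", listing)[0],
        "tampered": verify_download(io.BytesIO(tampered), "HandBrake-X.Y.Z.dmg", listing)[0],
        "unlisted": verify_download(io.BytesIO(good), "HandBrake-UNKNOWN.dmg", listing)[0],
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python verify.py <downloaded file> <checksum listing file>
        with open(sys.argv[1], "rb") as f, open(sys.argv[2]) as listing:
            ok, actual, expected = verify_download(f, sys.argv[1].rsplit("/", 1)[-1], listing.read())
        print("OK" if ok else "MISMATCH", actual, expected)
    else:
        print(demo())
```

The caveat that matters in the Handbrake case: a checksum is only as trustworthy as the channel it came from. If the attacker controls the download server, they can publish a checksum for their trojaned file too, so compare against a checksum from a separate source (the project's own site or forum rather than the mirror you downloaded from).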
Links:
- Handbrake's official notification of the hack – forum.handbrake.fr/…
- Intego's reporting on the hack and the installed malware – www.intego.com/…
- Ars Technica's reporting on the hack – arstechnica.com/…
- Handbrake explaining why they’re a not a signed developer: github.com/…
Security Medium 5 – The WannaCry Worm
A worm is self-replicating malware, that is to say, a true virus, that spreads itself over network connections. When a worm infects a computer, it uses that computer's network connectivity to scan for other victims and infect those, who then scan to infect more, and so on. It's been some time since we've had a major worm break out and make news.
What has been much more fashionable these days is ransomware – malware that encrypts your files and extorts money from you in exchange for the key to decrypt them. Most of this ransomware has spread in the form of a trojan – a piece of malware that somehow tricks you into infecting your own computer, like the wooden horse tricked the Trojans into bringing the Greek army through their city's defences in the legend of Troy.
News broke on Friday of new malware that has been named WannaCry (or Wanna Decrypter) that blends these two concepts – it is a self-propagating worm that encrypts your data and tries to extort money from you.
The worm is exploiting a bug in the Windows Server Message Block (SMB) implementation that was made public in April as part of the NSA leak by the Shadow Brokers group, but patched by Microsoft in March.
The first big victims to make the news were health institutions within the UK's National Health Service (NHS), but that was soon followed by news of chaos at Spanish banks, and as Friday rolled into Saturday, it became clear this was developing into a global problem.
The obvious good news is that it's trivially easy to protect yourself from this worm – apply the March security updates from Microsoft! Microsoft has even issued versions of the patch for unsupported versions of Windows, including XP.
You might imagine that a bug that was fixed in March could not be used by a worm to propagate in May, but that assumes people patch their servers, and that's clearly not a valid assumption. Patches involve change, and change involves risk. Patches also involve reboots, and reboots involve downtime. Organisations are allergic to risk and downtime! My argument has always been that not patching is a bigger risk than patching, but inaction seems easier to make happen than action, so the risk of action seems to make managers more nervous than the risk of inaction.
Links:
- Ars Technica's initial reporting on the worm – arstechnica.com/…
- Brian Krebs' initial reporting on the worm – krebsonsecurity.com/…
- Naked Security's initial reporting on the worm – nakedsecurity.sophos.com/…
- Follow-up reporting from Ars Technica detailing the NSA link, and more attacks around the world – arstechnica.com/…
- Microsoft has extended the patch back to some unsupported versions of Windows – technet.microsoft.com/…
Important Security Updates
- Mozilla have released FireFox 53.0.2 (and ESR 52.1.1) to patch a bug that could allow a remote attacker to take over your computer – www.us-cert.gov/…
- Adobe released Patch Tuesday patches to fix critical bugs in their products, including Flash – www.us-cert.gov/…
- Microsoft's Patch Tuesday releases are dominated by a fix to a critical flaw in Windows Defender. This vulnerability is extremely dangerous, because Defender has extremely high privileges, and, a very large attack surface – a BAD combination! Apply this month's patches promptly! – arstechnica.com/… & krebsonsecurity.com/…
Important Security News
- Security researchers highlight the growth in Android apps that use ultrasound to track users without their consent – in theory no app in the Play store should do any tracking that is not clearly outlined in their privacy policy, and in theory it should be easy to deny access to the microphone, but reality is proving different. Modern versions of Android deal with the mic much like iOS does, asking permission very explicitly when the app is run, but lots of people still use old versions of Android, and, researchers found over 200 apps in the store that use ultrasound tracking, but do not say so in their privacy policies. This includes apps from large companies like McDonalds and Krispy Kreme – arstechnica.com/…
- Data released by AV company G-Data shows they see about 8,400 new pieces of Android Malware a day on average, or, a new piece of Android malware every 10 seconds. In their report, G-Data also highlight one of the big reasons Android is so attractive to cyber criminals – the vast majority of Android devices are running out-of-date versions of the OS that are riddled with known vulnerabilities. Less than 5% of Android devices are running any version of the latest OS, and that number includes those running versions of Nougat that are not fully patched! – blog.gdatasoftware.com/…
- Sophos warn of finding more than 50 apps in the Google Play Store that contain privacy-stealing malware, some with more than 1M downloads – nakedsecurity.sophos.com/…
- Google say they won't fix a 'feature' in Android that's being actively used to attack users until Android version O comes out in a few months. The feature suppresses security warnings about a dangerous feature that lets one app place its content over another, an absolute boon for phishers, if that app came from the Play store. The theory being that all apps in the Play store are safe (editorial by Bart – an absolute farce of a theory) – nakedsecurity.sophos.com/…
- Google’s project Treble may allow faster OS updates – androidandme.com/…
- Another sign that attackers are turning their attention to the Mac – the venerable Windows malware family Snake has been ported to the Mac. The malware was found in the wild pretending to be a Flash installer and signed with a then-valid developer cert. Apple promptly revoked the cert, denting the Trojan's effectiveness – www.imore.com/… & www.macobserver.com/…
- Security Researchers warn that a bad device driver has been, and is, being shipped with many models of HP laptops. The device driver appears to have accidentally been shipped with debug code included, so it writes every single keystroke to an un-protected file on the computer's hard drive, turning the audio driver into a, presumably inadvertent, key logger – arstechnica.com/…
- Removal instructions – www.macobserver.com/…
- Amazon's new Alexa calling feature comes with a privacy sting in the tail – if you enable it, you can't control who gets to call you through the service – it's anyone, or no one – www.imore.com/…
- Senator Dianne Feinstein is trying to revive her bill aimed at forcing tech companies to give the government access to encrypted data – www.macobserver.com/…
- RELATED – due to a whoopsie by Senator Feinstein, we now know the FBI paid $900,000 to hack the San Bernardino iPhone – www.macobserver.com/…
Notable Breaches
- Breach at Sabre Corp's hospitality unit which processes payments for more than 32,000 hotels and other accommodations – krebsonsecurity.com/…
- RELATED – Sabre is just part of a bigger pattern of attacks against the hospitality industry – Naked Security lays out this bigger trend and offers some advice to travellers – nakedsecurity.sophos.com/…
- Tinder ordered a researcher to remove a data set of 40,000 Tinder profile pictures he had published online – nakedsecurity.sophos.com/…
- The Indian government reportedly leaked details on 100M people – nakedsecurity.sophos.com/…
- Website Flaw Let True Health Diagnostics Users View All Medical Records – krebsonsecurity.com/…
Suggested Reading
- The attack on net neutrality in the US continues:
- FCC and Congress Work to Roll Back Net Neutrality – tidbits.com/…
- John Oliver sounds the warning siren on net neutrality, summoning the internet horde that saved it before – theweek.com/… (well worth a watch)
- John Oliver Makes It Easier to Comment on FCC Effort to Gut Net Neutrality – www.macobserver.com/…
- Editorial by Bart – Americans who care about a free and open internet need to make their voices heard, and John Oliver's shortcut URL for short-circuiting the user-hostile FCC website is an invaluable tool to help you. Bookmark this great URL so you can comment as soon as the FCC re-opens public comment on this issue – gofccyourself.com/…
- Russian Hackers and the French Elections
- What to Look for in a Private and Secure Email Service Provider – www.intego.com/…
- How to Remove Location Data From Photos on Your iPhone – www.macobserver.com/…
- I'm an ex-Facebook exec: don't believe what they tell you about ads – www.theguardian.com/…
- Meet Greyhound.com, the site that doesn't allow password changes – arstechnica.com/…
- Minority Report in Chicago as police aim to stop crime before it happens – nakedsecurity.sophos.com/…
- Would you like a side of facial recognition with your pizza? – nakedsecurity.sophos.com/…
- Soldiers sent hate-SMS messages from rogue base stations – nakedsecurity.sophos.com/…
- Microsoft's recent success in blocking in-the-wild attacks is eerily good – arstechnica.com/…
- More mud in America's 5th amendment waters – defendants in an extortion case ordered to unlock their phones – nakedsecurity.sophos.com/…
- NSA kept an eye on 151m phone records – but wait, didn't bulk collection stop three years ago? – nakedsecurity.sophos.com/…
- Lawyers demand answers after artist forced to unlock his phone – nakedsecurity.sophos.com/…
Palate Cleansers (Badly needed this week)
- Please read all of this Oatmeal comic – please – theoatmeal.com/…
- Pale White Dot – a tribute to Sagan's pale blue dot, and an amazing photo to get as Cassini's mission approaches its dramatic end – www.macobserver.com/…
- XKCD takes on Photo Library Management (as usual, too much truth in this cartoon for comfort) – xkcd.com/…
- A History of the Entire World – very well done, but does contain a handful of mildly NSFW words – youtu.be/…
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.