Bart and I pushed out a new episode of Taming the Terminal in both the Chit Chat Across the Pond Taming the Terminal feeds. I’ll tell you why Rogue Amoeba is the gold standard of customer support. Then we’ll hear about Ricoh’s next generation 360 camera. I’ll then go on a rant of all of the quality assurance work I’ve done for so many companies in the last few weeks, including AirPods, iPads Pro, iPad Pro keyboards, Ring video software and website, Apple Watch activity sharing, Screenflow and even macOS. Bart Busschots is back with a new edition of Security Bits. He explains subtleties of the WannaCry ransomeware that I’ve heard nowhere else, then he explains how Apple is going to institute a requirement for app-specific passwords for third party apps with access to your iCloud calendar, contacts and mail. Very important listening.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Apple bias. Today is Sunday May 28, 2017 and this is show number 629. Next week Steve and I are headed off to finally see Yellowstone and Grand Teton National Parks with our friends Bill and Diane. We leave on Thursday so the NosillaCast will actually come out super early next week – on Wednesday night. For those of you who enjoy coming to the live show, there obviously won’t be one next week. That doesn’t mean you can’t go hang out in the live chat room without us of course. From what I can gather during the show no one pays attention to my blather anyway.
Steve sent out a note this week on social media suggesting that you guys can certainly hang out together in the live chat room during WWDC on Tuesday. June 5th at 10am. We’ll be on the road probably and unable to join but that shouldn’t stop you from having fun. If you want to join in and haven’t played in the live show before, the easiest way is to go to podfeet.com/live. There’s a web-based chat client there, and links to tutorials to how to set up standalone clients too. Of course the video on that page won’t be live but the chat room should be fun. We’re sorry to be missing it but hopefully you’ll keep us informed of anything we miss.
Chit Chat Across the Pond
This week’s Chit Chat Across the Pond was actually a new episode of Taming the Terminal. When I split off the propeller beanie and lite versions of Chit Chat, it didn’t occur to me that this would happen. So when I said propeller beanie, I actually meant Programming By Stealth. So now there’s the main Chit Chat feed that has everything, or you can subscribe separately to Chit Chat Across the Pond Lite, or Programming By Stealth, or Taming the Terminal, or all three if you just like to have them in separate files. And remember, if you change nothing, you’ll still get all of the Chit Chats in the main feed.
So anyway, in this episode of Taming the Terminal, Bart teaches us about SSH Agents and how to regain some capability with them that we lost in upgrading to El Capitan. Bart does a great job of reminding us of what we learned about SSH back in parts 29 and 30 of Taming the Terminal so it’s easier to get back up to speed to follow along. Go check it out either in the Taming the Terminal feed or in Chit Chat Across the Pond in your podcatcher of choice.
Blog Posts
Rogue Amoeba – the Gold Standard
NAB 2017: Ricoh’s New Generation Theta Camera
I’m In Charge of QA for All the Things
Patreon and Amazon
Next week, Chit Chat Across the Pond Lite is going to be a conversation with Bruce Wilson, Chief Technology Officer for Information Technology at Oak Ridge National Laboratory. I’m really excited about talking to him about the crazy cool work they’re doing there on things like an ultrasonic clothes dryer and a method to convert carbon dioxide into ethanol. Anyway, the reason I’m bringing him up is because not only is he going to make a huge contribution by being. a guest on the show, he also just became a patron of the Podfeet Podcasts. Becoming a patron is one of the best ways to show your continued support of the shows. You can join Bruce and the other cool kids by going over to podfeet.com and tapping the Support the Show button from there you’ll see the Patreon button along with PayPal and Amazon for the affiliate links. Once you go to Patreon, you sign up with an account and choose the amount you’d like to pledge. I really appreciate all of you who have shown your support in this way.
Security bits
Followup – More Details on WannaCry
When we last recorded the WannaCry malware story was just breaking, so we knew there'd be some gaps that needed filling in.
Firstly – the news of the so-called kill switch was just breaking. It seemed like a strange story at the time, and we definitely knew its effect would be short-lived. It now seems like the kill-switch was a ham-handed attempt by the malware to detect when it was in the kind of virtualised environment security researchers use to examine malware. One of the tools security researchers use to analyse a piece of malware is to run it in virtual machines that are designed to watch the apps behaviour closely and log everything it does. Obviously, malware vendors don't want their software analysed like this, so they build in tests to try detect the virtualisation, and hey presto – another cat-and-mouse game is born!
One of the things a virtual malware testing environment will do is intercept DNS queries and reply with the IP address of a server controlled by the researchers. The hope is to trick the malware into using the researcher's server as their command-and-control server, allowing the researchers to see what kinds of information is flowing through that channel, and to see how the malware responds when sent different commands. As a malware author, you can try protect against this by having your code resolve a domain you know should not exist, and if you get an answer, then you're probably in a virtual environment. If you're a smart malware author you'll have your code randomly generate a different bogus domain name at execution time. If you're a bit naive you might hard-code a single test domain into your malware. It appears this is what WannaCry did. Once a security researcher found the domain name, all he had to do was register it in the real world, and every copy of WannaCry would think he real world is virtual, and deactivate itself so it could not be studied!
We said at the time that the kill-switch would not last long, and that has indeed borne out. New versions without it started spreading almost immediately.
Something that's still not clear to me is exactly what the situation is Windows XP. Some researchers say the malware can't infect XP machines, but we have reports of lots of infected XP machines. Maybe the reports of infected XP machines were inaccurate? Numbers form Kaspersky labs seem to support the idea that XP is not big-bad in this outbreak, but that the real problem is Windows 7, which they say accounts for 97% of the infections they've seen. Numbers from BitSight agree that Windows 7 is the biggest problem, but the numbers are not similar at all – BitSight's numbers give Windows 7 a 67% share.
Personally, I think the focus on Windows XP in the discussions misses the real point – the importance of keeping systems fully patched. Since you can't fully patch an un-supported OS, you should not run them. And, just running a supported OS is not enough, you need to actually patch it!
Some good news is that it's possible to decrypt the files encrypted by WannaCrypt on some computers in some cases. Ironically, the malware uses crypto APIs provided by Windows to generate the keys for doing the encryption, and in older versions of Windows, those APIs don't clean up after themselves properly, so they leave enough information floating around in RAM temporarily to re-create the keys. Obviously this trick only works for a while, if the RAM gets re-used, or the machine rebooted, the leaked information will be lost for ever. The first tool to make use of this leak for recovering files was named WannaKey, and only worked on XP, but that was followed by another tools named WanaKiwi which definitely works on Windows XP, Windows 7 & Windows Server 2003, and there are some reports that it may also work on Windows Vista & Windows Server 2008.
A few days after the attack Microsoft came out strongly against governments hoarding critical vulnerabilities like the one underpinning WannaCry. They renewed their calls for kind of Digital Geneva Convention where governments would sign up and agree to disclose vulnerabilities they find to vendors instead of hoarding and exploiting them.
A lot of media reporting focused on how "little" money the attack generated for the perpetrators. The linked bitcoin wallets "only" gathered in the order of tens of thousands of dollars with of bitcoin in the days following the start of the attack. A few days of coding to turn a leaked exploit into tens of thousands of dollars seems like a good ROI to me!
There's some evidence suggesting that WannaCry may have been created by the so-called Lazarus Group, an apparently North Korean hacking group that rose to fame by hacking Sony Pictures.
While researching WannaCry, researchers found a previously un-known botnet of some 200,000 computers that used the same vulnerabilities as WannaCry to spread. Unlike WannaCry, this malware did its best to be stealthy, because it used infected computers to mine for bitcoins. This malware campaign started some time between the 24th of April and 2nd of May, so before WannaCry broke out.
Finally, the mystery of how Microsoft ended up patching the bugs exploited by WannaCry before the Shadow Brokers released the exploit has been solved – when the NSA realised what the Shadow Brokers had, and what damage could potentially be done by releasing it, they reported the vulnerability to Microsoft.
Links:
- How I accidentally stopped a global Wanna Decryptor ransomware attack – arstechnica.com/…
- The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack
Read more at https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#SMW5meKu54OVOz3Q.99 – blogs.microsoft.com/… - Virulent WCry ransomware worm may have North Korea's fingerprints on it – arstechnica.com/…
- Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry – arstechnica.com/…
- Cryptocurrency-mining malware cashes in on NSA exploit that enabled WannaCry – nakedsecurity.sophos.com/…
- Fearing Shadow Brokers leak, NSA reported critical flaw to Microsoft – arstechnica.com/…
- Windows XP PCs infected by WCry can be decrypted without paying ransom – arstechnica.com/…
- More people infected by recent WCry worm can unlock PCs without paying ransom – arstechnica.com/…
- Windows 7, not XP, was the reason last week’s WCry worm spread so widely – arstechnica.com/…
- WannaCry: the rush to blame XP masked bigger problems – nakedsecurity.sophos.com/…
Security Medium – iCloud Security Changes
Starting on June 15th, Apple are changing how 3rd-party apps access iCloud mail, contacts, and calendars.
Because iCloud is such a nebulous thing, it's important to be clear about the scope of this change before we go any further. We're not talking about apps that use Apple's CloudKit API to store data in iCloud. We're not talking about apps that use iOS or OS X APIs to access your contacts – we're only talking about the bit of iCloud that provides email and calendar services like you would get from a Microsoft Exchange server in a corporate setting. In other words, apps like Outlook & Thunderbird.
At the moment, you enter your true iCloud username and password into Outlook & Thunderbird when you set up these clients. This lets them connect to Apple's mail & calendar servers over traditional protocols like IMAP, POP3, SMTP & CalDav to do traditional email and calendar things. But, that same username and password protects so much more these days. You're trusting these apps with a lot!
So whats changing?
From June 15th, your normal iCloud username & password will stop working on these apps. Instead, you'll need to create app-specific passwords for them. This greatly reduces the level of trust you are putting in these apps, and hence, makes you much more secure. But, it does mean a little more effort at the moment you configure the clients.
Links:
- Third-Party Apps Will Need App-Specific Passwords for iCloud Access From June 15 – www.macrumors.com/…
- How to generate app-specific passwords with iCloud on iPhone, iPad, and Mac – www.imore.com/…
Important Security Updates
- Apple releases security updates for just about everything – www.us-cert.gov/… & www.intego.com/…
- WordPress released a critical security update to fix a vulnerability that could allow a remote attacker take over a site – www.us-cert.gov/…
- Joomla released a critical security update to fix a vulnerability that could allow a remote attacker take over a site – www.us-cert.gov/…
- The SAMBA project have released a critical security update that patches a remote code execution bug that could allow a remote attacker run arbitrary code on a SAMBA server – arstechnica.com/… & nakedsecurity.sophos.com/…
- A number of popular media players, including VLC & Popcorn Time, have released critical security updates to patch a bug that allows maliciously crafted subtitle files to execute arbitrary code. Unsettlingly, security researchers note that the bug probably exists in many other media players that have not been patched yet – nakedsecurity.sophos.com/…
Important Security News
- President Trump issued his promised Cyber Security Executive Order, and it's basically a continuation of the approach begun by President Obama – arstechnica.com/…
- Twitter has updated their privacy policy – they're pulling their support of the DNT (Do Not Track) flag, but giving you more switches to toggle on your settings page, and, being more transparent about what they have collected on you – www.macobserver.com/…
- Security firm Elcomsoft find that deleted iCloud notes hang around longer than they are supposed to – they are supposed to be recoverable for 30 days (an advertised feature, not a bug), but there seems to be a bug causing notes to hang around for longer deep in the bowls of iCloud accounts. The good news is that the notes are not leaked – your login details are required to access them – www.macobserver.com/…
- Security researches reveal that Yahoo servers were leaking memory by using insecure versions of open source libraries for years, though the problems have now been fixed. There were two separate problems, and researchers have dubbed this whole mess Yahoobleed (Editorial by Bart: given what we already know about Yahoo's security lapses over the last few years, I don't think this latest revelation changes much, we already knew our data on Yahoo has probably been compromised) – arstechnica.com/…
- 1Password introduces its new Travel Mode to protect user's data as they cross international borders – blog.agilebits.com/… & www.macobserver.com/…
- The master keys for the Crysis Ransomware have been leaked on PasteBin, offering hope to victims – nakedsecurity.sophos.com/…
- At their annual Marketing Next conference, Google announced Google Attribution, technology they say allows them to link what you buy in the real world to what ads you see, so ad purchasers can know how successful their ads are. Google haven't explained how they do this, but they promise they are protecting user privacy. The Washington Post are reporting that Google are using credit card transaction data to do pull this off (Editorial by Bart: the fact that Google won't say how they are doing this makes it even creepier to me) – nakedsecurity.sophos.com/… & www.washingtonpost.com/…
- Security researches find that radio-controlled pacemakers from four leading manufacturers have dangerously poor security – arstechnica.com/…
Notable Breaches
- Breach at DocuSign Led to Targeted Email Malware Campaign – krebsonsecurity.com/…
- Brooks Brothers reveals theft of payment card details – nakedsecurity.sophos.com/…
- MolinaHealthcare.com Exposed Patient Records – krebsonsecurity.com/…
- Chipotle says hackers stole credit card data from some customers during last month’s breach – cnbc.com/…
Suggested Reading
- A nice high-level description of Project Treble from Google – android-developers.googleblog.com/…
- A good op-ed responding to Project Treble from Ars Technica – arstechnica.com/…
- In a sad epilogue to the Handbrake breach we talked about last time, it appears to have resulted in attackers stealing a bunch of source code from Panic (makers of apps like Transmit). It just goes to show how easy it is for even smart people to get p0wn3d – panic.com/…
- Stories related to Net Neutrality in the US:
- Tell the FCC Exactly How You Feel about Ringless Voicemail – www.macobserver.com/…
- Because it's important for US Senate staffers to be able to communicate security, they need end-to-end encryption, and to that end, the Senate Sergeant at Arms has officially approved the use of the Signal messaging app by staffers (Editorial by Bart: it seems ironic to me that the Senate both want and need true privacy, and, are drafting legislation to destroy it at the same time) – www.imore.com/…
- What to look for when choosing a VPN provider – www.imore.com/…
- How to build your own VPN if you’re (rightfully) wary of commercial options – arstechnica.com/…
- The Guardian decided to put Facebook's assertion that it is working to tackle fake news to the test – sadly, it doesn't appear to be working – www.theguardian.com/…
- BostonGlobe.com disables articles when your browser's in private mode – arstechnica.com/…
- How Big Fuzzing helps find holes in open source projects – nakedsecurity.sophos.com/…
- GDPR is just a year away: here's what you need to know – nakedsecurity.sophos.com/…
- U.N.'s North Korea sanctions monitors hit by 'sustained' cyber attack – www.reuters.com/…
- How to stop Facebook from accessing your Microphone – www.imore.com/…
- LastPass's new cloud backup option – sunny skies or a brewing storm? – nakedsecurity.sophos.com/…
- Apple have released their latest privacy report (no surprises, government requests for data are up) – images.apple.com/…
- Here's What Kik Users Need to Know About Kin Cryptocurrency – www.macobserver.com/…
Palette Cleansers
- Apple Launches New Swift Curriculum on iBooks Store for Free – www.macobserver.com/…
- Some really cool tricks for quickly creating commonly needed vector icons or icon components like hearts or wifi symbols – bjango.com/…
- A simply amazing hyper-lapse video of NYC – youtu.be/…
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show – BUT NOT NEXT WEEK, you can normally head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.