In a weak moment I encourage you to send in improvement suggestions and even give examples of suggestions I’ve implemented. Honda Bob needs your help; he needs a bone marrow transplant. You can register by going to https://join.bethematch.org. I learned a ton about Audio Hijack from Dave Hamilton and Don McAllister after I taught a class in it at Macstock and you get to learn what I learn (and maybe the audio is even better on this episode as a result.) Quick review of an elegant and inexpensive Apple Watch stand from Spigen. I run some speed tests on the Transcend Portable SSD and compare to the Envoy Pro Mini. In Chit Chat Across the Pond Bart takes us through the XARA and other security issues this week.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday June 28, 2015 and this is show number 529.
Be the Match
For the long time listeners to the NosillaCast, I have a personal request to make of you. Honda Bob is my mechanic, and our friend, and a NosillaCastaway. He has been on the show a bunch of times and I used to do ads for him. For some reason the idea of creating ads for his services by the NosillaCastaways took off, culminating in Knightwise doing an entire ad as a Klingon War Commander. Anyway, Bob has been diagnosed with a blood disorder called Myelodysplasia Syndrome, which is a bone marrow failure disorder. Basically the bone marrow stops creating enough healthy blood cells. The good news is this is curable, the bad news is it requires a bone marrow transplant. The good news is that healthy people can donate bone marrow without much trouble. The best chance of a match for bone marrow is in a sibling but while Bob’s two siblings are a perfect match for each other, they’re only a 50% match for him. Unfortunately I’m not a match and in any case they say that people over 50 are not great matches.
So this is where you come in. I would love it if you would register to be a bone marrow donor. It’s pretty easy, you go to https://join.bethematch.org and they send you a kit. You do a swab of the inside of your cheek and send it back. Boom, you’re done. Now I should warn you of a HUGE danger in doing this. You could potentially save someone’s life. So you’d have to be ready to live with yourself after that.
Bob told us that the bone marrow registry is international, so we’re not leaving you out if you’re in Japan, Uzbekistan, New Zealand or Australia! Thanks for considering doing this, Honda Bob could really use your help!
I realized this week that I hadn’t yet set up ClamXav anti-virus on my new Macbook so I toodled off to download it. I was surprised but not disappointed to see that the developer, Mark Allen, has decided to make this into a commercial product. I say I’m not disappointed because if I can pay for it, I’m helping to ensure that it will stay in ongoing development. After a decade of free development, he’s now going to provide official support channels, fast response to support requests, fast turn-around of bug fixes, new features (he says they’ll be exciting!) and regular updates. It’s $30 but Mark is doing a 25% off sale right now to bring in the existing customers, so it’s only $22. I put a link in the shownotes to clamxav.com. When you listen to this week’s security section from Bart, you’ll realize that it probably is more than time to run an anti-virus on your Mac.
Now that I had my paid-up version of ClamXav, I needed to configure it. Like I mentioned before in this show, it’s awesome to have everything you ever knew documented, so I knew I could just toodle over to the tutorials section on podfeet.com, look for security tutorials and find my instructions. I realized in looking at them that they needed a wee bit of updating, especially with the news that ClamXav is a commercial product now. One of the great things about documenting stuff with Clarify is that it’s so easy to modify and re-upload. I opened Evernote where Clarify stores all of my tutorials…and it wasn’t there!
That’s when I realized I’d been running it so long that I had done the tutorial using Blue Mango’s older deprecated tool, ScreenSteps Desktop. I still have a copy of it, and sure enough there it was. But I wanted it in Clarify! Now who do you think probably has even BETTER help documentation than me? I went to clarify-it.com, did a search on how to move from ScreenSteps to Clarify and there were fabulous instructions showing me step by step with pictures and everything and in about 30 seconds I had my document over in Clarify. I made a couple of changes, saved it to Evernote, and then pushed the WordPress button and posted the new tutorial to podfeet.com.
If you make instructions for yourself or others, or wish you would but it’s too hard with the tools you have, go over to clarify-it.com and download the free trial for Mac or Windows.
Chit Chat Across the Pond
If you learn from Bart every week, go support Bart by pushing one of the support buttons over at lets-talk.ie
Security Medium – 1 – XARA AKA CORED (OS X & iOS Inter-app communication issues)
A new set of vulnerabilities has been found in OS X and iOS, and they have been lumped together under the collective name XARA, for “cross-app resource attack” (X is often used for ‘cross’ in security acronyms). This is not one issue, but four separate ones:
Issue 1 (OS X ONLY) – keychain chicanery (DOES NOT ALLOW PREVIOUSLY SAVED DETAILS TO BE READ)
OS X uses access control lists, or ACLs, to control access to each entry in the keychain, so it is possible for a single keychain entry to be accessible by multiple apps (on iOS the model is much simpler: only the app that wrote the entry can access it). Malicious apps cannot read entries they have not been granted access to, but they can delete them, and they can create new entries. This does not sound like a problem, but it actually is, because you can combine these two facts in a dangerous way.
1) you install a malicious app on your computer, or get infected by malware through an unpatched bug
2) that malicious app deletes the keychain entry for Facebook from your keychain – IT CANNOT READ WHAT IS IN ANY ITEM IT DID NOT CREATE
3) it creates a new keychain item for FaceBook that BOTH the malicious app, and your browser are granted access to. Next time you go to log in to FaceBook, the password can’t be auto-filled because the saved password has been nuked, but, if you re-enter the password and ask the browser to save it again, it will now be saved into the keychain item accessible by BOTH your browser AND the malicious app.
These permissions cannot be kept secret though; the app would be listed as having permission if you checked the permissions on the item using the Keychain Access utility. (Right-click an entry in your keychain, select ‘Get Info’, then switch to the ‘Access Control’ tab in the popup, and you’ll see all apps with access.)
Issue 2 (OS X, iOS in theory, and Windows): Web sockets are first-come first-served
Multi-part apps can use web sockets to communicate between their separate parts. A good example of this is apps that consist of a regular OS X app and a browser extension. Browser extensions can’t just do whatever they want (for obvious security reasons), so they need to use some kind of OS-mediated communication channel to pass information over and back to their parent app. A good example of this is 1Password, which has a main app and a browser extension.
Web sockets are one of the mechanisms OS X apps can use to communicate with each other. An app listens for incoming connections on a given port, and the browser extension then connects to that port to do its communicating. Port numbers are not tied to any specific app. Any app can listen on any port, as long as no other app got there first, so, while 1Password may be the only legitimate app to use the port they chose, it is not theirs, it’s just a port number!
The way the attack would work is as follows:
1) you install a malicious app on your computer, or get infected by malware through an unpatched bug
2) the malicious app starts before 1Password’s little menubar app, and starts listening on 1Password’s port number
3) the browser is then started, and the plugin connects to the 1Password port, and starts chatting to the wrong app.
It is important to note that the only readable data of note that 1Password sends through that web socket is NEW passwords on their way from the browser to the app for storage. Attackers don’t get to see existing passwords.
Web sockets are not an Apple thing, they are an HTML5 thing. The problem is that web sockets are not designed to do authentication, not that Apple made a boo boo in implementing web sockets. This means that every OS that implements web sockets has the exact same problem, and the industry as a whole will have to agree on how to deal with this problem.
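As an added illustration (not code from the page, from Apple or from AgileBits), here is a toy Python model of the point above: a port gives no guarantee about who is listening, so an app and its browser extension can only tell each other apart by layering a mutual challenge-response on a secret they share in advance. The pairing secret, the message format and the class names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Domain-separation tags so a reply in one direction cannot be replayed in the other.
TAG_APP = b"app-response"
TAG_EXT = b"ext-response"


def pairing_secret() -> bytes:
    """Secret shared once, out of band (assumed: e.g. a pairing code shown by the
    app and typed into the extension). Nothing on the wire identifies the peer."""
    return secrets.token_bytes(32)


def respond(secret: bytes, tag: bytes, challenge: bytes) -> bytes:
    """Proof of knowledge of the secret for a fresh challenge."""
    return hmac.new(secret, tag + challenge, hashlib.sha256).digest()


class LegitimateApp:
    """The real app listening on the port: holds the pairing secret."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending = None  # challenge we issued, awaiting the extension's reply

    def handle(self, msg: dict) -> dict:
        self._pending = secrets.token_bytes(16)
        return {"response": respond(self._secret, TAG_APP, msg["challenge"]),
                "challenge": self._pending}

    def verify_extension(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = respond(self._secret, TAG_EXT, self._pending)
        self._pending = None  # each challenge is usable once
        return hmac.compare_digest(expected, response)


class ImpostorListener:
    """A process that bound the port first (constructed for the example). It can
    accept the connection, but without the secret its reply cannot verify."""

    def handle(self, msg: dict) -> dict:
        return {"response": hashlib.sha256(msg["challenge"]).digest(),
                "challenge": secrets.token_bytes(16)}


def extension_handshake(listener, secret: bytes):
    """Extension side. Returns (listener_is_genuine, reply_for_app). Only when the
    first element is True should anything sensitive (e.g. a new password) be sent."""
    challenge = secrets.token_bytes(16)
    reply = listener.handle({"challenge": challenge})
    if not hmac.compare_digest(respond(secret, TAG_APP, challenge), reply["response"]):
        return False, None  # whoever holds the port did not prove the secret
    # Mutual: answer the app's challenge so the app can tell us from an impostor too.
    return True, respond(secret, TAG_EXT, reply["challenge"])
```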
Issue 3 (OS X Only): Insufficient App ID Verification
On OS X, sandboxed apps are confined to a given folder, their sandbox. Permissions to the sandbox folders are controlled by ACLs, so it is possible to let multiple apps see into each other’s sandboxes. An app is tied to a sandbox by its unique ID.
Every app uploaded to the App Store has a unique ID, and Apple make sure no one is using anyone else’s IDs. Unfortunately their checking is not very thorough, and helper apps within a main app can sneak through with the wrong ID. When that happens, the helper app can see into the sandbox of the app whose ID they are abusing.
This is very easy for Apple to fix – they just need to check the IDs more carefully.
Issue 4 (iOS & OS X): URL Scheme hijacking
On OS X and iOS, apps can register themselves as handlers for any URL scheme. These schemes allow for deep linking into apps, e.g. Facebook registers fb://. Like port numbers, these schemes are not reserved; any app can advertise its ability to open any kind of URL.
The issue here is that developers abuse URL schemes. They are supposed to be used to open an app and take you to a particular place within an app, NOT to securely transmit sensitive data. They were simply never designed to be a secure communication channel. Despite this fact, some developers use custom URL schemes to send sensitive data between apps – leaving that data open to interception by another app that advertises the same URL scheme.
Basically, developers are doing the digital equivalent of putting credit card details on a post card – the problem is the bad developers, not iOS, or OS X!
You can always tell when an app is answering for a URL scheme, because when the URL is invoked, the listening app will come to the foreground (remember, that is the whole point of these schemes in the first place!).
The Bottom Line:
Some of these things are easy for Apple to fix, some are not. Some of these things may require developers to build their apps in more robust ways.
The key point though is that none of these issues allow attackers to infect your computer. They just bypass some of the barriers the OS tries to put in place between running apps. These issues only come into play AFTER you get infected with malware. In effect, the worst case here is that our security goes back to what it was before sandboxing. That’s not a good thing, obviously, but it’s not catastrophic.
It is also important to note that the research contains an entire section dedicated to detecting apps that are attempting to make use of these techniques. Both Apple and AV firms have a lot to work with here, so it seems unlikely malicious apps using this technique could go un-noticed for long, and once they get spotted, both AV and Apple’s XProtect systems can come down on them like the proverbial ton of bricks.
Also, Apple say they have already added detection code to combat a lot of this on the app store servers.
The bottom line is, and frankly always has been, don’t install software from untrusted sources! Installing someone’s software means trusting them with your stuff, don’t be blasé about installing stuff!
- A good FAQ by Rene Ritchie on iMore: http://www.imore.com/xara-exploits-mac-iphone-and-ipad-and-what-you-need-know
- A great in-depth article, also from iMore: http://www.imore.com/depth-look-ios-os-x-xara-vulnerabilities
- A response from AgileBits (the 1Password peeps): https://discussions.agilebits.com/discussion/42900/osx-and-ios-1pw-keychain-vulnerability-report-on-the-register
Security Medium 2 – Samsung SwiftKey bug
Samsung bundles a SwiftKey keyboard with their phones, and does not allow it to be removed. The keyboard uses HTTP to update itself, so the updates can be tampered with, and hence the app can be taken over. This is a spectacular gaffe. It’s hard to believe that in 2015 there are still employed developers incompetent enough to do app updates over HTTP. This bug affects over 600 million devices.
Attackers can inject code into the keyboard to allow them to eavesdrop on phone conversations, turn on the mic and eavesdrop on the phone’s surroundings, access location data, access the camera, and even install other apps without the user’s knowledge.
Note that this bug is only in Samsung’s version of SwiftKey, not in the one in the Google Play store, or the one in the iOS App Store.
Samsung actually patched this in March, providing cell providers with the fix for all versions of Android from 4.2 up. The fact that it’s now June and end users don’t have the patch yet is just another example of Android’s spectacular security problem. Apple have the power to patch users’ devices immediately, Samsung do not, and that’s a real problem!
In fact, there are still phones being sold now that are vulnerable!
I don’t know of any way to protect yourself from this bug short of staying off (non-home) wifi or rooting your phone to install an alternative version of Android like Cyanogen Mod (or, getting a new phone).
One small mitigation is that the attacker can’t make your phone look for an update, and the attack can only be launched as your phone tries to update itself. Unfortunately, it does so automatically, and you can’t stop it from doing so.
Important Security Updates:
- Patch Tuesday has been and gone, including updates to Office, Windows Media Player, and Windows from Microsoft, and updates to Flash from Adobe – http://krebsonsecurity.com/2015/06/adobe-microsoft-issue-critical-security-fixes-4/
Important Security News
- A bug in mail.app on iOS allows HTML emails to render fake login windows that may trick some users – Apple are working on a fix, so in the meantime, just be suspicious of login prompts while you are in mail.app, especially ones that don’t grey out all the other buttons on mail.app – http://arstechnica.com/security/2015/06/serious-ios-bug-makes-it-easy-to-steal-users-icloud-passwords/
- The security researchers behind the free Android security app AppBugs have released research showing that many even high-profile Android apps do not properly secure communications between the apps and their servers, either by not even using HTTPS, or by not using it properly. Match.com and an NBA app are just two examples of affected apps – http://arstechnica.com/security/2015/06/game-over-https-defects-in-dozens-of-android-apps-expose-user-passwords/ (AppBugs will scan an Android device for apps with known security problems)
- The EFF have released their annual “Who Has Your Back” report, and Apple & Dropbox are among 9 companies that get 5 out of 5, Microsoft and Google are middle-of-the-road with 3 out of 5, and WhatsApp gets 1 out of 4, and a special mention for “lagging behind the industry in standing by users” – http://www.macobserver.com/tmo/article/eff-gives-apple-top-marks-for-protecting-customer-data-from-government
- Snowden encourages consumers to support Apple’s stance on privacy – http://www.macobserver.com/tmo/article/edward-snowden-consumers-should-support-apple-to-incentivize-privacy
- A number of important sites are (finally) going all HTTPS:
- Wikipedia – http://arstechnica.com/security/2015/06/wikipedia-goes-all-https-starting-immediately/
- Bing – https://nakedsecurity.sophos.com/2015/06/17/bing-arrives-better-late-than-never-to-the-encryption-party/
- Reddit – http://arstechnica.com/security/2015/06/reddit-goes-all-https-joining-wikipedia-netflix-and-even-the-feds/
- The US OPM breach just gets worse and worse and worse: http://arstechnica.com/security/2015/06/epic-fail-how-opm-hackers-tapped-the-mother-lode-of-espionage-data/ & http://krebsonsecurity.com/2015/06/opms-database-for-sale-nope-it-came-from-another-us-gov/
- Wikileaks posts another 276,000 Sony documents – https://nakedsecurity.sophos.com/2015/06/19/sonys-post-breach-woes-continue-as-wikileaks-dumps-276000-more-documents/
- Do you use open proxies to watch TV from one country in another (or for any other reason)? If so, you need to read this article by Brian Krebs: http://krebsonsecurity.com/2015/06/free-proxies-arent-necessarily-free/
- Do you have a car with one of these new-fangled keys that you just have to bring near the car for it to unlock? You should probably read this: http://arstechnica.com/cars/2015/06/mysterious-car-burglaries-signal-amplification-or-brute-force-hacking/
- Do you have an automatic garage door opener? It may be a lot less secure than you hope – https://nakedsecurity.sophos.com/2015/06/08/gone-in-10-seconds-man-hacks-kids-toy-to-open-garage-doors/
- A British company has launched an emoji-based alternative for banking PINs – https://nakedsecurity.sophos.com/2015/06/16/could-emojis-replace-passcodes-in-online-banking/
- Talks on a developing voluntary code of conduct for use of facial recognition technology by US companies broke down when all nine civil liberties groups walked out because not a single industry representative would agree to facial recognition being opt-in – https://nakedsecurity.sophos.com/2015/06/17/privacy-groups-walk-out-of-us-talks-on-facial-recognition-guidelines/
- Snowden documents reveal that the GCHQ & the NSA attacked AV companies, especially Kaspersky Labs (editorial by Bart – attacking the tools that protect everyone is an example of supposed security agencies making the whole world less secure; it’s not OK for governments to use taxpayers’ money to make taxpayers less secure IMO!) – http://arstechnica.com/security/2015/06/us-uk-intel-agencies-worked-to-subvert-antivirus-tools-to-aid-hacking/
- Google extends its bug bounty program to Android – https://nakedsecurity.sophos.com/2015/06/17/google-launches-android-bug-bounty-program/
- IRS announces 2016 anti-fraud arrangements – https://nakedsecurity.sophos.com/2015/06/12/irs-announces-2016-anti-fraud-arrangements/
- Security hole in hospital drug pump could allow attackers to dispense a lethal dose – https://nakedsecurity.sophos.com/2015/06/10/security-hole-in-hospira-hospital-drug-pumps-could-let-through-fatal-doses/
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.