#529 Be the Match, Audio Hijack Audio Unit Effects, Spigen Apple Watch Stand, Transcend SSD, XARA Security

In a weak moment I encourage you to send in improvement suggestions and even give examples of suggestions I’ve implemented. Honda Bob needs your help; he needs a bone marrow transplant. You can register by going to https://join.bethematch.org. I learned a ton about Audio Hijack from Dave Hamilton and Don McAllister after I taught a class in it at Macstock and you get to learn what I learn (and maybe the audio is even better on this episode as a result.) Quick review of an elegant and inexpensive Apple Watch stand from Spigen . I run some speed tests on the Transcend Portable SSD and compare to the Envoy Pro Mini. In Chit Chat Across the Pond Bart takes us through the XARA and other security issues this week.


itunes
mp3 download


Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday June 28, 2015 and this is show number 529.

Blog Posts

Keep Sending In Improvement Suggestions

Enhanced Sound with Audio Hijack’s Built-In Effects

Elegant and Inexpensive Apple Watch Stand from Spigen

Transcend 128GB Portable SSD for $83

Be the Match

Honda BobFor the long time listeners to the NosillaCast, I have a personal request to make of you. Honda Bob is my mechanic, and our friend, and a NosillaCastaway. He has been on the show a bunch of times and I used to do ads for him. For some reason the idea of creating ads for his services by the NosillaCastaways took off, culminating in Knightwise doing an entire ad as a Klingon War Commander. Anyway, Bob has been diagnosed with a blood disorder called Myelodysplasia Syndrome, which is a bone marrow failure disorder. Basically the bone marrow stops creating enough healthy blood cells. The good news is this is curable, the bad news is it requires a bone marrow transplant. The good news is that healthy people can donate bone marrow without much trouble. The best chance of a match for bone marrow is in a sibling but while Bob’s two siblings are a perfect match for each other, they’re only a 50% match for him. Unfortunately I’m not a match and in any case they say that people over 50 are not great matches.

So this is where you come in. I would love it if you would register to be a bone marrow donor. It’s pretty easy, you go to https://join.bethematch.org and they send you a kit. You do a swab of the inside of your cheek and send it back. Boom, you’re done. Now I should warn you of a HUGE danger in doing this. You could potentially save someone’s life. So you’d have to be ready to live with yourself after that.

Bob told us that the bone marrow registry is international, so we’re not leaving you out if you’re in Japan, Uzbekistan, New Zealand or Australia! Thanks for considering doing this, Honda Bob could really use your help!

Clarify

I realized this week that I hadn’t yet set up ClamXav anti-virus on my new Macbook so I toodled off to download it. I was surprised but not disappointed to see that the developer, Mark Allen has decided to make this into a commercial product. I say I’m not disappointed because if I can pay for it, I’m helping to ensure that it will stay in ongoing development. After a decade of free development, he’s now going to provide official support channels, fast response to support requests, fast turn-around of bug fixes, new features (he says they’ll be exciting!) and regular updates. It’s $30 but Mark is doing a 25% off sale right now to bring in the existing customers, so it’s only $22. I put a link in the shownotes to clamxav.com. When you listen to this week’s security section from Bart, you’ll realize that it probably is more than time to run an anti-virus on your Mac.

Now that I had my paid-up version of ClamXav, I needed to configure it. Like I mentioned before in this show, it’s awesome to have everything you ever knew documented, so I knew I could just toodle over to the tutorials section on podfeet.com, look for security tutorials and find my instructions. I realized in looking at them that they needed a wee bit of updating, especially with the news that ClamXav is a commercial product now. One of the great things about documenting stuff with Clarify is that it’s so easy to modify and re-upload. I opened Evernote where Clarify stores all of my tutorials…and it wasn’t there!

That’s when I realized I’d been running it so long that I had done the tutorial using Blue Mango’s older deprecated tool, ScreenSteps Desktop. I still have a copy of it, and sure enough there it was. But I wanted it in Clarify! Now who do you think probably has even BETTER help documentation than me? I went to clarify-it.com, did a search on how to move from ScreenSteps to Clarify and there were fabulous instructions showing me step by step with pictures and everything and in about 30 seconds I had my document over in Clarify. I made a couple of changes, saved it to Evernote, and then pushed the WordPress button and posted the new tutorial to podfeet.com.

If you make instructions for yourself or others, or wish you would but it’s too hard with the tools you have, go over to clarify-it.com and download the free trial for Mac or Windows.

Chit Chat Across the Pond

If you learn from Bart every week, go support Bart by pushing one of the support buttons over at lets-talk.ie

Security Medium – 1 – XARA AKA CORED (OS X & iOS Inter-app communication issues)

A new set of vulnerabilities has been found in OS X and iOS, and they have been lumped together under the collective name XARA, for “cross-app resource attack” (X is often used for ‘cross’ in security acronyms). This is not one issue, but four separate ones:

Issue 1 (OS X ONLY) – keychain chicanery (DOES NOT ALLOW PREVIOUSLY SAVED DETAILS BE READ)

OS X uses access control lists, or ACLs to control access to each entry in the keychain, so it is possible for a single keychain entry to be accessible by multiple apps (On iOS the model is much simpler, only the app that wrote the entry can access it). Malicious apps cannot read entries they have not been granted access to, but they can delete them, and they can create new entries. This does not sound like a problem, but it actually is because you can combine these two facts in a dangerous way.

Attack scenario:

1) you install a malicious app on your computer, or get infected by malware through an un-pateched bug

2) that malicious app deletes the keychain entry for Facebook from your keychain – IT CANNOT READ WHAT IS IN ANY ITEM IT DID NOT CREATE

3) it creates a new keychain item for FaceBook that BOTH the malicious app, and your browser are granted access to. Next time you go to log in to FaceBook, the password can’t be auto-filled because the saved password has been nuked, but, if you re-enter the password and ask the browser to save it again, it will now be saved into the keychain item accessible by BOTH your browser AND the malicious app.

These permissions cannot be kept secret though, the app would be listed as having permission if you checked the permissions on the item using the Keychain Access utility. (right-click a entry in your keychain, select ‘get info’, then switch to the ‘Access Control’ tab in the popup, and you’ll see all apps with access).

Issue 2 (OS X, iOS in theory, and Windows): Web sockets are first-come first-served

Multi-part apps can use web sockets to communicate between their separate parts. A good example of this is apps consist of a regular OS X app, and a browser extension. Browser extensions can’t just do what ever they want (for obvious security reasons), so they need to use some kind of OS-mediated communication channel pass information over and back to their parent app. A good example of this is 1Password, which has a main app, and a browser extension.

Web sockets are one of the mechanisms OS X apps can use to communicate with each other. An app listens for incoming connections on a given port, and the browser extension then connects to that port to do its communicating. Port numbers are not tied to any specific app. Any app listen on any port, as long as no other app got there first, so, while 1Password may be the only legitimate app to use the port they chose, it is not theirs, it’s just a port number!

The way the attack would work is as follows:

1) you install a malicious app on your computer, or get infected by malware through an un-pateched bug

2) the malicious app starts before 1Password’s little menubar app, and starts listening on 1Password’s port number

3) the browser is then started, and the plugin connects to the 1Password port, and starts chatting to the wrong app.

It is important to note that the only readable data of note that 1Password sends through that web socket is NEW passwords on their way from the browser to the app for storage. Attackers don’t get to see existing passwords.

Web sockets are not an Apple thing, they are an HTML5 thing.The problem is that web sockets are not designed to do authentication, not that Apple made a boo boo in implementing web sockets. This means that every OS that implements web sockets has the exact same problem, and, the industry as a whole will have to agree on how to deal with this problem.

Issue 3 (OS X Only): Insufficient App ID Verification

On OS X, sandboxed apps are confined to a given folder, their sandbox. Permissions to the sandbox folders are controlled by ACLs, so it is possible to let multiple apps see into each other’s sandboxes. An app is tied to a sandbox by it’s unique ID.

Every app uploaded to the app store has a unique ID, and Apple make sure no one is using anyone else’s IDs. Unfortunately their checking is not very thorough, and helper apps within a main app can sneak through with the wrong ID. When that happens, the helper app can see into the sandbox of the app who’s ID they are abusing.

This is very easy for Apple to fix – they just need to check the IDs more carefully.

You can always tell when an app is answering for a URL scheme, because when the URL is invoked, the listening app will come to the foreground (remember, that is the whole point of these schemes in the first place!).

Issue 4 (iOS & OS X): URL Scheme hijacking

On OS X and iOS can register themselves as handlers for any URL scheme. These schemes allow for deep linking into apps, e.g. Facebook registers fb://. Like port numbers, these schemes are not reserved, any app can advertise it’s ability to open any kind of URL.

The issue here is that developers abuse URL schemes. They are supposed to be used to open an app and take you to a particular place within an app, NOT to securely transmit sensitive data. They were simply never designed to be a secure communication channel. Despite this fact, some developers use custom URL schemes to send sensitive data between apps – leaving that data open to interception by another app that advertises the same URL scheme.

Basically, developers are doing the digital equivalent of putting credit card details on a post card – the problem is the bad developers, not iOS, or OS X!

The Bottom Line:

Some of these things are easy for Apple to fix, some are not. Some of these things may require developers to build their apps in more robust ways.

They key point though is that none of these issues allow attackers to infect your computer. They just bypass some of the barriers the OS tries to put in place between running apps. These issues only come into play AFTER you get infected with malware. In effect, the worst-case here is that our security goes back to what is was before sandboxing. That’s not a good thing, obviously, but it’s not catastrophic.

It is also important to note that the research contains an entire section dedicated to detecting apps that are attempting to make use of these techniques, both Apple and AV firms have a lot to work with here, so it seems unlikely malicious apps using this technique could go un-noticed for long, and once they get spotted, both AV and Apple’s XProtect systems can come down on them like proverbial ton of bricks.

Also, Apple say they have already added detection code to combat a lot of this on the app store servers.

The bottom line is, and frankly always has been, don’t install software from untrusted sources! Installing someone’s software means trusting them with your stuff, don’t be blasé about installing stuff!

Further reading:

Security Medium 2 – Samsung SwiftKey bug

Samsung bundles a SwitftKey keyboard with their phones, and does not allow it to be removed. The keyboard uses HTTP to update itself, so, the updates can be tampered with, and hence, the app can be taken over. This is a spectacular gaff. It’s hard to believe that in 2015, there are still employed developers incompetent enough to do app updates over HTTP. This bug affects over 600million devices.

Attackers can inject code into the keyboard to allow them to eavesdrop on phone conversations, turn on the mic and eavesdrop on the phone’s surroundings, access location data, access the camera, and even install other apps without the user’s knowledge.

Note that this bug is only in Samsung’s version of SwiftKey, not in the one in the Google Play store, or the one in the iOS App Store.

Samsung actually patched this in March, providing cell providers with the fix for all versions of Android from 4.2 up. The fact that it’s now June and end users don’t have the patch yet is just another example of Android’s spectacular security problem. Apple have the power to patch users devices immediately, Samsung do not, and thats a real problem!

In fact, there are still phone being sold now that are vulnerable!

I don’t know of any way to protect yourself from this bug short of staying off (non-home) wifi or rooting your phone to install an alternative version of Android like Cyanogen Mod (or, getting a new phone).

One small mitigation is that the attacker can’t make your phone look for an update, and the attack can only be launched as your phone tries to update itself. Unfortunately, it does so automatically, and you can’t stop it from doing so.

More Info:

Security Lite

Important Security Updates:

Important Security News

  • Microsoft AV has started flagging most versions of the Ask Toolbar as unwanted software – http://arstechnica.com/security/2015/06/ding-dong-the-witch-is-dead-microsoft-av-gets-tough-on-ask-toolbar/
  • New Twitter feature makes blocking of trolls easier by allowing communities to share blocklists – https://nakedsecurity.sophos.com/2015/06/12/twitters-new-block-together-enables-en-masse-blocking-of-trolls/
  • The French data protection agency has told Google that it has to really remove right to be forgotten results, not simply hide them from Google.fr – https://nakedsecurity.sophos.com/2015/06/15/france-orders-google-to-scrub-search-globally-in-right-to-be-forgotten-requests/
  • Noteable Breaches

    Suggested Reading

    That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at allison@podfeet.com, follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.

    4 thoughts on “#529 Be the Match, Audio Hijack Audio Unit Effects, Spigen Apple Watch Stand, Transcend SSD, XARA Security

    1. Donald Burr - June 29, 2015

      Love my Spigen stand. The Watch charging puck would frequently disappear behind the headboard where I charge my watch at night, requiring me to every few days pull the whole headboard assembly away from the wall (including the bed) so that I could go hunting for it. I agree that the base does need to have some more weight to it, it tends to flop over if I accidentally pull on the charging cable or whatever. My workaround to this was to hot-glue a couple of lead fishing weights to the base; It’s ugly but it works.

    2. Donald Burr - June 29, 2015

      Drat, how did you know my password was ?! I even came up with a cute little story to help remember it: “One night, aliens tried to steal my goat, but he pooped on them, and that just made me smile.” 🙂

      Seriously though, brilliant idea, I hope it catches on.

      Also, “correct horse battery staple” would not be possible with this new emoji-based password system. There is unfortunately neither an emoji for a staple nor a stapler. The closest equivalent would be “✔️” (correct horse battery paperclip) which doesn’t quite have the same ring to it.

    3. Donald Burr - June 29, 2015

      Apparently the WordPress commenting system doesn’t understand emojis. Nooooooooooo!!!!

    4. George - June 29, 2015

      If you read this, and happen to have a Samsung device, you might want to visit Google Play and choose one of the several applications that automatically turns off WiFi when you leave a pre-selected “known network.”

      “WiFi Auto Turn Off” is one option.

      Your phone can’t be hacked unless it is on a malicious WiFi network.

      As an amateur security freak, I consider all “open” WiFi networks potentially malicious, and understand even known “good” ones can be spoofed. So I just don’t connect my devices to any WiFi I don’t control and rely on LTE when away from home and work. I use WiFi Auto Off to disconnect my devices from WiFi by turning it off when I leave the networks I control.

      If you absolutely must use an unknown WiFi network when away from your own, and I’m not sure why that would be, enforcing a VPN connection might help, though there’s those nanoseconds needed to connect to the unknown network then connect the VPN . . .

      As a practical matter,the Samsung Swiftkey vulnerability is unlikely. It requires a device be connected to a malicious WiFi network, and the operator of the network be targeting the Samsung Swiftkey implementation by force-feeding a language module udate.

      I’ve read phones from the S4 (May, 2013) forward are protected by Samsung’s “Knox Security Framework” that secures the Android kernel. I don’t know if “Knox” is enabled by default, or requires user choice to turn on.

      If you have a Samsung device, best to check.

      I also understand it may be possible to retroactively add Knox to an S3, but I think I’d rather keep WiFi OFF than start loading up my phone with more stuff it wasn’t originally designed to include.

      Like fellow Castaway Knightwise, I’m a slider, using OS X, Android, Chrome OS, Linux/Ubuntu, and even a bit of Windows. Each and every system has unique advantages and disadvantages, though they’re all more alike than different, and one major commonality is exploitable insecurities, known and yet to be discovered.

    Leave a Reply

    Your email address will not be published.

    Scroll to top