Since Steve and I took a little vacation, Steven Goetz from stevengoetz.ca jumped in to give me a hand with a review of his new Brother multi-function laser printer. I’ll tell you the story of how the magic of Apple Photos helped me have fun with the wine pourer at Fess Parker Winery. George from Tulsa also jumped in to fill the gap as I lazied about on vacation with a review of the fun little wide-angle HTC RE Camera. I explain why I had to keep getting new tripods and finally purchased the Manfrotto Compact Action Tripod (in Red). In Chit Chat Across the Pond Bart gives us a deep dive on this XcodeGhost story that let a huge number of infected apps into the iOS App Store and as usual tells us whether or not we should light our hair on fire about it. After that he tells us about two really good accessories for his iPhone while cycling. First he tries (and mostly succeeds) at convincing me that the iGadgitz Reflective Anti-Slip Neoprene Sports Gym Jogging Armband is the first armband I might actually like, and the Damson Headbones – bone conducting Bluetooth headphones that I’m sure I would like.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday September 27, 2015 and this is show number 542. As it turns out, being retired is awfully hard work, so Steve and I have been forced to take vacations to get away from our hectic life of getting up late, drinking coffee, and fooling around on the Internet. Last week we went wine tasting for a few days and then up into the mountains, where we got up late, drank coffee, and fooled around on the Internet…while looking at and smelling pretty pine trees.
I put out a plea for some help with the show, and both Steven Goetz and George from Tulsa came through for me with great reviews. I did a LITTLE bit of work for the show so you’ll get to hear from me too. Let’s start off with Steven’s review:
In Chit Chat Across the Pond you’ll hear Bart tell us about a new set of Bluetooth headphones he just purchased, and in our discussion he mentioned that using iOS 9, you can actually see the battery status of Bluetooth connected devices under the Today widget. I thought this sounded pretty slick since I never know when my headphones are going to die! I worked out how to turn this feature on and tested with my $17 Biena headphones, my Apple Watch, and then repeated it on my iPad with the Jawbone Jambox.
It’s not a super obvious thing to set up, so I decided to make a Clarify tutorial on how to do it. I took a half dozen screenshots on my iPhone, and then exported them from Photos on my Mac and dragged them into Clarify. It’s easy to reorder steps in Clarify by just dragging them up and down in the left sidebar. I put in some annotations, like an arrow to show scrolling, a box around a button to be pushed and some text on screen. It’s fun to mess around a bit with the colors and transparency, and how roundy you like the boxes too. I noticed something a teeny bit personal on one of the screenshots so I dropped in a blur rectangle to obscure it.
Now for some text to explain what we’re doing. I pushed the button to post it as a tutorial on podfeet.com in draft mode and then went over to see how it looked. Here’s the best part, I saw a few things I’d missed and some things I wanted to change, so back over to Clarify, make a few quick edits and push the WordPress button again. Clarify very quickly assesses what’s changed and only uploads the changes and boom, I was done.
After that I hit the Save to Evernote button and I knew I had it safely stored both locally and in the cloud and so accessible from all of my devices should I ever need to edit the document.
I just love making these tutorials for people. If you want to be a hero too, or just help remember things for yourself, go get yourself a free trial of Clarify from clarify-it.com and be sure to tell them Allison sent you!
Chit Chat Across the Pond
Security Medium – XcodeGhost
This week we have seen the first dramatic security issue on the iOS app store. It’s not a catastrophe, but it’s not a non-story either. Attackers did not actually compromise the App Store, but they did manage to sneak malware into apps available through the app store.
The attack worked by tricking developers in China to use a counterfeit version of Xcode to develop their apps. Because of the Great Firewall of China, downloads of the official Xcode from Apple’s servers is slow. Xcode is a big package, so that slowness is very annoying. To get around this, some Chinese developers download Xcode from unofficial mirrors within China.
The counterfeit version of Xcode did not have a valid digital signature, so GateKeeper blocked it, so clearly, some Chinese developers run their Macs with GateKeeper disabled.
The counterfeit version of Xcode injected botnet code into all apps compiled with it.
The exact number of apps compromised is unclear – depending on which reports your read, it’s somewhere between 40 and 4,000. What is certain is that the epicentre of this attack was China. The affected apps were all written by Chinese developers, and most Chinese apps do not have much popularity outside of China – with one very notable exception – WeChat.
Initial reports suggested that the malware could be used to steal credentials, but both the security researchers at Appthority, and Apple say that is not true, and the malware has only very limited capabilities.
Apple have removed the affected apps from the store, and are working with affected developers to get their machines cleaned of the malware, and updated versions of the apps uploaded to the app store. Apple have also added the counterfeit version of Xcode to the XProtect anti-malware service built into OS X. Apple are also going to host official Xcode mirrors in China to help developers get the official Xcode more quickly.
- Apple’s FAQ – http://www.apple.com/cn/xcodeghost/
- A great post explaining the economics of the XcodeGhost malware – http://tidbits.com/article/15939
Important Security Updates:
- Patch Tuesday has been and gone – MS patched Windows, IE, and Edge – http://krebsonsecurity.com/2015/09/microsoft-pushes-a-dozen-security-updates/
- Microsoft also patched Office for Mac – http://www.intego.com/mac-security-blog/microsoft-issues-office-for-mac-2011-14-5-5-with-security-bug-fixes/
- Adobe patches another 23 flash bugs – http://www.intego.com/mac-security-blog/adobe-issues-flash-player-update-patches-23-flaws/
- RELATED – Brian Krebs warns users that even fully patched versions of Adobe Shockwave are vulnerable – strongly recommends uninstalling it if you have it – http://krebsonsecurity.com/2015/09/adobe-flash-patch-plus-shockwave-shocker/
- FireFox 41 fixes critical security bugs that could allow remote code execution – https://www.us-cert.gov/ncas/current-activity/2015/09/22/Mozilla-Releases-Security-Updates-Firefox
- Apple release iOS9 with 101 security fixes – http://www.intego.com/mac-security-blog/101-security-minded-reasons-you-should-update-to-ios-9/
- Apple Watch 2 patches many security bugs as well as adding new features – http://www.intego.com/mac-security-blog/apple-watch-2-update-patches-security-holes/
- iTunes 12.3 fixes bugs, and adds two-factor auth to the app – https://nakedsecurity.sophos.com/2015/09/18/itunes-12-3-brings-support-for-two-factor-authentication/
Important Security News:
- A careless photo exposes all users of TSA-approved locks – anyone can now 3D-print a WORKING key to any TSA-approved lock – http://arstechnica.com/security/2015/09/video-3d-printed-tsa-travel-sentry-keys-really-do-open-tsa-locks/
- A bug in AirDrop allows apps to be silently installed on iOS. The bug is also present in OS X, though it’s not clear what it lets attackers do to Macs. iOS 9 mitigates against the attack, but there is no patch for OS X yet. For now, either disable airdrop, or limit it to people in your address book – http://www.intego.com/mac-security-blog/airdrop-bug/
- Another iOS Lockscreen bypass (though only a partial one this time) – you can protect yourself by turning off Siri on the lock screen – http://arstechnica.com/security/2015/09/how-hackers-can-access-iphone-contacts-and-photos-without-a-password/
- Android 5 users are less fortunate, there is also a lock screen bypass for this version of Android, but it gives attackers full access to the phone – Google have released a fix, so now users just have to wait on their manufacturers and carriers to pass it on – http://arstechnica.com/security/2015/09/new-android-lockscreen-hack-gives-attackers-full-access-to-locked-devices/
- Google’s project Zero team finds many ‘easily exploitable’ bugs in Kaspersky AV, and warn that AV may actually make your computer LESS secure (editorial by Bart: AV runs with a very high privilege, so a bug in AV is a BIG problem. Such critical code should be as small and simple as possible to make it as robust as possible, but that’s not what marketing wants!) – http://arstechnica.com/security/2015/09/security-wares-like-kaspersky-av-can-make-you-more-vulnerable-to-attacks/
- The set of related Android bugs known as StageFright are back in the news – security researchers have released proof-of-concept code – https://nakedsecurity.sophos.com/2015/09/11/androids-stagefright-back-in-the-limelight-what-you-need-to-know/
- RELATED: Google’s Project Zero team show that ASLR in Android is not effective at protecting users from the StageFright bug – making a mockery of Google’s PR on the bug – http://arstechnica.com/security/2015/09/googles-own-researchers-challenge-key-android-security-talking-point/
- More shenanigans from MS – Windows 7 & Windows 8 users with Automatic Updates turned on are finding themselves mysteriously losing disk space and consuming bandwidth as Windows 10 is downloaded silently, without permission, to a hidden folder on their computers – depending on the version, we are talking about 3.5 to 6GB, which is a very significant hit on many people’s monthly download cap – https://nakedsecurity.sophos.com/2015/09/14/microsoft-downloads-windows-10-to-your-computer-even-if-you-dont-want-it-yet/ & http://arstechnica.com/information-technology/2015/09/microsoft-is-downloading-windows-10-to-pcs-even-if-you-dont-reserve-a-copy/
- GCHQ (the UK’s CIA) tried to track everyone on the web (editorial by Bart: the sooner the whole web switches to HTTPS the better!) – http://arstechnica.com/security/2015/09/gchq-tried-to-track-web-visits-of-every-visible-user-on-internet/
- OPM lost a few million more fingerprints than they originally thought – http://arstechnica.com/security/2015/09/opm-breach-included-five-times-more-stolen-fingerprints/
- RELATED – US DHS CISO says government officials who fail a phishing test should have their clearances revoked – http://arstechnica.com/security/2015/09/dhs-infosec-chief-we-should-pull-clearance-of-feds-who-fail-phish-test/
- Ashely Madison passwords not as well protected as first though – over 11 million now cracked (while Ashely Madison did do a great job with their password hashes, they also stored a completely insecure ‘security token’ that was built from the password and a few other pieces of information, and then hashed with the utterly obsolete MD5 algorithm) – https://nakedsecurity.sophos.com/2015/09/10/11-million-ashley-madison-passwords-cracked-in-10-days/
- A leaked report shows that the Obama administration considered four different options for bypassing crypto, but found problems with all of them – http://arstechnica.com/tech-policy/2015/09/obama-administration-explored-backdoors-for-bypassing-smartphone-crypto/
- US federal judge rules that smartphone PINs are covered by the 5th amendment – https://nakedsecurity.sophos.com/2015/09/25/smartphone-passcodes-are-protected-by-the-fifth-amendment-says-us-court/
- VW caught using software to falsify emissions tests, BMW reported to be at it too – http://www.cnbc.com/2015/09/24/bmw-shares-slip-on-report-of-high-emission-levels.html
- Belgian privacy officials compare Facebook to the CIA – Facebook respond by claiming their ubiquitous tracking us good for us because it protects the world from terrorism – https://nakedsecurity.sophos.com/2015/09/23/facebook-our-cookies-keep-you-safe-from-cyber-terrorists/
- Senator Ron Wyden blocks a propposed US law that would force Google and Facebook to spy on users on behalf of the US government in the name of counterterrorism – https://nakedsecurity.sophos.com/2015/09/23/tech-alliance-defeats-us-bill-requiring-them-to-report-terrorist-activity/
- French data protection officials reject Google’s appeals, and insist it block right to be forgotten URLs world-wide – Google refuse – Google cannot appeal the ruling again unless the get fined for not complying – https://nakedsecurity.sophos.com/2015/09/23/googles-right-to-be-forgotten-appeal-france-says-non/
- Brian Krebs reports on a confidential internal study commissioned by Target in the aftermath of their spectacualr breach – if authentic it shows just how poorly secured their network was: http://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-breach/
- Security firm FireEye find evidence of a state-sponsored attack against big-iron Cisco routers at major ISPs around the world – http://arstechnica.com/security/2015/09/attackers-install-highly-stealthy-backdoors-in-cisco-routers/ & http://arstechnica.com/security/2015/09/malicious-cisco-router-backdoor-found-on-79-more-devices-25-in-the-us/