Review of Alternote, an alternative GUI for Evernote from alternoteapp.com. I tell you the saga of how it took Steve and me and all of our strength to put a flash drive into an iPod Classic. Dorothy wrote a script we’re sharing with the world to extract high-resolution icon images from applications; we’re calling it ExtractIcons. We also have a tiny little Automator script I wrote with my very own fingers to scale those images to any size you like and append the size information to the image title. You can download ScaleImage too! And we have Bart Busschots with us for Security Lite.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, one of the fine podcasts in the Podfeet Podcast Empire hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday November 8, 2015 and this is show number 548.
I have to say, whoever was in charge of reminding me to post Chit Chat Across the Pond as soon as I record it TOTALLY fell down on the job. It just got published a few hours before the NosillaCast! It was also suggested to me that I really should mention on the NosillaCast each week who the guest was on Chit Chat Across the Pond.
This week on CCATP #411 I was joined by Bart Busschots with Part 3 of X of his Programming By Stealth series. In this installment we start looking at HTML block elements. I knew a fair amount of this part but I’ve learned by hacking my way around so it’s great to get this foundational structure under my belt.
Last week on CCATP #410 (since I neglected to mention it) I had Mark Pouley of Twin Lakes Images on the show to talk about how he takes photographs that stand out as unusual even though what he’s photographing has been shot a zillion times. As an example he walked me through how he got this extraordinary photo of a duck standing on a log in the middle of Niagara Falls.
So far only about a third of you have subscribed to Chit Chat Across the Pond as a standalone podcast, so maybe this will help remind you to do that if you’re interested. Bart pointed out that I still had only the NosillaCast on my page “Subscribe to the Podcasts”, so I spent a bunch of time setting that up to show you how to subscribe to the NosillaCast, Chit Chat Across the Pond and Taming the Terminal via iTunes, an RSS link and Stitcher Radio. I haven’t gotten approval on Taming the Terminal for Stitcher yet, but I only submitted it this morning, so that should come along shortly.
Now what else could be fun in a hectic week like this? How about changing out my blogging software? Yup, I did that too. I’ll talk about that more next week, but it’s been super fun learning a new tool and screwing things up in whole new ways. Ok, let’s dig into the NEW material for this week!
When I explained last week that the show is no longer sponsored and mentioned that I’ll be relying on the kindness of the listeners, a whole bunch of you pushed the Paypal button under “Ways to Help the Show” on Podfeet.com. That was wonderful of you! That’s one way to help directly, but if you can’t afford to do that, an easy way to help is to click the Amazon image in the left sidebar (that is NOT tracking you) and do your shopping in Amazon from there; a small percentage goes to help the continued funding of the show. The holidays are upon us, so it would really help out if you could use that link. Thanks in advance!
Security Lite with Bart Busschots
Security Medium – KeeFarce
A piece of malware that waits for you to unlock your KeePass vault, and then reads out all the data and phones home with it has captured a lot of media attention. The malware has been given the name KeeFarce.
You might assume this means there is some kind of flaw in KeePass, or, that this means we should stop using password vaults in general, but I think you would be wrong on both counts.
Firstly, while this particular piece of software is KeePass-specific, it is just one of a breed of malware that targets password vaults. It’s a simple fact that it is IMPOSSIBLE to secure anything on a computer that is infested with malware. ALL ENCRYPTED VAULTS OF ANY KIND are vulnerable when your computer is infested with malware. Anything you can do, the malware can do too – and, if the malware manages to elevate its privileges, it may well be able to do MORE on your computer than you can! LastPass, 1Password, KeePass, TrueCrypt, VeraCrypt, encrypted disk images, you name it, they are ALL vulnerable when unlocked on an infected computer.
Remember, the way the attack works is that the malware sits silently on your computer and waits for you to unlock your KeePass vault. Once you do, the malware springs to life and extracts all your usernames and passwords. It then uploads them to a server or other place on the internet controlled by the attackers. The only way to read the contents of an encrypted file is to decrypt it. The only way to decrypt it is with the key, and the key MUST be entered into the computer, so malware running on that computer MUST be able to snatch the key – or simply read the decrypted data once the vault is open.
If you’re a KeePass user, this is absolutely no reason to change to another vault.
So, given that vaults can’t protect us when our machines are hacked, shouldn’t we just stop using them? I would say not. Once your machine is infested, all bets are off. Every password you enter can be snagged, so even if they don’t get your vault, they’ll still get everything important. If you don’t use a vault, where will you keep your passwords? Your brain? Not possible! So, you’ll either have them written down next to your computer, or you’ll do one of the most dangerous things you can do on today’s internet – reuse the same few passwords all over the place. A password vault is not perfect, but it’s still much better than nothing at all!
This is another example of the seat-belt fallacy (as I call it) – abandoning password vaults because they can’t protect you when your computer is infected with malware is like not wearing a seatbelt because it can’t protect you if you drive off a cliff. Don’t let the fact that a password vault is no panacea put you off – it’s still a very good security tool!
Important Security News:
- Ransomware authors deploy a new tactic – ‘pay us or we’ll publish your private data’ – http://arstechnica.com/security/2015/11/booming-crypto-ransomware-industry-employs-new-tricks-to-befuddle-victims/
- A cautionary tale – be careful what you post to social media – it could cost you a lot of money! – https://nakedsecurity.sophos.com/2015/11/05/you-just-won-a-100-to-1-bet-what-harm-could-a-happy-selfie-do/
- US residents beware – what you post on social media can affect your credit score! – https://nakedsecurity.sophos.com/2015/11/05/boasting-about-your-binges-on-facebook-could-hurt-your-credit-score/
- Security researchers warn of a dangerous new strain of Android malware that is appearing on unofficial app stores – the malware is injected into pirated apps, and once it gets onto your phone it turns itself into an almost impossible to remove system app – http://arstechnica.com/security/2015/11/new-type-of-auto-rooting-android-adware-is-nearly-impossible-to-remove/
- The PageFair anti-ad-blocking analytics engine was injecting malware into all websites using the service for 83 minutes on Halloween – just the latest example of malware being added to reputable sites via third-party relationships – https://nakedsecurity.sophos.com/2015/11/04/pagefair-analytics-hacked-and-used-to-distribute-malware-on-halloween/
- After many years of pressure from Native Americans, political activists, and members of the LGBT community, Facebook has finally made some changes to its real-name policy to address the very real problems with the policy – https://nakedsecurity.sophos.com/2015/11/03/facebook-finally-changes-real-name-policy/
- The US Senate passes the controversial Cybersecurity Information Sharing Act (CISA) despite protests from tech companies and privacy advocates – http://www.macobserver.com/tmo/article/senate-thumbs-its-nose-at-privacy-with-cisa-approval & http://krebsonsecurity.com/2015/10/cybersecurity-information-oversharing-act/
- The Librarian of Congress has added a DMCA exemption for vehicle software, as long as you are doing so for “good faith security research” or “lawful modification” – http://arstechnica.com/tech-policy/2015/10/us-regulators-grant-dmca-exemption-legalizing-vehicle-software-tinkering/
- A real-world example of the dangers of tap-to-pay (without auth, so not including Apple Pay) – A British man gets e-pick-pocketed on the train – https://nakedsecurity.sophos.com/2015/10/26/train-rider-has-his-contactless-card-e-pickpocketed/
- PSA – if you run a Joomla site, make sure you are patched to version 3.4.5, or your site could be taken over by attackers – http://arstechnica.com/security/2015/10/joomla-bug-puts-millions-of-websites-at-risk-of-remote-takeover-hacks/
- UK telecom TalkTalk is hacked, but no one seems to know just how much or how little data was taken – http://arstechnica.co.uk/tech-policy/2015/10/talktalk-hit-by-significant-cyberattack-millions-of-customer-records-compromised/, http://arstechnica.co.uk/information-technology/2015/10/15-year-old-boy-arrested-in-connection-with-talktalk-data-breach/, http://arstechnica.co.uk/information-technology/2015/10/talktalk-says-it-was-not-legally-required-to-encrypt-leaked-customer-data/ & http://arstechnica.co.uk/tech-policy/2015/10/london-police-arrest-another-teenager-in-connection-with-talktalk-hack/
- 13 MILLION plain-text usernames and passwords for the webhost 000webhost have appeared online – http://arstechnica.com/security/2015/10/13-million-plaintext-passwords-belonging-to-webhost-users-leaked-online/
- Securely deleting files in OS X El Capitan – http://www.intego.com/mac-security-blog/how-to-securely-empty-trash-in-os-x-el-capitan/
- A cautionary tale from Brian Krebs – be careful what address you use as your recovery address on online sites – your entire security could hinge on that choice (and ISP supplied email is probably a bad choice) – http://krebsonsecurity.com/?p=32713
- Five tips for safer online dating – https://nakedsecurity.sophos.com/2015/10/29/5-tips-for-safer-online-dating/
- A disturbing look at how public safety agencies react to vulnerabilities in surveillance tech like automatic licence plate recognition systems from the EFF – http://arstechnica.com/tech-policy/2015/10/lprs-exposed-how-public-safety-agencies-responded-to-major-vulnerabilities-in-vehicle-surveillance-tech/
- A new trend – apps to help people record their interactions with the police, and get them quickly and easily to civil liberties groups when needed – https://nakedsecurity.sophos.com/2015/11/04/keep-calm-and-hit-record-mobile-apps-help-little-brother-watch-big-brother/
- Google gets tough with Symantec after their recent certificate blunders – http://arstechnica.com/security/2015/10/still-fuming-over-https-mishap-google-gives-symantec-an-offer-it-cant-refuse/
- Unpatched browser weaknesses allow websites to partially reconstruct a visitor’s browsing history, even if they delete their history and clear all their cookies – http://arstechnica.com/security/2015/10/unpatched-browser-weaknesses-can-be-exploited-to-track-millions-of-web-users/
- A critical vulnerability in the Xen hypervisor that went unnoticed for 7 years causes chaos in the cloud hosting space – https://nakedsecurity.sophos.com/2015/11/02/critical-xen-vulnerability-went-undiscovered-for-seven-years/
- Researchers use wifi to ‘see’ through walls – https://nakedsecurity.sophos.com/2015/10/30/researchers-use-wi-fi-to-see-gestures-identify-individuals-through-walls/
- Top German official infected by highly advanced spy trojan with NSA ties – http://arstechnica.com/tech-policy/2015/10/top-german-official-infected-by-highly-advanced-spy-trojan-with-nsa-ties/
- Security researchers find a way of abusing the old and hence insecure NTP protocol to successfully attack HTTPS (NTP facilitates ‘time-travel’ which allows old, expired certs to become valid again!) – http://arstechnica.com/security/2015/10/new-attacks-on-network-time-protocol-can-defeat-https-and-create-chaos/
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at firstname.lastname@example.org, follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.