In Chit Chat Across the Pond #413 Bart is back with a rather short installment of his series Programming By Stealth, this time taking a look at in-line elements for HTML. Download that episode here: podfeet.com/blog/2015/11/ccatp-413. I have a rather mushy discussion of how much the NosillaCastaways mean to me, I ask and answer the question of whether the Apple Pencil will make an artist out of you, and I tell you how I finally succeeded in getting a photo of star trails using the Olympus E-M10’s built in function called Live Composition. In Security Lite Bart sheds some light on what exactly went wrong with Apple’s certificates that caused so much grief for users of the Mac App Store this week.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Monday November 23, 2015 and this is show number 550.
On Chit Chat Across the Pond Bart is back with a rather short installment of his series Programming By Stealth, this time taking a look at in-line elements for HTML. Remember that to get Chit Chat Across the Pond you have to go subscribe either in iTunes or in your favorite podcatcher simply by searching for it. I also put together a little table of how to subscribe to all three of the podcasts, the NosillaCast, Chit Chat Across the Pond and Taming the Terminal at a link in the menubar at podfeet.com that should help if you get lost, including links to the RSS feed and how to find them in Stitcher Radio.
I mentioned that Chit Chat Across the Pond was rather short, and that’s because Bart is still in the habit of keeping Chit Chat short if he’s got a longer Security Lite, which means we have a big one this week. He explains the intricacies of what happened in the Mac App Store that caused people to get the messages that their apps were corrupted and needed to be reinstalled. Pretty interesting stuff along with the usual security tomfoolery.
We’re halfway through November and the gift giving season is upon us. If you’re looking for that very special Festivus gift you know you’ll probably wait till the last minute and need to have free Prime shipping on Amazon, so why not use the Amazon Affiliate link for the show? If you do it sends a few percent back to help us keep the lights on here and I’d really appreciate it. Simply click on the big, fat Amazon image on the left sidebar and everything you buy during that session will go to help the show while not costing you a penny more.
Security Lite with Bart Busschots
Security Medium 1 – What really happened with the Mac App Store
One of the security technologies Apple uses to protect Mac users is code signing. This protects Mac users from trojanised versions of apps, but this week things went wrong when one of the certificates Apple uses to validate signed apps was replaced.
Initially, reports were that Apple forgot to renew the cert, but those early reports were not correct.
Here is what happened:
1) In the lead-up to the old cert expiring, Apple issued a new cert, this one signed using the newer and more secure SHA-2 family of hashing algorithms.
2) Due to a bug in the App Store app, the old cert was cached beyond its expiration date. So while the new cert was ready on time, it did not make it onto people’s computers fast enough, and signatures were failing to validate against the stale cert. A reboot was all that was needed to clear the cache, and Apple have promised an update to the App Store app to stop this happening again.
3) Some apps use very old code to validate digital signatures, and that code cannot deal with SHA-2. This caused a number of apps to remain ‘broken’ even after the updated cert had been downloaded to people’s computers. Apple worked around the problem by issuing another new cert signed with the old SHA-1 algorithm. This is a short-term patch; the real fix is for developers to update their apps to use modern crypto libraries.
- Explanation from iMore: http://www.imore.com/heres-whats-happening-mac-app-store-and-damaged-apps
- Apple’s apology to developers: http://www.imore.com/apple-issues-apology-developers-over-recent-mac-app-store-certificate-issues
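The three failure points above (a certificate used past its validity, a verifier that does not understand the hash algorithm a new certificate uses, and the plain question of whether a signature validates at all) can be reproduced on any machine with OpenSSL. The script below is an added example and is not from the show notes, from Bart, or from Apple: it generates a throwaway self-signed certificate (an assumption standing in for Apple’s real signing certificate), signs a constructed stand-in for an app, and then runs the checks a code-signature verifier has to make. The SHA-1-only verifier failing on the SHA-256 signature is the same mismatch that left old apps ‘broken’.

```sh
#!/bin/sh
# Added example (not from the show notes or from Apple): the checks a
# code-signature verifier performs, reproduced with plain openssl on a
# throwaway self-signed certificate generated below. Assumptions: openssl is
# on PATH; the certificate and the "app" file are constructed here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway RSA key and a self-signed certificate.
#   $1 = digest used to sign the cert (e.g. sha256), $2 = cert path, $3 = days valid
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
        -out "$2" -days "$3" -"$1" -subj "/CN=Example Signing Cert" >/dev/null 2>&1
}

# Hash algorithm in the certificate's own signature, e.g. sha256WithRSAEncryption.
# This is what an old verifier that only knows SHA-1 cannot handle.
sig_algorithm() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# "yes" if the certificate expires within $2 seconds, "no" otherwise.
# A window of 0 asks "is it expired right now?"; a larger window is the check a
# cache should make before deciding a stored certificate is still usable.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; then echo no; else echo yes; fi
}

# Verify a detached signature over a file with the certificate's public key.
#   $1 = digest the verifier supports, $2 = cert, $3 = signed file, $4 = signature
# Prints "ok" or "fail". A SHA-1-only verifier fails on a SHA-256 signature.
verify_sig() {
    openssl x509 -in "$2" -noout -pubkey > "$WORK/pub.pem"
    if openssl dgst -"$1" -verify "$WORK/pub.pem" -signature "$4" "$3" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Demo: a cert valid for one day, signed with SHA-256, over a constructed "app".
make_cert sha256 "$WORK/cert.pem" 1
printf 'constructed stand-in for an app bundle\n' > "$WORK/app.bin"
openssl dgst -sha256 -sign "$WORK/key.pem" -out "$WORK/app.sig" "$WORK/app.bin"

echo "cert signature algorithm : $(sig_algorithm "$WORK/cert.pem")"
echo "expired right now?       : $(expires_within "$WORK/cert.pem" 0)"
echo "expires within 2 days?   : $(expires_within "$WORK/cert.pem" 172800)"
echo "SHA-256 capable verifier : $(verify_sig sha256 "$WORK/cert.pem" "$WORK/app.bin" "$WORK/app.sig")"
echo "SHA-1-only verifier      : $(verify_sig sha1 "$WORK/cert.pem" "$WORK/app.bin" "$WORK/app.sig")"
```

On the Mac itself the equivalent checks against a real app are `codesign --verify --deep --strict --verbose=2 /Applications/SomeApp.app` and `spctl --assess --type execute --verbose /Applications/SomeApp.app`; a non-zero exit from either is the same ‘signature does not validate’ condition the script shows with `verify_sig`.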
Security Medium 2 – Paris Doesn’t Change Maths
There is a maxim in politics – ‘never let a good crisis go to waste’. There is a lot of that going on in the aftermath of the vile attacks in Paris, and part of that is the perversion of this tragedy to attack our security by attempting to outlaw effective cryptography in various ways.
Emotions and anger do not change reality. All the reasons that banning effective encryption was a bad idea before Paris are still valid. It is still impossible to have a secure back door.
The key points:
1) a government mandated backdoor will make all of us less secure, and be a boon for the burgeoning cybercrime industry.
2) no matter how invasive a government-mandated backdoor is, there is nothing to stop people adding their own layer of encryption before their data is sent through the backdoored service, so no back door can actually be counted on to work when it really matters.
3) banning crypto will not make it go away: the maths is known, and it cannot be made un-known. Encryption exists, and criminals will use it regardless of the law. The only question is whether the rest of us will be allowed to use it too, to protect ourselves from criminals and foreign governments.
Don’t take my word for any of this:
- Glenn Greenwald – “Exploiting Emotions About Paris to Blame Snowden, Distract from Actual Culprits Who Empowered ISIS” – http://theintercept.com/2015/11/15/exploiting-emotions-about-paris-to-blame-snowden-distract-from-actual-culprits-who-empowered-isis/
- Security Journalist Brian Krebs tackles the question – http://krebsonsecurity.com/2015/11/paris-terror-attacks-stoke-encryption-debate/
- Tim Cook warns that the UK’s proposed surveillance bill is very dangerous for us, the regular folks – http://www.theguardian.com/world/2015/nov/10/surveillance-bill-dire-consequences-apple-tim-cook
- Ars Technica on the controversial proposed British Law – http://arstechnica.com/tech-policy/2015/11/the-snoopers-charter-would-devastate-computer-security-research-in-the-uk/
- TMO’s Bryan Chaffin explains it well – http://www.macobserver.com/tmo/article/dont-trade-your-privacy-for-nothing
Important Security Updates
- Patch Tuesday has been and gone, with security updates to Windows, IE, Skype, and Flash from Microsoft & Adobe – http://krebsonsecurity.com/2015/11/critical-fixes-for-windows-adobe-flash-player/
- Microsoft issued a security patch for Office for Mac (14.5.8) – http://www.intego.com/mac-security-blog/microsoft-office-for-mac-14-5-8-patches-mac-spoofing-vulnerability/
Important Security News
- New variant of Android malware can install itself even when users explicitly deny permission for the install – http://arstechnica.com/security/2015/11/android-adware-can-install-itself-even-when-users-explicitly-reject-it/
- More trouble for Facebook’s real names policy – having forced people to use their real names in the first place, Facebook banned accounts belonging to women with the common female first name Isis – http://nakedsecurity.sophos.com/2015/11/19/facebook-finally-lets-a-woman-named-isis-back-into-her-account/
- Belgium orders Facebook to stop tracking logged-out users or face a fine of €250,000 per day. Facebook will appeal the decision, and are saying that tracking people even after they log out is a good thing because it somehow, magically, makes Facebook more secure (as Naked Security put it, “some type of prophylactic infosec wonder cookie”) – https://nakedsecurity.sophos.com/2015/11/11/belgium-to-facebook-stop-tracking-non-facebook-users-or-face-267k-daily-fines/
- Amazon begins to roll out 2-factor auth – http://www.imore.com/you-can-now-secure-your-amazon-account-two-factor-authentication
- BadBarcode – a Chinese security researcher has demonstrated that many barcode readers and barcode-reading apps are badly written and can be exploited with malicious barcodes. This is not something end users need to worry about: barcode scanner vendors and developers of apps that consume barcode data just need to check that they are doing proper input validation on scanned data (it is untrusted input like any other), and all will be well – http://nakedsecurity.sophos.com/2015/11/19/forget-badbios-here-comes-badbarcode/
- Apple & Google pull InstaAgent from their app stores after it emerges that it was stealing Instagram passwords – http://www.macobserver.com/tmo/article/instaagent-pulled-from-app-store-for-stealing-user-names-passwords
- A bug in how the Android Gmail app parses display names allows spammers to trick the app into showing any From address, sidestepping the protection DKIM should provide against spoofing. Worst of all, Google replied to the security researcher saying that this spammer’s paradise of a bug is ‘not a security issue’. If you use Android, be VERY suspicious of EVERY email: your app could be lying to you, and Google don’t seem to care – http://nakedsecurity.sophos.com/2015/11/18/android-gmail-bug-lets-you-spoof-your-email-address/
- Don’t follow Chipotle’s example – never send out email from a domain you don’t own, it’s a gift to phishers and puts your users/customers/employees at risk (worst of all, their comments on the matter imply that they just don’t grok the blunder they made) – http://krebsonsecurity.com/2015/11/chipotle-serves-up-chips-guac-hr-email/
- Security researchers found Conficker on police body cams – http://arstechnica.com/security/2015/11/police-body-cams-found-pre-installed-with-notorious-conficker-worm/
- Another reason to be diligent about updating the software that runs your website – ransomware moves to target websites – http://krebsonsecurity.com/2015/11/ransomware-now-gunning-for-your-web-sites/
- Vizio provide yet another reason to avoid Smart TVs – they spy on what you do BY DEFAULT, tie it to your IP address, then sell that to advertisers who can then target you on your other devices because every device in your home shares your IP. They can do this because laws outlawing this kind of behaviour are written so they only cover traditional content providers like cable companies, and not TV manufacturers – http://arstechnica.com/security/2015/11/own-a-vizio-smart-tv-its-watching-you/
- Microsoft have announced that beginning mid 2016, their non-US customers will have the choice to have their data stored in Germany instead of the US, as protection from US government overreach – https://nakedsecurity.sophos.com/2015/11/12/microsoft-to-host-data-in-germany-to-evade-us-spying/
- The US FCC have revised a recent rule change that seemed to require router manufacturers to attempt to prevent their devices being flashed with third party software like DD-WRT – the newly clarified rules make it clear that that is not the intention of the rule – it’s about stopping the radio firmware being updated to take the device “out of its RF [radio frequency] compliance” – http://nakedsecurity.sophos.com/2015/11/17/feel-free-to-hack-your-wi-fi-routers-says-fcc/
- Comcast resets 200,000 passwords after they appeared for sale on the dark web. Comcast say it was not hacked, and that’s probably true, this is very likely a cache of passwords from other breaches that were found to be re-used on Comcast – yet another illustration of the dangers of password re-use – https://nakedsecurity.sophos.com/2015/11/10/comcast-resets-200000-passwords-offered-for-sale-on-dark-web/
- A timely reminder to parents – do you know what’s on your kids’ smartphones? They could be getting themselves into some serious trouble – http://www.intego.com/mac-security-blog/sexting-scandal-erupts-parents-urged-to-check-kids-phones/
- A timely reminder from Intego’s Mac Security blog to set up Medical ID on your iPhone – http://www.intego.com/mac-security-blog/why-you-should-set-up-medical-id-on-your-iphone/
- A good PSA from Macworld – never download software from software download sites – http://www.macworld.com/article/3000984/mac-apps/never-download-software-from-software-download-sites.html
- Avoiding phishing by example – three real-world examples of the most common kinds of phishing from Naked Security – https://nakedsecurity.sophos.com/2015/11/09/three-little-phishes-security-lessons-from-the-week-just-past/
- The Tor, Carnegie Mellon & FBI debacle – https://nakedsecurity.sophos.com/2015/11/13/tor-project-says-fbi-paid-carnegie-mellon-1m-to-unveil-tor-users/, http://arstechnica.com/security/2015/11/why-the-attack-on-tor-matters/, http://arstechnica.com/tech-policy/2015/11/fbi-the-allegation-that-we-paid-cmu-1m-to-hack-into-tor-is-inaccurate/ & http://nakedsecurity.sophos.com/2015/11/20/carnegie-mellon-denies-fbi-payment-for-tor-cracking-technique/
- Privacy advocates warn of a new BadBIOS-like use of inaudible sounds to track users across multiple devices – http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/
- Why Algebraic Eraser may be the riskiest crypto system you’ve never heard of – http://arstechnica.com/security/2015/11/why-algebraic-eraser-may-be-the-most-risky-cryptosystem-youve-never-heard-of/
- New malware surfaces using Twitter DMs as the command and control channel – http://nakedsecurity.sophos.com/2015/11/18/free-tool-uses-twitter-direct-messages-to-control-hacked-computers/
- eBay scammer steals identity of agent investigating him, then uses that identity to set up more eBay scams – http://nakedsecurity.sophos.com/2015/11/20/ebay-scammer-steals-identity-of-agent-investigating-him/
- More CAs caught doing more improper things – http://arstechnica.com/security/2015/11/https-certificates-with-forbidden-domains-issued-by-quite-a-few-cas/
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at firstname.lastname@example.org, follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.