This week I’ll tell you about my experience installing the ecobee3 and later in the show I’ll review it. I’ll tell you why even though it’s awesome you shouldn’t buy it. We’ll have the first of our NAB 2017 interviews – Quarterback for Live TV on a phone. Then I’ll explain why you seriously want to avoid buying the TrackR (not because it’s awesome). Then we have a great episode of Security Bits with Bart Busschots. It’s got four Security Mediums which gave us a lot to chew on.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Apple bias. Today is Sunday April 30, 2017 and this is show number 625. This is going to be a positively jam-packed show. I installed the ecobee3 Smart Thermostat with only a little help from Steve and I’ll explain that adventure, then we’ll hear the first of our interviews from the National Association of Broadcasters conference that Steve and I just attended. This first interview is about a cell phone case called Quarterback that will give you over the air TV on your phone, I’ll tell you why you should not buy the TrackR, then I’ll come back to the ecobee3 Thermostat and why it’s so awesome and why you shouldn’t buy it anyway.
Then we’ll have a great session of Security Bits with Bart Busschots. It ran longer than usual but it was super meaty. Instead of a giant list of news, it was four security mediums that are very nuanced so the explanation and discussion on each is pretty important. I found all of it fascinating. I guess we’d better kick in!
Chit Chat Across the Pond
Bart and I JUST recorded Chit Chat Across the Pond today, so we’re a wee bit late in the week. In this installment of his Programming By Stealth series, we review our test code using QUnit, and then learn how to use QUnit to test our code within a real browser page. We do that using the API we built together, the Bartificer Link Toolkit that identifies external links on a web page, makes them open in new tabs, adds the tag rel=noopener, and adds a cute icon to identify them as external links. As always Bart’s terrific written tutorials and downloadable examples are available at bartbusschots.ie/….
We’re going to come back to talk more about the ecobee3 and how well it works, but let’s take a break and listen to the first interview from NAB 2017.
Patreon and Amazon
We just finished talking a bit ago about the TrackR and what a hot mess it is. Imagine if I had been an advertiser for those folks. It would have created quite a conflict of interest for me if that had been the case. Now I’m not saying I’ll never advertise again, but I have to say I feel completely unfettered to say what I really think because I don’t have advertisers. This show is completely supported through donations by listeners who push the “Support the Show” button on podfeet.com.
From there you can do a one time PayPal donation, you can become a Patron of the show through Patreon and donate just a little bit every week, or you can push the Amazon button and buy your toys through the affiliate link. All of these methods are great ways to demonstrate that you find value through the show. And thank you to all of you who continue to support our efforts here.
Security Medium 1 – 'DoublePulsar'
In the previous security bits we mentioned that the latest dump of CIA hacking tools from the group named Shadow Brokers contained hacking tools that targeted many versions of Windows. At the time it was not clear whether or not the latest patches from Microsoft protected users from the vulnerabilities exploited by these tools.
The good news is that we now know that Microsoft's March patches did indeed plug the holes used by these tools. However, that has not been enough to prevent tens of thousands of machines being taken over by one of the released hacking tools – DoublePulsar.
The exact number of infections is not clear: different scans of the entire internet by different companies give different numbers. While the numbers don't agree, they are all of the same order of magnitude. It's not clear exactly how many tens of thousands of devices are infected at any given moment, but it is clear that we are talking about tens of thousands of devices.
It seems that many people are too slow to patch, and since the cat is now out of the bag, it's easy for anyone to hack into un-patched Windows machines, and many people appear to be doing just that.
Make sure your Windows machines are all patched!
Security researchers have also released a tool for remotely removing a DoublePulsar infection.
- Mysterious Microsoft patch killed 0-days released by NSA-leaking Shadow Brokers – arstechnica.com/…
- more than 10,000 Windows computers may be infected by advanced NSA backdoor – arstechnica.com/…
- NSA backdoor detected on more than 55,000 Windows boxes can now be remotely removed – arstechnica.com/…
Security Medium 2 – Microsoft Introduce Phone Sign-in
Microsoft have rolled out a new authentication option for Microsoft accounts which they have named phone sign-in.
You start by installing and configuring the Microsoft Authenticator app on your phone. Then, when you try to log in to your Microsoft account from another device, you won't need to enter your password – you simply enter your email address, hit next, and a message will pop up on your phone asking if the login should be allowed. If you allow it, the login will succeed without you ever needing to enter a password.
There are many advantages to this approach, the most obvious of which is convenience! There is also nothing for key loggers to capture, so it is a more secure option than a basic password without a second factor.
Really, the only controversy here is that Microsoft are not being honest in their descriptions of this feature – they insist on referring to it as two-factor authentication when it simply isn't. What it is is one-factor authentication where that one factor is better than the one-factor authentication we are used to – passwords. What Microsoft have done is replace the single "something you know" factor (your password) with the single "something you have" factor (your phone). I guess two-factor auth is seen as a buzzword rather than a technical term by Microsoft, but it's very disappointing to see them play so fast and loose with technical terms.
It looks to me like the Microsoft technical teams did a good job, and the Microsoft PR department is yet again letting the company down.
- Microsoft's announcement of the feature – blogs.technet.microsoft.com/…
- Microsoft turns two-factor authentication into one-factor by ditching password – arstechnica.com/…
Security Medium 3 – The Punycode Problem
The Domain Name System (DNS) translates between human-friendly domain names and the IP addresses actually used for computer-to-computer communications. DNS is old, very old, dating back to the dawn of the internet. Back then, it never occurred to anyone that there would be a desire to have accented characters in domain names, so the design does not allow for them. In fact, domain names don't even support letter case – WWW.PODFEET.COM is considered identical to www.podfeet.com!
Domain names consist of multiple parts separated by dots, where each part consists only of lower-case letters (a-z), digits (0-9), and dashes (though they're only permitted if they're surrounded by at least one letter or digit on each side).
As we've started to run low on user-friendly domain names, and as the internet has become ever more international, a desire has emerged to retro-fit accented characters and characters from other alphabets into domain names. Altering how DNS works is not really an option, so some clever people came up with a work-around.
The need to represent non-ASCII characters in ASCII-only environments is not unique to DNS, and a solution was developed – Punycode.
Punycode is an encoding scheme that allows unicode character codes to be written in ASCII. You can play around with it yourself on www.punycoder.com. You can see that
Back in 2003 Punycode met the web when the Internationalizing Domain Names in Applications (IDNA) standard was defined. Basically, browsers should support Punycode in domain names, hence, allowing domain names that appear to have accented characters, and characters from non-ASCII alphabets.
You would register www.xn--clich-fsa.com, and browsers would display it as www.cliché.com. Also, when you type www.cliché.com into the address bar, browsers should translate that to www.xn--clich-fsa.com on your behalf and then go fetch that website.
What could possibly go wrong?
The problem is so-called homographs – characters in different alphabets that look visually the same.
To prove this point, security researchers registered the innocent-looking domain name www.xn--80ak6aa92e.com, and legally acquired a valid TLS certificate for it. In many browsers, browsing to this domain will bring you to a page that is genuinely secure, so legitimately has a padlock, but the address bar appears to show www.apple.com. This is clearly phishing heaven!
A new name has been coined for these kinds of domain names: they have been christened confusables. Note that only humans find these domains confusing – computers see homographs as being completely different characters. This means that password managers will not get confused by these confusable domains, and neither will certificate authorities. If you take the time to view the certificate on www.xn--80ak6aa92e.com you'll see that it clearly shows the cert is for www.xn--80ak6aa92e.com and not
At the moment, each browser's treatment of Punycode domains is different.
Apple & Microsoft support Punycode, but, they only decode Punycode domain names if you have the relevant language installed. So, if you don't have the Cyrillic alphabet enabled on your Mac or iOS device, you'll see the raw Punycode, not the confusable version.
Google took a slightly different approach, and decided never to decode Punycode if it mixes characters from multiple alphabets. The theory being that mixing alphabets is inherently suspicious, and probably a sign that someone is trying to construct a confusable. Unfortunately, you don't always need to mix alphabets to create confusable domains – case in point, the www.apple.com example above only uses Cyrillic. Google have since added extra logic to Chrome to better identify confusables, so the problem appears to have been resolved on Chrome.
That just leaves Firefox. Some in the Firefox community feel that banning some characters just because they happen to be homographs would be culturally insensitive, so on a point of principle, they do not want to block any Punycode URLs. They are coming under attack for putting political correctness above user safety, but last I heard, they have not backed down. Firefox users who want to protect themselves need to disable the Punycode feature themselves by browsing to the special URL about:config, searching for the setting network.IDN_show_punycode, and setting it to
- Phishing with 'punycode' – when foreign letters spell English words – nakedsecurity.sophos.com/…
- Chrome, Firefox, and Opera users beware: This isn’t the apple.com you want – arstechnica.com/…
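The homograph problem described above, as an added example (not from the show or Bart's notes): a small Python checker that decodes Punycode labels, reports which alphabets each label uses, and flags both the mixed-script case that Chrome's original rule blocked and the all-Cyrillic www.xn--80ak6aa92e.com case it missed. The lookalike table is a constructed, partial list, not a standard one, and only the Python standard library is used.

```python
import unicodedata

# Constructed, partial table of Cyrillic letters whose glyphs resemble Latin
# letters in common fonts (an assumption for this example, not a standard list).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u04cf": "l",  # U+04CF (palochka) is the 'l' in the apple.com lookalike
}

def to_unicode(domain):
    """Decode every xn-- label (Punycode) to see the glyphs a user would be shown."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def to_ascii(domain):
    """The form the browser actually sends to DNS: the IDNA (xn--) Punycode form."""
    return domain.encode("idna").decode("ascii")

def scripts_in(label):
    """Rough script detection from Unicode names: {'LATIN'}, {'CYRILLIC'}, or a mix."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphens belong to every script
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def skeleton(label):
    """What a human is likely to read: lookalikes replaced by the Latin letter they mimic."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)

def assess(domain):
    """Per-label verdict: 'ok', 'mixed-script' (what Chrome's original rule blocked),
    or 'whole-script-confusable' (one alphabet, but every letter mimics Latin)."""
    shown = to_unicode(domain)
    verdicts = {}
    for label in shown.split("."):
        scripts = scripts_in(label)
        reads_as = skeleton(label)
        if len(scripts) > 1:
            verdicts[label] = "mixed-script"
        elif "CYRILLIC" in scripts and reads_as.isascii() and reads_as != label:
            verdicts[label] = "whole-script-confusable"
        else:
            verdicts[label] = "ok"
    # Software compares the wire form, which is why password managers and CAs are not fooled.
    return {"shown": shown, "wire": to_ascii(shown), "labels": verdicts}
```

Running `assess("www.xn--80ak6aa92e.com")` shows a decoded name that is not equal to `www.apple.com` even though its skeleton reads "apple", which is exactly the gap between what a human sees and what the computer compares.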
Security Medium 4 – OSX/Dok
Security firm Check Point Technologies is warning of a new macOS trojan that is being actively spread at the moment. The malware arrives as a spam email with an attachment that appears to be named Dokument.zip, hence the name.
This is a true Trojan – you need to take active steps to get yourself infected; just receiving the attachment is not even nearly enough to get you infected. First, you need to attempt to open this oddly named file you received unsolicited from a total stranger. Then you will see a message saying that opening the file failed because it's corrupt. Then, a popup nothing like a standard macOS software update dialogue will appear, ask you to update your Mac, and ask you to please give your admin password. Only if you actually do that will you get infected.
If you infect yourself, Dok installs a new root CA certificate, a web proxy service that auto-starts on boot, and then re-configures your Mac to direct your internet traffic through that proxy service, where, using the new CA cert it installed, it can intercept all your web traffic, even HTTPS traffic, and read and/or edit it as it passes through.
While getting infected is hard, and while a similar piece of malware on Windows would absolutely not be news in any way, this piece of malware is significant for a few reasons.
Firstly, scale – we're not used to seeing cyber criminals put this much effort into targeting Mac users. They may not be doing it very well in this instance, but they are doing it, and that's a new development.
Secondly, for now (and probably not for very long), the malware is signed by a valid developer certificate. It's quite likely the private key for this certificate has been stolen, but that's not clear yet. Everyone expects Apple to push an update to macOS's XProtect system to start blocking this cert and this piece of malware within the next few days, if not within the next few hours.
Just a reminder that Gatekeeper is a hurdle for attackers to get over, not a silver bullet. In the digital world people often have a binary view of things, so I'm sure you'll hear someone say that this proves Gatekeeper is useless. That is equivalent to declaring seatbelts useless because someone was killed in a car crash last week. We don't buy that kind of dumb illogic in the real world, so don't fall for it in the digital world either!
- Check Point's post announcing the discovery of the malware – blog.checkpoint.com/…
- PSA: Again, another reason not to open attachments from strangers – www.imore.com/…
- DOK Malware Signed by Valid Developer Certificate (for Now) – www.macobserver.com/…
Important Security News
- According to a recently filed lawsuit, the Bose Connect app that is used to pair with and control many Bose headphones spies on users, sending information about what they listen to back to Bose – www.reuters.com/… & www.nbcnews.com/…
- Numbers released by Kaspersky show that despite being patched years ago, the bugs that enabled Stuxnet remained the most exploited bugs in the world throughout 2015 and 2016 (Editorial by Bart: clearly, people don't patch nearly enough!) – arstechnica.com/…
- Multiple security vulnerabilities have been found in a wide range of Linksys home routers. There is no patch yet, but there are instructions from Linksys on how to protect yourself – nakedsecurity.sophos.com/…
- LastPass fixed another security vulnerability – this time one that allowed their 2FA to be bypassed in some circumstances – nakedsecurity.sophos.com/…
- New, and more powerful, versions of BrickerBot are destroying more insecure IoT devices. The author sees himself as a vigilante protecting the world from these insecure devices (if they are destroyed, they can't be recruited into botnets etc.) – arstechnica.com/…
- A double-whammy of scandal for Uber this week – first, the NYT reported that they were caught by Apple using prohibited private APIs to fingerprint iOS devices, and using geofencing to try to hide that fact from Apple reviewers, and then it emerged they were buying data on Lyft usage from analytics firm Slice who got the data from Unroll.me, a service that's advertised to users as a service to clean up their email inboxes – www.imore.com/…
- RELATED – You Can Now Delete Uber Account Data Straight From The App – www.macobserver.com/…
- How to set up two-factor authentication for your Amazon account – www.imore.com/… (both SMS & Authenticator app supported, even in Ireland now)
- How to set up two-factor authentication for your Skype account – www.imore.com/… (Microsoft really don't make this easy, but it is worth persevering with)
- The battle against fake news:
- Jimmy Wales is setting up the WikiTribune, a news site focused on tackling fake news by clearly showing where the facts in articles come from. Guy Kawasaki & Jeff Jarvis are advisors on the project – www.wikitribune.com/…
- Google is making changes to its algorithms to push fake news further down in its search results – www.bloomberg.com/…
- Facebook admits it is being used as propaganda tool by 'malicious actors' – nakedsecurity.sophos.com/…
- The US Government's attack on Net Neutrality continues:
- The EFF's latest update report warns that Google are still using their cheap Chromebooks to spy on school kids – appleinsider.com/…
- Facebook have released more details on their up-coming Delegated Account Recovery service – nakedsecurity.sophos.com/…
- UK government reports on business breaches and it’s not pretty – nakedsecurity.sophos.com/…
- Samsung Smart TV flaw leaves devices open to hackers – nakedsecurity.sophos.com/…
- Top secret messages sent via Confide might not be so secret after all – nakedsecurity.sophos.com/…
- Picture this: Senate staffers’ ID cards have photo of smart chip, no security – arstechnica.com/…
- AV provider Webroot melts down as update nukes hundreds of legit files – arstechnica.com/…
- Discovery of 8,800 servers sends warning to Asian cybercriminals – nakedsecurity.sophos.com/…
- Russian-controlled telecom hijacks financial services' Internet traffic – arstechnica.com/…
A Small Palate Cleanser
I discovered a new law to add to my list of favourites – Betteridge's law of headlines:
Any headline that ends in a question mark can be answered by the word no
If you're wondering what my other favourites are:
Never attribute to malice that which is adequately explained by stupidity/incompetence
If an online discussion (regardless of topic or scope) goes on long enough, sooner or later someone will compare someone or something to Hitler or his deeds
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at email@example.com, follow me on twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.