I was on the inaugural episode of the Conversations of Things podcast with Joe Dugandzic. I’ll explain how to make photo albums with Apple Photos that people actually want to see (spoiler, it’s about keywords). I’ll challenge some assumptions Bart Busschots made in his Let’s Talk Photography podcast about subscription models for software. And Bart is back with another fine edition of Security Bits.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Apple bias. Today is Sunday July 9, 2017 and this is show number 635. Before I get started this week I want to warn you that this coming week, the show will probably be late. We’re going to Macstock Expo in Chicago Friday through Monday. I thought about trying to cram the show in early but there’s likely to be juicy content during the show that I’ll be itching to tell you about right away, so I think we’re looking at Tuesday for the show to come out. That also means there’s no live show this coming Sunday. Tell you what, why don’t you guys just come to Chicago for Macstock and see us there? Perfect.
Chit Chat Across the Pond
I’ve been asking Bart a lot of questions in the back channel as I struggle to understand the documentation he has provided in our latest few sessions of homework assignments for the Programming By Stealth series. To be honest, I’ve been pretty frustrated every time he and Dorothy tell me to read the documentation because it doesn’t make sense to me. He had an epiphany last week that he had never explained how the documentation itself is structured, because the structure is second nature to him, and he was making an assumption that we all understood how it worked.
His solution to this is unique. While we recorded the audio podcast, he showed me in video how the documentation is created using JSDoc, and it became clear to me during the show. But that would be really mean to everyone else, so he created a screencast without me asking questions where he walks through all of the same content. It’s pretty darn cool.
Anyway, go check out Programming By Stealth in either the dedicated podcast feed or in the Chit Chat Across the Pond feed.
Blog Posts
Conversation of Things Podcast – Episode 1 with Allison Sheridan
Make Apple Photo Albums People Actually Want to See
Subscription Models for Software – More Profit and Better Software?
Patreon and Amazon
I want to give a special shout out to a long time listener and friend I haven’t yet met in physical space, Tim Gregoire. Tim decided this week to become a Patron of the Podfeet Podcasts. He went to podfeet.com/patreon and selected a dollar amount that worked for him and now he helps the show keep going every single week. I can’t thank you enough, Tim, and Steve and I are really excited about actually getting to meet you this week in Chicago.
Security Lite
Security Medium 0 – Petya
The big news story of the last two weeks is obviously that there was another WannaCry-like attack, this time named Petya (or, rather confusingly, NotPetya).
IMO this is just a re-hash of the same story, so I’m not going to bother going into the detail on air. I’ve included the links below in case you do want to dig into it.
Ultimately, the take-away is exactly the same – keep patched and don’t use obsolete OSes or software.
Links:
- A new ransomware outbreak similar to WCry is shutting down computers worldwide – arstechnica.com/…
- ‘Petya’ Ransomware Outbreak Goes Global – krebsonsecurity.com/…
- Deconstructing Petya: how it spreads and how to fight back – nakedsecurity.sophos.com/…
- ‘Petya’ ransomware: Everything you need to know – www.imore.com/…
- New Petya ransomware: everything you wanted to know (but were afraid to ask) – nakedsecurity.sophos.com/…
- Tuesday’s massive ransomware outbreak was, in fact, something much worse – arstechnica.com/…
- Breach at US nuclear plants raises concerns in wake of Petya – nakedsecurity.sophos.com/…
- Backdoor built in to widely used tax app seeded last week’s NotPetya outbreak – arstechnica.com/…
- Organisations count the cost of Petya as the storm abates – nakedsecurity.sophos.com/…
Security Medium 1 – The Password Reset Man in the Middle Attack
In a paper presented at the 38th IEEE Symposium on Security and Privacy, security researchers have described a new attack scenario users need to be wary of.
TL;DR – when you’re registering a new account on a site, you are very vulnerable, only register on sites you trust.
The insight the security researchers had is that if you can trick someone into registering an account on a malicious site you run, you can ask them whatever questions you need to hack into their email account.
The process would go something like this – you start by trying to access or download something you want, and are presented with a registration page that asks for your email address. You hit submit, and the malicious code immediately initiates a password reset request for the address you entered. If your mail provider pops up a CAPTCHA, no problem, display that to the registering user as if it were part of the registration process, then pass their answer back to their email provider. The same works with security questions, and, potentially, even for 2FA, though that might trigger some alarm bells depending on the specifics.
How can you protect yourself? I don’t think perfect protection is possible, but I can suggest some strategies:
1. avoid registering for sites that don’t have a pedigree/reputation – a well-known newspaper is a very different thing to a random blog!
2. consider having a separate disposable email account for registering on sites you don’t really care about
3. keep your mail client open while registering on sites and keep an eye out for emails telling you a password reset has been requested
4. be very suspicious of 2FA notifications coming in for one site while you’re registering on another
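To make the relay concrete, here is a small model of the attack added to these notes (it is not code from the paper or from Naked Security). A fake mail provider runs a CAPTCHA, security question and SMS-code reset flow; a fake registration page relays each of those challenges to the victim as a sign-up step; and the victim answers whatever they are shown. The provider name, site name, CAPTCHA id, question and SMS wording are all made up for the illustration. The third run shows tip 4 in action: an attentive victim only stands a chance when the SMS actually names the service that sent it.

```python
"""Toy model of the password-reset man-in-the-middle relay.

Constructed illustration for these show notes; provider, site names,
CAPTCHA ids and message formats are assumptions, not the paper's.
"""
import secrets
from dataclasses import dataclass, field

PROVIDER = "mail.example"                  # assumed: the victim's email provider
ATTACKER_SITE = "free-wallpapers.example"  # assumed: the site the victim is joining
SMS_LABEL = " password reset code: "       # assumed wording of a labelled SMS


@dataclass
class Challenge:
    kind: str     # "captcha", "question" or "sms_code"
    prompt: str   # what the real reset page would show the user


@dataclass
class Victim:
    email: str
    captcha_solutions: dict            # CAPTCHA id -> what the user would type
    answers: dict                      # security question -> answer
    phone: list = field(default_factory=list)   # SMS inbox
    checks_context: bool = False       # tip 4: read which service the SMS names

    def answer(self, challenge, site):
        """Answer a challenge shown on `site`; None means the user refused."""
        if challenge.kind == "captcha":
            return self.captcha_solutions[challenge.prompt]
        if challenge.kind == "question":
            return self.answers[challenge.prompt]
        sms = self.phone[-1]
        named = sms.split(SMS_LABEL)[0] if SMS_LABEL in sms else None
        if self.checks_context and named is not None and named != site:
            return None                # "why is my mail provider texting me?"
        return sms.rsplit(" ", 1)[-1]  # the code is the last word of the text


class MailProvider:
    """Reset flow: CAPTCHA -> security question -> SMS code -> reset token."""
    CAPTCHAS = {"img-1187": "x7k2q"}
    QUESTION = "What was the name of your first pet?"

    def __init__(self, accounts, label_sms):
        self.accounts = accounts    # email -> {"answer": ..., "victim": Victim}
        self.label_sms = label_sms  # whether the SMS names this provider
        self.sessions = {}

    def start_reset(self, email):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"email": email, "step": 0, "code": None}
        return sid, Challenge("captcha", "img-1187")

    def answer(self, sid, value):
        s = self.sessions[sid]
        acct = self.accounts[s["email"]]
        if s["step"] == 0:
            if value != self.CAPTCHAS["img-1187"]:
                return "fail", None
            s["step"] = 1
            return "challenge", Challenge("question", self.QUESTION)
        if s["step"] == 1:
            if value != acct["answer"]:
                return "fail", None
            s["code"] = f"{secrets.randbelow(10**6):06d}"
            text = (f"{PROVIDER}{SMS_LABEL}{s['code']}" if self.label_sms
                    else f"Your verification code is {s['code']}")
            acct["victim"].phone.append(text)   # SMS goes straight to the victim
            s["step"] = 2
            return "challenge", Challenge("sms_code", "Enter the code we texted you")
        if value != s["code"]:
            return "fail", None
        return "token", secrets.token_urlsafe(16)  # lets the attacker set a new password


def run_attack(victim, provider):
    """The malicious registration page: every real reset challenge is re-shown
    to the victim as a sign-up step and the answer forwarded to the provider."""
    sid, challenge = provider.start_reset(victim.email)
    while True:
        reply = victim.answer(challenge, ATTACKER_SITE)
        if reply is None:
            return None                      # victim refused, attack fails
        status, payload = provider.answer(sid, reply)
        if status == "token":
            return payload                   # attacker now holds the reset token
        if status == "fail":
            return None
        challenge = payload


def build(checks_context, label_sms):
    # one victim and one provider that share the same (assumed) secrets
    victim = Victim("victim@mail.example", {"img-1187": "x7k2q"},
                    {MailProvider.QUESTION: "rex"}, checks_context=checks_context)
    provider = MailProvider({victim.email: {"answer": "rex", "victim": victim}}, label_sms)
    return victim, provider


if __name__ == "__main__":
    for checks, label in [(False, False), (True, False), (True, True)]:
        v, p = build(checks, label)
        print(f"attentive={checks} labelled_sms={label}: token={run_attack(v, p)}")
```

The first two runs hand the attacker a reset token: the CAPTCHA and security question carry no hint of who is really asking, and an unlabelled "Your verification code is …" SMS gives even a careful user nothing to notice. Only when the provider names itself in the message and the user reads it does the relay break, which is why tip 4 matters and why codes or messages that name the requesting service are a real improvement over bare six-digit codes.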
Links:
- Naked Security’s Coverage of the story – nakedsecurity.sophos.com/…
- The research paper (includes nice clear diagram) – www.ieee-security.org/…
Important Security Updates
- Google have released their July 2017 security update for Android, and it contains fixes for 18 remote code execution bugs, including a particularly nasty bug in the drivers for some Broadcom wifi chips which has been named BroadPwn – nakedsecurity.sophos.com/…
- Joomla has been updated to version 3.7.3, which includes a patch for a critical vulnerability that allows remote attackers to take over Joomla-powered sites – www.us-cert.gov/…
Important Security News
- McAfee’s latest threat report shows Mac malware on the rise (editorial by Bart: no need to panic, but be aware that Mac users are being actively targeted. I consider this to be a timely reminder that we all need to be more careful about doing the right things like keeping patched, being suspicious of all email, and being very careful about what apps we install and run) – www.macobserver.com/…
- The latest IC3 (The FBI’s Internet Crime Complaints Center) report shows that scams, extortion and CEO fraud are the top cyber crimes in the US (Editorial by Bart: a timely reminder that you should always be suspicious about that email that appears to be from the boss asking you to transfer money) – krebsonsecurity.com/…
- Google to stop scanning emails for ad targeting – free Gmail accounts will still see ads, but they’ll be based on everything else Google knows about you, not your email – www.bloomberg.com/…
- Contrary to some reporting, Snapchat did not start sharing people’s location without their permission – they did introduce a new Snap Map feature that does indeed share your location each time you open the app, but you have to opt into it – nakedsecurity.sophos.com/…
- US health insurance giant Anthem agreed to a record $115m settlement in lawsuits over its 2015 breach of 80m people’s health records – nakedsecurity.sophos.com/…
- Facebook is fighting gag orders preventing it from informing users of search warrants – nakedsecurity.sophos.com/…
Suggested Reading
- Notable Breaches
- PSAs, Advice & Tips
- US IRS warns of summer-time scams – www.irs.gov/…
- US FTC warns of charity scams – www.consumer.ftc.gov/…
- macOS: Installing Flash Updates (The Safe Way) – www.macobserver.com/…
- Google Drive users might be interested in some recent changes to how the services works – Google Drive: Everything you need to know! – www.imore.com/…
- Inside the Dark Web: What Every Parent Needs to Know – www.intego.com/…
- GDPR: who needs to hire a data protection officer? – nakedsecurity.sophos.com/…
- News
- FBI-DHS “amber” alert warns energy industry of attacks on nuke plant operators – arstechnica.com/…
- WikiLeaks releases more documents on CIA hacking tools, including Brutal Kangaroo, a suite of tools for attacking air-gapped computers – arstechnica.com/…
- Chinese Researchers Find Way to Decrypt Satphone Calls in Near Real-Time – www.macobserver.com/…
- Facebook pilots additional profile picture protections in India – nakedsecurity.sophos.com/…
- Election-related stories
- Analysis, Editorial & Opinion
- A fantastic Planet Money back-episode detailing just how much information leaks when you use wifi or another unsecured network – www.npr.org/…
- I Got Hacked and All I Got Was This New SIM Card – carpeaqua.com/… (Editorial by Bart: this story illustrates perfectly why PayPal are so wrong to have changed to SMS as their ONLY 2FA option just a few months ago – it’s a really dumb and retrograde move in 2017, and I really hope they see the light soon!)
- The iPhone at 10: Still No Major Malware – www.intego.com/…
- Month in Review: Apple Security in June 2017 – www.intego.com/…
- Some Researchers Think Apple’s Bug Bounty Program Isn’t Competitive – www.macobserver.com/…
- Bad things happen to good people – but you can help stop that – nakedsecurity.sophos.com/…
- Is it Time to Can the CAN-SPAM Act? – krebsonsecurity.com/…
- How I learned to stop worrying (mostly) and love my threat model – arstechnica.com/…
- Who’s watching? Face recognition means goodbye to hiding in crowds – nakedsecurity.sophos.com/…
- The US’s annual wiretapping report for 2016 has been released – Encryption thwarting investigators as federal government taps increase – nakedsecurity.sophos.com/… & The Report – www.uscourts.gov/…
- Propeller Beanie Territory
- A fantastic explanation of the big problem with our current HTTPS system (revocation is broken), and the solutions that are on the horizon – arstechnica.com/…
- So You Think You Can Spot a Skimmer? – krebsonsecurity.com/…
- Microsoft bringing EMET back as a built-in part of Windows 10 – arstechnica.com/…
- This Windows Defender bug was so gaping its PoC exploit had to be encrypted – arstechnica.com/…
- How Spora ransomware tries to fool antivirus – nakedsecurity.sophos.com/…
- Who is the GovRAT Author and Mirai Botmaster ‘Bestbuy’? – krebsonsecurity.com/…
Palate Cleansers:
- What does WiFi really stand for? (It’s probably not what you think) – www.macobserver.com/…
- My two favourite non-tech Planet Money episodes:
  - Episode 601: The Chocolate Curse – www.npr.org/…
  - Episode 627: The Miracle Apple – www.npr.org/…
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show, normally you can head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time (except not next weekend) and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.