Security Bits — 13 September 2020

Feedback & Followups

• Recently we were alerted by Allister Jenks and Joe Preiser in our slack at podfeet.com/slack to a problematic idea I had on the last Security Bits. We were talking about how choosing an alphanumeric password was better than a 6-digit pin, even if you only typed in a 6-digit number. I said it would cause the hacker to have to try more character types because they wouldn’t know you’d only used numbers. But Allister and Joe explained that if you only have a numerical value password, iOS helpfully only brings up the numerical keypad instead of the full keyboard, letting the hacker know you only used numbers.
• Social Media sites continue to fight abuses of their platforms
  • Facebook announces forwarding limit to stop spread of misinformation on Messenger — www.imore.com/… (forwarding of Messenger messages will be limited to 5 people or groups at a time)
  • Zoom rolls out two-factor authentication for all users — www.imore.com/…

Deep Dive 1 — Apple & Google’s COVID Exposure API Takes a Big Step Forward

From the beginning Apple & Google promised that their system would roll out in two phases. First, there would be support for an API in the OSes, and health authorities would need to write their own apps to make use of that API. Then, there would be OS-level support for exposure notifications. What exactly that meant was not all that clear.

Well, now we know — Exposure Notifications Express rolled out in iOS 13.7, and is coming to Android later in September.

Local health authorities will no longer need to create their own apps if they don’t want to. The existing API will continue to work, so countries that want do add additional features above and beyond basic exposure notification can continue to do so, but that’s now purely optional.

Local health authorities will need access to some kind of back-end systems to manage their notifications workflow, and they’ll need to build a configuration file and send to Apple and Google. The two software giants will take it from there.

On iOS there will be no need to install any app for localities that sign up to Exposure Notifications Express, they’ll simply be able to enable exposure notifications from the iOS settings app.

On Android things will be a little different. Google will use the configuration file submitted by the local health authority to build an app for them and publish it in the Play Store.

Colorado in the US became the first state to make use of this interesting new option, and Maryland, Nevada, Virginia, & Washington DC have apparently also signed up.

Meanwhile, other countries continue to roll out full apps using the API, including Scotland, and England & Wales.

Links

• Apple and Google Rolling Out Simplified COVID-19 Exposure Notification System — www.macobserver.com/…
• iOS 13.7 Integrates Apple’s COVID-19 Exposure Notifications — tidbits.com/…
• Google creating COVID-19 apps w/ Exposure Notifications Express — 9to5google.com/…
• Colorado Signs up to Apple COVID-19 Exposure Notifications Express — www.macobserver.com/…
• Related — Full Apps Launched:
  • 🏴󠁧󠁢󠁳󠁣󠁴󠁿 Scotland launches anonymous ‘Protect Scotland’ contact tracing app — www.imore.com/…
  • 🏴󠁧󠁢󠁥󠁮󠁧󠁿 🏴󠁧󠁢󠁷󠁬󠁳󠁿 COVID-19 App to Launch in England and Wales on September 24 — www.macobserver.com/…

Deep Dive 2 — Notarised Malware Attacking Macs

Leading Mac security researcher Patrick Wardle found a malware attack targeting Macs in ads being served on the homepage of the popular Mac-focused command package manager Home Brew. What’s worse is that the malware was notarised by Apple!

Wardle reported the problem to Apple, they revoked the certs, and all was well again. Briefly. Just a few days later the malware campaign was back, and their malware was freshly re-notarised with a different Apple ID. The date of notarisation was the 28th of August, after the first set of certificates had been revoked.

The malware was also not obscure, it was OSX.Shlayer, a well-known adware trojan which has been doing the rounds since 2019. The malware presented itself as a Flash installer the website told the user they needed to install. A real classic!

As of the last update on Wardle’s blog on the 30th of August the second affected certificate had not yet been removed by Apple.

I don’t know if no news is good news — maybe Apple have been able to properly bolt the door this time, and what ever loophole the attackers have used is now closed. I guess if there were wide-scale attacks we’d know about it, so hopefully Apple do have a lid on this problem now.

Details are scant, so the best I can do is speculate, but what seems most likely to me is that the attackers had two things:

1. A cache of somehow stolen developer account credentials.
2. A technique for tricking Apple’s Notarisation Scanners into overlooking malware.

The fact that they were able to slip such a well known piece of malware through means they must have found a way to hide code in plain sight, it’s just not credible that Apple’s scanners would not know about such a pervasive piece of malware.

The fact that the attackers were able to switch to a different developer account so quickly implies they had a cache ready to go. The fact that they were not immediately arrested implies the original account belonged to some poor innocent developer who had a very bad day when all his signatures suddenly became invalid, and he probably had a very uncomfortable call from Apple!

This is probably nothing more than an embarrassing bug in Apple’s back-end scanners that has probably been fixed. The chances are few if any actual Mac users were harmed. But, it does underline that point that there is no such thing as perfect safety, even in a walled garden. Even on modern Macs, don’t download anything you didn’t explicitly go looking for, and only get your software from reputable sources!

Links

• Wardle’s detailed blog post explaining what he found — objective-see.com/…

❗ Action Alerts

• Last Tuesday was Patch Tuesday. Microsoft released a number of important security updates, including patches for Windows, IE & Edge — krebsonsecurity.com/…
• Slack patched a critical bug in their Windows, Linux, and Mac desktop clients — threatpost.com/…

Worthy Warnings

• CNN Investigation Finds AmazonBasics Products Dangerous — tidbits.com/…

Notable News

• Apple have announced a number of developer-related changes, some of which have a privacy impact:
  • Apple have released guidelines for developers to help them fill out their Privacy Nutrition Labels for the iOS 14 version of the app store — www.macobserver.com/…
  • Following complaints from Facebook and others, Apple are delaying the iOS privacy feature that will require users to explicitly opt-in to cross-app tracking — arstechnica.com/… & www.macobserver.com/…
  • Apple updated their app store TOS. Most of the media attention has been on the big change regarding streaming gaming services, but there were some important privacy-related changes too — www.macobserver.com/…
    • No ads allowed in App Clips.
    • Apps can’t force users to things like rate the app, accept tracking, watch a video, or click on an ad in exchange for some kind of benefit like being allowed to use the app at all, access certain function, or get paid.
    • The existing bans on the use of highly sensitive data like health and facial recognition data being used for advertising or data mining were clarified.
• Microsoft have announced new tools to fight deep fakes — blogs.microsoft.com/…
  • The tool getting the most press is Microsoft Video Authenticator, an app that analyses video or stills and gives a confidence score as to its realness.
  • Microsoft also announced that it’s partnering with media organisation to build a toolset for digitally signing media from news organisations, and verification code that can be embedded into browsers to validate those signatures. Assuming the platform gains traction when it goes live, browsers will be able to verify the authenticity of videos claiming to be from participating news networks anywhere they appear on the web.
  • Related: 🎧 An fascinating and eye-opening podcast episode illustrating just how good deep fakes are getting: Twenty Thousand Hertz Ep. 102: Deepfake Dallas — overcast.fm/…
• Facebook’s data transfer tool now works with Dropbox — www.imore.com/…
• 🇺🇸 A new bill to gut the safe harbour provisions in Section 230 of the Communications Decency Act which allows online platforms to moderate content without being considered a publisher has been introduced in the US senate. Meanwhile Fight for the Future has launched a campaign they’ve named Save Online Free Speech to fight both this new bill and the previously announced FCC regulation changes that also aim to gut Section 230 — www.macobserver.com/… & www.politico.com/…
• 🇺🇸 Portland Facial Recognition Ban Strongest in Country — www.macobserver.com/…

Palate Cleansers

• 🎧 Tom Merritt’s Know a Little More explaining Safe Harbor: overcast.fm/…

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji	Meaning
🎧	A link to audio content, probably a podcast.
❗	A call to action.
flag	The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊	A link to graphical content, probably a chart, graph, or diagram.
🧯	A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵	A link to an article behind a paywall.
📌	A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩	A tip of the hat to thank a member of the community for bringing the story to our attention.