S3 Ep133: Apple takes “tight-lipped” to a whole new level

SILENT SECURITY! (IS THAT A GOOD THING?)

With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


READ THE TRANSCRIPT

DOUG.  Passwords, botnets, and malware on the Mac.

All that, and more, on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I am Doug Aamoth; he is Paul Ducklin.

Paul, how are you doing?


DUCK.  [SCEPTICAL/SQUEAKY VOICE] Malware on Macs??!?!?!!?

Surely some mistake, Doug?

[LAUGHTER]


DOUG.  What?

This must be a typo. [LAUGHS]

Alright, let’s get right to it.

Of course, our first segment of the show is always the This Week in Tech History segment.

And this week – exciting! – BASIC.

If you’ve ever used one of the many flavours of the popular programming language, you may know that it stands for Beginners’ All Purpose Symbolic Instruction Code.

The first version was released at Dartmouth College on 01 May 1964, with the goal of being easy enough for non-math and non-science majors to use, Paul.

I take it you’ve dabbled with BASIC in your life?


DUCK.  I might have done just that, Doug. [LAUGHTER]

But even more importantly than Dartmouth BASIC, of course, was that this was when the DTSS, the Dartmouth Time-Sharing system, went online, so that people could use Dartmouth BASIC and their ALGOL compiler.

Lots of different people on teletypes could share the system at the same time, entering their own BASIC programs, and running them in real time as they sat there.

Wow, 59 years ago, Doug!


DOUG.  A lot has changed…


DUCK.  …and a lot has stayed the same!

This could be said to be where it all began – The Cloud. [LAUGHTER]

The “New England cloud”… it really was.

The network became quite significant.

It went all the way up into Maine, all the way through New Hampshire, right down into New York, I believe, and Long Island.

Schools, and colleges, and universities, all connected together so that they could enjoy coding for themselves.

So there *is* a sense of plus ça change, plus c’est la même chose, Doug. [The more things change, the more they stay the same.]


DOUG.  Excellent.

Alright, well, we are going to talk about Google… and this sounds a little bit more nefarious than it actually is.

Google can now legally force ISPs to filter traffic, but it’s not quite as bad as it sounds.

This is botnet traffic, and it’s because there’s a botnet using a bunch of Google stuff to trick people.

Google wins court order to force ISPs to filter botnet traffic


DUCK.  Yes, I think you do have to say “hats off” to Google for doing this obviously huge exercise.

They’ve had to put together a complex, well-reasoned legal argument why they should be given the right to go to ISPs and say, “Look, you have to stop traffic coming from this IP number or from that domain.”

So it’s not just a takedown of the domain, it’s actually knocking their traffic out.

And Google’s argument was, “If it takes trademark law to get them for this, well, we want to do it because our evidence shows that more than 670,000 people in the US have been infected by this zombie malware, CryptBot”.

CryptBot essentially allows these guys to run a malware-as-a-service or a data-theft-as-a-service service…

…where they can take screenshots, riffle through your passwords, grab all your stuff.

670,000 victims in the US – and it’s not just that they’re victims themselves, so that their data can be stolen.

Their computers can be sold on to help other crooks use them in committing further crimes.

Sounds rather a lot, Doug.

Anyway, it’s not a “snooper’s charter”.

They’ve not got the right to say, “Oh, Google can now force ISPs to look at the traffic and analyse what’s going on.”

It’s just saying, “We think that we can isolate that network as an obvious, overt purveyor of badness.”

The operators seem to be located outside the US; they’re obviously not going to show up in the US to defend themselves…

…so Google asked the court to make a judgment based on its evidence.

And the court said, “Yes, as far as we can see, we think that if this did go to trial, if the defendants did show up, we think Google has a very, very strong chance of prevailing.”

So the court issued an order that says, “Let’s try and interfere with this operation.”


DOUG.  And I think the key word there is “try”.

Will something like this actually work?

Or how much heavy lifting does it take to reroute 670,000 zombie computers on to somewhere else that can’t be blocked?


DUCK.  I think that’s usually what happens, isn’t it?


DOUG.  Yes.


DUCK.  We see with cybercrime: you cut off one head, and another grows back.

But that’s not something the crooks can do instantaneously.

They have to go and find another provider who’s prepared to take the risk, knowing that they’ve now got the US Department of Justice looking at them from a distance, knowing that maybe the US has now aroused some interest, perhaps, in the Justice Department in their own country.

So I think the idea is to say to the crooks, “You can disappear from one site and come up in some other so-called bulletproof hosting company, but we are watching you and we are going to make it difficult.”

And if I read correctly, Doug, the court order also allows, for this limited period, Google to almost unilaterally add new locations themselves to the blocklist.

So they’re now in this trusted position that if they see the crooks moving, and their evidence is strong enough, they can just say, “Yes, add this one, add this one, add that one.”

Whilst it might not *stop* the dissemination of the malware, it might at least give the crooks some hassle.

It might help their business to stagnate a little bit.

Like I said, it might draw some interest from law enforcement in their own country to go and have a look around.

And it might very well protect a few people who would otherwise fall for the ruse.


DOUG.  And there are some things that those of us at home can do, starting with: Stay away from sites offering unofficial downloads of popular software.


DUCK.  Indeed, Doug.

Now, I’m not saying that all unofficial downloads will contain malware.

But it’s usually possible, at least if it’s a mainstream product, say it’s a free and open-source one, to find the one true site, and go and get the thing straight from there.

Because we have seen cases in the past where even so-called legitimate downloader sites that are marketing driven can’t resist offering downloads of free software that they wrap in an installer that adds extra stuff, like adware or pop-ups that you don’t want, and so on.


DOUG.  [IRONIC] And a handy browser toolbar, of course.


DUCK.  [LAUGHS] I’d forgotten about the browser toolbars, Doug!

[MORE LAUGHTER]

Find the right place, and don’t just go to a search engine and type in the name of a product and then take the top link.

You may well end up on an imposter site… that’s *not* enough for due diligence.


DOUG.  And along those lines, taking things a step further: Never be tempted to go for a pirated or cracked program.


DUCK.  That’s the dark side of the previous tip.

It’s easy to make a case for yourself, isn’t it?

“Oh, a little old me. Just this once, I need to use super-expensive this-that-and-the-other. I just need to do it this one time and then I’ll be good afterwards, honest.”

And you think, “What harm will it do? I wasn’t going to pay them anyway.”

Don’t do it because:

(A) It is illegal.

(B) You inevitably end up consorting with exactly the kind of people behind this CryptBot scam – they’re hoping you’re desperate and therefore you’ll be much more inclined to trust them, where normally you would go, “You look like a bunch of charlatans.”

(C) And of course, lastly, there’s almost always going to be a free or an open source alternative that you could use.

It might not be as good; it might be harder to use; you might need to invest a little bit of time learning to use it.

But if you really don’t like paying for the big product because you think they’re rich enough already, don’t steal their stuff to prove a point!

Go and put your energy, and your impetus, and your visible support legally behind someone who *does* want to provide you the product for free.

That’s my feeling, Doug.


DOUG.  Yes.

Stick it to the man *legally*.

And then finally, last but not least: Consider running real-time malware blocking tools.

These are things that scan downloads and they can tell you, “Hey, this looks bad.”

But also, if you try to run something bad, at run-time they’ll say, “No!”


DUCK.  Yes.

So that rather than just saying, “Oh, well, I can scan files I’ve already got: are they good, bad or indifferent?”…

…you have a lower chance of putting yourself in harm’s way *in the first place*.


DOUG.  Let us talk about Apple.

This is a surprise… they surprised us all with the new Rapid Security Response initiative.

What happened here, Paul?

Apple delivers first-ever Rapid Security Response “cyberattack” patch – leaves some users confused


DUCK.  Well, Doug, I got this Rapid Security Response!

The download was a few tens of megabytes, as far as I remember; the verification a couple of seconds… and then my phone went black.

Then it rebooted and next thing I knew, I was right back where I started, and I had the update: iOS 16.4.1 (a).

(So there’s a weird new version number to go with it as well.)

The only downside I can see, Doug, is that you have no idea what it’s for.

None at all.

Not even a little bit like, “Oh, sorry, we found a zero-day in WebKit, we thought we’d better fix it”, which would be nice to know.

Just nothing!

But… small and fast.

My phone was out of service for seconds rather than tens of minutes.

Same experience on my Mac.

Instead of 35 minutes of grinding away, “Please wait, please wait, please wait,” then rebooting three or four times and “Ohhh, is it going to come back?”…

…basically, the screen went black; seconds later, I’m typing in my password and I’m running again.

So there you are, Doug.

Rapid Security Response.

But no one knows why. [LAUGHTER]


DOUG.  It’s perhaps unsurprising, but it’s still cool nonetheless that they’ve got this kind of programme in place.

So let’s stay on the Apple train and talk about how, for the low, low price of $1,000 a month, you too can get into the Mac malware game, Paul.

Mac malware-for-hire steals passwords and cryptocoins, sends “crime logs” via Telegram


DUCK.  Yes, this is certainly a good reminder that if you are still convinced that Macs don’t get malware, think again.

These are researchers at a company called Cyble, and they have, essentially, a sort-of dark web monitoring team.

If you like, they deliberately try and lie down with dogs to see what fleas they attract [LAUGHS] so that they can find things that are going on before the malware gets out… while it’s being offered for sale, for example.

And that’s exactly what they found here.

And just to make it clear: this isn’t malware that just happens to include a Mac variant.

It is absolutely targeted at helping other cybercriminals who want to target Mac fanbuoys-and-girls directly.

It is called AMOS, Doug: Atomic macOS Stealer.

It does not support Windows; it does not support Linux; it does not run in your browser. [LAUGHTER]

And the crooks are even offering, via a secret channel on Telegram, this “full service” that includes what they call a “beautifully prepared DMG” [Apple Disk Image, commonly used for delivering Mac installers].

So they recognise, I suppose, that Mac users expect software to look right, and to look good, and to install in a certain Mac-like way.

And they’ve tried to follow all those guidelines, and produce a program that is as believable as it can be, particularly since it needs to ask for your admin password so that it can do its dirtiest stuff… stealing all your keychain passwords, but it tries to do it in a way that’s believable.

But in addition to that, not only do you (as a cybercrook who wants to go after Mac users) get access to their online portal, so you don’t need to worry about collating the data yourself… Doug, they even have an app-for-that.

So, if you’ve mounted an attack and you couldn’t be bothered to wake up in the morning, actually log in to your portal, and check whether you’ve been successful, they will send you real-time messages via Telegram to tell you where your attack succeeded, and even to give you access to stolen data.

Right there in the app.

On your phone.

No need to log in, Doug.


DOUG.  [IRONIC] Well, that’s helpful.


DUCK.  As you say, it’s $1,000 a month.

Is that a lot or a little for what you get?

I don’t know… but at least we know about it now, Doug.

And, as I said, for anyone who’s got a Mac, it is a reminder that there is no magic security that immunises you from malware on a Mac.

You are much less likely to experience malware, but having *less* malware on Macs than you get on Windows is not the same as having *zero* malware and being at no risk from cybercriminals.


DOUG.  Well said!

Let’s talk about passwords.

World Password Day is coming up, and I will cut to the chase, because you have heard us, on this very programme, say, time and time again…

…use a password manager if you can; use 2FA when you can.

Those we’re calling Timeless Tips.

World Password Day: 2 + 2 = 4

But then two other tips to think about.

Number 1: Get rid of accounts you aren’t using.

I had to do this when LastPass was breached.

It’s not a fun process, but it felt very cathartic.

And now I’m down, I believe, to only the accounts I’m still actively using.


DUCK.  Yes, it was interesting to hear you talking about that.

That definitely minimises what’s called, in the jargon, your “attack surface area”.

Fewer passwords, fewer to lose.


DOUG.  And then another one to think about: Revisit your account recovery settings.


DUCK.  I thought it’s worth reminding people about that, because it’s easy to forget that you may have an account that you are still using, that you do know how to log into, but that you’ve forgotten where that recovery email goes, or (if there’s an SMS code) what phone number you put in.

You haven’t needed to use it for seven-and-a-half years; you’ve forgotten all about it.

And you may have put in, say, a phone number that you’re not using anymore.

Which means that: (A) if you need to recover the account in the future, you’re not going to be able to, and (B) for all you know, that phone number could have been issued to someone else in the interim.

Exactly the same with an email account.

If you’ve got a recovery email going to an email account that you’ve lost track of… what if someone else has already got into that account?

Now, they might not realise which services you’ve tied it to, but they might just be sitting there watching it.

And the day when you *do* press [Recover my password], *they’ll* get the message and they’ll go, “Hello, that looks interesting,” and then they can go in and basically take over your account.

So those recovery details really do matter.

If those have got out of date, they are almost more important than the password you have on your account right now, because they are equal keys to your castle.


DOUG.  Alright, very good.

So this year, a Very Happy World Password Day to everyone… take some time to get your ducks in a row.

As the sun begins to set on our show, it’s time to hear from one of our readers – an interesting comment on last week’s podcast.

As a reminder, the podcast is available both in audio mode and in written form.

Paul sweats over a transcript every week, and does a great job – it’s a very readable podcast.

So, we had a reader, Forrest, write about the last podcast.

We were talking about the PaperCut hack, and that a researcher had released a proof-of-concept script [PoC] that people could use very easily…


DUCK.  [EXCITED] To become hackers instantly!


DOUG.  Exactly.


DUCK.  Let’s put not too fine a point upon it. [LAUGHTER]


DOUG.  So Forrest writes:

For the whole disgruntlement over the PaperCut PoC script. I think it’s important to also understand that PoCs allow both good and bad actors to demonstrate risk.

While it can be damaging to an organisation, demonstrating risk or witnessing someone get owned over it is what drives remediation and patching.

I can’t count the number of times I’ve seen vulnerability management teams light fires under their IT resources only after I’ve weaponised the 10-year-old CVE they have refused to patch.

Good point.

Paul, what are your thoughts on that?

PaperCut security vulnerabilities under active attack – vendor urges customers to patch


DUCK.  I get the point.

I understand what full disclosure is all about.

But I think there is quite a big difference between publishing a proof-of-concept that absolutely anybody who knows how to download a text file and save it on their desktop can use to become an instant abuser of the vulnerability, *while we know that this is a vulnerability currently being exploited by people like ransomware criminals and cryptojackers*.

There’s a difference between blurting that out while the thing is still a clear and present danger, and trying to shake up your management to fix something that is 10 years old.

I think in a balanced world, maybe this researcher could simply have explained how they did it.

They could have shown you the Java methods that they used, and reminded you of the ways that this has been exploited before.

They could have made a little video showing that their attack worked, if they wanted to go on the record as being one of the first people to come up with a PoC.

Because I recognise that that’s important: you’re proving your worth to prospective future employers who might employ you for threat hunting.

But in this case…

…I’m not against the PoC being released.

I just shared your opinion in the podcast.


DOUG.  It was more a *grunting* than *disgruntled*.


DUCK.  Yes, I transcribed that as A-A-A-A-A-R-G-H. [LAUGHS]


DOUG.  I probably would have gone with N-N-N-N-N-G-H, but, yes.


DUCK.  Transcribing is as much art as science, Doug. [LAUGHTER]

I see what our commenter is saying there, and I get the point that knowledge is power.

And I *did* find looking at that PoC useful, but I didn’t need it as a working Python script, so that not *everybody* can do it *anytime* they feel like it.


DOUG.  Alright, thank you very much, Forrest, for sending that in.

If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @nakedsecurity.

That’s our show for today; thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…


BOTH.  Stay secure!

[MUSICAL MODEM]