A new Link History setting in the Facebook mobile app has a big catch buried in the small print. Some important open source software on macOS hasn’t been updated by Apple despite known vulnerabilities. Stealer malware and session cookie theft continues to be a problem in the new year. And we have a look back at some of the security stories we covered in 2023.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
Transcript of Intego Mac Podcast episode 325
Voice Over 0:00
This is the Intego Mac podcast—the voice of Mac security—for Thursday January 4 2024.
This week’s Intego Mac Podcast security headlines include: a new Link History setting in the Facebook mobile app has a big catch buried in the small print. Some important open source software on macOS hasn’t been updated by Apple despite known vulnerabilities. Stealer malware and session cookie theft continues to be a problem in the new year. And we have a look back at some of the security stories we covered in 2023. Now, here are the hosts of the Intego Mac Podcast. Veteran Mac journalist, Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:50
Good morning, Josh. Happy New Year to you.
Josh Long 0:53
Happy New Year. How’s it going, Kirk?
Kirk McElhearn 0:54
It’s going okay. We have news. We have a look back at Apple security and privacy in 2023. It was a really busy year, we’re gonna get to it in a few minutes. First, we want to talk about a Facebook data gathering tool that you should really disable.
Facebook mobile app’s Link History feature gives all of Meta your data.
Josh Long 1:09
Right, I’ve seen a lot of headlines about this. This is a new setting. So you may have already seen this pop up if you’re a regular user of Facebook. In the Facebook mobile app, the first time that you tap on a link, you’ll get a new prompt, a dialog box that says “new Link History.” It’s got a little graphic and says “never lose the link again, easily get back to recent links you visited with your Facebook browsing activity now saved in one place,” which actually kind of sounds okay. Like, oh, okay, yeah, maybe I feel like I know I visited a page recently that I saw a link to on Facebook, and what was it? So it sounds nice. Like I can go back and find that link again. But it goes on when you— By the way, this is all kind of fine print. So you have to, like, sit here and read this whole dialog box to know what’s really going on. “When you allow Link History, we may use your information to improve your ads across Meta technologies.” Wait a minute, hold on. So it’s not just, like, a nice beneficial feature for me. This means that if I opt into this, now everybody is going to have access, like everyone at Meta is now going to have access to my Link History. No.
Kirk McElhearn 2:25
And remember, that’s Facebook, Instagram, Threads, anything else?
Josh Long 2:29
Well, it may also apply to the Meta Quest, you know, the formerly known as Oculus headset thing.
Kirk McElhearn 2:35
So when you’re playing a game with the Meta Quest you get ads in VR, technically,
Josh Long 2:40
I have one, but I haven’t really ever used it. So I’m not sure about that. But it wouldn’t surprise me, right. And they’re sharing data across all these platforms. They’re all tied to your Meta account. So when you see this dialog box pop up, it will by default auto-enable the setting “allow Link History.” And so if you just dismiss it quickly and hit Confirm, yeah, whatever, then you are opting in, which is kind of another way of saying you don’t really know that you’re opting in, but they can claim that you’re opting in because you actually have to tap on Confirm. So if you have not seen this dialog box yet, then when you do see it the first time that you, you know, tap on a link in somebody’s Facebook post, make sure that you turn that setting off, if you don’t want Meta to have access to all of this and use it across Meta properties for advertising purposes. Then just tap on that slider, it turns to the left, it sets it to off, and then hit Confirm. If, however, you’ve already done this, or maybe you’re not sure if you’ve done it, and the next time you tap on a link you notice that you don’t get this prompt, then you have to go into Settings, and there is a setting to turn this off after the fact as well.
Kirk McElhearn 3:57
There are actually two different ways to turn this off. And Facebook has a support document explaining one way, but we’ll have an article on the Intego Mac Security blog explaining both ways if you want to turn it off. Now, you might want to keep it on, because you might want to keep a record of all the links that you’ve tapped or clicked in Facebook. This only applies to the Facebook app. And you said this earlier, the mobile app on iOS and Android. So I use Facebook in a browser to avoid all this data collection. I can’t see this. If you only use Facebook in a browser, or if you only use Facebook on your Mac, you won’t have this setting.
Josh Long 4:28
One more interesting note, if you happen to manage a page, there’s a different setting for that page than for your main account. So you may actually see this when you’re managing that page and not realize that you haven’t yet seen it on your own personal account. So that’s another thing to watch out for.
Apple has yet to update the vulnerable SSH components of macOS.
Kirk McElhearn 4:44
Okay, we want to talk about something that we’ve talked about before, but the reason we’re talking about it again is because there are some Macs that are still at risk. Now, not a lot of people have this software enabled, but nearly 11 million SSH servers are vulnerable to this new attack that’s called Terrapin. You might have a Mac that’s set up to accept SSH connections remotely. So you’re away from home, and you want to connect to your own Mac over SSH. If you do, well, the SSH that’s built into macOS is way old, two major versions behind.
Josh Long 5:19
Right. Well, it’s not terribly old in the sense of the timeline. So this version that’s built into macOS came out in August, but it’s OpenSSH version 9.4, which is problematic because 9.4 and 9.5 are vulnerable to this particular attack. And so only if you have 9.6 or later are you safe, and Apple has not built that into macOS yet. This is kind of a problem, because we’ve known about this now for some time. And you know, I know we’ve just had the holidays, but we’re back, nobody’s on vacation anymore. Like, hopefully you have some engineers there who are working on building this. And anytime that there’s, like, a zero-day vulnerability, right? Something that is, as Apple describes it, actively exploited, right? Actively exploited in the wild, you expect that Apple should be right on top of that, and they’re not doing that here. So the reason that we bring this up: 11 million SSH servers vulnerable to Terrapin attacks, you may not realize that your Mac might be one of those servers. So that’s why we bring this up. If you have Remote Login enabled for your Mac, and you also have that port exposed to the internet, either because maybe you’ve got your Mac directly connected to the internet, that doesn’t usually happen, but it can happen in some cases, or if you’re forwarding that port through your router, then it’s entirely possible that somebody could be trying to hack into your Mac right now and they could be successful. So just something to be very careful about until Apple finally patches this by including the latest version of OpenSSH.
What are “zombie cookies” and how can hackers use them against me?
Kirk McElhearn 7:01
Okay, if you don’t understand what Josh just explained, you probably don’t have this turned on, and you don’t need to worry about it. Probably. Okay. So you have, I don’t want to call it a crusade, a mini crusade, you’ve been on a mini crusade in recent months about session cookies. A session cookie is a file on a computer that indicates you’re logged in to this service on this account. And if you go back later in a web browser and open a new page, you don’t have to sign in again. It’s a shortcut, right? To enable you to not have to go through the hassle of signing in, maybe getting two-factor codes, etc. These can be stolen by malware. But new malware has been discovered that can actually, I guess, get zombie cookies and bring them back to life. Can you explain this?
Josh Long 7:45
Sure. Yeah. So let me back up just a little bit. So yes, the reason why I’ve been bringing this up for many months now is because over the course of the past year, we’ve seen an increase, a really significant rise, in stealer malware. So sometimes they’re really just focused on, you know, stealing cryptocurrency wallets. But other times they gather other data as well from your browser, such as your cookies. And that might not sound so bad, if you assume that cookies are just, like, something that websites use to store some information about how you’ve interacted with that website. But cookies can also be session cookies that keep you logged in to that website, as you were talking about. So that’s where things get a little sticky. Because if you’ve got malware on your machine, it has full access to just grab those cookies and send them off to a third party, to whoever designed that malware. Right? They can take those cookies from your computer and reuse them on their computer to be signed in as you. They don’t need to know your password. They don’t have to have access to your two-factor authentication. They can just sign in just by having a copy of those cookies, which sounds really crazy. Like, why is it that in 2024 we still have that ability to just grab a cookie and log in as you from anywhere else in the world? In this particular case, this zombie cookie that they’re talking about has to do with Google services. So if you suspect that some attacker may have gotten access to your Google account, and remember, there’s lots of different things all tied to your Google account, then you might go to change your password. And you might assume that that would lock out all the bad guys. But the problem is, developers of some of the stealer malware have actually found that it’s possible in some cases to stay authenticated, to continue to maintain that access, even after the legitimate user has changed the password on their account.
So there are ways to continue using those cookies after the fact. Now, Google has known about this since October at this point and still hasn’t fixed this problem, which, that’s kind of a big deal. Again, this speaks to the same thing that I keep harping on for months. This is a major problem that the whole industry really needs to take much more seriously, because stealer malware is out there. It’s all over the place. And it’s only going to continue to increase this year.
Kirk McElhearn 10:24
I was just thinking about earlier, you said that Apple still hasn’t updated OpenSSH. What if an update comes out just after we finish recording the podcast, which has happened several times in recent weeks? I’m gonna bet it doesn’t happen. I’m gonna bet this doesn’t get updated for weeks.
Josh Long 10:40
No, I don’t think that Apple’s probably going to update it for a while. You know, it’s really frustrating, because this is something that, as a security researcher, right, like, I try to shout it from the rooftops and let everybody know about this. But unfortunately, my reach as a security researcher does not necessarily go all that far. It’s really hard for some reason to get news sites to pick up on stories like this. Like, this is a big deal that everybody should be talking about. And it’s not something that really gets a lot of mainstream coverage.
Kirk McElhearn 11:11
Okay, we’re gonna take a break. When we come back, we’re going to talk about Apple security and privacy in 2023. There was a lot of stuff there.
Voice Over 11:20
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection; NetBarrier, powerful inbound and outbound firewall security; Personal Backup to keep your important files safe from ransomware; and much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma and the latest Apple Silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the Special Discount Link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users, made by the Mac security experts.
What were some of the most important Mac security stories of 2023?
Kirk McElhearn 12:36
Okay, so it’s a new year and we like to look back at the old year, don’t we? It’s kind of a habit to think of a year as a self-contained unit, right, that from January 1 to December 31 everything happens in that period, and then we start over again. It’s not really the case. But it’s a good way to look at the trends in Apple security and privacy. We have a very long article on the Intego Mac Security blog, “Apple Security And Privacy In 2023: The Year in Review.” Next week, we’ll be talking about malware more specifically, that affects Macs and Apple devices. We’re going to talk about some of the issues that came up last year in 2023. Not all of them. This is quite a long article. Where do you want to start, Josh? What’s the first one that really stands out for you?
Josh Long 13:17
Well, I think one of the first things that we’ve got to talk about is the LastPass data breach. So technically, the service was hacked in August 2022. But as the months rolled on, it became a lot more evident that there was a bigger issue than what LastPass initially disclosed. And so by January, we pretty much knew that the LastPass data breach was a really big deal. There were actually user password vaults that were compromised. And they weren’t using very good security, in some cases, to protect some of those vaults. So between a combination of weak security that they were using on the back end and a number of other factors, and especially if you were using a weak password on your vault, well, now bad guys have access to your vaults, and they may have already, you know, if you had cryptocurrency and you had credentials for that in your LastPass vault, well, that’s probably long since gone at this point. So ever since then, we’ve had to tell people we don’t recommend using LastPass. They’ve made too many mistakes. There have been a couple of things in the past too. And this was the last straw. Like, we just can’t recommend LastPass anymore.
Kirk McElhearn 14:30
“The last straw for LastPass”. Good one, Josh. You mentioned cryptocurrency but I think just as important is if they have the credentials for your email account, which would allow them to reset passwords on accounts and take over your account that is just as serious.
Josh Long 14:44
Right and not to mention, you could have your bank account credentials and all sorts of other things in your LastPass Vault. So if you’re still using LastPass at this point, we highly recommend that you consider switching to a different password manager.
Kirk McElhearn 14:59
So for your bank accounts in the States, do you just have a username and a password and a second factor because here, everything uses a hardware device or some sort of advanced additional factor. For example, one of my accounts, I have a little, it’s a calculator size thing, and I put a bank card into it, and I tap a bunch of things, and it comes up with a code that I enter. So a username and password wouldn’t be enough to get into any of my bank accounts here in the UK.
Josh Long 15:24
Yeah, I think probably pretty widely most banks require some sort of second factor, but it doesn’t necessarily have to be a hardware dongle or something like that. It could just as easily be Google Authenticator, or some other authenticator app or even text messages. Yeah, a lot of banks still do that.
Kirk McElhearn 15:44
Okay. So the first thing I want to talk about is another one of Josh’s crusades, the Apple Watch Series 3 that Apple was selling, even after it was no longer supported for security updates. And to be fair, they were only selling refurbished units from that point, but it went on for about six months.
Josh Long 15:59
Right. Yeah, so Apple was still selling new units for quite a while, even after basically, I call it, the last update to watchOS 8. And there technically was, like, one other update that patched one vulnerability last year. But essentially, at this point, there have been a number of in-the-wild, actively exploited vulnerabilities that will permanently affect the Apple Watch Series 3. And Apple continued to sell that Watch as a refurbished unit all the way through March of last year. And at that point, it had been, yeah, many, many months since the last time they ever released a security update. And that means that they missed a whole bunch of even actively exploited vulnerabilities. So if you do have a Series 3, I strongly recommend that you upgrade to some newer model, probably not the Series 4, because Apple might cut off updates for that model this year.
Kirk McElhearn 17:00
Okay, one thing that Apple did, we’re still only in January, there was so much stuff that happened last year, we’re going to skip ahead, but I just want to briefly mention that Apple added support for hardware security keys for your Apple ID account. Not everyone needs this. In fact, most people don’t. But this is a really good security feature, that if you need that extra protection for your Apple ID account, you’ve got to have that dongle, basically a little USB key, or some of them work with NFC on a phone. Really great feature that Apple added. One of the other interesting things that we saw on this is in February, Apple launched Advanced Data Protection for iCloud. Again, not for everyone. But it added end-to-end encryption on the services that hadn’t had end-to-end encryption previously, which meant that the data can only be decrypted on trusted devices, which meant that Apple had no access to it, which meant that if you lost your password, you might lose a bunch of data that Apple might have been able to recover previously.
Josh Long 17:52
Right. So this is basically a good, you know, security and privacy feature. But you do have to take extra responsibility with this. Another point about Advanced Data Protection for iCloud is, if you still had some older devices that were logged into your Apple ID, it would prevent you from turning on this new feature. So you actually needed to make sure that you didn’t have any old devices that were still logged into your Apple ID in order to enable Advanced Data Protection.
Kirk McElhearn 18:21
So in March, we talked about how passkeys had increased in popularity, and a passkey is what will eventually replace a password. You don’t have to remember it. It authenticates you through a biometric device that you’ve authenticated in another way. When we first started talking about this, I think the only service I could find here in the UK that was using passkeys was eBay. And I’ve seen more and more now. But I still get the problem: if I log into eBay on a different device, it doesn’t know I have a passkey and asks for a username and password. We’re getting on a year later, because Apple started supporting passkeys in early 2023. I’m not seeing as many services supporting passkeys as I expected. And I’m not seeing that robust passkey experience where a site like eBay always knows that I’ve got a passkey linked to my account.
Josh Long 19:13
Right? This is much slower adoption, I think, than a lot of people expected. You know, for something that is supposed to replace passwords, like, you would think that everyone would be all over that, right? Doesn’t that sound great? We don’t have to use passwords and memorize things or put them in a database anymore. Like, if we could just use passkeys, ah, it would solve so many problems. But it just doesn’t seem like it’s taking off, really. Part of it may just be that service operators are seeing that there’s not a lot of people who are really clamoring for them to enable passkeys. I think most people just don’t even know what a passkey is, what it is, what it means. And so, you know, it’s just not something that a lot of sites are adopting just yet.
Kirk McElhearn 19:56
But one thing that’s confusing is Microsoft has what they call “passwordless” authentication, but that uses a Microsoft Authenticator app. It’s not a passkey. For example, if I want to buy something on my Xbox, it tells me to verify that I am me in the Authenticator app. And it gives me a two-digit number. The Authenticator app gives me a dialog with three different two-digit numbers, and I’ve got to tap the right one. So Microsoft isn’t going into passkeys, which they could. So I think that that’s slowing it down. Now, Apple added passkey support for Apple ID accounts, which is good. But still, I think, you know, when we first talked about this a year ago, we were both really excited that this was a relatively simple process. It wasn’t complicated, even on the back end, right. And it was relatively compatible, but it’s been a lot slower than expected. So scammers have been sending emails for years, for decades now, if you think about it, to try and get you to click on links and give up your credentials. And some of them are, you know, pretty rudimentary, with bad grammar and spelling and ugly graphics. But they’ve started using legitimate services, in particular Intuit’s QuickBooks app, to send invoices to you that say, well, you owe the money for this invoice, and if you disagree, call us on this number, etc. The problem is that Intuit isn’t really doing anything about it, that people were setting up accounts with QuickBooks generating these invoices, and Intuit’s just looking the other way, saying not our problem, right?
Josh Long 21:25
You might remember we talked about this on the podcast way back then, about Best Buy Geek Squad invoices is what some of them looked like. But they may impersonate other services as well. But the whole idea is to pretend that you have some charge with some company that you don’t do business with. And you’re like, that doesn’t seem right. And it’s a little bit too much money for me to just let this slide. So I’d better follow up on this and try to get out of this payment. And so in reality, it’s a scam. But it probably got to your inbox because they’re using a legitimate service, an invoicing service, that’s basically whitelisted by all of the major email providers like Gmail. It probably went straight to your inbox, unfortunately. And so that’s why scammers are now using these legitimate services to send their fake invoices. By the way, a couple months after this article was published, we found that other services such as PayPal were also being used to spread these types of scams, these fake invoice scams.
Kirk McElhearn 22:28
So in addition, we’ve had a lot of phishing this year that’s gotten much more efficient. As I mentioned, it used to have bad spelling and grammar. But now scammers are using AI tools to create phishing emails, and it’s a lot harder to tell the bad ones from the good ones.
Josh Long 22:43
Exactly. Yeah, it’s really easy to prompt, you know, just about anything like ChatGPT or similar services. You can basically just say, hey, I work for whatever company and I need to send a message to all of my users saying that they need to reset their password, right. And it’ll produce a nice, well-written email, and you just swap out the name of the company with the one that you’re trying to pretend to be. And now you’ve got a perfectly good-looking phishing email with no grammar or spelling mistakes. And you can even ask the AI chatbot to translate that into other languages, if you know that some of the people you’re targeting speak a different language natively. And of course, it’ll do all that with perfect grammar in those languages as well. So yeah, it’s becoming a lot harder to detect some of these types of phishing emails, just because the bad guys are figuring out how to use AI tools to their advantage.
Kirk McElhearn 23:42
So in May, Apple released their first ever Rapid Security Response patches. Now, I kind of thought that this was going to be something that we’d see often. And I think there have only been two of these updates issued in the entire year. So these came out with the 2022 operating systems, but there were no updates issued until May. So they issued one Rapid Security Response update. And then there was another one in July that they had to call back and reissue, so they’re kind of batting one for two there. I expected this to be a common thing. Now, there are still other security updates that happen in the background, Apple’s XProtect, which is a sort of rudimentary scanner for some types of malware. But I expected these Rapid Security Response patches to be, well, rapid, like for the SSH thing we talked about in the first half. That’s months out of date.
Josh Long 24:34
Yeah, exactly. I think Apple had some good intentions here, right. They wanted to make sure that they could patch some things that were, like, a big deal, being actively exploited in the wild, right, and patch them as quickly as possible, hopefully avoiding a reboot if possible. Well, so far we haven’t seen a Rapid Security Response that didn’t require a reboot. So they’re basically just like every other patch in that sense, and maybe not quite so rapid. The one thing that’s rapid about it is that it doesn’t seem to be as well tested. And that was kind of the problem with them in 2023. And that may be the reason why we haven’t seen a Rapid Security Response for some time at this point. You know, Apple had good intentions, they wanted to patch things quickly. But they tried to go a little too fast, and it didn’t work out very well for them.
Kirk McElhearn 25:24
So Apple made a big change in June of last year. Previously, if you wanted to install beta software for Apple’s operating systems, you had to pay $99 a year for a developer account. So last year, they decided to allow anyone who wanted to install beta operating systems to do so without paying for a developer account, on your Mac, your iPhone, your iPad, your Apple Watch, Apple TV, HomePod maybe, I’m not sure. You might want to be on the cutting edge. But you can always lose data on your devices, because this is beta software. And so if you’re thinking about it, well, I don’t know, be careful. We have a link in this article to an article talking about how to install beta software and whether you should. If you don’t need it, don’t install it. So in September and October, as usual, all the new operating systems came out. And we have a couple of articles on the Intego Mac Security blog talking about the security and privacy features that are in these operating systems. And you can get to them through the links in this article. But you’ve been using these operating systems now for three months, probably. So you might have found them all. If not, have a look at our article, you might see something that you haven’t discovered yet.
Josh Long 26:29
And this is a good time to remind everybody that only if you’re on the very latest operating system, whether it’s macOS, iOS, iPadOS, etc., or watchOS, you want to make sure that you always stay on the latest version, because that’s the only way that you’re going to get patches for all the vulnerabilities. Apple does release patches for the two previous versions of macOS and sometimes for previous versions of iOS, but they’re not as complete as they are for the current operating system. So good time to remind people about that as well.
Kirk McElhearn 27:02
So another one of Josh’s mini crusades, I want to make a list of Josh’s many crusades, because he’s got about a half a dozen of them. And this one’s about scammy and dangerous apps in Apple’s App Store. And Apple has always said that the App Store is secure. You don’t want to get apps from third-party stores, you only want to get them from us because we check them out. And there are lots of scammy apps. And Josh has been paying a lot of attention to a couple of people who’ve been researching this. A lot of these are in Asian countries, many of them are loan apps. So we’re talking about financial things going on here.
Josh Long 27:31
Right. And some countries don’t have quite as strict regulations on things like loan apps. And so it’s much more common in countries, for example, like India. Loan apps, basically everybody uses, it seems like, and so there’s a lot of them out there. And if you search for loan apps in these countries, the App Store is a little bit different depending on the country where you’re located. And if you search for loan apps in those countries, typically some of the top results are actually going to be scam apps. And sometimes they even buy ads. And well, it takes a long time sometimes for Apple to kick these out of the store, even with independent researchers reporting these to Apple, going directly to their contacts at Apple and saying, hey, this is a scam, here’s all the evidence for it, take it down. And sometimes it still takes Apple some time to do it. So this is a really unfortunate thing. We’ve seen this also with other types of apps. It’s not just loan apps. We saw, for example, there’s a lot of examples of rip-off, kind of look-alike ChatGPT-type apps that, some of them even say ChatGPT in the screenshots. And if you’re not looking really carefully, you may not realize that these are just apps that leverage ChatGPT’s API, but they sometimes will charge you money for things that you shouldn’t be paying a third party for in order to use OpenAI’s ChatGPT service. And there’s a lot of other things like that as well. So you do have to be careful. And this is really sad, because at one point, we were telling people, you know what, you can trust the things in the App Store. And lately, I just have to tell people, you know, still be careful. The App Store is probably a safer place to get your apps than most places, but you still have to be careful.
Kirk McElhearn 29:18
Okay, there’s a lot more in our article “Apple Security and Privacy in 2023: The Year in Review.” There is a link in the show notes. Next week, we’ll be talking about malware that affects the Mac, iOS and iPadOS. Until next week, Josh, stay secure.
Josh Long 29:31
All right, stay secure.
Voice Over 29:34
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.