The Mac Security Blog

Intego Mac Security Podcast

Patches, Data Breaches, and Too Many Messaging Protocols – Intego Mac Podcast Episode 339

Posted on by

Both Apple and Microsoft have patched a lot of security vulnerabilities in updates to their operating systems. A new scam uses AI to put the squeeze on victims. Info from a years-old AT&T data breach has been made public and data from 10s of millions of users has been exposed. And Apple has said that the RCS messaging protocol is coming to its operating systems later this year. Just how many messaging protocols is too many?

  • From the Department of Spending Tim Cook’s Money: Online Photo Storage Is Surely Expensive to Offer, but Apple Should Offer More
  • Behind the scenes at Scary Fast: Apple’s keynote event shot on iPhone and edited on Mac
  • Microsoft’s biggest Patch Tuesday in history: 147 vulnerabilities, 2 actively exploited
  • A ‘Law Firm’ of AI Generated Lawyers Is Sending Fake Threats as an SEO Scam
  • Google Chrome Adds V8 Sandbox – A New Defense Against Browser Attacks
  • AT&T data breach exposes 70 million records; here’s how to protect yourself
  • Sunbird, the security nightmare that tried to bring iMessage to Android, is returning
  • Beeper was just acquired by Automattic, which has big plans for the future of messaging
  • Beeper & Texts – Matt Mullenweg’s blog

    • If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.

    **Intego Mac Premium Bundle X9** is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you’re ready to buy.

    **Get Apple security news delivered straight to your inbox, for free.** Intego’s twice-monthly newsletter will keep you informed about Apple-related privacy and security, along with tips and tricks for getting the most out of your Mac or iPhone. Subscribe for free—no strings attached.

    Transcript of Intego Mac Podcast episode 339

    Voice Over 0:00
    This is the Intego Mac Podcast—the voice of Mac security—for Thursday, April 11 2024.

    This week’s Intego Mac Podcast security headlines include: A comparison of the number of patched security vulnerabilities in the most recent updates to Apple and Microsoft operating systems. A new scam doesn’t want your money or personal info, but it does want your eyeballs. We’ll explain how it uses AI to put the squeeze on victims. Info from a years-old AT&T data breach has been made public and data from 10’s of millions of users has been exposed. And Apple has said that the RCS messaging protocol is coming to its operating systems later this year. Just how many messaging protocols is too many? Now here are the hosts of the Intego Mac Podcast. Veteran Mac journalist, Kirk McElhearn. And Intego’s Chief Security Analyst, Josh Long.

    Kirk McElhearn 1:00
    Good morning, Josh, how are you today?

    Josh Long 1:02
    I’m doing well. How are you, Kirk?

    Kirk McElhearn 1:04
    I’m doing just fine. Are we going to launch a new segment of the podcast called iPad watch as we’re waiting for Apple to release iPads or even announced an event to release iPads.

    Josh Long 1:15
    You know what? I just want to push iPads kind of out of my mind because I’m otherwise I’m gonna go out of my mind. Because I’m so tired of Apple not releasing iPads at this point. It’s it’s, it’s not even funny anymore.

    Kirk McElhearn 1:30
    Hey, listeners, I’ll tell you a secret. Josh doesn’t even use an iPad.

    Josh Long 1:33
    No, I don’t. But I am one of those people that everybody goes to for advice on technology. And I’ve had several people talk to me over the past several months and even just in the past week, asking me when’s Apple come out with a new iPad? Like, I really need a new iPad. Josh, what should I get? Which one and I’m like, don’t get any of them. They’re all really old at this point. And Apple’s probably going to be releasing some soon. So I’m tired of it.

    Kirk McElhearn 2:00
    So two possibilities. One as the rumors have been talking about May or early May mid May late May keeps changing, or just waiting until WWDC because maybe as I’ve been thinking, there’s something new in the entire iPad wine that merits a long explanation from Johnny down in the CPU basement at Apple.

    Josh Long 2:17
    Well, maybe I don’t know, we’ll see. In the meantime, though, if you want to get an Amazon Fire tablet, and they’re not terrible. I mean, they won’t be able to run any of your iOS apps. But if you if really, you’re just kind of using it as a web browser. And you know, watching streaming video, there’s a lot of the major streaming video apps are available on Amazon’s App Store. So, you know, maybe get that in the meantime. But honestly, at this point, I think Apple’s probably releasing new models next month, so maybe wait a month if you can.

    Apple’s iCloud free storage tier is likely not enough for some iPhone users

    Kirk McElhearn 2:53
    Okay, we’ll check back next week. We want to open with a story about iCloud. Now, we talked last week about this class action suit that a bunch of people had watched about iCloud storage being insufficient, even insufficient for backing up devices, which means that you have to pay that extra 99 cents a month to be able to backup your iPhone, which is a little ridiculous. John Gruber had an article today entitled, from the Department of spending Tim Cook’s money. online photo storage is surely expensive to offer. But Apple should offer more. And he’s pointing out how both Google and Apple charge for online storage and the fact that that five gigabytes. Even if it’s not big enough for backing up your device, it’s not big enough to store a lot of people’s photos and videos. And he points out in the article that a lot of iPhone users aren’t even shooting in 4k because they don’t have enough storage, either on their devices or in iCloud. 4k video at 60 frames per second. Now let’s face it, you don’t really need for kids 60 frames per second 30 is fine, but it takes up 440 megabytes per minute, that’s 26 gigabytes per hour. You can’t put that on an iPhone very easily. If you’ve got a bunch of other stuff. I mean, if you’ve got 128 gigabyte iPhone, you might have enough room for 26 for one hour video. Of course, you’re maybe not going to shoot in our video. But imagine you’ve got a kid’s birthday party, you’re going to be shooting a number of videos during the day, that could be an hour, an hour and a half, two hours. Not only might you not be able to keep it on the phone, you might not be able to put it up to iCloud unless you pay for additional storage. Remember that a lot of people don’t have Mac’s to be able to offload the videos, and they have to go through the cloud.

    Josh Long 4:34
    Right? And these are all good points. I mean, Apple does advertise that the iPhone 15 shoots up to 4k 60 frames per second and well you’re not gonna be able to shoot a lot of video at that resolution and frame rate. At the same time. You know if you’re actually a professional and you really need to shoot in 4k at 60 frames per second. You’re probably going to be attaching an external storage device now I know the average consumer not doing this right like that. That’s kind of silly. But even Apple when remember, they filmed one of their keynote presentations using an iPhone just to show off how beautiful the picture is that you could actually do this on an iPhone. And they used external storage. If you watch the behind the scenes video, the scary fast event on October 31, behind the scenes, it’s scary fast Apple’s keynote event shot on iPhone and edited on Mac. And of course, they used external storage.

    Kirk McElhearn 5:27
    And it wasn’t just one guy holding an iPhone, it was a complicated rig with a gimbal, and whites and storage and everything like that. But the point is, imagine, so your kids birthday party and your brother in law was there and you’re showing off your iPhone 15 Pro, and he says, I heard he can shoot 4k at 60 frames per second. And you go into settings you watch and you shoot for about 30 seconds and all sudden it stops because there’s no room. But this is what people might want to do because they’ve seen ads that say you can do it with an iPhone. Okay, in the department of vulnerabilities, Microsoft’s biggest Patch Tuesday in history, what’s the number?

    Josh Long 6:01
    147 vulnerabilities, and two of them were actively exploited. And also, I think there were 60, some remote code execution vulnerabilities too. So a lot of really serious vulnerabilities in this round of updates this month. Now that’s across Microsoft’s entire software product line. So this is not just windows, this is other products included in that as well. By comparison, Apple has had some similar big numbers in the past, most of the time when Apple patches a ton of vulnerabilities. It’s with a point oh release of an operating system. We were just kind of looking back at the last few Mac OS versions when they came out. And as of right now, the Mac OS Ventura 13.0 release notes say that they patched 156 CVE. So these are vulnerabilities with individual numbers assigned to them. And there were other security issues, of course that they patched besides that, but it’s pretty rare for Apple or Microsoft to patch these giant numbers that are around 150 vulnerabilities at a time. So that’s kind of a big deal. So if you know people and you probably do, who are using Windows, remind them to check for Windows updates because there’s a bunch of vulnerabilities that just got patched.

    How is AI being used by internet scammers?

    Kirk McElhearn 7:17
    Okay. Sometime last year, I talked about how I got an email address to a website that I managed saying that I was using some copyrighted images, and that I had to pay the person who owned them a certain amount of bitcoin, obviously, it was a scam. And we discovered that the same message have been posted as comments to a number of websites. There’s a new scam that’s coming out, which is a and I’m going to use the 404 website’s headline a quote law firm of AI generated warriors sending fake threats and SEO scam. So this one is saying the same thing. It’s talking about that you’ve got some, you know, copyrighted images, and it says we’re reaching out on behalf of the intellectual property division of a notable entity, a notable entity in relation to an image connected to our client. They’re not asking for money, they’re not asking for Bitcoin. What they’re asking is that the user put a clickable link beneath the photo to a website called I won’t mention the name, but it’s like some cheap website that’s hawking whatever kind of scam or whatever, or the law firm will take action, so the law firm is not real. And the pictures of the lawyers are AI generated, you know, they could have just taken pictures off of LinkedIn.

    Josh Long 8:23
    Yeah, well, that’s a fair point. But this seems to be a something that we’re gonna see a lot more of right? People using AI-generated photos to make things seem more plausible, people using ChatGPT, or similar tools to write the text of these scam messages, basically. Because if even even using ChatGPT proper, like, you don’t necessarily have to go to some designed for bad guys version of it, you can actually tell ChatGPT, hey, I’m a lawyer. And I need to send a letter on that sounds like this that talks about these points to to somebody who’s violating copyright law. So write this letter for me, and it will do that for you. Because it doesn’t know that you’re actually a fisher, who’s trying to scam people. So the idea behind this, it sounds like is they’re trying to just increase their own search engine placement by getting a lot of prominent websites, or high ranking websites to link directly to them to this actual scam site or malware site, or whatever it is they’re trying to push. Search engine optimization is this whole thing that we don’t have time to get into. But basically, this is one of the ways that you can convince Google that you have a prominent site is if you get a whole bunch of high ranking sites to link directly to you. So that’s what this particular version of the scam is all about.

    Kirk McElhearn 9:49
    You know, my website doesn’t get a lot of traffic. I don’t really publish new content on it and I haven’t in years I publish links to all the articles I publish my podcast episodes, etc. So Several times a week, I get offers to buy links for old articles or guest articles, which would include links to services. So it’s not even they’re looking for high traffic websites or high authority websites, I guess they’re just trying to get the top million websites in the world. Because it’s a pyramid, right? Once you get down below, people get very few hits. But this is extremely common. This is something that as you say, every incoming link adds to the value of a website.

    Josh Long 10:29
    By the way, I noticed something the other day. So you know how I’ve been researching a lot of scam apps and things like that in the App Store. So I happened to notice that in the web version of these App Store listings, Apple will link back to the homepage and privacy policy of the original company. And when Apple is putting these links on their website, I noticed that Apple is not using a nofollow tag for these links. So it means that these sketchy apps are able, if they can get into the app store, they can link back and sort of get apple.com to promote their sketchy websites. I hadn’t really thought of this before. But this is kind of a problem. And maybe if somebody’s in Apple’s listening, you might want to do something about that you should really be using nofollow links when you’re linking back to these companies home pages.

    Google further secures its V8 browser engine

    Kirk McElhearn 11:21
    Okay, in other security news, and I have no idea what this means Google Chrome adds V8 sandbox, a new Defense Against browser attacks. Can you explain this in two minutes?

    Josh Long 11:30
    All right, well, so V8 can mean a lot of different things. It’s a beverage that’s based on eight vegetables. It’s also an eight cylinder engine configured in a V shape. But V8 is also a special engine that’s used by the Google Chrome engine and other chromium based browsers. And so each web browser has kind of its own rendering engine. So the main one that’s used by Safari, Apple’s Safari browser, is WebKit. And the main one that’s used by Google Chrome is called Blink, which is actually a fork of WebKit, meaning they took WebKit and kind of made their own version of it several years ago, I think it was in 2013. But they also have another engine that Chrome uses, which is called V8 and V8 is the engine that’s specifically used to render JavaScript and web assembly. And this VA engine has been exploited in live real world attacks many times over the past couple of years. You might remember that several times last year, we talked about these Chrome’s zero day vulnerabilities that were being actively exploited. They had to patch the browser and all the other chromium based browsers had to patch as well. And some of those vulnerabilities were vulnerabilities specifically in the VA engine. So what Google is doing is they’re putting a sandbox around it. And so basically, they’re trying to mitigate all of these attacks all in one fell swoop so they don’t have to worry and issue these emergency patches quite so often, because they’ll already be sandboxing or putting these things in a specialized container. So they can’t do bad stuff on your system.

    Kirk McElhearn 13:12
    Okay, I’m a bit slow here. If it’s that easy to do, why didn’t they do it before?

    Josh Long 13:16
    That’s a great question. I don’t know. But I’m happy that they’re at least going to start sandboxing in Chrome now.

    Kirk McElhearn 13:23
    Okay, we’re gonna take a break. When we come back, we’re going to talk about a huge data breach that affects 70 million people in the United States and more.

    Voice Over 13:33
    Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple Silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.

    AT&T data breach from years ago has become public

    Kirk McElhearn 14:49
    So Josh is your mobile phone contract with AT&T?

    Josh Long 14:54
    I have used them actually for a work phone in the past but it was many many years ago. I think it was More than 10 years ago at this point.

    Kirk McElhearn 15:01
    So you’re not one of the 70 million people whose data has been exposed in a huge data breach of AT&T’s records.

    Josh Long 15:09
    Not that I know of, although now you’ve got me wondering, because how many really old records? How far back does it go? Yeah. Okay. Well, we should back up here for a moment and say that there was a big data breach at 18 T. And apparently this may have happened, the actual breach may have happened somewhere around 2019. But the leak of this big dump of data about AT&T Customers happened in August 2021. So it’s been a while since this happened. But a couple of weekends ago, this data that was previously only available from a bad guy selling it on the dark web has now been available on the public Internet. And so now it’s back in the news. And there’s a lot of really sensitive data here that got leaked.

    Kirk McElhearn 15:55
    And AT&T just issued a press release talking about this. So this isn’t something that people discovered and the company didn’t want to talk about. This is something that the company, I guess, had to announce, because it became public. And people knew that this data was out there.

    Josh Long 16:10
    Right. And just to give you an idea of how severe this data is, it includes full names, email addresses, mailing addresses, so probably your home address, phone numbers, dates of birth, 18 T account numbers, okay, that might not be such a big deal and pass codes, which I think means the pins associated with your account, that could be bad if someone’s trying to compromise your 18 T account for some reason. But the worst of all, is social security numbers, which that’s a big deal in the US because you generally can’t change those, like no matter how many data breaches your social security numbers appeared in, you can’t change it. And so it’s kind of a problem.

    Kirk McElhearn 16:50
    AT&T says that the dataset appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders, and approximately 65 point 4 million former account holders. Does that mean they’ve lost 65 point 4 million people since 2019?

    Josh Long 17:07
    Well, possibly, or maybe it includes data on people like me, who had a work phone many, many years ago, and maybe they still had my records. Gosh, I really hope not. Now, I’m worried because I hadn’t even really thought about that until you brought this up.

    Kirk McElhearn 17:21
    Okay, we have an article on the Intego Mac Security blog. And it talks about checking the website haveibeenpwned, which we’ve mentioned often, I hope that after we finished recording, you check that website with that previous work address out of curiosity to see if your data is there. Because, again, it’s not just the email address, it’s all the rest. It’s important. So if haveibeenpwned has that address that means that your entire life history is in the state of reach.

    Josh Long 17:45
    Very interesting. Yeah, I’ll have to check that out. I suspect that my information is probably not included in this data dump. But I’ll double check just to make sure.

    Who is Automattic and how do they plan to get into the messaging business?

    Kirk McElhearn 17:53
    Okay, now we’ve talked a lot last year about messaging iMessage. And the fact that on Android people aren’t happy because the bubbles the wrong color. But we have two messaging stories. sunbird, the security nightmare that tried to bring iMessage to Android is returning according to nine to five Google sunbird had some sort of workaround to try and get iMessage to work. And then they stopped and then they’re coming back. But at the same time beeper, which is the one we talked about several times, with this saga of them introducing a way to get around Apple System to register numbers, or maybe to have you register numbers from a Mac you own to get it to work on your Android phone, Apple shut it down. It’s been acquired by Automattic. Automattic is the company that owns WordPress, and Automattic previously, bought a company called texts, or text.com, which was another messaging app last year. And together they have As The Verge says, big plans for the future of messaging.

    Josh Long 18:50
    Okay, well, I know this is a little confusing, because we’re kind of talking about two different companies at once. But the whole idea behind this is that there are companies out there that still really think this whole lack of iMessage on Android is a big problem, which kind of confuses me, because we know that iOS 18 is going to include RCS support, which is Google’s secure, encrypted, you know, text messages standard that they use from Android to Android. Now, we’re gonna have that in iOS 18 coming out later this year. So I mean, like, is this Come on? Like, really? Are we really that worried about getting blue bubbles and being included in the iMessage ecosystem?

    Kirk McElhearn 19:33
    So Automattic is an interesting company. It started out very slowly. And it basically powers the web with, you know, a huge number of large websites running on WordPress, and lots of others running wordpress.com. It owns Tumblr, and it’s acquiring more and more things. And one of the things that Matt Mullenweg, who runs Automattic said that he wants to create a great private, secure and open source messaging client for people to have control of their communications. Now that made me think about something Why can we not send messages to and from different devices and different apps? It’s like, can you imagine if we couldn’t call each other using different phones, like if you had an iPhone, you couldn’t call someone an Android phone. Or if you couldn’t call someone on a landline made by another company, it really seems like and maybe RCS is a solution. But it really seems like there needs to be one protocol that everyone agrees on, that provides the basic secure messaging service for text and video and photos and audio and all that. If the apps want to add additional features, that’s fine. As long as they don’t prevent people from sending and receiving messages with other apps.

    Josh Long 20:39
    I feel like this is kind of a non issue because we can call each other, we can text each other. You know, if you’re concerned about your text messages not being delivered securely, there’s lots of services for that. There’s signal there’s WhatsApp, there’s, there’s all kinds of things out there.

    Kirk McElhearn 20:56
    But that’s the problem. Everyone you want to communicate with has to use the same app, you can’t just communicate from one app to whatever they’re using. Let me give you an example. I know someone who has an iPhone, and who communicates with someone who has an iPhone, but doesn’t, it doesn’t work, right, and the other person can’t get messages to work. So they end up sending SMS is. And when the first person sends photos to the second person by SMS, they are charged at a very exorbitant rate. Because when you send photos over SMS, they’re treated as what they call them. MMS is multimedia messages, and they’re not in your plan. So that confuses everything. And when someone does that they’re not paying attention to whether the bubble is green or blue. They’re just sending it because they’re used to sending photos.

    Josh Long 21:41
    Yeah, that’s a fair point. I guess. If if you’re paying per text, then yeah, that’s more of a concern for you individually. I think for a lot of people, though, I feel like this is kind of a non issue. And it’s going to be even more of a non issue, especially when we get RCS as a built in thing and the Messages app on iPhones. So assuming that that all actually happens in iOS 18, that we’re making the kind of assumption about that, because Apple has said that it’s coming later this year. And well, we know we’re getting iOS 18 later this year. So it kind of makes sense. The timing of it makes sense. But at the same time, Apple also said that they’re trying to push for better security and the standard rather than using Google’s proprietary extensions for RCS, so that’ll kind of has to line up with when Apple plans to release RCS messaging on iPhone. In any case, once all this actually happens. We have RCS on iPhone, and it’s interoperable with Android. Whenever that exactly happens, then I feel like we’re past the point where we need to worry about blue bubbles, at least your messages are secure. At least you don’t have to worry about your videos being downscaled and blurry and getting charged for those text messages.

    Kirk McElhearn 23:01
    I mean, okay, but can I send messages from Messages on my iPhone to someone else using Telegram, Signal or WhatsApp? That’s what I want. I want this all to work together, right? I want all of these apps to work together. (Okay, but why do you want that?) WhatsApp is very popular here. I don’t want to use WhatsApp. It’s a hassle. I don’t need multiple messaging apps. And so I can’t participate in WhatsApp conversations for people who have Android don’t have iMessage and use WhatsApp. And you talk about Signal because it’s more secure. But if I can’t send from messages to Signal, then I’ve got a download Signal as well. And I’ve got to have telegram just in case someone uses Telegram. And I’ve got to have I don’t know how many other messaging apps. And that’s the problem, there needs to be one common protocol that every app can use.

    Josh Long 23:49
    Well, okay, I can see the argument. At the same time, I feel like that adds so many, like unnecessary complications to all of these messaging services. Net, now they’ve got to have support the same standard that everyone else uses. Now, I also recognize that there is a little bit of an issue here that we haven’t really touched on in this conversation, which is that on Android, you can set a default messaging app, you can’t do that currently on an iPhone. So you’re kind of stuck with if all your SMS messages, your RCS messages, and you’re well in the future. And your iMessage is all go through the one apple Messages app on your iPhone, and you can’t switch to something else by default. So if you wanted to have everything come into WhatsApp, nope, sorry, you can’t do that. Now maybe the EU is going to force Apple to do that. At some point. I would not be terribly surprised if that eventually happens. I don’t know this. This I feel like this is overly complicated. I do agree that it’s kind of annoying that you’ve got to download different apps if you want different people to message you. But at the same time I feel like it’s it’s potentially problematic to cut to force all of these companies to use the same standard and be fully interoperable with each other, because then you don’t get the advantages that are platform specific that for example, iMessage has and for example, maybe Threema has that better than the others, the better than the competitors.

    What is remote code execution?

    Kirk McElhearn 25:18
    Okay, we want to talk quickly about a critical RCE bug. I don’t know what an RCE bug is, you’re putting a lot of things in the show notes. I don’t know anything about. It’s in 92,000 D link NAS devices, and they’re exploited in attack. So NAS is a network attached storage device. D link is a company makes all sorts of network devices. What’s an RCE bug?

    Josh Long 25:36
    Okay, well, RCE is the thing that I mentioned earlier related to the Microsoft patches this week that I mentioned, there was 60, something remote code execution vulnerabilities.

    Kirk McElhearn 25:46
    Why didn’t they put that in the headline, remote code execution that says something?

    Josh Long 25:51
    Probably because RCE is three letters. And this is a nerd site that we’re linking to. (Okay, okay.) Okay. I think they’re making the assumption that you know what RCE stands for, but they do explain it in the article. (So, okay, I’ll remember it next time.) Okay, so remote code execution vulnerabilities are pretty severe. And basically, the problem here is that a lot of people have their Internet of Things devices and other things on their network that are directly attached to the internet, either plugged into a device that’s connected directly to the internet, or if it does go through a firewall, like your router, maybe they have port forwarding turned on, so that you have the ability to from somewhere else in the world, connect to your home network and get to the files on your network attached storage in this case. So the problem is that these devices are no longer getting any firmware updates, or, which means no longer getting security updates. There are known vulnerabilities, they’re being used in active attacks in the wild. And now these devices are being infected with malware, and are being used as part of a botnet basically. And so this is really potentially problematic. Now, I don’t imagine that probably a large percentage of our audience has one of these particular network attached storage devices, and hasn’t directly connected to the internet. But this is something that’s worth paying attention to, we talk all the time about how important it is to make sure that your routers firmware is up to date. So that you’re you’re getting security patches for it. But any device on your network that’s accessible from the public internet also needs to be patched to. And that could include things like network attached storage devices, which you might be using to backup your Mac, you know, you might be using it for time machine backups over your network, for example, or something like that.

    Kirk McElhearn 27:43
    Network attached storage devices are interesting. They’re mini computers that generally run a version of Linux or a proprietary operating system that’s based on Linux. And for many years, I had a Synology NAS and I could run WordPress on it, I could host a WordPress website on it, which would be accessible to the public internet using a dynamic DNS. So if you have something like that, and the device can be attacked, it could take over the site. And you know, it doesn’t hack the site to change the way it works. It puts some pages deep down into some directories, the kind that are used for phishing attacks.

    Josh Long 28:16
    Right. And this, by the way, this happens a lot. I’ve done a lot of research into these types of attacks over the past couple decades, probably. And it’s very common to see good sites that are compromised by attackers. And then sometimes they actually do infect the whole site, meaning that you might land on a page from a Google search result and then get redirected to something malicious. But in other cases, like Kirk was talking about there, you sometimes have sites that are deeply kind of embedded and you only know that exist, if some malicious site redirects there. And so you may have no idea that your WordPress site from the year 2000, which for some reason you haven’t patched for all that time, is now getting infected and disturbing malware or sending people to scam sites or things like that.

    Kirk McElhearn 29:07
    Okay, that’s it for this week. Until next week, Josh, stay secure.

    Josh Long 29:11
    All right, stay secure.

    Voice Over 29:14
    Thanks for listening to the Intego Mac podcast, the voice of Mac security with your host, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like or review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.

    About Kirk McElhearn

    Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn. View all posts by Kirk McElhearn →