With SMS-based two-factor authentication no longer free on Twitter, we discuss the more secure and free way of protecting your account using an authenticator app. We also look at new details about Apple’s latest security updates, Windows on M-series Macs, and a WhatsApp warning about reused phone numbers.
- Update Now: Urgent fix for macOS Ventura 13.2.1, iOS 16.3.1 resolves major vulnerability
- Microsoft officially blesses Parallels as a way to run Windows on M1, M2 Macs
- How to Run Windows 11 for Free on an M1 or M2 Mac
- Accidental WhatsApp account takeovers? It’s a thing
- An update on two-factor authentication using SMS on Twitter
- How to Set Up Two-Factor Authentication on Twitter
- Scam Authenticator App Steals QR Codes
Transcript of Intego Mac Podcast episode 280
Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, February 23, 2023.
This week’s Intego Mac Podcast security headlines include: Apple has clarified the security and privacy features of its latest operating system updates; running Windows on a modern Mac just got a little easier; thanks to Twitter, more people are hearing about two-factor authentication over SMS, authenticator apps and security keys. We break down the security pros and cons of each; and speaking of authenticator apps, of course, there are scam authenticator apps. We’ll tell you about just one of them. Now, here are the hosts of the Intego Mac Podcast, veteran Mac journalist, Kirk McElhearn. And Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:54
Good morning, Josh, how are you today?
Josh Long 0:56
I’m doing well. How are you, Kirk?
Apple posts information on the security and privacy fixes contained in its recent operating system updates.
Kirk McElhearn 0:59
I’m doing fine. Let’s start by talking about some new information that Apple gave us about old security updates. Now, this isn’t uncommon that this happens. But I seem to recall you when talking about these recent updates, saying Apple didn’t tell us anything about this. And we don’t know. And we don’t know the CVE numbers. And yet there they came again, giving us another reason to talk about the update because now they’ve told us more about it.
Josh Long 1:20
Yeah, it’s kind of funny. So last week, we talked about how Apple released macOS Ventura 13.2.1 and iOS 16.3.1. And we got a couple of other updates that Apple just didn’t tell us anything about, which were tvOS and watchOS updates. We finally got information about those updates on Monday of this week. So an entire week later, they finally added the details about what was patched in those updates. And the same vulnerability, by the way, was also patched for the new Ventura and iOS 16 updates as well. So they went back and added an additional entry to those security release notes.
Kirk McElhearn 2:05
So what do we need to know about this hidden security update that is now unhidden?
Josh Long 2:10
Okay, so for this particular update, they say that processing a maliciously crafted certificate may lead to a denial of service. They say that this issue was addressed with improved input validation. So it’s a little bit vague. They do say that a Google Chrome person reported this to Apple. So my guess is that, like you were saying last week, this is probably one of those coordinated disclosure things. Maybe there was a particular certificate issuer that had a problem that they needed to fix. And so maybe, you know, Apple and Google and other companies had to wait until that issue was fixed before they announced this, because they didn’t want bad guys to go fishing and try to figure out what exactly this was and how they could exploit it. In any case, this was patched across the board in all of the Apple updates last week.
Kirk McElhearn 3:04
So let’s talk about these certificates for a minute. A certificate is basically a cryptographic signature that proves that a website is a website that it’s supposed to be or an app is made by a certain developer. If this is a web certificate, are these cached on servers around the world, in the sense that when the certificate is updated, it takes time to propagate. So could that be a reason to delay talking about this vulnerability?
Josh Long 3:30
Well, I don’t think it would be something related to any kind of caching concerns. I think what may have happened is there was a particular certificate issuer that had some problems; somebody was able to exploit a vulnerability in their website and create malicious certificates that appeared to be from a legitimate company. I mean, we really don’t have a lot of information. So it’s hard to say we can only really speculate, but I’m guessing it was probably something along those lines.
Kirk McElhearn 3:55
Were there any other fixes that we weren’t told about?
Josh Long 3:59
Well, yeah. So we just got 16.3.1 last week, and the previous release was 16.3. And it turns out that there were some interesting new things revealed about 16.3. There were three vulnerabilities about which Apple added entries in the 16.3 release notes. They say there was a crash reporter issue, there was an issue where an app may be able to execute arbitrary code out of its sandbox with certain elevated privileges, and….
Kirk McElhearn 4:29
Wait, wait, wait. Can you translate that into English? “Execute arbitrary code out of its sandbox with elevated privileges”?
Josh Long 4:36
Yeah, as a matter of fact, there were two vulnerabilities, with nearly identical descriptions that both said the same thing. So a sandbox, when you’re talking about software technology, a sandbox is something that helps to contain an app or some programming code, so that it’s separated from the rest of the system. So the rest of the system is protected from anything that that particular app might try to do. This also means that that app has limited access to other parts of the system in terms of readability of other things. So it won’t be able to, well, like sandboxed apps on the Mac, for just one example. They can’t have access to your Downloads folder unless you specifically grant that permission. That’s one example. And same thing with the Documents folder. And there are a number of other things that a sandboxed app can’t do by default, unless you specifically grant it permission. So what Apple said that these vulnerabilities allowed for was that arbitrary code could be executed out of its sandbox or with certain elevated privileges. So basically, that means that a maliciously crafted, maliciously designed app could use some things that it wasn’t supposed to be able to do, could access maybe parts of the system that it wasn’t supposed to access, or it had extra privileges, things that a normal app from the App Store is not supposed to be able to do.
Kirk McElhearn 6:09
Right. So arbitrary code doesn’t mean just random code. It’s just shorthand for saying, well, any code, the app can do anything. And execute means run. So basically, an app can do things outside of the sandbox, it can get out of its fetters and mess around in the operating system.
Josh Long 6:33
Right. And, you know, it’s kind of funny, because we’ve recently been talking about ChatGPT, and how people have been able to jailbreak ChatGPT; they’ve basically been able to trick it into thinking that it is another AI called DAN, Do Anything Now. And they’re able to get ChatGPT to respond as though it is this other bot that can, you know, respond to anything without any restrictions. And this is kind of like that, it’s breaking out of the sandbox. In the same way that you can trick ChatGPT into breaking out of its sandbox, you can potentially have malicious apps breaking out of their sandbox and doing bad things on your device.
Kirk McElhearn 7:18
So the best example you gave of the Downloads folder is you don’t want any app to access your Downloads folder. And you grant permission to those which need to access the Downloads folder. And if another app, particularly something in the background that you’re not even aware of can access your Downloads folder, it can take files of yours and send them to a remote server, or as you like to say it can exfiltrate files.
Josh Long 7:40
Right, exactly. So obviously, this is something that we wanted to make sure was patched that Apple wanted to make sure it was patched. And so they did so. However, they took a little bit of time to finally explain the details of this. And I think that what they were doing is they were waiting for Trellix, the company that found these vulnerabilities, to finish writing up their blog post, which they just published. And so Apple went back and added these entries to the iOS 16.3 and other related security updates.
How to run Windows on M1 and M2 Mac processors.
Kirk McElhearn 8:09
Okay, this is mainly a Mac and iOS podcast. But we do talk about running Windows. Occasionally, we’ve discussed how you can run Windows on an M1 or M2 Mac. Now previously, with apps like VMware Fusion and Parallels Desktop, you could emulate Windows on an Intel Mac. But it’s different with the M1 and M2 Macs, because these are ARM-type processors. Now Microsoft has had an unofficial build of Windows 10, and then Windows 11, that you could get access to by joining the Insider Program. It all felt kind of seedy, like you’re going around the back of the bar and getting something from a guy, right? And yet it was legal to do, even though Microsoft is not, at least not yet, releasing a version of Windows for ARM processors. So Microsoft has, as Ars Technica said, officially blessed Parallels as a way to run Windows on M1 and M2 Macs. So you won’t have to go around the back of the bar to join the Insider Program and get the, you know, version of Windows that fell off the truck. But you’ll be able to do it the normal way. And what’s interesting is that they really only talked about Parallels Desktop. Now, when the M1 Macs came out, I used to use VMware Fusion; I need to use Windows very occasionally. And VMware Fusion did absolutely nothing to update for Apple silicon Macs, and I moved over to Parallels, which has worked since a couple of months after the M1 Macs came out. So it looks like Parallels, going forward, is going to be the best way to run Windows on an M1 or M2 Mac.
Josh Long 9:42
Right. That’s the official Microsoft-blessed app for doing this. Of course you can use VMware Fusion. I think one reason that Microsoft didn’t bless VMware Fusion is that they took a really long time to come out with compatibility for M1 and M2 Macs. It also might just be that Parallels has some deal behind the scenes with Microsoft. And maybe they’re paying Microsoft for kind of an official blessing or something like that. Who knows. Now it is possible to use freely available software to do this as well. We’ve talked about that before, that you can use an app called UTM, which is based on QEMU, which is open source emulation and virtualization software. So UTM is kind of interesting because it will also emulate Intel hardware, if you choose to run the Intel version of Windows on your M1 Mac. If you want to do that, that is an option with an emulator. If you’re just using a virtualization app that doesn’t do emulation, then you can only run Windows for ARM on M1 or M2 Macs. And you can’t run the Intel version of Windows, the standard everyday version of Windows that everybody uses.
Kirk McElhearn 10:57
Well, this could be leading to an officially commercialized version of Windows for ARM processors. If enough PC makers want to adopt ARM processors as well. There are lots of reasons they offer better battery life, among other things.
Josh Long 11:11
Right. And in fact, Microsoft actually has an official developer’s kit that you can buy, kind of like when Apple had sort of a developer kit that you could buy, if you wanted to start programming for the new architecture and test your apps before they were widely available to the public. Microsoft is doing exactly the same thing with an ARM-based PC that they’re offering to developers. So Microsoft is definitely looking at expanding to ARM, to being willing and open to do that, which is kind of interesting because historically there’s been this Wintel, you know, Windows and Intel kind of go together. Maybe Microsoft is expanding its options.
Is it possible that someone can take over your account because phone numbers are being reused?
Kirk McElhearn 11:54
So if you use WhatsApp, it’s possible that someone can take over your account because phone numbers are being reused. I’m not sure I understand this.
Josh Long 12:03
Okay. There’s a story on The Register: WhatsApp account takeovers. Yeah, it’s a thing, and they say blame it on phone number recycling. Yes, that’s a thing too. The story here is just that. It’s not that if you have always had a particular phone number that somebody else can get access to your WhatsApp account; it’s more that if, let’s say, for example, you switch phone providers, and you don’t have them move your phone number from your old provider to your new provider. And it’s just easier or costs less, or whatever the circumstance is, you just get a new number. In that situation, if you previously had WhatsApp with your old phone number, it’s theoretically possible, and in fact it has happened, where somebody has been able to recover access to a WhatsApp account using that old number, because WhatsApp knows that number, they can associate it with you, they can send you text messages to that number to sort of validate and verify that you really own that number. And the whole story is really based on that. So if you have a WhatsApp account, I guess probably what you would need to do, I suppose, would be to deactivate that account, and create a new account once you get your new phone with your new phone number.
Kirk McElhearn 13:22
So if you are changing phone numbers, for any reason, you should delete your account with WhatsApp or anything else that is phone number based, because phone companies reuse numbers sometimes as quickly as 90 days after you stop using them; some claim to take about a year. But what that means is that if you have anything linked to your phone number, and for whatever reason you have to change numbers, it won’t take long before the phone company gives that number to someone else. And people could be calling the old number thinking it’s you. And that could lead to all sorts of problems.
Josh Long 13:53
Right. The onus is on the user to make sure that they notify all of their contacts that their phone number has changed. That’s really important. And another thing that we should talk about in this context too, is that remember, SMS two-factor authentication, this is a good reason to not use that because if you change your phone number now somebody else is gonna get your SMS codes. That’s really not good.
Kirk McElhearn 14:16
Okay, let’s take a break. When we come back, we’re going to talk about two-factor authentication on Twitter and more.
Voice Over 14:23
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup, to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego, world-class protection and utility software for Mac users made by the Mac security experts.
How is Twitter planning on changing its two-factor authentication login procedure?
Kirk McElhearn 15:41
On Friday, February 17, Twitter announced that they will be turning off SMS-based two-factor authentication. Now interestingly, I’m going to link in the show notes to a Twitter blog article, An update on two-factor authentication using SMS on Twitter, dated Wednesday, February 15. This is a lie; this is revisionist history. This was announced on Friday, and users started seeing a pretty scary dialog on Saturday when they logged into Twitter saying that if they didn’t turn off two-factor authentication by March 20, their accounts will be disabled. This is not actually what’s going to happen. Twitter is going to merely disable two-factor authentication. But if you want to keep SMS-based two-factor authentication, you can pay for it with Twitter Blue, which costs, is it $8 a month or $11 a month now?
Josh Long 16:29
It’s just gone up to $11 a month this month.
Kirk McElhearn 16:32
Okay, so Twitter is telling you to use a less secure method of two-factor authentication, SMS, instead of using a more secure free method using authenticator apps. We’re going to walk through this whole process. But the most disturbing thing is that they’re inciting people to pay for services less secure than something they can get for free. I’ve been trying to wrap my head around this for, well, the better part of a week. And it really doesn’t make much sense.
Josh Long 16:59
Yeah, I agree. There’s a lot of weird things about this. One really good take on this came from Troy Hunt, who is the creator of haveibeenpwned, which is a website where you can put in your email address and find out whether it’s ever been in any data breaches. His thoughts were this; I’ve had a couple of people tweeting this at me. He sent a screenshot of the message, the scary message that people were getting. And he said, so let me give you two thoughts on it. Number one, making 2FA a premium service sends a bad message. Now that’s true, but it’s not exactly what they’re doing. And number two, putting a price on the weakest form of 2FA and keeping two much better alternatives free is good. That’s absolutely correct. I 100% agree on that. Now, the two much better alternatives that he’s talking about here: one of them is authenticator apps, like we’ve been talking about. And the other alternative is security keys. Twitter actually gives three different options; they’re taking away one option. And that option is the least secure of them, which is SMS. We’ve talked about this many times, about how if you have no other option, SMS is an OK way to do two-factor authentication. Or really, it should be called two-step verification. Because if you’re signing in on your phone, and you’re getting a text message on your phone, it’s, well, it’s not really a separate device.
Kirk McElhearn 18:27
It’s worth noting that uptake of two-factor authentication on Twitter is low: only about 2.6% of active accounts use this. This is as of December 2021, when Twitter published a security document. About three quarters of these use SMS-based two-factor authentication, less than 30% an authenticator app, and 0.5% use a security key. Now a security key is really for the people who need the ultimate security. It’s for presidents and top-level journalists and activists and all that. And we’ve talked about security keys recently, because Apple’s adding them to add additional protection to Apple IDs. So we really don’t want to suggest that anyone use that. But we do have an article on the Intego Mac Security Blog on how to set up two-factor authentication on Twitter, talking about using authenticator apps, or using the built-in Keychain on Mac, iOS and iPadOS.
Josh Long 19:16
Right. That’s actually something that I don’t think a lot of people are aware of. You hear about apps that are specifically designed as authenticator apps, right. You’ve got Google Authenticator, Microsoft Authenticator, Authy. There’s a number of other apps that do this. And password managers often will do this as well. They have built-in functionality. And when we’re talking about these authentication codes, these are codes that change every something like 30 seconds; you get a little timer that ticks down. It shows you how much time you’ve got left to use this usually six-digit code. You can use that code to prove your identity to whatever service you’re logging into. Again, this can show up in multiple different places; you can actually even have multiple authenticator apps that are all configured to show the same code at the same time.
Kirk McElhearn 19:58
Would they show the same code at the same time?
Josh Long 20:00
Yeah, they do.
Kirk McElhearn 20:02
I didn’t know that. See, one of the things that you don’t realize is that this time-based — this is called time-based one-time passwords — they have a life of 30 seconds, but the time has to be right on your device. So if your phone somehow is set to the wrong time, you won’t even be able to get a code to log in any place. Is that right?
Josh Long 20:27
Yeah, I think that’s actually true. I did recently kind of experiment with this. I didn’t actually try logging in using one of these bad codes. But I turned on an old device that I had authenticator apps set up on, that I haven’t wiped yet. And it’s in Airplane Mode. So it was in Airplane Mode before it shut off. It’s still in Airplane Mode now. And it has no access to the internet. It’s not syncing its time correctly. I noticed that the codes were not correct, they were out of sync, which is probably just because it’s not internet connected. It’s not synchronizing its time with a time server. And so it’s just off just enough that it’s not accurate anymore, and I wouldn’t be able to use those codes live, very likely.
Kirk McElhearn 21:14
One thing to point out about Twitter is that they could have offered email-based two-factor authentication. Now, when you verify your email address on Twitter, they send you a six-digit code by email to prove that you’ve got that email address. Elon Musk replied to a tweet saying that it was costing Twitter $60 million a year for scam SMS requests or something like that. And he said, Yes. It’s hard to imagine that email would cost anything, uh, you’ve got some bandwidth costs. You’ve got some, you know, processor time for service and stuff. But it’s essentially free. Why do they not assume that email is a usable alternative? That’s a lot easier than setting up this authenticator app. Because let’s be honest, you and I are comfortable with an authenticator app or a password manager, but the vast majority of people don’t understand why they need something else to be able to log into Twitter.
Josh Long 22:07
Yeah, this is a really good point, because a lot of services are actually doing this now. In fact, many times they give you multiple options; they’ll say, do you want us to send you a text message? Do you want us to call you? Do you want to use an authenticator app, if you’ve got that set up? Or should we send you an email to your registered email address? Any one of those options could work. Now, we’ve talked before about how there are some potential risks with email, in particular if you are logging into a service where the email address that you’re using to log in belongs to your company. So if you worked at Microsoft, and you have a [email protected] email address, for example, then if you were to use that, and then you no longer were employed by Microsoft, it’s theoretically possible that somebody in the IT department could still get emails that were addressed to you and could use that to log into an account that you were the only authorized user of, right. Generally speaking, when you’re logging into websites, it’s best to use a personal email address for this reason.
Kirk McElhearn 23:13
Just before the break, we talked about recycled phone numbers. So if someone gets a recycled phone number, maybe they can find out that the phone number is linked to a certain account, and then get access to that account. Of course, this is an edge case, it’s not like you’re gonna get 1000 recycled phone numbers to try them all out.
Josh Long 23:29
Right, right. So there’s phone number recycling, there’s potential in some cases for email recycling. It can also happen, by the way, if you have your own domain and it expires; the same kind of thing can happen, someone else can register your domain. And now they can get any emails that were addressed to you, and can use that potentially to log into your accounts. There are some problems with both SMS and email. Twitter is not allowing email as an option. I do feel like, as a free, simple solution that everyone can kind of understand, it would be nice if they did offer this. And well, they’ve got a little bit of time; they could add this as an option. But maybe they don’t have enough engineers on staff at this point to add that functionality.
Beware of scam authenticator apps
Kirk McElhearn 24:12
In any case, check out the article on the Intego Mac Security Blog about how to set up two-factor authentication. Now I want to briefly talk about something that’s happened in Apple’s App Stores. A scam authenticator app was stealing QR codes. Now, when you set up two-factor authentication with an authenticator app, you are often presented with a QR code that your device has to read. Of course, this is really easy when you’re on a Mac, and you’ve got the QR code, and you have to figure out how to get the QR code into the software on your Mac. Fortunately, there’s always a link to click if you can’t read the QR code, to get like a 16-digit alphanumeric code that you enter into your password manager or authenticator app. When they present a QR code on the screen like that, they’re expecting you to use your phone to be setting up the authenticator app on your phone. But if you’re on your phone already, how do you do it? That’s a little bit confusing. Anyway, a scam authenticator app in the App Store was stealing QR codes, which means that, technically, if they’ve got enough data about users and what their account names are, they could use those QR codes to set up two-factor authentication for themselves, rather than you setting it up, or they could set up two-factor authentication at the same time as you, because you can set it up on multiple apps and multiple devices.
Josh Long 25:27
Right. This is kind of a big deal. Like, how does Apple vet apps like this? Theoretically, maybe they had somebody who was doing the review process; maybe they created a new account, maybe they added two-factor authentication, and tested to see whether that basic functionality worked, right? Maybe they scanned a QR code with this illegitimate app, and found that the code that they got from it actually worked to log into the site. And I thought, Okay, well, it seems to work just fine. Now, some of these scammy apps were even using names of other apps, like Authy, for example. And so it would come up if you search for Authy, because they actually had that; somehow, they got away with putting that in the title of the app. That’s a really big problem. And something that we see a lot of on the App Store, where developers will give an app this really long, complex name. And they’ll sneak in some keywords there to try to get it to show up higher in search results, things that aren’t really part of the name of the app, but they’re just trying to cram as many keywords in there as they can, including sometimes ripping off other developers’, you know, trademarked names.
Kirk McElhearn 26:46
We’re going to link in the show notes to Michael Tsai’s blog. And Michael is a developer who’s been developing Mac apps for decades. And he has a wonderful blog with links to various people when they’re talking about issues. And he makes a comment about this issue. He says the point is not that Apple should have caught this, but that in general, they can’t. So they should not be claiming to keep you safe. And this is a real problem, because Apple does claim to keep you safe that the App Store keeps you safe. But this kind of behavior by apps is something they simply can’t catch.
Josh Long 27:17
And this is ammunition in the argument against Apple being the only app store provider for the iPhone and iPad. Right? If Apple’s not getting this right, and Apple claims to be doing it the best and, you know, we know better than anybody else. We know this whole process. We’ve got this down. We’ve been doing it for years, and anyone else coming in, they’re just gonna mess everything up. Well, you know, Apple, you’re not doing a perfect job right now, either. So,
Kirk McElhearn 27:44
Okay, that’s enough for this week. Now, I want to make you a bet. I bet that we will have something more to say about Twitter next week.
Josh Long 27:51
Okay. What do you think they’re gonna do? They’re gonna add email…?
Kirk McElhearn 27:55
They’re gonna do, they’re gonna do something dumb. I think, since Elon Musk has taken over Twitter, they’ve done enough dumb things that affect usability and security, things that we talk about for the reasons of, you know, security and privacy. And I bet they’re going to do something else by next week. Until then, Josh, stay secure.
Josh Long 28:12
All right, stay secure.
Voice Over 28:15
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software. Intego.com.
If you like the Intego Mac Podcast, be sure to rate and review it on Apple Podcasts.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.