Category Archives: News

S3 Ep34: Apple bugs, scammers busted, and how crooks bypass 2FA [Podcast]

[06’13”] Duck’s “breathtaking” hairstyle.   [08’26”] Apple patches a raft of serious security holes.   [18’36”] Police arrest eight suspects in an online scamming ring.   [31’36”] We explain how WhatsApp messages from hacked accounts are helping cybercrooks bypass 2FA.   [37’36”] Oh! No! of the week.

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Apple patches dangerous security holes, one in active use – update now!

We’ve seen several news stories talking up some great new features in Apple’s latest software update for iOS, which was released yesterday.

However, we’re much more interested in the security patches that arrived in the update to iOS 14.6, because Apple fixed 38 significant bugs, covered by 43 different CVE bug numbers.

For what it’s worth, the update to macOS Big Sur 11.4 shared many of those bugs with iOS, as well as adding a raft of its own, with 58 significant bugs patched, covered by 73 different CVE bug numbers.

Perhaps even more importantly, one of the Big Sur bugs that was patched, now dubbed CVE-2021-30713, is a security flaw that is already known to criminals and has already and quietly been exploited in the wild.

In fact, this exploit was only recently reported to Apple after lurking unnoticed in Mac malware known as XCSSET that dates back to last year.

Ironically, this bug exists in a system component called TCC, short for Transparency Consent and Control, a part of macOS that is supposed to make sure that apps don’t do things they aren’t supposed to.

According to security researchers at Mac management software company Jamf, this bug provides a sneaky way for a simple AppleScript utility with no special permissions at all to “leech off” the permissions of an already-installed app.

Usually, malware that blindly ran an AppleScript utility to record your screen would cause a giveaway security warning to pop up asking you if you wanted to let the malware go ahead.

Unless and until you clicked through into the Security & Privacy page in System Preferences, and manually approved the malware by adding it to the list of apps allowed to record your screen, the cybercrooks would be out of luck.

Jamf researchers, however, realised that by judiciously inserting the malicious screenshotting AppleScript utility into the application directory of software that already had Screen Recording permissions…

…they could then launch their AppleScript under the assumed authority of the so-called “donor” app and take screenshots covertly without any warnings popping up.

The researchers used Zoom as the “donor” app in their research article, but noted that the average Mac user is likely to have numerous screenshot-ready programs already installed, such as Discord, WhatsApp, Slack, WeChat, TeamViewer and many others. This trick is not limited to Screen Recording permissions, either, so other installed apps could be “piggybacked” too. This means that an attacker could invisibly acquire unauthorised access to other permissions such as Location Services, Photos, Camera, Microphone, and files and folders that would otherwise be off-limits.
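If you want to check your own Macs for this kind of piggybacking, the two questions to ask are “which apps currently hold the Screen Recording permission?” and “have any of those app bundles been tampered with?” The script below is an added example written for this article, not Jamf’s or Apple’s code. It assumes the Big Sur layout of the TCC database (a table called access with columns service, client, client_type and auth_value, where 2 means allowed), the service name kTCCServiceScreenCapture, and the system database path /Library/Application Support/com.apple.TCC/TCC.db; reading the real database needs Full Disk Access for your terminal, and the sample rows in sample_connection() are constructed so the script also runs on a non-Mac. The tamper check relies on the fact that an applet dropped into a “donor” bundle is not part of that bundle’s signed resource seal, so codesign verification reports it.

```python
"""
Added example (not Apple's or Jamf's code): list the apps that hold the macOS
Screen Recording grant in the TCC database, then check that each of their
bundles still passes code-signature verification.

Assumptions not stated in the article: Big Sur's TCC schema (table `access`,
columns service/client/client_type/auth_value, allowed = 2), the service name
kTCCServiceScreenCapture, and the system TCC.db path below. Reading the real
TCC.db needs Full Disk Access. Rows in sample_connection() are constructed.
"""
from __future__ import annotations

import shutil
import sqlite3
import subprocess
import sys
from pathlib import Path

SYSTEM_TCC_DB = Path("/Library/Application Support/com.apple.TCC/TCC.db")
SCREEN_CAPTURE = "kTCCServiceScreenCapture"
AUTH_ALLOWED = 2        # auth_value in the Big Sur schema: 0 = denied, 2 = allowed
CLIENT_BUNDLE_ID = 0    # client_type: 0 = bundle identifier, 1 = absolute path


def open_tcc(path: Path = SYSTEM_TCC_DB) -> sqlite3.Connection:
    """Open the TCC database read-only; never hand-edit TCC.db."""
    return sqlite3.connect(f"{path.resolve().as_uri()}?mode=ro", uri=True)


def sample_connection() -> sqlite3.Connection:
    """In-memory stand-in for TCC.db with constructed rows (only the columns we query)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        (SCREEN_CAPTURE, "us.zoom.xos", 0, 2),                # Zoom: allowed
        (SCREEN_CAPTURE, "com.tinyspeck.slackmacgap", 0, 2),  # Slack: allowed
        (SCREEN_CAPTURE, "com.example.declined", 0, 0),       # asked, user said no
        ("kTCCServiceMicrophone", "us.zoom.xos", 0, 2),       # a different service
    ])
    return conn


def allowed_clients(conn: sqlite3.Connection, service: str = SCREEN_CAPTURE) -> list[tuple[str, int]]:
    """(client, client_type) pairs that are currently granted `service`."""
    rows = conn.execute(
        "SELECT client, client_type FROM access WHERE service = ? AND auth_value = ?",
        (service, AUTH_ALLOWED),
    )
    return sorted((client, ctype) for client, ctype in rows)


def bundle_path_for(client: str, client_type: int) -> Path | None:
    """Resolve a TCC client to its bundle on disk via Spotlight (macOS only)."""
    if client_type != CLIENT_BUNDLE_ID:
        return Path(client)
    if sys.platform != "darwin" or shutil.which("mdfind") is None:
        return None
    hits = subprocess.run(
        ["mdfind", f"kMDItemCFBundleIdentifier == '{client}'"],
        capture_output=True, text=True, check=False,
    ).stdout.splitlines()
    return Path(hits[0]) if hits else None


def seal_intact(bundle: Path) -> bool | None:
    """
    `codesign --verify --deep --strict` exits non-zero when sealed resources were
    modified or unexpected files were added to the bundle; None if codesign is absent.
    """
    if shutil.which("codesign") is None:
        return None
    proc = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", str(bundle)],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0


def audit(conn: sqlite3.Connection) -> list[dict]:
    """One record per Screen Recording grant: who holds it and whether its bundle still verifies."""
    report = []
    for client, ctype in allowed_clients(conn):
        bundle = bundle_path_for(client, ctype)
        report.append({
            "client": client,
            "bundle": str(bundle) if bundle else None,
            "seal_intact": seal_intact(bundle) if bundle else None,
        })
    return report


if __name__ == "__main__":
    conn = open_tcc() if SYSTEM_TCC_DB.exists() else sample_connection()
    for entry in audit(conn):
        print(entry)
```

Any grant whose bundle comes back with seal_intact set to False deserves a closer look, and so does any grant for an app you don’t recognise; the same query works for other services (kTCCServiceMicrophone, kTCCServiceCamera and so on) by changing the service argument.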

Other potentially serious bugs that are shared between iOS/iPadOS and macOS, and therefore necessitate that you patch your iDevices as well as your Macs, include:

  • RCE bugs in the handling of audio, image and 3D-modelling files. RCE is short for remote code execution, and it typically denotes a security flaw that can be triggered by an attacker who simply sends you a file to look at, without needing to login to your system first. RCE bugs in handling image or audio files are particularly dangerous because those files are commonly used in web pages, where your browser reads them in and processes them automatically even if all you do is look at a website.
  • RCE, cross-site scripting and data leakage bugs in WebKit. WebKit is Apple’s core web browsing engine, used whenever you open the Safari browser. In fact, on mobile devices, Apple requires all browsers to use WebKit, even those that usually provide their own web engines. Additionally, WebKit is commonly used by non-browser apps as a convenient way of displaying rich content such as manuals and help files. As a result, RCE bugs in WebKit may have far-reaching consequences and can’t be sidestepped simply by avoiding the use of Safari.
  • RCE and data leakage bugs in the kernel. Getting unauthorised kernel-level access is one of the ultimate prizes in a hacking attack, for the simple reason that the kernel controls the rest of the system. This includes determining which programs get to run, regulating access to memory and devices such as the camera and microphone, deciding which programs are allowed to open what files, and even keeping control over the Administrator account (root on Apple systems) itself.
  • An RCE bug in Apple’s network security code. This bug apparently exists in Apple’s implementation of TLS, short for transport layer security, the protocol that makes HTTPS possible and puts the padlock in your browser’s address bar. Apple says simply that “processing a maliciously crafted certificate may lead to arbitrary code execution.” What this seems to mean is that simply by browsing to a URL that starts with https://, a booby-trapped server could trick your iPhone or Mac into installing malware right at the very start of the connection process, before any web content even shows up.

Big Sur also gets patches against a whole raft of serious bugs, including RCE, in the smbx software, which is installed on Macs so that they can connect to Microsoft networks. (The letters SMB are short for Server Message Block, the original name for Microsoft’s file sharing protocol.)

Apple’s mobile platforms don’t include Microsoft-compatible networking code, so they aren’t affected by the smbx bugs, but iOS does get a patch for a Wi-Fi bug dubbed CVE-2021-30667 and explained with the words: “an attacker in WiFi range may be able to force a client to use a less secure authentication mechanism.”

We’re not sure what that means, but given that iPhones haven’t supported the old and insecure WEP protocol at all for many years, and that most iPhone wireless connections use WPA2…

…the only step down from there is “no encryption at all”.

What to do?

On iDevices, go to Settings > General > Software Update.

On a Mac, it’s Apple menu > System Preferences > Software Update.

If you’re already up to date, then the updater will say so; if not, it will offer you an immediate opportunity to catch up.

The latest versions to look out for at the time of this article [2021-05-25T12:00Z] are: iOS/iPadOS 14.6, watchOS 7.5 and macOS 11.4.

If you’re still using macOS 10.14 or 10.15 (Mojave or Catalina by name), you’ll be offered updates specific to those versions, and you’ll need to get Safari 14.1.1 as a separate update. (On Big Sur the new version of Safari is included in the main update.)

There isn’t an iOS 12 update this time, so that version stays at 12.5.3.

And, no, we didn’t forget our mantra: Patch early, patch often, because why be behind when you could be ahead?


Eight suspects busted in raid on “home delivery” scamming operation

Police in the UK have announced the arrest of eight suspected “home delivery” scammers in a bunch of early-morning raids across the south of England.

The aptly if not catchily named DCPCU, short for Dedicated Card and Payment Crime Unit, is the law enforcement group behind these busts.

As you can imagine, more people than ever are relying on home deliveries during the coronavirus pandemic.

Sadly, cybercriminals have been quick to join in, using the very simple but effective ploy of emailing or texting you to say that “your parcel couldn’t be delivered.”

Crooks join the home delivery revolution

As Naked Security readers have pointed out before, you don’t always know in advance which courier company an online vendor might use, so even if the crooks send you a fake message from a company you wouldn’t normally expect, it’s easy to fall for it.

You might think, “Well, I’ll check it out anyway, just in case,” as in this example that ripped off the well-known brand DHL:

Another way the crooks make the message seem more believable is to pick the name of a courier company that’s specific to your part of the world, giving their message a local touch that somehow makes it feel more likely.

Here’s one from last year where an innocent-looking text message redirected to a website tailored to the location of the person who clicked through.

In that case, the message was reported to us by someone in Canada, so the crooks presented them with this:

In the UK, the ripped-off courier company is very often Royal Mail, because of its brand recognition in Britain, but the crooks typically rotate through many different courier brands, or choose them at the time you click through, based on your location at the time.

The crooks only need a rough idea of where you live. Just your country is usually enough, and they can typically figure that out either from the phone number to which they originally sent the bogus text message, or from a rough idea of the internet service provider you’re using. For example, if you show up from an IP number (network address) that’s allocated to BT (formerly British Telecom), you’re probably in the UK; Telstra means you’re an Aussie; Telkom SA puts you in South Africa; and so on.

A little money goes a long way

The trick you see in the “pay page” above is very common: to set your mind at rest, the crooks ask for very little money, typically from about 99 cents up to amounts such as £1.49, €1.99 or, as shown above, $3.

The idea is that the modest fee sounds believable, and it might feel as though it’s worth the risk of paying out the money anyway, given that it’s only a few dollars, in case it is a real delivery and you miss out.

Of course, the crooks aren’t after 99c, or £1.50 or €2, and in all likelihood they won’t even try to process a payment against your account right away.

After all, after you’ve filled in the fake payment form on the fake site, the crooks have all your card data anyway, including the all-important three-digit security code (CVV) on the back.

So they can use your card to buy items for themselves later on, such as popular electronics products that they can sell online almost immediately and “cash out”.

Even if you get your money back in the end, the crooks still drain the value of the fraudulent transactions from someone, typically the merchant, who ends up not getting paid.

The scam gets worse

In the UK, and in many other countries, however, these scams rarely end with just a hack of your credit card.

In fact, the crooks may not try to charge your card at all.

Instead, they’re relying on the fact that, after a while, perhaps a few minutes or hours, or perhaps the next day, you will probably realise that you fell for a scam.

Then you’ll rush to cancel your card at your bank, and promise yourself to be more careful when clicking through to websites in future.

Believe it or not, this suits the scammers just fine, because they’re not after some money from your credit card; they’re after all the money in your regular account.

This is where their social engineering skills come in, because they wait a while, perhaps a few days or even longer, and then call you up pretending to be your bank investigating the fraud.

They are likely to congratulate you on reporting the scam and not getting suckered in beyond the original website…

…and then they use their gift of the gab to convince you to move your funds to another account, one that they have thoughtfully set up for you in advance.

They’ll tell you that this is because the account that was hit by the scammers needs to be shut down and investigated, or will give some other bogus fraud prevention “reason” that they’ll explain in the most positive and helpful terms.

Of course, the unfortunate victims that get drawn along this far often lose everything, because the premise is, after all, that the defrauded account needs to be shut down completely, which means that all the funds need to be shifted from it first.

LEARN MORE ABOUT SOCIAL ENGINEERING

Listen to our special-episode podcast with Rachel Tobac, a renowned social engineering expert, and give yourself the confidence and understanding not to get sucked into saying or doing the wrong thing online.

What to do?

  • Don’t click links in text messages from courier companies. Find your own way to the right website and start from there. It’s a little bit less convenient for genuine delivery messages, but that’s a small price to pay for not paying the huge price of clicking a fake link by mistake!
  • Don’t be in a hurry to enter card details on a website. Stop and check the website name and the site contents carefully first. The crooks don’t always make silly mistakes such as spelling errors, but often they do. If you spot it’s a scam up front, then you can simply bail out before you type any data into the site.
  • Don’t rely on the phone number that pops up when someone calls you. Telephone caller identification is insecure and can be faked by criminals. If a caller tries to convince you that you can definitely trust their identity by checking the number on your phone’s display, they’re lying and you can be sure they’re a scammer. Your bank will never make this claim because it’s not true.
  • Never call your bank based on a number you received in a message. If the crooks sent the message, you can be sure the number will just lead back to them and they will pretend to be the bank to continue the subterfuge. The crooks know which numbers they used for which scams, and prepare accordingly, so the answer you hear when the crooks pick up will sound perfectly believable.
  • Never transfer funds out of your bank account on someone else’s say so. Your bank will never ask you to do this. If they needed to freeze your account they could do so without processing a withdrawal first. If someone insists you need to transfer money as an anti-fraud measure they’re lying and you can be sure they’re a scammer.

We can’t emphasise this last point enough.

Your bank will never ask you to “fight fraud” by shifting funds from one account to another using a regular payment in your banking app, for the simple reason that that’s how frauds are committed, not how they are prevented!


Naked Security Live – Jacked and hacked: how safe are tracking tags?

Apple’s AirTag product has been hacked twice since its recent launch, in a pair of fascinating and informative stories that give you some great insights into how cybersecurity researchers think.

The good news is that you don’t need to ditch your AirTags if you already splashed out and bought some – these “hacks” don’t put your privacy at risk – and we explain why.

BTW, at the start of the video we also offer some sideline advice about instant messaging security, where the scams you get are easy to fall for because they often come from a friend whose account has been hacked.

Watch the video directly on YouTube.

Why not join us live next time?

Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.

We’re normally on air some time between 18:00 and 19:00 in the UK (late morning/early afternoon in North America).

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.

S3 Ep33: Eufy camera leak, Afterburner crisis, and AirTags (again) [Podcast]

We look into an unnerving case of mixed-up video feeds. We warn you against “going rogue” when you can’t get the download you want from the regular place. We explain how Apple’s new AirTag product got hacked (again).

With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

