HOW TO TURN YOURSELF IN
No audio player below? Listen directly on Soundcloud.
With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.
READ THE TRANSCRIPT
DOUG. Honeypots, patches and the passing of an icon.
All that and more on the Naked Security podcast.
Welcome to the podcast, everybody.
I’m Doug Aamoth; he is Paul Ducklin.
Paul, how do you do?
DUCK. Very well, Douglas.
Welcome back from your vacation!
DOUG. It’s good to be back… I do have a little surprise for you.
We start the show with the This Week in Tech History segment, and some weeks there are so many possible topics to choose from (just a little peek behind the curtain for everyone) that we have to go back and forth and decide which one we’re going to choose.
So I took the liberty of building a Topic Wheel that we can spin, and whatever topic it lands on…
…that’s the topic we discuss.
On the wheel this week, we have a ton of topics.
We’ve got the first computer convention, the Altar Convention in 1976; we’ve got the Melissa virus from 1999; we’ve got the first long distance phone call in 1884; the invention of the phototransistor in 1950; the unveiling of the UNIVAC in 1951; the first city to go to full electric lighting in 1880; and Microsoft Bob in 1995.
So I’m just going to give the wheel a spin, and wherever it lands – that’s the topic.
DUCK. This is Wheel of Fortune stuff, is it?
Wheel is spinning…
[FX: Click-click-click (gradually slowing down)]
DUCK. I know where I want it to stop, Doug!
DOUG. And it has landed on [EXCITED] the Melissa virus!
[FX: Dramatic chord]
It’s right in our wheelhouse….
DUCK. I was secretly hoping for Microsoft Bob.
Because we have spoken about it before, and it was a great opportunity for me to have a very slight rant/complaint, and to introduce Clippy.
But I can’t mention either of those again, Doug.
DOUG. Alright, well, the wheel has spoken.
This week, in 1999, the world felt the wrath of the Melissa virus, a mass-mailing macro virus targeting Microsoft Word and Outlook users.
The message emailed itself, along with a poisoned Word document, to the first 50 people in the victim’s Outlook contact list, while at the same time disabling protective features of both programs.
The Melissa virus was eventually connected to David L. Smith of New Jersey, who spent 20 months in federal prison and paid a $5,000 fine.
And Paul, you were there, man.
DUCK. [SIGHS] Oh, dear, yes.
This wasn’t the first mailing malware – we’ve already spoken about
CHRISTMAS EXEC haven’t we, which was 10 years before that, on IBM mainframes.
But this was a sign that now we were all connected, and a lot of us were using Microsoft Word with its macro programming language, and we were relying heavily on email…
…things could go a bit pear-shaped if there was a virus.
The problem was it wasn’t 50 people, it was the first 50 *addresses*.
Most people ,somewhere shortly after
Aamoth, Doug and
Aardvark, Christopher had somebody called, for example,
All Users, or something to that effect.
So, yes, it was an absolutely huge thing.
It had a Bart Simpson reference, didn’t it?
KWYJIBO. [FAKE SCRABBLE WORD ONCE USED BY BART SIMPSON]
DUCK. Occasionally it would actually stick that into a document, wouldn’t it?
David Smith fell foul of the law because he quite simply should have predicted the level of disruption that it caused.
So, as you say, 20 months in federal prison, and the beginning of a dramatic era of mass-mailing malware.
DOUG. Alright, let’s move from macros to Moore.
Rest in peace, Gordon Moore, 94 years young, Paul.
I had a strange conversation over the weekend when I bumped into someone over coffee and they said, “Oh, what have you been doing on the weekend so far?”
I said, “Actually, I’ve just been at work; I was writing an RIP, an In Memoriam piece for a very, very famous person in the IT industry. Gordon Moore has died at 94.”
And this person looked at me and said, “Oh, I’ve never heard of him.”
DOUG. [LOUD GASP OF DISBELIEF]
DUCK. And I said, “But you’ve heard of Moore’s Law?”
“Oh, yes, of course. Moore’s Law, I know about that.”
And I said, “Well, same Moore.”
And so I hope they rushed off to read the article!
I republished the graphs that he put in his original little piece that led to Moore’s Law.
That was before he founded Intel, actually.
DOUG. Yes, he was so much… more, if you catch my drift.
DUCK. [NOT QUITE AS AMUSED AS DOUG HOPED] Yes.
It’s a fascinating little paper.
It was published in… essentially in a popular magazine as a short piece – just a few pages in Electronics magazine in 1965.
It was almost jocular in that he was saying, “You know what we’ve noticed at Fairchild?” [COMPANY CO-FOUNDED BY MOORE BEFORE INTEL]
In 1962-63-64-65, if you take the number of transistors on the chips that we’re building each time (the chips are roughly the same size), and you take the logarithm base 2 of the number of transistors, and you draw a graph, you get a straight line.
Which means exponential growth.
In other words, you can’t just keep making the chips bigger and bigger and bigger because they start failing…
..you have to learn how to change the manufacturing process as well, so you can basically get more transistors in there.
And the paper is called Cramming more Components onto Integrated Circuits. [LAUGHTER]
Literally cramming more in.
And you see that, by 1975, 10 years into the future, it would suggest that you might have single circuits that could have as many as 65,000 (or 216) transistors on them, Douglas.
That was his theory about how we might innovate.
It didn’t quite work out like that… by 1975, he said, “It doesn’t look like the doubling every year is going to continue, but it could be roughly doubling every two years.”
And even though we haven’t quite doubled every two years, we’re not far off.
Because if you go from 1978, when the 8086 came out, that had about 215 transistors on it.
And 22 doublings (44 years) later, the Apple M2 chip came out, so that should have roughly 237 transistors on it, which is well over 100 billion.
Isn’t that impossible?
Not far off: 20 billion transistors on an Apple M2 chip.
Amazingly prescient, Doug.
Alright. The Windows 10 Snip & Sketch app has been patched, and the Windows 11 Snipping Tool has been patched.
DUCK. Just to revisit, in case you missed this story, this started with a bug in the Google Pixel photo cropping tool.
You could crop an image (a photo or a screenshot that you already had on the phone), and just hit [Save] over the original, and you’d get the brand new file…
…followed by the leftover content from the previous image.
Which you wouldn’t notice when you loaded the image back, because inside the data that was written back over the old file is a marker that says, “You can stop here.”
So a tester who cropped a file and loaded it back would find that it looked correct, but it potentially had left-over cropped data.
So it’s exactly the bug you don’t want, isn’t it?
And, of course, the bug was nothing specific to Google, or Pixel phones, or Android programming, or Java run-time libraries.
It turns out that some Windows image and screenshot cropping tools had exactly the same bug, albeit for different reasons.
What we don’t know, Doug, is how many *other* apps of this sort (they may not be image editors; they might be video editors or audio editors, or whatever) have a similar sort of problem.
If you go to Microsoft Store and you go and update your Snipping Tool, you will get a version that no longer behaves this way.
And if you have Windows 10, what’s it called there, Doug?
DOUG. Snip & Sketch.
I’m happy to report I do use the Snipping Tool all the time, and I’m happy to report that mine has been updated.
I didn’t do it manually, so it either got rolled into a previous update or was updated automatically.
But it’s always good to check.
DUCK. Yes, we put a link to Microsoft’s article about it, along with the new version numbers to look for, in the Naked Security article.
Because, Doug, I didn’t quite agree with Microsoft’s assessment of this.
I don’t know what you thought…
They said it was a low severity bug because, and I’m quoting, “Successful exploitation requires uncommon user interaction and several factors outside of an attacker’s control”.
And the problem to me with that statement is that this isn’t about someone attacking you or trying to trick you into revealing an image that you didn’t intend to.
The problem is that you’re editing the image specifically to remove something that you don’t want in there, and the data that you visibly had removed *did not get removed*.
DOUG. Speaking of removing things, we have something called [GRUFF VOICE] Operation PowerOFF.
Is it fair to call this a DDoS honeypot?
DUCK. I think it is, Doug.
It’s a multinational thing – as far as I know, at least the FBI, the Dutch police, the German Bundeskriminalamt, and the UK’s National Crime Agency are involved in this.
As far as I know, he idea is to try and provide what you might call “high pressure discouragement” to youngsters who think it would be cool to hang out on the fringes of cybercrime. [LAUGHTER]
It seems pretty well established that quite a lot of youngsters who want to dip their toes in the water of operating on the Dark Side tend to get drawn towards what are called DDoS (or booter, or stresser) services.
And these are pay-as-you-go services run by other crooks, where you can essentially take vengeance on someone’s website.
You don’t fling malware at it; you don’t try and hack into it; you don’t try and steal data.
So it kind of feels like a very low level of criminality: “I’m just paying to have a whole load of random computers around the world gang up on a website, ask for the homepage all at the same time and it won’t be able to cope. And that’ll teach them.”
And so, as you say, what Operation PowerOFF was about… was essentially a honeypot.
“Hey, are you interested in getting into booting and stressing? Are you toying on the fringes of cybercrime? Sign up here!”
And of course, you weren’t signing up with cybercrooks; you were actually signing up with the cops.
And after a little while, when enough people have signed up, then the site suddenly goes dead and then you get contacted…
…and you get to have, how can I put it, a “special discussion” [LAUGHTER], which I think is meant to dissuade you from doing this.
As funny as it might seem to you, neither the owner of the site, nor the police, nor the magistrates are going to find it amusing if you get hauled into court, because it does affect people’s businesses and their livelihoods.
And the other thing that the cops say that they’re keen to do is essentially sewing some kind of discord among the cybercrime community.
When you sign up for one of these dark web services, how do you know whether you’re signing up with fellow criminals, or with undercover cops?
DOUG. This is the danger of when people hear about botnets or zombie networks…
…maybe an old computer I have that’s unpatched, that’s turned on in my closet or whatever and I’m not really paying attention to.
If it can be leveraged into a bot network or a zombie network, it can be used for things like this.
Even though I don’t mean to, and I don’t want to take any site down, if I have an infected computer, it can be used for stuff like this.
That’s why, if you’re still running XP, if you haven’t patched your home router for three years…
…you are part of the problem, not the solution.
Because your computer or your router could be used in this way.
DOUG. On the subject of time-wasting, lest you think penetration testing is a waste of time, we’ve got a penetration testing win for e-commerce giant WooCommerce.
DUCK. Yes – fortunately, that’s the way round it worked.
They haven’t disclosed any real details about the bug, for obvious reasons, because then anyone who hasn’t patched… you’d be giving away the secret for people to jump in.
It sounds like an unauthenticated remote code execution where you could trigger some PHP script, and while you were about it, you could grab admin privileges on the site.
Now, if someone’s breaking into your WordPress site and they might then suddenly start putting up bogus links or printing fake news, that’s bad enough.
But when the WordPress site you’re talking about is in fact one that deals with online payments, which is what WooCommerce is all about, then it gets very serious indeed!
As you say, fortunately this was disclosed responsibly, and it was patched.
WordPress and the Automattic team (the people who run WordPress) were informed, and for most people, patches were pushed out automatically.
But it’s really important, if you run a WooCommerce site, that you go and make sure you’re up to date.
Because if you aren’t, there’s a possibility that crooks may come looking for this backdoor hole that allows them to get admin access.
And, of course, once they’re in, they can get all sorts of stuff, including hashed login passwords, and what are known as API keys or authentication tokens.
In other words, those magic strings of characters that you can put in future web requests that allow you to interact with the site as if you were pre-authorised.
DOUG. And how do we feel about the verbiage?
These passwords were salted and hashed, so “it’s unlikely that your password was compromised”.
How does that make the hair on the back of your neck?
Is it standing up or is it still lying down?
DUCK. You put it more dramatically than I was willing to do in print in the article, Doug… [LAUGHTER]
…but I think you’ve hit the nail on the head.
DOUG. Yes, I’m going to change my password just in case.
DUCK. Yes, they sort of said, “Well, the passwords were hashed.”
They didn’t say exactly how, and they didn’t give any details of how hard it might be to crack them by trying a massive dictionary against them.
And they said, “So you probably don’t need to change your password.”
Surely this is a very good reason to change your password?
The idea of hashing passwords is if they get stolen, the fact that the hashes do need cracking first, and that might take days, weeks or months or even years…
…it gives everybody time to go and change their passwords.
So I would have thought they’d just say, “Go and change your password.”
In fact, I was almost expecting to see those weird words “out of an abundance of caution”, Doug!
DOUG. Yes, exactly. [LAUGHTER]
DUCK. So I don’t agree with that.
I think this is *exactly* the sort of reason why you would go and change your password.
And, as you have said many times, if you have a password manager and you only have to change one password, it really should be quite a quick process.
The one thing WooCommerce did say, and this you absolutely must do, is this: you do need to go and invalidate all those so called API keys.
You need to get rid of those and regenerate them for all the software that you use that interacts with your WooCommerce accounts.
And WooCommerce have advice on how to do that; we’ve put the link in the Naked Security article.
And last, but certainly not least… I get great joy out of when you do this in a headline; you just say “Apple patches everything”, and you mean everything.
This includes a zero-day fix for iOS 15 users, as well.
DUCK. Yes, that was the curious part of it.
There are fixes for the three supported versions of macOS: Big Sur, Monterey, and Ventura.
There are patches for tvOS and for watchOS.
There’s even a patch, Doug, for the Apple Studio Display…
DOUG. [LAUGHING] Of course!
DUCK. …which is a cool, groovy screen, because it’s not just a screen, it’s got a webcam and all kinds of stuff in there.
You have to plug the screen in in order to apply the patch.
It basically downloads the firmware into your screen.
The bug in the firmware on the screen could allow a crook to reach into the operating system on your Mac and actually get kernel level code execution access.
DOUG. Oooh, that’s bad.
DUCK. That is pretty weird, isn’t it? [LAUGHS]
But the outlier, or the super-important update, was for iOS 15.
Those of you have older iPhones and iPads: their updates include a WebKit zero-day, a remote code execution attack that some crooks, somewhere, are already exploiting.
So if you’ve got an older iPhone and you’re running iOS 15, absolutely it is “Do not delay/Do it today”.
But I would recommend that for anything you’ve got that has the Apple logo on it.
Because, when you look at the range of bugs that they have (fortunately) proactively fixed, they do cover a wide range of sins.
So they include things like (as we said with the display) kernel level remote code execution; data stealing; the ability to send a boobyptrapped Bluetooth packet that then lets the attacker snoop on your other Bluetooth data; the ability to bypass Apple download quarantine checks; and an intriguing bug that just says “Unauthorized access to your Hidden Photos album”.
I’ve not used the Hidden Photos album, but I imagine they are the photos that you wish to keep, but you definitely don’t want anyone else to see!
DOUG. [IRONIC] Probably, yes. [LAUGHTER]
DUCK. The hint’s in the name, Doug. [LAUGHTER]
And also a bug relating to luring you to a booby-trapped website, after which your browsing habits might be tracked online.
So, lots of good reasons to apply the patches.
DOUG. Alright, and we’ve got a very powerful yet succinct comment, as it’s time to hear from one of our readers on the Naked Security podcast.
And at first I was very tickled by this comment, but then I got to thinking, “If you have a bunch of different Apple devices; if you’re an Apple person… it’s actually hard to track all these bugs.”
Paul, you do a very good job of just getting them all in one place for people to see.
And on this Apple article, Naked Security reader Bart comments, and I quote: “Thanks.”
DUCK. I would like to think of that comment figuratively, if not literally, as being two words, because it’s “Thanks. Excalamtion mark.”
DOUG. [LAUGHS] I did leave that out of the quote…
DUCK. As you say, it all gets a bit bitty on Apple’s site, because you click on one link and you think, “Oh, golly, I wonder what’s the important stuff here?”
So the reason for writing them up on Naked Security is to try and distill that information, of which there’s pages and pages and pages, into a list of links all in one place that actually gives you the version number you need after you’ve done the update (so you can verify that you’ve got it) *and* something that tells you, “Here are the really, really important things; here are the bugs that the crooks are already exploiting; these are the bugs that the crooks could have found, but fortunately, if you patch, you can get ahead.”
DOUG. Alright, thank you very much, Bart, for sending that in.
And if you have an interesting story, comment or question or… I suppose, in this case, an interjection you’d like to submit, we’d love to read on the podcast.
DUCK. [DELIGHTED] That is *exactly* the part of speech that it is, isn’t it?
DOUG. It is… an interjection!
It shows excitement or emotion. [LAUGHS]
DUCK. Or both!
DOUG. Or both. [LAUGHS]
You can email firstname.lastname@example.org, you can comment on one of our articles, or hit us up on social: @nakedsecurity.
That’s our show for today; thanks very much for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…
BOTH. Stay secure.