SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, or other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 115: A Cornucopia of Security Stuffing

Posted on November 22, 2018

We’re stuffed on security news this week, with a cornucopia of subjects to sort through in our discussion. We’ll be chatting about a major online retailer fumbling with some of your data just before the biggest shopping season of the year, as well as crypto-miners striking some surprising targets, and a founder of the Web as we know it trying to make the online world a better place. So, we hope you’ve saved room for seconds, because cooking up on this week’s list, we have:

  • A bit of an oops from Amazon,
  • Making a wish on crypto-coins (or vice versa),
  • And Tim Berners-Lee wants to save the day…

We talk all the time on The Checklist about data breaches, data leaks, data thieves, and practically any possible way someone could lose your information online — so these stories are rarely shocking or surprising. That doesn’t mean they aren’t interesting, though, and that’s the case with our first story for today. If you’re an Amazon customer, you may have recently received an email that left you with some questions. Let’s look at what that email was, what happened, and what it all really means for you.

A Bit of an Oops from Amazon

Shoppers started receiving emails from Amazon some time on Tuesday, and by Wednesday, publications such as CNET were reporting on what Amazon called an “accidental disclosure” of the names and email addresses of some of the online shopping giant’s customers. In the email, Amazon stressed that only names and emails were disclosed, and that there was no reason for customers to change their passwords — or to do anything, really. Furthermore, CNET reports that the technical problem was all on Amazon’s side and that there was no “hack or breach” that caused the information to be exposed deliberately.

So, Amazon said “Oops, sorry,” but not much else. They didn’t disclose anything about what went wrong, how many of their users had their emails exposed, or even where someone might have been able to view those emails. In other words, we know that something happened, that it was ostensibly minor, but also that it was important enough for Amazon to feel they should disclose the incident to their users.

Overall, this seems like a case of Amazon working to build trust with its users when it comes to the handling of their information. Since there are currently no clear-cut laws requiring immediate notification of such issues to users, the disclosure seems to have been made on Amazon’s own initiative. So, was anybody threatened by this? In other words, could something bad come out of exposing names and emails? If things happened as Amazon said they did, then the answer is “no.” If no one outside the company obtained or saw these emails, there’s virtually no threat. It’s simply a matter of accountability.

What about the fact that Amazon didn’t disclose the number of people affected — is that important? To an extent, yes. If only one, three, or even ten email addresses were exposed, that’s rarely a significant issue. If we’re talking about tens of thousands of email addresses, or even more, that’s a clearer problem. It would be good to know the real number, but Amazon has decided to keep the real numbers to themselves.

Long-time listeners know the importance of good security for user data. But will anyone really hear about it (aside from glancing at the email if they received one) or take action? CNET points out that the disclosure’s timing was unfortunate, given its proximity to Black Friday and Cyber Monday, but that’s also the thing — everyone is busy with the holiday and the subsequent shopping frenzy. Plus, although this is “a deal,” it isn’t necessarily a “big” deal. Could it be a black eye for Amazon? Maybe, but only if something else develops out of this story.

One example: Amazon said that affected users did not need to change their passwords or take any other corrective steps. A quick-thinking scam artist might see that and start sending out emails with a “Change Your Password” link that leads users to a phishing website. While that isn’t necessarily happening, it is one way the bad guys could try to use a situation like this to take advantage of those less savvy about their security. That’s why it’s such a good idea to always be on your toes!

Making a Wish on Crypto-Coins (or Vice Versa)

Sometimes, you have to wonder if the hackers out there are truly heartless. TheNextWeb reported that some baddies infected the official website of the Make-a-Wish Foundation with cryptocurrency mining malware. Yes, Make-a-Wish! Is nothing sacred? It’s hard not to wonder about that question after professionals from Trustwave, a security research company, discovered that the Foundation’s website was infected with a type of malware well-known to researchers. Called CoinImp, the malware uses malicious code to trick a visiting user’s computer into forking over processing power in the background. While the user browses the site, they’re unknowingly earning the hackers cryptocurrency.

We’ve talked about this issue a few times before on The Checklist, but it’s always a bit strange to encounter it — so let’s break down how this all works one more time. How can your day possibly start with merely visiting a website, and end with crypto-mining malware affecting your computer? There are a couple of things to unpack here. The most important distinction is that the site is not actually downloading or installing any malware on your machine.

CoinImp is just one of the services out there that uses specially crafted JavaScript to implement browser-based crypto-mining. In fact, CoinImp itself is not technically malware. It’s an open-source project that is ostensibly meant to be used as a way for websites to monetize their content and support operating costs without resorting to the use of advertising. Of course, this is a highly controversial move because it’s often done in the background without informing users; in this case with Make-a-Wish, it’s even worse than merely unethical, since a third party placed the code on their website.

So, was this a lone wolf just looking to make money off Make-a-Wish? Actually, it appears it was likely part of a much more widespread crypto-mining scam, and it starts with a completely different problem. As is so often the case, the way the hackers got inside was through outdated software that hadn’t yet received an update to the latest version. That software would be Drupal, a content management system that allows people to create and maintain complex websites. Make-a-Wish, like many other websites, was not up to date. It’s likely they were targeted by hackers linked to a much larger attack that occurred earlier this year, in which more than 100,000 Drupal-based sites were attacked with malware.

Ultimately, 400+ major websites, including those for UCLA, Lenovo, D-Link, and even the National Labor Relations Board, all had cryptominers dumped into their web code. Hackers even struck routers in Brazil and India, using the combined processing power of 300,000 machines to generate mountains of cryptocurrency. Unfortunately, none of this is news. According to McAfee Labs, Q2 of 2018 alone saw well over 2.5 million cryptocurrency hijacking scripts detected — the problem is now widespread.

So, if it’s all happening in the background and you can’t see it, why does it matter? You might not see it happening, but you will definitely experience its effects: these cryptominers are rarely configured to use only a portion of your CPU’s power and will instead aim to sustain maximum output for as long as possible. Since there’s no telling when the user will leave the website, there’s no reason to eke out small bits of currency when you can instead shoot for the moon.

Not only will your computer run incredibly slowly, but over longer periods of time it will also use up more power. Want to make sure that Safari isn’t being crypto-jacked? Check Activity Monitor and see if Safari is using a ton of CPU. It isn’t a guaranteed way to know it’s a miner — there are other reasons Safari can use up lots of CPU, after all — but it is a useful red flag to know about.
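The Activity Monitor check above, done from the Terminal, as an added example that is not from the show. It assumes macOS `ps` output (the `pcpu=,comm=` column layout) and a CPU threshold of your choosing; the sample `ps` lines below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag browser processes whose CPU share is at or above a
# threshold, the command-line equivalent of glancing at Activity Monitor.
# Input lines have the shape produced by `ps -Ao pcpu=,comm=` on macOS:
#   "<cpu%> <full command path>"
# flag_hot_browser_procs THRESHOLD reads such lines on stdin, prints each
# match, and returns 0 if anything was flagged, 1 otherwise.
flag_hot_browser_procs() {
  threshold="$1"
  awk -v t="$threshold" '
    # Safari renders pages in helper processes named
    # com.apple.WebKit.WebContent; a mining script burns CPU there,
    # not in the Safari process itself, so match both names.
    /Safari|WebKit\.WebContent/ && ($1 + 0) >= t {
      printf "HIGH CPU %5.1f%%  %s\n", $1, $2
      found = 1
    }
    END { exit found ? 0 : 1 }
  '
}

# Constructed sample output standing in for `ps -Ao pcpu=,comm=`:
# one WebContent helper pegged near 100% while the Safari UI process idles.
SAMPLE_PS='  0.3 /usr/libexec/trustd
 97.8 /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
  2.1 /Applications/Safari.app/Contents/MacOS/Safari
 45.0 /Applications/Xcode.app/Contents/MacOS/Xcode'

# Wrapper for a live check on a Mac (default threshold 80%):
#   check_live        or        check_live 50
check_live() { ps -Ao pcpu=,comm= | flag_hot_browser_procs "${1:-80}"; }
```

A hit only tells you a page is working Safari hard; closing the tab and watching the CPU figure drop is the quick confirmation that the page, not something installed on the Mac, was the cause.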

Since we’ve covered this topic before, we have an excellent resource for you to consult for more information: Checklist 79, Cryptocurrency and You. In that episode, we discussed how the best way to protect yourself from miners was to keep your security software up to date (always a good idea) and to run a good ad-blocker. That’s just the short version of the show, so we encourage you to go check it out if you missed it or need a quick refresher.

Tim Berners-Lee Wants to Save the Day

Who invented the Internet? Well, we know there’s some debate around that subject, but if you rephrase your question to “Who invented the World Wide Web?” then you have a clear-cut answer: Tim Berners-Lee. Sometimes called the father of the modern Internet, Berners-Lee is responsible for the fundamental architecture that allowed the Web as we know it today to grow and flourish. Of course, the Internet as we know it isn’t exactly the utopia many had envisioned decades ago. Rife with malware, divisive content, and massive numbers of moneyed interests, the Internet, as we know, has some problems. So does Tim Berners-Lee — and he’s back because he wants to find a way to make things better.

CNET reports that Berners-Lee has founded a company and begun development of an open-source project whose goal is empowering the average user to take back control of their personal information across the Internet. His company, Inrupt, and the project, Solid, would take our data out of the hands of Google and Facebook and their gargantuan data centers and place it back into your hands to give only to those you want.

Here’s the idea: Solid gives users a “pod” that allows you to store and manage a wealth of personal data. When companies want some of the information in your pod — such as your email, date of birth, or address — they only get it if you grant them permission. Otherwise, they can’t access it or even see it at all; naturally, that would mean a fundamental change in the way we do business and practically everything else online. Creating such a change will be a major challenge, especially because it isn’t just average users that they’ll have to convince — it’s businesses, too.

The good news is that recent trends seem to indicate a growing shift towards a more proactive privacy stance, with more people installing tracker-blocking privacy extensions in their browsers, and with Europe’s GDPR. That’s the General Data Protection Regulation, which has forced companies around the world to start offering more data management options to their customers. If you don’t remember the ins and outs of GDPR, don’t worry; we’ve got you covered. In Episode 90 — WHOIS GDPR, we hit everything you need to know about it.

Will this work? That’s a good question — as excellent an idea as it is, it will be a long, hard road to make it happen. Businesses will be the biggest roadblock to its success, and it’s currently hard to see how it could work. Since the service will have to be voluntary, it only takes one major company refusing to enroll in the program, such as Google or Facebook, to create big problems. Still, for Berners-Lee, the issue is a personal one; since inventing the WWW in 1989, he has been an active advocate for making the Internet a better place.

Alongside Solid, Berners-Lee is also working to develop a “web contract,” guidelines which will inform the growth and development of a free and open Internet that also balances the need for privacy, civility, and more. Efforts to develop the contract are ongoing, and Berners-Lee invites the public to contribute their thoughts; the Web, after all, is created by humans, Berners-Lee says, and humans can steer the way in which the Internet grows.

With that inspiring thought, we’ll draw this week’s discussion to a close.

Don’t forget that we’ve got an easy way for you to check out the other episodes we mentioned in today’s show — and you don’t even need to go anywhere. Right here in the Checklist Archives, you’ll find complete show notes and easily available recordings of every episode, stretching back to our very first show. That includes Episode 79 — Cryptocurrency and You, which we mentioned in today’s discussion, along with another episode that’s worth a listen at this time of year: Episode 12 — Five Tips for Secure Holiday Shopping. While there’s plenty of common sense involved in staying safe during this online shopping season, it never hurts to be informed about the potential risks and what you can do to ensure you have happy holidays.