SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 148: Playing Games with Security

Posted on August 1, 2019

When you find yourself with some free time, do you like to fire up some video games to spend an hour or two hacking, slashing, and blasting your way through the competition? Did you know that you might be exposing yourself to security risks in the process? It’s true — as will become apparent during our discussion this week, fun and games aren’t always fun and games. We’ll tackle that subject, take a look at an email from one of our fabulous listeners, and then turn our attention back to a topic we left unfinished recently — the subject of automatic updates. Those stories and all their details are coming your way this week as we work our way down the list:

  • Games as a Security Threat
  • August Answers a Listener Email
  • Turning On Auto-Updates, Revisited

Games as a Security Threat

We’ve said it before: those darn Smurfberries will get you every time. Our top story this week comes to us courtesy of VentureBeat, which reports that Akamai, a “cloud” company, released information and analysis that concluded the gaming sector remains one of the biggest new avenues of security threats and data breaches across the web. According to Akamai’s report, more than 12 billion “credential stuffing attacks” have taken place against a variety of video game websites over the past year and a half. One popular site for hosting copies of retro games for emulation, Emuparadise, is just the latest victim of one of these attacks.

Before we go any further, we know you might be asking yourself: “What the heck is credential stuffing, and how is it used in an attack?” A quick definition can clear that up — it’s not as complicated as it might sound at first.

Simply put, credential stuffing involves taking known information from one source and stuffing tons of it into the login fields of another site or service in the hopes of finding another valid account. Let’s use an example to explain: suppose you create a new account on a site to talk about video games, and you make your username “admin” and your password “password.” Remember, those who don’t routinely listen to the show and hear us talk about password security tend to re-use usernames and passwords across a wide variety of sites. Now you log in and go about your business.

In the meantime, a hacker targets the site and breaks in, and because the site wasn’t very smart about securing its user details, the hacker makes off with everyone’s username and password combos. Knowing that people re-use passwords, all the hacker has to do is write a simple program to plug combos from their database into all kinds of different sites. Sites might include other gaming platforms, banks, Amazon, Apple, and so on. Many might not work, but some do — and when they find a combo that grants access, they note that down. The hacker may take over your accounts on other sites for nefarious purposes, or they might simply sell the validated password combos on the dark web. 
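Seen from the side of the site being hit, the pattern described above leaves a recognizable shape in login logs: one source, many different accounts, roughly one guess each, and very few successes. The following is an added example, not something from the show or from Akamai's report; the log format, the thresholds and the function name `classify_sources` are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): "<source-ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
203.0.113.7 admin FAIL
203.0.113.7 gamer42 FAIL
203.0.113.7 retrofan FAIL
203.0.113.7 pixelqueen OK
203.0.113.7 speedrun99 FAIL
203.0.113.7 bossfight FAIL
203.0.113.7 noob_slayer FAIL
203.0.113.7 emu_kid FAIL
198.51.100.20 alice FAIL
198.51.100.20 alice FAIL
198.51.100.20 alice FAIL
198.51.100.20 alice FAIL
198.51.100.20 alice FAIL
198.51.100.20 alice FAIL
192.0.2.10 bob FAIL
192.0.2.10 bob OK
"""

def classify_sources(log_text, min_attempts=5, max_hit_rate=0.2):
    """Label each source IP by the shape of its login attempts (assumed thresholds)."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": set()})
    for line in log_text.splitlines():
        ip, user, result = line.split()
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "OK":
            s["hits"].add(user)  # distinct accounts this source got into
    report = {}
    for ip, s in stats.items():
        unique_ratio = len(s["users"]) / s["attempts"]
        hit_rate = len(s["hits"]) / s["attempts"]
        label = "normal"
        if s["attempts"] >= min_attempts and hit_rate <= max_hit_rate:
            # Stuffing: one guess per account, spread across many accounts.
            # Guessing: many passwords tried against the same few accounts.
            label = "credential-stuffing" if unique_ratio >= 0.8 else "password-guessing"
        # Accounts that logged in from a stuffing source need a forced reset.
        reset = sorted(s["hits"]) if label == "credential-stuffing" else []
        report[ip] = {"label": label, "reset": reset}
    return report
```

The one successful login from the flagged source is the account whose owner reused a password that leaked elsewhere, which is why the report lists it for a reset.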

VentureBeat wonders, “Why is gaming such a weak link?” However, if you’ve listened to this show before, you know that many industries suffer from poor security almost as a rule. The piece points to the perception that gaming sites aren’t as stringent about security as banks or an e-commerce site, which we could generally assume to be true. After all, you’re much more likely to forgive and forget until and unless it involves your money. 

Certainly everyone should implement the same rigorous safeguards, but in practice, not everyone in the gaming industry — especially the smaller players — follows the rules. Independent sites and fansites tend to have fewer safeguards, such as encryption, often because they’re set up on the fly and without long-term foresight about security. When money is involved, though, you’re more likely to encounter security that at least passes muster.

Is it really the fault of the gaming industry in particular, though? Sure, they could and should take steps such as securing password databases with strong encryption, but in the end, there’s still one problem at the root of all this: the propensity people have to re-use their passwords repeatedly. According to the VentureBeat article, Google estimates that at least 59% of users online will re-use a password at some point. We think the other 41% are probably lying.

All of us can do a better job with password security. Strong and unique passwords, a common refrain here on the show, truly are one of the biggest barriers to hackers out there. It’s why we suggest using a password manager to keep track of your secure logins all in one place, so you don’t have to memorize tons of strange passwords to stay safe. However, it’s also important to recognize that every password you create should be strong — not just the most important ones.

How many times have you signed up for a website thinking the account is pretty much a throwaway because you were required to make it to gain access? How many times did you reuse the same password for every new site you encountered? The reality is there are no throwaway sites — and in fact, those are the ones most likely to have poor security. All it takes is reusing one of those “throwaway” passwords in one important place, and you’re vulnerable to the ramifications of a credential stuffing attack many sites away.

Gaming sites are hit harder by these attacks not just because they’re passion projects, and not just because the industry moves at a breakneck pace. There’s also the high percentage of children who use these sites, a group that is typically less privacy- and security-focused. Ultimately, though, when you consider how many people re-use passwords along with the generally lax attitude from the public towards security, it’s not solely the gaming industry’s fault. These are issues that are common to the entire Internet.

Are you wondering if there’s anything you can do? Well, if you have kids who are probably using these gaming sites, it’s important to talk to your kids about these things early on. You want your kids to be on board with safety, so it’s essential to approach the conversation from the right perspective. Check out commonsense.org for a ton of useful articles on how to talk to your kids about security online, for example, and show them how to get set up with a password manager. While the industry may not fix itself as a whole, there is still plenty of action we can take to stay safer.

August Answers a Listener Email

At the end of the show every week, we like to encourage you to send in your emails — and many of you do! (Thanks for that, by the way). We’re reaching into the mailbag this week to answer some questions from listener Corrie, who wanted some clarification on a discussion we had in an episode a few weeks back. Corrie wrote:

In the July 4, 2019 episode, August makes the analogy between fences and firewalls but left me wanting. 

Let’s break in for a moment: July 4 was our Summer Security Blockbuster show, and we were talking about Star Wars and getting past the guns on the Death Star, when August said the following:

“If you think about it, a firewall is sort of like the gate to your home. You’ve got this fence around your house, and if somebody gets on the other side of that fence, you’re toast. But what you really need is more fences — you need a fence between the outermost fence and the front door, and you need one between the front door and the bedrooms, and so on. If a business was really serious about security, they would segment every portion of their business and have firewalls around each important part. That way, just getting in past the front gate doesn’t give you the keys to the kingdom.”

Remember all that? Good — Corrie continues: 

What applications in your analogy represent the other “fences” on a computer or an iOS device?

The fences we mentioned could be multiple things. They could be firewalls, which in the Death Star example would have been helpful. On your iOS device, those fences include the sandbox that Apple makes each app run inside of for safety. Remember, apps aren’t allowed to access any data or system functions outside their sandbox without your permission. That’s one of the reasons why you shouldn’t jailbreak your phone, and why you should only use enterprise apps from your employer — otherwise, you’re knocking down fences. 

Next, Corrie said:

I am interested in making my devices more secure and would like to know what other software or behaviors you recommend incorporating into my workflow? After listening to all the SecureMac episodes, I think I do use best practices for protecting my devices. I use 1Password to generate strong passwords (where applicable 12 or more alphanumeric characters and symbols), and MacScan to check the computer regularly. I even have Little Snitch running in the background continuously; although the learning curve on this piece of software is rather steep. Configuring Little Snitch is not easy. Are there other applications that you recommend installing to make my home and devices more secure i.e., what other fences are needed? 

First up: thanks for listening, Corrie, and wow — you’re our hero! This is a very sound foundation for security, and you’re very well set up to stay safe. As far as other software, there is the Princeton IoT Inspector we’ve talked about a few times before. It’s a nice piece of software that shows what IoT devices are connected to your network and what traffic they’re sending out to the web. 

Next, what piece of software can tell me if the kid down the street is or has been probing my network – Little Snitch?

Little Snitch is excellent software, but it’s only for outbound connections — in other words, it’s only showing you when things on your computer are sending connections out to the web, rather than what requests are coming in to your Mac. 

If you’re concerned about others on your network, we’d suggest you check out the router you got from your Internet provider. You’ll be able to check the list of connected devices, then verify it’s only people who should have access.

There’s one important point we want to make, though: in general, your personal data at home isn’t at risk unless you’re a government official or someone with a ton of money and power. Unless you’re a high-value target, most hackers don’t have any interest in taking the time to hack into your personal computer. There could be individuals who try to use your network to hide their own activity, such as pirating media through BitTorrent, but that typically requires them to know your network password. If you’ve got your Wi-Fi appropriately secured, you should be able to browse in peace. 

Turning On Auto-Updates, Revisited

Last week, we wrapped up the show by talking about all the security updates Apple released during the week and why you should upgrade to them. Less than a day later, Apple pulled a few of the updates — the supplemental updates for Sierra and High Sierra. According to the site Eclectic Light, the issue stems from a particular piece of the OS — called BridgeOS — not playing nicely with the T1 and T2 chips in some older Macs. When the updates were applied, it could cause Macs running High Sierra and Sierra to experience persistent problems in putting the machine to sleep or waking it back up again.

That could lead to kernel panics on sleep or wake events, which is certainly frustrating, to say the least — especially for MacBook users. Users who’ve already updated should disable the system sleep setting and shut down when they’re done using the Mac. There’s no word yet from Apple on when a new fix will be out, but we hope it will be soon.

Now, at the very end of last week’s show, August said:

“If you don’t have automatic updates turned on, then what are you doing?”

We had a bit of a disagreement about that, but we didn’t dive into it at the time. Now we have an interesting example where if you had automatic updates turned on, you now have an annoying problem to deal with because of a patch. So, should you still have automatic updates turned on? August says it’s a resounding “yes.”

Yes, this bug is frustrating, but it doesn’t render the Macs unusable. More importantly, though, it’s likely that the users suffering from this bug updated manually. The automatic update feature typically runs late at night when you are not using the device, and Apple pulled these updates from circulation before the first auto-update ran — meaning that users with automatic updates enabled should not have encountered this problem anyway.

Bottom line: for the average user, automatic updates are simply worth the peace of mind that they provide. 

Whether you choose to update automatically or not, we hope we’ve given you some food for thought — but unfortunately, that’s the last tasty morsel of security info we have for you this week.

There’s more where this came from, though — plenty more, in fact. We invite you to turn your appetite for security news and how-tos to The Checklist Archives, where you’ll find all our shows from the very beginning to the latest edition, complete with show notes and links to make it easy to catch up or give yourself a refresher. It’s the perfect opportunity to share with friends and family, too.
