Checklist 173: Are you smarter than the average startup?

On this week’s Checklist, we’ll talk about the malware that’s infected millions of Macs worldwide, a social media service with data privacy issues, and the most common security problems facing startups. 

Checklist 173 will cover:

• The malware infecting one in ten Macs
• The less than heroic tale of Social Captain
• What do you and unicorns have in common? 

Are you in the 10%? 

According to a recent report put out by the security firm Kaspersky, Shlayer malware infected 1 in 10 Mac users in 2019.

Shlayer is classified as a Trojan horse — a type of malware which disguises itself as an innocent program but when clicked on or downloaded installs malicious software like adware, keyloggers, or tools which give a bad actor the ability to access your system remotely.

Shlayer most often attempts to trick users by telling them that their version of Flash is out of date. If that sounds suspicious, it should: Flash is on its way out, with major browsers now disabling it by default and even Adobe planning to end support for Flash by the end of 2020. Nevertheless, Flash has been around for so long that millions of users around the world were still fooled by Shlayer’s fake alerts.

So how does Shalyer malware actually work in practice?

First, a victim clicks on a malicious download link found on infected websites or fake Flash download sites. These sites themselves are sometimes linked to from legitimate websites, for example via a link in the description of a YouTube video.

The malicious software then guides the unsuspecting user through a non-standard app installation process, prompting them to right click and open the package directly. Once installed, Shalyer then downloads its payload of adware or other malicious software. Normally, an app shouldn’t be allowed to do this, but Shlayer has a trick to get around Mac’s built-in safety features: It overlays the “Trust” button that you would usually see with one that simply says “OK”. That button isn’t an actual button, though, and if you try to click on it, you’re actually clicking through it and telling your Mac that you trust Shlayer to install other software, at which point the malware is granted the necessary permissions to install its payload.

While we don’t have hard data on the general profile of the users who were infected by Shlayer malware, it’s a good bet that these were mainly less technically-savvy folks who didn’t find it strange that they were being asked to update a nearly obsolete technology like Flash. So if you have a relative, friend, or coworker who doesn’t seem to know much about cybersecurity issues, you might want to take a moment this week to let them know that Flash downloaders are almost always bad news — and that there’s very little reason (if any) that anyone should still be using Flash. 

In terms of what you yourself can do to avoid a Shlayer infection, most of the standard advice for good digital hygiene applies. 

• Keep on top of your OS updates. 
• Download Mac apps from trusted sources only — in 90% of cases, this will mean downloading exclusively from the Mac App Store. The only exceptions should be reputable third-party Mac app developers who you know and trust.
• Get a good malware scanning tool and run regular system checks to make sure you aren’t harboring any adware or other malicious software.

If you think you may have been infected already — for example, if you’re noticing odd behavior or a sudden surge in ads — or if you just want to make sure that your system is clean, you can download a malware detection and removal tool to find and purge any Shlayer malware that might be lurking on your Mac.

When doing it for the ‘gram goes wrong

Instagram can be a goldmine for social media marketing, and some “influencers” on the platform have turned this into a full-time job. Because of the financial rewards that can come from increasing an account’s followers, many users of the platform have turned to consultants and third-party apps to give their numbers a boost.

Social Captain is one such service, designed to increase an Instagram user’s follower count. The service works by linking a personal account to their site — which requires the user to give Social Captain their Instagram username and password. 

Unfortunately, it turns out that Social Captain was storing its users’ Instagram passwords in the least secure way possible: plain text. Worse yet, due to the website’s implementation, these passwords could be seen by anyone who plugged a user’s account ID into Social Captain’s web address!

This still might not have been a dangerous flaw, except for the fact that Instagram IDs happen to be sequential numbers, meaning that it would be fairly simple to write a snippet of code to start at “1” and run through millions of possible account IDs, thus granting access to a treasure trove of credentials. Security researchers were able to do just this, demonstrating how an attacker could make off with thousands of usernames and passwords in seconds. To make matters worse, the researchers found that some premium users of the service had their billing addresses exposed along with their credentials.

Some of this is on Instagram: There are certainly better, more secure ways to define unique users on a site — even something as simple as using a combination of upper and lowercase letters in addition to numbers would significantly enhance security. But most of the blame lies with Social Captain, who definitely dropped the ball somewhere along the line for this to happen. 

This story underscores a couple of things that we frequently stress on The Checklist. 

For one thing, it once again demonstrates the importance of enabling two-factor authentication on all of your accounts whenever possible. Yes, it’s bad if your login credentials are stolen in a data breach. But if you use 2FA, a bad actor who has your password still can’t get into your account without that second authentication factor — which could mean the difference between simply having to change a password…or having to deal with full-blown identity theft.

Secondly, this story shows us why it’s crucial to be very, very careful about giving out your passwords. As a general rule, you should never do this. If a third-party app or integration such as Social Captain requires your login details for another app or service, think twice before proceeding. Do you really trust them with your account details? Are they a reputable, well-established company with a good track record on security? And can you protect your main account with two-factor authentication? If you feel unsure about any of these points, you may want to reconsider trusting that service with your data.

While Social Captain has already fixed the issue, not all users have yet been made aware of it. Needless to say, if you have an Instagram account and have used Social Captain, you should change your Instagram password immediately.

Three cheers for Checklist listeners

We came across an interesting Medium post this week in which the author discusses 11 security issues facing startups and gives some solid advice for how to deal with them. But what was most encouraging was how many of these things will already be familiar to regular listeners of this program!

1. 1

   Don’t rush security

   Startups face investor and market pressure to grow quickly, but this often leads to hastily written code that contains bugs which put users at risk. The author of the Medium piece advises startups to change their mindset and put security first, as the foundation for their growth — which is definitely a mentality that our hosts and listeners share!

2. 2

   Don’t reinvent the wheel

   There are tons of great tools available that can help make startups more secure. Where many startups go wrong, however, is in trying to develop their own version of a technology that’s already in wide use (and thus has already been extensively tested and shown to be reliable). While a DIY approach has its place in certain situations, in the area of security it’s often wise to let someone else do the heavy lifting — which is one reason why you hear us recommend password managers so frequently.

3. 3

   Take advantage of the cloud…

   Cloud providers like AWS or Azure invest a tremendous amount of time, money, and human resources into making their services secure. Smart startups use this fact to their advantage, and rely on the robust design and scalability of cloud services in order to grow safely.

4. 4

   …But don’t shoot yourself in the foot

   While cloud service providers work hard to offer excellent security, it’s still possible to undermine their efforts with careless development practices. Startups should follow basic best practices for secure development such as making all programmers use password managers and never including API keys in the codebase. This point reminds us of what we say so often about Apple’s products: They’re well-made and generally very secure, but only if you’re following best practices for cybersecurity like protecting devices with strong passwords and keeping on top of your updates.

5. 5

   Lock down mobile devices

   Things like mandatory use of Face ID and Touch ID are excellent first steps toward company-wide security. In addition, enabling two-factor authentication is as important at work as it is for home users — if possible with an authenticator app like Google Authenticator or Authy.

6. 6

   Get a Mac

   Many employees report being happier, more creative, and more productive working on a Mac, according to surveys done by such major corporations as IBM. This is why many startups are choosing to go with Apple at the office. But while some people will tell you that Macs are far more secure than Windows machines, this is, to put it diplomatically, a major oversimplification. It is true that for many years there were fewer malware threats directed at Macs, largely due to the fact that there were simply fewer Macs overall compared to Windows computers. However, as we’ve noted multiple times on The Checklist, this is changing fast. Experts say Mac malware is on the rise — which is why it’s a good idea for startups to invest in dedicated Mac security tools.

7. 7

   Remember to back up

   Ransomware is a major threat to governments, organizations, and businesses of all sizes — which is why it’s crucial for startups to have a good backup plan in place to protect their data and systems. As Checklist listeners know, if hackers manage to encrypt your files, having a backup gives you the option of wiping your system and restoring it with minimal data loss.

8. 8

   Update, update, update

   It’s something we say nearly every week, and the reason we titled Checklist 138 “Any time’s a good time for an update”: You need to update your OSes and apps regularly, because this is the only way you will have access to the latest security patches you need to keep yourself safe from the bad guys. Busy companies can sometimes let updates slide, which is an unnecessary and unacceptable risk. Automatic updates or managed updates handled by a third-party provider are good ways for overstretched teams to keep up with their patches in order to keep the company and its users safe.

9. 9

   Plan for turnover

   Startups are exciting places to work, but they’re also relatively volatile, with lots of people coming and going as the company grows. That can mean trouble if a former employee still has access to core systems and social media accounts, so startups need to have a clear process in place to deal with the security issues associated with a termination. If there is no dedicated human resources person to handle this, then a trusted employee should be designated as the point person for this function.

10. 10

    Guard against BEC scams

    Business email compromise (BEC) attacks are a threat to any company. In this type of cybercrime, malicious actors send fraudulent emails in an attempt to get someone to pay a fake invoice or release confidential information. Employee education is essential: Every member of a startup should be aware of these scams and how they work. But perhaps even more importantly, the movement of money and sensitive data should be left in the hands of a few trusted, senior employees only — both to minimize the attack surface and to ensure that only the most highly trained members of the company would ever have to deal with a BEC attempt. Being aware of the phishing and social engineering threats that can appear in our inboxes is something that, once again, Checklist listeners will be very familiar with.

11. 11

    Test, test, test

    Startups succeed — or fail — on the strength of their products. That’s why it’s vital that they test and retest everything before its ships, whether we’re talking about a physical product or referring to the code which underlies a digital offering. In terms of security, startups should seriously consider hiring a penetration tester or third-party consultancy to assess the relative vulnerability of their network, because the perspective of someone who is trained to think like an attacker (a description which likely applies to many Checklist listeners) is invaluable in cybersecurity.

That takes us to the end of this week’s Checklist. While you’re waiting for the next episode, be sure to check out our archives for past podcasts you may have missed — and as always, if you have a security question or want to suggest a topic for a future Checklist, write to us at Checklist@SecureMac.com.