The Checklist 77: Mix and Match Part II

As 2018 continues, so does the flood of new stories, threats, and developments in the security world. Just recently, we reached into the grab bag to take a quick look at a variety of different stories; this week, we’re going back again to pull out a mixture of the most prominent topics making a splash in the headlines over the past couple of weeks. From the consequences of tracking your exercise with an app to the pitfalls of perfectly proper grammar, we’ve got a lot of ground to cover in today’s show, and we’ll check these topics off our list:

• Strava fitness tracking unveils secret information
• Intel’s questionable judgment with Spectre disclosures
• Grammarly exposes user data in a big way
• MacUpdate hacked to push a new Mac trojan
• Phishers try a new tactic: fake bribes

Let’s kick things off by taking a look at a scandal surrounding  Strava, a popular fitness tracking app used by more than a million people around the world.

Strava fitness tracking unveils secret information

Many of us look to our devices as a way to accomplish more in our daily lives. Just like computers revolutionized the business world and changed the way we interact with one another, smartphones and other devices (like the AppleWatch) have also caused mini-revolutions of their own. Of those, one of the most popular is the way that our smart devices can enhance the way we exercise. From the Apple Watch’s built-in swim tracker to apps that chart how far you can bike in a week, there’s no shortage of ways to motivate yourself or fine-tune your approach to exercise. That means a lot of personal data collection, though — and what happens when that data ends up causing problems of its own?

Strava recently found itself in some hot water for just that reason. One of the core functions of the app is to use the GPS location services on your phone to track where you work out; most often, that means running and jogging routes. Billing itself as something of a social network, Strava even lets you share location data with friends and other Strava users as pre-determined workout runs. In other words, the idea is to design runs that you enjoy and then share them with others. All this adds up to a ton of recorded user activity, and indeed, it’s a popular service. After all, if you’ve found a great hiking trail up in the hills, why not share that with your friends?  While it might mean making privacy trade-offs, many of us buy our devices to be able to do things like this. Strava, though, didn’t quite think things through with a recent marketing stunt.

Late last year, Strava opted to post up a “heat map” made of all the activities their many users had logged. This is a way to visualize data regarding activity and intensity by making certain areas of the map more intensely colored than others; high “heat” areas are those with lots of logged activity. The result: a beautiful global image that shows how hard many people work out, where they do it, and when they use Strava as a part of their routine. Sounds pretty cool, right? It was until some security experts took a closer look and realized that the company hadn’t thought about one thing: the secrecy needed by the military.

As it turns out, a significant number of US servicemen and women use Strava while working out on their bases or deployment. Those logs got snatched up by Strava, too, who didn’t differentiate them from other users. As a result, the global heat map Strava put out revealed the potential locations of some sensitive US military bases and forward operating positions. When the soldiers on the ground worked out and logged it with Strava, it all went into the heatmap. As a result, it would be easy for someone to analyze the image and determine patterns of movement and shifts in personnel with time. The result: a significant security problem.

Strava has since apologized and stated that they intended to work closely with the military, which is no stranger to problems with soldiers accidentally revealing their locations through digital behavior. This is an excellent point to dwell on: it is worth thinking about what your GPS coordinates, especially tracked en masse, could reveal about what you do – even if your data isn’t linked to you personally. While it’s not likely that the bad guys will target the average Joe in the suburbs, it’s still something to consider when you set up your devices and start installing apps. So far, Strava seems to be tweaking various elements of their service, looking for ways to shore up its location data handling to avoid a repeat of this problem in the future. This whole scenario is quite a fascinating look at what can go wrong with GPS data that seems innocent at first.

Intel’s questionable judgment with Spectre disclosures

Next up, more news related to the massive Spectre and Meltdown processor flaws that we’ve talked about in recent weeks. Not only is the first proof-of-concept malware (for Windows machines primarily, it seems) beginning to get noticed by security researchers, but some companies have actually rolled back their fixes in an attempt to get things right. Many of the initial patches were rushed to market and didn’t adequately address the issue or did so in a way that introduced many other problems on the side. However, today’s Spectre-related news item has more to do with Intel’s disclosure than anything else.

If you’d like to develop a more detailed mental timeline of the way things went down, we suggest going back to Episode 73 and checking out our discussion there. However, to recap, the major flaws were initially discovered and reported to Intel back in June of 2017. At that point, efforts to develop fixes began behind the scenes. Nothing public was released at the time due to the severe and fundamental nature of the flaws. Intel originally planned to hold a press conference to explain their findings on January 9; however, the flurry of activity related to pre-announcement plans meant that some resourceful journalists broke the story early. As a result, Intel was forced to go public with what they knew before they planned to.

It turns out, though, that Intel did inform some major players about the flaws well in advance of the leak — but not the United States government or any of the agencies that might have been most concerned about the problem. Instead, Intel opted to inform a number of their primary business partners, including some primarily Chinese customers such as Lenovo and Alibaba. While Intel says that they informed their customer partners as a matter of course to solicit help in developing fixes, it does seem unusual that no one in the US government was made aware. In fact, several agencies — including the head of the NSA — said that their first knowledge of the flaws came from the media as the story broke.

Given the high-level threat these flaws posed, it seems like notifying the government, one of your larger customers by the way, would be a prudent move, especially since Intel is a US-based company. Informing Chinese commercial partners instead of the US government, which relies on many Intel-based products for highly critical and sensitive intelligence and operations, adds another layer of complexity to the Spectre story. While Intel claims they intended to let the government know by their original January 9 deadline, it raises the question of why they felt it wasn’t the right move to share info with the government early on.

While agencies such as the NSA do not have a good track record with security vulnerabilities, the government does typically advise tech companies on how to respond to some threats. It is likely the government would have wanted to dedicate resources to helping mitigate Spectre as it leaves US operations just as vulnerable to exploitation as a foreign adversary’s. Perhaps Intel simply wanted to prevent the flaws from nation-state level abuse, but as it stands, we’re likely to see that occur anyway. With information passed to Chinese companies, there is only a minimal chance the Chinese government did not also learn of the flaws in advance of the US. Overall, Intel’s handling of the entire situation has been less than desirable, especially for a company at the forefront of chip manufacturing.

Grammarly exposes user data in a big way

We all like to sound smart online, right? Whether we’re making an opinionated post on Facebook or typing an email to a business associate, it’s a clever idea to make sure you’re not committing egregious grammar and spelling mistakes that can make you look foolish or degrade the quality of your work. That’s the idea behind Grammarly, a website and a browser extension that checks your documents and the text you write as you type it to ensure you’re following all the rules. If you don’t, it highlights the problems and gives you suggestions so that improving your writing is easier. Sounds pretty useful… right?

Maybe so — if Grammarly hadn’t just been caught leaking a lot of user information by mistake. Tavis Ormandy, a researcher whose name you might already remember from our last grab bag show, was the one who uncovered the bug in the Google Chrome Grammarly extension. So, what was going on? Grammarly didn’t safeguard one of the most important pieces of security any app can use — its authentication tokens. These are what software uses to verify that you are you and have the right permission to access services and data that otherwise remain locked away from prying eyes. Grammarly didn’t protect its tokens; in fact, it exposed them to every single website you visited.

OK so what’s that mean?  Well, a malicious website could have harvested the authentication token from your Grammarly extension and used it to log in as you to the Grammarly.com website. There, the attacker would have access to your uploaded documents, files, and your overall history with the service. Initial reports indicated that the bug could expose not just your documents, but everything that you’ve typed overall, no matter the website! Luckily, that’s all just potential activity, and there was no indication that anyones information was compromised. That doesn’t make the fact that Grammarly was an open door to anyone who knew how to look through it any better, though.

Upon notification of the problem, Grammarly was quick to issue a patch for the issue. That is commendable, as it is always heartening to see companies move quickly to patch issues, even though this flaw shows some serious problems at work with the way Grammarly was put together. However, what is more important is that this security vulnerability highlights a problem that many of us might not think about very often: what extensions expose you to risk?

We often think of protecting ourselves by avoiding shady apps or being careful with what kinds of software we download. Do you give the same level of security priority and thought to the extensions you add into your browser? It’s not just Grammarly that has problems, either; there’s no shortage of vulnerable plugins out there. Remember, not every extension was made by a big company with a vested interest in delivering a secure product. Some of them are the products of hobbyists, while others, like Grammarly, may come with an air of authenticity but can still lack some of the due diligence we’d like to see behind the scenes.

What’s the lesson here? It’s a fairly simple one: don’t install a million extensions on your browser, and take a careful, close look at reviews and other information before you accept the installation. While the Grammarly problem took a trained eye to spot, it is easy enough to ask yourself “Do I really need this?” before installing an extension. This can be true of things beyond browser extensions as well – think about keyboard apps for your phone, which also inspect what you type (it’s the nature of being a keyboard) –what information do they store and accumulate through online databases?  When you give software access to your devices, you’re potentially opening a big window into your life. Be careful that you aren’t running around the proverbial house, opening every window you find! Meanwhile, keep the extensions you do use up to date so that when issues do arise, you can take advantage of the security fixes as soon as they become available.

MacUpdate hacked to push a new Mac trojan

Speaking of staying up to date, that’s advice we give with some frequency on this show and in general. Usually, in fact in just about every situation, it’s good advice — you want to be sure you always have the latest version to stay protected from emerging threats. Except for incidents such as last year’s Handbrake hack, though, downloading updates directly from the developer of the software is typically a very safe thing to do.  Not everyone sees it that way, though; it’s understandable because sometimes keeping up to date with all the many diverse types of software you use can be time-consuming and difficult. As a result, many people turn to sites such as MacUpdate, which aggregate updates from developers into one place where it is easy to download and install the latest and greatest versions.

In the past, MacUpdate has been a vehicle for some malware as a result of intrusions and hacks; early in February 2018, that happened again, and it pushed the newest type of Mac malware to users who thought they were downloading updates for programs such as Firefox, Onyx, and Deeper. The latter two are programs for customizing the way your Mac looks and works, with updates often featuring new tweaks. Firefox updates are also often critical, closing security loopholes to keep users safe. As a result, they made good targets for the hackers to switch things around and try to fool users into downloading their malware, now named CreativeUpdate.

The way it worked was straightforward: the hackers changed the download links on MacUpdate to make it look as though the downloads came from legitimate-looking URLs but in fact, they were links to malicious hosts.  The resultant file that users downloaded, a regular .dmg, would go into the installation folder as usual. While users thought they were installing an update to their software, they were installing malware that also ran a dummy copy of the program in question. Or at least, it tried: in some cases, it launched the wrong software altogether, giving users a clue to the fact that something went wrong.

The goal: mine cryptocurrency by stealing CPU resources from the user. This is a tactic we’ve seen used several times before by malware, and it’s not likely one we’ll see go away anytime soon. The good news is that MacUpdate was quick to notice the problem after users began to complain and quickly fixed the links and restored the proper updates. However, this incident does highlight the risk of relying on a third party to get your updates: you have to trust that sites like MacUpdate are keeping their information appropriately locked down. While CreativeUpdate was relatively weak and poorly implemented in terms of Mac malware, it is conceivable that a more sophisticated attacker could engineer a similar intrusion. In fact, we did see that when the Handbrake download servers were compromised last year briefly.

Overall, we would suggest that you try to rely directly on developers for updates. Watch what you download and install carefully. If something seems out of the ordinary, run your security software or contact your vendor. Any action is preferable to potentially letting a crypto miner or a trojan run freely on your Mac.

Phishers try a new tactic: fake bribes

For our final topic today, we’re taking a quick look at the emergence of a new and insidious type of phishing scheme. Typically, phishers are merely looking for a way to trick you into giving up sensitive account details by masquerading as a service provider or otherwise fooling users into believing they’re speaking to a legitimate business. These attacks typically use fear or intimidation to panic users into handing over info to prevent an imminent problem or fix an imaginary issue. In the latest round of phishing scams sweeping the web and reaching our cell phones, though, the scammers have decided to try something new: enticing users with the offer of cash.

The phishers assumed various digital disguises, from posing as AT&T technicians in one case to the Internet Crime Complaint Center, a government task force that assists consumers who have been defrauded through digital actions. In both cases, the phishers send an email or call a victim to initiate contact. In the case of the IC3, users were told that they were eligible for financial compensation because of the apprehension of an Internet fraudster. Some AT&T customers, on the other hand, received calls letting them know they were going to receive a bill credit due to a service outage.

Victims of the IC3 scam, if they responded, would likely receive further requests for personal information that the scammer could then use to wreak havoc. In other words, it would eventually play out like a typical “Nigerian prince” scam — stringing you along with promises of great financial gain if you just share the right information. The AT&T incident is even more serious, though, as victims were apparently targeted in a manner closer to spear phishing. Callers had a wealth of identifying information on their victims, allowing them to create a reasonable impression that they indeed represented AT&T. They told victims that to receive a bill credit, they only needed to share with them an SMS code they would soon receive via text message.

The bad guys were just trying to bypass the victim’s two-factor account authentication. The code the user would receive would be their 2FA code; the attacker could then punch in the code, gain control of a user’s account information, and terminate the call. Naturally, this is the last thing you want: letting someone into your private account spaces under false pretenses. The potential for personal and financial damage would have possibly been quite extensive.

Some phishers have even taken to impersonating victims in person, going to mobile phone stores and requesting to “port” numbers to a new service. In this way, they hope to directly intercept 2FA notifications to take control of user bank accounts and other information. If you receive a suspicious email or phone call, you should not only ignore it, you should report it to the authorities as well — it can help in the efforts to shut down these phishers. Phone number porting is a more significant issue and one we may need to touch on in a later show; it incorporates elements of both phishing and social engineering and became so severe that Verizon and T-Mobile both pushed an alert to customers to warn them of the scam.

Here’s a good rule of thumb to always keep in mind when browsing the web or hearing about a strange offer over the phone: if it sounds too good to be true, then chances are, it is.

That’s everything we have for you on this week’s mix and match grab bag. As Strava continues to work to repair its service, Intel works to restore its reputation, and more malware keeps creeping up on the Mac, now is an excellent time to head back into our archives and catch up on the show notes you might’ve missed. You can easily find all our previous episodes right here.

Have questions about something we covered? Want to share a news story that you think might yield some good discussion on the show? Send us an email at Checklist@SecureMac.com and tell us what’s on your mind!

As always, thanks for tuning in to listen to The Checklist, brought to you by SecureMac. We’ll return next week with more in-depth discussion and news.