SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 83: More Security Fails

Posted on April 5, 2018

It’s that time again — time for us to pull back for a “big picture” look at some of the big missteps in computer security over the recent weeks and months. Some of today’s stories relate to Apple, some don’t, but all of them fall into the category of a classic “security fail.”

From Apple accidentally exposing secret information in their own logs to the return of a familiar ransomware foe, we’ll get you up to speed with some of the latest headlines in the security world. It’s important to remember that even though many of us — and that includes big companies like Apple — understand the inherent value of security, we’re all still only human. Mistakes happen, and they can have consequences, as we’ll see with some of today’s stories.

Here’s what’s on our list for today:

  • Apple’s leaky logs
  • WannaCry makes Boeing employees want to cry
  • Siri loves to gossip
  • MyFitnessPal suffers a data breach
  • Apple strikes out with QR codes

We’ll kick things off with a pretty big series of unfortunate moments Apple recently experienced with the logging functions in macOS.

Apple’s leaky logs

Log files contain tons of different information and can track data that originates from all kinds of system events, whether it’s installing a new app, uninstalling old software, or doing practically anything that alters the system’s settings in any way. For that reason, logs can be a beneficial tool for diagnosing problems; they’re also useful for understanding what malware can get up to, and for examining the contents of a computer in a forensic or investigative context. For as helpful as they can be, though, they aren’t without their pitfalls.

Unfortunately, sometimes the information saved into a log file is not something you want a permanent record of, and when that information is a secret, the log itself becomes the vulnerability. Anyone who can read the log, whether a local attacker, a piece of malware, or someone holding a forensic image of the disk, gets the secret without having to attack anything else. As it turns out, macOS has been logging things it certainly shouldn’t have been, and Apple didn’t nail the fix the first time around. The issue: certain disk-management actions were resulting in your disk encryption passwords being written to the logs in plain text!

That’s a pretty serious issue, and it seems to have flown under the radar for some time. The story begins on March 21st, when forensic analyst Sarah Edwards posted an article on her site about the issue she had discovered. Calling it both a valuable find for forensic research and an absolute disaster for user security, Edwards showed that disk encryption passwords were ending up in logs in a few places around your system.

Here’s how it worked, with affected versions including macOS 10.13 and 10.13.1. If you fired up the Disk Utility app, used it to create a new APFS volume, and chose to encrypt that volume to keep its data safe, the system would record the encryption password you typed in the unified log, in plain text. Unified log entries stay on your computer for several weeks until they reach a certain age, at which point macOS deletes the old entries; think of it as a running tab of events that gets recycled every so often. Even though that means the password would eventually disappear from your logs, it shouldn’t be in there in the first place, and it leaves you exposed in the meantime: anyone who can read the log during that window has the password.

After reporting on the initial issue, Edwards continued to dig. During this second round of research, she discovered the password wasn’t just going into the unified log, but into the macOS install log as well! Whereas the unified log is like ticker tape printing slowly into a trash can, the install log is highly persistent. The only time macOS wipes it out is when you reinstall the operating system or perform a major version upgrade. That means your encryption passwords hang around in plain text until you hit a major version milestone, such as going from 10.11 to 10.12; incremental point updates won’t touch this log. An attacker who copies that one file off your machine, or who reads it from a backup or a forensic image, no longer has to break the encryption at all; they can simply unlock the volume with the password they found.

With the release of macOS 10.13.2, Apple fixed the bug, but only partially, as it turns out. That version stopped the logging when you create and encrypt a new volume through Disk Utility. What if you wanted to apply encryption to a volume you’d already been using for a while? That path still logged the password, right back front and center. Apple’s update only fixed the bug in the most obvious case; it took until the release of macOS 10.13.4 to close it for good. Even so, this is a pretty big slip-up coming on the heels of other recent password-related issues in macOS. And since the install log survives point updates, if you encrypted a volume on an affected version it’s worth checking whether the password is still sitting in that log, and changing it if so.
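The practical check here is to look for the offending command line in your own logs. The following is an added example, not code from the episode or from Apple: it scans log text for the APFS volume-creation command and reports and redacts any passphrase that was logged alongside it. The sample lines are constructed for this example, and the exact shape of the command, `newfs_apfs` with a `-S <passphrase>` argument, is an assumption about what the logged command line looked like, not something the show states.

```python
import re

# Constructed sample log lines for this example (not real output from any
# machine). The "newfs_apfs ... -S <passphrase>" shape is an assumption about
# what Disk Utility's logged command line looked like.
SAMPLE_LOG = """\
2018-03-21 10:15:02-05 macbook Disk Utility[512]: Executing: /usr/sbin/newfs_apfs -i -E -S Hunter2! -v Backup disk2s2
2018-03-21 10:15:03-05 macbook Disk Utility[512]: Created volume Backup
2018-03-21 10:16:10-05 macbook diskmanagementd[300]: newfs_apfs -A -S 's3cret pass' -v Work disk3s1
2018-03-21 10:17:44-05 macbook Disk Utility[512]: newfs_apfs -i -v Scratch disk4s1
"""

# Match a newfs_apfs invocation and capture the value following -S, whether
# single-quoted, double-quoted, or a bare token.
PASS_ARG = re.compile(r"""newfs_apfs\b.*?\s-S\s+('([^']*)'|"([^"]*)"|(\S+))""")
VOLUME_ARG = re.compile(r"\s-v\s+(\S+)")


def _captured_value(m):
    """Return whichever of the three alternative capture groups matched."""
    for g in (2, 3, 4):
        if m.group(g) is not None:
            return m.group(g)
    return None


def find_leaked_passphrases(log_text):
    """Return (line_number, volume_name_or_None, passphrase) for every line that
    logged a newfs_apfs command together with its -S argument."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = PASS_ARG.search(line)
        if not m:
            continue
        vol = VOLUME_ARG.search(line)
        hits.append((n, vol.group(1) if vol else None, _captured_value(m)))
    return hits


def redact(log_text):
    """Return the log text with every logged -S value replaced by <REDACTED>,
    so the rest of the line stays useful for diagnosis."""
    def _strip(m):
        keep = m.group(0)[: m.start(1) - m.start(0)]  # everything before the value
        return keep + "<REDACTED>"
    return "\n".join(PASS_ARG.sub(_strip, line) for line in log_text.splitlines())


if __name__ == "__main__":
    for lineno, volume, passphrase in find_leaked_passphrases(SAMPLE_LOG):
        print(f"line {lineno}: volume {volume!r} has its passphrase logged in plain text "
              f"({len(passphrase)} chars)")
    print(redact(SAMPLE_LOG))
```

On a real Mac the two places to look are the install log, with `grep newfs_apfs /var/log/install.log`, and the unified log, with `log show --predicate 'eventMessage CONTAINS "newfs_apfs"' --last 30d`; feed either output to `find_leaked_passphrases`. If it reports a hit, treat that passphrase as burned and change it, because the install log entry outlives any point update.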

WannaCry makes Boeing employees want to cry

Remember WannaCry? This particularly virulent form of ransomware struck the world in May of 2017 and wreaked havoc over a weekend that proved long and tiresome for many a system administrator. We covered the topic in detail back when it happened, and if you’d like a more in-depth refresher, you can check that out on Episode 38 of The Checklist.

To summarize, though, WannaCry (also known as WannaCrypt) is malware that leverages, among other things, a leaked NSA exploit known as EternalBlue to infect machines that hadn’t applied Microsoft’s fix for the underlying SMB flaw. Once on the computer, it encrypts the user’s files with a key the victim doesn’t have and demands a ransom, paid in Bitcoin. The US government publicly attributed WannaCry to North Korea in December 2017, though the evidence behind that attribution has not been made public. WannaCry was also a worm: after an infection, it scanned the infected computer’s network for other machines exposing the same unpatched SMB service and used the same exploit to spread to them and lock them down as well.

After a weekend last year in which everything from hospitals to banks suffered from the effects of this malware, it seemed as though we were mostly out of the woods. As it turns out, that’s not the case, and aerospace giant Boeing just learned it the hard way when a series of WannaCry infections struck one of its major production plants.

The news broke late in March, when word leaked out that the attack had hit Boeing. Initial reports were confused, it wasn’t clear how widespread the infection truly was, and the result was instant panic among both Boeing investors and others in the aerospace industry. The chief engineer of Boeing’s commercial airplane production, Mike VanderWel, sent out an “all hands on deck” email to staff calling for a massive response. Those early reports indicated that some production systems might be affected, and given WannaCry’s propensity for rapid propagation, there was concern it could cripple Boeing’s manufacturing ability for days.

There was good news within only a few hours, though, as it turned out that only a small number of machines had been affected, and none of them governed crucial manufacturing efforts. Boeing stated that it had restored from backups, applied patches, and ensured that there would be no impact on production. The fire was put out in short order, but it was certainly a close call, and it carries a valuable lesson.

We know it’s important to have backups of your information, and that’s truer than ever in the age of ransomware; paying the ransom is never a guarantee of getting your data back, so restoring from a backup is the best bet. More than that, though, staying up to date on patches in a large network environment is critical. Microsoft had shipped the fix for the flaw EternalBlue exploits two months before WannaCry appeared, and WannaCry itself made headlines almost a year ago, yet some of Boeing’s computers were still unprotected. Think of how many computers must be a part of Boeing’s network; keeping all of them up to date is a Herculean task, but it’s also a necessary one.

No matter how difficult it may be to keep on top of security patches, it’s not something you can neglect. With the right tools for network administration, an accurate inventory so you know the patch status of every machine, and the staff to follow through, even the biggest networks are manageable. We’re sure Boeing will be taking a hard look at its own procedures after this close call.

Siri loves to gossip

Let’s pivot back to another issue with an Apple product, this time with our good old friend Siri. Back in Episode 49, we talked about a few situations where Siri was a little too helpful, revealing information to unauthorized users that should have remained secret and private. Apple has put plenty of work into hammering out bugs like that in Siri, but a new issue recently cropped up that puts Siri’s gossiping ways back in the spotlight.

This time, the news comes out of Brazil, thanks to the website Mac Magazine, which on March 20th published an article about a privacy bug it identified in current versions of iOS 11. In short, the bug lets anyone with physical access to your device hear the contents of third-party notifications on your lock screen, even if you’ve enabled settings to hide them.

Typically, those settings keep the contents of notifications off the screen until you authenticate, whether by Face ID, Touch ID, or your passcode. All that was for naught, though, since someone could simply ask Siri to read them out loud! It is important to note that this bug applies only to third-party apps; Siri won’t read hidden notifications generated by Apple’s own iOS apps, including SMS text messages and iMessage.

So, what’s the big deal? You might ask: who cares if someone can see notifications from my third-party apps? It’s just gaming apps and the occasional calendar reminder. But there are plenty of times when you’d absolutely want to hide notifications from others, especially when they’re likely to contain sensitive or personal information. You probably wouldn’t want a random stranger to be able to read notifications from your personal email account, for example. Likewise, you wouldn’t want to expose the contents of messages from friends, whether they came in through Facebook Messenger, WhatsApp, or especially an encrypted chat app such as Signal; an app can encrypt a message end to end and still have its contents read aloud from the lock screen if it shows them in a notification. These are best left hidden, and any Siri bug like this deserves attention.

Apple says it knows about the bug and that a future software update will rectify the problem. That’s good news, but for now it’s still possible for someone to ask Siri to read your notifications. If you want to re-secure your phone while waiting for the fix, there are two options.

First, turn off lock-screen notifications for the apps you don’t want exposed. Open the Settings app, tap Notifications, pick the app, and disable “Show on Lock Screen.” If you’d rather keep lock-screen notifications, you can instead turn off Siri for when the device is locked: open Settings, tap Siri & Search, and disable “Allow Siri When Locked.” The second option closes the hole for every app at once, at the cost of hands-free Siri while the phone is locked. These are somewhat drastic steps that reduce functionality you may use, but they’re the safest route until Apple gets a patch out the door.

MyFitnessPal suffers a data breach

Speaking of third-party apps, how many of them do you have installed on your phone? For many of us, a stack of apps has become a normal and even necessary part of daily life, and many of those apps require some form of user registration. They’ve come a long way from the simple software we saw on the first versions of iOS more than ten years ago. Think about that, though: if you register an account with an app, the developer must store some of your information, including your password (or, if they’re doing it right, a hashed form of it). Useful as their products may be, it means we’re beholden to the security practices of many different third-party providers.

One such popular app is MyFitnessPal, a food and nutrition manager owned by fitness apparel brand Under Armour, which boasts about 150 million user accounts. Unfortunately, it turns out Under Armour was a bit “under armored” when it came to protecting its users’ data. At the end of March, headlines broke about a major data breach at MyFitnessPal involving an unknown intruder accessing data for roughly all of those accounts. Under Armour disclosed that the attackers obtained usernames, email addresses, and hashed passwords; most of the hashes used bcrypt, a deliberately slow function designed to resist cracking, but a portion used SHA-1, which can be cracked far faster. For anyone who reuses passwords, that’s a highly valuable trove that could enable the attackers to break into accounts all over the place.

In other words, this is your regular reminder that you absolutely should not use the same password on different sites. If you were an MFP user, change your password not only in the app (if you choose to continue trusting it with your data), but everywhere else on the web you might have used the same one. Using a password manager from the start and employing unique passwords is easier, less hassle, and protects you from the knock-on effects of breaches like this one. Thankfully, MyFitnessPal didn’t leak anything as sensitive as financial or banking information, but hopefully you weren’t using your exercise app’s password to log in to your bank, too.

Under Armour disclosed the breach and its extent within days of discovering it, a welcome change of pace from a recent string of corporations dragging their feet and waiting months or years to announce data breaches. The sooner companies disclose attacks that expose user data, the sooner users can take precautions to protect their other accounts. We also think this is an excellent opportunity to remind listeners to take advantage of two-factor authentication whenever you have the option to enable it; massive breaches like these are now the norm, not the exception. That means it’s likely more a matter of “when,” not “if,” some of your data will end up in a breach, if it hasn’t happened already. Take steps to protect that data now and spare yourself a big headache later.

Apple strikes out with QR codes

Okay, back to Apple for the last item on today’s list: did you know your iOS device has a built-in QR code reader? It wasn’t always there; the Camera app only gained it in iOS 11. QR codes offer a lot of convenience, so it was a welcome addition, but it came with a not-so-welcome security flaw that is only now getting attention. Before we dive into what’s gone wrong, a quick rundown of what a QR code is for those who aren’t familiar. Chances are you’ve seen one in the wild, even if you didn’t know what to call it!

It helps to think of them as an evolved form of the traditional barcode. Barcodes store a short string of data in a static, easy-to-scan format. They’re on almost everything these days, especially products you purchase; they’re how cashiers can quickly ring up your entire order at the right price, and they’re used to track inventory in warehouses and libraries. A QR code works on the same principle but is a two-dimensional, or “matrix,” barcode, and it carries built-in error correction, which is why it still scans even when part of the code is obscured.

“QR” means “quick response,” and the format was created in Japan in 1994 by Denso Wave for tracking parts in automotive manufacturing. Because a QR code can store far more data than a traditional UPC barcode, the codes spread rapidly outside of car manufacturing, and today you can find them just about anywhere you look. QR codes end up on everything from plane tickets and concert stubs to advertisements and even hiking trail markers. Even print ads in the newspaper now often include a QR code somewhere with an encouragement to “Scan and Learn More!”

So, what happens when you fire up the QR reader on your phone and scan something in the wild? QR codes can do several things, but typically today they’re a shortcut to a webpage with more information related to the object you scanned. It’s a fast way for advertisers to get you to a website without the need to manually type out a URL, and it’s a simple method for straightforwardly sharing important data. Sounds great, right? It can be — but let’s go back to the problem with Apple’s QR reader in iOS 11.

This time, a researcher from Germany uncovered the flaw and posted about it online. In iOS 11, when the Camera app recognizes a QR code containing a link, it shows you the website the code points to and asks you to confirm before opening it in Safari, a precaution meant to keep users from landing on malicious sites by mistake. That’s good. What’s bad: a specially constructed URL can make iOS display a completely different site from the one Safari will actually load when you confirm.

To test this, the researcher created a custom QR code. When scanned in iOS 11, the confirmation notification claimed the user was being asked to open Facebook in Safari. Instead, tapping it took you straight to the researcher’s own website. That’s a benign proof of concept, but the same trick could let phishers lure iPhone users onto bogus websites and have them hand over their data.

Consider this scenario: the bad guy prints up a ton of professional flyers at a copy shop, making them look like they came from a real local business. Perhaps these flyers advertise a chance to win a free iPad or some other attractive opportunity, and to enter, all the person must do is scan a QR code on the flyer. Instead of pointing to the real company’s site, though, users would end up on a malicious page designed for harvesting their data. Bad guys could potentially trick you into entering all kinds of data, such as your name and address or even credit card data. It’s easy to see how severe this flaw could be if abused in the right manner.

The researcher says he notified Apple of this problem on December 23rd, 2017, months before going public. So far, Apple hasn’t publicly acknowledged the bug or released a patch, and the issue remains in play. For now, if you scan QR codes with your phone, be careful about what you choose to open. Remember that the site name iOS shows in the confirmation banner is exactly the thing this bug forges, so it proves nothing; once Safari opens, check the address bar and the site’s certificate before entering any data, and never enter credentials or payment details on a site you reached via a QR code unless you can verify it is the legitimate one. Hopefully, Apple will have a patch out before real problems begin to occur.
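The episode doesn’t say how the displayed site and the loaded site came to differ, so the following is an added example, not code from the researcher or from Apple, built on an assumption: the classic way to get this mismatch is a URL whose authority section contains userinfo (`user:password@`), which a simplistic preview parser reads differently from a browser following RFC 3986. The example models both parsers side by side and then applies the checks a scanner app (or a cautious user) should apply before opening anything. `facebook.com` is the site named in the episode; `attacker.example` is a hypothetical host used only for this demonstration.

```python
from urllib.parse import urlsplit


def naive_display_host(url):
    """A deliberately simplistic 'which site is this?' parser of the kind a
    preview banner might use (an assumed model of the flawed behaviour, not
    Apple's code): skip the scheme, discard everything up to the FIRST '@' as
    user:password, then read up to the next ':' or '/'."""
    rest = url.split("://", 1)[1] if "://" in url else url
    if "@" in rest:
        rest = rest.split("@", 1)[1]
    for sep in (":", "/", "?", "#"):
        rest = rest.split(sep, 1)[0]
    return rest.lower()


def real_host(url):
    """The host a browser actually connects to. Per RFC 3986 the userinfo
    ends at the LAST '@' in the authority, which is what urlsplit implements."""
    return (urlsplit(url).hostname or "").lower()


def check_qr_url(url):
    """Decide whether a URL decoded from a QR code is safe to show and open.
    Returns the host a naive preview would show, the host that would really be
    loaded, and the reasons (if any) for refusing."""
    parts = urlsplit(url)
    shown, real = naive_display_host(url), real_host(url)
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        reasons.append("authority contains userinfo (user:password@)")
    if "\\" in parts.netloc:
        reasons.append("backslash in authority")
    if shown != real:
        reasons.append(f"preview would show {shown!r} but Safari would load {real!r}")
    return {"display_host": shown, "real_host": real,
            "safe": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # facebook.com is the site named in the episode; attacker.example is a
    # hypothetical phishing host used only for this demonstration.
    for u in ("https://www.facebook.com/",
              "https://xxx\\@facebook.com:443@attacker.example/login",
              "https://facebook.com@attacker.example/"):
        r = check_qr_url(u)
        print(u, "->", "OK" if r["safe"] else "REFUSE: " + "; ".join(r["reasons"]))
```

The useful design point is that the check never trusts the “pretty” host alone: it refuses any URL with userinfo or a backslash in the authority even when both parsers happen to agree, because there is no legitimate reason for a QR code on a flyer to carry a username and password, and it only ever reports the host that will really be loaded.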

Does it seem like lately we’re spending a lot more time on “fails” and issues arising out of Apple’s own efforts? While the company generally remains responsive regarding fixing these problems, we’re still seeing plenty of room for improvement. At the same time, we’re seeing repeats of old mistakes, like patches for patches when the problems should’ve been fixed the first time. We’ll be keeping a close eye on these developments as we move deeper into the year.

That’s all we have for you today, but that doesn’t mean the conversation has to end. Got something you’d like to say, or a question about something we discussed today or in a recent episode? We’re always ready to hear from our listeners, so send an email to Checklist@SecureMac.com with what’s on your mind. Missed an episode recently? Hit our archives to delve into full show notes and complete audio going all the way back to episode one.
