Apple has updated many of its operating systems, but there don’t seem to be any security fixes. Can we be sure? We also discuss BlueNoroff hackers, Google deleting unused accounts, and new AI tools, including Grok, and how there are already scam apps pretending to offer access to it.
If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
Voice Over 0:00
This is the Intego Mac Podcast–the voice of Mac security–for Thursday, November 9, 2023.
This week’s Intego Mac Podcast security headlines include: Apple releases updates to its operating systems. Were there any security fixes? Google is updating its policy on abandoned Gmail addresses. Do you have any you’ve forgotten about? And we’ve got a roundup of recent announcements from several new and increasingly popular AI services. Now, here are the hosts of the Intego Mac podcast. Veteran Mac journalist, Kirk McElhearn. And Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:45
Good morning, Josh, how are you today?
Josh Long 0:46
I’m doing well. How are you, Kirk?
Kirk McElhearn 0:48
I’m doing just fine. And I know you’re happy that for once Apple released the updates before our podcast, instead of waiting until we finish recording. So we’ll record on Wednesday afternoon. And usually in the past few months, Apple has released security updates just as we’re finishing recording here. They released it yesterday. Thank you, Apple.
Josh Long 1:07
There’s actually no security updates this time. It’s a purely bug fix release across the board. We got macOS Sonoma 14.1.1, iOS and iPadOS 17.1.1, watchOS updates, a bunch of things that got updated. But none of them contain security patches this time. How can we be sure of that? Well, okay, I should actually make a little caveat on that. What that actually means is that on Apple’s Apple security updates and Rapid Security Responses, that’s the name of the page. And if there are security updates in a particular patch, then what they do is they create a new link on this page. And they give you a bunch more details. If, however, there’s no CVE entries, meaning that it’s not a numbered vulnerability, then they’ll just say instead, they’ll put an entry but not a link. And it’ll just say underneath it, this update has no published CVE entries. So that’s what we got for iOS, macOS Sonoma, watchOS 10.1.1. And we got a minor update for certain Mac models for macOS Ventura.
Kirk McElhearn 2:16
But this still could be some security fixes without CVE numbers, right?
Josh Long 2:21
Theoretically, that’s true. I’ve never seen Apple do this before, where there was an update that they specify there were no published CVE entries, but they still credited other researchers. So possibly what Apple might do in that situation is they might save those additional credits for the next version of macOS or iOS, that actually does patch security issues. Maybe that’s where they would credit those additional researchers for their help.
Kirk McElhearn 2:49
Okay, we’ll keep our eyes on it. So we have new Mac malware. And we’re trying to figure out how to pronounce this, BlueNoroff or Blue Noroff. BlueNoroff is a division of the Lazarus group. The Lazarus group is North Korean hackers. And I was looking at BlueNoroff on Wikipedia, and their most infamous attack was a 2006 Bangladesh Bank robbery. They tried to transfer a billion dollars from the Bangladesh Bank’s Federal Reserve Bank of New York’s account, and they managed to transfer about 100 million, but then the Federal Reserve Bank of New York blocked the remaining transactions due to suspicions raised by a misspelling.
Josh Long 3:30
There have also been some Mac-specific threats attributed to this APT or advanced persistent threat group. One of them was last year, there was something that the US government told us about in mid-April 2022, they said something called TraderTraitor, also known as Oh rat was targeting blockchain companies. And also earlier this year, we had something that was called RustBucket, you might remember we talked about that back in May. This is the same group that’s responsible for those threats that’s now got this new, it’s called a couple of different things depending on who you ask. It’s either called Objective C Shells, O-B-J-C shells, meaning objective “c-shells” like seashells, haha. It’s a variant of RustBucket, which is the one we talked about earlier this year.
Kirk McElhearn 4:18
God, these names are childish, they really are. And the worst, the worst thing is, they’re really confusing to keep track of right. And it’s not the hackers who come up with the name. In fact, they didn’t come up with a name BlueNoroff. It’s different security companies who name this malware in different ways, without any consistency. So three different companies could call the same malware different things and it makes it confusing for people, which is the advantage of CVE numbers for vulnerabilities and threats because everyone can agree on what the CVE number is.
Josh Long 4:48
Well, not only that, but you’ve got different names for malware, but then you’ve also got different names for APT groups. They might be called by a number like APT38 or they might be called BlueNoroff. Or they might be called Stardust Chollima, or any number of other like ridiculous names that people come up with. So the thing is like all of these different companies that track these groups, they have their own ways of identifying those groups. And so there may be some disagreements sometimes on who the actual threat actor is. For example, this particular group is believed currently to be a subgroup of the Lazarus group, which is another North Korean hacking group. Is it the Lazarus group? Is it just like a subgroup of them? Are they unrelated but kind of work together? Like who really knows? Like we’re all basing this on circumstantial evidence for the most part. Yeah, it’s complicated, but everybody tracks them all differently.
Kirk McElhearn 5:44
Okay. I just asked ChatGPT to give me 10 generic names that a security company could use to name malware it has discovered. You want to hear what it comes up with? (Sure. Why not?) These are good. These are good. Intego should use these. Cyber Storm, Dark Net Rider, MaliciousByte B-Y-T-E, Shadow Strike, InfraGard, StealthBot, VirusVortex–that’s my favorite, Virus Vortex. CodeCrusher, Threat Titan and Rogue Wave. These are great names, come on. These are much better than BlueNoroff. And objective seashells by the seashore.
Josh Long 6:20
Yeah. Okay. Well, it’s not bad. It’s not bad. I don’t know, that one sort of sounded more like a security product than malware but…
Kirk McElhearn 6:29
InfraGard. That sounds like a security product. Yeah. But this is good. I’ll send you these names. You can pass them on to the Intego threat team and you know, we can use some of these. (Sure.) Anyway, we want to move on to talk about the iMac. We talked about the new M3 Macs last week and Apple has announced officially that there is no Apple silicon 27 inch iMac coming. But does that mean that they might make a 28 inch or a 29 inch or a 30 inch? Because if you remember, the current iMac is 24 and a half inch, it replaces the 21 and a half inch iMac. So the speculation since the M1 iMac has always been that the larger iMac would be larger because the bezels are smaller, and the computers are not big. So maybe they’re saying we’re not going to make a 27 inch iMac and then next week, they’re going to announce a 30 inch iMac. A lot of people have been discussing the iMac and I want to link to an article in The Verge today. An iMac review, it says the iMac has become a computer in search of a purpose. And the reviewer is saying what’s the point of this computer if it’s not got a display big enough for me to use? And if it doesn’t have enough memory for me to use, and it’s one of these reviewers who’s saying, Well, this computer isn’t for me. So it’s in search of a purpose. The iMac is an extraordinary computer for people to use at home. For me, I use it for my work. A lot of people who don’t want to have 350 Chrome tabs open would be very happy with an iMac. Do you need a 30 inch or a 27? I mean Apple is really probably trying to get people to buy the Mac Studio and the Studio Display, which costs twice as much. But the fact that they came out and said that they’re not making the 27 inch iMac is curious because Apple rarely says what they’re not going to do. Right?
Josh Long 8:12
This was an actual Apple representative saying this, not just like leaked through Mark Gurman or whatever. So yeah, that is pretty unusual. I will say, you know, I don’t think it matters that much. I don’t, and I also agree with you that this particular reviewer was talking as though their own personal views represent the majority of people, which is absolutely not the case. I think for most people, an iMac is a great product. And there’s no reason why not to get an iMac. If you really want a bigger display, then sure, get a Mac Studio, get a Mac mini and hook it up to an external display. Doesn’t even have to be an Apple display. There’s a lot of really good displays from other companies that you can hook up to a Mac mini, Mac Studio or Mac Pro. And it’ll look really great.
Kirk McElhearn 8:59
We want to briefly talk about some comparisons between the M3, the M3 Pro, the M3 Max, and we discussed these last week. But I want to link to an article on AppleInsider that points out something that I didn’t mention last week when we’re talking about this. The different chips don’t only have different cores, but they also have different memory bandwidth. And memory bandwidth is important when you’re doing any kind of processing because it means that the data can get to the chip faster. The M3 has 100 gigabyte memory bandwidth, 100 gigabytes per second, the M3 Pro 150 and the M3 Max either 300 or 400 depending on whether you have the 14 core or the 16 core. So this can make a difference in speed if you’re doing really really demanding tasks. But there’s something I thought about yesterday when I was recording a different podcast about photography and we’re talking about, you know, do photographers need this? Do they need a Pro or a Max? And you can always argue that someone editing video benefits from this sort of thing. And then I realized, Apple is marketing these MacBook Pros to its developers using Xcode. If there is one app that really benefits from processors, it’s Xcode. And yes, there are people who are sequencing genomes, and folding proteins and all that that we saw in Apple’s presentation. But they’re making these Macs for all the people who are developing apps for iPhones and iPads who need Xcode to run faster, and Xcode is notoriously slow.
Josh Long 10:29
Fair point. And just to reiterate something we mentioned last week, you know, if you don’t have a new Mac, and you don’t particularly need something that’s like ridiculously fast, you’re not going to be coding, you’re not going to be encoding a lot of video or things like that, then you don’t really need an M3. Like, honestly, you could buy an M2 machine and be super happy with it. So you don’t have to buy the latest iMac or MacBook Pro that they just came out with and get an M3 processor. For the majority of people, M2, or even really M1, it’s still a great processor.
Kirk McElhearn 11:03
And if you have an Intel Mac, this would be the best upgrade you’ve ever made. If you bought any of the M processors, we still on like the 27 inch Intel iMac, which was the last one that Apple released, upgrading, even if it’s only a 24 and a half inch, you’ll really like it. I want to talk about an email I received last week. And this kind of surprised me. It came from Google, it talked about an account. I won’t mention the name of the account. But I didn’t remember creating this account. And I contacted Josh and I said, Well, this looks like it might be scammy. But it’s not, because all the links really go to Google. And when I looked into it, I realized it’s an account that I created in 2005, 18 years ago. I think Gmail came out in 2004. Probably created it for some sort of an article that I was testing to have another Google account, never used it since then. When I logged into Gmail, well, first of all, I had to use the recovery link to get my password to log into the account. Then when I logged into Gmail, I found some messages. The oldest one was from 2012. And I eventually found the first setup email message from 2005. So here’s what’s happening. Starting December 1, Google is going to start deactivating accounts that have not been used in at least two years. If you have an old Google account that you set up, for whatever reason, in my case, I forgot about it, so I didn’t even need it. But you may have an old Google account that you set up for some reason that you don’t want to lose. In that case, you need to log in. Once you log in once, then you’re fine for another two years. We’re going to link to Google’s inactive Google account policy article to explain this. But if you do have an old Google account you want to keep, make sure you log in.
Josh Long 12:38
One thing that we don’t know for sure yet is whether Google is going to allow people to register a previously registered email address. I really hope that Google does not allow this because this would be really bad for people’s security, if that old email address was ever used for any kind of service, right, to register, to sign up for a service. So if that email address has ever been, for example, in a data leak, then it’s out there on the dark web, like somebody can find a database that has that email address. And if they discover that, hey, this address isn’t registered anymore, I can now register this address. Now they can, whoever that hacker is, that person who goes and creates that address again, can now break into any of your accounts by just sending a password reset request to that email address that now they are in control of. So hopefully Google doesn’t allow reuse of these addresses that are expiring. Maybe they’ll just stick them in a separate database and say these are held in reserve and will never be available again. If Google does that, that would be the right approach. If Google allows them to be reused, then we’ve got a problem on our hands.
Kirk McElhearn 13:52
So what Apple does with iCloud email accounts is they allow you to have three active aliases, and if you deactivate an alias, you can never use it again. So Apple is keeping track of aliases, so they can’t be reused. And that seems to be just the way it should work. Okay, when we come back, we’re going to talk about this week’s AI news and more.
Voice Over 14:13
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X 9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X 9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the Special Discount Link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.
Kirk McElhearn 15:29
So before we get to AI, here’s a little security feature that I guess every one of these apps should have WhatsApp is now letting you hide your IP address when you’re making calls. Shouldn’t every app that connects you directly to another user offer this as a feature?
Josh Long 15:45
Well, yeah, it seems like sort of an obvious thing, right? Like, why would you want to leak your IP address? But at the same time, I kind of understand why this was the case before. So the way a lot of these technologies tend to work is it’s peer to peer. So like it’s directly from one device to another. And there’s no proxy or something in between. And so in those cases, where it’s one user connecting directly to another user, then it kind of makes sense that those devices know the other person’s IP address. And so it’s nice that WhatsApp now allows you to hide your IP address during calls. I agree with you, it does seem kind of crazy that this already wasn’t an option, but I also kind of get it. Now I wanted to say that this is a good reason to use a VPN. Because if you’re using a VPN all the time, then you don’t ever have to worry about your IP address leaking, and potentially giving away the neighborhood where you live or things like that, which can sometimes be inferred from your IP address. So using a VPN all the time, you know, some people will think that, oh, well, you know, a VPN is going to slow me down. I use a VPN 24/7 on all of my devices. And I don’t have any kind of issues with speed. If you do experience an issue, like maybe you’re downloading a really giant update or something, you can turn it off temporarily and download those multiple gigs and then turn your VPN back on if you want to. But I definitely recommend leaving a VPN just on all the time, because it prevents your IP address from leaking. You may not realize this, but every website that you go to gets your IP address just by visiting that site. It’s in a log somewhere in their server access logs. So you’re giving away your IP address all the time, whether you realize it or not.
Kirk McElhearn 17:32
Okay, we’ve talked about software called QEMU. We don’t know how it’s pronounced, we’ve talked about it to run Windows on a Mac, an interesting proof of concept has come out a developer has been working on a QEMU based iPhone OS emulator, and it’s running iPhone OS 2.1. 2.1, that’s old. That’s what 2008, 2009? That’s really old. There’s not much you can do with it. But it’s kind of interesting that if they could come up with an iPhone OS emulator, a little bit more recent, and you could play old iPhone games, if you can find the old game files.
Josh Long 18:10
This is actually kind of amusing. So if this were something where you could run, you know, recent versions of iOS, I would be a lot more interested in this. But guess what I mean, you actually kind of can already run iOS on macOS if you’re using developer tools. So I don’t know how useful this is. But it’s kind of cool that somebody was able to put this act together and, and run really old versions of iPhone OS. So good, good for them. It’s a fun hack, if nothing else.
Kirk McElhearn 18:42
So the guy who devalued that really well known social media app recently, has released an AI tool. It’s called Grok, because he’s so original, that he uses science fiction terms for all of his things. This is only available to Premium Plus users on that social media service, and which is really complicated to become a Premium Plus user. The problem is that both Apple and Google are already hosting fake Grok chatbot apps in the app stores. And these are we don’t know if they’re actual scams or whether they’re just trying to sell the app to make money or sell the app to collect information because you give a lot of personal information to these chat bots when you’re asking for things.
Josh Long 19:25
Right, we’re talking about xAI, is the name of the company, with a lowercase x and a capital AI. And this is one of Elon Musk’s companies. And yes, anyway, so if you are a user of X Premium Plus, which is this new tier they just introduced that you can easily upgrade to if you fall into all those criteria, you may be able to get access to this new Grok platform soon. So this is basically Elon Musk’s answer to ChatGPT. So what happens if you try to find an app for this platform on the App Store? Well, if you search for xAI chat, you’ll come across several things, some that use the exact name and stylized the same way with a lowercase x and a capital AI. And they’re in the App Store, both on Apple’s App Store for iOS and iPadOS, and, frankly, macOS too, because you can run some iPhone or iPad apps on the Mac that you can obtain through the Mac App Store. And also on Google Play Store. So Android also has these fake xAI apps as well. So the main thing you need to know is you can’t get an app that allows you to use this new Grok ChatGPT competitor on any platform right now. So don’t expect that you’re going to find this in any app store. If you see something like this, it’s a scam. They’re trying to trick you into downloading their rip-off app. And again, who knows what they’re going to do with your data, whether they’re actually going to keep it private. And I wrote an article about this. I looked this up like as soon as that new platform launched, I checked the App Store and there were already apps that claimed to be xAI apps. And well, they’re not. And if a developer is already lying about that in the app title, in the screenshots, then do you really think that it’s a good idea to trust them? Now, most of these apps have in-app purchases or subscriptions. And I definitely don’t want to be giving my money to a developer who’s already, you know, shown that they’re not super ethical because of violating trademarks and copyrights. Not a good idea.
Not only that, but you don’t know what they’re going to do with your data necessarily, either. So I would just avoid these apps altogether. By the way, interesting side note, if you have Windows, the Microsoft app store does not have any fake xAI apps. And also, interestingly, if you search for ChatGPT, or OpenAI, you will get zero results. So while you get a lot of results on the Apple App Store, or Google Play Store, when you search for those terms, including the official OpenAI ChatGPT app, you get a lot of other things that are kind of sketchy. And Windows doesn’t have that. They don’t have the official app, but they also don’t have any search results for anything that uses those particular trademark terms. So it kind of seems to imply that Microsoft has cracked down a lot harder on these lookalike AI chat apps than Apple and Google have.
Kirk McElhearn 22:45
So OpenAI announced some new capabilities for ChatGPT. GPT, for now can allow input of up to about 300 pages of text. That’s a huge amount. So you can put a book into GPT and have it do things with it, summarize it, etc. It also has knowledge of world events up to April 2023. And one of the problems with GPT, previously, is it ended in, what was it, November 2021. So when you were asking any questions about things since then, it didn’t know it. Now, it’s still limited to April. And I guess they’re going to update this every few months. There are a lot of other features that are a little obscure in terms of writing code and dealing with things. But there’s one thing that really blew me away when I tested it this morning. They have a new text to speech feature. The quality of these voices is the best that I’ve ever heard in text to speech. There’s about a half a dozen voices, and there’s a standard and a high definition version of the voices. I’m going to link to a blog post on the openai.com website where you can listen to some samples. This is really good. And of course, this raises a lot of questions. This isn’t a voice made to sound like someone else. This is like the voices you have already on your Mac or your iPhone, that read text to speech, that always sound a little bit artificial. But these sound so good, that I can see these being used for audiobooks, for articles, etc. You’ll certainly have some terms that they can’t pronounce correctly. But this is an extraordinary quality. They’ve added some improvements to DALL-E, which is the image generator. This is going so fast. It’s like we’re in the dial-up stage of AI and in two years, we’ll be in the DSL or the fiber stage, right.
Josh Long 24:29
And then this is all advancing very quickly. And by the way, during that presentation, Sam Altman, the CEO of OpenAI, got up on stage and he actually had Satya Nadella from Microsoft even come out and talk about their partnership, which is a big deal. I mean, Microsoft really has given a lot of funding to OpenAI because of their partnership. And you know, obviously Bing rolls in OpenAI’s ChatGPT technology and DALL-E technology for image generation and so forth. So Bing AI is also going to significantly improve because of this partnership as well. So a lot of really positive announcements if you’re excited about generative AI and you don’t see it as a threat to your job, or whatever. You know, this is definitely a big week for artificial intelligence and chat bots, and so forth.
Kirk McElhearn 25:21
One of the issues around generative AI is that you may be giving some personal data to your devices. On your computer, you may be typing something into a browser window to ask ChatGPT a question. And you may not want this data to be stored by whatever company is doing this. Samsung Galaxy X 24 will likely according to The Verge include on device generative AI called Samsung Gauss, this is really important. And you know, Apple hasn’t really come up with generative AI yet though Tim Cook in the recent earnings call said that they were working on things, I can see Apple providing generative AI tools with on device processing, and really touting the privacy of this. And this is really important, you know, because you could be in a business where you’re sending, you know, important business intelligence to some computer someplace in the cloud, and you don’t know what happens to it. So this is really important. Brave, the company that makes a browser has released an anonymous and secure AI chatbot. So this is another way that companies are starting to realize just how much personal and private and corporate data is used with these tools, and how it needs to be protected, right.
Josh Long 26:31
And you may or may not have access to this just yet. This is starting to roll out in the Brave browser on desktop. They haven’t quite added this feature for everybody yet. It looks like I just got access to it because I checked yesterday, I think, and I did not yet. But now I do see it show up in the sidebar. So we’ll link to an article where you can find a little bit more details about Leo, is what they’re calling this new Brave’s version of this AI smart assistant. The main point of this one is that it’s trying to be more private. And they’re saying basically, you don’t have to give away your information to some other company, we’re going to keep all of your data private for you. And you don’t have to worry about leaking it to somebody like Google or Microsoft or OpenAI.
Kirk McElhearn 27:16
Okay, last thing we want to talk about, Google. Google’s security blog says more ways for users to identify independently security tested apps on Google Play. And we just talked about scam apps for xAI Grok, etc. Now, Google is going to include information if apps have had an independent security review. The problem with this is, if the app doesn’t have an independent security review, Google is still going to sell it in the Google Play Store. So you’re really not protected unless you decide you can only get apps that are independently reviewed. But how many apps will have independent security reviews? We don’t know yet.
Josh Long 27:53
One thing that’s not entirely clear, and maybe I need to dig a little bit deeper into this. One is how do they determine whether that independent security validation is legitimate? Like are they only allowing independent security validations from certain companies that Google trusts? Or are they allowing developers to say, Yeah, we got an independent security audit? Wink?
Kirk McElhearn 28:17
Well, we don’t know. I think if Google is announcing this and making a step, then there must be something behind it. But it’s true that we want to have more details. I’d like to see Apple do something like this. I’d like to see fewer scam apps, and you’re really active on Twitter, pointing out all the scam apps that are available in the App Store, and particularly this just in a couple of days, right, the Grok, AIX or whatever it’s called. I would like to see Apple do something more proactively about that. But we’ll have to wait.
Josh Long 28:47
Yeah, 100% agree. By the way, if you do have an Android device, the badge to look for, the thing that will show up in the Google Play Store, is it’ll have a little section, if you scroll down, you may have to scroll down a little bit to see it. But it says independent security review. And then it has a little thing that says, in this case VPN app, it says VPN apps with this badge and the data Safety section have been independently validated against a global security standard. So that sounds like they’re talking about a very specific standard here. And it’s got a little green shield badge with a star in it. If you see something like that, that’s apparently starting to roll out maybe just to VPN apps at first, but it’s probably going to roll out to other apps as well that have third-party audits.
Kirk McElhearn 29:32
Okay, next week. You know, we’re going to come back to our annual discussion of Black Friday because Black Friday is right around the corner. We’re going to talk about how to shop safely and securely when you spend all your money for something you don’t need on Black Friday. Until next week, Josh stay secure.
Josh Long 29:47
All right, stay secure.
Voice Over 29:50
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like or review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.