
Apple Podcasts on the Web, AirTag Catches Porch Pirate, and More on the Biggest Ever Data Breach – Intego Mac Podcast Episode 358

You can now access Apple Podcasts on the web. iCloud is the most popular Apple subscription service, and there’s an important reason why. A cleverly placed AirTag catches a porch pirate. And there’s more fallout from the recent breach of personal information from National Public Data.


If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.

Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you’re ready to buy.

Get Apple security news delivered straight to your inbox, for free. Intego’s twice-monthly newsletter will keep you informed about Apple-related privacy and security, along with tips and tricks for getting the most out of your Mac or iPhone. Subscribe for free—no strings attached.


Transcript of Intego Mac Podcast episode 358

Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, August 22, 2024. This week’s Intego Mac Podcast headlines include: Apple Podcasts can now be played from the Apple website; iCloud is the most popular Apple subscription service, and there’s an important reason why; a cleverly placed AirTag catches a porch pirate; and there’s more fallout from the recent breach of personal information from National Public Data. Now, here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.

Kirk McElhearn 0:44
Good morning, Josh. How are you today?

Josh Long 0:47
I’m doing well. How are you, Kirk?

Apple Podcasts now available via the web at Apple’s website

Kirk McElhearn 0:48
I’m doing well. I’m really excited because listeners will be able to listen to this episode of the Intego Mac Podcast on the web. You no longer need to use a podcast app to listen to podcasts. Of course, you could always do this on the podcast site itself. We’re hosted with a podcast hosting company, and the podcast is available there. But Apple Podcasts is now available on the web. This started with Apple Music a couple years ago. You can sign into your Apple Music account and listen to all your Apple Music. Apple just put Maps on the web, I think a couple weeks ago, and now podcasts are available on the web.

Josh Long 1:22
Well, technically, you could already listen to podcasts on the web, it’s just that now they put the full interface on there so you can browse, you can search, and it’s all built into the Apple Podcasts site. So this is a new site, so rather than just individual listings for podcasts that might come up, for example, in Google search results, now you can actually go to a special page dedicated to podcasts that works just like the podcast app on your phone.

Kirk McElhearn 1:53
Makes you wonder why you need a special app if you can do it on the web.

Josh Long 1:58
Well, honestly, it’s kind of that way with a lot of apps. I feel like most apps that we use today are basically the same thing that you could do in a browser. It’s just kind of giving it to you in an easily switchable app, rather than like having to keep a tab open all the time for it.

Kirk McElhearn 2:15
It’s worth pointing out that all of this content that you see, whether it’s in Apple Music, Podcasts, the Books app, the TV app, all of it is just HTML content. It’s all basically web pages that are designed to be responsive, which means that if you’re looking on a desktop browser, it’ll look one way, or if you’re on an iPhone, it’ll look another way. But it’s all exactly the same content, so it’s actually trivial for them to just make it available on the web. Now I wonder what their long-term thinking is, that maybe people will search and find podcasts that way and say, “Oh, this is Apple Podcasts and I’m going to listen to it,” because you can listen to podcasts without signing in. The only reason you’d need to sign in is to get your subscriptions.

Josh Long 2:56
Right, exactly, if you want to follow a podcast so you get future episodes, they do prompt you to sign in at that point. So, yeah, this is interesting. I don’t know that it really moves the needle all that much. Like, you know, how dramatically is this going to affect podcasters or podcasts and how popular they are? I don’t think it’s going to make that big of a difference, but it is nice that Apple now has an interface. It does make me wonder, though, like, what was the purpose behind this? Because, yeah, I mean, this isn’t nice to have, but, like, why all of a sudden launch this now?

Kirk McElhearn 3:29
Well, I think the reason they launched Maps on the web is to compete with Google. Because you can go to maps.google.com, and you can have your maps, and maybe you’re on your work computer and you want to check Apple Maps, because on your iPhone, you’ve planned a trip or something. I’m not sure what the logic is. It just seems to me that for podcasts and music, it means that these things show up in Google searches and can be playable and maybe again, at work, you’re not allowed to use the Apple Music app or the podcast app, or you’re working on a Windows PC, and you still want to access this content.

Josh Long 4:01
Until you mentioned it, I had completely forgotten that Apple Maps even is on the web. It’s new, yeah, and I don’t remember really people talking about it that much. It just sort of, like, kind of went by and people didn’t really pay much attention to it.

Kirk McElhearn 4:15
Well, it could have something to do with Apple splitting up the iTunes app on Windows. The iTunes app on Windows did play podcasts, but Apple has, I don’t know if they’re still considered preview apps, but they’ve made an Apple Music app, they have an iCloud app, etc., but they don’t have a podcast app. So maybe this is a way to make podcasts available through Windows, and they’re not going to make a podcast app, because maybe not too many people on Windows listen to podcasts through iTunes in the first place. In any case, it’s trivial to do. They have all this content, and once they’ve put one of these media apps on the web, they can put the others. We have a report, and this is not surprising, that iCloud, and this means iCloud+, so iCloud storage, is the most popular Apple subscription service in the US. And when I saw this, I said, of course, because when you spend $1,000 on a new iPhone, you still have to pay 99 cents a month to get more than five gigabytes to be able to back up your iPhone, unless you back it up to a Mac or a PC. And the idea that most people buy iCloud because they have no choice, it’s kind of embarrassing. Apple should be embarrassed. I wish I knew on which episode we first talked about how Apple needed to increase the base iCloud storage. This podcast has been around for just about seven years. I’m thinking it was six years ago, if not even seven years ago. We mentioned that it’s been five gigabytes since forever, and so, of course, it’s the most popular Apple subscription, because people don’t have a choice.

iCloud is Apple’s most popular subscription service

Josh Long 5:40
Yeah, I was gonna emphasize that point. iCloud is the most popular Apple subscription service in the US, you know. So there it’s, it’s by no means, like, extremely popular, but, yeah, that’s the main thing that people are getting, is iCloud+. So they’re bundling a bunch of other services, including Apple Music, which you can get as a separate service. And that one happens to come in at number two on this list of other Apple services that you can subscribe to. But yeah, five gigabytes being like the base storage for iCloud, that doesn’t make any sense in 2024. Like, you have so much data now, and photos. You’ve got years probably worth of photos that you have been, you know, taking pictures and taking videos on your iPhones. Now you’re on, I don’t know, what is this, like, maybe your sixth, your 10th iPhone at this point. You’ve got a huge Photos Library, and where else is that gonna sync? Like, you probably have more than five gigabytes worth of photos and videos just in your photos library right now, so you need more than five gigs in order to be able to back up your device and have your photos and things stored in iCloud. So it’s kind of, I’m very confused as to why Apple is still doing this, like, besides the obvious revenue stream, right? Like, we know that obviously a lot of people are going to be paying, but is it right for Apple to be almost forcing everybody to have to pay for that storage? That feels really wrong at this point.

Kirk McElhearn 7:11
I haven’t looked up the dates, but my guess is that iCloud storage the five gigabytes started when you got an iPhone with four gigabytes of storage on the device, maybe eight gigabytes. So it was a fairly large percentage compared to the device. Now, I think all iPhones start with 128 gigabytes. You still only get five gigabytes. Now, you don’t have to back up your 128 gigabytes, but as you say, you’ve got photos for years and years. If you look at the math, let’s say 200 million people pay for iCloud storage, that’s $200 million a month. That’s a lot of money. That’s billions of dollars a year.

Josh Long 7:46
By the way, I looked it up, and in the iCloud article on Wikipedia, it says, “since its introduction in 2011, each account has five gigabytes of free storage for either an iOS device or a Mac.” So guess what? 2011, how many years ago is that? Let me see, 13 years ago. Wow, that’s kind of insane, like, how is this even still a thing? Anyway, rant over for now.

AirTag assists with apprehending package thief

Kirk McElhearn 8:14
Okay, we don’t often link to articles in the New York Post, but I found an interesting one entitled “Fed up California woman catches mail thieves by sending herself an Apple AirTag.” And this is really cool, because apparently people go up to people’s houses and steal their mail. And this woman was really annoyed, so she sent herself a package with a little Apple AirTag in it, and the person stole it, and she followed it, and she went to the police, and the thief is being held on a $50,000 bond.

Josh Long 8:38
Pretty clever. I actually really like this idea. So mail theft is, well, mail and package theft are, unfortunately, very common in certain parts of the world, and so I think this is pretty innovative, right? New way to use your Apple AirTag. You activate your AirTag, you mail it to yourself, and then when it gets stolen, now you’ll know exactly who stole your mail, and you can turn them over to the police. Now, whether the police will actually do anything about it, that may be an entirely different story.

Kirk McElhearn 9:09
Well, in this case, the police arrested this person. They found that she had mail from like a dozen other people, so this woman was a serial porch pirate. On top of that, I believe that stealing mail is a federal crime, isn’t it?

Josh Long 9:22
It is. Yeah, it is a federal crime. So yeah, you could get in some pretty big trouble for stealing somebody’s mail, for sure.

A hacked ISP may have allowed software updates to be compromised

Kirk McElhearn 9:29
Okay, so in malware, we have a story on Ars Technica saying that Mac and Windows users were infected by software updates delivered over hacked ISP, and this was a DNS poisoning attack that worked even when the targets were using DNS from Google and Cloudflare. So you need to explain what DNS poisoning is, Josh.

Josh Long 9:47
Okay, basically, if somebody upstream from you, so somewhere between your computer or phone and the website that you’re trying to connect to, if there’s some network connection in between that is compromised by an attacker, they could potentially do some malicious things. They could redirect your traffic. So a lot of people don’t realize that DNS, which is the Domain Name System, the way that this works is that when you type in, for example, apple.com, there’s a lookup that takes place, and it translates that into basically, I’m oversimplifying here, but it basically translates that into the IP address of the server that you’re trying to reach. So if you’re going to apple.com, it’ll translate it into whatever the apple.com IP address is. So it works this way for just about any website and other servers on the Internet that your device may be trying to connect to. Most of those connections in this day and age will go over an encrypted connection, meaning that if you’re trying to go to an HTTPS site, that connection request is probably going to be sent in a secure way, but very often, people will type in to their browser just, you know, whatever.com, and unless the browser is configured to only connect to a site if it supports HTTPS, then it may actually try to connect over HTTP, an unencrypted connection, first. So if there’s a man in the middle that’s doing DNS poisoning, and you don’t have your own DNS, like, manually configured where you’re choosing which DNS servers you’re going to connect to, then what could happen, and what happened in this case, is that the people in control of the ISP’s network actually were able to redirect people to Windows or Mac malware when they tried to make these unencrypted connections. So this is something that there are technologies that can prevent some of these things from happening, but unfortunately, not all those technologies were being used, and so some people ended up infected.

Kirk McElhearn 12:03
This sounds really complicated, and we’ll link to the article in Ars Technica where there’s a sort of a flow chart with graphics for computers and servers and all this. But it’s really not that complicated. If someone can hack the ISP, then basically it’s like they’re on a railroad track and switching the switch onto a different track, right?

Josh Long 12:21
Yeah, yeah, it’s kind of like that, right? So that’s, that’s a good analogy for it anyway. So I think one of the important things to take away from this is that browsers should, by default, only connect to sites over HTTPS. Incidentally, the Brave browser implemented a feature, I think it was in February last year, and the iOS version finally just got that feature this week, to only connect to sites over HTTPS. If a site supports HTTPS, it will connect to it over HTTPS.

Kirk McElhearn 12:55
Okay, let’s take a break. When we come back, we’re going to talk about that big data breach we talked about last week, because it’s gotten worse.

Voice Over 13:04
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple Silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.

Analysts predict hackers have stolen a huge haul so far in 2024

Kirk McElhearn 14:19
So hackers make a lot of money, and in fact, ransomware has earned at least $450 million in the first half of 2024. I say at least, because no one really knows; this is a prediction from an analysis company. This is a lot of money. And we don’t really see a lot of ransomware on the Mac, do we?

Josh Long 14:35
No, it’s not a very common type of malware that we see on the Mac. However, I thought this was worth mentioning, just because it’s not something that we should be complacent about, right? It’s really important, I think, to make sure that you’re backing up your data, that you’re keeping your data in multiple places. If you just have your data, some file that you created, if that only exists on your Mac, and that’s it, then that’s a little bit problematic, because what if somebody steals your Mac, what if there’s a fire or some other event that causes damage, and now you lose that data? So it’s really important to back up your data anyway. Ransomware is just one reason why you should be backing up your data. It’s not difficult to imagine that some of the stealer malware, which is really popular these days on the Mac, could implement ransomware as yet another step, another way for these stealers to make money. So the main reason for the stealer malware is that, first of all, it not only steals your passwords, remember, but it also looks for things like cryptocurrency wallets. So ultimately, the people who are running these Mac stealer operations, they’re trying to make money off of you at the end of the day. And so, you know, it’s just another step to add some functionality to now also, after they’ve stolen everything from you, also encrypt all your files and demand a ransom. But it’s

Kirk McElhearn 16:08
But it’s not worth the trouble to target individuals with ransomware. This money comes from businesses, hospitals, schools. The British Library had a huge ransomware attack, and I don’t know if they’ve even recovered from it yet. The money’s not there. Where the money is, and the same article points out, is cryptocurrency, which is stolen from cryptocurrency wallets using stealer malware. And they’re talking about $1.58 billion by the end of July 2024, so that’s well beyond what ransomware is getting. I remember when ransomware first started. It was targeting individuals: send me $100 in Bitcoin, or whatever it was. But it’s mainly targeting people with money now, right?

Josh Long 16:47
Well, a lot of the really big operations, and those are mostly the ones I think they’re talking about in this $450 million obviously, they’re not going to be ransoming individuals for anything close to that. And most of the time, I think these ransomware operations really do target big businesses, and they’re usually distributed in such a way that it’s not like something that you’re gonna accidentally download when you’re, you know, browsing the web or whatever, and then now it infects your one computer. That’s not the kind of thing that usually we’re talking about when they have these stories about ransomware being as big as it is and making as much money as it apparently does. Usually they’re talking about big organizations that their entire network now has been infected. Ransomware is all over the place, or they have really important systems, like servers that got ransomware installed and now they have no backup, unfortunately, because they or not a recent enough backup, and so they decide to pay the ransom. So it is the big businesses that are the big target most of the time when you’re talking about ransomware. But ransomware can also affect individuals too. So just something to be aware of. It’s not a big problem right now on the Mac, but it is something that could come back. We’ve seen Mac ransomware before, and we could see it again.

More trouble from National Public Data’s mega-breach

Kirk McElhearn 18:07
Okay, last week we talked about the National Public Data data breach, and it was, I don’t remember, 2.7 or 2.9 billion records. There was some disagreement on the exact number. Well, it turns out now that there was also a data breach of all of this, or much of this information in plain text, so usernames and passwords that weren’t even encrypted, they weren’t hashes of passwords. And why? How can this happen? This is too big. It’s gotten to the point where it’s too big. If everyone was using passcodes instead of passwords, we wouldn’t have this problem, because a passcode is a sort of a cryptographically generated agreement between a device and a server, and it can only work on a specific device, and it uses biometrics to verify that you are who you are, so Touch ID, Face ID, et cetera. I know it’s going to take a long time to get rid of passwords and move to passcodes, and presumably passcodes are going to be a lot more secure. But this is just ridiculous. All this stuff in plain text.

Josh Long 19:05
That’s the most shocking part about this, right? Like, anytime there was a website, I think it’s defunct now, but there used to be a website called Plain Text Offenders, and it was just a blog that listed, you know, people would email in their, you know, latest example that they got, so they’d forward emails from a company that they got that, for example, if they requested to reset their password, sometimes these companies would actually send the password in plain text in an email to that user, which means that they’re not storing it correctly. Because, technically, passwords should never actually be stored by a company. Like, what they should do is they should have a cryptographic hash of that password and, among other things, to better protect it so that these things can’t just leak. Like, having unencrypted, unprotected passwords is insane in 2024. This should never happen. And so the headline is so delightful, and yet so, like, mind-blowingly frustrating: “National Public Data published its own passwords.” Well, wonderful golf clap to you, National Public Data. Not only did you leak everybody’s Social Security numbers and their home addresses, but you also apparently leaked your own passwords, which you were storing in plain text. So good job. Wonderful job.

Kirk McElhearn 20:32
I saw on social media someone pointing out that he had a database of every Social Security number. The list, it started with 111, dash 111, dash 111111, dash 111, dash 111, dash 11112, so you’ve got all the Social Security numbers. This website, Plain Text Offenders, still exists. It hasn’t been updated since 2021. I’ll link in the show notes. I have several times in recent years received a plain text password by email when I was setting up an account on a new website that said, “Okay, here’s your password. Please sign in and change the password.” Now, is that dangerous? Does that mean that they’re storing the password that I change in plain text, or is that only the process for the first creation of an account, to give them a random plain text password so no one else can log in, but telling people to change it right away, which many people might not do?

Josh Long 21:23
Well, that is the question. I would suggest that if they are sending you a password in plain text when they first create your account, that does seem a little bit concerning, because the more common thing to do would actually be to just send you a link that you use to create your password, right? So they verify your email by sending you a link to your email address, you click on that, and then it takes you to their site, where now it prompts you to put in a password and confirm it, right? That’s the normal process. So if there’s any point in that process where they’re sending you a password in plain text, that is a little bit of a cause for concern, because that means that they’re storing at least some passwords in plain text, and maybe that means they’re storing all passwords in plain text.

US lawmakers may investigate other Chinese electronics manufacturers

Kirk McElhearn 22:09
Just as an aside, I got this recently for a WordPress site, and I think this is what WordPress does. It gives you a random password and it tells you to change when you log in. In fact, I think it forces you to change when you log in. Okay, so remember, it wasn’t long ago that US lawmakers were talking about banning TikTok because it’s owned by a Chinese company. Apparently, now they want to investigate TP-Link, which is a company that makes network hardware, routers, switches, a lot of enterprise-level network hardware, over Chinese hacking fears. US lawmakers were afraid that, since TP-Link is a Chinese company, that it’s going to raise the same kind of issues that they’re worried about with TikTok. By the way, how’s that TikTok ban going? Any news on that?

Josh Long 22:47
That’s a good question. Honestly, this is hard to follow, because I feel like this changes all the time. There have been all these attempts to ban TikTok. I don’t know where we are in the process right now, whether it’s going to happen or not.

Kirk McElhearn 22:57
So TP-Link, are you worried about them?

Josh Long 23:00
You know what? I’ve actually used their network hardware before. Not too many years ago, I was using TP-Link mesh Wi-Fi in my home. So it’s, it’s a big brand in your home. Gosh, oh yeah, it’s a well-known brand, and they had some good security features at the time, so I’m not currently using them. Honestly, I’m not really happy with any router brand right now. Like, that’s the problem. The biggest issue that I have is that they don’t tell you in advance, like, “we’re gonna support this hardware with firmware updates and security updates until at least this date,” right? Like, you can get that information out of some software companies. Microsoft’s been doing that for ages. Google’s been doing that with Android. And you know, you don’t get that, though, with a lot of other companies. Apple doesn’t even really do that. You kind of have a rough idea, based on Apple’s history, that they might support a product for five, six years after they initially released that product. But beyond that, like, Apple doesn’t even have, like, a stated policy, like, “we will support this until this date.” And it’s kind of the same with these router manufacturers too. So honestly, you know, TP-Link is yet another one of these companies that I don’t know how much I trust them, but I also don’t necessarily trust all the US-based brands, either.

Kirk McElhearn 24:25
Would you say that the router is the weakest element in our security chain?

Josh Long 24:31
Well, it is something that’s important to consider, because, remember, we talked about a man-in-the-middle type attack earlier, right, when we’re talking about an ISP being upstream from you or from your device. Well, guess what? Your router is also upstream from every device in your home as well. So if your router gets infected, well, that’s a pretty big problem, because it might get infected with some kind of malware that is specifically looking for any unencrypted data that’s passing through your network and maybe looking for particular juicy bits in there and exfiltrating some part about that to some attacker. So it is something you do need to think about carefully, and you need to make sure that when you buy a router that it’s at least currently getting firmware security updates from the manufacturer.

Kirk McElhearn 25:21
Well, the one thing to think about is, if someone gets into your router, they could potentially get into any cameras you have in your home, any other smart home devices, locks, for instance, smart locks. And the router has actually become a lot more important in recent years. With smart home devices, it needs to be extremely sturdy to prevent, even if, even if the software for these smart home devices may not have vulnerabilities, they could be discovered at some point. And if the router is the door into your smart home and someone finds a vulnerability in software for your lock or your cameras, they can get a lot of information, right?

Josh Long 25:56
And one other thing to think about here is that really most of the time your router is your firewall protecting you from everything on the internet that’s trying to spray all over the internet and just infect whatever it can. There’s all kinds of infected devices out there that are broadcasting all over the internet trying to find some other vulnerable things to infect, and some of those things that they may try to infect could include your router. It’s really not uncommon for there to be router malware out there that’s trying to get a foothold.

Microsoft security flaws may allow spying on users

Kirk McElhearn 26:30
Okay. Last news this week, there have been security flaws in Microsoft Mac apps that could let attackers spy on users. So apparently, these vulnerabilities allow attackers to inject malicious code into the apps, allowing the attacker to operate as the compromised app. Does that mean a hacker can make my Excel spreadsheets for me?

Josh Long 26:49
Well, I don’t think any malware is going to be creating spreadsheets for you or anything like that. Unfortunately, malware doesn’t usually do good things for you. But the important thing to know about this, I think, is that the Teams app and OneNote app, if using those apps in particular, Microsoft has removed the risky entitlement from those particular apps. However, the other apps, which are the more common ones, Word, Excel, PowerPoint and Outlook, those apps apparently remain vulnerable. According to Cisco, in fact, if you look up the vulnerability numbers, they’re not listed in the major databases yet, which is a little concerning. So I’m not sure why Microsoft isn’t patching them, but apparently Microsoft considers them low risk, which is a little bit odd, because in terms of their vulnerability score, they’re ranked pretty highly, like I noticed one of them, the Excel one, was like 7.1 out of 10, which is kind of severe. So there seems to be a little bit of a disagreement between Cisco, who found these vulnerabilities, and Microsoft, who’s saying, “Yeah, we don’t really care. Maybe we’ll patch it eventually.”

Kirk McElhearn 27:55
Okay, we’ll keep our eyes on this for next week, and we’ll let you know if anything’s been updated. Until next week, Josh, stay secure.

Josh Long 28:00
All right, stay secure.

Voice Over 28:04
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us in Apple Podcasts or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.
