Intego Mac Security Podcast

Apple Updates, VaporMalware, and the Cyber Trust Mark – Intego Mac Podcast Episode 303


Another round of Apple security updates, another instance of vaporMalware, and the UK’s drive to remove end-to-end encryption for messaging apps. We also discuss the coming Cyber Trust Mark, which is a way of labelling IoT devices.




Transcript of Intego Mac Podcast episode 303

Voice Over 0:00
This is the Intego Mac Podcast–the voice of Mac security–for Thursday, August 3, 2023.

In this week’s Intego Mac Podcast security headlines, we’ll get caught up on the operating system updates Apple released over the past two weeks. Ever heard of vapor malware? It exists…or maybe doesn’t exist. We have an update on the UK’s attempt to outlaw end-to-end encryption, which will permit access to text and message data. And the Cyber Trust mark and accompanying QR code will soon be appearing on Internet of Things devices and packaging. How does it help consumers? Now here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn and Intego’s Chief Security Analyst, Josh Long.

Kirk McElhearn 0:52
Good morning, Josh, how are you today?

Josh Long 0:54
I’m doing well. How are you, Kirk?

What did Apple’s July operating system updates patch?

Kirk McElhearn 0:56
I’m doing fine. I haven’t seen you in two weeks. Because last week you were in an undisclosed location. And of course, the week that you were away and we used the miracle of time travel to record an episode in advance, Apple released updates for everything fixing major vulnerabilities in the wild actively exploited and all that.

Josh Long 1:14
Right, one of these vulnerabilities that was actively exploited had previously been patched for at least iOS, macOS, and iPadOS. But they have now released that same patch two weeks later to watchOS, tvOS, etc. So now all the Apple operating systems finally get that patch for that WebKit vulnerability.

Kirk McElhearn 1:38
Is this the patch that was in that Rapid Security Response that they bungled?

Josh Long 1:42
Exactly, yeah. This was the Rapid Security Response that, if I remember right, I think it was originally July 10. And then they pulled it, and then it was July 12 when they re-released it. Last week, Apple has now released that patch for everything, as well as a bunch of other things that have been patched. One other actively exploited vulnerability was patched across the board for all of the Apple operating systems. And this one’s pretty interesting because it’s a kernel vulnerability that apparently, based on the information that Apple has given about it, looks like it was probably used to distribute TriangleDB malware via “Operation Triangulation”. Remember, this was the thing that was used to infect Russian iPhones with malware. It looks like they found yet another vulnerability and have finally patched that, and patched it for all the operating systems, not just for iPhones.

Kirk McElhearn 2:34
Which James Bond movie was that in?

Josh Long 2:37
We talked about this probably I don’t know what was it a month or two ago.

Kirk McElhearn 2:42
“TriangleDB!” “Operation Triangulation!” It just sounds like a Bond thing.

Josh Long 2:46
Yeah. But in any case, it’s good to know that yet another one of these big vulnerabilities that apparently was used by some nation state attacker or other has now finally been patched for all the Apple operating systems.

What is the Realst malware?

Kirk McElhearn 2:59
Okay, is there new malware that’s targeting macOS Sonoma, that’s not even released yet?

Josh Long 3:04
This is a good question, because headlines are saying that. Yes, there’s new Mac malware. It contains references to macOS Sonoma. And “Realst” is some stealer malware. We’ve talked about a variety of different kinds of stealer malware throughout this year. In fact, this has been probably one of the most commonly talked about types of malware on the Mac: malware that does things like stealing cookies. Remember, you can stay logged into websites using cookies. It’s not just something that keeps generic information about you or past visits to a particular site. It can also be a stay-logged-in cookie, which means that if someone gets that cookie, if someone steals it or exfiltrates it from your computer, now they can just stick that on their computer and log in as you. “Realst” is yet another thing that tries to steal a bunch of data from your devices. Stealer malware can also try to grab your passwords from your keychain, from your browsers, and a number of other things like that.

Kirk McElhearn 4:06
But macOS Sonoma is not released yet. (Yeah, I mean…) Should we be worried about this?

Josh Long 4:12
Not really. If you’re using Intego security software, we actually already were proactively detecting this threat way before it ever got in the headlines. So this is not something that you need to worry about if you’re using Intego VirusBarrier.

ChatGPT erroneously linked to Mac malware on the “dark web”.

Kirk McElhearn 4:25
So we can’t really get through an episode of this podcast without mentioning AI or ChatGPT, or all the wonderful things they can do. One thing I discovered recently is that, if you know what regular expressions are, or regex, these are things to find and replace things, and I discovered that ChatGPT can create regular expressions with natural language. So “find all of the letters that are capitalized, not following a space”, things like that. On the other hand, ChatGPT apparently has been uncovering Mac malware on the dark web. And this…there are so many variables here, like why…Why is ChatGPT uncovering malware on the dark web? Is ChatGPT the name of some new superhero?

Josh Long 5:07
I put this in the show notes because I feel like we got to talk about it because there’s headlines on all the Mac news sites today about this. But this is a lie. First of all, ChatGPT did not find any new Mac malware.

Kirk McElhearn 5:18
ChatGPT has no agency. ChatGPT can’t find anything unless someone asks someone to look at it.

Josh Long 5:23
And in fact, the research company that claims this didn’t actually use ChatGPT to find malware that’s out there. What they said was, hey, ChatGPT, is there other Mac malware that hasn’t been discovered yet? And then it was, yeah, probably. And then they were like, wow, well, we’re inspired by the answer. And so we’re gonna go hunting for more. And you might remember that we talked about ShadowVault recently. This is the same research agency that found ShadowVault, even though we still to this day have zero samples of it that have been confirmed by anybody in the entire antivirus industry. Unfortunately, these guys are grabbing a lot of headlines. And they have zero samples. They claim that there is some version of VNC, that’s “virtual network computing”, that is called HiddenVNC or H-VNC. And this can surreptitiously allow people to log into your computer remotely. And there’s some bad guy who’s supposedly selling this on the dark web. Again, there’s no samples of this. This type of malware does exist on Windows. If you have some of this malware on your system, which you most likely do not, then it’s probably going to get flagged.

The UK prepares to prohibit end-to-end encryption that prevents access to private data.

Kirk McElhearn 6:39
So basically, make sure you have Intego VirusBarrier X9 and you will be protected, because this is easy to spot. (Yep.) Okay. In UK news, Apple is threatening to kill iMessage and FaceTime if a controversial law passes eliminating end-to-end encryption. Now, I’ll put a link in the show notes to an article that I wrote on the Intego Mac Security Blog four or five months ago when this first floated, or maybe last year, and we have a podcast episode. Essentially, the UK Government wants to have backdoors so that if ever they want to check what someone’s doing, they can use a backdoor. And Apple has been adamant that they’re never going to put backdoors into anything. And just the idea of killing off end-to-end encryption. Could Apple actually prevent iMessage and FaceTime from working? That would be really surprising. This could be just a threat. Apple’s not the only one; I think Signal and Telegram and a couple of others have come out against this. But for Apple to say this, it’s pretty strong.

Josh Long 7:39
You did mention in that article that the UK government was planning this PR blitz to paint end-to-end encryption as dangerous. So this has been brewing for a long time. As far as all this goes, Apple saying that it is going to pull iMessage out of the UK if this law were to pass, I think that’s really interesting. I appreciate Apple’s solidarity with Signal and WhatsApp, which have both said the same thing: that they will not comply with a backdoor to end-to-end encryption. Plus, once you insert a backdoor, now everybody in the entire world basically can exploit that backdoor in some way or other, right? Every other government is going to want to put their hands in there, and very likely, eventually, some threat actor is going to find some way to exploit that same backdoor. And now there’s no end-to-end encryption for anybody. And that’s why so many companies are really pushing back on this kind of legislation.

Canon advises its customers not to rely on the factory reset function on many of its printers.

Kirk McElhearn 8:37
We have a pretty quick news item that we want to talk about. If you happen to have a Canon printer, and you sell the printer or give it away, you might be tempted to reset the device to factory settings. Normal, right? That’s what you always do. But if you do that, Canon is warning people to manually wipe the Wi-Fi settings before discarding it, because restoring to factory settings doesn’t restore to factory settings. Is that it?

Josh Long 9:01
Oops! (Oops!) That seems like kind of a big mistake. Right? I will just say in general, it’s important to make sure that any network connected device that you have, really any device that you ever have to input data into, like you put a password into it sometimes, especially in a workplace environment, right, you might have to put in a PIN in order to make copies, for example, something like that. I know there have been cases in the past where some of those big iron devices have hard drives in them that cache some of that scanned information or sent-to-the-printer information. In the past there have been researchers who have gone and purchased these scanning and copying units and have been able to recover tons of really sensitive private information from those drives. I would say even if you have a little consumer grade device, it may not necessarily be caching any data like that. But you do need to be careful about making sure that if it’s ever been connected to your Wi-Fi, well, it’s got your password in there somewhere; it hopefully is encrypted, and may or may not be. But it’s a good idea to clear that out. The difference here is that Canon is actually saying, even if you go through the trouble of setting back to factory defaults, it doesn’t actually do that. That is a bit problematic. And I hope that they’ll release a firmware update. Of course, who installs firmware updates on their printers? Right? (Yeah.) That’s the other problem.

Kirk McElhearn 10:32
I seem to recall a story a few years ago. Some printers have, what is it called, EPROM. So it’s like flash memory. And researchers bought some used printers on eBay that belonged to law firms, that had a bunch of documents that were stored in the memory, and they were able to access them.

Josh Long 10:50
Yeah, it’s a real thing. Just like when you get rid of your computer if you are donating it or selling it or recycling it, whatever you’re going to do, it’s a great idea to make sure that you securely wipe any data that’s on that drive first. You even have to do that on your other consumer devices, too, not just your computers.

Google using AI in test to produce news articles.

Kirk McElhearn 11:11
Okay, Google seems to be testing an AI tool that writes news articles. And I want to remind listeners that all the articles in the Mac Security Blog are handcrafted, artisanal, bespoke articles. And we do not use AI. Even though I sometimes use AI to generate bullet points for articles and things. I said earlier that we can’t go an episode without mentioning AI and ChatGPT. And this is something to be aware of: that we’re going to see news sources that we’ve trusted, all of a sudden, eroding that trust by pressing a couple of buttons to get articles instead of paying people to do them.

Josh Long 11:49
It’s not super easy to recognize. There are, of course, websites that will identify text that has probably been written by a large language model. But do you really want to have to install a browser plugin to, like, analyze every web page that you land on? Because now you’ve got another browser plugin. What if that goes rogue? What if somebody pays off the developer of that plugin? I mean, you know, like, it gets a little crazy. And so we don’t want to have to have an extra step of verification on every article. And so just be careful about where you get your news.

Kirk McElhearn 12:23
One other thing I want to mention about AI is, if you’re a writer and you use one of these online grammar checkers, it turns out that a lot of these are using your text to train their AI tool. Now, if you’re in a business environment, this could be text that shouldn’t get out of your business. So be very careful about this. Basically, any text you put into a form on the web is going to be snuffed up by some company and chewed up, and they’re going to do something with it. We’re gonna take a break. When we come back, we’re going to talk about the Cyber Trust mark, which is actually quite interesting.

Voice Over 12:57
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection; NetBarrier, powerful inbound and outbound firewall security; Personal Backup to keep your important files safe from ransomware; and much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the Special Discount Link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users, made by the Mac security experts.

What is the Cyber Trust mark?

Kirk McElhearn 14:13
Okay. Three words that don’t really fit together: “cyber”, “trust”, “mark”. Cyber and trust already don’t fit together. We see this “mark”, we think of Mark Z over there in…(Metaland.) Metaland, in the metalsphere, the multisports, the Unisphere, what is it? (The Metaverse.) Metaverse? Why can’t I remember that? Because no one talks about it anymore. Remember last year when Meta came out with this Metaverse, and they showed the funny Mark Zuckerberg avatar that looked like he was on The Simpsons. And everyone talked about it for a couple months, and then ChatGPT came out, and no one talks about the metaverse anymore. I think Facebook Meta actually is abandoning all this at the cost of billions of dollars. Anyway. Cyber Trust mark is a voluntary IoT, Internet of Things, label coming in 2024. We had a long pre-show discussion about this to try and determine what this actually means. As it stands right now, we’re constantly telling you, for example, if you have a router, update the firmware; don’t buy old things because they won’t get security updates. And there’s a lot of data that’s needed for users to understand how to use their Internet of Things devices that’s very, very hard to find. So this Cyber Trust mark is a funny little logo with a shield and what looks like Klingon spaceships in the middle. And Josh hates it because they have too many different colors. It’s basically an indication on a box; it’s going to tell you the QR code next to this gives you some information about the device that you’re buying. You scan the QR code, you’ll find out things like when was the device made, how long will it get security updates, what sort of data it collects, etc. This is all in the sort of planning stage, although I’m going to link in the show notes to a document from the National Institute of Standards and Technology from February 2022, where they laid out basically the conditions or requirements. 
It’s an RFC document, I assume a request for comment, that sort of thing, that puts down all the ground rules. Essentially, it’s going to ensure that, on the one hand, you see this little logo, and that means, oh, this is a device that I can trust, because that’s the trust in the Cyber Trust mark. On the other hand, that QR code is going to give access, presumably, to a government run database. It’s the FCC who’s running this. That should give you more information about the device, which is a good thing, right, Josh?

Josh Long 16:30
Maybe. (Maybe.) Here’s my perspective on this. This sounds really good. I liked better the idea that we talked about back in, I think, November: we talked about the IoT nutrition label. And Ars Technica had kind of a mock up of what that might look like. At that time, there was discussion of maybe these things could actually have more information on the packaging itself, or in the case of buying something online, maybe that could be one of the screens of information that they give you when you’re looking through all the pictures of an Amazon product, for example. The idea behind that label is that it would give you all the information that you need to know, to be able to easily identify: they’re meeting at least these minimum criteria in order to ensure my security and privacy if I’m going to buy this device. The problem that I have with the Cyber Trust mark, at least as it appears right now, and again, the standards are not finalized, but if all we’re talking about is sticking a logo on a box and having a QR code next to it, my fear is that people are going to see that logo and be like, oh, I know what that is. That’s the Cyber Trust mark. That means whatever this thing is, I can trust it. And I can put it in my home and I don’t need to worry about it. And I don’t think that that’s such a great idea. Here’s one reason why. Let’s say that something gets the Cyber Trust mark; they get approval to stick that logo on their box. Let’s say that three years later, they’re having a clearance sale. And they’re getting rid of all these devices. It turns out, behind the scenes, that the manufacturer is no longer selling that and no longer releasing updates for that device. But it had the Cyber Trust mark on the box. So you see it on clearance. And you think, oh, this is great. This is a Cyber Trust device, and I don’t need to worry about it at all. 
Now, if you were to actually scan that QR code, hopefully that would take you to a page where you get some more information about a potential end date for when they won’t release security updates for that device anymore. Maybe it would have that. Hopefully it would. But that’s where things get a little icky, because I don’t really foresee a lot of people scanning QR codes. They’ll just see that Cyber Trust mark, if they’re told that they should look for that mark, and they’ll think, oh, this device is safe, and it may not necessarily be safe.

Kirk McElhearn 18:58
Lots of good points there. I think what’s interesting is, and I was saying this before the show, that people who are buying Internet of Things devices today tend to be on the right side of the bell curve of technology savviness. So they’re going to be a little bit more aware. They may not know about the security updates, but they will know that that QR code is something that they can scan with their phone, because everyone knows QR codes now. I did think of something, though, while you were just talking about clearance sales, right? What if the store has put the price label on top of the QR code? You can’t access the QR code, then you’re totally out of luck. And you try to peel the price label off and it rips the QR code. And then you can’t do anything. The problem with the nutrition labels, and we’ll link to an article in Ars Technica that shows an example of what would be a good label, is they’re big; they take up a lot of space. And a lot of these IoT devices come in little boxes. Think of the size of an iPhone box, right? That nutrition label would take up, I want to say, two thirds of the back of the iPhone box. So you’re not going to really see something like that. If they make the font too small, then you can’t read it. There are always problems. I mentioned to Josh before the show the CE logo that you’ve probably seen, with the curved “C” and the curved “E”; it means Conformité Européenne. It is…in French, it means it meets European standards. You’ll even see devices in the US with the CE label on it, because these are companies that are based, let’s say, in China, and they’re selling things around the world. So they want to match the standards that are the most strict, which is often the European Union. I don’t know if they still do this. But when I was in the States, the Underwriters Laboratory put a little UL thing on electrical, you know, power strips and stuff. 
And that was like, oh, it’s been tested by the Underwriters Laboratory, which maybe it was, maybe it wasn’t. So none of these things are proof of anything. But what they mainly are is proof for distributors, importers, retailers, that a device does meet certain standards. If there is a QR code required, and this goes to an FCC database, then anyone can look this up, even before it gets to retail. Anyone can look this up and check to make sure that these devices at least meet some minimums, that they talk about how long they’ll get security updates, talk about what type of data they’re collecting, et cetera.

Josh Long 21:13
From that perspective, I think this could be looked at as a step in the right direction. First, they’re hoping to start this out with routers. And then it could expand to other Internet of Things devices, like maybe baby monitors and other things like that. At least they’re trying to make something that gives some indication on the packaging that this is a device that at some point or other has been tested and given some level of certification. That’s better than where we are today, where you buy an IoT device on Amazon and you have no idea what the security implications of this device are.

Kirk McElhearn 21:49
Looking at the document from the National Institute of Standards and Technology, it shows that a lot of thought has been put into this and that they’ve really narrowed down all the things we need to know. And what’s important is, if this information is in a database, it can be updated over time. So if a company does have something, let’s say they’ve extended security updates, or shortened security updates, or there are some issues, they could put this into the database. Now, they’d have to be required to do this. This would involve governments looking over the shoulder of companies, which I think is a good thing; we need regulation for this sort of stuff. This looks like the kind of thing that, if it works, it’s going to take 10 years to really get off the ground, to become common for everyone to use it. We might not be there yet. But I think it’s a good first step to try and do this.

Josh Long 22:36
Of course, another kind of scary thing about this is that now you’re going to be scanning a QR code and trusting that this is the actual QR code, and somebody didn’t stick, like, a label over the top, right, or a sticker with a fake QR code that’s actually going to infect your device or give you false information. I would not be surprised to see companies even sometimes putting a legitimate sticker over the top of that QR code, because oops, we made a mistake when we printed this package, and so now we’ve got to stick a little sticker on it. And now you’ve got to wonder: Is that sticker placed by an attacker? Or is this the legitimate sticker?

Google preparing to introduce anti-stalking measures.

Kirk McElhearn 23:13
Okay, Google has rolled out some anti-stalking measures for the AirTag and other Bluetooth trackers. And what really stands out here is it’s available for anyone with an Android 6 or higher phone. Android 6 came out sometime in the late 19th century, didn’t it?

Josh Long 23:30
It came out originally in 2015. This was actually called Android Marshmallow at the time, back when Google was using candy related names for all the Android versions. I don’t really understand how exactly it’s going to start appearing on Android 6.0 and later devices beginning today; the last time that Android 6 got a security update, I think, was 2017. So I’m a little confused as to how exactly that’s going to happen. But setting that part aside, Google says that they’ve been working with Apple and trying to come up with anti-stalking measures. And it’s not just AirTag, it’s also other Bluetooth trackers, like you mentioned. This is a step in the right direction when it comes to things like stalking. One of the big worries with AirTag is that it has been used in the past to track people. And that’s not Apple’s intent. The idea behind AirTag is usually to put it on a device that you own to be able to see where that device goes. So for example, if somebody steals your laptop bag, you’ll be able to find where your laptop bag is currently located. You can, of course, put them in luggage and all sorts of other things. We have actually a whole article on the Intego Mac Security Blog about all sorts of different clever things that you can do with the AirTag. But of course they can be abused. And so it’s good to see that Google has been working with Apple on this and finally has some measures in place to prevent them from being used maliciously.

Hard drive capacity increases; Power over Ethernet powers an M1 Mac mini.

Kirk McElhearn 25:00
Okay, two quick stories. One that I wanted to mention: I was very surprised to see in Ars Technica yesterday that Western Digital hard disk capacity hits 28 terabytes as Seagate looks to 30 terabytes and beyond. 28 terabytes. And I’m thinking back, it wasn’t that long ago I was buying one terabyte hard drives, and then two terabyte, and then four and eight. Now we’re up to 28. If you’ve got a lot of stuff to back up, 28 terabytes is a lot of stuff. Every time I bought one of those bigger hard drives, I always thought, is this safe? Am I gonna lose my data, right? If I lose 250 megabytes, that’s one thing. If I lose four terabytes… But every time, they seem to work mostly reliably. So 28 terabyte hard drives, and even bigger. By the time they get up to 30 or 50 terabytes, it’ll be cheaper to buy SSDs. Another thing that Josh wanted to talk about, and I spotted this too: someone hacked an M1 Mac mini to use Power over Ethernet. Power over Ethernet is a protocol that you can use, for instance, to connect an Ethernet cable to a router so it doesn’t need a power supply. There are lots of devices that can work with Power over Ethernet. And someone has an M1 Mac doing this, which means you don’t need that cable and power brick that goes on the floor. And it’s one less cable, assuming you’re using the Ethernet already. I think this is cool. I think, Josh, you should make one of these for one of your home computers.

Josh Long 26:22
It’s pretty cool. Now, most people are not really using Power over Ethernet. This is something that you see in business environments, because that’s the place where you’ll actually have network switches that are delivering power over Ethernet. You can’t just plug any old Ethernet cable into the back of your device and power it. You actually have to have power coming from somewhere. And that requires a special switch or router that will actually push power over that line. What they’ve done here is really clever. And this could be really useful in a data center. I think if you are an organization that uses a lot of Mac minis, this might actually make sense for you. Now, he did a lot of hardware hacking to make this work, because of course Apple doesn’t have Power over Ethernet built into Macs. But pretty exciting stuff to see. I haven’t seen a lot of clever Mac mods like this for a long time.

Kirk McElhearn 27:12
Maybe Apple will do this in the future, as you say, for data centers: it’s one less cable if they’re already going to be using Ethernet cables, and you can get rid of the power cable. So that’s a big deal for a data center. That’s enough for this week. That’s a lot, and we’ve got a lot of things we didn’t cover. So you’re gonna have to listen next week to hear all the rest of the news. Until next week, Josh, stay secure.

Josh Long 27:30
All right, stay secure.

Voice Over 27:33
Thanks for listening to the Intego Mac Podcast—the voice of Mac security—with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.