Intego Mac Security Podcast

NightOwl, Downfall, and LinkedIn Hacks – Intego Mac Podcast Episode 305


A banal Mac app for granularly adjusting Light Mode and Dark Mode was bought out by a shady company and may have enlisted Macs in a botnet. A new Intel CPU vulnerability may affect older Macs. And a lot of LinkedIn accounts have been hacked; we offer some suggestions on how to protect your account.


If you like the Intego Mac Podcast, be sure to rate and review it on Apple Podcasts.


Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.


Transcript of Intego Mac Podcast episode 305

Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, August 17, 2023.

This week’s Intego Mac podcast security headlines include: a few observations on the 25th anniversary of Apple’s revolutionary iMac computer. The DownFall vulnerability that affects Intel processors may or may not affect Intel Macs. LinkedIn experiences a widespread hijacking attack that affects a large number of users. And what happened when a developer sold his popular app to a potentially shady company with a questionable business model. Now, here are the hosts of the Intego Mac Podcast, veteran Mac journalist Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.

Kirk McElhearn 0:52
Good morning, Josh, how are you today?

Josh Long 0:54
I’m doing well. How are you, Kirk?

Kirk McElhearn 0:56
I’m doing just fine. You know, I’m thinking of a Tweet that you posted yesterday, or the day before, pointing out that we’ve been doing this podcast for almost six years. And we’ve never missed a week. This is episode 305. Six years, never missed a week. That’s pretty good. Congratulations, Josh.

Josh Long 1:11
Yeah, that’s pretty awesome.

What was updated in the August watchOS update?

Kirk McElhearn 1:13
I’ll congratulate you again when we get to Episode 312, which will be our sixth year podcast anniversary. Okay, this week, we have all the Apple updates again, for the Apple Watch.

Josh Long 1:23
Yeah, this is kind of funny because it fixed zero security vulnerabilities. Really, the only thing that it seems to do, according to the patch notes, is fix an issue that prevented access to motion data for apps that use the movement disorder API to track tremors and symptoms associated with Parkinson’s disease.

Kirk McElhearn 1:44
They’re always sticking something in that they don’t tell you about.

Josh Long 1:47
Yeah, there could be other things too, but at least there are no security vulnerabilities that they’re letting us know about. If you do go to the Apple security updates page, they say that there are no CVE entries, meaning at least there are no numbered, named vulnerabilities included in this, so nothing that they thought was worth pointing out.

What is DownFall and will it affect my Mac computer?

Kirk McElhearn 2:06
Okay, we have a security issue which is called DownFall and, I mean, come on guys, you’re taking all these dismal names, you know, DownFall, that’s the name of that movie with Hitler in his bunker at the end. It’s been memed to death. You know, the actors saying things that they’re not really saying. DownFall? This is something to fix on Intel Macs. So my Macs use Apple processors, they’re not affected. And it looks like it’s something that cannot be mitigated? Is this correct?

Josh Long 2:34
There’s some question as to whether this really applies to Macs. There’s an article from Macworld “DownFall and Intel Macs: What Do You Need to Know About The Flaw and Fix. Years of Macs use affected processors.” But it’s unclear if they’re subject to the attack or not. So yes, there’s a big Intel vulnerability, a whole bunch of vendors have released patches, but Apple is not one of them. And it’s not really clear whether this is an issue that necessarily affects Macs. And if it does, then maybe Apple will release a patch. But we just don’t know yet.

Kirk McElhearn 3:10
Well, we’ll link to a microsite from the security researcher who detected this who, naturally, reserved a domain DownFall dot page because you got to give a name to your malware or your vulnerability. You got to reserve a domain, got to have a logo, got to have theme music and all that. And you can look at it. I don’t think we’ll ever know if Macs are affected.

Josh Long 3:33
I guess we’ll know if Apple releases a patch for it. But I don’t know that they’re going to necessarily do that. This is another one of those things like Spectre and Meltdown, that seems like an enormous deal. That everybody should be freaking out and pulling their hair out and, you know, making their processors much slower than they were before because we’ve got to mitigate this vulnerability. At this point for Apple, Intel’s in the rearview mirror, they’re never going back to Intel. And I just don’t think that Apple really cares all that much about Intel Macs anymore. So unless this is an issue that’s being exploited in the wild on Macs, I don’t really expect Apple to do much about it.

DEF CON proof-of-concept dupes some conference attendees

Kirk McElhearn 4:13
Okay, in our notes here, you say something weird happened at DEF CON. Before you say what happened. Explain what DEF CON is.

Josh Long 4:21
DEF CON is a security conference that happens yearly in Las Vegas. It happens right around the same time as Black Hat. There’s Black Hat, DEF CON, and also there’s a BSides Las Vegas, and they all happen within days of each other, every year in Las Vegas. At DEF CON, there were a bunch of people who were posting on social media about getting these weird pop-ups. One person posted a video of what this actually looks like. They’re getting this message popping up on their iPhone just out of the blue that says join this Apple TV. And they’re not trying to connect to an Apple TV, and it just pops up on the iPhone. They tried shutting it off and turning it back on, and that doesn’t seem to fix it, it still keeps popping up. And so a lot of people were experiencing this. And these were fully patched devices. And so it kind of seems like maybe there’s some zero-day vulnerability that some silly person playing around at DEF CON was exploiting.

Kirk McElhearn 5:29
The video shows a little device that’s being used as a proof of concept here.

Josh Long 5:33
Well, there’s an article in TechCrunch today that says that they think they figured out what’s going on. They say that there’s a device that will give you this ability to pop up these kinds of alerts, and trick people potentially into sharing their password. That seems to be what was going on. We don’t really have a whole lot of other details, but we will link to that TechCrunch article if you want to read more about what they think was going on.

LinkedIn website experiences widespread hack

Kirk McElhearn 6:02
So LinkedIn. Josh, do you use LinkedIn regularly?

Josh Long 6:05
Every once in a while, like I sometimes get messages. It’s mostly like I get messages from spammers, right? Like they’re trying to get me to work with them on something or get me to go to some conference or this or that.

Kirk McElhearn 6:19
It’s the same here; every two months or so I go into LinkedIn, because I’ve gotten a message from someone. Apparently, a bunch of LinkedIn accounts have been hacked in a widespread hijacking campaign. I wouldn’t even notice, because I use LinkedIn so rarely. I don’t know how many people use LinkedIn a lot. It’s like, when you’re looking for a job, you’re going to use LinkedIn. But for most people, it’s only something they go to occasionally. So you might not even know that your account is hacked.

Josh Long 6:44
Yeah, that’s a good point. It depends on the person, right? Some people post a lot of things on there, they use it like, you know, a social media place to just post things. I don’t do that. Usually on LinkedIn, I’m not checking it every day, so you might not notice it, yeah, if you’re more like us and don’t really use it all that often. So just something to be aware of. A lot of accounts apparently are being hacked and locked out for security reasons. If that is something that is of concern to you, you know, make sure you’re using good practices in terms of your passwords, make sure you don’t have it connected to old email addresses. Remember, we’ve talked about that before, you know, you may have at some point connected that to an email address that you used at a previous employer. If you no longer work there, make sure that you take that email address out of your LinkedIn account, because somebody working at that company could potentially get emails intended for you and sign into your account and lock you out of it.

Apple’s iMac computer turns 25 years old this year

Kirk McElhearn 7:48
That’s a good point. Okay, we’re recording this on Wednesday, August 16. Yesterday was the 25th birthday of the iMac. Now, we have two kinds of iMac birthdays. The first one is when Steve Jobs presented it. But August 15, I believe, is the day that the first one actually shipped. And we just wanted to share some memories about iMacs because it’s true that when the iMac came out, it was revolutionary. It was the first personal computer that felt like you wanted it in your home. It wasn’t a beige tower. It wasn’t big and noisy. You could put it on a table and not be embarrassed to have a computer. And it was an all-in-one. Now there were a couple of all-in-ones that Apple had before that, but they were still beige and ugly. I remember that first iMac. It was such a shock, when you’re working with computers and they’re tools, to have something that all of a sudden feels like just something that’s part of your home in a way.

Josh Long 8:43
Yeah, it was almost pod-like, like a translucent egg, or (Yeah) you know, because it had an old CRT monitor with all the computer guts kind of packed into it. So it was just like you had a monitor and nothing else. But you could plug your keyboard into it. It had a nice little door on the side that gave you access to the ports. And there were very few ports; I think, was it two USB ports on the first model? (On the first model, yeah.) Yeah. And of course you were supposed to plug your keyboard into one of those and have your hockey puck mouse plugged into your keyboard then. The other port was for your printer, probably. That’s about it. It had a built-in 56k modem.

Kirk McElhearn 9:25
Which I think might have been the first personal computer with a built-in modem. You could get a modem card for computers, but this was, you know, it came standard with the computer.

Josh Long 9:35
And of course Apple had advertisements about how it was three steps to connect to the internet. Step one, plug it in. Step two, turn it on. Step three, there is no step three. It really was a revolutionary product in a lot of ways. It kicked off the whole craze for several years after this. We saw all these products with translucent plastic, and not just computer peripherals. I mean, there were PC manufacturers, obviously, who were trying to copycat Apple. But then it started to bleed into all sorts of other tech products that were not even really computer related. There were coffee machines and all sorts of other things that had translucent plastic for several years after that.

Kirk McElhearn 10:17
So we both had a number of iMacs. And I think we’re both working with iMacs right now. I’ve got the 24-inch M1 iMac, which is two years old. And I said on this podcast, this Mac is gonna last for five years. And I see no reason why it won’t, given the way the processor works with what I need to do. Over the years, there’s just something about the iMac. And of course, PC manufacturers have copied this now with all-in-one computers. But there’s just something about it that kind of just makes sense as a computer. On the other hand, I’ve always felt like I’ve got this really good display, and wouldn’t it be nice to be able to use it with something else, like a Mac mini. Now Apple doesn’t even sell normal priced displays anymore. You can’t even do that, with the cheapest display being like $1,500. But the iMac has always felt like it’s everything you need, you don’t have to worry about connecting things and plugging them in. I say that, well, I have a Thunderbolt dock, which has 17 ports here, I have a USB-C dock in the back with four more ports, I have cables going over to my hard drives. So you can’t really use it without connecting a lot of stuff. But it’s its own self-contained world. And I think that’s a real success on Apple’s part to have made that shift in personal computing at the time.

Josh Long 11:28
It’s pretty amazing that product line has lasted that long. And granted, it’s very different now than what it was 25 years ago. You know, that CRT all-in-one is a far cry from the, you know, M-series based flat screens that we have today. But that iMac, the whole concept of the all-in-one desktop computer, has lived on and is still very successful today.

Kirk McElhearn 11:55
Well, if you remember, the first flat screen iMac came out in 2002. So that wasn’t long after the initial iMac. I like to call that the Pixar Mac. So that was the one that had the white hemisphere on the bottom and the articulating screen. So that was pretty early. So we’re at more than 20 years of flat screen iMacs. The CRT was only that one model over several years with different revisions. Let’s see, it was sold until January 2022. So three and a half years. But from then on, we’ve got flat screens, and that was actually, for me personally, in my work, a big change to have an all-in-one Mac with a flat screen, not too hot, not taking up space, etc. Anyway, we’ll come back in three more years to confirm that I’ve still got this M1 iMac. And we’ll come back after this break to talk about NightOwl, which might be an app that joins Macs to a botnet army.

Voice Over 12:52
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X 9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Ventura, and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X 9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the Special Discount Link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.

What happened to the NightOwl app?

Kirk McElhearn 14:08
So we have an extensive article on the Intego Mac Security blog: “Did the NightOwl App Really Join Macs to a Botnet Army?” So some definitions first: a botnet is when computers are taken over by malware and they connect to a command-and-control server remotely. And you can instruct these computers to do something. It’s very often used in denial of service attacks, where you instruct a million computers to attack a website, just to load pages, but to overwhelm the server. They can also be used to store files that can then be accessed remotely. They can be used to do crypto mining and all sorts of things. But the point of a botnet is that one person is controlling a lot of computers that aren’t theirs. So let’s start by talking about what the NightOwl app is.

Josh Long 14:51
Okay, so NightOwl is an app that’s been around since 2018. And it’s a third-party app developed originally by Benjamin Kramser. And he wrote this app as a way to give you more granular control over Night Shift. So the whole thing where your Mac kind of shifts from daytime to nighttime colors, you know, light mode and dark mode; to make that transition, he built this app to give you more granular control. So you could, for example, choose certain apps that you wanted to stay in light mode, and others that you want to shift to dark mode, and things like that. So it gives you a whole bunch of extra functionality beyond what macOS has built in. Well, in November of last year, he decided to sell the app. He was looking for a buyer, because he had just kind of gotten to the point where he didn’t want to develop the app anymore. And he knew there were still a lot of people who used it. And so he didn’t want to just drop development of it. And so he was looking for a buyer. Well, he found a company to buy it. And then it seems that that company made some interesting decisions about how they were going to monetize the app. Of course, they bought the rights to this app, and so it made sense that they would want to make some money off of it. And of course, this new developer made some assurances to the original developer that they were going to monetize it in certain ethical ways, it was going to be on the up and up. That’s what was promised to the original developer.

Kirk McElhearn 16:28
So what did they do? Did they essentially turn this into a scam app?

Josh Long 16:31
Well, they added some functionality that would connect this app in the background to a remote Secure Shell server. And so it was making these private communications back to a server controlled by the developer for purposes other than just checking for updates and things like that. So that already seems a little bit sketchy, right? That’s not normal behavior. It also included this framework called “Pawns”, like in chess. It sounds a little sketchy, right? Why are they calling me a “pawn”? Like, why would somebody be including some framework that’s sort of implying that I’m a pawn in their game or whatever? So Pawns is a framework that allows a developer, or really anybody, to monetize an app, or install this framework surreptitiously on somebody’s computer, and then they can utilize that to make money off of that endpoint, or that potentially infected computer’s internet access. So they can use your internet connection as a proxy for someone else’s traffic. Whoever that might be is really up to the company that’s behind Pawns.

Kirk McElhearn 17:48
So if I go to the Pawns website, it says passive income online, make passive money online by completing surveys and sharing your internet. So I’m thinking why would you be sharing your Internet? In other words, let’s say you have a lot of bandwidth and someone doesn’t have a lot of bandwidth. Well, they’re not getting more bandwidth when they’re connecting to your computer. So what’s the point of this? It sounds shady.

Josh Long 18:12
That’s the thing, it’s like, what would you want to use this for? Maybe you would want to use it for something kind of like what people sometimes use Tor, the onion router, for, right, which is often illegal or illicit behavior.

Kirk McElhearn 18:27
Or at least sharing illegal content…

Josh Long 18:30
Or accessing illegal content. (Yeah.) That’s the real concern here. As we were discussing this before the show, Kirk was like, wait a minute, does that mean that somebody could, if you had NightOwl installed, could somebody use your computer to, for example, access illicit pornography or something like that? The whole idea behind Pawns is very sketchy. In any case, the developer had decided to use this framework. And it wasn’t clear to users of NightOwl that all of this stuff was going on behind the scenes. And that’s where it gets really, really uncomfortable. Because if you had been a user of NightOwl for all these years, you’ve had no reason to distrust it, maybe you didn’t know that the developer had sold it to another company. And now it’s doing things like this behind the scenes, behind your back. That seems like a really big violation of trust.

Kirk McElhearn 19:23
So the thing that I don’t see on the Pawns website is what the people connecting to your computer are doing. I asked you before we started recording if you knew how Spotify served content in the early years. They used a peer-to-peer system, kind of like BitTorrent. So if you had listened to a certain song, and I wanted to listen to it, and you were closer to me, I would maybe get that song from you. You would be uploading it from the cache on your computer, I would be downloading it. And Spotify would be saving money on servers. Now, in 2016 they stopped doing this and they moved to Google Cloud. But in the very early days, and they were clear about this, I think you could choose the amount of bandwidth you set, you could even turn it off. But they sold this as a feature where you’re sharing with other people. Here with Pawns, I don’t see any app that connects to the Pawns network that I could download. Now I’m thinking, okay, it’s a BitTorrent app, but still, someone should be telling me that this app is going to give me access to this 1.8 million army of computers that Pawns is using, and the fact that they’re not suggests that there’s something going on that’s very illegal behind it.

Josh Long 20:35
The Pawns parent company, which is called IP Royal says that they have 8 million IP addresses that they claim are 100%, ethically sourced IP addresses. That automatically should sound pretty sketchy.

Kirk McElhearn 20:48
“Ethically sourced”. Yeah.

Josh Long 20:50
Don’t worry, it’s all ethically sourced. 100% ethically sourced. Like, why are you trying to sell me on that? Shouldn’t it be obvious that it’s ethically sourced? There’s obviously some shady things going on behind the scenes here. And so they were trying to monetize the app, the new developers of NightOwl that is, are trying to monetize the app in a way that seems shady at best. This was originally written about by a web developer; he wrote this up on his blog June 28, and finally in August it got picked up by the Hacker News site, and other sites picked it up as well. And so Apple decided, we’re just going to revoke their developer certificate. That forced the developer to take the app offline. You can’t download it today, and it wouldn’t work anyway, you wouldn’t be able to install it now, because Apple has revoked their developer certificate. At this point, there are no new installs of NightOwl. And what the developer, the new developer that is, is trying to do is figure out a way they can kind of get back in Apple’s good graces, you know, right their wrongs and legitimize NightOwl again. And well, good luck with that. I don’t know how they’re going to actually convince Apple to unblock their developer account. I’ve never heard of that happening before. Maybe it has, but I don’t know of it.

Kirk McElhearn 22:12
On the Pawns website, they have a list of business cases, how unrestricted Internet access helps our clients. And they still don’t say how you become a client. The one that stands out to me is social media management. “Businesses often operate multiple accounts to promote their brand. However, most platforms frown upon or strictly prohibit this practice. With a countless number of IPs, our system helps circumvent these restrictions.” This sounds to me like, we want to put 500 fake reviews on Amazon, we want to make 1,000 followers or 10,000 followers for someone’s Instagram account. I don’t want to say it’s illegal. But this doesn’t sound like it’s anything that’s ethical.

Josh Long 22:55
Exactly. Apple did the right thing, first of all. Is this necessarily a botnet? We haven’t seen it doing anything illegal. But by the time that what it had been doing really became widespread knowledge, Apple had revoked the developer certificate, so there wasn’t a whole lot that we could do to test it. We don’t know that it ever did anything illegal or shady. But the framework was there. So it was possible for the developer or clients of Pawns to potentially use NightOwl computers or something like that. And now they can’t. And the Pawns framework, by the way, and some other components of this that were a little bit shady, were already being detected by Intego definitions long before this really even came into the news cycle. So even if you had installed this at some point, not only would Virus Barrier have blocked those components, Net Barrier, which is Intego’s firewall solution, would also have alerted you when the app was trying to connect to this strange SSH server behind the scenes as well. And so it would give you the option to block that request. You were protected in a couple of ways if you’re using Intego software, even before we knew that this was potentially unwanted behavior.

Kirk McElhearn 24:18
So I was just looking on Google while you were talking. And I found tons of articles about these types of services. Here’s one: “11 Bandwidth Sharing Apps”. And what I find interesting is this article says you can leverage your connectivity to earn a passive income while helping others gain access to reliable internet. I don’t get it, their access to the internet is local. Your bandwidth doesn’t give someone in another country more bandwidth. I’m surprised I never heard of this before. But there’s something fishy going on here.

Josh Long 24:48
Another thing that you could potentially get around: you know, a lot of times if you’re using a legitimate VPN service, for example, you’ll get all these really obnoxious CAPTCHAs and things like that if you’re browsing around the web. Even trying to go to google.com, you’ll often get CAPTCHAs saying this network you’re connecting from is suspicious, just because a lot of people are using that same IP address from even a legitimate VPN. Also, Wikipedia: if you want to edit a Wikipedia article, well, you can’t do that from any known VPN network. This is also something that people could potentially use to work around those things. Wikipedia, that’s another one of those things where it’s very intentional, they’re blocking VPNs because people often try to use VPNs to maliciously edit Wikipedia. This could be a way around that, using one of these so-called bandwidth sharing services.

Kirk McElhearn 25:42
Okay, at the same time, we have an article in The Register: a maker of a Chrome extension with 300,000 users tells of constant pressure to sell out. Anyone with a sizable audience in this surveillance economy is invited to stuff their add-ons with tracking and ads. Now, in the one case of NightOwl, it was someone who bought the app in order to add this stuff. And people who were using it maybe weren’t aware of the change. But here it looks like this one particular developer received more than 130 solicitations to monetize his Chrome browser extension. There’s something going on out there. There’s something wrong on the internet. And we don’t know what it is. Is there that much value in getting access to computers like this? Because here they’re talking about tracking and reselling user data. Is there that much value in this?

Josh Long 26:33
So there are a few different things that can happen here. Another thing that happened in the past was, we’ve even seen legitimate apps that have been hacked, in some cases multiple times. In the case of Transmission, a BitTorrent client, many years ago, twice in the same year, their actual developer site got hacked, and they began to distribute malware unbeknownst to the actual legitimate developer of this app. So that was one thing that can happen, where a legitimate app is overtaken by a bad guy forcefully. Another thing that can happen is something like what happened with NightOwl, where the developer’s just looking for a buyer, sells it to someone, they claim they’re going to do something unethical, and then they apparently don’t. Yet another thing that can happen now is what we’re talking about with these Chrome extensions. You know, this particular developer of this Chrome extension has 300,000 users of this extension, and so of course people are going to want to, you know, get immediate access to 300,000 computers. And so if they can spread their malware or potentially unwanted software to 300,000 users at a time, yeah, you better believe they’re going to be trying their best to get access to that extension. So, you know, imagine if this is just one developer, 130 solicitations. So this probably happens all the time to a lot of developers.

Kirk McElhearn 28:02
Now, you always say download software from reputable developers. And we don’t always know who’s reputable. Download from the Mac App Store, in which case we know that Apple has checked it, but it’s not perfect. What really worries me here is that if I were doing this, sharing my bandwidth, and I have gigabit fiber, someone could be doing something illegal through my computer. And in that case, I could be held responsible for it.

Josh Long 28:26
Yeah, that’s a bit scary. Someone could come knocking on your door from a federal agency and say, I know what you’ve done, and you have no idea what they’re talking about.

Kirk McElhearn 28:35
Okay, that’s enough for this week. Until next week, Josh, stay safe and stay secure. All right, stay secure.

Voice Over 28:43
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.