Josh attended this year’s RSA Conference, one of the big meet-ups about computer security, and discusses what he learned there. We also cover news about smart speakers listening to your conversations (again), a copy/paste issue that Apple says isn’t a big deal, and a new limitation by Safari on HTTPS certificate lifetimes that will affect some websites.
Voice-over 00:00
This is the Intego Mac Podcast—the voice of Mac security—for March 6, 2020. Smart speakers accidentally listen in. Apple puts a time limit on security certificates, but says copy and paste aren’t a security issue. Plus, Josh reports from RSA Conference in San Francisco. Now, here are the hosts of the Intego Mac podcast, veteran Mac journalist Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 00:42
Josh, it’s good to see you back. You’ve been away.
Josh Long 00:51
Yeah, I have. I’ve been at RSA Conference the whole past week.
Kirk McElhearn 00:56
We’re going to talk about some news, and then a little bit later in the show, we’re going to have you tell us what you learned at the RSA Conference.
Josh Long 01:02
Sounds great.
Kirk McElhearn 01:03
OK, we’ve talked about smart speakers a number of times on this podcast. And it’s an interesting article that came out today, which is essentially repeating what we already know. It says, “your smart speaker could be listening in on your conversations by accident.” But what’s interesting is this was a study by researchers at Northeastern University and Imperial College London, and they found that some speakers — Alexa, Google Assistant, Siri, and Cortana — can activate by mistake up to 19 times per day. And it’s all down to a simple case of voice assistants mishearing their wake words. Now, I never use Hey Siri. If I have something to ask Siri, I press the button on my watch or on my phone. I don’t use Alexa or any of the others. I would really like to have my own wake word, in which case I would be much more apt to maybe turn these things on. I would like to say, hey, Mxyzptlk.
Josh Long 01:55
Right. Exactly. You want to pick a wake word that is very difficult to accidentally say. And most of these devices don’t give you any sort of option like that. And I’ve always felt that two things, right? You want, ideally, a device to recognize your voice so that, say, you have a guest at your home that they can’t easily activate it by mistake or on purpose and mess around with you, right? And you also want to be able to pick your wake word. Now Amazon has sort of kind of done something similar to that, but they give you like three or four different words that you can choose from. But it’s not the same thing really as letting you pick your own wake word. And I understand maybe part of this is, it gets a little complicated because you need to pick a wake word that that device is going to consistently understand. And so they don’t want you picking something that it’s maybe going to misunderstand or maybe not understand your dialect or maybe you’re picking a made up word like you were suggesting. And it doesn’t know how to put that in. How do you even tell it, I want this word to always be recognized in this way. Was that made up word or was that an actual word?
Kirk McElhearn 03:16
Yes, Mister Mxyzptlk was a character in Superman comics. I didn’t make that up myself. It’s hard to spell. I can’t remember how to spell it, but it is a word that would be hard to recognize. Unless of course you’re watching a Superman TV show. And the study that they did was based on 125 hours of audio from various Netflix shows, including The Office, The Big Bang Theory, and Narcos. So if you were watching a Superman thing and you had chosen that wake word, it could wake up. And what they say is that the HomePod was the worst culprit because essentially anytime someone says, “Hey,” or “Hi,” followed by an “S” and a vowel, it tends often to wake it up. So like, “Hey, seriously, Josh,” that will wake up an iPhone or other iOS device.
Josh Long 04:05
Yeah. Oops, sorry. We might have activated somebody’s out there.
Kirk McElhearn 04:09
Yeah. Okay, one other bit of news that I want to talk about is, according to The Register, if you don’t know The Register, it’s a slightly snarky British publication. “Apple drops a bomb on long life HTTPS certificates: Safari to snub new security certs valid for more than 13 months.” When I bought SSL certificates for my website in the past, I had an option of buying for one year or two years or five years. What Apple is saying is that Safari will no longer accept HTTPS certificates that are more than a year. They’re using 13 months as a loose cutoff. So you won’t get caught if it’s just a year and a week left in your certificate. But if you have bought certificates that are for multiple years, you won’t be able to. Now, there’s a valid reason for this because these certificates may have been hacked at some point, and you need to not trust certificates for too long, because if you’ve got a certificate for five years that’s been hacked, then that’s a long time that it can be used fraudulently.
Josh Long 05:07
Yeah, there’s a lot of controversy over this one. Originally, I believe this was proposed by Google, the idea of limiting certificate lengths to one year. There was a consortium that voted on this and they basically chose not to adopt this industry-wide. So Apple just sort of unilaterally decided, “Okay, well, so what? We don’t care what anyone else says. We’re going to do this from now on and we’re doing it in the name of protecting everyone,” right? So as you say, you don’t necessarily want certificates to be valid for too far into the future because if one gets compromised, then now somebody could potentially reuse that certificate. However, there’s also ways to revoke a certificate that’s known to have been compromised. And so maybe Apple should have been spending its time on improving or encouraging better practices there and improving those systems. Some have argued, “It’s a little controversial and it’s sort of forced all of these companies that sell certificates to have to change their practices.” So now what they’re going to have to do instead, and this also of course applies to anybody who runs a website. You’re going to have to get new certificates every year instead of maybe getting one certificate and having it last for two years. If you’ve purchased multiple years of a certificate, you’ll just have to go and re-download another copy of that certificate that is valid from newer dates. And then just, you’ll still be able to get a certificate that lasts that long sort of, you’ll just have to replace it every year.
Kirk McElhearn 07:07
Right. And a lot of times people forget, in fact, I won’t mention names, but a very well-known tech website last week was all of a sudden unavailable because someone forgot to renew their certificate. When they got notified on Twitter, they took care of it within the hour, but it’s a bit of a problem. If for some reason you haven’t set a reminder, or if it’s not an automatic renewal with whoever issues the certificate. So, there’s always the trade-off between security and convenience.
Josh Long 07:36
Right. Now, if you’re using interestingly something like Let’s Encrypt, we’ve mentioned before that Let’s Encrypt is a service that allows you to get a free certificate for your website, but it has a very, very short window that it’s valid for, and then it has to be updated on a regular basis. If you’re using something with a very short window like that, that by the way, also bad guys use because it’s free and easy, that is totally safe and fine according to Safari. They have no problem with that. So it is a little bit funny, but some people are not very happy about Apple sort of forcing this change on the industry. And when you look at it from the perspective of yes, but if a certificate is compromised, what if it is compromised say a week or a day after the certificate is issued, or even a month? Now, you’ve got 11 plus months potentially that certificate is still out there and still valid. So how much is this really helping? That’s one of those things that people are sort of challenging Apple on, but they’ve already made their decision and it’s happening. It’s going to happen.
Kirk McElhearn 08:54
Okay, one final story. We’re going to keep this really quick. I find this interesting because if you remember a few weeks ago, we talked about how your precise location data can be stored in your photos. It’s a company called Mysk, M-Y-S-K, and they discovered that precise location information can leak through the system pasteboard. Now they submitted this information to Apple and Apple said they don’t see an issue with this vulnerability. What it is is iOS and iPadOS apps can access the general pasteboard. So if you copy something in one application, go to another, that next application gets access. And this is also the case on the Mac. If you were to copy a photo taken by the built-in camera app to the pasteboard, the GPS coordinates are in that and again, we’ll put a link to the article on the Intego Mac Security Blog where I wrote about this. Any app can get that information from the pasteboard. Now, is this a security issue or not? Because the other app might want it. Let’s say that I’m copying a photo and pasting it into an app. And I don’t know if these exist, but an app where it will use that location information to find information about that location. Right?
Josh Long 10:08
Yeah. So I think what’s interesting about this though is that it’s using a feature and exploiting it. This is something that you actually do want, for example, to have a password manager on your device that you can open up, copy a password, and switch to another app and paste that password. That’s how one of the ways that password managers typically work. Sometimes, in fact, increasingly now, apps have a built-in capability where you can input a password by tapping in the password field. And then in your keyboard, you’ll have a thing pop up that allows you to use a password manager to input the password.
Kirk McElhearn 10:54
Right. So you don’t have to copy it and paste it, but the app automatically interfaces with your password manager.
Josh Long 11:01
Right. So it’s not that you necessarily always need to have this ability to copy from something else. But let’s say that you’re using a password manager that doesn’t have that built-in integration with Apple’s password keyboard button. You may actually want legitimately to do this. Also another example where you may legitimately want to copy something and paste it into another app: Maybe you’ve got a one-time use password that was emailed to you. And so you open up your email program, copy that, and you want to be able to paste that into the website, two different apps. And perhaps you’re using a third-party browser or a third-party email client. And so it’s not even necessarily that you’re always going to be using Apple apps that should be allowed to have access to the clipboard. You need third-party apps to have this in certain scenarios. So this is a feature, not a bug, but it can be used against you.
Kirk McElhearn 12:01
But people need to be aware of it.
Josh Long 12:03
Yes, absolutely.
Kirk McElhearn 12:04
I use 1Password, I’ve mentioned before, both on iOS and on my Mac. On the Mac, in the preferences, you can choose how long a password or any item you’ve copied from 1Password remains in the clipboard. You can choose a number of seconds. On iOS, you only have an option to clear the clipboard automatically after 90 seconds. 90 seconds to me seems a little bit too long. I have mine set to 30 seconds on the Mac.
Josh Long 12:29
Yeah, at least it does give that option, which is I think important because if you forget to copy something else, what I do, because I’m paranoid and because I’ve done some research into this and I’ve found some surprising things, which I will write and talk about eventually. But I’ve gotten to the habit of just copying one character, let’s say like the last character of my email address. So if it’s a .com, I’ll copy the M or something. So I’ll paste the password and then I’ll copy the .com or something.
Kirk McElhearn 13:06
So to flush the clipboard.
Josh Long 13:08
Yeah, it flushes the clipboard immediately rather than waiting for that 90 seconds or whatever for it to clear out if you happen to be using 1Password.
Kirk McElhearn 13:16
Okay, let’s take a break and when we come back, we’re going to talk about the RSA Conference.
Voice-over 13:23
If you or someone you know has got a new MacBook or iMac or switched to the Mac from Windows, be sure to check out Intego’s New Mac User Center. It’s a one-stop collection of the things you’ll need to know about using your Mac. Intego’s new Mac user center covers plenty of the basics to get you running smoothly and smartly in no time. Of course, one of the first steps you’ll want to take is to install Mac security software from Intego to keep yourself protected. And right now, Intego Mac Podcast listeners can get 40% savings on Intego software, including Mac Premium Bundle X9. Intego Premium Bundle X9 is a suite of terrific Intego software that includes the antivirus, anti-phishing and anti-spyware protection of Intego VirusBarrier. Home and hotspot firewall security from Intego NetBarrier, parental controls for peace of mind from Intego ContentBarrier, and much more to help protect, secure, and organize your Mac. Download the free trial of Mac Premium Bundle X9 from Intego.com today and then use the URL https://offer.intego.com/PodcastMACAV_jr0w0yuu3 to save 40% on complete Mac protection and security with Intego’s Mac Premium Bundle X9. Intego: devoted to protecting Apple products since 1997. Visit Intego.com today.
Kirk McElhearn 14:45
Okay, so, Josh, you told us at the beginning of the show that you went to the RSA Conference. Remind us what the RSA Conference is.
Josh Long 14:56
Okay, the RSA Conference is a yearly event. They actually have a couple of these. There’s one that they do in the Asia Pacific region, I think, as well. But the main RSA conference event is in San Francisco toward the beginning of every year. And this is a security conference for geeks like me who like to go and watch all these sessions and visit all the exhibitor booths and watch keynotes and find out what everyone else is saying about, here are all the latest things you should know about in the security world. Sometimes people reveal new research that they’ve been working on that they haven’t spoken about elsewhere. And there’s lots of really good and interesting discussions on a variety of security related topics.
Kirk McElhearn 15:45
And what does RSA mean?
Josh Long 15:47
I feel like we talk about this every year, but there are three cryptographers named Rivest, Shamir, and Adleman. And those three came up with the RSA cryptography algorithm. And so they’re the inventors of RSA, the technology. And RSA, the company, named itself after that algorithm. So that’s where the RSA Conference then comes from. And then actually, interestingly, RSA Conference is a subsidiary of Dell of all companies.
Kirk McElhearn 16:25
Really?
Josh Long 16:26
Which is kind of interesting. Yeah, Dell owns RSA Conference now.
Kirk McElhearn 16:29
How many people go to this conference? And how many of them were wearing masks?
Josh Long 16:35
You know, there are a lot of people who go, I don’t know the exact numbers this year, but I mean, there’s easily thousands of people who attend these conferences. There were a fair number of people wearing masks. I mean, it certainly wasn’t like everyone there, but I would say, I don’t know, maybe 2% of people were wearing masks all the time. And I saw a lot of people traveling on the way there. So I took a train into San Francisco and there were a handful of people who were wearing masks on the train too. So yeah, and interestingly, I think a lot of places are kind of sold out of their N95 masks because of the coronavirus scare. Everyone’s kind of really worried about it. And so a lot of people are just like buying out stock of masks and things. But they did have hand sanitizer kiosks all around the expo floor and at the bottom and top of escalators and all those typical places where you might have recently shaken somebody’s hand or might be putting your hand on a hand rail or things like that. So they did a good job. I also did see conference, or Moscone Center employees, really, who were going around and wiping down surfaces like the check-in registration area just to kind of help to prevent the spread of germs. So that was good. They were doing a lot of things right.
Kirk McElhearn 19:17
So it’s kind of interesting though, a security conference with an actual virus around.
Josh Long 19:22
Well, yeah, a real-world virus and not just computer viruses, yes.
Kirk McElhearn 19:27
Okay, so of all these thousands of people, there aren’t many people who care about the Mac, are there? Apple doesn’t have any official presence. You told me before the show there was only really one talk about Mac malware.
Josh Long 19:39
Yeah, it was kind of, this is fairly typical. Okay, so Apple doesn’t like to have booths at other people’s events. It’s been a long, long time since Apple has done anything remotely like that. And it’s just, it’s just not Apple’s style, right? But so there’s not really any kind of Apple presence. Apple doesn’t sponsor shows like this. But there are usually one or two talks related to Apple or Macs at these conferences. And there was only one this year. There was another talk that actually mostly was focused on Linux malware, but kind of had a little bit to do with Mac malware. It was a very geeky and technical talk. We won’t talk much about that today, if at all. But the one interesting talk that was very specifically focused on Mac malware was given by Patrick Wardle, who is a frequent RSA Conference speaker, also runs the Objective by the Sea conference that I’m going to be attending very soon. And he spoke about kind of an interesting topic. His topic title was “Repurposed malware: a dark side of recycling.”
Kirk McElhearn 20:58
We’ll have a link in the show notes to a video of this on YouTube.
Josh Long 21:02
Yes. And so basically what he talked about is that, and he, you know, basically this could be with any kind of malware. It doesn’t have to be Mac malware, but he knows Mac malware. And so that’s what he was using as an example to present about. But among other things, he talked about the ability that hackers and nation state entities have of taking existing malware and tweaking it and repurposing it for nefarious purposes. And so one of the things that goes along with that is the idea of false flags. This is where somebody who’s creating malware specifically designs malware to look like it was created by somebody else. And one easy way for a nation state or anybody who wants to create some malware to do this is to just take some existing malware. There are samples out there. And even if you don’t have the source code, you can do something called reverse engineering to sort of figure out how it was built. And then you can repackage it and redistribute it. And there’s some things you can do to tweak it so that hopefully it won’t get caught. You know, and I say hopefully from the perspective of the attacker, hopefully it won’t get caught by antivirus products. And all of this ultimately makes it look like the original nation state or whoever developed that malware is just doing the same thing again. When in reality, it could be somebody else who’s just repurposing it. So that was one of the things that he emphasized in his talk.
Kirk McElhearn 22:44
So the goal of that is to make one country nation state look guilty of doing something that they weren’t doing.
Josh Long 22:52
Right. Sort of taking the fall for somebody else’s espionage or whatever they’re using this malware for. So that was one aspect of it. And of course, he also mentioned that it’s much cheaper. If you know you’re going to be developing some malware, but there’s already malware out there that does the thing that you want to do, it’s cheaper to just repurpose some existing malware rather than hiring somebody to write some new malware from scratch. And so also from that perspective, you know, he talked about how this can save attackers money too. And so that’s what they do. This is, by the way, none of this is like unique, you know, ideas that nobody else has thought of before. Patrick Wardle’s not giving anyone ideas. This is already something that, you know, bad actors are doing to try to infect people. And these are some of the things that antivirus companies always have that challenge of, you know, when we write signatures for malware, we need to make sure that we’re writing them in such a way that ideally they will catch as many new variants as possible even before they’re written.
Kirk McElhearn 24:04
Okay. So the theme of the conference this year was “the human element.” What were they talking about there?
Josh Long 24:10
The keynote speakers all, you know, were kind of encouraged to incorporate this theme. And it was obviously very broad, but one thing that the human element can mean is that, you know, we’re the weak link in security because you can have all the security controls in place that are available, you know, you can buy all the latest products and have all the latest features in them. But ultimately, the weak point often is the people because we’re weak when it comes to things like phishing. And although many of the people probably listening to this podcast and you and I might say, oh, yeah, no, it’s no problem. We can easily spot phishing attacks, right? We’ve been around the block. We’ve seen all kinds of samples of phishing malware. But all it takes is for one cleverly designed email that maybe it’s even targeted at you. There was one keynote speaker, I remember, who specifically said, I am one of these people who should never get fooled. And I almost clicked on a link once or I did click on a link and then I immediately realized that was a mistake. And that, it happens. And especially if somebody’s targeting you, if they know your psychology, your weak points, then they can take advantage of that.
Kirk McElhearn 25:32
And when someone does that specifically targeting an individual, it’s called spear phishing.
Josh Long 25:36
Right. Yeah. And sometimes it’s even called “whaling,” in the case of like trying to spear-phish a CEO or something. That’s also called CEO fraud, sometimes depending on the exact attack that’s going on. Sometimes people will pretend to be a CEO and email, say, the CBO, the chief business officer of a company and say, oh, I need you to wire something to so and so. And I need it done right now because I’m trying to get this deal and they will only give me 10 more minutes to do it or else they’re going to call off the deal. Those are the kinds of things that can psych somebody out and make them go and kind of panic and go, oh, shoot, I need to get that get on this right away. And they act before thinking.
Kirk McElhearn 26:22
Okay. So did they talk about deep fakes at all? I keep seeing more and more of these wonderful videos like it was a video from Back to the Future with Robert Downey, Jr. replacing, I don’t remember which actor it was. This is getting really serious.
Josh Long 26:37
They did. Yeah. Deepfakes came up quite a bit in a lot of conversations in some of the keynotes there. And one of the things that I thought was sort of an interesting perspective on this is this kind of thing comes along every once in a while, right? And there was a period of time you could say where you could kind of know if somebody was trying to pretend to be somebody else. And now we’re back in a period of time when that is becoming more difficult again. But there was an example given, I think it was at the cryptographers panel keynote, they talked about how back in like the early days of our country, right, of the United States, the founding of the United States, if somebody were to say that, you know, Thomas Jefferson said this or that, they could publish anything they want. And anybody could choose to believe that or not. And how would you know that he said that or not? Because there were no audio recordings. There were no video recordings.
Kirk McElhearn 27:46
And so you couldn’t Google it.
Josh Long 27:48
You couldn’t Google it! And so, you know, or check fact-checking websites or things like that. And so how do you know that somebody actually said what they’re purported to have said? It’s one person’s word against another. And so ideally, you know the person as well as you can and trust people that you believe you can trust. And hope that they’re trusting the right people or that they were there and can vouch for somebody. But we’re now, interestingly, getting back into another era where you can’t necessarily believe everything that you see or hear. And so that was kind of interesting to look at it from that perspective. You know, a lot of people are just very freaked out about the idea of deep fakes. But not thinking about it from the perspective of, yeah, but there is a certain element of, you know, you have to kind of be wiser than whoever is, you know, putting out the false information. Right?
Kirk McElhearn 28:51
Yes, but imagine someone gets a video of someone committing a crime and then puts someone else’s face on it, or someone takes a video of two people talking saying things and then puts the faces of politicians on it. Whereas they just created the whole thing to get a politician or several politicians to say things they didn’t say or have relationships with people they didn’t have relationships with.
Josh Long 29:17
Yeah. Well, and looking at it from the reverse perspective, you could also have somebody who really was caught doing something on video who says, no, no, that’s a deep fake. Right?
Kirk McElhearn 29:28
Right. So the question is, how do you authenticate these videos, right?
Josh Long 29:32
Yeah, and there are some people who have developed this type of software who are really good at identifying the little tiny flags in a video that can sort of tip them off to whether something is a deep fake or not. Now of course, this technology is continuing to advance and so it’s going to continue to get better and it’s going to become more difficult to identify whether a video is a deep fake or not. But—
Kirk McElhearn 30:04
It’s going to become undetectable. It’s just a matter of time.
Josh Long 30:10
And so again, that’s where we get back to deciding who you’re going to trust, right? If you see a video posted on social media, you don’t necessarily, you shouldn’t necessarily trust it. Even if it looks like somebody trustworthy, even if it looks like them, if it sounds like them, question the source, try to figure out what the original source of that video was. There, interestingly, there was actually a story just this past week. I don’t remember what country there, but there was a politician who had a deep fake video presenting themself, you know, the politician talking in a different language or dialect than what they actually spoke, to try to get a different segment of the population to be interested in voting for them. So we’re already seeing this actually being used as a tool to try to help politicians. And so there was some debate about whether this was done surreptitiously and like trying to deceive people into voting for them or whether this is, no, no, this is natural. This is normal because they want people who understand a different language or dialect to also understand what they stand for. So there, this is already happening in the real world, in politics, today.
Kirk McElhearn 31:36
Did you talk about election hacking at all? That’s going to be a big issue coming up this year, isn’t it?
Josh Long 31:41
Yeah. This is definitely always a hot topic. Election hacking is something that everyone always wants to know about. It was talked about last year too. And from multiple perspectives, right, because you have some governments who have been accused of meddling in other governments’ election campaigns. So that’s one element of this. And then there’s also the element of, okay, well, if we’re voting online or even just using electronic machines to cast our votes, how do we know that those machines or those websites or whatever they might be are reliable? How do we know that somebody is not breaking in and changing people’s votes? Or even, you know, that the developers of these are designing them in such a way that every so often it’ll change a vote without, you know, calling much attention to itself. And I think the best comments that usually come out of these discussions are basically that, you know, we probably shouldn’t be using electronics to vote; we should just stick to the old tried and true paper ballot methods and have reliable people counting those ballots.
Kirk McElhearn 32:57
Well, I know that I’ve seen elections, in particular when I lived in France, everyone votes in the local town hall or in a school in a city. And the paper ballots are there and they don’t move. And you have people from all the parties who are there watching the counts and just done very carefully, piles of 10, piles of 100. And so with the paper ballots, you always have a trace that you can follow. You can always recount easily, whereas with electronic, there’s absolutely no way. Okay, that’s enough for this week. I’m sure we’ll have another conference soon. You said you’re going to Objective by the Sea and that’s very soon. So you’ll be able to come back and tell us about what’s been talked about there, won’t you?
Josh Long 33:35
Yep. Yeah, I will definitely do that. We’ll have, I’m sure some real fun things because again, this is an Apple focused conference. So every talk is going to be Apple related, so that’s great.
Kirk McElhearn 33:45
Okay, until next week, Josh, stay secure.
Josh Long 33:48
All right, stay secure.
Voice-over 33:50
Thanks for listening to the Intego Mac Podcast—the voice of Mac security—with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to subscribe at Apple Podcasts or in your favorite podcast app. And if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the online show notes for the episode at podcast.Intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: Intego.com.
If you like what you hear, be sure to rate and review the Intego Mac Podcast on Apple Podcasts.
Have a question? Ask us! Listeners can contact Intego and ask us any questions that they want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.