The Biggest Data Leak Ever – Intego Mac Podcast Episode 357
Posted on by Kirk McElhearn
A massive data leak affects virtually everyone in the USA and Canada. What do you need to do? Apple will soon be allowing third party apps to make NFC transactions. We think that’s pretty cool, and we’ll tell you why. It’s a new week, which means there’s another variant of stealer malware. And we’ve got a big reason to avoid browser extensions: they may contain malware.
- Developers can soon offer in‑app NFC transactions using the Secure Element
- Apple’s requirements are about to hit creators and fans on Patreon
- Travel Tripod by Peak Design
- Daring Fireball: Apple’s Profits From Services Are on the Cusp of Surpassing Its Profits From Device Sales
- How Apple is changing from a hardware company to a services and media company
- Apple results: Quarterly record, all-time high in Services
- Invisible laser beam detects what a MacBook user is typing
- A critical security issue in 1Password for Mac left credentials vulnerable to attack
- ‘;--have i been pwned?
- Massive data leak: 2.7 billion records of U.S., Canada, UK residents, including Social Security numbers
- What to do after a data breach—and how to avoid getting hacked—in 9 easy steps
- Chrome and Edge users infected with malicious browser extensions that steal personal data
- Chrome extensions are a security nightmare; here’s why you should avoid them
If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.
Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you’re ready to buy.
Get Apple security news delivered straight to your inbox, for free. Intego’s twice-monthly newsletter will keep you informed about Apple-related privacy and security, along with tips and tricks for getting the most out of your Mac or iPhone. Subscribe for free—no strings attached.
Transcript of Intego Mac Podcast episode 357
Voice Over 0:00
This is the Intego Mac podcast, the voice of Mac security, for Thursday, August 15, 2024. This week’s Intego Mac podcast headlines include: a massive data leak affects virtually everyone in the USA and Canada. What do you need to do? Apple will soon be allowing third party apps to make NFC transactions. We think that’s pretty cool, and we’ll tell you why. It’s a new week, which means there’s another variant of Stealer malware. And we’ve got a big reason to avoid browser extensions: they may contain malware. Now here are the hosts of the Intego Mac podcast. Veteran Mac journalist, Kirk McElhearn. And Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:49
Good morning, Josh. How are you today?
Josh Long 0:51
I’m doing well. How are you, Kirk?
Apple announces upcoming support for third party NFC transactions
Kirk McElhearn 0:52
I’m doing fine. We’re counting down the weeks. According to my calculations, we’ve got three more weeks before we learn about the new iPhone, and then, in the meantime, we’re in that summer doldrums, where there’s not a lot of news, but surprisingly, there’s been a lot of news this week. We’re going to start with an announcement that Apple made just about an hour ago before we started recording. It’s Wednesday, the 14th, that we’re recording this, and Apple is saying that developers can soon offer in-app NFC transactions using the Secure Element. So let’s explain that. NFC is near field communication. That’s what you get when you tap your credit card on a payment terminal, right? Or, if you use Apple Pay with your phone. The Secure Element is the secure element in the iPhone. Didn’t it use to be called the Secure Enclave, or is that only the Mac? And this is the thing that guarantees all the cryptographic stuff and makes sure that it’s totally private and secure and that you won’t be scammed and things like that. What Apple is saying is that this is not only for payment, but this is also for things like car keys, corporate badges, student IDs, hotel keys, et cetera, et cetera. So there are two things going on. One, you can have a supermarket that creates their own app in which you could do your shopping and then pay using that app on their payment terminal. The other possibility is you could have an app, say, a university or a hotel would have an app that they give you for your ID, for your hotel key. There’s a setting that you’ll be able to set on your iPhone to choose which app opens when you double press the side button. So imagine you’re in college and you need to use your student ID someplace. You double tap, you authenticate with Face ID, and boom, it’s done. This is a really interesting idea.
Now one thing to note is Apple says that this is going to be available in Australia, Brazil, Canada, Japan, New Zealand, the UK and the US in an upcoming developer seed for iOS 18.1. They didn’t mention a whole bunch of countries in there, did they? What did they leave out?
Josh Long 2:49
Well, I first noticed that, like all of South America, all of Africa, but I know you’re probably thinking about the EU as well, right? It’s all of Europe except for the UK, which is kind of interesting.
Kirk McElhearn 3:00
I was trying to prompt you to say the European Union, which has mandated that Apple should provide access to the NFC chip in the iPhone. And for some reason, Apple is not saying it. This is a really interesting thing. This is just first steps, because they’re talking about developers getting access in 18.1, which means that they could have apps coming out around October this year, when 18.1 comes out. It’s interesting to see what you’ll be able to do with this. Now, if you can already pay with your iPhone and Apple Pay, I don’t see how paying with a separate app makes that much of a difference, because Apple is going to be taking a commission of whatever payment goes through these apps. So we’ll see what happens.
Josh Long 3:41
You mentioned the Secure Element, which, according to Apple’s press release, is an industry standard, and that’s related to the whole NFC thing. And the Secure Enclave is an Apple-specific thing, so Apple devices have both if they’ve got an NFC chip.
Apple requires Patreon to use Apple’s purchasing systems on iOS
Kirk McElhearn 3:56
Okay, so this is not the only news about Apple and getting a commission, is it? Apple announced that they’re going to require that Patreon, through the iOS app, only get payments using Apple’s in-app purchase system, and not through PayPal or something else. Currently, you can pay through PayPal. There are no in-app purchases in the Patreon app, and this means that Apple is going to take a 30% cut of all the money that goes to Patreon creators, which could be small people, or it could be some big people who get a lot of money. This is a bit disturbing, because are they trying to get, like, extra change from the couch these days, Apple?
Josh Long 4:37
Well, I really wonder what’s actually going to end up happening here. Patreon first announced this last year, that Apple was going to start requiring that Patreon use their in-app purchasing system and remove all other billing systems from the Patreon iOS app by November 2024, and no one noticed, right? Nobody, like, noticed it at the time, and so they put out another blog post just this week, bringing this back up again, in the hopes that there would be enough backlash against Apple that maybe Apple will not move ahead with these plans. So you mentioned PayPal there, and my immediate thought was, well, the eBay app. There’s no, like, in-app purchases for purchasing physical products in the eBay app. You use PayPal, typically, to pay for items that you’re purchasing on eBay, or you use a credit card. Yeah, yeah, you can use a regular credit card too, and none of that goes through Apple’s in-app purchase process. So why is it that Patreon is being singled out here? That seems really weird.
Kirk McElhearn 5:40
Well, what worries me even more is, if Apple’s starting to attack companies like Patreon, will they go after GoFundMe and Kickstarter? I mean, most of GoFundMe is charities. Kickstarter, well, it’s a lot of small projects, but there are some multi-million-dollar Kickstarter projects. Imagine if Apple took 30% of everything that went through the iOS app. Remember, you can go to the web for all these things, but some people might find it easier to use an app. I think what would happen is that these services would just either delete their apps or tell people not to use the apps to make payments. Maybe if they want to follow a Kickstarter and get news, but not make payments through the app.
Josh Long 6:19
Yeah. That really bothers me, especially when you’re talking about GoFundMe, and we don’t know if Apple is going to go after GoFundMe next, but just the idea that these are mostly small creators who are using Patreon, they’re not people who are making giant salaries off of the people who support them, that’s the whole reason for Patreon is so that individual creators who don’t work for a big company can get paid by their supporters, by individuals who support them. And so the whole idea of Apple just taking 30% of the revenue that individual creators are making, that blows my mind, that should not be the case.
Kirk McElhearn 7:00
I think Patreon takes either 8 or 12%, so you’ve already got a fee for that service, and that’s understandable, because they’re providing you the platform, the link, the payment service and all that. So you accept that. But what really bothers me is if they do go after GoFundMe. I mean, I donate to my local food bank with GoFundMe. I know someone in Texas; a few years ago, the weirdest thing, their house got struck by lightning and burned down, and so I donated some money, and that’s what GoFundMe is for me. Now, Kickstarter is a little different, because there are some people who fund small projects. Could be writers, musicians, etc., but there are some very large companies. There’s a company called Peak Design that makes camera accessories, and I use a lot of their products, and their last product was a tripod a couple years ago, and they raised over $12 million for a goal of half a million. So there’s a lot of money in Kickstarter for some of the projects, but all these things are small. Now this also makes us look at the amount of money that Apple has made from services. I don’t know how many years ago I wrote an article for the Intego Mac Security Blog. I’ll have to find it and put a link in the show notes, saying that Apple is becoming a services company. We have an article from John Gruber at Daring Fireball, where he’s quoting Jason Snell, pointing out that Apple made about $22 billion in profit from product, so that’s hardware, and 18 billion from services. It’s the closest those two lines have ever come to each other, and services keeps going up, and hardware stays more or less flat. One of the big things about services for Apple is it’s very steady from quarter to quarter.
I’ll link to Jason Snell’s overview of Apple’s latest financial report, where he does these wonderful charts, and you can see that, wow, the iPad jumped up this quarter because there were new iPads, and then for two or three quarters it drops, and the iPhone is always really strong in the quarter at the end of the year, but the rest of the year, it’s not. So services do allow them to have regular income, but it’s not like they need to have regular income with the amount of money they have. The idea of them going after Patreon, it seems it makes them stingy. Would that be the word? They want to squeeze blood out of every stone they can.
Josh Long 9:04
Yeah, it doesn’t feel right. I hope that by Patreon bringing this up, it’ll shine a spotlight on Apple and encourage enough of a backlash that Apple will change its position on this. And I do wonder how many other small developers who are not as big, who don’t have the same platform as Patreon, have also gotten similar notices from Apple that, hey, we’re going to start taking a cut.
Apple News+ contains multitudes of ads
Kirk McElhearn 9:28
As long as we’re on the topic, I want to rant about Apple News+. So when I bought my M4 iPad Pro, Apple offered me a three-month trial of Apple News+. And I put it off for a while, and then last week, I decided to do it just to see what Apple News+ is like. Now, I use Apple News daily, and I follow a number of channels, and I get some interesting information. Apple News+ here in the UK is £12.99; I think it’s $13.99 in the US, and you still get ads when you pay for Apple News+. It’s not just that, it’s that the ads on some of these publications are terrible. I’m going to give you an example. There is an article in the Wall Street Journal. So this is something I wouldn’t read otherwise. I don’t have a Wall Street Journal subscription. It’s about people wanting to salvage the wreckage of the Titanic. It’s a fairly long article, so here’s three paragraphs and here’s a photo, and two more paragraphs and two more photos, and then “people born 1944 to 1973 with no life insurance could…” Four paragraphs, photo, “the shoe Americans swear by for pain relief.” Four paragraphs, a photo, “the shoe orthopedists swear by for pain relief.” A few more paragraphs, couple photos, “seniors across the US are loving these wooden jigsaw puzzles.” I’m not finished. A couple paragraphs, a photo, “closing sale, wooden puzzles start at 4.99.” Couple paragraphs, couple photos, “premium wooden jigsaw puzzles.” Just one article. This is seven ads, and they’re wider than the column of text and photos in the article. They’re big, in-your-face ads. They are obnoxious, the sleaziest ads you could get. I mean, the ones about, like, people born between this and that, life insurance. We mentioned last week or the week before that Apple has brought Taboola in to do the ads for Apple News.
So Taboola is the sleaziest ads that you see on cheap websites, at the very bottom of the website, with “you’ll never believe what happened when…” And I can’t believe that Apple News+ is so pathetic. I would not pay for this. If there were no ads, I would actually consider it, because there are a lot of publications that have articles that I like to read, but I’m not going to subscribe to The Wall Street Journal or to this magazine or that magazine. This is just pathetic, what Apple has done to Apple News+. Now, it’s not new. They’ve had these bad ads for a while, but you look at this and you feel like this is not an Apple product, with that sort of ad.
Josh Long 11:41
Apple changing from a hardware company to a media and services company? Well, if part of that is making a ton of money on obnoxious ads and gouging developers, you know, for that 30% cut that they want, I don’t know. I don’t know if I like this Apple. This doesn’t, this doesn’t sound like a great Apple.
Researchers gotta research
Kirk McElhearn 12:01
I know. Things have changed from a company where you felt really proud to be using their hardware to a company that feels like they’re trying to nickel and dime you to death. Okay, just a quick story, which is kind of, I think we do one of these every three months, one of these proof-of-concept things: an invisible laser beam detects what a MacBook user is typing. And we’ve had these microphones down the hall, or video cameras, or flashing lights? What was it? LED lights, the way they flashed. And then researchers are always finding this sort of thing. I don’t know if any of these will actually be used in anything other than a Tom Cruise movie, but it’s kind of interesting to see that what you’re doing on a computer is not limited to the computer, and it emits radiation and light and energy, and it can be read somehow.
Josh Long 12:48
Yeah, this is pretty interesting research, and we’ll link in the show notes to an article about this. This article shows an example of exactly what he typed and what the laser picked up. So he’s got “Hello and welcome to the laser microphone test,” and the test results are not the exact words, like, it shows a couple of, like, repeated letters and things in there, but you can pretty much read exactly what he typed, in spite of it not being exactly perfect. So this might not be great for getting someone’s password, but at least you could use this to tell pretty close to what somebody typed, which is pretty surprising, how accurate it is.
Kirk McElhearn 13:25
Well, if you’ve ever looked at a keystroke recorder, you know that one thing it does is it shows all of the keystrokes. So if you type a couple letters incorrectly and then type backspace a few times, it’s going to show all the keystrokes. Now, it would only get a password if you’re actually typing the password. If it’s using autofill from your browser or password manager, then it’s not actually being typed. But it is kind of clever that it detects from the sound and the vibrations, and each keystroke has a different sound, and it works it out, and it’s close enough to get a text message or an email that someone’s typing in a Tom Cruise movie. Okay, we’re going to take a break. When we come back, we’ve got lots more interesting news.
Voice Over 14:07
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection; NetBarrier, powerful inbound and outbound firewall security; Personal Backup to keep your important files safe from ransomware; and much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma and the latest Apple Silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego. World-class protection and utility software for Mac users, made by the Mac security experts.
Stealer malware variants continue to proliferate
Kirk McElhearn 15:23
We have a new stealer, which is called Banshee Stealer. Now, stealer malware, we’ve been talking about this type of malware quite a lot. It steals information on your Mac. It steals your passwords, your keystrokes, without needing a laser. It can steal your crypto wallet, if you have crypto wallets, and other things. This is the malware of 2024, isn’t it? We’re seeing one every few weeks, a new variant.
Josh Long 15:49
Oh yeah, there’s constant new variants. There’s AMOS, which is kind of the OG that’s been around for a long time, and really, for a while, AMOS, or Atomic macOS Stealer, as it’s more properly known, was kind of the only one in the market, and since then, there have been others that have been developed that are based on the same code as AMOS. This is one of those. Banshee Stealer appears to have been developed by, probably, one of the original developers who worked on AMOS, who is now developing Banshee Stealer and going out on their own with their own product. So, interestingly, this showed up on some forums, hacker forums, where people try to sell these things and make them available to third parties who want to use some existing malware to infect people to steal their, again, cryptocurrency, passwords, or whatever other things they might be going for. So Banshee Stealer is yet another player in the macOS stealer malware market.
Kirk McElhearn 16:51
Now we’ve been doing this podcast for, believe it or not, nearly seven years, and I don’t think we’ve been talking about stealer malware for more than a year. Did it not exist before, or was it called something different? Well,
Josh Long 17:02
I guess you could say that backdoor malware had some of these capabilities before, and of course, there were keystroke loggers and things like that. So in some form or other, there have been similar types of malware in the past. It’s just that stealer malware is more specifically focused on going after your password databases and taking your cryptocurrency, if you have any on your system, and other things like that. Stealer malware, the whole point of it is to just sit in the background, gather all this stuff and then exfiltrate it to the attacker, right, all silently behind the scenes, and they don’t really care about anything else. That’s all that stealer malware is designed to do, is just grab that stuff and go, and then who cares what happens after that? You can detect it with a one-off antivirus scan after that, and, well, they’ve already stolen your data. This is a good reason to be using active scanning antivirus software on your machine. Of course, Intego VirusBarrier will detect Banshee Stealer and AMOS and all of these others. Of course, that’s what I would recommend. But maybe I’m a little bit biased. I mean, this is the Intego Mac Podcast, after all.
Browser extensions can contain malware
Kirk McElhearn 18:13
Okay, we have an article in Tom’s Guide that says Chrome and Edge users are infected with malicious browser extensions that, ready for this, steal your personal data. What to do? Now, we’ve been talking about browser extensions for a while, not necessarily in the podcast, but in our conversations. And I would almost think that we should just say to people, don’t install any browser extensions. I mean, there are some that might be safe. We’ve mentioned I use 1Password, and 1Password has a Safari extension, but I don’t know that I would trust any browser extension, because these extensions get access to anything that you enter in your browser. So they can even get access to a credit card number if you enter it into a web page to buy something. It’s really hard to trust them. Now on the Mac, if you use Safari, extensions come through the Mac App Store. They used to be bundled inside apps, and now they’re actually separate. So you’ll download, for example, the 1Password Safari extension, and the app you download doesn’t do anything but hold that extension. With all the things that we’ve seen of the Mac App Store and the iOS App Store, the review process is not very efficient. I don’t know how much I would trust a random extension that I find, even on the Mac App Store, in Safari.
Josh Long 19:27
Well, we know specifically with the Chrome Web Store, this has been a problem. In fact, I just recently wrote an article about this, just a few weeks ago: Chrome extensions are a security nightmare. And in that article, I talked about how Google was bragging recently in a blog post that less than 1% of all installs from the Chrome Web Store were found to include malware, which is kind of crazy, if you think about it, because that means, like, really, like, one in 100 extension installs is malware. Like, that’s not a good record. Why are you bragging about this? There was even more research that over 346 million users installed one of these security-noteworthy extensions in the last three years. And in this recent article that you mentioned, at least 300,000 Chrome and Edge users have fallen victim to this particular malware campaign that’s been active since 2021. This is crazy, because these extensions have been around for literally years, and Google hasn’t noticed that. I mean, how does this happen? Like, how are they not reviewing extensions closely enough, and just letting them sit there for years, infecting people’s systems? It kind of blows my mind. Like, really? How is it that bad, Google’s review process? And I would hope that Apple’s is a little bit better, but at the same time, we also very frequently see more and more iOS apps and macOS apps that are basically malicious, or at least sketchy, scammy apps that are somehow getting through Apple’s review process. I just do not use any third-party extensions, except for the, like, one or two where I know I can trust the developer.
Kirk McElhearn 21:10
Speaking of 1Password, there was a critical security issue in 1Password for Mac that left credentials vulnerable to attack.
Josh Long 21:17
Right? This was very specifically 1Password version eight for Mac. If you have 1Password eight for macOS, you want to make sure to update to the latest version, which will fix this vulnerability. So specifically, 1Password says that this issue enabled a malicious process running locally on your machine to bypass inter-process communication protections. So as long as you’ve got the latest version, then you’re safe from this. Also, they noted that if you’re still on 1Password seven, that wasn’t affected by this either.
Huge data breach contains hundreds of millions of entries
Kirk McElhearn 21:51
Yeah, 1Password’s weird, because they released 1Password eight and left 1Password seven still maintained. So you’ve got two versions. It’s because they changed a lot in 1Password eight, and a lot of people didn’t want to use it. So use it. I think a lot of this is because enterprise customers didn’t want to upgrade to eight, so they’re keeping both actively developed. So if you do have seven, you don’t need to upgrade to eight. It looks different. It runs on a different framework, but you might want to update to eight just to be safe, because eventually seven will be dropped, and then it becomes insecure. Speaking of insecure, there was a massive data leak. And, you know, we’re used to numbers of data leaks that have 100 million or 200 million people. This one had 2.9 billion people, well, 2.9 billion records, right? And it’s thought that this will include the personal data of every person in the US, UK and Canada. Obviously your data is in multiple companies and owned by multiple services, and somehow this is all aggregated, and 2.9 billion. It’s like, what’s the point anymore? Why should we even bother to keep this stuff secure? It’s going to leak sooner or later.
Josh Long 22:57
Yeah. I mean, obviously it’s important for every company to properly secure their data. This company, apparently, where this data came from, National Public Data is the name of the company. They collect and sell personal data for things like background checks by private investigators, etc. There were more records leaked than the total number of people living in these three countries, which is kind of crazy to think about, but apparently the reason for that is because they included individual records for people based on every address where they’ve lived in recent history. That’s why there were more records than the number of people, which is kind of crazy to think about. So yeah, very massive data leak, and it apparently did include Social Security numbers. And what can you do about it? Unfortunately, you can’t change your Social Security number if you live in the US, so you’re just kind of out of luck. Unfortunately, maybe National Public Data will offer identity theft protection. I kind of doubt it, because, again, they’d have to offer that to every single person in the US…
Kirk McElhearn 24:05
Or maybe they’ll send out $10 Uber Eats gift cards to everyone.
Josh Long 24:10
Yeah, that you can’t actually redeem.
Kirk McElhearn 24:13
Although 2.9 billion, that’s a lot of gift cards. I’m just trying to think, is there any worry to have a company that has public data of everyone in the country? Did no one ever think that this could be a problem? And it was. This is a company that presumably bought this data from data brokers and credit card companies and banks, insurance companies, to collate it all. And didn’t anyone think that putting all this data in one place might be dangerous?
Josh Long 24:39
You would think so, right? Like that just seems kind of obvious.
Kirk McElhearn 24:42
It’s worth pointing out that of all these records, only a small amount contained passwords. So if you go to the Have I Been Pwned website, I’ll put a link in the show notes, you can put your email address in and find if that email address has been in a data breach. There’s only 133 million, 134 million National Public Data accounts. That means that out of the 2.9 or 2.7 million, it’s not sure what the exact number is, only a small amount actually had email and password information. The rest is, as you said, addresses, Social Security numbers and things like that. But you should go to haveibeenpwned.com, enter your email address and find how many times your credentials have been leaked, and for every account they list, you should change it. Now, Apple’s password manager, which is iCloud Keychain, this is going to change with iOS 18; it’s going to be a separate app. It will tell you if any of your credentials have been in a data leak. And it has a thing, I think it interfaces with Have I Been Pwned, and you can go through and you can see which ones need to be changed. There’s a button, Change Password on Website, if you have any. I’ve got lots of them, but most of them are accounts that I don’t use anymore, or accounts I’ve already changed the password on. Some of the accounts aren’t even recognized. Some don’t exist. So you should go through these and find if there are any important websites where your credentials have leaked. Now, this is particularly important if you use the same password on multiple websites. And if you listen to this podcast, I don’t think you do that, because out of 357 episodes, we probably mentioned not to do that 112 times. If you do repeat the same password on multiple websites, don’t do it. Get a password manager or use iCloud Keychain. I’ll put a link in the show notes to our complete guide to using iCloud Keychain.
And as I said earlier this year, in the fall, with macOS Sequoia and iOS 18, there will be a standalone Passwords app, which will make all of this easier to manage.
Josh Long 26:29
Although you can’t necessarily do anything about the data that’s already out there, there are some things that you can do to minimize your risk after a data breach. I recently updated an article on the Intego Mac Security Blog called “What to do after a data breach, and how to avoid getting hacked, in 9 easy steps.” So you can look for that. We’ll have a link in the show notes to that as well.
Kirk McElhearn 26:50
Okay, that’s enough for this week until next week. Josh, stay secure.
Josh Long 26:53
All right. Stay secure.
Voice Over 26:56
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us in Apple Podcasts or subscribe in your favorite podcast app, and if you can, leave a rating, a like or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the podcast at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.