Mac users beware! Hackers are selling ‘the most sophisticated’ Mac malware ever

Just because you’re using a Mac doesn’t mean you’ve escaped the malware threat.

David Bisson

Mac users beware! Malware-as-a-service is a threat for you too

Two new security threats, a malware-as-a-service (MaaS) platform and a ransomware-as-a-service (RaaS) program, are designed to specifically target machines running Apple macOS.

The MaaS platform, known as “MacSpy,” responds to what its authors feel is an ongoing lack of “sophisticated malware for Mac users”. Of course, that perception is not entirely accurate. We’ve seen numerous sophisticated malware strains developed for Macs over the past year or so.

It’s true, however, that MacSpy takes this budding proliferation to the next level by making macOS malware more accessible to users with low levels of technical expertise.


To get started with MacSpy, users sign up by emailing the author their preferred username and password. They then receive an email instructing them to download a ZIP archive using the Tor browser. Unzipping the archive launches the malware-as-a-service program.

Email containing download instructions for MacSpy. (Source: AlienVault)

When installed on a computer, the malware comes with numerous measures like anti-debugger checks in an attempt to avoid analysis. It also seeks to obtain persistence before executing. AlienVault researcher Peter Ewane explains what happens next:

“Upon execution, successfully passing the anti-analysis checks and setting persistence, the malware then copies itself and associated files from the original point of execution to ~/Library/.DS_Stores/ and deletes the original files in an attempt to stay hidden from the user. The malware then checks the functionality of its tor proxy by utilizing the curl command to contact the command and control server. After connecting to the CnC, the malware sends the data it had collected earlier, such as system information, by sending POST requests through the TOR proxy. This process repeats again for the various data the malware has collected. After exfiltration of the data, the malware deletes the temporary files containing the data it sent.”

The exfiltrated data, including screenshots, keystrokes, photos synced with iCloud, recorded audio files, retrieved clipboard content, and browser information, appears in directories that are accessible from the malware’s user web portal.
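A defender-side check built from the one on-disk indicator the article names, the hidden ~/Library/.DS_Stores/ directory the malware copies itself into. This is an added example written for this page, not AlienVault's tooling and not code from the MacSpy authors. It assumes a POSIX filesystem (execute bits), and the broader check for any directory that borrows the .DS_Store name is an assumption of this example, not something the article states.

```python
"""Hunt for the MacSpy drop location described in the article.

Added example, not AlienVault's or the article's own code. The only
indicator taken from the article is the hidden directory
~/Library/.DS_Stores/; the ".DS_Store-lookalike directory" generalisation
below is an assumption.
"""
from __future__ import annotations

import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# From the article: the malware relocates itself here, a name chosen to blend
# in with Finder's legitimate .DS_Store metadata files.
MACSPY_DROP_DIR = Path("Library") / ".DS_Stores"
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def inspect_home(home: Path) -> list[Finding]:
    """Return indicators found under one user's home directory."""
    findings: list[Finding] = []
    drop = home / MACSPY_DROP_DIR
    if drop.is_dir():
        findings.append(Finding(str(drop), "MacSpy drop directory present"))
        for child in sorted(drop.rglob("*")):
            if not child.is_file():
                continue
            executable = bool(child.stat().st_mode & EXEC_BITS)
            findings.append(Finding(
                str(child),
                "executable file inside drop directory" if executable
                else "file inside drop directory",
            ))
    # Generalisation (assumption): Finder writes .DS_Store as a *file*, never
    # a directory, so any directory under ~/Library with a .DS_Store-style
    # name is worth a look even if a variant changes the exact spelling.
    library = home / "Library"
    if library.is_dir():
        for entry in sorted(library.iterdir()):
            if (entry.is_dir() and entry != drop
                    and entry.name.lower().startswith(".ds_store")):
                findings.append(Finding(
                    str(entry), "directory masquerading as .DS_Store metadata"))
    return findings


def demo() -> list[str]:
    """Build a constructed, infected-looking home in a temp dir and scan it.

    Returns the reasons found so the result can be checked without touching
    the real home directory. Contents are constructed stand-ins, not MacSpy.
    """
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        assert inspect_home(home) == []  # a clean home yields nothing
        drop = home / MACSPY_DROP_DIR
        drop.mkdir(parents=True)
        binary = drop / "macspy"
        binary.write_bytes(b"\xcf\xfa\xed\xfe")  # constructed stand-in payload
        os.chmod(binary, 0o755)
        (drop / "collected.tmp").write_text("constructed staging file\n")
        (home / "Library" / ".DS_Store_cache").mkdir()
        return [f.reason for f in inspect_home(home)]


if __name__ == "__main__":
    hits = inspect_home(Path.home())
    for finding in hits:
        print(f"{finding.reason}: {finding.path}")
    if not hits:
        print("no MacSpy indicators under", Path.home())
```

Run it as the user whose account you are checking; it only reads that user's ~/Library. A hit on the drop directory is a strong indicator because nothing legitimate creates a directory with that name, while the lookalike check is a lead to investigate rather than proof of infection.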

The “basic” MacSpy offering is free. But for an unspecified number of Bitcoins, users can gain even more functionality. These “advanced” features include the ability to access emails and social media accounts, retrieve any files/data, and encrypt the user directory “in a few seconds.”

MacSpy’s basic and advanced features. (Source: AlienVault)

Its encryption capabilities aside, MacSpy is a quintessential spyware program.

Online criminals looking for a true ransomware package need to look elsewhere.

As it turns out, they don’t need to look too far; it appears the same authors are behind a ransomware-as-a-service platform known as MacRansom.

MacRansom’s features. (Source: Fortinet)

Like MacSpy, MacRansom runs anti-debugging checks and tries to obtain persistence on the machine. It then encrypts the victim’s files using a TargetFileKey. According to Fortinet’s researchers, the way this key is handled is unusual:

“A remarkable thing we observed when reverse-engineering the encryption/decryption algorithm is that the TargetFileKey is permuted with a randomly generated number. In other words, the encrypted files can no longer be decrypted once the malware has terminated – the TargetFileKey will be freed from the program’s memory and hence it becomes more challenging to create a decryptor or recovery tool to restore the encrypted files. Moreover, it doesn’t have any function to communicate with any C&C server for the TargetFileKey meaning there is no readily available copy of the key to decrypt the files. However, it is still technically possible to recover the TargetFileKey. One of the known techniques is to use a brute-force attack. It should not take very long for a modern CPU to brute-force an 8-byte long key when the same key is used to encrypt known files with predictable file contents.”

Once the encryption routine has completed, this ransomware demands 0.25 Bitcoins (approximately US $700) from its victims. Its ransom message instructs users to send payment to a ProtonMail address.

It’s unclear how MacSpy and MacRansom are making their way onto unsuspecting users’ computers, but we can assume it’s through the usual distribution vectors of exploit kits and malspam campaigns. Under that assumption, users can protect themselves by exercising caution around suspicious links and attachments and by regularly updating their systems.

They should also back up their data on a regular basis.

Should they suffer an infection at the hands of MacRansom or another ransomware family targeting OS X, users can follow these recovery tips.

For more discussion of this topic be sure to listen to this recent episode of the “Smashing Security” podcast:

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Smashing Security is sponsored this week by FORSYS.

They are holding the Secure Tour, and you can go and visit them in Manchester on the 6th of July at the Old Trafford football stadium, Manchester United's own stadium.
CAROLE THERIAULT
What is this cyber tour?
GRAHAM CLULEY
Well, it's a Secure Tour.

Secure Tour is where they get loads of experts like Paul Ducklin or Mustafa Al-Bassam, who used to be in the LulzSec hacking gang, as well as technology companies all speaking about their technology and cybercrime.

And if you're an IT security professional, you can register and attend.
CAROLE THERIAULT
Wait, wait, wait, wait, wait. Aren't you speaking at this thing? Yeah.
GRAHAM CLULEY
Oh yes, I'm speaking at it as well. Yes, that's true. Yes, you can.
CAROLE THERIAULT
So you got a two-for in this one. You got a two-for.
GRAHAM CLULEY
What's a two-for?
CAROLE THERIAULT
A two-for-one.
JAVVAD MALIK
Oh, I see.
Unknown
Well, if you want to think of it that way. 6th of July, Manchester Old Trafford football stadium. Register now if you're an IT security professional. Places are limited.

Go to foursys.co.uk. That's foursys, F-O-U-R-S-Y-S, .co.uk, and get yourself a ticket for the Manchester Secure Tour.

Smashing Security, Episode 29: Exploits to Get Your English Teeth Into, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Episode 29 of Smashing Security.

My name is Graham Cluley, and I'm joined as ever by my co-host, Carole Theriault. Hi, Carole.
CAROLE THERIAULT
Hello. How are you?
GRAHAM CLULEY
I'm pretty excited. Episode 29, you see, not episode 25.
CAROLE THERIAULT
Okay, you have to explain why. You're gonna have to tell them why. It's my fault.
GRAHAM CLULEY
Yes, it is, actually.
CAROLE THERIAULT
You can tell them.
GRAHAM CLULEY
When we did some splinter episodes earlier in the run, Carole said, "Don't put a number on them.

Don't put a number on them." And then it all got really confusing, because people ask us, "How many episodes have you done?" It's like, "Well, this is the 29th episode, but it's number 25." It's got too complicated.

So I think what we need to do is now jump straight from episode 25 to episode 29, which is this one.
CAROLE THERIAULT
I wonder if you could have jumped, you know how a lot of podcasts, they start at 100 and they do a season of 12 shows.

And then the second season, they start at 200 and they do 12 shows.
GRAHAM CLULEY
Sounds a bit lazy to me.
CAROLE THERIAULT
Yeah. If we had a number 489, we'd probably have a lot more listeners, maybe.
GRAHAM CLULEY
You think people, that's what they're looking for, are they? Just a high episode count.
CAROLE THERIAULT
Maybe they are.
GRAHAM CLULEY
Maybe they are. Anyway, like the Gregorian, or is it the Julian calendar? We've skipped a few and we've jumped ahead. That's the way it's going to be now.
CAROLE THERIAULT
And it's honest.
GRAHAM CLULEY
It is honest. And talking of honest, oh my word, what a special guest we have with us today. He is a blogger. He is a star of YouTube. He is the sole founder of Host Unknown.

He is the 3-time World Embassy snooker champion. He is security advocate at AlienVault. It is Javvad Malik. Hey, Javvad, welcome to the show.
JAVVAD MALIK
Thank you so much, Graham.
GRAHAM CLULEY
Wow. No one—
JAVVAD MALIK
Can I hire you as my permanent hype man or something? That was just amazing.
GRAHAM CLULEY
Anytime you need a fluffer, I will come.
CAROLE THERIAULT
Okay, well, I didn't know it was this kind of show. Is this a bromance? Are you really a snooker champion?
JAVVAD MALIK
No, I think my highest break is 15.
CAROLE THERIAULT
Knowing very little about pool sports, snooker.
GRAHAM CLULEY
So, Javvad, I don't know if you've listened to the show before, but let me explain what we're going to do. Of course he has, of course he has.

What we're going to do is each of us is going to choose a story from the last week from the wonderful world of computer security, and we are going to explain why it piqued our interest and why we think we should have a little chat about it as well.
CAROLE THERIAULT
So before we start, Javvad, what is your astrological sign? Can you tell me?
JAVVAD MALIK
My sign?
CAROLE THERIAULT
Yes.
JAVVAD MALIK
I'm a Scorpio.
CAROLE THERIAULT
Okay. I'm going to talk about this later, but I just wanted to see that. I'm a Scorpio too.
JAVVAD MALIK
Is this part of some elaborate social engineering scam?
CAROLE THERIAULT
Yes, you'll see. Yes. Thank you so much. I'm collecting all the information as we go.
JAVVAD MALIK
I really like nicknames. What was your nickname as a child?
CAROLE THERIAULT
Exactly. You got my question. You already got my second question already.
JAVVAD MALIK
Okay.
GRAHAM CLULEY
It's typical that both of you are Scorpios, isn't it? Oh, sexy Scorpio.
CAROLE THERIAULT
Watch out.
GRAHAM CLULEY
Oh yeah.
CAROLE THERIAULT
Watch out. What are you?
GRAHAM CLULEY
Hmm?
CAROLE THERIAULT
What are you?
GRAHAM CLULEY
I'm Aries, the ram.
JAVVAD MALIK
Sorry.
GRAHAM CLULEY
Sorry, was that funny? Right, moving on. Patch Tuesday. It's been Patch Tuesday this week.

On the second Tuesday of every month, Microsoft releases to us, the great unwashed, its security patches, which is wonderful.

And we like them for doing that because it helps us protect against all the bad out there, but something rather unusual has happened this time.

Very unusually, Microsoft has issued patches for operating systems which it no longer supports.

The operating systems for which it said, "We will never, never ever release another patch for something like Windows XP and Vista again." So why are they doing this?

Well, they are warning of destructive cyberattacks, rather like those we saw involving another Microsoft exploit WannaCry a month or so ago.

So they've released a whole bunch of updates.

They've done their regular updates as well, of course, but they've now released security updates for XP, Vista, Server 2003 containing fixes for 3 NSA-developed exploits.
CAROLE THERIAULT
Are you surprised? Are you surprised?
GRAHAM CLULEY
Well, of course, the NSA has been having a little spot of trouble lately, hasn't it? Exactly.

Hasn't been able to keep its exploits hoarded away quite as well as they should have done.

And unfortunately, because they've had these things and they've fallen into the bad guy's hands, in this case, the Shadow Brokers hacking gang, potentially they could be exploited by other online criminals or indeed nation states.

And that seems to be what Microsoft is worried about because Eric Doerr, I'm not sure, he's the general manager of Microsoft Security Response Center.

He has said, that the reason they've done this is to fix vulnerabilities that are at risk of exploitation by nation-state actors.

In short, they are worried of another WannaCry-style attack.
CAROLE THERIAULT
They're in a difficult position now though, because they kind of set the precedent with WannaCry, didn't they?
GRAHAM CLULEY
Well, they have, and of course—
CAROLE THERIAULT
And I'm not saying that's a bad thing. I'm not saying that was a bad thing. But I do feel for them, because God, they've been trying to RIP XP for God knows how long.
GRAHAM CLULEY
Well, absolutely. They thought it was long dead and buried, didn't they?

I mean, and I think many companies have switched away, but there are inevitably organizations which still have older computers running older operating systems, which maybe have been overlooked or for whatever reason haven't been patched, haven't been kept up to date.
CAROLE THERIAULT
Well, they can't patch XP.
GRAHAM CLULEY
Well, no, no.
CAROLE THERIAULT
They have legacy systems.
GRAHAM CLULEY
Maybe they could be upgraded, but sometimes that requires upgrading the hardware and you may well think, look, it just does its job. It's just had this simple little job.

We're going to keep on doing it.

Or it may be that that computer is powering a piece of medical equipment, for instance, which may have cost millions, and they simply cannot afford to upgrade the computer because they've only got drivers to drive that medical equipment which run on those older operating systems.
CAROLE THERIAULT
Exactly. And there's lots of businesses out there without lots of cash to splash out on the latest tech that are trying to do good work.

Yeah, so I think it's a good thing that they've done this. It's just how are they going to decide going forward whether they should release patches for these legacy systems or not?

And if they don't and it happens to get hit, are they going to get some negative press about that?
GRAHAM CLULEY
Well, I've seen some people criticizing Microsoft for releasing these patches at all.

I've seen people saying they shouldn't have released these patches for these older versions of these operating systems because basically they sort of— These are people who believe in survival of the fittest.

It's they have to get rid of these older operating systems, let them die, let the malware infect them. That's what some people believe. Javvad, what do you think?
JAVVAD MALIK
Oh, I think it is one of those really complicated issues. There is no sort of— it's kind of Microsoft are damned if they do and damned if they don't in many regards.

It's a bit rehab, isn't it?

Someone's trying to come off whatever substance they're addicted to, and you keep feeding them something when things get really bad, you're not really helping them necessarily.
GRAHAM CLULEY
Yeah.
JAVVAD MALIK
So what this brings to light in my mind is what we see is a legacy model of selling and upgrading and maintaining software at work here, where not everyone does have the capital to invest to undertake all the testing needed and upgrading their systems or the resources available.

So maybe the question is, do we need a different style or model of how software is licensed and spread and maintained?
CAROLE THERIAULT
Yeah, I know it's really interesting actually, because it's almost you can't force someone to stop using these legacy systems, yet they do potentially pose a threat to the rest of us.

Because they can act as a hub.
GRAHAM CLULEY
Well, exactly. You may find that your company is being attacked by older computers which haven't been properly protected.

And I think Microsoft as a whole would really like the whole of the internet to be safer because anything risky which is going on does damage to them and makes people want to switch away from their operating systems to something else.
CAROLE THERIAULT
But when you're a software giant of their size, what can they do? I agree with Javvad Malik. They're in a hard place, they're damned if they do and they're damned if they don't.
GRAHAM CLULEY
Anyway, Microsoft has released these critical, what they call down-level patches. They have to be manually downloaded, manually installed.

It's not as simple as doing your regular Windows update. And interestingly, what's come out of this are the code names which the NSA gave these exploits.

So we have three exploits which Microsoft is patching against this week. There is EsteemAudit, which exploits vulnerabilities in Windows Remote Desktop Protocol.

There is Exploding Can, which exploits flaws in IIS 6.0. And there is Englishman Dentist, which exploits a flaw in Exchange Servers.

Now, what we have is some intelligence agent, some hacker dude working for the NSA, right? Working on these exploits and he's thinking, oh, what am I gonna call this one?

And his mind wanders and maybe he thinks of the Austin Powers movie and the general state of British dentistry.

And he calls it — now, I thought we were supposed to have a special relationship with the Americans. How can they go around criticising our teeth like this?
CAROLE THERIAULT
Oh, come on, who teases you more than your brother, right? People that like you, people with a special relationship.
GRAHAM CLULEY
I think it's a pretty low — Carole, you are a North American. How would you compare the British versus the North American teeth?
CAROLE THERIAULT
Oh, well, I would say they're both very different and special in their own way.
GRAHAM CLULEY
Special.
CAROLE THERIAULT
Special. Yes.
GRAHAM CLULEY
I see.
JAVVAD MALIK
See, I think this is OPSEC fail on behalf of the intelligence agencies. Why would you name an exploit in a way that it's easy to guess who named it?
GRAHAM CLULEY
Absolutely. I remember there were a couple of exploits which were found before. There was one called Weeping Angel and another one called Sonic Screwdriver.
JAVVAD MALIK
That's the one.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
If you are a Doctor Who fan, which presumably some of the agents working at GCHQ in the UK are, you know, that sort of points a finger, doesn't it?
CAROLE THERIAULT
To be fair, though, very few are named in a way that's quirky, cute, or memorable. You know, in the 20 years I've worked in the industry.
GRAHAM CLULEY
Oh, but I think the exploit names do.

I mean, the malware doesn't always, and the vulnerabilities don't, but these exploits which are written by agencies do seem to have these funky code names.

And I have to say, sometimes I am a little bit impressed with them.

I don't know if they have a random word generator, you know, it's, oh, look, it's the Lumpy Trousers exploit, which we're going to release this week.

But it's, you know, I think it has a certain charm about it, doesn't it?
CAROLE THERIAULT
Yeah. Well, no, I, yeah.
GRAHAM CLULEY
Anyway. The message, I think, to listeners of Smashing Security is you've got to patch and protect yourself against these exploits. Patch because these fixes are available.

You may also want some layered protection to reduce the chances of you being exposed to some of the vulnerabilities here as well.
CAROLE THERIAULT
Can I just ask a question before you close off? So when you were talking about the patches, so people who are running currently protected systems or supported systems.
JAVVAD MALIK
Yes.
CAROLE THERIAULT
What do they need to do? Do they need to do anything different than they normally do on Patch Tuesday?
GRAHAM CLULEY
Well, the officially supported versions of Windows, so the latest versions of Windows, are not vulnerable to these 3 NSA-developed exploits. Okay, perfect.

So you have to apply your normal patches just like you would any other Patch Tuesday, but you don't have to worry about these particular ones.

These particular ones seem to target particularly old operating systems.

Now why that is, whether someone is planning to launch an attack against older operating systems and why Microsoft's been driven to this, we don't know exactly what has driven them to do this.
CAROLE THERIAULT
And users of these old legacy systems who want to patch, and we recommend they do, need to manually download them and install them.
GRAHAM CLULEY
That's right.
CAROLE THERIAULT
Just an automated— okay.
GRAHAM CLULEY
And we'll put links in the show notes as well.
CAROLE THERIAULT
Super.
GRAHAM CLULEY
Okay, Javvad, what's caught your attention this week?
JAVVAD MALIK
So this week my attention has been captivated and absolutely fully consumed by MacSpy, which is an OS X RAT. As a service.

Yeah, it's probably one of the first instances of malware as a service that we've seen on the macOS, and it just came to light about a month ago.
GRAHAM CLULEY
Now, Javvad, just to interrupt, malware as a service, how does that vary from traditional malware? What does that actually mean, malware as a service?
JAVVAD MALIK
It means that it's offered very much as a service. So if you want to go and launch the attack, you don't have to worry about compiling, downloading, executing it.

You just go online and you say, "Hey, Mr. Bad Guy, here's my credit card details," or, "Here are some bitcoins.

Can you launch the attack against here and give me an interface which I can then collect the data from?" So it's a very commoditized offering that allows non-technical criminals to—
CAROLE THERIAULT
Be criminals.
JAVVAD MALIK
To be criminals, yes.
CAROLE THERIAULT
Hmm. Okay. All right, so tell us what's happened. So we have malware as a service. Now, this is not new for Windows. This is just new for Mac.
JAVVAD MALIK
Yes, that's right. It's new for Macs. It's kind of like the question is why now?

I mean, Macs are all marketed on the premise that they're secure and they don't get viruses or malware. And it's really, I think it's just like they follow the money.

Wherever there's more proliferation of any operating system, you'll see more attacks being developed against it.

And we see Macs growing in popularity at home, but more than that in the enterprise now.
CAROLE THERIAULT
Yeah.
JAVVAD MALIK
So it becomes a far more attractive target for people to go.
GRAHAM CLULEY
So I think one of the things which has happened is many business people, you know, they're used to being given a computer at work or whatever, but many of us now are given laptops as well because, you know, we're expected to work from home or expected to go out for meetings and the rest of it.

Or just a laptop.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And it's not unusual at all for some people to say, well, you know what, I'd really like a MacBook. Because they're great laptops. And so people are requesting those.

And so they do become a target. I mean, it's never been the case that there hasn't been malware for Mac.

There's been a lot less malware for Mac, but this is really a sign that malware for Mac is growing up.
CAROLE THERIAULT
Oh, stop it. I always hate this argument.
GRAHAM CLULEY
What?
CAROLE THERIAULT
Just because, okay, just because this is basically a proof of concept, right? Like it doesn't mean, oh, suddenly now Mac users watch out, you know, the storm is coming.
GRAHAM CLULEY
Carole, this isn't a proof of concept. This is real criminal business in action happening on the web right now.

If I wanted to infect your Mac, presuming you had a Mac, I could go there, I could give them so many bitcoin and woof, off they go.
CAROLE THERIAULT
Yeah, but it's one instance of it. That's it.
GRAHAM CLULEY
Yes, but there's only one instance of Amazon, you know, and there's big websites, right? It's only got to be one person.
CAROLE THERIAULT
You know what, you're right. Go make sweeping statements about it. Go ahead, go ahead, go tell us how it's going to be.
GRAHAM CLULEY
No, I'm just saying, it only requires one criminal organization to do this properly and effectively, and they've got their funky little screenshots and they've built this nice little website, and that potentially opens up attacks to so many people who would not have the technical nous to know how to do this, who wouldn't want to get their hands dirty.
CAROLE THERIAULT
There's something gross about that.

The fact that people that don't know how to do it can actually just go and ask someone to do it for them that has no basis in anything other than, "I've paid you money.

I want you to do this attack." That's a gun for hire, effectively.
GRAHAM CLULEY
It's guns for hire, and it effectively opens up the criminal world of malware to so many more people who may previously have been thought, oh, I just don't get on with computers very well, you know, or whatever.
JAVVAD MALIK
But they were running adverts for it, which is how it came to the attention of researchers to begin with.
CAROLE THERIAULT
On just average websites, on ads, on advertising online?
JAVVAD MALIK
They had their online sort of banners and stuff. Not on the mainstream sites, but more your kind of seedier websites.

But you know, they have a whole bunch of features and things that they list out, which, you know, you start going through and it's really quite impressive.

And then you think about the potential victims there. It's not just big enterprises, but you could see celebrities and PR agents and all those kind of things.

They're still reeling from their previous, you know, iPhotos sort of breaches. And this facilitates a lot of that kind of stuff as well.
GRAHAM CLULEY
It's pretty nasty stuff. And I saw the same gang. This is the spyware variant, but I saw they were also releasing and distributing ransomware as a service as well.

So they're doing a ransomware version of this called MacRansom. So, you know, it looks pretty organized to me. And I think the message to Mac users is you can't be complacent.

There are far fewer threats for Mac, but it doesn't mean they don't exist at all. And malware for Mac I would argue, Carole, is growing up.
CAROLE THERIAULT
Yeah, but you've only been saying that for 15 years, so.
JAVVAD MALIK
Yeah, well—
CAROLE THERIAULT
It'll catch up. You'll be right one day.
GRAHAM CLULEY
It's when something gets to be about 15 years that it gets particularly unpleasant and smelly.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And pockmarked.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Right?
CAROLE THERIAULT
Okay, we agree to disagree in our tone.
GRAHAM CLULEY
That's all. Oh, okay. You're the calming, wonderful voice of reason in a world gone mad.
CAROLE THERIAULT
That's how people mostly describe me.
GRAHAM CLULEY
Yes. Calming. Carole Theriault. Over to you. What have you got? Thank you, Javvad. What have you got for us?
CAROLE THERIAULT
Okay, so imagine the situation that you have had your information stolen, maybe your information from your email or from LinkedIn, or you were involved in a big data breach and they've stolen that information.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
And they're now trying to use that information to get more information or maybe credit card details.

How are banks and other websites gonna stop people who have all the correct information from actually accessing the information you wanna protect from them?

We have this cool paper from this research team, Monaro, Gamberini, and Sartori. They published this last month, and it's a novel approach to detecting fake identities.

So the idea is this: so while truth tellers respond in one way to unexpected questions— and I'll get to what unexpected questions are in a second— liars have to build and verify their responses.

So they take actually longer to answer, and they take a more roundabout way, literally a roundabout way in selecting the correct answer.

So in this study that they've done, they had yes or no answers. And the expected questions were things like, were you born in 1991?

And Graham, you would certainly, if you're being honest, say no, right?
GRAHAM CLULEY
Thank you.
CAROLE THERIAULT
Were you born before 19— No, I'm kidding. Or were you born in a particular city? So do you live in Pisa? And you would answer yes or no.
GRAHAM CLULEY
I eat a lot of pizza, but yes, okay, carry on.
CAROLE THERIAULT
So those questions are considered expected questions, and if you were trying to fake someone else's identity, you would probably research those and know those quite quickly.
GRAHAM CLULEY
Oh, okay, yeah, so an identity thief would have that sort of information at his fingertips potentially, and so he would be able to trick the website into believing that he was the person he was pretending to be.
JAVVAD MALIK
Okay.
CAROLE THERIAULT
Yeah, it's when I was trying to get into dance clubs when I was underage, right? You'd memorize the license the driver's license that you borrowed from your friend.

You would figure out all kinds of questions, including the star sign.

Actually, that was one of the things we were often asked, and that's the thing that would make me not get access because I wouldn't have researched that bit, which is why I asked you earlier, Javvad, did you know your zodiac sign?

Because that was one of the unexpected questions that they used in this as well. So one of them is, are you 21 years old? Right?

So rather than asking what year you're born in, it's asking what age you are right now.

Now, that's not something that you can't work out if you're faking an identity, but it takes you a bit longer, doesn't it?

Because I know right away what my age is, as opposed to if I was trying to pretend to be you, Graham, 55 or 56.
GRAHAM CLULEY
Cheeky. The real person knows their age instantly, whereas a criminal has to go, "Okay, after 1973 minus this," you know, they have to work it out. Okay.
CAROLE THERIAULT
Right. Or you might ask, instead of asking, "Do you live in a particular city?" you might say, "Do you live in a particular state?" Right?

Because if you were faking it and you were maybe not from the same country, that may not be quickly available to you.

So it seems they find it difficult, liars find it difficult to respond to these unexpected questions quickly and without errors.

And what happens is it changes, this is the cool bit for me, it changes their mouse dynamics.

So if you imagine your mouse is hovering at place X on the screen and you draw a direct line to the answer you need, which let's assume is yes in this instance.

If you draw a straight line to that, you'll see that people who truthfully answer will be very close to that straight line.

There'll be a little bit of an arc, but those that are lying, they have a lot bigger arc around.

It's almost it looks like a bow and arrow, like the bow, you know, with the— So, and apparently that it's 90% accurate that fraudsters will kind of be a lot looser in their direction and a lot slower in getting there.
GRAHAM CLULEY
Because basically they're dithering. They're thinking, "I don't know, I don't know." And this is the sort of tale which someone like Derren Brown would be able to tell, right?

Because he's a bit spooky if you haven't seen Derren Brown.

But he'll just look at you, ask you a question, and he knows if you're lying or he knows if you're thinking of a particular number.

And similarly, this tracking of the mouse might give clues to critical websites as to whether someone is who they claim. That's very interesting.
CAROLE THERIAULT
Well, it is, except that, you know, it's a bit like a digital polygraph, isn't it?

And I mean, we all know that polygraphs aren't considered scientific by most of the community anymore.

I mean, I don't think they're used anywhere privately, anywhere in the States, for instance. Oh, I think they still use it in governments, which is weird.
GRAHAM CLULEY
We use one in our house.
CAROLE THERIAULT
But the idea behind that is that uses certain indications to make a judgment.

And I guess most of the security industry, really, most of the security technology kind of works a lot in that way. Look for patterns. So anyway, it's very interesting.

And it could open the door to new research.
GRAHAM CLULEY
Are there any privacy concerns here? If websites begin to track your mouse movement, I wonder if some people might be a little bit—
CAROLE THERIAULT
I think there's a lot bigger privacy concerns we have to have right now than mouse movements.
JAVVAD MALIK
I think a lot of anti-fraud type technologies have been using some elements of things like that before.

They map your user journey as you enter the website, which URLs you tend to navigate through, the dwell time and all that kind of stuff to pick out whether you're a human or a script or that kind of thing.

So I don't think, you know, mouse is that much of an issue. I tell you what I think. I think that the biggest issue we have is websites are just too polite.

They're there to help facilitate and say, hey, welcome back, Graham. We think it's you. Please tell us it's you and buy some stuff.

I think they should just switch it around, be rude and have, you know, the American TSA kind of approach. What are you doing here? What do you want? We don't like the looks of you.

Turn around.
CAROLE THERIAULT
And who are you?
JAVVAD MALIK
What do you want?
CAROLE THERIAULT
You would drain the economy that way.
GRAHAM CLULEY
How dare you come into our country.
JAVVAD MALIK
Exactly.
CAROLE THERIAULT
A tax form approach.
GRAHAM CLULEY
Yeah. What are you doing with those shoes?
CAROLE THERIAULT
God.
JAVVAD MALIK
Yeah. Time for the pat down. You know, you just remove all fraud that way. I think we just need to get a bit more, yeah, a bit rude. Rude security is the way to go.
GRAHAM CLULEY
So my recommendation to websites is if you spot Javvad Malik is coming towards you with his browser, maybe reach for the wooden spoon and get ready to apply it.

That's how he likes to be treated. Don't give him a usual login prompt. That'd be marvelous.
JAVVAD MALIK
Another list you want me added to, thank you. I'm trying to collect them all, they're like Pokémon.
GRAHAM CLULEY
Okay, well, thanks very much, Carole. I think it's time to shout out for our sponsor this week.
CAROLE THERIAULT
Thank you to FORSYS for sponsoring the show. If you're interested in joining Secure Tour '17, please visit forsys.co.uk to register. That's FORSYS, F-O-R-S-Y-S.co.uk.

And thanks for sponsoring the show.
GRAHAM CLULEY
And I'm gonna be there too, Carole, I'm gonna be there.
CAROLE THERIAULT
Oh yeah, and Graham's there.
GRAHAM CLULEY
Okay, welcome back to the show. And in this final segment of the show, we are going to describe our pick of the week. Pick of the week. Pick of the week.

Carole, are you gonna do it or not?
CAROLE THERIAULT
Pick of the week.
JAVVAD MALIK
Pick of the week.
GRAHAM CLULEY
Excellent. So each of us has chosen something, it doesn't have to be security related at all, just something which took our fancy a little bit.

And I'm going to go first because have you heard — do you remember the Atari video game console?
CAROLE THERIAULT
Oh yeah.
GRAHAM CLULEY
Way back when.
JAVVAD MALIK
I'm not that old.
GRAHAM CLULEY
You look it. Well, back in the 1980s, there was an awesome Atari game called Ms. Pac-Man. Not the original Pac-Man.
CAROLE THERIAULT
It was so good.
GRAHAM CLULEY
Apparently the purists prefer Ms. Pac-Man. They consider it to be a superior game.
CAROLE THERIAULT
Oh, I didn't know that.
GRAHAM CLULEY
Yes, apparently it is meant to be better. Anyway, I don't know about these things, but I have bad news, which is that Microsoft have defeated Ms. Pac-Man.

Specifically, they have developed an AI, an artificial intelligence, which can play Ms. Pac-Man perfectly, and it has now scored a perfect score of 990,990, more than any human has ever achieved.
CAROLE THERIAULT
Okay, let me get this. So Microsoft, 30 years on with their latest technology, have been able to beat a game that was created in the '80s. Well, well done, Microsoft.
GRAHAM CLULEY
Well, I think they're thinking that the AI may have some useful application. Let's be honest, they're not really thinking of a useful application at all.

They clearly had a lot of time on their hands. But, you know, I think this is quite serious. We have to be careful about AI, don't we?

Because you remember, this is how Skynet started. I'm sure Terminator. It all started with Ms. Pac-Man. And before you know it, there were rising robots.
CAROLE THERIAULT
Yeah, and Google's AI beat Go, didn't it?
GRAHAM CLULEY
Yes, it plays a very good game of Go. Yes, thanks to Go-ogle. But let's not do that joke again.
CAROLE THERIAULT
Oh yeah, yeah, that's right.
GRAHAM CLULEY
It went down very badly last week.
CAROLE THERIAULT
Oh, you're still harping on about it? Okay.
GRAHAM CLULEY
But you know who else is going to be pissed off? Abner Ashman.
JAVVAD MALIK
Who?
GRAHAM CLULEY
You don't know Abner Ashman?
CAROLE THERIAULT
No.
GRAHAM CLULEY
He holds the official world's record for Ms. Pac-Man. He managed to score, and it looks pretty pathetic now, let's be honest.
CAROLE THERIAULT
No, it doesn't.
GRAHAM CLULEY
933,580.
CAROLE THERIAULT
He's a human being. He spent hours. I bet he probably peed in a cup to play that long.
GRAHAM CLULEY
He didn't have pauses. Anyway, you can check out the video.

We'll put it in the show notes, so you can see that all that money we give Microsoft in Office 365 subscriptions is obviously being spent sensibly.

And they've written a program which can play Ms. Pac-Man really well. Fantastic. It's kind of cool, kind of crazy as well. And I imagine it has some use.
JAVVAD MALIK
Yeah.
CAROLE THERIAULT
Well, thank you for that.
GRAHAM CLULEY
That was my pick of the week. Now, Javvad, do you have a pick of the week?
JAVVAD MALIK
I do have a Pick of the Week, yes. So there was this techie apparently who worked for Google, I think. I can't remember.

But anyway, he was a developer, and he felt that his life was too entrenched in routine and a steady pattern, so he made an app that he eventually expanded on.

He started off with it just to do Uber, but basically it randomized his life. So he would, you know, click on the app and set a budget.

An Uber would pick him up and he'd have no idea where it would take him.
GRAHAM CLULEY
What?
CAROLE THERIAULT
Cool! I love this.
JAVVAD MALIK
On top of that, he would end up at random Facebook parties. So a person would have an open party on Facebook.

He would travel there, turn up with a bottle of bubbly and say, "Hey, I saw the invite online. I'm just here." And what's his—
CAROLE THERIAULT
Has he got a kind of conclusion of his living his life this way?
GRAHAM CLULEY
Some purpose, meaning in his life at all?
JAVVAD MALIK
I don't know. I think what he said was that he was really happy that it allowed him to experience things and meet people that he would otherwise never have done.

So, you know, he ended up going around the world. He spent time at weird sorts of festivals in random parts of the world. That happens; he ended up there.

So he went around the world, he met people and strangers and all that kind of stuff. So I think it's good in a way that you kind of step outside of your own bubble.
CAROLE THERIAULT
I know, but it's bringing on more chaos theory. Don't we have enough chaos?

So is he going to create an app and make this available to anyone who wants to just throw their wife into the dryer and see what happens?
JAVVAD MALIK
He's got a website where he's got details of his project on it and he's got a lot of tips that he's collected over the years, how to encourage— well, how to attend strangers' publicly listed events.
GRAHAM CLULEY
It reminds me a bit of that— do you remember that book in the 1970s, The Dice Man?
JAVVAD MALIK
I'm not that old.
GRAHAM CLULEY
Presume you've heard of books which existed before you were alive. Anyway, yeah, there was a book in the 1970s by Luke Rhinehart called The Dice Man, all about a guy who decides—
CAROLE THERIAULT
It's a great book.
GRAHAM CLULEY
Have you read it, Carole? Yes.
CAROLE THERIAULT
I bet you haven't.
GRAHAM CLULEY
No, I have actually.
CAROLE THERIAULT
Really? Is that one of the 5 books of fiction you've ever deigned to read?
GRAHAM CLULEY
But yeah, it was rather a disturbing book, as I recall.
CAROLE THERIAULT
Oh, I liked it. Yeah, it all got a bit dark though.
GRAHAM CLULEY
It did get a bit dark. But yeah, it was about a guy who basically decided, well, I'm just not going to decide. I won't make any decisions myself. It's all going to be done by a dice.

And it sounds like he sort of reenacted that for the app generation. Can I ask a technical question about this fellow? Does he have a girlfriend?
JAVVAD MALIK
It wasn't mentioned in the article.
GRAHAM CLULEY
No, surprising that, isn't it? Did he have a job at all?
JAVVAD MALIK
Yeah, he started off, he was working at Google, I think. And I think by the end of it, he's working somewhere else.
CAROLE THERIAULT
Were you gonna get all conservative on him and like, you don't have a job, you don't have anything, you don't have any responsibilities, you don't have a wife.
GRAHAM CLULEY
It sounds like he's having a life.
CAROLE THERIAULT
It sounds sad to me.
GRAHAM CLULEY
I'm wondering how I could have a life like this.
JAVVAD MALIK
Well, you could just ask us, and then I think all the listeners should send in random advice for Graham to experience in his life.
GRAHAM CLULEY
We could do a Twitter poll rather than throwing a dice. We should put up a Twitter poll every time some big decision needs to be made.
JAVVAD MALIK
I mean, I'll just put it out there. I think you should fly out to Canada and be a lumberjack for a week or something like that.
CAROLE THERIAULT
I agree. I agree. I'm a natural lumberjack. I'll film it. It'll be a documentary.
JAVVAD MALIK
Yes.
CAROLE THERIAULT
How the English dentist made his way to the big country.
GRAHAM CLULEY
Alright. Carole, what have you got for us?
CAROLE THERIAULT
Oh, well, I've got something quite fun.
GRAHAM CLULEY
Okay, good.
CAROLE THERIAULT
Okay.

You know, I have actually thrown my wireless mouse in the drawer about a year ago because I just got so annoyed with the frickin' battery usage and it going out of battery, not having batteries, and la la la la.
GRAHAM CLULEY
That's not the main problem with wireless mice.
CAROLE THERIAULT
No, and they disconnect.
GRAHAM CLULEY
No, no, no, there's another problem with wireless mice.
CAROLE THERIAULT
You lose it?
GRAHAM CLULEY
Yes, because they don't have a wire. Same with these EarPods and things, these stupid Apple AirPods. I don't know what they're called, but they don't have a wire.

It's like you want the wire. The wire is a bonus. I would pay extra for a wire. Same with a mouse. I've got a cluttered desk. I need to find my mouse. You don't have to pay extra.

I will yank the wire.
CAROLE THERIAULT
You don't have to pay extra for either. The wire is cheap. You can get them with wire. Now, Logitech, the mouse people, I thought I'd stay on the same topic of mice and mices.
GRAHAM CLULEY
Good, good, I like this.
CAROLE THERIAULT
Have found a way that a wireless mouse will never again run out of battery.
GRAHAM CLULEY
Clockwork.
CAROLE THERIAULT
How did they do it?
JAVVAD MALIK
Solar power.
CAROLE THERIAULT
A chargeable mousepad, people! How has no one ever thought about this before?
JAVVAD MALIK
What?
GRAHAM CLULEY
A rechargeable mousepad?
CAROLE THERIAULT
Yeah. So you have your little mouse on your little mousepad, and as you're working, it's actually keeping it charged.
GRAHAM CLULEY
Hang on, hang on. Your mousepad is plugged into something with a wire, isn't it? So what is the point of that?
JAVVAD MALIK
Pay no attention to the man behind the curtain.
CAROLE THERIAULT
So it's got a dongle on the mouse. So it's actually, there's a lot of money to be spent here actually. Okay.

So there are two Logitech mice for which this will be compatible, the G903 and the G703 for those who are interested. And there's the charging mat called the PowerPlay bundle.

So the bundle is separate from the mice. So the mice are $100, $150. The power, the bundle, the mouse mat, the wireless charging base, which yes, you'd probably have to plug in.

Two mouse surfaces are in there, soft and hard. So you have a choice.
GRAHAM CLULEY
Pointless.
JAVVAD MALIK
Yes.
CAROLE THERIAULT
Yes. Okay. I can't believe I didn't notice that before.

I was all excited by the idea that it's using cool, you know, magnetic resonance transmitters to, you know, because that's really hard to do.

You know how normally this whole wireless stuff works. You have to be right on top of each other. The transmitter and the receiver got to be very close for it to work.

But this is working across a whole mouse pad. So I don't know how they're doing it.

Ars Technica's Sebastian Anthony thinks there must be lots of antennas around built into the charging mouse pad. But I don't know.
GRAHAM CLULEY
How much are you going to have to spend for this mouse?
CAROLE THERIAULT
Well, the mice also, the other problem, the mice are ugly. They're black, they're angry, they're angular, and apparently they don't work on a mat.
GRAHAM CLULEY
As well.
CAROLE THERIAULT
And I don't know why. I don't see why that is, but there you are. The whole shebang will set you back, for the cheaper mouse, $150, right? Yep, $250.
GRAHAM CLULEY
$250?
CAROLE THERIAULT
Yep. If you get the Logitech G903.
GRAHAM CLULEY
Well, thank you, Carole.
CAROLE THERIAULT
And then you can lose your mouse, right? And, but, you know, if you find it, it'll be charged. We bring it back.
GRAHAM CLULEY
Carole, that was a quite brilliant Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
I think we can't beat that one. That just about wraps it up. Thanks for tuning in. If you like the show, tell your friends. Leave us a review on iTunes. That's a nice thing to do.

Apparently it means more people get to learn about our podcast.
CAROLE THERIAULT
If you leave a nice review.
GRAHAM CLULEY
Yeah, exactly. We had a bad one the other day. Don't leave any bad ones. We only want the 5-star reviews. Go to www.smashingsecurity.com because we've got a brand new website.

Go and check it out and you can contact us there and find our links to Twitter and all the other things. So until next time, thank you very much, Javvad Malik.

We appreciate you coming along.
JAVVAD MALIK
Thank you for having me. Had a blast.
GRAHAM CLULEY
Cheers. We'll put links to your Twitter and things like that in the show notes. Thank you, Carole Theriault, as ever, and especially for that pick of the week. Pick of the week.

And until next time, bye-bye! Bye! Ah, that was quite something, wasn't it?


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
