Think Like a Hacker Episode 115

Episode 115: Update Your Mac: Gatekeeper Bypass Vulnerability Exploited in the Wild

Apple patches a Gatekeeper bypass vulnerability that has been exploited in the wild on MacOS. Though this vulnerability requires some social engineering to exploit, it is believed to have been actively exploited since January 9, 2021. Some Digital Ocean customers were affected by a data breach exposing personally identifiable information. A WordPress Trac conversation considers blocking Federated Learning of Cohorts as a security release, and Creative Commons Search is coming to WordPress.org in a few weeks. Google Chrome has yet another remote code execution bug requiring an update to patch. Celebrated security researcher Dan Kaminsky passes away.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:10 FLoC Blocking Discussion Continues on WordPress Trac
5:25 Creative Commons Search Relaunching on WordPress.org
7:28 Digital Ocean Data Breach Exposes Customer Billing Information
9:06 Apple Patches MacOS Gatekeeper Bypass Vulnerability Exploited in the Wild
10:22 Prominent Security Expert Dan Kaminsky Passes Away at 42
11:09 Google Chrome Bug Allows Remote Code Execution
13:07 Wordfence K-12 Site Security Audit and Site Cleaning Program
14:36 Defiant is hiring

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 115 Transcript

Ram:
Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, Threat Analyst at Wordfence, and with me is Director of Marketing Kathy Zant. So Kathy, what’s with this FLoC blocking discussion and WordPress?

Kathy:
FLoC blocking, yeah, that sounds interesting, doesn’t it?

Ram:
Yes, I love that you came up with that.

Kathy:
FLoC blocking. Well, actually I didn’t come up with it. This is from an article on WP Tavern, so I guess we can blame our friends over there for this. Federated Learning of Cohorts, this is something that Google’s adding into Chrome. What is it exactly, Ram?

Ram:
For the longest time Google, and other advertising providers, have sort of tracked site visitor behavior across the internet using third-party cookies. And this is Google’s attempt to completely get rid of those.

Ram:
The replacement is basically kind of a way of pigeonholing site visitors, otherwise known as literally everyone who uses the internet, into niche categories based on their interests without officially de-anonymizing them. A person who happens to be shopping for large appliances and also likes TV thrillers, and has shown interest in the Chicago Bulls.

Kathy:
Who lives in… your zip code.

Ram:
Yes, yeah.

Kathy:
Wow, I wonder how many people would fit that?

Ram:
Yeah, and that’s the thing. If you get these cohorts into useful sizes of maybe a few thousand people each, it becomes pretty easy to figure out who’s who from other metadata.

Kathy:
Sure, exactly. I mean, once you start pigeonholing people into certain niche categories, eventually you’re going to run into a situation where there are only just so many people who would fit this particular profile. So it’s not really anonymized the way they say it is. So the WordPress core team started a discussion, I want to say last week, where they wanted to basically block FLoC, Federated Learning of Cohorts.

Ram:
They were on a clock, okay?

Kathy:
They were at a clock to block the FLoC. Exactly.

Ram:
Don’t mock.

Kathy:
There we go. And so they wanted to get this into WordPress core as a security release, which would basically put it into a dot release and basically patch everyone so-

Ram:
And auto-update people automatically, right.

Kathy:
Right, exactly. And so this discussion ensued, and we had a discussion ourselves of what we thought about this. And I thought that was pretty interesting because we’re obviously a security company and they’re talking about doing something with basically privacy and taking a stand against what Google was doing, but doing so under the umbrella of security. And Ram, you had an interesting observation about this. And I wanted to ask you a little bit more about why it’s really important to have a distinction between security and privacy.

Ram:
Okay, so here’s the thing. Insufficient security can be a privacy issue. If your security is not strong enough, your private information can get leaked. And threats to privacy can diminish your security. Once that leaked information is out there in the wild, an attacker could use OSINT techniques to make it way easier to socially engineer you. But I do think it’s important to recognize that they’re fundamentally different things, and it can be dangerous to conflate them because you could sacrifice one in the pursuit of the other really easily. And we kind of want as much of both as possible.

Kathy:
Yeah, and it’s really important. Security is one thing, and it has a different sort of level of importance. So if there’s a privacy issue, say for one of your customers who’s visiting a WordPress website, that’s a different thing altogether than your site’s hacked and there’s malware everywhere. But, you know, the malware could be stealing information about your customers, but it’s a completely different issue. So it might have a privacy component to it, but a hacked site is way different than a site that might be sharing information about IP addresses with Google.

Ram:
Exactly. And I honestly think a lot of it comes down to generally the best way to deal with privacy issues is through legal and policy whereas security issues often require a more tactical response.

Kathy:
Yeah. So different tactics for privacy, different tactics for security, and reserving security releases for true security issues that could have a cascading effect that may affect privacy, but it’s a security issue, right?

Ram:
Exactly.

Kathy:
Okay, all right. So it looks like they are not doing this as a security release, but it is coming into WordPress eventually.

Ram:
That’s what it looks like, yes. It looks like there is still an ongoing discussion as to how it should be implemented, but it looks like it’s not coming as an emergency point release.

Kathy:
Yeah, okay, great. And I agree that’s the way that it should happen. I think it’s great that the WordPress community is coming together to kind of take a stand about this and that so many people in the community are aware of privacy issues. So I think that’s great. And I think it’s great that they’re also addressing this in the most appropriate way possible.

Ram:
Yeah. I hear that WordPress is doing some other cool stuff with relaunching Creative Commons search.

Kathy:
Isn’t this neat? Matt Mullenweg announced this earlier this week saying that he’s excited about giving a new home to Creative Commons search. Now this is basically the ability to find images that are licensed under Creative Commons, and this is happening within WordPress.org, right?

Ram:
Yeah. So I mean anytime you put an image on a blog or something, you want to make sure that you have a license to use that image. That can be really easy if you’re the one who took the picture, but it can be kind of hard to find the right image. And so that’s what’s so exciting about this is that it’s a way to add images to your site, your creative work, that other people have taken that they’re allowing you to use without paying them a licensing fee. And that’s-

Kathy:
Right, I’ve had a blog and I look for featured images or look for images that try to tell a story because I can’t always get out and take pictures of everything. And so I’ve been using services like Pexels and Unsplash, which is a really great, easy way to find high-quality images that I can use that have been licensed under Creative Commons. But it looks like in 2017, they changed that, and now they’ve been acquired by Getty Images. So it looks like that door may be closing. So it’s really exciting to see Creative Commons search now coming to WordPress.org so that we can start using fully Creative Commons licensed images within our blogs.

Ram:
Yeah. I think it’s really important, honestly, just because, a world where no sites have images is kind of an unpleasant idea.

Kathy:
Right, yeah, and videos, too. I mean-

Ram:
Because not everyone can afford to pay Getty the licensing fees for every single image on their site.

Kathy:
Yeah. They get kind of ridiculous sometimes and it’s like-

Ram:
And aggressive.

Kathy:
Yeah, exactly. Yeah. And do I really need this picture of these celebrities doing these things? Yeah. So this is good news for WordPress. Hey, did you get any emails from Digital Ocean lately?

Ram:
I did not. I do use Digital Ocean for a couple of personal sites, and you were mentioning that you did as well. So-

Kathy:
Yeah, I didn’t get any emails.

Ram:
I guess we should be relieved.

Kathy:
Yes, I am very relieved because it looks like Digital Ocean emailed a few customers telling them that they were a part of a data breach that exposed some of their personally identifiable information, their customer billing information. It looks like they exposed name, address, last four of the credit card, and expiration dates. And an unauthorized user was able to get these between April 9th and April 22nd. If you did not receive an email notifying you that you were affected by Digital Ocean, you’re probably okay, but-

Ram:
Check your inbox just in case it ended up in the spam folder.

Kathy:
Oh, of course, yeah. Attempt to do a search for Digital Ocean in your inbox and make sure. If these types of breaches happen, if you ever are in a breach like this, I mean, just change your billing information, change passwords.

Ram:
Maybe get a new credit card.

Kathy:
Maybe get a new credit card and be very aware of any charges to those cards. And also, you were mentioning that these types of breaches are really helpful to malicious attackers to use this kind of information for really targeted social engineering attacks.

Ram:
Yeah. The number of companies that still use the last four of a credit card for identity verification over the phone, it’s getting smaller, but you know, I’ve still called a couple in the past year where that was all I needed to verify my identity, so-

Kathy:
Yeah, Yep. So definitely something to watch for. So did you have to update your Mac this week?

Ram:
I did. Did you?

Kathy:
It took forever, yes. How could I forget? It looks like we had to do so because of a MacOS Gatekeeper bypass vulnerability that was being exploited in the wild. What do you know about this, Ram?

Ram:
So apparently there’s a vulnerability that allows malware to bypass some of the built-in protections on executing signed code on MacOS, and apparently this has been used by the Shlayer adware.

Kathy:
Ew.

Ram:
Yeah, which basically would pop up advertisements on your computer or open up your browser and take you to sketchy websites. And I guess this has been exploited in the wild since January 9th of this year. So, it took them a while to catch it.

Kathy:
But it looks like social engineering was still required in order for them to exploit this vulnerability.

Ram:
Yeah, as far as we know, you would still have had to click on a link in a phishing email or something like that in order to actually fall victim to this. Still, it’s not a great thing, but I’m glad they patched it.

Kathy:
Yeah. I am glad too, even though that update took forever and a day it seemed like, but yeah. Good to have it patched and yes, even Macs can fall victim to hackers.

Kathy:
Looks like we have a sad story next. It looks like Dan Kaminsky passed away. This is the guy who found out that DNS cache poisoning could be effective.

Ram:
Yeah, back in 2008. I mean he was kind of something of a legend in the InfoSec community. Just one of those names you kind of grew up hearing about or at least kept on hearing about. I never had the honor of meeting him, but by literally all accounts, he was just a generally great human being and the entire InfoSec community is mourning him. And, I mean, it’s pretty rare for the entire community to come together and agree on almost anything really, so-

Kathy:
He was what, only 42?

Ram:
Yeah.

Kathy:
That’s so young, yeah, very sad news in the InfoSec community. And it looks like we’re updating Chrome again this week, huh?

Ram:
Yeah. At this point, I mean, think of this podcast as your weekly update Chrome reminder.

Kathy:
Exactly.

Ram:
At least this one wasn’t a zero-day, but it was a critical RCE in Chrome. It wasn’t a sandbox escape. So an attacker could only execute code within Chrome, but there’s still a potential for a lot of damage. So, again, if you’ve got like 9,000 tabs open and you just want to preserve them, just restart Chrome and restore your history.

Kathy:
Very good advice. I mean, it sounds like a very small kind of bug. It’s not a zero-day, but it is… And if you think about how you use Chrome, how you use a browser, this is your window into your digital life. This is how you log into your bank account. This is how you’re logging into your social media, how you are logging into your email, which has the capability for all of the password reset confirmations for all of your digital accounts. So if you are using Chrome as regularly as most people are, and it seems to be the behemoth browser at the moment, it’s really important to ensure that you’re keeping Chrome safe, that you’re checking your extensions regularly and making sure that those are the extensions you really want to use, being very judicious in using them, and making sure that you update Chrome when an update is available. Which I updated right before this podcast, so-

Ram:
I am very glad to hear that. And I mean a big part of why we’re seeing so many of these is just because there’s a lot of eyeballs on it because it’s the biggest browser in the world. Literally, everyone uses it for everything. There’s a lot of good guys and there’s a lot of bad guys looking for vulnerabilities in it. And it’s sort of a toss-up who finds them first. But there’s still, there’ve been just a huge number of critical vulnerabilities in Chrome this year. So keep on updating, if you can get it to automatically update, please do.

Kathy:
Every week. All right. Well, that’s pretty much the security and WordPress news that we have this week. We did want to mention a couple of things. First of all, our K through 12 public school site cleaning initiative is still there. If you know of a school that could use some WordPress security assistance, whether it is an audit to make sure that their site is safe, or if they have, God forbid, an intrusion and need some help cleaning up, we are here for them. Just head over to the show notes. There’s going to be a link there. And they basically just have to reach out and contact us, fill out a very small form and let us know.

Ram:
And this is any government-funded school, anywhere in the world, right?

Kathy:
Right. Anywhere in the world.

Ram:
Not just the US. Pre-university basically, right?

Kathy:
Yeah. Basically, anybody who’s dealing with children. Dealing with the children. Yes, we want to keep them safe.

Ram:
We want to think of the children.

Kathy:
Yes, always think of the children. They’ve had a tough time. I’ve watched, I have a 12-year-old and I’ve watched how her schools have had to deal with remote learning. As a parent of a child, it has not been a pleasant experience. I can’t imagine what it is for teachers. They are using WordPress in a number of installations and-

Ram:
We found vulnerabilities in a number of e-learning solutions. I know Chloe’s found like at least, I want to say two, at least. And I know I found one last year, so yeah. There’s just a lot-

Kathy:
Yeah, yep. So we are here to support your schools and to support your kids. So if you have any questions about that, you can reach out to us at feedback@wordfence.com or you can hit the link in the show notes.

Kathy:
We also want to mention that we are still hiring. We are expanding a number of our initiatives. So we are looking for someone to support us with security operations. So if you like AWS and you like securing lots of systems, we would love to talk to you. If you like PHP development, not necessarily WordPress PHP, this is some more complex and challenging systems. So if you would like to be challenged in the PHP world, we’d love to talk to you. You’re hiring for a friend in QA, it looks like, Ram, huh?

Ram:
Yes, yes we are. We are hiring for a QA role. So if you like testing stuff and breaking stuff.

Kathy:
Yeah!

Ram:
If you like breaking other people’s software in ways that aren’t just security-related, then we’ve got the role for you.

Kathy:
Excellent, yeah. And our QA team is amazing. Very, very challenging, but very rewarding as well. We also are still looking for someone who loves website performance. We have some interesting initiatives happening there.

Ram:
If you actually know what the Core Web Vitals are and how they matter, then this might be the role for you.

Kathy:
Yeah, definitely. So all these job listings will be in the show notes. So head over there, we have amazing benefits. So if you like working for a fun team, it’s Ram, it’s me, it’s Chloe.

Ram:
And there’s not really micromanagement here. Honestly, it’s very much you do the thing that you’re good at and we judge you on your results.

Kathy:
Yeah. And there’s plenty of opportunities for growth. So, I mean, there’s a video on our employment page that is sort of a clip from one of the Wordfence Lives when Chloe kind of talked about how she started here at Defiant, working with the customer service team and how she’s evolved into one of the leading evolved. Well, it’s not like she’s evolved, that’s a bad-

Ram:
It’s not like she’s a Pokemon.

Kathy:
She hasn’t reached her final form yet, right? But she keeps rising to different challenges and basically amazing all of us. So go watch that video because Chloe is pretty amazing and she’s so much fun to work with, too. I just had a conversation with Mark earlier today and he was asking how things are going? And I’m like, I have laughed more this week than I have in quite some time. It’s been a good week. It’s a fun team. If you like to laugh, if you like to work hard, if you like to see an opportunity and make things happen, we’d love to talk to you. So head on over and look and see what might fit for you.

Ram:
Apply for the role even if this is just something you’re really passionate about and have some experience with.

Kathy:
We’d still love to talk to you. That’s fun, too. So thanks for listening to Think Like a Hacker. We will be back again next week with all the security news and all of the WordPress news and all of the news and-

Ram:
The Chrome zero-day updates.

Kathy:
Yeah, exactly. We’ll tell you what’s going on with Chrome again. It’s been kind of crazy. Thanks for talking again, Ram. We’ll talk to you again next week.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.
