
Welcome! How app design libraries are defeating design security plus more on Tech Talk with Craig Peterson on WGAN

Craig Peterson - America's Leading Security Coach

Release Date: 09/11/2020

Welcome!

Craig explains how app design libraries are causing problems with the security of apps for some of the big tech firms.

For more tech tips, news, and updates visit - CraigPeterson.com

---

Read More:

iOS 13.7 launched today with a new system for battling the pandemic

Hackers are exploiting a critical flaw affecting >350,000 WordPress sites

The accidental notary: Apple approves notorious malware to run on Macs

Most IoT Hardware Dangerously Easy to Crack

55% of Cybersquatted Domains are Malicious or Potentially Fraudulent

Feds Can’t Ask Google for Every Phone in a 100-meter Radius, Court Says

The Hidden Cost of Losing Security Talent

---

Automated Machine-Generated Transcript:

Craig Peterson: [00:00:00] We're going to get into the guts right now of something called notarization when it comes to our apps. What's Apple doing, what's Google doing, and how did Apple mess this up so badly, frankly?

Hey, you're listening to Craig Peterson. Thanks for joining me today. We've had a problem for a very long time when it comes to any sort of apps. I saw a funny meme about Bill Gates this week. It said Bill Gates couldn't even stop viruses in Windows. It's a really good point that Windows was never designed to be secure at all.

When they came out with NT, that was their first attempt to design it like a real operating system. They took the design of VMS, basically the design of Dave Cutler and company that had been done over at DEC, Digital Equipment. And they said, hey, we'll use this as a framework. This really works. It's not a hack. Let's just make this work.

Then, of course, Microsoft had its fingers on it. So they really messed it up. They wanted to be compatible with everything that they could possibly be compatible with in the past. In the past, Microsoft did not have the barriers, walls if you will, between the apps, between the operating system, between the hardware and the apps. They didn't have the appropriate protections in place. Programmers used some lazy mechanisms to get around the operating system, going directly to things like graphics cards, because the operating system just slowed it down and they couldn't do the graphics they wanted to do that way. So it's been a real problem, frankly.

It's been a real problem for a long time in the Windows world, and NT was supposed to fix some of that. It did initially, and then it didn't. Now they're trying to tighten up this whole thing. How do you, if you're Microsoft or Google or Apple, how do you protect the people who are using your products from some of this malicious software?

What's the way to do it? What Apple has come up with, and Google as well, is a mechanism that signs the software. You might have noticed that if you are trying to install software on your computer or your Google device from a third-party website, it will come up and say it can't be opened, it can't be installed. There are a few different messages that come up.

In the case of Apple now, with macOS Catalina, which is the latest operating system (although there's another one that is about to hit, and it looks like they're going to change the whole nomenclature with the next release), in Catalina, Apple now requires what they call notarization for all apps.

Any apps that you are installing on that computer need to be signed digitally by Apple. So the developer, when they write the software, they compile it, they sign it themselves. It's a whole public-key cryptography thing. Apple takes that software and checks it and then signs it.

Both Google and Apple are using automated systems that try to verify whether or not the software is malicious. So it'll go through this automated system and it will try and figure out, well, is there any malicious content? Are they doing things they shouldn't be doing? Are they making suspicious calls to the operating system? Is it trying to get into files that it shouldn't be getting into?

Now, there are ways to hide things from these automated systems. In fact, obfuscation seems to be the norm when it comes to any program or programming anything. It's just absolutely amazing. It does look for code-signing issues, and then it's designed to return the results to the developer very quickly and say, okay, it's all set. It is signed. You are ready to go. Then they can put it up for sale on the app store or make it available for free, et cetera. The same trick over on the Google side.

In this case, on the Google side, they've got this Alphabet-owned malware scanning service called VirusTotal that looks at data from over 60 different antivirus providers to figure out, is this software malicious? Is it using any sort of malicious libraries or routines?

Now we have seen that happen, unfortunately, and it's scary because we have now found that even in the Apple App Store, there have been many apps that included this library that was designed to basically steal personal information from you.

Developers would use this library and it wasn't flagged by this notarization process. Now you install it, and it's not the main feature of the app, but the app is spying on you. Now, there is a new piece of software out there, though it's actually not all that new. It's been around for quite a while.

It's called S-H-L-A-Y-E-R, Shlayer, and it is a Trojan that has been one of the most prolific pieces of Mac malware now for the last couple of years, and it was notarized by Apple. Now, this is interesting, right? This whole notarization thing has been in the last couple of major releases, but it snuck by.

If you're an Apple user, there is a piece of software you can put on your Mac called brew, and it uses open-source software to install all kinds of features. I use many of these pieces of open-source software all of the time. And they provide functionality that does not come with the base Mac operating system. And so in the case of brew, it is verified and validated by the brew people, right?

Apple has nothing to do with this. There is another site out there called homebrew.sh, which is a knockoff of the brew site, which is brew.sh. And a number of people were tricked into using that site, this homebrew.sh, and it apparently had fake Flash updates. So it pops up and it says, hey, you need to update.

And we've all seen that before if we have Flash on our computer. You click on it and open it and install it. In fact, this Shlayer was, slash is, so smart. It gives you instructions on how to get around Apple's notarization checks. So in case you didn't know, if you install an app on your Mac, first of all, you probably can't get it to install. But if you do get it to install, or if you download it and you try and run it out of your Downloads, if you right-click on it, you then have the option to just open it and get around the signatures from Apple.

Not good, not a good thing. So the bottom line is that you cannot 100% trust these signed apps from Apple or from Google. This is just something to remember. Okay. This isn't something that any of these companies messed up recently. It's just normal. So be very careful about what you install, and it goes right back to something I said a little earlier today, which is, do not install any software you do not absolutely need, and make sure that you keep it all up to date. Some of this stuff does clickjacking. It tricks users into installing these cryptographic certificates. It decrypts and reads all of your HTTPS traffic.

So if you're going to a secure server that is using SSL, it's decrypting it. It's harvesting your user IDs, everything. Okay.

Apple's goof, in this case, and they fixed it very quickly. It was reported to Apple. Apple did not figure this particular one out by themselves. So that goes right back to how important it is to have third parties out there that are looking at security, not just for Apple, but for many other pieces of software.

All right, stick around. When we come back, we're going to talk about a new little study that was done about the internet of things hardware.

Make sure you get all of this and more. My newsletter, CraigPeterson.com/subscribe, and stick around, 'cause we'll be right back.

---

More stories and tech updates at:

www.craigpeterson.com

Don't miss an episode from Craig. Subscribe and give us a rating:

www.craigpeterson.com/itunes

Follow me on Twitter for the latest in tech at:

www.twitter.com/craigpeterson

For questions, call or text:

855-385-5553