Checklist 330: CAPTCHA, Pegasus, and Mr. Softy’s Migraine
Why Pegasus is in the news again
A report from The Guardian says security researchers have uncovered a new first for Pegasus spyware:
Researchers have documented the first known case of NSO Group’s spyware being used in a military conflict after they discovered that journalists, human rights advocates, a United Nations official, and members of civil society in Armenia were hacked by a government using the spyware. The hacking campaign, which targeted at least a dozen victims from October 2020 to December 2022, appears closely linked to events in the long-running military conflict between Armenia and Azerbaijan…
If Pegasus spyware sounds familiar, that’s probably because we’ve talked about it multiple times on this podcast. For those not in the loop: Pegasus is commercial spyware sold by NSO Group to law enforcement agencies and governments. It can compromise iPhones—even without the user clicking on anything.
The good news here is that Apple appears to be successful at detecting Pegasus spyware; the company now sends out security alerts to people who may have been compromised.
For everyday users, the spyware doesn’t pose that much of a danger: It tends to be used by advanced threat actors in highly targeted attacks. But if you’re concerned about it, the best thing to do is keep your device up to date. When Apple discovers a vulnerability that could lead to a Pegasus infection, it patches that vulnerability—and thanks to features like Rapid Security Response, it’s easier than ever to get your iOS security patches quickly!
Humans helping bots helping bad guys
On Checklist 297, we discussed Private Access Tokens: an Apple attempt to help website owners determine if traffic to their sites is human or bot. The technology holds a lot of promise—but like all new technologies, there has been a lag between release and widespread implementation.
This week, a story in The Hacker News shows why bot traffic is such an urgent problem. According to the site:
…CAPTCHA-breaking services that are being offered for sale to bypass systems designed to distinguish legitimate users from bot traffic. These CAPTCHA-solving services don’t use [optical character recognition] techniques or advanced machine learning methods; instead, they break CAPTCHAs by farming out CAPTCHA-breaking tasks to actual human solvers.
This lets bad actors bypass CAPTCHA protection—so they can turn their bots loose on a site to scrape data, autofill forms, fake ad impressions, and do other shady bot stuff. All of which goes to show why innovative technologies like Private Access Tokens are so important!
A macOS “headache”
Microsoft has discovered a macOS vulnerability they’re calling “Migraine.” Migraine, according to Microsoft, “…could allow an attacker with root access to automatically bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device.”
Sound bad? It is. As Microsoft explains:
Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, and expand the attack surface for additional techniques and exploits.
The good news is that Microsoft informed Apple of the vulnerability over a month ago. It was patched as of macOS 13.4 (released back on May 18). In other words, it’s already fixed—provided you’ve kept your Mac up to date.