URL spoofing - what it is, and what to do about it
Are we live? We are live. The Android app's a bit different. Excellent. Hi everyone, and welcome back to Facebook Live. We are Naked Security by Sophos and, yeah, we are trying out our Facebook Live on an Android. Wow, yeah. If you notice any quality difference, I think you may be blinded by populous, but let's hope we've got it right. The lens is a bit different on this. I can see myself in the lens compared to an iPhone, so I'll have to get that. Sometimes it's not because Charlotte's shouting at me. It's because I can see myself and I've scared myself. So today's topic is URL spoofing. It sounds a bit technical, Duck.
What is it, and why are we talking about it right now? Well, let's start at the end: why are we talking about it now? The reason is, there was a big story all over the media last week about a URL spoofing bug that apparently was found some time ago in Apple Safari, so it affects Mac users and iPhone users. It also affected Microsoft's Edge. Microsoft patched their browser, Apple didn't, the bug got disclosed, and the media got all excited. And the deal with URL spoofing, and why it's important, is, basically, what it means is the URL you see in the address bar in your browser doesn't match the website that is in the main window.
So, in other words, it's easy to get confused between where you think you are and where you actually are, because the URL in the address bar has been spoofed, to put it simply. Oh, quickly: hi Teresa, hello Teresa, it's good to have you back. Yeah, so Duck, I'm guessing that, because Apple just did a round of updates which included releasing iOS 12, this bug might have got fixed. Oh, am I that transparent? Why pick it today? Yes, last night, at least UK time, well, this morning I woke up and there was the fix: iOS 12 has been released and there's a Safari 12 update for macOS, for Mac users, and indeed, even though it's a week since its disclosure, Apple have now fixed it. And now, Apple...
Unfortunately, I wish they wouldn't do this. They have this official corporate policy, which is to keep totally schtum about security updates until they're ready. Now, I get that. The idea is you don't want people guessing and speculating, so when you say, "Hey, there was this bug in our product," you tell people when it's fixed. Unfortunately, what it meant is that, a week ago, everyone's panicking, going, "Well, I wonder if Apple's ignored this. Does it consider this not to be a bug, or is there a bug fix in the works?" We speculated on Naked Security last week that the reason was that Apple was probably very close to a fix. Unfortunately, they didn't say so. Wish they had.
But, given that the fix is out today, at least for people in the UK, we thought it was worth talking about it. Big story, problematic bug last week, all over the news. If you were worried about it and you get the update, you're sorted. Okay, so why is URL spoofing a hot issue in cybersecurity? The address bar has incorrect text in it. It's just one line of text, though, so why is it such a big deal? It sounds a bit of a triviality, doesn't it? The address bar's got, like you mention, a typo. When you get a document with spelling mistakes, it doesn't completely throw you off, it doesn't stop you making a judgement, but let me show you some.
So then, if that's a foreign site that's pretending to be NS Don example, you're relying on the address bar, the bit at the very top, to actually tell you that you're on the wrong site. So you can imagine, if you can make the bit at the top look like what it shouldn't be, that's very, very beneficial if you're a crook trying to do phishing. And the theory is that, although the main window of the website in your browser can have anything, including fraudulent logos, fake logos, fake content, the address bar is not directly under the control of anything remote. The browser looks after it carefully, so it's the one true place that you're supposed to be able to look at to figure out where you are. Now,
Here's an example of what he did. He took the URL and he added what's called a TCP port on the end. Now, normally web services are port 80 for HTTP and port 443 for HTTPS, so he said: go to a site that exists, but to a TCP port where nobody's listening. That's like making a phone call to a company that's there, through a phone exchange that's working, but to an extension where nobody's sitting, so nobody answers. So what you'd expect to happen when you tell the browser, "Hey, switch to this new site," is it'll go, "Well, I'll try to connect to the site," and eventually it will time out. That typically takes one to two minutes, and during that time what you expect is you'll see the old web page and the old URL, and that's what most browsers did, except Edge, patched a month or so ago, and Safari. And so in Safari,
unfortunately, what you would see is something that looked more like this: you'd see the old content, which could be a phishing or a fake site, and you'd see the new URL, and only after the download timed out and you got an error message to display would the URL and the content actually line up. Now, I haven't got a picture of this, but on the mobile Safari browser on an iPhone it was even worse, because to save space it didn't actually show the colon 8000, so you didn't even realize you're going to a weird port of the site. So what this researcher said is, this is a way of having content from one place, which could be a phishing site, and a URL that suggests that you're actually somewhere else.
Even though you're not there yet. Can I just stop you? Had a quick question. Well, first of all, Andy says hello from Mechanicsburg, Pennsylvania, maynia, yes, just real Belt. I think from the name. That's why, I assume that's why it's called can expect. In England, we have Coalville. Guess what they used to mine there. Who knows? Who knows. So Theresa says: so this has been caught and fixed in most browsers, like Microsoft Edge, Internet Explorer, Firefox and Chrome, and Apple is catching up with fixing this in version 12. That's basically it. Now, just quickly, let me just then show that, even though this was kind of a bug and everyone got very excited about it, there are some things that you could have looked for in Safari and you should look for in every browser.
Anyway. And you can see here that, although you've got that new URL, at least in the non-mobile browser you can see the 8000, and you don't see a padlock, because it hasn't connected to the site. So there's no TLS, there's no security certificate that it's received that it could possibly display. And, of course, if you see a website with a web form on it, you shouldn't be putting data in there unless you think you're on a secure site. So that will be warning number one. The weird port, if it's visible, warning number two. And also you see that blue bar; other browsers use different visual cues.
That means, whatever is happening, something's still loading. So if you're going to put data into the form while a page is still loading, you're kind of putting it into something that's not complete, or you're not quite sure what it is. Yeah. So there were already warnings, even in Safari, that the page is still loading; the URL, there's a hint that it's what's coming next, what's here now. But as Teresa mentions, Apple have fixed that, which means that, if you've done an update, you will now be okay. And you should still look out for those things that I've mentioned with whatever browser you're using: is there a padlock?
The point is you're supposed to be able to do that. What a browser's not supposed to do is tell you you've already reached your new destination when it's still showing the old content. That was the very simple bug that Safari had: it updated the address bar before it had any content to match it, which meant that things could get out of sync. What other browsers were doing is they were waiting until there'd been an error, and then they would update the address bar and the screen to say there's been an error at the same time. So we're never in any doubt, and that's the change Apple has made to fix this. So, and I just want to ask a question of my own: what is an MITM attack? I guess man in the middle or man in the browser.
If you can actually intercept the traffic at the very end, either at the start or the end, obviously it has to be decrypted there. It has to be decrypted at the server, so the server knows what you're trying to ask for, and it has to be decrypted inside your browser so that it can actually display it, and that's a man-in-the-browser attack. Same idea: what somebody's doing is, somewhere between your screen, the outside surface of your screen, if you like, and the processing on the server, there's somebody who shouldn't be there trying to listen in. They can either do it in the middle, a man-in-the-middle attack, MITM, which is when they're snooping on the network, or they can do it in the browser, where they actually see the stuff after it's been decrypted.
So when you see MITM or MITB, that's what those things mean. Great. So back to URL spoofing. Yes, from Don, hello Don, he says: how would we get John/Jill Public to learn to realize what to look for so as to protect themselves from issues? Well, one, we actually write about things, whether directly or indirectly, about things like URL spoofing, email address spoofing, dodgy links in emails, things like that, regularly on Naked Security, for exactly that purpose. We feel that this is not a game that we've lost to the cyber crooks. If we just keep reminding people what to look for, then (a) people who have never given this a thought will improve in security, and (b) because the crooks keep changing their game every time we are par as they try and alter theirs.
It means that you people can keep sort of in sync with what the latest attacks are. So we regularly do articles on Naked Security, like the one we did for this particular bug, where we fill them up not just with a description, but we actually put pictures in sequence that show you: this is what will happen when things are going well; this is how you compare it with what happens when things are going badly. And our idea is trying to alert people where to look in their browser, where to look on the screen, what things to look for, the kind of tricks that the crooks for, what to do with emails, what not to do with emails and so forth. And so Rob Klein.
That is a shameless plug for Naked Security. I'll stop. 'Cause that's what I was hoping for. So Rob Klein is really shocked that no one has commented on your awesome t-shirt yet. Well, it is an awesome t-shirt, and you too can own one just like it by going to shop.sophos.com, or, let me be more formal, HTTP colon slash slash shop.sophos.com, and you can get t-shirts, cool socks, cool, be nice, you can even buy high-end bicycles, but that's not why most people go there. Those were used by some salespeople in a race that we participated in, an event that we participated in.
We figured you might like them. But the t-shirts, all this and many more other cool slogans, like "Malware is a dish best served never", for example, are all there. I think Rob's actually asked a question as well. He says: are there times that HTTP isn't really doing the job, and are there ways to know? Oh, that is a very open question. Usually, when you're faced with HTTP web certificate trickery, what usually happens, you may see, for example, if you go into a coffee shop and they've got free Wi-Fi, what they do is they let you connect to their network, and there's no password on the network, but the first time you try and go anywhere,
they basically redirect you to a fake site, and the fake site is their login, their captive portal, and their captive portal says, "Hey, you can't go to the bing.com search engine yet, you have to fill in this form." And of course, to do that, they have to pretend that they're bing.com for one web page, and they can't put up the right certificate, so you'll get a certificate warning. So they claim to be bing.com, but they don't have the right certificate signed in the right way. So often, when you go to a site that's presenting a bogus web certificate, it's pretty obvious, because no so-called certificate authority, who issue web certificates, will let just anybody have a website that says microsoft.com or sophos.com or bing.com or whatever it is. So one protection is if you get a warning that says there's something wrong with a web certificate. A couple of years ago,
loads of people would let their certificates expire, or they put the wrong name in, because it was all too hard, and we got in the habit of going, "Ah, certificate warning, who cares? It's only a website," and you'd click through, and if you're unlucky, your browser would remember that, so next time the crooks have got you, you won't get the warning again. So if you get a web certificate, security certificate warning, do not ignore it. They are there for a purpose. The other trick, obviously, this is much harder to deal with: what happens if a certificate authority, somebody who signs web certificates, goes rogue and they agree to sign a certificate for the wrong person?
It's very difficult to deal with that, but usually it's reasonably infrequent, and when it happens, it's all over the news. So keep your eyes open and watch out for web certificate authorities that can no longer be trusted. Okay, that's great. And then one final, very quick question for you, Duck: what should Mac and iPhone users do now? Well, get the update. Apple have traditionally been very good at getting updates out fast, and people tend to accept them. And since I'm in a hurry, because I know we're over time, I have now botched things up on the phone. And what do they say? More haste, less speed. Well, while you look at that, I'm going to tell you that Andy says his wife stole his Sophos socks.
They are in high demand. That doesn't count as stealing, does it? If your missus wears your clothes, you just have to go with that. Yeah. Okay! So what do you do on a Mac? Click on the Apple icon and go About Mac, Software Update, and wait to see if there's anything. Make sure that, you probably get them automatically, but it's worth having a check, and if you aren't on the list yet, because that will stagger the updates, you could jump the queue by saying on to update now. Same on an iPhone or iPad: you go to, what is it, Settings, General, Software Update, and after the updates you'll see something like that.
So you see there Safari 12. That's got the bug fix for this. And iOS 12 for the iPhone: that update includes a brand new version of Safari with this bug fix, and while you're about it you're getting loads of other security updates and feature updates too, so you might as well do it, because the crooks now know what bugs existed in iOS 12, iOS 11 and Safari 11 before the update was out. So don't be the low-hanging fruit. Get out there and get those updates. That's great. Thank you, Duck, as always, for your wisdom, and thanks everyone for commenting and for your questions, and if you have any more questions for Duck or the team, pop them in the comments box. You know we always check after the video has finished. And until next time,