Apple security and privacy
Regarding Safari and signature issues, I did a test with a fresh install of Sierra and High Sierra and performed all Apple updates. codesign indicated it was “valid on disk”. Updated OSes that have been in use showed “a sealed resource is missing or invalid.” It's interesting that variations exist.

This is a useful article on MacIssues:

I especially like the command to verify all apps (in the specified directory, not subdirectories):
Code:
find /Applications -d 1 -name "*.app" -exec codesign --verify --verbose {} \;
and for system policy assessment:
Code:
find /Applications -d 1 -name "*.app" -exec spctl --assess --verbose {} \;
 
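A script that wraps the two checks above into one report, added here as an example and not part of the original post or the MacIssues article. It runs `codesign --verify --verbose` and `spctl --assess --verbose` on every top-level .app bundle (the same set the BSD `-d 1` depth test selects) and parses the lines each tool prints on stderr. The sample outputs embedded in it are constructed so the parsing can be exercised on a machine without those tools, and the exact message strings are assumptions based on the tools' usual wording.

```python
"""Sweep a directory of apps for code-signature and Gatekeeper problems.

Added example, not from the original post: collects the results of the
find/codesign/spctl one-liners above into one report. The parsers are run
on constructed sample output so the script also works on non-macOS hosts.
"""
import os
import re
import subprocess
import sys

# Constructed sample of what `codesign --verify --verbose` writes to stderr.
SAMPLE_CODESIGN = """\
/Applications/Safari.app: valid on disk
/Applications/Safari.app: satisfies its Designated Requirement
/Applications/Foo.app: a sealed resource is missing or invalid
/Applications/Bar.app: code object is not signed at all
"""

# Constructed sample of what `spctl --assess --verbose` writes to stderr.
SAMPLE_SPCTL = """\
/Applications/Safari.app: accepted
source=Apple System
/Applications/Foo.app: rejected
source=Unnotarized Developer ID
/Applications/Bar.app: rejected
source=no usable signature
"""

OK_MESSAGES = {"valid on disk", "satisfies its Designated Requirement"}


def parse_codesign(output):
    """Map app path -> 'valid', or the first codesign error message seen.

    An error line always overrides an earlier success line for the same app.
    """
    verdicts = {}
    for line in output.splitlines():
        m = re.match(r"^(.+?\.app): (.+)$", line)
        if not m:
            continue
        path, msg = m.groups()
        if msg in OK_MESSAGES:
            verdicts.setdefault(path, "valid")
        elif verdicts.get(path, "valid") == "valid":
            verdicts[path] = msg
    return verdicts


def parse_spctl(output):
    """Map app path -> (accepted|rejected, source), pairing each verdict
    with the 'source=' line that follows it."""
    verdicts = {}
    current = None
    for line in output.splitlines():
        m = re.match(r"^(.+?\.app): (accepted|rejected)$", line)
        if m:
            current = m.group(1)
            verdicts[current] = (m.group(2), "")
        elif line.startswith("source=") and current:
            verdicts[current] = (verdicts[current][0], line[len("source="):])
    return verdicts


def apps_in(directory):
    """Top-level *.app bundles only, like `find <dir> -d 1 -name '*.app'`."""
    return sorted(e.path for e in os.scandir(directory)
                  if e.name.endswith(".app") and e.is_dir())


def sweep(directory="/Applications"):
    """Run both tools on every app (macOS only); {path: {'codesign', 'spctl'}}."""
    report = {}
    for app in apps_in(directory):
        cs = subprocess.run(["codesign", "--verify", "--verbose", app],
                            capture_output=True, text=True)
        sp = subprocess.run(["spctl", "--assess", "--verbose", app],
                            capture_output=True, text=True)
        report[app] = {
            "codesign": parse_codesign(cs.stderr).get(app, "no output"),
            "spctl": parse_spctl(sp.stderr).get(app, ("no output", "")),
        }
    return report


def problems(codesign_verdicts, spctl_verdicts):
    """Apps that fail either check: the ones worth a closer look."""
    bad = {p for p, v in codesign_verdicts.items() if v != "valid"}
    bad |= {p for p, (v, _) in spctl_verdicts.items() if v != "accepted"}
    return sorted(bad)


if __name__ == "__main__":
    if sys.platform == "darwin":
        for app, r in sweep().items():
            print(f"{app}: codesign={r['codesign']!r} spctl={r['spctl']}")
    else:
        print("not macOS; evaluating the constructed samples instead")
        print(problems(parse_codesign(SAMPLE_CODESIGN), parse_spctl(SAMPLE_SPCTL)))
```

Run it with `python3` on the Mac being checked. Anything returned by `problems()` is either a broken seal, an unsigned bundle, or something system policy would refuse to launch; that is the distinction the two original commands draw between a signature that is intact on disk and one Gatekeeper would actually accept, and an app can pass the first while failing the second.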


This is what my Settings > Security section looks like. The "Security Key" section goes to the screens I posted earlier where you can only add a mobile number for SMS delivery. I was unable to find anything that looks like what you described or any instructions that match that. A screenshot might be helpful in determining why yours looks so different.
There is a possibility that PayPal is doing a slow rollout of TOTP, and only certain people can use it.
 


Apple is about to force me, as a developer, into 2FA for my developer Apple ID ...
I've been using 2FA successfully on all my devices. However, I will note that when logging into my iCloud account on my MacBook Pro the verification code will pop up on-screen directly on top of (and completely hiding) the dialog box where I'm supposed to enter it. I always have to drag the window with the code off to the side then type the code into the dialog box. Your mileage may vary. And, yes, it does seem odd to have the verification code appear on the device being used to log into iCloud, but that's the way it works.
 


This is what my Settings > Security section looks like. The "Security Key" section goes to the screens I posted earlier where you can only add a mobile number for SMS delivery. I was unable to find anything that looks like what you described or any instructions that match that. A screenshot might be helpful in determining why yours looks so different.
It appears that 2FA is available if you use Braintree as your credit card processor. Otherwise, you can set up a security key with a phone or device.
 


I don't think 2FA will work if you are outside of the US and use a local SIM card in order to get less expensive data on your phone, because your phone number will not be the one registered for 2FA. (Maybe I'm missing something.)
If you have a data connection, you do not need a phone number - that's how your Mac or iPad can work with 2FA.

If you know your "foreign" phone number you can register that as a "trusted number"....
 


Ric Ford

MacInTouch
Another silent Gatekeeper update for macOS:
Howard Oakley said:
Apple has pushed an update to Gatekeeper’s data
Apple has pushed an update to the data used by Gatekeeper, bringing its version number to 163, dated 20 February 2019. Apple provides no details as to what changes this update brings, but it is normally expected to include recent revocations of security certificates used in signing software.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
 


It appears to be related to iOS telemetry, as the domain "ckdatabase.fe.apple-dns.net" appears on this blacklist of hostnames to block if you want to block telemetry. I suppose it may be related to the setting that asks if you want to send usage data to Apple during OS installation/setup. On iOS, you can find those settings under Settings > Privacy > Analytics.
Thanks for the reply. I checked my Macs and iOS devices, and they all have analytics disabled, so I don't think it's related to that option.
 


It appears that 2FA is available if you use Braintree as your credit card processor. Otherwise, you can set up a security key with a phone or device.
PayPal still has a page available where you can add a Symantec VIP token, but the page doesn't appear to be linked anywhere on the main site. I've been using two YubiKey VIP tokens, but yesterday added a separate VIP token generated with a Python script so I could add the TOTP secret key to 1Password. I haven't been able to find backup codes referenced anywhere on PayPal since they started pushing SMS "authentication", so I keep 3 keys active at PayPal including one of their original DisplayCard tokens. I discovered yesterday that the battery in that token was dead, which is what drove me to add a new token. The 1Password TOTP setup is easy and makes 2FA easy to use.

https://www.paypal.com/webscr?cmd=_setup-security-key
https://github.com/dlenski/python-vipaccess
 
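For anyone following the VIP-token route above, this is what the "TOTP secret key" pasted into 1Password actually drives: a standard RFC 6238 generator. The code below is an added example, not code from the post or from python-vipaccess, and it is checked against the RFC's published test vector rather than a real PayPal token. It assumes the usual parameters (6 digits, 30-second step, HMAC-SHA1); `verify_totp` shows the server side with a one-step skew window, which is why a code entered a few seconds late is still accepted.

```python
"""Generate and verify RFC 6238 TOTP codes from a base32 secret.

Added example, not from the original post or python-vipaccess: a
dependency-free implementation of the algorithm a password manager's TOTP
field runs once it has been given the token's secret.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 Appendix B test secret ("12345678901234567890" in ASCII), base32-encoded.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    # Tolerate the unpadded, lower-case, space-separated secrets that
    # provisioning QR codes and setup pages tend to hand out.
    secret = secret_b32.strip().replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)
    key = base64.b32decode(secret)
    t = int(time.time()) if at is None else at
    return hotp(key, t // step, digits, algo)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1, **kw) -> bool:
    """Server-side check: accept the code for the current step and up to
    `window` steps either side (clock skew), comparing in constant time."""
    t = int(time.time()) if at is None else at
    step = kw.get("step", 30)
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, t + k * step, **kw), code):
            return True
    return False


if __name__ == "__main__":
    print("current code for the RFC test secret:", totp(RFC6238_SECRET_B32))
```

Two things follow from this that matter for the PayPal setup described in the post. The secret is a long-lived shared key, so whoever holds the 1Password item (or a backup of it) holds the second factor; that is convenient for recovery but means the vault now protects the account. And because the code is just a function of the secret and the clock, a TOTP entered into a phishing page is relayed as easily as a password, unlike a hardware security key bound to the site's origin.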


Ric Ford

MacInTouch
Malwarebytes covers a confusing and mostly invisible array of Apple security mechanisms in macOS:
Thomas Reed said:
How does macOS protect against malware?
Mac users often are told that “Macs don’t get viruses.” This is not really true, of course. Macs can and do get infected. However, it is true that macOS provides some basic protection against malware. This protection can be quite effective in some ways, but, unfortunately, quite ineffective in others. Let’s take a look at how macOS features protect you from malware, and how malware can get past these features.
 


Malwarebytes covers a confusing and mostly invisible array of Apple security mechanisms in macOS:
Thomas' article is an excellent summary of macOS security in Mojave and to some degree earlier systems. The only thing I can add is a somewhat more technical blog on MRT and the identity of the mysterious MACOS.35846e4 malware:
Philip Stokes for SentinelOne said:
Uncovering Apple's Mysterious Malware Removal (MRT) Tool Update
Apple’s little known malware removal tool gets a signature update. But what is this new malware family MACOS.35846e4? Find out on this journey inside MRT.

We’ve noted before that Apple’s built-in security technologies have been missing some updates of late, and we weren’t the only ones. So, when Apple dropped a couple of updates to MRT and XProtect last week, the macOS community raised a collective eyebrow of interest. With XProtect having hardly seen a significant update since March of 2018, there were high hopes that Apple were finally playing catch-up with the rounds of macOS malware that have appeared since XProtect’s last update.
Philip is the developer of DetectX Swift.
 


I don't think 2FA will work if you are outside of the US and use a local SIM card in order to get less expensive data on your phone, because your phone number will not be the one registered for 2FA. (Maybe I'm missing something.) If you have a data connection, you do not need a phone number - that's how your Mac or iPad can work with 2FA. If you know your "foreign" phone number you can register that as a "trusted number"....
Here’s an example of some pain and suffering related to 2FA:

My wife is unable to log into her CapitalOne account via the online portal, because the 2FA code is being sent to her US phone number, and we are in Thailand. The customer service representative tried changing the notifications to her email address, but the "fix" did not work. It still went to the phone.

So another call to a different service representative is needed, one with more privileges. So 35 minutes on Skype wasted. Aggravation level increased for little valid reason.

Without 2FA this problem would not exist. There’s got to be a better way.
 


It appears that 2FA is available if you use Braintree as your credit card processor. Otherwise, you can set up a security key with a phone or device.
That is only for Braintree accounts, which is a payment processor gateway, a separate subsidiary service from PayPal's normal services. (Braintree was a PayPal acquisition.) You can merge your Braintree account to a PayPal login, but as their help document states, you will lose all the 2FA options that Braintree provides, and only have the brain-dead PayPal option (SMS delivery).

PayPal still has a page available where you can add a Symantec VIP token, but the page doesn't appear to be linked anywhere on the main site.

https://www.paypal.com/webscr?cmd=_setup-security-key
https://github.com/dlenski/python-vipaccess
That page is from the old PayPal site before they rolled out the redesign in 2013. The fact that the hardware token options were not carried over to the current site gives me pause. The fact that you have to hack that old option to associate it with a software token does not instill me with confidence. Why can't PayPal just roll out proper software Authenticator app support like every other company?

If you want to try the software hack, I found these step-by-step instructions. Hardly a simple process, though you can use the online tool in the first link to make it easier (if you trust the website):
 


Here’s an example of some pain and suffering related to 2FA:

My wife is unable to log into her CapitalOne account via the online portal, because the 2FA code is being sent to her US phone number, and we are in Thailand. The customer service representative tried changing the notifications to her email address, but the "fix" did not work. It still went to the phone.

... Without 2FA this problem would not exist. There’s got to be a better way.
This isn't a problem with 2FA, but with the fact that your account is configured to use SMS text messages as the second factor.

According to TwoFactorAuth.org, Capital One supports SMS, e-mail and a soft-token (typically a mobile app) as your second factor. You may want to contact them to see what's involved in changing the mechanism used for your account.

It appears that Capital One's soft-token is the SwiftID component of their mobile app.
 


Ric Ford

MacInTouch
Thomas' article is an excellent summary of macOS security in Mojave and to some degree earlier systems. The only thing I can add is a somewhat more technical blog on MRT and the identity of the mysterious MACOS.35846e4 malware:
Uncovering Apple's Mysterious Malware Removal (MRT) Tool Update
And here's another silent MRT update:
Eclectic Light Co. said:
Apple has pushed an update to MRT
A day after updating Gatekeeper’s data, Apple has just pushed an update to its malware removal tool, MRT, for macOS, bringing its version number to 1.40.

Apple doesn’t provide any information on what changes this update brings. As it now obfuscates the names of malware which it can detect and remove, it appears impossible to correlate changed strings in the app with any malware known outside Apple.
 
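Both of the silent updates mentioned above (Gatekeeper data 163, MRT 1.40) can also be read off the installed bundles from a shell, which is quicker than paging through System Information. The script below is an added example, not from the quoted posts; the bundle paths and plist keys it reads are assumptions about where Mojave and later releases keep these components, and the embedded version.plist is a constructed sample used only so the parsing can be checked on any platform.

```python
"""Report the versions of Apple's silently updated security data.

Added example, not from the original posts: a command-line alternative to
the System Information > Installations check. Paths and keys are assumed
locations for Mojave and later; a missing file is reported, not an error.
"""
import os
import plistlib

# Where each component records its version (assumed; first existing path wins).
COMPONENTS = {
    "Gatekeeper data (gkopaque)": (
        ["/private/var/db/gkopaque.bundle/Contents/version.plist"],
        "CFBundleShortVersionString"),
    "MRT": (
        ["/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist",
         "/System/Library/CoreServices/MRT.app/Contents/Info.plist"],
        "CFBundleShortVersionString"),
    "XProtect": (
        ["/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist",
         "/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist"],
        "Version"),
}

# Constructed sample version.plist, carrying the Gatekeeper version from the post.
SAMPLE_VERSION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleShortVersionString</key>
    <string>163</string>
    <key>CFBundleVersion</key>
    <string>163</string>
</dict>
</plist>
"""


def version_from_plist(data: bytes, key: str) -> str:
    """Return the value under `key` as a string, or 'unknown' if absent."""
    return str(plistlib.loads(data).get(key, "unknown"))


def installed_versions(components=COMPONENTS):
    """{name: version} for each component; 'not found' if no plist exists."""
    found = {}
    for name, (paths, key) in components.items():
        for p in paths:
            if os.path.exists(p):
                with open(p, "rb") as f:
                    found[name] = version_from_plist(f.read(), key)
                break
        else:
            found[name] = "not found"
    return found


def is_at_least(installed: str, expected: str) -> bool:
    """Dotted-version compare, so '1.40' ranks above '1.4' and '1.39'."""
    def parts(v):
        return [int(x) for x in v.split(".") if x.isdigit()]
    return parts(installed) >= parts(expected)


if __name__ == "__main__":
    for name, ver in installed_versions().items():
        print(f"{name}: {ver}")
```

Comparing the printed numbers against the versions reported in posts like the ones quoted above (e.g. `is_at_least(ver, "163")` for the Gatekeeper data) is a quick way to confirm a Mac that has been off the network has actually received the update, since Apple publishes nothing about these pushes.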



Why can't PayPal just roll out proper software Authenticator app support like every other company?
I wish that PayPal being the exception were the case. In my experience most of the financial institutions I deal with offer no 2FA, and the practice of only offering SMS based 2FA is distressingly common.
 


Here’s an example of some pain and suffering related to 2FA:
My wife is unable to log into her CapitalOne account via the online portal, because the 2FA code is being sent to her US phone number, and we are in Thailand. The customer service representative tried changing the notifications to her email address, but the "fix" did not work. It still went to the phone.
So another call to a different service representative is needed, one with more privileges. So 35 minutes on Skype wasted. Aggravation level increased for little valid reason.
Without 2FA this problem would not exist. There’s got to be a better way.
I've started switching all my 2FA phone numbers to a Google Voice number for exactly this reason. Even when I'm traveling, I can always access my Google Voice texts, email and/or the web site and/or app.
 


Thanks for the reply. I checked my Macs and iOS devices, and they all have analytics disabled, so I don't think it's related to that option.
I deleted some of the applications Apple sends out with every OS install. Little Snitch reported SubmitDiagInfo was attempting to phone home to radarsubmission.apple.com - even though I had submit analytics off in System Preferences.
The Register [10/5/2016] said:
Is Apple's software getting worse or what?
Apple maintains an internal database of bugs called Radar that could be used to assess the frequency of bug reports over time. But the company does not make Radar public.

In an effort to promote greater transparency, developer Tim Burks in 2008 launched Open Radar, a way to make Radar submissions to the developer community. Even so, it's hardly a comprehensive way to assess whether alleged problems stem from the quality of Apple's code or from users who may just be holding their iPhones the wrong way.
 


I have removed SMS 2FA to the greatest extent possible from all my sensitive online accounts. A combination of iOS-based soft tokens, Verisign hardware tokens, and Google Voice have allowed me to be almost completely decoupled from SMS. Ironically, the one site that insists on clinging to SMS, and hence is extremely vulnerable to SIM swapping scams, belongs to my mobile phone provider!
 


I deleted some of the applications Apple sends out with every OS install. Little Snitch reported SubmitDiagInfo was attempting to phone home to radarsubmission.apple.com - even though I had submit analytics off in System Preferences.
I have seen this exact behavior going back to El Capitan (and posted about it here). On Mojave, I don't have a permanent Little Snitch rule but I seem to recall one or two instances of attempted connections to radarsubmissions, which I blocked. So maybe Apple seemingly going behind our backs may be less of an issue, but I believe it still happens (at least in this regard).
 


I have seen this exact behavior going back to El Capitan (and posted about it here). On Mojave, I don't have a permanent Little Snitch rule but I seem to recall one or two instances of attempted connections to radarsubmissions, which I blocked. So maybe Apple seemingly going behind our backs may be less of an issue, but I believe it still happens (at least in this regard).
Apple has a long history of knowing better than its users. "You may think that you don't want to share this info, but we know that, deep down, you really do."
 


I have removed SMS 2FA to the greatest extent possible from all my sensitive online accounts. A combination of iOS-based soft tokens, Verisign hardware tokens, and Google Voice have allowed me to be almost completely decoupled from SMS. Ironically, the one site that insists on clinging to SMS, and hence is extremely vulnerable to SIM swapping scams, belongs to my mobile phone provider!
It doesn't work for me. I tried adding my Google Voice number to PayPal as a contact number and I get the dreaded red triangle with an "!". No explanation as to why. In the past I have had trouble using Google Voice as a contact number with other companies.

Key Bank doesn't seem to offer 2FA. BofA does and I was able to change the 2FA-SMS to my Google Voice number.
 


Bombich Software just posted version 5.1.8 of their excellent backup/cloning app - Carbon Copy Cloner. In the release notes I spotted this interesting (disturbing?) tidbit:
Errors related to accessing Apple's super-secret /private/var/db/fpsd/dvp folder are now suppressed. No application is allowed to see the contents of this folder, you won't even be able to see this folder in the Finder. Apple has not documented the purpose nor content of this super-secret folder.
 


Ric Ford

MacInTouch
Bombich software just posted version 5.1.8 of their excellent backup/cloning app - Carbon Copy Cloner. In the release notes I spotted this interesting (disturbing?) tidbit:
Yes, I mentioned that on the MacInTouch Home Page this morning. Just now, I changed ACL for the relevant folder in Mojave (it wasn't present in Sierra), using Path Finder, and looked at it from the command line, so at least it's accessible with effort, though it's still mysterious.
Bash:
pwd
/private/var/db/fpsd
ls -l@
total 0
drwx------  2 _fpsd  _fpsd   64 Jan 22 10:23 SC Info
drwxrwxrwx@ 5 _fpsd  _fpsd  160 Dec 28 17:47 adi
    com.apple.metadata:com_apple_backup_excludeItem     61
cd adi
ls -l@
total 8
-rw-rw-rw-@ 1 _fpsd  _fpsd     0 Nov 14 19:07 adi-gb.lck
    com.apple.lastuseddate#PS      16
-rw-rw-rw-@ 1 _fpsd  _fpsd  3365 Nov 28 22:21 adi.pb
    com.apple.FinderInfo      32
    com.apple.lastuseddate#PS      16
-rw-rw-rw-@ 1 _fpsd  _fpsd     0 Nov 14 19:13 adi.pb.lck
    com.apple.lastuseddate#PS      16
 


Yes, I mentioned that on the MacInTouch Home Page this morning. Just now, I changed ACL for the relevant folder in Mojave (it wasn't present in Sierra), using Path Finder, and looked at it from the command line, so at least it's accessible with effort, though it's still mysterious.
Bash:
pwd
/private/var/db/fpsd
ls -l@
total 0
drwx------  2 _fpsd  _fpsd   64 Jan 22 10:23 SC Info
drwxrwxrwx@ 5 _fpsd  _fpsd  160 Dec 28 17:47 adi
    com.apple.metadata:com_apple_backup_excludeItem     61
cd adi
ls -l@
total 8
-rw-rw-rw-@ 1 _fpsd  _fpsd     0 Nov 14 19:07 adi-gb.lck
    com.apple.lastuseddate#PS      16
-rw-rw-rw-@ 1 _fpsd  _fpsd  3365 Nov 28 22:21 adi.pb
    com.apple.FinderInfo      32
    com.apple.lastuseddate#PS      16
-rw-rw-rw-@ 1 _fpsd  _fpsd     0 Nov 14 19:13 adi.pb.lck
    com.apple.lastuseddate#PS      16
Web searching 'adi.pb mac' yields this tidbit: /Users/Shared/adi - galvanist

May be artifacts of App Store and iBooks and formerly stored in
/Users/Shared/adi?
 


Yes, I mentioned that on the MacInTouch Home Page this morning. Just now, I changed ACL for the relevant folder in Mojave (it wasn't present in Sierra), using Path Finder, and looked at it from the command line, so at least it's accessible with effort, though it's still mysterious.
...
/private/var/db/fpsd
I wonder if fps stands for FairPlay Streaming?
_fpsd user?
... So here's my take upon further investigation: The _fpsd daemon is directly linked to iTunes, as part of the Core framework.
 


Bombich Software just posted version 5.1.8 of their excellent backup/cloning app - Carbon Copy Cloner. In the release notes I spotted this interesting (disturbing?) tidbit:
Yes, I mentioned that on the MacInTouch Home Page this morning.
That caught my eye yesterday, so I went to the link to see it, but the quoted note is not there: no mention of anything "secret", and the only mention of "private" is under v.5.1.4 ("Errors related to being unable to access Apple-private folders in the user home folder are now suppressed."). So now even talking about this "super-secret" folder is "suppressed"?
 

