
Apple security and privacy

Apple, Security

Ric Ford

There are some issues with Apple's "Sign In with Apple" scheme (emphasis added):
OpenID Foundation said:
Open Letter from the OpenID Foundation to Apple Regarding Sign In with Apple

Dear Mr. Federighi,

The OpenID Foundation applauds Apple’s efforts to allow users to log in to third-party mobile and Web applications with their Apple ID using OpenID Connect.

Over the course of the last decade, OpenID Connect was developed by a large number of companies and industry experts within the OpenID Foundation (OIDF). OpenID Connect is a modern, widely-adopted identity protocol built on OAuth 2.0 that enables third-party login to applications in a standard way.

It appears Apple has largely adopted OpenID Connect for their Sign In with Apple implementation offering, or at least has intended to. Known differences between the two are tracked in a document managed by the OIDF certification team, found here:

The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks. It also places an unnecessary burden on developers of both OpenID Connect and Sign In with Apple. By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software.

Therefore the OpenID Foundation invites Apple to:
  1. Address the gaps between Sign In with Apple and OpenID Connect based on the feedback.
  2. Use the OpenID Connect Self Certification Test Suite to improve the interoperability and security of Sign In with Apple.
  3. Publicly state that Sign In with Apple is compatible and interoperable with widely-available OpenID Connect Relying Party software.
  4. Join the OpenID Foundation.
The OpenID Foundation and the community at large would appreciate Apple’s feedback.

Thank you for your consideration.

Nat Sakimura
OpenID Foundation Chairman

Ric Ford

Ars Technica covers a surge in Mac malware...
Dan Goodin said:
In-the-wild Mac malware kept busy in June—here’s a rundown

... Friday’s Intego post lists one of at least six macOS threats that have come to light this month. Others include:
  • OSX/Linker, a Mac malware family that exploits a zero-day vulnerability in Gatekeeper so that it can install unsigned malware. The exploit technique, which was disclosed by researcher Filippo Cavallarin last month, works by loading installers from a network-shared disk, which is off limits to Gatekeeper.
  • A cryptocurrency miner dubbed LoudMiner by ESET and Bird Miner by Malwarebytes, the two firms that independently discovered it. The miners, found in a cracked installer for the high-end music production software Ableton Live, work by emulating Linux.
  • Malware dubbed OSX/Newtab, which tries to inject tabs into the Safari browser. Some of the file names disguise themselves as government forms or recipe apps. All samples have an identifier of com.NTAppStubInstaller and were digitally signed with the Apple Developer ID cosmina beteringhe (HYC4353YBE).
  • Backdoors dubbed NetWire and Mokes that were installed in in-the-wild attacks exploiting a pair of potent Firefox zero-days to target people involved with cryptocurrencies. Both backdoors were able to bypass Gatekeeper and were undetected by antivirus engines at the time the attacks went live.

We were told there is a way to log in without a screen, and sometimes it works. Boot the computer, wait until it reaches the login screen (take a wild guess at how long to wait), then hit the left arrow key once or twice to move the cursor to the account on the left end of the row of user accounts, then enter the password for that account.
If you're referring to the list of accounts appearing at the login window, you can also type the first/initial letter(s) of an account to select it. Then press return to get access to the password field (which I presume is also necessary when using the arrows, but you don't mention it).

Got my Late 2018 MacBook Pro back today. Apple replaced the screen half of the computer so the ugly dented corner is gone. Pretty is most important, just ask Ive.

Test 1: Target Mode. Now that I can see the screen, I know the system really is in Target Mode. It cannot be unlocked from my main computer. Disable FileVault, and it works just fine. Re-enable FileVault, and it no longer works.

Changed boot security to allow booting from external disk, and Target Mode works! Maybe because the second computer is a 2018 Mac Mini? Maybe it matters which port I use for Thunderbolt?

Test 2: External Monitor. The monitor does not respond until the login process is nearly complete and the user desktop appears on the built-in screen. Interesting note - if all users log out, the external monitor is still active. So it appears that one user must log in to enable the external monitor, and it stays active until the system is powered down. There may be some eventual timeout, I didn’t test that.

Test 3: Log in without monitor. Using the right/left arrow keys to select a user account after the system reaches the login screen works well when I can see what is going on. Maybe it didn’t work last week because we hit one key too many or at the wrong time. After using the arrow key, hitting any key other than the Return key blocks all input until I hit an arrow key again (usually when entering a password that fails, hitting the Return key will let you start again, but in this situation hitting the arrow key lets you start again), with one exception. Ted M said that hitting a key matching the first letter of an account will jump to that account instead of using the arrow keys, and that works.

Ric Ford

Log in without monitor. Using the right/left arrow keys to select a user account after system reaches login screen...
Note that there are two different login modes, controlled via System Preferences > Users & Groups > Login Options > Display login window as > List of users | Name and password

Ric Ford

Apple still hasn't responded to the "Sign in with Apple" issues raised by OpenID:
Sophos said:
Privacy and security risks as Sign In with Apple tweaks Open ID protocol

... The OIDF published this list of ways in which Sign In with Apple differs from OpenID Connect and what security and/or privacy risks those deviations entail.

For example, Apple’s tweaks to OpenID means that the protocol can’t thwart Cross Site Request Forgery (CSRF) attacks.

We saw an example of what that could lead to in February when a researcher discovered that Facebook had a CSRF flaw that could have allowed an attacker to hijack accounts in multiple ways. As we said at the time, CSRF flaws enable attackers to trick users into making unintended actions on websites they may be logged into but aren’t using (imagine clicking a link on a malicious website and it triggering a bank transfer at the bank website you forgot to log out of).

Another one of Apple’s spec violations enables attackers to pull off code injection attacks. This type of vulnerability can prove disastrous: for example, it allows computer worms to propagate.

Apple’s deviations from OpenID protocol could also lead to privacy problems, given that users’ ID Token and Authorization Code – and, hence, personal data – could potentially leak… personal data that could be used for a code insertion attack, the OpenID Foundation says. Which is ironic, given that Sign In with Apple is supposed to present a privacy-conscious alternative to the services offered by Facebook and Google.
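To make the CSRF and replay point concrete, here is an added illustration (not Apple's, Sophos's or the OIDF's code) of the two OpenID Connect checks a relying party performs on a login callback: the `state` returned must match the one bound to the user's session when the login began, and the `nonce` inside the ID token must match the one sent in the request. ID-token signature verification is assumed to have already happened; the token is a constructed claims dict, not a real JWT.

```python
# Added illustration of OpenID Connect's relying-party checks against
# login CSRF (state) and ID-token replay (nonce). Not Apple's implementation.
import secrets
import hmac


def begin_login(session: dict) -> dict:
    """Generate fresh state and nonce, bind them to this browser's session,
    and return the parameters the RP adds to the authorization request."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    return {"state": session["oidc_state"], "nonce": session["oidc_nonce"]}


def finish_login(session: dict, callback_state: str, id_token_claims: dict) -> bool:
    """Return True only if the callback belongs to the login this session started.
    Both stored values are consumed (pop), so a second callback carrying the
    same state/nonce is rejected as a replay."""
    expected_state = session.pop("oidc_state", None)
    expected_nonce = session.pop("oidc_nonce", None)
    if expected_state is None or expected_nonce is None:
        return False  # no login in progress: an unsolicited callback
    got_state = (callback_state or "").encode()
    if not hmac.compare_digest(expected_state.encode(), got_state):
        return False  # forged or cross-session callback (login CSRF)
    got_nonce = str(id_token_claims.get("nonce", "")).encode()
    if not hmac.compare_digest(expected_nonce.encode(), got_nonce):
        return False  # token minted for a different login, or replayed
    return True


if __name__ == "__main__":
    # Constructed session: a legitimate round trip succeeds, a forged one fails.
    session = {}
    params = begin_login(session)
    print(finish_login(session, params["state"], {"nonce": params["nonce"]}))
    print(finish_login(session, params["state"], {"nonce": params["nonce"]}))
```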

Ric Ford

This looks like a reason to get up to date with iOS, and the Mac could be affected, too, but not so extremely:
Malcolm Owen said:
Fixed iMessage bug bricked iPhones using malformed message

Details of a now-patched bug in iMessage have been revealed by a Google Project Zero researcher, a problem that could have forced users to wipe and restore their iPhones to get them working again, if they received a malformed message. ... As per usual disclosure rules, the bug was held from public view until either 90 days had elapsed or a patch had been made broadly available to the public, with Apple's release in an iOS 12.3 update fixing the bug and allowing for it to be revealed.

Ric Ford

Here's a look at the security of Apple's upcoming credit card:
Ryan McKamie and Swapnil Deshmukh said:
Deconstructing Apple Card: A Hacker’s Perspective

... Broadly, the security takeaways from Apple Card are threefold: First, from an architecture perspective, Apple thought through all the moving parts and managed to achieve security without compromising user experience. Second, rather than introducing a very fragmented ecosystem for payment, they narrowed the players to only Mastercard and Goldman Sachs, which reduces the number of dependencies and overall business risk. Finally, by integrating hardware-based security controls such as tamper resistance and SE, Apple ensured the foundational security of Apple Card is not software-driven, which may have proved more error prone than hardware controls. The only caveat to this approach is that if a bug is found in the hardware, a fix cannot easily be applied.

I have encountered a disturbing potential bug with iCloud keychain. More independent testing is needed/appreciated.

- A client has multiple email accounts and two Macs (Mini & Air). The configuration for the mail servers has changed over the years (POP -> IMAP, different SMTP addresses, different SSL status, etc.)
- Client purchased a used Mac Mini to replace an ancient Mac Mini that could not go past OS X 10.11. This newer Mini has a fresh install of macOS 10.13.6.
- After I re-set-up her Mail accounts in System Preferences / Internet Accounts, Apple Mail displayed duplicate SMTP servers, and her Mail accounts were not sticking to the freshly-set-up SMTP servers.
- I tried to remove the old / incorrect SMTP server listings in Apple Mail. Fail. They kept returning, like zombies, after their removal, quitting Mail, and then re-launching Mail.
- I discovered that if I un-checked the Keychain synchronization option in System Preferences / iCloud, then the removed SMTP servers would stay gone. Thus, iCloud Keychain was involved.
- I entered the Keychain Access app / iCloud and fully expected to see the old SMTP servers. No. A search found nothing.
- I contacted Apple Support. After an hour of fiddling with permissions and the Keychain and Mail, the representative escalated the ticket.
- I kept poking around and discovered that Keychain Access has "Show Hidden Items" under the View menu. Boom! The SMTP servers appeared. I removed them. All is now as I wished; no more ancient & incorrect SMTP servers in Apple Mail.

Here's where it gets interesting and disturbing. Before I discovered the hidden Keychain entries, I decided as a troubleshooting step to create a brand-new Apple ID / iCloud account for the client, thus eliminating whatever SMTP servers were confoundingly still appearing in Apple Mail.

- I noted that the client's current iCloud keychain had other old saved items, like WiFi passwords, FTP passwords, and application passwords. I confirmed none of these were important. I did a Select All and a Delete to completely clear the iCloud keychain.
- I made sure that every single entry in Internet Accounts was completely removed from the Air and the Mini, as well as a complete sign-out of iCloud on both devices. Then, after a reboot, I confirmed iCloud was still signed out.
- I signed in to iCloud on the Mini with the brand-new, never-used Apple ID. I ticked only the checkbox for Keychain.
- To my shock, upon launching Keychain Access, every single old entry from the cleared and removed iCloud keychain had populated this new iCloud keychain!

This is either a procedural error on my part, or there is something very wrong with security here. I would think a simple logging out of iCloud on all Apple devices and then a logging in to a brand-new iCloud account on one of those devices would absolutely not grab and transfer saved passwords from the logged-out account.

I'd appreciate feedback and testing of this procedure to confirm it is happening / not happening elsewhere for other folks.

Ric Ford

Use Sloth or the lsof terminal command to list open files on the volume that you're trying to eject.
For example:
lsof > ~/Desktop/lsof.txt
deleted 295152 /System/Library/PrivateFrameworks/CacheDelete.framework/deleted
Spotlight 32768 /Users/uuuu/Library/Caches/
Spotlight 53248 /Users/uuuu/Library/Caches/
Spotlight 32768 /Users/uuuu/Library/Caches/
loginwind 214794240 /private/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/0/
loginwind 663060480 /private/var/db/dyld/dyld_shared_cache_x86_64h
cfprefsd 663060480 /private/var/db/dyld/dyld_shared_cache_x86_64h
Finder 25923264 /usr/share/icu/icudt57l.dat
Finder 663060480 /private/var/db/dyld/dyld_shared_cache_x86_64h
cloudd 47984 /System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd
cloudd 698896 /usr/lib/dyld
cloudd 32768 /Users/uuuu/Library/Caches/CloudKit/CloudKitMetadata-shm
cloudd 32768 /Users/uuuu/Library/Caches/CloudKit/CloudKitOperationInfo-shm
cloudd 25923264 /usr/share/icu/icudt57l.dat
cloudd 663060480 /private/var/db/dyld/dyld_shared_cache_x86_64h
cloudd 57344 /Users/uuuu/Library/Caches/CloudKit/CloudKitMetadata
cloudd 3040592 /Users/uuuu/Library/Caches/CloudKit/CloudKitMetadata-wal
cloudd 32768 /Users/uuuu/Library/Caches/CloudKit/CloudKitMetadata-shm
cloudd 36864 /Users/uuuu/Library/Caches/CloudKit/CloudKitOperationInfo
cloudd 482072 /Users/uuuu/Library/Caches/CloudKit/CloudKitOperationInfo-wal
cloudd 32768 /Users/uuuu/Library/Caches/CloudKit/CloudKitOperationInfo-shm
Actually, Sloth is a much nicer way to investigate, also showing (on macOS Sierra, for example), that Apple has Game Center (gamed) files open and active on my Mac, even though I've never enabled or used Game Center and want nothing to do with it.

It showed me videosubscriptionsd open files, and I don't do anything with any video purchases, etc.

And active/open iCloud files, even though I tried to turn off iCloud, and I'm not doing anything (that I know of) with it.

Then there's photoanalysisd, silently analyzing photos on my drive (apparently including AI-driven face recognition while it accesses my Address Book) and saving data in a hidden location, alongside Photos Agent and cloudphotosd, when I'm not intentionally doing anything with iCloud nor Apple Photos nor iPhoto nor anything related.

(Activity Monitor also helps show what Apple's doing behind the scenes with hidden programs like these.)

Thanks, Apple, for running all these hidden programs to silently access and analyze personal/private data and write data to hidden Apple files and phone home to iCloud and Apple, for things I don’t need, don’t want, didn’t authorize or enable, and can’t see without arcane tricks and tools. Not creepy at all, right? There's 1984, and then there's Nineteen Eighty-Four — Apple seems to have transitioned from the former to the latter....

#apple #security #privacy #daemons
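As an added example (not from the original post), the following script turns the machine-readable output of `lsof -F pcn` into a per-process list of open files under a given mount point, so you can see exactly which processes are holding a volume busy before ejecting it. The sample output embedded below is constructed, not captured from any real machine.

```python
# Added example: summarise which processes hold files open under a mount point,
# using `lsof -F pcn` output (one field per line: p = PID, c = command,
# n = file name; each 'p' line starts a new process record; other field tags
# that lsof may emit, such as 'f', are ignored).
from __future__ import annotations
from collections import defaultdict

# Constructed sample of `lsof -F pcn` output (not real output from any machine).
SAMPLE_LSOF_F = """\
p501
cmds
n/Volumes/Backup/Library/Application Support/mds/store.db
n/private/var/db/dyld/dyld_shared_cache_x86_64h
p842
cFinder
n/Volumes/Backup/Photos
p903
ccloudd
n/Users/uuuu/Library/Caches/CloudKit/CloudKitMetadata
"""


def parse_lsof_fields(text: str) -> list[tuple[int, str, str]]:
    """Parse -F pcn records into (pid, command, path) triples."""
    records = []
    pid, cmd = None, None
    for line in text.splitlines():
        if not line:
            continue
        tag, value = line[0], line[1:]
        if tag == "p":
            pid, cmd = int(value), None   # new process record begins
        elif tag == "c":
            cmd = value
        elif tag == "n" and pid is not None:
            records.append((pid, cmd or "?", value))
    return records


def holders_of(text: str, mount_point: str) -> dict[str, list[str]]:
    """Map 'command (pid)' -> the paths it has open under mount_point."""
    root = mount_point.rstrip("/")
    held: dict[str, list[str]] = defaultdict(list)
    for pid, cmd, path in parse_lsof_fields(text):
        if path == root or path.startswith(root + "/"):
            held[f"{cmd} ({pid})"].append(path)
    return dict(held)


if __name__ == "__main__":
    # Real use: `lsof -F pcn > ~/Desktop/lsof.txt`, then read that file here.
    for who, paths in holders_of(SAMPLE_LSOF_F, "/Volumes/Backup").items():
        print(who)
        for p in paths:
            print("   ", p)
```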

- I made sure that every single entry in Internet Accounts was completely removed from the Air and the Mini, as well as a complete sign-out of iCloud on both devices. Then, after a reboot, I confirmed iCloud was still signed out.
How did you completely sign out of iCloud? Simply signing out of iCloud isn't enough (way to go, Apple!). You need to sign out in multiple places and remove the computer from the Apple ID devices list:
  1. Sign out of iCloud, iTunes, Messages (and FaceTime too).
  2. Remove your computer from your Apple ID devices list.
  3. Pray you've done everything, because, I guess, the OS itself can be associated with your ID + what's stored in all these new chips e.g. T2. For example, in the past, I've done all of the above and within 10 minutes of reconnecting a MacBook Pro 2016 to the internet where all the above has been meticulously done, it has reappeared in the Apple ID devices list!

If they would just pop a notification up that the definitions were updated, like every other anti-malware software, this wouldn’t be such an issue.

Maybe they should develop a system for notifying users of important info, say, a small window that might pop up on screen, and not disappear until you clicked a button that acknowledged you were at least aware of its existence. Yeah, they should definitely add that kind of notification system to the OS - I bet it could be used for other important things like birthday reminders and new OS updates.

Yesterday I updated my mid-2012 MacBook Pro Retina to macOS 10.14.5 from 10.14.3. Finding no show stoppers, I then updated my wife's 2017 MacBook Pro 15-inch Touch Bar.

I quickly got an earful about passwords not autofilling in Safari. After digging around on Apple's user community, I ran into several references to autofilling passwords and Touch ID. Touch ID is not enabled on her machine, so I ignored them. Finally, I looked at the Touch ID System Preference and found "Autofill Passwords" checked. Unchecking that and giving her password fixed the problem.

Thanks Apple, for defaulting preferences.

Apple has released a number of security updates today:
Apple said:
Apple security updates
Update | Available for | Release date
iOS 12.4 | iPhone 5s and later, iPad Air and later, and iPod touch 6th generation | 22 Jul 2019
iOS 10.3.4 (this update has no published CVE entries) | iPhone 5, iPad (4th generation) Wi-Fi + Cellular | 22 Jul 2019
iOS 9.3.6 (this update has no published CVE entries) | iPhone 4s, iPad mini (1st generation) Wi-Fi + Cellular, iPad 2 Wi-Fi + Cellular, iPad (3rd generation) Wi-Fi + Cellular | 22 Jul 2019
tvOS 12.4 | Apple TV 4K and Apple TV HD | 22 Jul 2019
Apple TV Software 7.3.1 (this update has no published CVE entries) | Apple TV (3rd generation) | 22 Jul 2019
Safari 12.1.2 | macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.6 | 22 Jul 2019
macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra | macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.5 | 22 Jul 2019
watchOS 5.3 | Apple Watch Series 1 and later | 22 Jul 2019

Ric Ford

Apple has released a number of security updates today...
I just installed the macOS Sierra updates (including Safari), and the MacBook Pro rebooted with Bluetooth disabled, which was quite disconcerting, as it said Bluetooth was "unavailable." I used the laptop keyboard and trackpad to restart, and Bluetooth began working again.

Additionally, Gatekeeper was not updated, nor up-to-date, but I'm running SilentKnight now, hoping to correct that. (It seems that you have to quit and restart SilentKnight to get the latest status after having it update Apple's software/data.)

Apple has released a number of security updates today:
Interesting that iOS is shown as updated for the iPad Mini (1st Gen) from 9.3.5 to 9.3.6 but the iPod Touch 5th Gen is not included in that same upgrade. Both are (were?) limited to iOS 9.3.5. I checked both my iPod and my iPad Mini and it didn't show 9.3.6 as an available upgrade for either. I wonder if they have not been actually released yet.

Interesting that iOS is shown as updated for the iPad Mini (1st Gen) from 9.3.5 to 9.3.6 but the iPod Touch 5th Gen is not included in that same upgrade. Both are (were?) limited to iOS 9.3.5. I checked both my iPod and my iPad Mini and it didn't show 9.3.6 as an available upgrade for either. I wonder if they have not been actually released yet.
I think the update was due to models that have the cellular data radios.

Indeed. Here is the iOS 9.3.6 installer description:
iOS 9.3.6 addresses an issue that could impact GPS location performance and could cause system date and time to be incorrect. This update is recommended for all users.
Indeed, since neither my iPod nor the iPad Mini has true GPS (no cellular), that would explain why the update is not offered for either device.

Ric Ford

The Mojave update failed badly on a 2018 MacBook Pro for me, eventually going into Boot Recovery, but I finally got it restarted with Command-R and am now reinstalling Mojave.

Several factors may have contributed, or it may just be buggy — I can't really tell at this point. It would be smart to do a backup prior to attempting the update. The MacBook Pro version was 3.1 GB, while the iMac version was about 2.8 GB.

