
Apple security and privacy

Apple, Security

Any data in your home should be encrypted... before it leaves. Doesn’t matter if its final destination is the cloud, a USB stick, or a hard drive. Just encrypt it by default. Apple makes this easy via FileVault (plus there are third-party programs, too). But, it has to be encrypted before you upload it. Then no one can scan it, whether they break into your home or into your cloud account.

Yes, this approach may not be as convenient as storing the data in easily browsed formats, but I see it as good hygiene. Some people don’t like the feel of seat belts either and argue for beltless driving... and yet even though the probability of an accident is quite low, most of us still see the benefit of always using our seat belts!

Similarly, encryption should not be seen as some sort of tool to make life difficult for law enforcement, as some in that community have tried to portray it. For the vast majority of users, encryption provides security from the small minority of miscreants that would like to do them harm.

Encryption is not about preventing Apple from scanning for nasty stuff. It’s about preventing social engineering hacks into your iCloud account from yielding something useful (see the celebrity hacks a few years ago).

Yeah, I would like to use iCloud to back up my phone in real time, but so far it doesn’t look like Apple offers a secure way for me to store my iPhone data there with the tools that Apple provides. That’s likely the fig leaf that Apple is throwing to three letter, law enforcement, and other agencies.... and so I risk some data loss if my phone goes missing.

Plus, Apple's pricing on iCloud storage in the past was pretty outrageous and only made sense for folks with no backup strategy.

Ric Ford

"End-to-end encryption" changes things a lot, but iCloud doesn't offer that, nor does Dropbox, but and Cryptomator do, for example, as does ProtonMail.
Yeah, I would like to use iCloud to back up my phone in real time, but so far it doesn’t look like Apple offers a secure way for me to store my iPhone data there with the tools that Apple provides.
And here's a new report on Apple's refusal, despite all its privacy marketing, to provide end-to-end encryption:
Reuters said:
Apple dropped plan for encrypting backups after FBI complained
Apple Inc. dropped plans to let iPhone users fully encrypt backups of their devices in the company’s iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters.


On the other hand, another big story yesterday was the revelation that the Manhattan D.A. is operating a "$10 Million lab" dedicated to cracking iPhones (and presumably other smartphones as well).

Reading about this incredible (and possibly illegal) overreach by law enforcement and - especially - the off-base statements of Manhattan D.A. Cyrus Vance, one comes away with the impression that Apple is still firmly on the side of reason and privacy.

Google Researchers said:
Information Leaks via Safari’s Intelligent Tracking Prevention
by: Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, Roberto Clapis

Intelligent Tracking Prevention (ITP) is a privacy mechanism implemented by Apple’s Safari browser, released in October 2017[1]. ITP aims to reduce the cross-site tracking of web users by limiting the capabilities of cookies and other website data[2].

As part of a routine security review, the Information Security Engineering team at Google has identified multiple security and privacy issues in Safari’s ITP design. These issues have a number of unexpected consequences, including the disclosure of the user’s web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks[3] (including cross-site search[4]).

This report is a modestly expanded version of our original vulnerability submission to Apple (WebKit bug #201319[5]), providing additional context and edited for clarity. A number of the issues discussed here have been addressed in Safari 13.0.4 and iOS 13.3, released in December 2019[6].

Ric Ford

Howard Oakley explores the intricacies involved in Apple's "app first run" security mechanisms (quarantine, translocation, Gatekeeper, XProtect, notarization, and more).
Eclectic Light Co. said:
What could possibly go wrong on an app first run?
In yesterday’s article, I discussed problems which can arise when first running an app downloaded from the Internet, or delivered via AirDrop, which became translocated and then locked out during its first run. Although the process of app translocation was introduced in macOS 10.12 Sierra, it continues to trip users up, and in combination with the more complex Gatekeeper checks in Catalina, may leave you baffled as to why an app won’t complete its first run successfully. This article steps through the processes involved, and explains how you can deal with problems arising in them.

Ric Ford

A new vulnerability has been identified in the Sudo (Superuser do) command-line program in macOS, Linux and other operating systems. Apple patched the vulnerability for macOS 10.13 and later, but not for macOS 10.12 and earlier. Exploiting the vulnerability requires a non-default mode setting in macOS, but the dangerous mode is the default in some other systems.
The Hacker News said:
Sudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root
Joe Vennix of Apple security has found another significant vulnerability in sudo utility that under a specific configuration could allow low privileged users or malicious programs to execute arbitrary commands with administrative ('root') privileges on Linux or macOS systems.

... According to Vennix, the flaw can only be exploited when the "pwfeedback" option is enabled in the sudoers configuration file, a feature that provides visual feedback, an asterisk (*), when a user inputs password in the terminal.

To be noted, the pwfeedback feature is not enabled by default in the upstream version of sudo or many other packages. However, some Linux distributions, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.

... To determine if your sudoers configuration is affected, you can run sudo -l command on your Linux or macOS terminal to find whether the "pwfeedback" option is enabled and listed in the "Matching Defaults entries" output.

... Joe Vennix last year reported a similar impact vulnerability in Sudo that could have been exploited by an attacker to run commands as root just by specifying the user ID "-1" or "4294967295."
Apple said:
About the security content of macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.2
Impact: Certain configurations may allow a local attacker to execute arbitrary code
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2019-18634: Apple
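
The article says the overflow is only reachable when "pwfeedback" is in the sudoers Defaults, and that `sudo -l` shows it under "Matching Defaults entries". The script below is an added example (not from the article, Apple, or the sudo project) that automates that check and adds a version test. The version 1.8.31 used as the fixed release comes from the sudo project's own advisory for CVE-2019-18634, not from this page; the sample `sudo -l` outputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: is this host exposed to the sudo pwfeedback bug (CVE-2019-18634)?
# Usage: sh sudo-pwfeedback-check.sh --live   (no argument: run on the samples)

# has_pwfeedback TEXT: succeed (exit 0) if the "Matching Defaults entries"
# section of TEXT (the output of `sudo -l`) lists pwfeedback as enabled.
# A negated entry such as "!pwfeedback" does not count.
has_pwfeedback() {
    printf '%s\n' "$1" | awk '
        /^Matching Defaults entries/ { in_defaults = 1; next }
        /^User .* may run/           { in_defaults = 0 }
        in_defaults && /(^|[[:space:],])pwfeedback([[:space:],]|$)/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# parse_sudo_version TEXT: print the version from the first line of `sudo -V`
# ("Sudo version 1.8.31p1" -> "1.8.31p1").
parse_sudo_version() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# version_lt A B: succeed if dotted version A sorts before B (1.8.30 < 1.8.31).
# Patch suffixes like "31p1" compare by their leading number.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Upstream sudo removed the bug in 1.8.31 (sudo project advisory, not this page).
# Vendors sometimes backport a fix without changing the version string, so the
# version test is only a hint; the pwfeedback test is what decides exposure.
FIXED_VERSION=1.8.31

# Constructed sample outputs in the shape of `sudo -l` (not from a real host).
SAMPLE_VULNERABLE='Matching Defaults entries for alice on host:
    env_reset, pwfeedback, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User alice may run the following commands on host:
    (ALL : ALL) ALL'

SAMPLE_SAFE='Matching Defaults entries for alice on host:
    env_reset, !pwfeedback, mail_badpass, secure_path=/usr/bin

User alice may run the following commands on host:
    (ALL : ALL) ALL'

# check_host: run the live checks. `sudo -n -l` never prompts; it fails unless
# a credential is cached or a NOPASSWD entry applies, and we say so.
check_host() {
    if out=$(sudo -n -l 2>/dev/null); then
        if has_pwfeedback "$out"; then
            echo "pwfeedback is ENABLED: remove it from sudoers with visudo"
        else
            echo "pwfeedback is not enabled: the overflow is not reachable here"
        fi
    else
        echo "could not run sudo -l non-interactively; run 'sudo -l' yourself and look for pwfeedback"
    fi
    v=$(parse_sudo_version "$(sudo -V 2>/dev/null)")
    if [ -n "$v" ] && version_lt "$v" "$FIXED_VERSION"; then
        echo "sudo $v is older than $FIXED_VERSION: confirm your vendor shipped a backported fix"
    else
        echo "sudo ${v:-version unknown}"
    fi
}

case "${1:-}" in
    --live) check_host ;;
    *) has_pwfeedback "$SAMPLE_VULNERABLE" && echo "sample 1: pwfeedback enabled"
       has_pwfeedback "$SAMPLE_SAFE" || echo "sample 2: pwfeedback not enabled" ;;
esac
```

On a Mac the decisive line is the pwfeedback one: the article notes the option is off by default there, so a hit means someone edited sudoers. On distributions that ship it on (the article names Linux Mint and Elementary OS), the fix is either the patched package or removing the option with visudo.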


Ric Ford

Howard Oakley talks about today's security changes for macOS Catalina:
Eclectic Light Co. said:
Hardening and notarization finally arrive in Catalina
From today, 3 February, Catalina 10.15.3 finally reaches what Apple had intended to be its launch point: all newly-built apps and command tools for Catalina are now required to be both hardened and properly notarized. This doesn’t mean that you can’t run apps or tools which aren’t, indeed you can still run completely unsigned apps if you wish. But if an app has been signed from today onwards and you expect it to pass Gatekeeper’s full first run checks, hardening and full notarization are no longer optional.

... Over the coming weeks and months, we should finally start to see whether all this effort has been worth it, and does change the threat landscape in our favour.
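
Both Eclectic Light Co. pieces above (the first-run walk-through with quarantine, translocation and Gatekeeper; the hardening and notarization requirement) come down to state you can read off an app bundle. The script below is an added example, not code from those articles or from Apple, that collects it. The macOS tools it calls (xattr, codesign, spctl) only exist on a Mac, so the parsing is kept in functions that take the tool output as text. Assumed output formats: the quarantine attribute as "flags;hex-unix-time;agent;uuid", `codesign -dvvv` printing a "flags=0x...(runtime)" line when the hardened runtime is on, and `spctl -a -vv` printing "source=Notarized Developer ID" for a notarized app. All samples are constructed.

```shell
#!/bin/sh
# Added example: what does macOS know about this app before its first run?
# Usage: sh app-firstrun.sh --app /Applications/Example.app   (no argument: samples)

# parse_quarantine VALUE: decode a com.apple.quarantine attribute value
# ("0083;5e3c6a9f;Safari;<uuid>") into flags, download time and the agent
# that set it. The hex timestamp is converted to decimal Unix seconds.
parse_quarantine() {
    set -f; oldifs=$IFS; IFS=';'; set -- $1; IFS=$oldifs; set +f
    printf 'flags=%s downloaded_epoch=%d agent=%s\n' "$1" "0x$2" "$3"
}

# is_hardened TEXT: succeed if codesign's CodeDirectory flags include "runtime".
is_hardened() {
    printf '%s\n' "$1" | grep -q 'flags=0x[0-9a-fA-F]*([^)]*runtime'
}

# is_notarized TEXT: succeed if spctl attributes the app to a notarized Developer ID.
is_notarized() {
    printf '%s\n' "$1" | grep -q '^source=Notarized Developer ID'
}

# is_translocated PATH: succeed if PATH lies under an AppTranslocation mount,
# i.e. the app is running from the read-only copy Gatekeeper made of it.
is_translocated() {
    case "$1" in */AppTranslocation/*) return 0 ;; *) return 1 ;; esac
}

# Constructed samples in the shape of the tools' output (not real files).
SAMPLE_QUARANTINE='0083;5e3c6a9f;Safari;0E8A5F5A-6C5B-4C2C-9A3C-000000000000'
SAMPLE_CODESIGN_HARDENED='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded'
SAMPLE_CODESIGN_PLAIN='CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded'
SAMPLE_SPCTL_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_SPCTL_PLAIN='/Applications/Example.app: rejected
source=no usable signature'

# inspect_app PATH: run the live checks on a Mac.
inspect_app() {
    app=$1
    if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
        echo "quarantined: $(parse_quarantine "$q")  (first run: Gatekeeper will assess it)"
    else
        echo "no quarantine attribute: the first-run assessment will not trigger"
    fi
    is_translocated "$app" && echo "path is translocated: move the app out of its download folder to stop that"
    if is_hardened "$(codesign -dvvv "$app" 2>&1)"; then echo "hardened runtime: yes"; else echo "hardened runtime: NO"; fi
    verdict=$(spctl -a -vv -t exec "$app" 2>&1)
    if is_notarized "$verdict"; then echo "notarized: yes"; else echo "notarized: NO ($(printf '%s' "$verdict" | head -n 2 | tr '\n' ' '))"; fi
}

case "${1:-}" in
    --app) inspect_app "$2" ;;
    *) parse_quarantine "$SAMPLE_QUARANTINE" ;;
esac
```

The quarantine line is the one that explains most "why won't it run" reports: no attribute means no first-run assessment at all, and an AppTranslocation path means the app is executing from a temporary read-only copy, which is the lock-out Oakley describes. Removing the attribute by hand (`xattr -d com.apple.quarantine`) bypasses the assessment, so reserve it for apps you have verified.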

Ric Ford

Apple has pushed out new versions of its invisible anti-malware files, XProtect and MRT. (The updates are installed on macOS 10.12.6 Sierra, despite Apple having abandoned this macOS for other security updates.)
Eclectic Light Co. said:
Apple has pushed updates to XProtect and MRT
Apple has pushed two updates today, to the data files used by XProtect, bringing its version number to 2113, dated 5 February 2020, and to its malware removal tool MRT, bringing it to version 1.54, also dated 5 February 2020.

Apple doesn’t release information about what these updates add or change, and now obfuscates the identities of malware detected by XProtect using internal code names. Examination of the XProtect data files shows only minor amendments, with the naming of five signatures which were already in the Yara file. No new detection signatures appear to have been added at all.

Apple has pushed out new versions of its invisible anti-malware files, XProtect and MRT. (The updates are installed on macOS 10.12.6 Sierra, despite Apple having abandoned this macOS for other security updates.)
Thanks for the heads-up! Running macOS 10.12.6 here. Used the SilentKnight app to get the updates and the following info:
Finding available software
Software Update found the following new or updated software:
* MRTConfigData_10_14-1.54
MRTConfigData (1.54), 4100K [recommended]
* XProtectPlistConfigData_10_14-2113
XProtectPlistConfigData (2113), 68K [recommended]
Downloaded XProtectPlistConfigData
Downloaded MRTConfigData
Installing MRTConfigData, XProtectPlistConfigData
Done with MRTConfigData
Done with XProtectPlistConfigData
Everything is working so far.
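
For anyone who would rather check the XProtect and MRT versions by hand than through SilentKnight, here is an added example (not from Eclectic Light Co., SilentKnight or Apple) that reads the installed versions and lists the rule names in XProtect's Yara file, the same data Oakley inspects. File locations are assumptions from the macOS layout: Catalina keeps the bundles under /Library/Apple/System/Library/CoreServices, earlier releases under /System/Library/CoreServices; both hold the version in CFBundleShortVersionString of Contents/Info.plist, and the signatures in XProtect.bundle/Contents/Resources/XProtect.yara. The plist and Yara samples are constructed, not Apple's files.

```shell
#!/bin/sh
# Added example: installed XProtect/MRT versions and XProtect Yara rule names.
# Usage: sh xprotect-versions.sh --live   (no argument: run on the samples)

# plist_string KEY TEXT: print the <string> that follows <key>KEY</key> in an
# XML plist. Apple ships binary plists; plutil converts them to XML below.
plist_string() {
    printf '%s\n' "$2" | awk -v key="$1" '
        $0 ~ "<key>" key "</key>" { want = 1; next }
        want && match($0, /<string>[^<]*<\/string>/) {
            print substr($0, RSTART + 8, RLENGTH - 17); exit
        }
        want { want = 0 }'
}

# yara_rule_names TEXT: print the name of every plain "rule NAME" in a Yara
# file, one per line, in file order. Rules with modifiers such as "private
# rule" are helper rules and are skipped.
yara_rule_names() {
    printf '%s\n' "$1" | sed -n 's/^rule[[:space:]][[:space:]]*\([A-Za-z0-9_]*\).*/\1/p'
}

# Constructed samples (not the real Apple files).
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>CFBundleIdentifier</key>
	<string>com.apple.XProtect</string>
	<key>CFBundleShortVersionString</key>
	<string>2113</string>
</dict>
</plist>'
SAMPLE_YARA='private rule Macho
{
    condition: uint32(0) == 0xfeedface
}
rule XProtect_ExampleOne
{
    strings: $a = "constructed sample"
    condition: Macho and $a
}
rule XProtect_ExampleTwo { condition: false }'

# report: print what is installed on this Mac, trying the Catalina path first.
report() {
    for base in /Library/Apple/System/Library/CoreServices /System/Library/CoreServices; do
        xp="$base/XProtect.bundle/Contents"
        mrt="$base/MRT.app/Contents"
        [ -f "$xp/Info.plist" ] || continue
        echo "XProtect $(plist_string CFBundleShortVersionString "$(plutil -convert xml1 -o - "$xp/Info.plist")")"
        [ -f "$mrt/Info.plist" ] && echo "MRT $(plist_string CFBundleShortVersionString "$(plutil -convert xml1 -o - "$mrt/Info.plist")")"
        echo "$(yara_rule_names "$(cat "$xp/Resources/XProtect.yara")" | wc -l | tr -d ' ') Yara rules in $xp/Resources/XProtect.yara"
        return 0
    done
    echo "no XProtect bundle found at the assumed paths"
    return 1
}

case "${1:-}" in
    --live) report ;;
    *) echo "sample XProtect version: $(plist_string CFBundleShortVersionString "$SAMPLE_PLIST")"
       yara_rule_names "$SAMPLE_YARA" ;;
esac
```

Compare the printed numbers with the ones in the post above (2113 and 1.54 on 5 February 2020); if yours are lower and `softwareupdate -l` shows nothing pending, the background update has not run yet. Saving the rule-name list before and after an update is the quickest way to see whether a new version actually added detections or, as Oakley found here, only renamed existing ones.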
