
Apple security and privacy

Channels
Apple, Security
It strikes me as more than a little... ironic?... to have Apple and Facebook telling us what we "want" for privacy....
It was one of the reasons I felt it worthwhile to post here. Looks like it will be live streamed. There should at least be some commentary of the event afterwards.
 


Ric Ford

MacInTouch
Apple has issued new updates to its invisible anti-malware mechanisms:
Eclectic Light Co. said:
Apple has pushed updates to XProtect and MRT
Apple has pushed two updates today, to the data files used by XProtect, bringing its version number to 2111, dated 7 January 2020, and to its malware removal tool MRT, bringing it to version 1.52, also dated 7 January 2020.

... A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan, Sierra, High Sierra, Mojave and Catalina, available from their product page.
 


Ric Ford

MacInTouch
It seems that your iPhone can get Apple Pay charges without you even knowing it...
New York Post said:
Apple Pay glitch saddles NYC straphangers with accidental charges
Dozens of straphangers have been slugged with bogus charges by the MTA’s new fare readers — simply by walking past them.

The OMNY tap-and-go fare readers have been taking a $2.75 charge from people who have enabled a passcode-skipping Apple Pay service — which allows straphangers to enter the subway with a swipe of their iPhone at the turnstile — even while trying to use a regular MetroCard.

#applepay
 



Ric Ford

MacInTouch
An Ars Technica article describes the implications of "Checkra1n", a major new iOS "jailbreak":
And now you can get it on Windows, too, as Ra1nUSB.
ValueWalk said:
Ra1nUSB is Checkra1n alternative for Windows: How to use it - ValueWalk
Checkra1n is one of the best jailbreaks that we have seen so far. It is easy to use, supports the latest OS and is almost unpatchable. However, it suffers from one major drawback – it still does not support Windows. So, those who don’t have a Mac can’t use the Checkra1n jailbreak. However, there is one Checkra1n alternative for Windows that can be used, called Ra1nUSB.

Ra1nUSB can jailbreak iOS 12.3 through iOS 13.3 and works on both Intel and AMD-based systems. Moreover, it supports all iPhones from iPhone 5S through iPhone X. Before we detail the steps to use this Checkra1n alternative for Windows to jailbreak your iPhone, let’s go over the things that you will need first.

#jailbreak #applesecurity #iphones #Ra1nUSB #Checkra1n
 


Ric Ford

MacInTouch
... There's no doubt that dedicated AI chip features are coming to all our devices. Users may get some benefits, but I do have to wonder if they won't mostly end up being used as Apple does, to gather data about you and your use of the device, process it on the device, then phone the highly processed shorthand version home?
Certainly not to condone, in any way, horrible, illegal abuses, but it's clear now that Apple is scanning everyone's images in iCloud using AI...
Ubergizmo said:
Apple Is Now Scanning Uploaded iCloud Photos To Check For Child Abuse
... It is unclear if other companies perform similar scans to photos uploaded to their cloud, but this is something that Apple themselves have announced. While this is no doubt a good thing, it does highlight how items stored in the cloud might not be as private as you might think.

#applesecurity #appleprivacy
 


Ric Ford

MacInTouch
Meanwhile, here's the flip side of Apple security/privacy, symbolized by FBI demands and companies selling iPhone cracking technology to governments etc.
Forbes said:
U.S. Launches Fresh Assault On Apple’s ‘Warrant-Proof Encryption’
The U.S. government has launched fresh attempts to try to stop Apple and other tech companies locking up user data with encryption.

On Monday, NBC reported that the FBI had written a letter to Apple, asking it to help unlock two iPhones belonging to the Saudi aviation student Mohammed Saeed Alshamrani, who is alleged to have killed three people at a Naval Air Station in Pensacola, Florida, before being shot and killed by police in December. It risks reviving a battle with Apple that started with the case of a terrorist shooting in San Bernardino in 2015. Apple declined to help the government unlock the iPhone of the shooter in that case, leading to a protracted legal battle that ended when an unknown third party managed to retrieve information from the device.
 


Ubergizmo said:
Apple Is Now Scanning Uploaded iCloud Photos To Check For Child Abuse
...it does highlight how items stored in the cloud might not be as private as you might think.
Anyone who thinks anything stored in any cloud is (somehow?) "private" is living in a dreamworld. We have accepted the trade-off between privacy and convenience. Sometimes I tell myself that, at least, there's so much more interesting and useful data in the cloud than my own... that I needn't worry much about privacy.

I think I'm more worried about "security" of my data than about its privacy. But the NYT recently published a very interesting and revealing series called "The Privacy Project."
 



Any data in your home should be encrypted... before it leaves. Doesn’t matter if its final destination is the cloud, a USB stick, or a hard drive. Just encrypt it by default. Apple makes this easy via FileVault (plus there are third-party programs, too). But, it has to be encrypted before you upload it. Then no one can scan it, whether they break into your home or into your cloud account.

Yes, this approach may not be as convenient as storing the data in easily browsed formats, but I see it as good hygiene. Some people don’t like the feel of seat belts either and argue for beltless driving... and yet even though the probability of an accident is quite low, most of us still see the benefit of always using our seat belts!

Similarly, encryption should not be seen as some sort of tool to make life difficult for law enforcement, as some in that community have tried to portray it. For the vast majority of users, encryption provides security from the small minority of miscreants that would like to do them harm.

Encryption is not about preventing Apple from scanning for nasty stuff. It’s about preventing social engineering hacks into your iCloud account from yielding something useful (see the celebrity hacks a few years ago).

Yeah, I would like to use iCloud to back up my phone in real time, but so far it doesn’t look like Apple offers a secure way for me to store my iPhone data there with the tools that Apple provides. That’s likely the fig leaf that Apple is throwing to three letter, law enforcement, and other agencies.... and so I risk some data loss if my phone goes missing.

Plus, Apple's pricing on iCloud storage in the past was pretty outrageous and only made sense for folks with no backup strategy.
 


Ric Ford

MacInTouch
"End-to-end encryption" changes things a lot, but iCloud doesn't offer that, nor does Dropbox, but Sync.com and Cryptomator do, for example, as does ProtonMail.
Yeah, I would like to use iCloud to back up my phone in real time, but so far it doesn’t look like Apple offers a secure way for me to store my iPhone data there with the tools that Apple provides.
And here's a new report on Apple's refusal, despite all its privacy marketing, to provide end-to-end encryption:
Reuters said:
Apple dropped plan for encrypting backups after FBI complained
Apple Inc. dropped plans to let iPhone users fully encrypt backups of their devices in the company’s iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters.
 


DFG

On the other hand, another big story yesterday was the revelation that the Manhattan D.A. is operating a "$10 Million lab" dedicated to cracking iPhones (and presumably other smartphones as well).

Reading about this incredible (and possibly illegal) overreach by law enforcement and - especially - the off-base statements of Manhattan D.A. Cyrus Vance, one comes away with the impression that Apple is still firmly on the side of reason and privacy.
 


FYI:
Google Researchers said:
Information Leaks via Safari’s Intelligent Tracking Prevention
by: Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, Roberto Clapis

ABSTRACT
Intelligent Tracking Prevention (ITP) is a privacy mechanism implemented by Apple’s Safari browser, released in October 2017[1]. ITP aims to reduce the cross-site tracking of web users by limiting the capabilities of cookies and other website data[2].

As part of a routine security review, the Information Security Engineering team at Google has identified multiple security and privacy issues in Safari’s ITP design. These issues have a number of unexpected consequences, including the disclosure of the user’s web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks[3] (including cross-site search[4]).

This report is a modestly expanded version of our original vulnerability submission to Apple (WebKit bug #201319[5]), providing additional context and edited for clarity. A number of the issues discussed here have been addressed in Safari 13.0.4 and iOS 13.3, released in December 2019[6].
 


Ric Ford

MacInTouch
Howard Oakley explores the intricacies involved in Apple's "app first run" security mechanisms (quarantine, translocation, Gatekeeper, XProtect, notarization, and more).
Eclectic Light Co. said:
What could possibly go wrong on an app first run?
In yesterday’s article, I discussed problems which can arise when first running an app downloaded from the Internet, or delivered via AirDrop, which became translocated and then locked out during its first run. Although the process of app translocation was introduced in macOS 10.12 Sierra, it continues to trip users up, and in combination with the more complex Gatekeeper checks in Catalina, may leave you baffled as to why an app won’t complete its first run successfully. This article steps through the processes involved, and explains how you can deal with problems arising in them.
 


Ric Ford

MacInTouch
A new vulnerability has been identified in the Sudo (Superuser do) command-line program in macOS, Linux and other operating systems. Apple patched the vulnerability for macOS 10.13 and later, but not for macOS 10.12 and earlier. Exploiting the vulnerability requires a non-default mode setting in macOS, but the dangerous mode is the default in some other systems.
The Hacker News said:
Sudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root
Joe Vennix of Apple security has found another significant vulnerability in sudo utility that under a specific configuration could allow low privileged users or malicious programs to execute arbitrary commands with administrative ('root') privileges on Linux or macOS systems.

... According to Vennix, the flaw can only be exploited when the "pwfeedback" option is enabled in the sudoers configuration file, a feature that provides visual feedback, an asterisk (*), when a user inputs password in the terminal.

To be noted, the pwfeedback feature is not enabled by default in the upstream version of sudo or many other packages. However, some Linux distributions, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.

... To determine if your sudoers configuration is affected, you can run sudo -l command on your Linux or macOS terminal to find whether the "pwfeedback" option is enabled and listed in the "Matching Defaults entries" output.

... Joe Vennix last year reported a similar impact vulnerability in Sudo that could have been exploited by an attacker to run commands as root just by specifying the user ID "-1" or "4294967295."
Apple said:
About the security content of macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra
...
sudo
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.2
Impact: Certain configurations may allow a local attacker to execute arbitrary code
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2019-18634: Apple

#Linux
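The article's advice is to look for "pwfeedback" in the "Matching Defaults entries" block of `sudo -l`. Below is an added example, written for this thread and not taken from The Hacker News, Apple or the sudo project, that automates that check and pairs it with the version range upstream named as affected (1.7.1 through 1.8.30, fixed in 1.8.31). The `sudo -l` samples are constructed for illustration; the parsing and version functions take their input as arguments so the logic can be run on any system without root.

```shell
#!/bin/sh
# Added example (not from The Hacker News, Apple or the sudo project):
# check a host for exposure to the CVE-2019-18634 pwfeedback overflow.
# Two conditions must both hold for the bug to be reachable:
#   1. "pwfeedback" is among the Defaults in effect for the calling user
#      (the "Matching Defaults entries" block printed by `sudo -l`), and
#   2. the sudo binary is in the affected range, 1.7.1 through 1.8.30;
#      upstream fixed it in 1.8.31.
# The parsing and version logic take their input as arguments so they
# can be exercised on the constructed samples below without root.

# Constructed `sudo -l` output for a user on a distribution that ships
# pwfeedback in its default sudoers (the Linux Mint case in the article).
SAMPLE_SUDO_L_EXPOSED='Matching Defaults entries for alice on mint-box:
    env_reset, mail_badpass, pwfeedback,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on mint-box:
    (ALL : ALL) ALL'

# Constructed `sudo -l` output for a stock macOS admin user: no pwfeedback.
SAMPLE_SUDO_L_CLEAN='Matching Defaults entries for bob on mac:
    env_reset, env_keep+=BLOCKSIZE, lecture_file=/etc/sudo_lecture

User bob may run the following commands on mac:
    (ALL) ALL'

# pwfeedback_enabled OUTPUT -> exit 0 if "pwfeedback" is listed in the
# Matching Defaults block, 1 otherwise. Only that block is scanned, so a
# permitted command that happens to be called pwfeedback does not count,
# and an explicit "!pwfeedback" (option turned off) is not a match.
pwfeedback_enabled() {
    printf '%s\n' "$1" | awk '
        /^Matching Defaults entries/ { in_block = 1; next }
        /^[^ \t]/                    { in_block = 0 }   # next unindented line ends the block
        in_block {
            n = split($0, f, /[, \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == "pwfeedback") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# sudo_version_vulnerable VERSION -> exit 0 if VERSION is in 1.7.1..1.8.30,
# 1 if it is 1.8.31 or newer (or predates 1.7.1), 2 if unparseable. A "pN"
# patch suffix, as in 1.8.21p2, is ignored: only the numeric triple counts.
sudo_version_vulnerable() {
    case $1 in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    v=$(printf '%s' "$1" | sed 's/p[0-9]*$//')
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}
    if [ "$pat" = "$rest" ]; then pat=0; fi           # two-component version
    n=$(( maj * 10000 + min * 100 + pat ))
    [ "$n" -ge 10701 ] && [ "$n" -lt 10831 ]
}

# Live check on this host. `sudo -n` never prompts, so it fails cleanly
# when no credential is cached; that is reported rather than guessed.
# Vendors backport fixes without bumping the version string, so the
# version test alone is not conclusive; absence of pwfeedback is.
sudo_cve_2019_18634_check() {
    ver=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p')
    out=$(sudo -nl 2>/dev/null) || { echo "cannot list sudoers for $(id -un) (no cached credential)"; return 2; }
    if pwfeedback_enabled "$out"; then
        if sudo_version_vulnerable "$ver"; then
            echo "EXPOSED: pwfeedback enabled and sudo $ver is in the affected range"; return 1
        fi
        echo "pwfeedback enabled, but sudo $ver reports a version with the fix (confirm the vendor's patch level)"
    else
        echo "not exposed: pwfeedback is not in effect for $(id -un) (sudo $ver)"
    fi
    return 0
}
```

On a live host, call `sudo_cve_2019_18634_check`; a non-zero exit means either exposure or that `sudo -l` could not be read. If pwfeedback shows up and you cannot update sudo, turning the option off in sudoers (via `visudo`) removes the reachable code path regardless of version.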
 


Ric Ford

MacInTouch
Howard Oakley talks about today's security changes for macOS Catalina:
Eclectic Light Co. said:
Hardening and notarization finally arrive in Catalina
From today, 3 February, Catalina 10.15.3 finally reaches what Apple had intended to be its launch point: all newly-built apps and command tools for Catalina are now required to be both hardened and properly notarized. This doesn’t mean that you can’t run apps or tools which aren’t, indeed you can still run completely unsigned apps if you wish. But if an app has been signed from today onwards and you expect it to pass Gatekeeper’s full first run checks, hardening and full notarization are no longer optional.

... Over the coming weeks and months, we should finally start to see whether all this effort has been worth it, and does change the threat landscape in our favour.
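To see whether a given app actually meets the two requirements Oakley describes (hardened runtime plus notarization), you can read Apple's own `codesign` and `spctl` output. The script below is an added example written for this thread, not code from the Eclectic Light article or from Apple; the `codesign -dvv` and `spctl -a -vv -t exec` samples are constructed in the shape those tools print, and the parsers take text arguments so they can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the Eclectic Light article or Apple): check
# whether an app has a hardened runtime and a valid notarization by
# parsing the output of codesign and spctl. The parsers take text
# arguments so they can be exercised on the constructed samples below.

# Constructed `codesign -dvv` output for an app signed with the hardened
# runtime (codesign prints the 0x10000 flag as "(runtime)") and for one
# signed without it.
SAMPLE_CODESIGN_HARDENED='Executable=/Applications/Good.app/Contents/MacOS/Good
Identifier=com.example.good
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

SAMPLE_CODESIGN_PLAIN='Executable=/Applications/Old.app/Contents/MacOS/Old
Identifier=com.example.old
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1000 flags=0x0(none) hashes=20+3 location=embedded'

# Constructed `spctl -a -vv -t exec` output: notarized vs. merely signed.
SAMPLE_SPCTL_NOTARIZED='/Applications/Good.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_SPCTL_UNNOTARIZED='/Applications/Old.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

# hardened_runtime CODESIGN_OUTPUT -> 0 if the CodeDirectory flags include
# "runtime" (possibly alongside others, e.g. library-validation).
hardened_runtime() {
    printf '%s\n' "$1" | grep -q '^CodeDirectory .*flags=0x[0-9a-f]*([^)]*runtime[^)]*)'
}

# notarized SPCTL_OUTPUT -> 0 if Gatekeeper accepted the app and the
# assessment source is the notarization ticket, not plain Developer ID.
notarized() {
    printf '%s\n' "$1" | awk '
        /: accepted$/                    { accepted = 1 }
        /^source=Notarized Developer ID/ { ticket = 1 }
        END { exit(accepted && ticket ? 0 : 1) }'
}

# Live check of an app bundle on a Mac. The quarantine attribute is shown
# too, because only quarantined downloads go through the full first-run
# Gatekeeper path the article discusses.
first_run_check() {
    app=$1
    cs=$(codesign -dvv "$app" 2>&1)
    sp=$(spctl -a -vv -t exec "$app" 2>&1)
    if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then q=set; else q=none; fi
    if hardened_runtime "$cs"; then h=yes; else h=no; fi
    if notarized "$sp"; then n=yes; else n=no; fi
    echo "$app: hardened runtime=$h notarized=$n quarantine=$q"
    [ "$h" = yes ] && [ "$n" = yes ]
}
```

Usage on a Mac: `first_run_check /Applications/SomeApp.app`; a zero exit means both checks pass. An app that is notarized but not hardened was notarized before the requirement was enforced and will not pass as a new submission.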
 


Ric Ford

MacInTouch
Apple has pushed out new versions of its invisible anti-malware files, XProtect and MRT. (The updates are installed on macOS 10.12.6 Sierra, despite Apple having abandoned this macOS for other security updates.)
Eclectic Light Co. said:
Apple has pushed updates to XProtect and MRT
Apple has pushed two updates today, to the data files used by XProtect, bringing its version number to 2113, dated 5 February 2020, and to its malware removal tool MRT, bringing it to version 1.54, also dated 5 February 2020.

Apple doesn’t release information about what these updates add or change, and now obfuscates the identities of malware detected by XProtect using internal code names. Examination of the XProtect data files shows only minor amendments, with the naming of five signatures which were already in the Yara file. No new detection signatures appear to have been added at all.
 


Apple has pushed out new versions of its invisible anti-malware files, XProtect and MRT. (The updates are installed on macOS 10.12.6 Sierra, despite Apple having abandoned this macOS for other security updates.)
Thanks for the heads-up! Running macOS 10.12.6 here. Used the SilentKnight app to get the updates and the following info:
Finding available software
Software Update found the following new or updated software:
* MRTConfigData_10_14-1.54
MRTConfigData (1.54), 4100K [recommended]
* XProtectPlistConfigData_10_14-2113
XProtectPlistConfigData (2113), 68K [recommended]
Downloaded XProtectPlistConfigData
Downloaded MRTConfigData
Installing MRTConfigData, XProtectPlistConfigData
Done with MRTConfigData
Done with XProtectPlistConfigData
Done.
Everything is working so far.
 


Ric Ford

MacInTouch
Apple deployed updates to its invisible anti-malware files, XProtect and MRT, today. Howard Oakley has more details:
Eclectic Light Co. said:
Apple has pushed updates to XProtect and MRT
Apple has pushed two updates today, to the data files used by XProtect, bringing its version number to 2114, dated 20 February 2020, and to its malware removal tool MRT, bringing it to version 1.55, also dated 20 February 2020....
 


I am running Mojave and enrolled in the beta program. I just installed maybe the 5th or more beta security update for macOS 10.14.6.
 


I assume there is no way to manually update XProtect and MRT, like downloading the "latest definitions" and any issuances of updates is OS dependent ... for later versions than, say Sierra.

I am curious as to why the more popular third-party apps, like Malwarebytes, do not post in the Apple App Store....
 


Ric Ford

MacInTouch
There's a "high" (CVSS 7.5) vulnerability involving Curl in OS X versions prior to macOS 10.12 Sierra (and Apple isn't supporting anything prior to macOS 10.13 with security updates).
NIST said:
NVD - cve-2016-4606
Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
 



It's possible from the command line but easier and more informative with SilentKnight.
Thanks. I was sort of thinking, however, if there was a manual workaround trick for security updates for older macOS, like 10.12.6 Sierra. It still appears to me that any security updates are definitively tied to later versions of macOS, either through terminal command, or simply through App Store Software Update.
 


Ric Ford

MacInTouch
The Mac/iPhone clipboard can create a security problem - just think about copying and pasting a critical password or other sensitive data and then having it silently stolen without you realizing it...
ZDNet said:
iPhone and iPad apps can snoop on everything you copy to the clipboard | ZDNet
Did you know that all the apps on your iPhone and iPad can snoop on whatever you copy to the system clipboard (called pasteboard on iOS)? A new security demo by researchers at Mysk shows how this could be used by apps to get detailed information about the user.
Threatpost said:
Apple Takes Heat Over 'Vulnerable' iOS Cut-and-Paste Data
Any cut-and-paste data temporarily stored to an iPhone or iPad’s memory can be accessed by all apps installed on the specific device – even malicious ones. That data can then reveal private information such as a user’s GPS coordinates, passwords, banking data or a spreadsheet copied into an email.
 


Ric Ford

MacInTouch
I was sort of thinking, however, if there was a manual workaround trick for security updates for older macOS, like 10.12.6 Sierra.
No, there isn't. But it's complicated.

You can, for example, have fully up-to-date web browsers with the latest security patches... Firefox, Chrome, iCab, TenFourFox, etc., for older Mac operating systems, but Apple won't even give you Safari security patches for macOS 10.12 or older Mac systems!

But then there's today's example of the Curl vulnerability. Firefox and Chrome aren't going to patch that, and Apple won't patch it for OS X 10.11 or earlier. In this case, you could potentially replace Curl with an up-to-date version yourself, but it's not simple for someone who's not technically adept in related areas (if it's even feasible at all).

Software now is astonishingly and unknowably complex with components so numerous, widely-sourced, and tangled that you have little hope of really controlling any of it or the vulnerabilities and security mechanisms involved... just pray... and follow all the "best practices" you can.
 


Ric Ford

MacInTouch
Apple's stance on privacy in the U.S. seems to be at odds with its practices in China....
Mikey Campbell said:
Apple to again skip US congressional hearing on Chinese influence in tech
... Apple's willingness to kowtow to Chinese officials is often viewed as antithetical to its well-groomed image as a bastion of human rights, data privacy and free speech.

Beyond iCloud, Apple has agreed to pull controversial apps at the direction of China's government. Most recently, the company yanked HKMaps from the Chinese App Store during the recent Hong Kong protests. When pressed on the decision, the company said the app was in violation of Hong Kong law, a dubious claim considering the title's core functionality did not contravene local regulations, nor did it break rules laid out in Apple's own App Store Guidelines.

The company has a long history of removing apps in compliance with Chinese government requests. In 2017, it pulled The New York Times app and multiple VPN apps for supposed violations, while the Quartz app was likewise removed after it provided extensive coverage of the Hong Kong protests in October.
 


I assume there is no way to manually update XProtect and MRT, like downloading the "latest definitions" and any issuances of updates is OS dependent ... for later versions than, say Sierra.
Just to be clear, XProtect and MRT updates are still provided to OS X El Capitan [10.11] and above (although there appear to be some enhancements to the Catalina versions). They are normally updated automatically if you have enabled that in System Preferences and can be manually updated with a terminal command or SilentKnight.

The macOS Security Updates that you mentioned later are usually provided for the current and previous two versions of macOS and there is no alternate way to obtain them for other versions.
I am curious as to why the more popular third-party apps, like Malwarebytes, do not post in the Apple App Store....
Apple rules covering App Store applications preclude them from being able to adequately identify and then quarantine or remove such infections. That's why all the effective anti-malware software must be distributed outside the App Store.
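The "terminal command" route mentioned above, and the SilentKnight log posted earlier in the thread, both come down to Apple's `softwareupdate` tool listing XProtectPlistConfigData and MRTConfigData by label. The script below is an added example written for this thread (not from MacInTouch, SilentKnight or Apple) that compares the installed data-file versions with what is offered and installs by label only when the offer is newer. The listing samples are constructed in the two shapes `softwareupdate -l` prints (pre-Catalina and Catalina); the bundle paths under /Library/Apple and /System are where those systems keep XProtect and MRT, and are the assumption to adjust if yours differ.

```shell
#!/bin/sh
# Added example (not from MacInTouch, SilentKnight or Apple): compare the
# XProtect and MRT data-file versions installed on a Mac with what
# `softwareupdate` currently offers, and install by label when newer.
# Parsing and comparison take their input as arguments so they can be
# exercised on the constructed samples below without a Mac.

# Constructed `softwareupdate -l` listing in the pre-Catalina shape seen in
# the SilentKnight log earlier in this thread (label line, then description).
SAMPLE_LISTING='Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * MRTConfigData_10_14-1.54
        MRTConfigData (1.54), 4100K [recommended]
   * XProtectPlistConfigData_10_14-2113
        XProtectPlistConfigData (2113), 68K [recommended]'

# Catalina prints the same information as "* Label: <label>" lines.
SAMPLE_LISTING_CATALINA='Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: XProtectPlistConfigData_10_15-2113
    Title: XProtectPlistConfigData, Version: 2113, Size: 68K, Recommended: YES,'

# offered_label LISTING PRODUCT -> prints the full update label for
# PRODUCT (e.g. XProtectPlistConfigData_10_14-2113) in either listing
# format, or nothing if the product is not on offer.
offered_label() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "*" {
            lbl = ($2 == "Label:") ? $3 : $2
            if (index(lbl, p "_") == 1) { print lbl; exit }
        }'
}

# offered_version LABEL -> the version after the last "-" in the label.
offered_version() { printf '%s\n' "${1##*-}"; }

# installed_version INFO_PLIST_PATH -> CFBundleShortVersionString of the
# installed bundle (empty if absent). Path is passed in without ".plist".
installed_version() { defaults read "$1" CFBundleShortVersionString 2>/dev/null; }

# needs_update INSTALLED OFFERED -> 0 when OFFERED is newer. Both are dotted
# integers ("1.54", "2113") compared field by field, so 1.10 > 1.9.
needs_update() {
    i=$1; o=$2
    while [ -n "$i" ] || [ -n "$o" ]; do
        ih=${i%%.*}; oh=${o%%.*}
        : "${ih:=0}" "${oh:=0}"
        if [ "$oh" -gt "$ih" ]; then return 0; fi
        if [ "$oh" -lt "$ih" ]; then return 1; fi
        if [ "$i" = "$ih" ]; then i=''; else i=${i#*.}; fi
        if [ "$o" = "$oh" ]; then o=''; else o=${o#*.}; fi
    done
    return 1
}

# Live run on a Mac. Bundle locations are the Catalina ones (assumed),
# falling back to the pre-Catalina /System paths.
xprotect_mrt_update() {
    listing=$(softwareupdate -l 2>&1)
    for product in XProtectPlistConfigData MRTConfigData; do
        case $product in
            XProtectPlistConfigData) bundle=XProtect.bundle ;;
            MRTConfigData)           bundle=MRT.app ;;
        esac
        plist=/Library/Apple/System/Library/CoreServices/$bundle/Contents/Info
        [ -e "$plist.plist" ] || plist=/System/Library/CoreServices/$bundle/Contents/Info
        label=$(offered_label "$listing" "$product")
        if [ -z "$label" ]; then echo "$product: nothing offered"; continue; fi
        have=$(installed_version "$plist"); want=$(offered_version "$label")
        if needs_update "${have:-0}" "$want"; then
            echo "$product: ${have:-none} -> $want, installing $label"
            sudo softwareupdate -i "$label"
        else
            echo "$product: $have is already current ($want offered)"
        fi
    done
}
```

Run `xprotect_mrt_update` from an admin account; `softwareupdate -i` needs root, hence the `sudo`. Because the comparison is against the installed bundle's version rather than against "whatever is listed", re-running it is idempotent and it will not reinstall a data file that is already current.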
 

