
Apple security and privacy

Just to be clear, XProtect and MRT updates are still provided to OS X El Capitan [10.11] and above (although there appear to be some enhancements to the Catalina versions). They are normally updated automatically if you have enabled that in System Preferences and can be manually updated with a terminal command or SilentKnight.
Just FYI, while GateKeeper updates are still available for Yosemite (10.10), there's no XProtect update available for Yosemite anymore (it's simply no longer part of the update catalog - not even an old/outdated version!).

So your old machine/setup might just be stuck to the last update it has received (whatever version this is at) and then can't update from that anymore. If you're lucky, it's stuck with 2103 (the last version that was available). If you're unlucky, you're stuck with 2099 or <insert-some-random-number-that-is-smaller-than-2103>.

As a workaround, one can fetch the El Capitan (10.11) update catalog manually and extract the direct download link to a more recent (latest?) XProtect update. The downloaded pkg will install fine on Yosemite, too. I'm not 100% sure it works properly, but it can't be worse than being stuck with an outdated version, I guess. A virus test file is still properly triggered at least.

Just a heads-up for people with unsupported versions of OS X. It probably also applies to earlier versions?
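
The catalog-parsing step of the workaround described in the post above, as an added example that is not part of the original thread. It assumes the update catalog is a plist with a "Products" dictionary whose entries carry "PostDate" and a "Packages" list with "URL" keys, and that XProtect packages can be recognised by "XProtect" in the file name; the sample catalog, product IDs and URLs are constructed.

```python
import plistlib
from datetime import datetime

# Constructed sample shaped like a software-update catalog plist.
# Product IDs, dates and URLs are made up; example.invalid is a placeholder host.
SAMPLE_CATALOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Products</key><dict>
  <key>000-0001</key><dict>
    <key>PostDate</key><date>2019-10-01T17:00:00Z</date>
    <key>Packages</key><array><dict>
      <key>URL</key><string>https://example.invalid/a/XProtectPlistConfigData.pkg</string>
    </dict></array>
  </dict>
  <key>000-0002</key><dict>
    <key>PostDate</key><date>2020-03-05T17:00:00Z</date>
    <key>Packages</key><array><dict>
      <key>URL</key><string>https://example.invalid/b/XProtectPlistConfigData.pkg</string>
    </dict></array>
  </dict>
  <key>000-0003</key><dict>
    <key>PostDate</key><date>2020-03-06T17:00:00Z</date>
    <key>Packages</key><array><dict>
      <key>URL</key><string>https://example.invalid/c/GatekeeperConfigData.pkg</string>
    </dict></array>
  </dict>
  <key>000-0004</key><dict>
    <key>PostDate</key><date>2020-03-07T17:00:00Z</date>
    <key>Packages</key><array><dict>
      <key>URL</key><string>http://example.invalid/d/XProtectPlistConfigData.pkg</string>
    </dict></array>
  </dict>
</dict>
</dict></plist>"""


def xprotect_packages(catalog_bytes, name_hint="XProtect"):
    """Return (post_date, product_id, url) for matching packages, newest first."""
    catalog = plistlib.loads(catalog_bytes)
    found = []
    for product_id, product in catalog.get("Products", {}).items():
        post_date = product.get("PostDate", datetime.min)
        for pkg in product.get("Packages", []):
            url = pkg.get("URL", "")
            filename = url.rsplit("/", 1)[-1]
            # Keep only HTTPS links whose file name matches the hint.
            if url.startswith("https://") and name_hint in filename:
                found.append((post_date, product_id, url))
    return sorted(found, reverse=True)


if __name__ == "__main__":
    for post_date, product_id, url in xprotect_packages(SAMPLE_CATALOG):
        print(post_date.date(), product_id, url)
```

Before installing a package obtained this way, `pkgutil --check-signature` on the downloaded file shows whether it carries a valid Apple signature.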
 


There's a "high" (CVSS 7.5) vulnerability involving Curl in OS X versions prior to macOS 10.12 Sierra (and Apple isn't supporting anything prior to macOS 10.13 with security updates).
I think this CVS is just a cumulative "Apple CVS" for all the security fixes that were applied between version 7.43.0 and 7.49.1 of Curl (Curl 7.43.0 was the latest version included in OS X 10.11, while macOS 10.12 then came with Curl 7.49.1.)

It's odd that this is published, like, 4 years later. It makes no sense really.

Nonetheless, I went ahead and built myself a new Curl on my Yosemite machine today (with almost all the bells and whistles, no less! :) Since there will be no updates for Yosemite anymore, I'm thinking about replacing Apple's retired Curl there entirely. I wonder if there could be side effects of some sorts (especially with libcurl). Does anyone have experience with such a drop-in-replacement of Curl?

Well… for now there's a fancy up-to-date Curl in "/usr/local" at least:
Bash:
/usr/local/bin/curl -V
curl 7.68.0 (x86_64-apple-darwin14.5.0) libcurl/7.68.0 OpenSSL/1.1.1a zlib/1.2.5 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
Probably the outdated zlib should be addressed too. :)
 


I just returned from a short trip to Arizona, [and] unfortunately, this time I left my iPhone 7 Plus in the [airplane] seatback pocket. I realized this about 20 minutes after my pickup car had left the airport, so it was too late to return to the airport. I filled out the airline's "lost and found" form on another iPhone while on the drive home.

My iPhone's lockscreen has the message "If found, please call (phone number for wife's iPhone) or (phone number for home) for cash reward". The iPhone has a six-character passcode.

I have yet to receive a call... and I just received my once-every-three-days message from the airlines that they haven't found it yet. I figure there must be thousands of items lost at airports every day and didn't really expect them to find it so quickly, if it had even been turned in. I don't think anyone can actually use the phone, as it is passcode locked.

Immediately after returning home, I realized that the major problem I'm having is that now everything I need to do that requires two-factor authentication doesn't work, as my "second device" is the lost iPhone. No second number to text or call.

I can't get into iCloud to "find my iPhone". I can't get into my online bank accounts, because I don't have access to my second device for 2FA. I couldn't register for my doctor's appointment because no second device.

When the iPhone is in my home, my 2009 Mac Pro running Mojave will receive all messages sent to the iPhone via "Messages", but I guess that doesn't work with the iPhone being distant.

I think there is a way to get around all this by petitioning Apple, but it sounds complicated and takes a lot of time.

So, given that it might be quite some time before my iPhone 7 Plus is found and returned, or given up as lost and replaced, how can I work around the lack of 2FA in the meantime?

How can I prevent this from happening again in the future? Can I add my lovely bride's different iPhone number to my account? Anything else?

Any and all tips and advice appreciated.
 


... How can I prevent this from happening again in the future? Can I add my lovely bride's different iPhone number to my account? Anything else?
Any and all tips and advice appreciated.
I have the phone number of two family members listed as "trusted phone numbers" on my Apple ID settings. These are both iPhones so no need for SMS. I believe this would take care of your unfortunate situation (assuming the family members are nearby).
 



How can I prevent this from happening again in the future? ...Anything else?
Any and all tips and advice appreciated.
Ladd, I recommend obtaining and then securing a Google Voice phone number. There are several commentaries available online on how to separate and remove your personal information from Google Voice after signing up for a virtual phone number.
 


I have the phone number of two family members listed as "trusted phone numbers" on my Apple ID settings. These are both iPhones so no need for SMS. I believe this would take care of your unfortunate situation (assuming the family members are nearby).
Perhaps that is something I can do after my current iPhone is returned or replaced. Unfortunately, any attempts to access my Apple ID generate the message "A message with a verification code has been sent to your devices. Enter the code to continue." So I can't go any further to try and add additional phone numbers.
 


You can use Find My without needing 2FA - go to icloud.com/find
I tried that four times yesterday, and three times it said "can't find your iPhone." Once, it showed the iPhone at the Phoenix airport, which was where the plane was going after I got off in Baltimore. I have no idea if the phone is actually there or just the last place I used it while connected to a cell tower.

Four attempts to "find my phone" today all resulted in "can't find it"....
 


If you contact your mobile carrier and have them issue a new SIM card on your account (for use in a replacement phone), you'll be able to receive SMS texts on the replacement phone.

Any Apple device (Mac, iPhone, iPad, iPod Touch) logged in to your iCloud account should be able to receive iMessages and get the 2FA popups used by Apple's security.
 


I just returned from a short trip to Arizona, [and] unfortunately, this time I left my iPhone 7 Plus in the [airplane] seatback pocket. ... Any and all tips and advice appreciated.
Be wary of any message you get stating your phone was found. It could be scammers trying to trick you into unlocking your phone so they can reset it and resell it. With the advent of locked iPhones, this is how thieves are still able to profit from stolen (or found) iPhones.
 


I left my iPhone in an airplane at ABQ airport several years ago – it had been in my lap, and I just stood up and retrieved my carry-on from the overhead bin and forgot the phone. I also had an "In case of emergency" message on the front of the phone, with my wife's phone number listed, an offer to pay for its return, and, at the bottom, the entreaty "No Catholic Hospitals Please." I realized while still in the airport that I'd forgotten the phone, and went to the lost and found. No joy.

I called the office later in the day, describing the phone and its case; they didn't have it. I called the next day and didn't describe the phone, but rather asked if they had taken in any iPhones; they said yes, they had one, but it didn't have a case. I asked them to turn it on, which they did, and told me that it said something about Catholic hospitals. Now the line about hospitals is at the very bottom, beneath the rather prominent plea to call the phone number listed. I told them to hold it, returned to the airport, and gratefully retrieved the phone. Someone had obviously removed the inexpensive case and turned in the phone! Luckily for me, however, it was before the plane left for its next destination – probably because it was on the floor, not in the pocket of a seatback.

The emergency information obviously was no help in returning the phone in that situation (although it did let me ID the phone). I imagine that the number of cell phones that turn up on a daily basis makes it unlikely that a busy (perhaps) staff may not check each one.

Whenever I try to Find My (wife's) iPhone, and it is out and about with her, I have to enter the code Apple sends to her devices, but the code always shows up on her iPad, which is at home, far away from the iPhone, which is with her.
 


... Whenever I try to Find My (wife's) iPhone, and it is out and about with her, I have to enter the code Apple sends to her devices, but the code always shows up on her iPad, which is at home, far away from the iPhone, which is with her.
If you enable Family Sharing, you won't need to enter in any codes.

(On iOS 13) Go to Settings > AppleID > Family Sharing and add Family Members. Also in this section there are Shared Features, one of which is Location Sharing. Each member can go into this setting and control whether others in the family group can see their location in the Find My app.
 


Immediately after returning home, I realized that the major problem I'm having is that now everything I need to do that requires two-factor authentication doesn't work, as my "second device" is the lost iPhone. No second number to text or call.
Are you referring to 2FA using SMS to your phone number, or 2FA using an authenticator app (One-Time-Passwords)?

If it's the former (which it sounds like), from my understanding of how carriers work, you should be able to get a new (or existing) phone, a new SIM, and get your carrier to assign your existing phone number to this new SIM (essentially, a sanctioned SIM swap), and 2FA SMS codes should come through to your new SIM/phone.

If it's the latter, then there should be two solutions, depending on how you backed things up:
  • If you backed up your phone with backup encryption enabled, any authenticator app worth its salt will be able to be restored with your existing OTPs you've already set up.
  • Depending on the service you use to set up the OTPs for that service, they may have given you the option to record backup recovery code(s) in order to be able to recover access; for those services, it's probably easiest to use that.
It's worth re-iterating that using SMS for 2FA is not secure and is not recommended! If at all possible, avoid SMS 2FA for any service you use. There's a good guide at Two Factor Auth (2FA) on how to set it up with an authenticator app (or other secure, non-SMS methods) for various services.

Using an authenticator app is much more secure but also needs a bit more care. (If you lose the device, you have to find other means to recover access, which is what recovery codes are useful for.)
 


The Mac/iPhone clipboard can create a security problem - just think about copying and pasting a critical password or other sensitive data and then having it silently stolen without you realizing it...
Does macOS keep a Clipboard log, or does the Clipboard clear prior entries as it's repopulated with new data?
 


Ladd, I recommend obtaining and then securing a Google Voice phone number. There are several commentaries available online on how to separate and remove your personal information from Google Voice after signing up for a virtual phone number.
I second. Also, when I'm traveling internationally, texts going to my Google Voice number can still be retrieved via email/the GV app/the GV web site, but I might not have access to SMS texts.

Also, if you have shared accts with your spouse, you can also set up email filters – e.g. text messages from (bank) automatically get forwarded to me and my wife, because sometimes we're both logging in at different times doing different things.
 


Whenever I try to Find My (wife's) iPhone, and it is out and about with her, I have to enter the code Apple sends to her devices, but the code always shows up on her iPad, which is at home, far away from the iPhone, which is with her.
How are you logging in to Find My? It should never require a 2FA code. If you're using the website, you have to go to icloud.com/find, not icloud.com.
 



Does macOS keep a Clipboard log, or does the Clipboard clear prior entries as it's repopulated with new data?
It doesn't keep a 'log' per se, but it does keep it in the clipboard until the next 'copy' operation (of the same type - so first copying a text password string will put it on the clipboard, and the next copy operation of any text string will "overwrite" it).

However, if your use of passwords involves copy/pasting them, I would strongly suggest you use a password manager instead - even the lowly macOS Keychain is an improvement.
 



Ric Ford

MacInTouch
Another update to Apple's invisible Mac anti-malware files:
Eclectic Light said:
Apple has pushed updates to XProtect and MRT
Apple has pushed two updates today, to the data files used by XProtect, bringing its version number to 2115, dated 5 March 2020, and to its malware removal tool MRT, bringing it to version 1.56, also dated 5 March 2020.

Apple doesn’t release information about what these updates add or change, and now obfuscates the identities of malware detected by XProtect using internal code names. Changes since the malware definitions in 2114 are small: MACOS.489e70f has been added, and MACOS.0e62876 amended slightly. Although the additional file LegacyEntitlementAllowlist.plist is included in this update, it hasn’t changed since version 2114.
 


Ric Ford

MacInTouch
Howard Oakley points out location-tracking security/privacy issues with iCloud:
Eclectic Light Co. said:
A Guide to Catalina’s Privacy Protection: 5 Location
... Overall, Catalina gives users the control they need over access to location data except for the overriding fact that, when Location Services are enabled, they’re inevitably shared across all devices connected to the same iCloud account. This is a potential security risk, as it could be used by an unfriendly and prying app running on your Mac to gain access to data gathered on your iPhone, for example. Users don’t appear to have any ability to segregate their location data between different devices which are connected to the same iCloud account. If you want to do that, you’ll have to use more than one iCloud account, which brings its own disadvantages. Apple really does seem to want you to collect and share location data.
 





Ric Ford

MacInTouch
There's an unpatched bug in iOS 13 that compromises VPN security:
Here's more about the iOS VPN vulnerability:
Threatpost said:
Apple Unpatched VPN Bypass Bug Impacts iOS 13, Warn Researchers

... The bug, outlined in a report by ProtonVPN, impacts Apple’s most recent iOS 13.4. The flaw is tied to the way VPN security software loads on iOS devices. Post launch, VPN software is supposed to terminate all internet traffic and reestablish connections as encrypted and protected. Researchers said the Apple VPN bypass bug in iOS fails to terminate all existing connections and leaves a limited amount of data unprotected, such as a device’s IP address, exposing it for a limited window of time.

“Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel,” researchers explained in a technical analysis of the flaw.
 


Ric Ford

MacInTouch
Here's some interesting discussion of a serious Apple Bluetooth vulnerability, recently patched, but only for macOS 10.13 and later.
Gizchina said:
Apple macOS has a Bluetooth vulnerability that can be remotely exploited
Recently, Apple issued two consecutive security announcements, publicly thanking the 360 Alpha Lab team for discovering 5 MacOS Bluetooth vulnerabilities. This is an extremely rare combination of vulnerabilities in Apple’s macOS system, and it has been officially confirmed that all the vulnerabilities are “zero-click, no-touch” remote exploitation vulnerabilities.

This vulnerability danger cannot be ignored, the team of 360 Alpha Labs has informed Apple officials which released a patch based on the vulnerability report submitted by the 360 security team and awarded a vulnerability bonus of $75,000.
 


I did my monthly backups last night. One of the external disks I attached mounted without asking for the FileVault password. Disk Utility said not encrypted. That is disturbing. My external T5 disk says not encrypted, either. That is worse. Both of them were encrypted when I first started using them. The second external backup disk is still encrypted. I looked at my internal spinner that hasn't been mounted in months and it is encrypted.

Mojave 10.14.6 on a 2019 Mac Mini.

Something has turned off FileVault on two of my disks. Any way to trace when it might have happened, or how?
 


Ric Ford

MacInTouch
... Something has turned off FileVault on two of my disks. Any way to trace when it might have happened, or how?
The only time(s) I've had a FileVault volume decrypted behind my back was during an Apple OS X installation.

It might also happen during a disk reformat, repartition or volume format conversion – e.g. from HFS+ to APFS.

(It's also possible for the FileVault password to be stored in your Keychain, so that the drive mounts without you entering a password, but it doesn't sound like that's what's happening in your case.)
 

