Apple security and privacy

(It's also possible for the FileVault password to be stored in your Keychain, so that the drive mounts without you entering a password, but it doesn't sound like that's what's happening in your case.)
I haven't done any installations or disk formatting in months.

I am hoping some Console log file records an encryption status change. I found a 5-year-old terminal command that sounds like what I want, but it didn't show anything that seems related.
"log show ... 'subsystem == "com.apple.securityd"' ...

I can't find much information about keychain files. If a FileVault password was stored in a keychain, which keychain file would it be in? I found one screenshot showing an entry "FileVault" in the left-hand column of Keychain Access, but I have no such entry. In my Keychains folder I have keychain-2.db (modified March 27), keychain-2.db-shm (modified March 16), keychain-2.db-wal (modified yesterday), login.keychain-db (modified yesterday). Does anyone know what causes these files to be modified? I think nothing I did last month should change anything password-related.

I guess my next step is to turn FileVault back on and see what shows up in the log and in Keychain Access and in the Keychains folder.
 


I guess my next step is to turn FileVault back on and see what shows up in the log and in Keychain Access and in the Keychains folder.
Rebooted, activated FileVault and did nothing else until it finished. The keychain-2.db-shm and keychain-2.db-wal files got new timestamps at this time. Nothing else changed.

Nothing in the log contains the terms filevault or encrypt. Maybe I am looking in the wrong place; I find it hard to believe such an important change in the system doesn't get logged.
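One way to make a future FileVault state change visible, as an added example that is not part of the poster's writeup or of any Apple tool: poll `fdesetup status`, append a timestamped line to a state log only when the answer differs from the last recorded one, and pull the unified-log lines written by the `fdesetup` process, which is the command-line tool that turns FileVault on and off. The log-file location and the assumption that a change made through System Preferences is logged under the `fdesetup` process are mine, not the page's; the status-parsing functions run on any system, the macOS commands only run on Darwin.

```shell
#!/bin/sh
# Added example, not from the thread: record FileVault state transitions and
# show what the unified log has from the fdesetup process.

STATE_LOG="${STATE_LOG:-$HOME/filevault-state.log}"   # assumed location

# Normalise the text printed by `fdesetup status` to on/off/unknown.
# Real output is "FileVault is On." or "FileVault is Off." possibly followed by
# extra lines (e.g. deferred enablement notes).
fv_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Append "<UTC timestamp> <state>" to $2 only when $1 differs from the last
# recorded state; prints "changed" or "same" so a caller (or a launchd job
# that runs this script) can act on it.
record_state() {
    state=$1
    logfile=$2
    last=$(tail -n 1 "$logfile" 2>/dev/null | awk '{print $NF}')
    if [ "$last" = "$state" ]; then
        echo same
    else
        printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$state" >> "$logfile"
        echo changed
    fi
}

if [ "$(uname)" = Darwin ]; then
    status=$(fdesetup status)
    echo "$status"
    echo "state log: $(record_state "$(fv_state "$status")" "$STATE_LOG")"

    # Per-volume view: APFS reports "FileVault: Yes/No" for each volume.
    diskutil apfs list | grep -i filevault

    # Unified-log lines from the fdesetup process over the last 30 days.
    # Assumption: a toggle made via System Preferences may log under a
    # different process, so an empty result is not proof nothing happened.
    log show --last 30d --predicate 'process == "fdesetup"' --style syslog | tail -n 40
fi
```

Run it once now to seed the state log, then schedule it (for example from launchd); the log then carries the first timestamp at which the state differed from the previous run, which is the information the Console search above did not give.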
 


Ric Ford

MacInTouch
More updates to Apple's invisible anti-malware files:
Eclectic Light Co. said:
Apple has pushed updates to XProtect and MRT
Apple has pushed two updates today, to the data files used by XProtect, bringing its version number to 2117, dated 2 April 2020, and to its malware removal tool MRT, bringing it to version 1.58, also dated 2 April 2020.

Apple doesn’t release information about what these updates add or change, and now obfuscates the identities of malware detected by XProtect using internal code names.
 


Ric Ford

MacInTouch
Apple paid a security researcher who discovered vulnerabilities that allowed malware to access a victim's camera and microphone.
BleepingComputer said:
Apple Paid $75K For Bugs Letting Sites Hijack iPhone Cameras
"Imagine you are on a popular website when all of a sudden an ad banner hijacks your camera and microphone to spy on you. That is exactly what this vulnerability would have allowed. This vulnerability allowed malicious websites to masquerade as trusted websites when viewed on Desktop Safari (like on Mac computers) or Mobile Safari (like on iPhones or iPads)," Pickren stated in a writeup about the vulnerabilities he discovered.

While researching ways to get unauthorized permission to an iPhone's camera, Pickren discovered seven zero-day vulnerabilities with IDs CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, and CVE-2020-9787.

Of these vulnerabilities, three were chained together to gain unauthorized access to a device's camera and microphone.
The security holes are reportedly fixed in iOS 13.4 and Safari 13.1, but it's not clear if older systems/devices are still vulnerable.
 



Ric Ford

MacInTouch
Apple paid a security researcher who discovered vulnerabilities that allowed malware to access a victim's camera and microphone.
On the other hand, Apple says that its latest Macs and iPads include a microphone disconnect mechanism.
Apple said:
Hardware microphone disconnect in Mac and iPad
All Mac portables with the Apple T2 Security Chip feature a hardware disconnect that ensures the microphone is disabled whenever the lid is closed. On the 13-inch MacBook Pro and MacBook Air computers with the T2 chip, and on the 15-inch MacBook Pro portables from 2019 or later, this disconnect is implemented in hardware alone. The disconnect prevents any software—even with root or kernel privileges in macOS, and even the software on the T2 chip—from engaging the microphone when the lid is closed. (The camera is not disconnected in hardware, because its field of view is completely obstructed with the lid closed.)

iPad models beginning in 2020 also feature the hardware microphone disconnect. When an MFi-compliant case (including those sold by Apple) is attached to the iPad and closed, the microphone is disconnected in hardware, preventing microphone audio data from being made available to any software—even with root or kernel privileges in iPadOS or in case the firmware is compromised.
 


Ric Ford

MacInTouch
Here's an interesting report about an intersection between the two notorious hacking/surveillance companies, Facebook and NSO...
Motherboard said:
Facebook Wanted NSO Spyware to Monitor Users, NSO CEO Claims
"The Facebook representatives stated that Facebook was concerned that its method for gathering user data through Onavo Protect was less effective on Apple devices than on Android devices," the court filing reads. "The Facebook representatives also stated that Facebook wanted to use purported capabilities of Pegasus to monitor users on Apple devices and were willing to pay for the ability to monitor Onavo Protect users."
 


I was unable to update the MRT data on my Mojave install using LockRattler, an unusual fail. I kept getting an "update not found" error. So I ran "softwareupdate" from the Terminal to first check to make sure there was really an MRT update available and then I installed the update using the same command. All is good now. LockRattler has not been updated in a while, so maybe that is an issue.
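The version check and the Terminal fallback described in the post above, as an added example that is not the poster's commands and not code from LockRattler or SilentKnight: read the installed XProtect and MRT versions from the bundles' Info.plist files, compare them with the numbers Eclectic Light reported in this thread, list pending updates with `softwareupdate -l`, and install only the XProtect/MRT labels. The plist paths (Catalina location first, pre-Catalina second), the default expected versions, and the two label formats the sed handles are my assumptions; the plist parser and comparison run anywhere, the `softwareupdate` calls only on macOS.

```shell
#!/bin/sh
# Added example, not from the thread or from any Eclectic Light tool: check
# installed XProtect/MRT versions and fetch background security updates.

# Versions reported by Eclectic Light in this thread; override via environment.
EXPECTED_XPROTECT="${EXPECTED_XPROTECT:-2119}"
EXPECTED_MRT="${EXPECTED_MRT:-1.58}"

# Read one string value from an XML plist: defaults(1) on macOS, a plain awk
# scan otherwise (or when defaults cannot read the file).
plist_string() {
    if [ "$(uname)" = Darwin ] && defaults read "$1" "$2" 2>/dev/null; then
        return 0
    fi
    awk -v key="$2" '
        $0 ~ ("<key>" key "</key>") { want = 1; sub(/.*<\/key>/, "") }
        want && match($0, /<string>[^<]*<\/string>/) {
            print substr($0, RSTART + 8, RLENGTH - 17); exit
        }' "$1"
}

# First readable plist among the arguments wins; "unknown" if none exists.
installed_version() {
    for p in "$@"; do
        if [ -r "$p" ]; then
            plist_string "$p" CFBundleShortVersionString
            return 0
        fi
    done
    echo unknown
}

# Compare installed ($1) with expected ($2) numerically per dotted component
# (1.58 vs 1.60, 2117 vs 2119): prints OK, OUTDATED or NEWER.
compare_versions() {
    if [ "$1" = "$2" ]; then echo OK; return 0; fi
    newest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
    if [ "$newest" = "$1" ]; then echo NEWER; else echo OUTDATED; fi
}

report() {
    xp=$(installed_version \
        /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist \
        /System/Library/CoreServices/XProtect.bundle/Contents/Info.plist)
    mrt=$(installed_version \
        /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist \
        /System/Library/CoreServices/MRT.app/Contents/Info.plist)
    printf 'XProtect %s (expected %s): %s\n' "$xp" "$EXPECTED_XPROTECT" \
        "$(compare_versions "$xp" "$EXPECTED_XPROTECT")"
    printf 'MRT      %s (expected %s): %s\n' "$mrt" "$EXPECTED_MRT" \
        "$(compare_versions "$mrt" "$EXPECTED_MRT")"
}

# List pending updates and install only the XProtect/MRT ones. Label lines look
# like "* MRTConfigData_10_14-1.58" (Mojave) or "* Label: MRTConfigData_10_15-1.58"
# (Catalina); the sed strips either prefix (assumption about the exact format).
update_security_data() {
    softwareupdate -l 2>&1 |
        sed -n -E 's/^[[:space:]]*\* (Label: )?//p' |
        grep -E 'XProtect|MRT' |
        while read -r label; do
            echo "installing $label"
            sudo softwareupdate -i "$label"
        done
}

demo() {
    # Constructed XProtect-style Info.plist (not a real Apple file) so the parser
    # and comparison can be exercised on any system.
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.XProtect</string>
    <key>CFBundleShortVersionString</key>
    <string>2117</string>
</dict>
</plist>
EOF
    v=$(installed_version /nonexistent.plist "$tmp")
    printf 'constructed plist: XProtect %s vs %s: %s\n' "$v" "$EXPECTED_XPROTECT" \
        "$(compare_versions "$v" "$EXPECTED_XPROTECT")"
    rm -f "$tmp"
}

if [ "$(uname)" = Darwin ]; then
    report
    if [ "${1:-}" = --install ]; then update_security_data; fi
else
    demo
fi
```

Run without arguments to see the installed versions against the expected ones; pass `--install` to fetch whatever `softwareupdate -l` currently offers for XProtect and MRT. Because these data files are delivered as ordinary background updates, the same script works on the older macOS versions the thread mentions as long as the "Install system data files and security updates" preference is enabled there.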
 


Ric Ford

MacInTouch
I was unable to update the MRT data on my Mojave install using LockRattler, an unusual fail. I kept getting an "update not found" error. So I ran "softwareupdate" from the Terminal to first check to make sure there was really an MRT update available and then I installed the update using the same command. All is good now. LockRattler has not been updated in a while, so maybe that is an issue.
You might want to give SilentKnight a try. (That's what I've been using lately.)
 


You might want to give SilentKnight a try. (That's what I've been using lately.)
I installed it. I miss LockRattler's ability to only install certain updates but I can live with the command line for that. There is also the weirdness with the TCC bundle report; "TCC 17.0 should be 140.18". As far as I can tell v17.0 is right for my Mojave install. There is a related article about this on Eclectic Light.
 


There is also the weirdness with the TCC bundle report; "TCC 17.0 should be 140.18".
See
“EclecticLight” said:
Why does SilentKnight/LockRattler show TCC is out of date?
Some users are seeing discrepancies in version numbers of installed security data when checking them using SilentKnight, LockRattler, or EFIcienC. This is most common in the TCC database, but can affect others, and is currently worst in Catalina betas. This article explains how this happens, and what to do about it.
 




Ric Ford

MacInTouch
Apple has pushed out yet another silent update to its XProtect anti-malware mechanism:
Eclectic Light Co. said:
Apple has pushed an update to XProtect
Apple has pushed one update today, to the data files used by XProtect, bringing its version number to 2118, dated 8 April 2020. This is an unusual out-of-cycle update whose sole purpose seems to be to update the large and mysterious collection of signatures in LegacyEntitlementAllowList.plist.
 


Apple has pushed out yet another silent update to its XProtect anti-malware mechanism:
I thought macOS 10.12 Sierra was no longer supported, but I note XProtect 2118 is the version on some older system installations. Is this because App Store preferences are set to “Automatically check for updates” and “Install system data files and security updates”?
 


Ric Ford

MacInTouch
I thought macOS 10.12 Sierra was no longer supported, but I note XProtect 2118 is the version on some older system installations.
Yes, unlike other critical security updates, a few of Apple's anti-malware protections do get installed on older macOS versions, offering a bit of protection while leaving many other vulnerabilities (and bugs) unpatched.
 


Is this because App Store preferences is set to “Automatically check for updates” and “Install system data files and security updates”?
Yes. As Ric mentioned, many background system data files and security updates continue to be provided to all previous macOS versions that are capable of processing those updates and enabling those two preferences. Generally speaking, that goes on until there has been a change in format of those files that can no longer be handled by older systems.
 



Ric Ford

MacInTouch
Apple updated XProtect to version 2119:
Eclectic Light Co. said:
Apple has pushed an update to XProtect
Apple has pushed one update today, to the data files used by XProtect, bringing its version number to 2119, dated 16 April 2020. Apple doesn’t release information about what these updates add or change, and now obfuscates the identities of malware detected by XProtect using internal code names.

... I maintain lists of the current versions of security data files for Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.
 



Ric Ford

MacInTouch
There is an extreme vulnerability in Apple Mail for iOS devices that is being actively exploited in the wild with zero-click remote malware execution.
This article says that Apple will patch the extreme iOS Apple Mail vulnerability in an upcoming 13.4.5 update:
ThreatPost said:
Apple Patches Two iOS Zero-Days Abused for Years
Researchers are reporting two Apple iOS zero-day security vulnerabilities affecting its Mail app on iPhones and iPads. Impacted are iOS 6 and iOS 13.4.1. Apple patched both vulnerabilities in iOS 13.4.5 beta, released last week. A final release of iOS 13.4.5 is expected soon.
 




Ric Ford

MacInTouch
So users of really old iPhones should simply stop using their phones for email, right?
Good point - if Apple only puts the patches in iOS 13.4.5, that leaves out hundreds of millions of iPhones that can't run iOS 13 (i.e. iPhone 6 and earlier models) and so can't get the security fixes.
Apple said:
iOS 13 is compatible with these devices.
iPhone 11
iPhone 11 Pro
iPhone 11 Pro Max
iPhone XS
iPhone XS Max
iPhone XR
iPhone X
iPhone 8
iPhone 8 Plus
iPhone 7
iPhone 7 Plus
iPhone 6s
iPhone 6s Plus
iPhone SE
 


Good point - if Apple only puts the patches in iOS 13.4.5, that leaves out hundreds of millions of iPhones that can't run iOS 13 (i.e. iPhone 6 and earlier models) and so can't get the security fixes.
Gmail requires iOS 12, as well. I guess I'll have to byte the bullet and "upgrade" the iOS and lose the few legacy apps that run on early versions of iOS.
 


So users of really old iPhones should simply stop using their phones for email, right?
I guess we'll have to wait and see. Apple has been releasing updates quietly for iOS 12 along with iOS 13 recently, and Apple even released an update for iOS 9 back in July. If they update iOS 13 to address this issue, I think it's very likely they'll update iOS 12, too. While I wouldn't bet that they'll update iOS 9, it wouldn't shock me, either, given the severity of the bug.
 



So users of really old iPhones should simply stop using their phones for email, right?
According to the article, there have been exploits in the wild for two years. In other words, you're just as vulnerable today as you were in 2018.

Clearly, the exploits were not that widespread if it managed to slip under the radar for all that time. I'm not going to be losing any sleep, and I'm going to keep reading e-mail on my iPhone 6 with or without an update.
 

