malware and security

Ric Ford

MacInTouch
A heads-up from Thomas Reed:
Malwarebytes said:
Mac malware targets cryptomining users
Last week, a security researcher named Remco Verhoef announced the discovery of a new piece of Mac malware being distributed on cryptomining chat groups. This malware was later further analyzed by Patrick Wardle, who gave it the rather appropriate moniker OSX.Dummy.

The malware was being distributed by chat users posing as admins, who posted the following shell script for users to run...
 


Ric Ford

MacInTouch
Some new Mac malware was analyzed by Thomas Reed:
Malwarebytes Labs said:
Mac malware combines EmPyre backdoor and XMRig miner
... The malware was being distributed through an application named Adobe Zii. Adobe Zii is software that is designed to aid in the piracy of a variety of Adobe applications. In this case, however, the app was called Adobe Zii, but it was definitely not the real thing.

... This script opens up a connection to an EmPyre backend, which is capable of pushing arbitrary commands to the infected Mac.

...Interestingly, there’s code in that script to download and install a root certificate associated with the mitmproxy software, which is software capable of intercepting all web traffic, including (with the aid of the certificate) encrypted “https” traffic. However, that code was commented out, indicating it was not active.

... If you’re infected, it’s impossible to say what else the malware may have done besides cryptomining. It’s entirely possible it could have exfiltrated files or captured passwords.
 


Another new Mac malware technically analyzed by Patrick Wardle:
Objective-See said:
Word to Your Mac
In this blog post, we’ll detail how to analyze a Word document that we suspect contains malicious logic.

Specifically we’ll detail:
  • How to extract & analyze the malicious macros embedded in the document.
  • How to decode & analyze the embedded 1st-stage payload (downloader).
  • Retrieve & identify the 2nd-stage downloader
I don't recommend downloading the sample!
 


Ric Ford

MacInTouch
More from Thomas Reed:
Malwarebytes Labs said:
Flurry of new Mac malware drops in December
...
The similarities between all these pieces of malware, as well as the close coincidence in timing (all were first submitted to VirusTotal within about a one month period), may mean that they were all made by the same malware developer.

However, there is no concrete evidence for that supposition at this time. The IP addresses these pieces of malware communicate with are scattered around the globe in the US, Luxembourg, Germany, and the Netherlands, and there are no obvious connections between them. The code is similar, but not identical.

At this time, we are calling each of these by a different name, but will keep investigating.

In the meantime, the best things you can do to stay safe are:
  • Don’t allow macros to run in Microsoft Office documents
  • Don’t download software from anywhere other than the developer’s official site, and especially not piracy sites
  • Don’t open anything sent to you via email unless you know the sender and were expecting it
  • If you open a newly-downloaded application and something doesn’t work as expected, check with the developer
 


Ric Ford

MacInTouch
There's news today about clever Mac malware that combines web advertising (malvertising) with steganography and the familiar "Flash Updater" trojan:
Dan Goodin/Ars Technica said:
Malvertisers target Mac users with steganographic code stashed in images
Researchers have uncovered a recent malicious advertisement campaign that’s notable for its size, scope, and resourcefulness: a two-day blitz triggered as many as 5 million times per day that used highly camouflaged JavaScript stashed in images to install a trojan on visitors' Macs.

The ads were served by a group security firm Confiant has dubbed VeryMal, a name that comes from veryield-malyst.com, one of the ad-serving domains the group uses. A run that was active from January 11 to January 13 on about 25 of the top 100 publisher sites triggered the image as many as 5 million times a day. In an attempt to bypass increasingly effective measures available to detect malicious ads, the images used steganography—the ancient practice of hiding code, messages, or other data inside images or text—to deliver its malicious payload to Mac-using visitors.
Eliya Stein/Confiant said:
Confiant & Malwarebytes Uncover Steganography Based Ad Payload That Drops Shlayer Trojan On Mac Users
Recent months have seen an uptick in reports of JavaScript malware that hides in image files. This is often referred to as “image based malware” or “steganography malware” in more technical contexts.
This post will examine a steganography based payload utilized by a malvertiser that Confiant has dubbed VeryMal after one of their ad serving domains, veryield-malyst.com. Malwarebytes provided an analysis of the malicious binary that was dropped. It’s estimated based on the scope of our coverage that as many as 5MM visitors may have been subject to this recent malware campaign.

The result of the fully executed payload is this familiar browser hijack...
 



Ric Ford

MacInTouch
FYI:
Bleeping Computer LLC said:
New SpeakUp Backdoor Infects Linux and macOS with Miners
A malware campaign distributing a new Backdoor Trojan named SpeakUp is currently targeting servers running six different Linux distributions and macOS by exploiting a number of known security vulnerabilities, while also managing to evade all anti-malware solutions in the process.

Backdoor Trojans are malware capable of providing attackers with access to compromised machines and to help them control those infected computers using commands sent via command-and-control (C&C) servers.
 


I repair quite a few Macs - mostly hardware, but software as well. I've noticed recently, and I don't know if it started in Mojave or before, the difficulty and sometimes the seeming impossibility of changing the homepage in Safari. I currently have a client's iMac (2012) where the homepage has been hijacked by "chumsearch.com".

I've googled and tried the various remedies, short of using terminal commands, and been unable to reset the password. This isn't the first time.

In some instances I'm pretty sure there has not been any "untoward" malware that has led to this situation. In this case it seems the malware has "implanted" something.

Does anyone know the foolproof way to allow resetting of the homepage or are there too many variables and it is really situation/condition specific?
 


Ric Ford

MacInTouch
I've noticed recently, and I don't know if it started in Mojave or before, the difficulty and sometimes the seeming impossibility of changing the homepage in Safari. I currently have a client's iMac (2012) where the homepage has been hijacked by "chumsearch.com".
That sounds like classic web browser malware, and Malwarebytes for Mac should clean it up. Let us (and the Malwarebytes folks) know if it doesn't. (Here's some discussion at the Malwarebytes website: Chumsearch Problem.)
 


I've noticed recently, and I don't know if it started in Mojave or before, the difficulty and sometimes the seeming impossibility of changing the homepage in Safari. I currently have a client's iMac (2012) where the homepage has been hijacked by "chumsearch.com".
It's not unique to Mojave, but adware developers have recently been very inventive in finding new ways to making such restorations more and more difficult. Although Malwarebytes will normally clean up what caused the infection, much of the needed resetting has to be done manually and often requires a restart.

There seems to be something new almost every day. One example is the installation of a profile to lock settings. Anti-malware has not come up with an acceptable way of uninstalling them. Chrome is even worse, requiring a nuclear uninstall of all components.
 



So here is the solution that finally worked:

The computer was at macOS 10.14.0. I updated it to macOS 10.14.3. That gave me an "empty" homepage. After some "massaging", I was able to get www.google.com as the homepage.
 



One of my clients saw a dialog that said his Mac was locked and to call a number. I wasn’t available, so they brought in an expert who just called the number, let them take control and install things after registering for Official Apple Support at an xyz domain, charged him $1,600, and the expert abandoned him with a mess.

I didn’t see the dialog, so I don’t know if the computer was really locked or if it was just a window displayed from his Facebook feed in Safari.

When I was able to examine it, Malwarebytes and ClamXAV found nothing, but with a day of digging and fixing throughout the OS folders, I found applications and parts from: 360 Total Security, LogMeIn, GoTo Opener, and AdGuard for Safari.

I also found a Flash dmg in his downloads. I suspected that Flash, or maybe his use of Chrome with built-in Flash support, may have led to the warning dialog.

The Mac is on the latest macOS 10.13, all the caches were cleared, new Startup Items and LaunchAgents removed, passwords changed, and the last security update applied, among other things.

After several days of working fine, he was on Facebook, then his screen showed nothing else besides asking for his username and password. I assume it was asking for his Mac credentials, and it's interesting that Facebook was the initiator again.

I don’t know if I missed something, or if a Facebook extension may have tried to install something that prompted the dialog.

I’ve considered reapplying the combo update and security update, instead of a full erase, because his offline Time Machine backup is a few months old. Since USB itself is vulnerable, I’m considering throwing away my flash drives used for fixing, in case they installed something else. I’m going to look at his Mac again and would appreciate any suggestions.
 


Ric Ford

MacInTouch
... I don’t know if I missed something, or if a Facebook extension may have tried to install something that prompted the dialog. ... I’m going to look at his Mac again and would appreciate any suggestions.
I don't know what's happening exactly, but it's nasty, and it hit a friend of our family, too - on Windows, also involving Facebook. Here's my earlier post about it.
 


One of my clients saw a dialog that said his Mac was locked and to call a number. I wasn’t available, so they brought in an expert who just called the number, let them take control and install things after registering for Official Apple Support at an xyz domain, charged him $1,600, and the expert abandoned him with a mess.

I didn’t see the dialog, so I don’t know if the computer was really locked or if it was just a window displayed from his Facebook feed in Safari.

When I was able to examine it, Malwarebytes and ClamXAV found nothing, but with a day of digging and fixing throughout the OS folders, I found applications and parts from: 360 Total Security, LogMeIn, GoTo Opener, and AdGuard for Safari.
What “expert” did your client call? It doesn’t seem out of the question that the expert was benefiting from the scam beyond whatever ridiculous fee the “expert” charged. I hope your client is in a position to dispute at least some of these charges.
 



I found applications and parts from: 360 Total Security, LogMeIn, GoTo Opener . . .
Criminals have had access to and control of your client's computer. They may still have access if they tricked your client into installing and activating the LogMeIn (or another) remote access client. "GoTo Opener" is part of the LogMeIn "Go To Meeting" remote system. "360 Total Security" is, if genuine, a China-origin anti-virus. Given criminals had control of the client's system, I wouldn't trust 360, and I'd be dubious of it even if genuine.

I would consider the Mac toxic and remove it from the network and Internet. My next step would be to secure my email accounts, since they're often used by financial institutions and brokers to verify account changes. I would check the server-side email setup to be sure the criminals didn't set up an email forward that would enable them to intercept verifications, and more.

Two-factor authentication helps, but if criminals had access to the system, a keylogger or man-in-the-middle scenario may enable interception of two-factor codes as they're entered, giving persistent control of the accessed site to the criminals.

If by offline you mean your client's Time Machine wasn't connected to the Mac while the criminals controlled it, that's an advantage, even if the backup is old. Don't reconnect it to the compromised Mac until the Mac is wiped and rebuilt.

(Personal experience: I've found hidden files from old installs. The most intriguing was a "phone home" from a tiny and hidden component of the Intego Security Suite I had cancelled and removed. The component was migrated forward into several Macs by Migration Assistant. It became noticeable when it started slowing down my system and showed up in Activity Monitor. Had it lain dormant for years, or had it been phoning home for years and become noticeable when its connection to Intego broke?)
Trojan horses disguised as Flash installers are very common (if you didn't already know).
Chrome has long sandboxed its custom "Pepper" Flash. Beginning in version 56, Chrome blocks Flash and requires user approval to let it run. Beginning in 69, Chrome stopped letting non-Enterprise users (easily) grant persistent permission for Flash to run on whitelisted sites. Because "Flash" is built into Chrome, there's no separate install. If [real Adobe] Flash is installed on that Mac, it would be for a different browser.

Flash has a long and melancholy history. Yet most of the Flash exploits I've read about aren't Flash itself, but, as Ric wrote, fakes users are tricked into installing, often by popups. Flash's "safer" HTML5 replacement can pop up scareware notices, just like Flash did.
Ars Technica said:
Malvertisers target Mac users with steganographic code stashed in images
Clever HTML5 coding helps a blitz of malicious ads slip past scanners.

Researchers have uncovered a recent malicious advertisement campaign that’s notable for its size, scope, and resourcefulness: a two-day blitz triggered as many as 5 million times per day that used highly camouflaged JavaScript stashed in images to install a trojan on visitors' Macs.
Facebook has long been a distribution vehicle for this kind of attack:
CSO said:
If the Mac were mine, I'd do a nuke and pave from an external boot. PIA it may be, but I'd change every login ID and password that was stored or accessed from that system, presuming the criminals could have copied everything out of my password wallet and Keychain. I'd probably go further, and ask banks/brokers/credit cards to issue new account numbers.
 


Kathryn, good idea about the so-called expert being complicit, but not in this case. My client is quite old, easily confused, and doesn’t have a great memory. He just trusted a friend who had a friend who meant well. Not strangers.

Besides giving the criminals his now cancelled credit card, he also gave them his bank account number. It took much explaining to convince him that it needs to be changed too.

Ric, good to remind everyone about trojans disguised as Flash installers. That may or may not have been the case here. Malwarebytes didn’t detect anything, DetectX noticed the FlashPlayerInstaller in the downloads folder but didn’t comment on it. He also had Pepper Flash Player installed. EtreCheck and Simpleum Check were useful for verifying other settings and Onyx for clearing caches. I temporarily installed Little Snitch and saw no unidentified connections for many hours.

George, I agree that criminals controlled the client’s computer. All of the programs I mentioned have been completely removed, and more. Both the expert and the client were tricked through social engineering to install those programs as part of their security service. All passwords were changed, but he did not want me to set up 2-factor authentication or a password manager, as he gets easily confused. Good tip about verifying no email forwarding exists.

This Mac running macOS 10.13 is quite old and quite slow, and having only an outdated and disconnected Time Machine backup, he did not want me to take the time for a full erase and reinstall. I’m confident in what I did, but if it were my machine, I would certainly not trust it without an erase and reinstall.

I forced him to use Firefox and uBlock Origin, warning him about the fake messages that appear on Facebook and elsewhere. In Facebook, I found no apps listed, but I did turn off the preference to “interact with apps, websites and games.” Could that setting have played a part, when it was turned on?

My takeaway lesson is to start questioning every macOS and iOS app I have. What country are they made in? Do I really need this? What is their privacy policy? I avoid apps with ads and Chinese apps. I wonder how safe apps are from Ukraine, which includes Readdle. I don’t think we can blindly accept apps as safe, regardless of their notoriety. This would be a good conversation to have, if anyone has opinions.
 



My takeaway lesson is to start questioning every macOS and iOS app I have. What country are they made in? Do I really need this? What is their privacy policy? I avoid apps with ads and Chinese apps. I wonder how safe apps are from Ukraine, which includes Readdle. I don’t think we can blindly accept apps as safe, regardless of their notoriety. This would be a good conversation to have, if anyone has opinions.
That conversation also includes the latest versions of The Unarchiver, now owned by MacPaw in the Ukraine. Version 3.11.1 was the last version before they acquired it.
 


For iOS, my favorite equivalent of uBlock Origin is Weblock. It blocks ads, scripts, pop-ups, etc., using a VPN strategy, and works on most app ads as well as in Safari. Cheap at $1.99. I'm just a happy user. Only downside: I have to remember to re-enable VPN in Settings after every reboot, Apple's fault for a non-sticky setting.
 


Ric Ford

MacInTouch
For iOS, my favorite equivalent of uBlock Origin is Weblock...
Their privacy policy includes this bit:
Weblock said:
Privacy Policy
Our app uses the Flurry Analytics SDK to collect basic information about the app usage. The exact information collected by Flurry and the privacy policy for this information can be found here: http://www.flurry.com/legal-privacy/privacy-policy. If you wish to disallow Flurry Analytics, please enable blocking of Flurry by going to "Weblock -> Filters -> User Tracking" and enabling "Block Flurry".
I went to http://www.flurry.com/legal-privacy/privacy-policy, and it seemed to be entirely devoid of any content at all. So I went to the Flurry home page and found a Privacy link that led here:
 


That conversation also includes the latest versions of The Unarchiver, now owned by MacPaw in the Ukraine. Version 3.11.1 was the last version before they acquired it.
Interesting. For what it's worth, it looks like the pre-acquisition distributions are still available on the original developer's website. I'm still wrestling with what exactly makes a Ukrainian company intrinsically less trustworthy than a Finnish one-man show (per his GitHub profile).
 


I would like to make a pitch here for using LaunchControl to deal with any computer belonging to a novice or ingenuous person.

It lets you go through and find all the automatic-launch stuff and shut it off. It is not the world's best interface, it has an annoying number of alerts and are-you-sures, but it will do the trick, and it's much easier than doing the same thing from Finder locations. EtreCheck will reveal other stuff you may have missed.

Malware removers are good at removing some malware, but I find that a lot of stuff is “semi-legit” enough to escape. If you use LaunchControl, you can deactivate and remove things that act like malware but technically might not be.

Also get familiar with Terminal, because you will need it... (not saying that to any one person, just in general).

Instead of The Unarchiver, you can use Keka.
 



One of my clients saw a dialog that said his Mac was locked and to call a number. I wasn’t available, so they brought in an expert who just called the number, let them take control and install things after registering for Official Apple Support at an xyz domain, charged him $1,600, and the expert abandoned him with a mess.
I wonder if using Parental Controls to limit what apps run on your client's Mac would be helpful?
 


Trojan horses disguised as Flash installers are very common (if you didn't already know).
Coincidentally, just a couple days before Ric posted this reminder, I selected a (very) old bookmark. It went to a page that "flashed" a notice that my Flash was not up-to-date, and immediately proceeded to download a Flash installer. I isolated the Mac, ran ClamXAV. It found some "relatively" harmless adware in the Flash installer.

It also found adware in another archive I downloaded either from the developer or MacUpdate, but had never gotten around to opening. Finally, it found adware in an app from the App Store (another I really hadn't tried yet).

I ran the Avast demo just for redundancy. It found that the App Store app had, in fact, installed its payload. I also ran the Sophos demo. Lots of sudo rm followed... :-}

Ironically, the take-away for me from all this was that anti-virus software remains difficult to distinguish from the threats they are supposed to protect us from. None of them would function without being given carte blanche to phone home. In spite of preferences seemingly to the contrary, none of them would simply run when asked. They all insisted on daemons in the background. Is it unreasonable to expect these folks to be sensitive to this?
 


Ironically, the take-away for me from all this was that anti-virus software remains difficult to distinguish from the threats they are supposed to protect us from. None of them would function without being given carte blanche to phone home. In spite of preferences seemingly to the contrary, none of them would simply run when asked. They all insisted on daemons in the background. Is it unreasonable to expect these folks to be sensitive to this?
Yes, for the most part it is unreasonable in today's macOS environment. It's not that these apps need to “phone home” by the traditional definition, rather they must also stay up to date on malware definitions to be effective against the ever-changing malware types and variants. If you have privacy concerns, check the developer's policy to see what, if any, information is being passed to them. If they require registration, then that's the minimum check that needs to be made when used.

Background processes are necessary to provide real-time / on-access protection involving newly downloaded / changed files. They also control all scheduled scanning and definition / app update checks. And, they are necessary to provide a menu icon.

There have been a couple of requests to ClamXAV to eliminate all background processes as long as Sentry and all scheduled events are disabled. Although such settings are not optimal for providing full protection, the developer has agreed to provide such an option for users who demand complete control in a future release. This will simply eliminate the menubar icon, which uses practically no resources at all, but should satisfy such purists.
 


Yes, for the most part it is unreasonable...
I don't think it is unreasonable. I know why developers claim software needs to phone home. I know what information their privacy notices claim to be gathering. What I don’t know is any way to verify any of the above claims.

With Microsoft and its Windows Installers (with bonus secret marketing surveys) and now Google’s example of “let’s just grab this data and feign innocence when it upsets someone” setting industry privacy standards, I am really supposed to trust all this?

I download from Apple, directly from developer sites (after reading reviews), and occasionally, source code from GitHub. Nowhere else. In over thirty years of personal computer use, I have only been “infected” one other time besides the above instance. That was in 1987. Every single “infection” has come from a “trusted source”, i.e. directly from an established developer.

In short, I don’t feel the need for my CPU and I/O bandwidth to be eaten up by constantly running antivirus processes. I have 267 processes and 905 threads (each of which “uses practically no resources at all”). Meanwhile, folks in this forum complain about macOS getting more sluggish with each update. All those processes don’t add up?

I have five persistent iCloud processes (with 2 threads each). I don’t use iCloud. Five Photos processes (with 2 threads each). I wouldn’t let Photos near my photo library. Siri processes, and I don’t even have a microphone. SafeEjectGPU processes, when I have no ejectable GPU, etc. Most of these could be avoided with one-line-of-code tests. How many other more obscurely titled processes do I really not need?
 


I don't think it is unreasonable. I know why developers claim software needs to phone home. I know what information their privacy notices claim to be gathering. What I don’t know is any way to verify any of the above claims.
I understand such frustration. I was narrowly responding to your specific questions about ClamXAV and similar anti-malware apps, not the proliferation of background processes with each new version of macOS. Most of those are easily supported by current hardware and won't noticeably impact the average user, but are somewhat unnecessary energy consumers. Nor does it address your ability to verify privacy policies. That requires research into the company, which is often difficult and time-consuming for most all of us. Some developers have even accidentally violated their own policies due to faulty coding and / or poor QC.

If you really feel you want to control these unused processes, then grab a copy of LaunchControl for $15 and learn how to safely use it.
 


I have five persistent iCloud processes (with 2 threads each). I don’t use iCloud. Five Photos processes (with 2 threads each). I wouldn’t let Photos near my photo library. Siri processes, and I don’t even have a microphone. SafeEjectGPU processes, when I have no ejectable GPU, etc. Most of these could be avoided with one-line-of-code tests. How many other more obscurely titled processes do I really not need?
Found this trick that will shut off photoanalysisd, the background process that's identifying faces and possibly objects:
Guy Blanco IV said:
Controlling photoanalysisd
We're going to make a cron job that kills the photoanalysisd service every minute. The command takes less than 10ms to run and doesn't error out if the service is already dead.
It may be possible to apply Guy Blanco's idea to other unwelcome processes.

From observing in Little Snitch, I found many Apple processes engage in bi-directional telemetry, and it's possible those blocked by Little Snitch build logs to phone home when I deactivate Little Snitch to take updates.

It's possible, as I've mentioned before, to delete some of what I consider Apple bloatware (Game Center was one that had no place on computers in the workplace). Such applications are simply built on top of the underlying BSD/Darwin core of macOS, and can be removed without creating instability, and seem to improve speed. To do that, for the ones it is possible to delete, turn off SIP and use a program like the late Reggie Ashworth's full and still supported (not Mac App Store) version of AppDelete to easily scrape out all the applications' hidden files. I even deleted Safari once, with no negative side effects. In days gone by, it was possible to delete Spotlight, but that no longer seems possible.

Of course, the Apple apps you delete are likely to return at the next major point release, but not with standalone security releases. That's one reason I prefer not to "upgrade" to a new version, e.g., El Capitan to Sierra, until the final (often .6) version is released. Then I'm able to create a Carbon Copy Clone of my macOS system that has been stripped of what isn't needed, and clone that to other Macs in the office.
 


Found this trick that will shut off photoanalysisd, the background process that's identifying faces and possibly objects:
That did not work for me. However, using LaunchControl, in expert mode, I could either shut it down entirely, or change the interval from 7200 (the default) to 72000 (quite rare). I can also shut down PowerNap, which strikes me as a good idea.

That said, to run the crontab or use LaunchControl on that particular item, you need to shut off System Integrity Protection (SIP). In short, reboot into Recovery partition, go to Terminal, type
/usr/bin/csrutil disable
go back into normal boot, LaunchControl to remove or restrict the daemon, and back into Recovery to
/usr/bin/csrutil enable

It would be nice to have a clever way to play with SIP without two reboots each time...
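As an added shell example (not Guy Blanco's cron job, LaunchControl's code, or anything posted in the thread), the two approaches discussed above side by side: building and idempotently merging the per-minute crontab line that kills photoanalysisd, and rewriting the interval integer under a named key in a launchd plist. Assumptions: the agent's plist carries an integer key such as StartInterval (assumed, not verified against Apple's file), and the plist edited here is a constructed sample in a temp file; editing the real file under /System needs SIP disabled, as the post says.

```shell
#!/bin/sh
# Added example, not from the MacInTouch thread. Helpers for the two
# "stop photoanalysisd" approaches discussed: a cron killer and a launchd
# interval edit. Paths and the sample plist below are constructed.

# Build the crontab line: run killall on the named process once a minute.
# killall returns non-zero when nothing matches, so stderr is discarded.
cron_kill_line() {
    printf '* * * * * /usr/bin/killall %s >/dev/null 2>&1\n' "$1"
}

# Merge the line into an existing crontab text read from stdin; print the
# result. Idempotent: a second run leaves the crontab unchanged.
# Real use: crontab -l 2>/dev/null | merge_cron_line photoanalysisd | crontab -
merge_cron_line() {
    line=$(cron_kill_line "$1")
    existing=$(cat)
    if printf '%s\n' "$existing" | grep -qxF -- "$line"; then
        printf '%s\n' "$existing"
    else
        [ -n "$existing" ] && printf '%s\n' "$existing"
        printf '%s\n' "$line"
    fi
}

# Replace the <integer> that follows <key>KEY</key> in a launchd plist.
# Usage: set_plist_interval FILE KEY NEWVALUE  (edits in place, keeps FILE.bak)
set_plist_interval() {
    file=$1; key=$2; value=$3
    sed -i.bak "/<key>$key<\/key>/{n;s/<integer>[0-9]*<\/integer>/<integer>$value<\/integer>/;}" "$file"
}

# Print the integer stored under KEY in FILE (empty if absent).
get_plist_interval() {
    sed -n "/<key>$2<\/key>/{n;s/.*<integer>\([0-9]*\)<\/integer>.*/\1/p;}" "$1"
}

# Demo on a constructed plist: change 7200 (the default quoted in the
# thread) to 72000, then print the new value. Returns "72000".
demo_interval_edit() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.constructed.agent</string>
    <key>StartInterval</key>
    <integer>7200</integer>
</dict>
</plist>
EOF
    set_plist_interval "$tmp" StartInterval 72000
    get_plist_interval "$tmp" StartInterval
    rm -f "$tmp" "$tmp.bak"
}

# Stand-alone run: ./script.sh --demo prints the edited interval.
if [ "${1:-}" = "--demo" ]; then
    demo_interval_edit
fi
```

The cron approach only restarts the fight every minute; the interval edit changes how often launchd schedules the job in the first place, which is why the post reports it as the more reliable of the two.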
 


I'm still wrestling with what exactly makes a Ukrainian company intrinsically less trustworthy than a Finnish one-man show (per his GitHub profile).
The increasingly international provenance of software raises interesting, complicated, and perhaps unresolvable questions about security and privacy.

At a very simple level, how confident can anyone be about the security of a piece of software written by a single individual, regardless of the individual's location? Even the most honest, careful, talented developers produce software with bugs, and sometimes those bugs create security vulnerabilities. Even if you have access to the source code or can perform formalized software security testing, issues still can slip through. That's the best case.

What happens if the developer is careless, has strong incentives to de-emphasize security, or is outright dishonest? Will you ever know? Perhaps there is some comfort if the developer is in a friendly legal jurisdiction. In that case, perhaps you can pursue legal compensation if negligence or criminal behavior can be demonstrated, but doing so can be costly and may have a low chance of success. In any case, if legal remedies are sought, chances are that they're being pursued in response to a security/privacy breach that already has happened. By then, it may be that no amount of compensation will match the financial losses and damages to privacy, reputation, and so on.

Now let's look at some widespread practices in the industry. Many commercial software developers (regardless of size) rely on outsourced development partners with highly variable degrees of oversight. This includes everything from traditional apps to websites. You may insist on buying/licensing/using software written by local developers, but there is a substantial probability that some, most, or even all of the actual code was written somewhere else by someone else. I'd wager that most people who don't have firsthand experience with the process would be astonished at how much code is developed by outsourced developers.

Complicating things further, outsourced development partners themselves often rely on additional third party developers unless contractually prohibited from doing so. While some outsourcing is entirely local, and most people think of India as the base of most international outsourcing, places like Russia, Ukraine, and eastern Europe are very commonly used. They have very reasonable costs and significant pools of developers with excellent reputations, world-class technical training, and surprisingly good English skills. Latin America is growing quickly, too, with a lot of development outsourcing being done in places like Argentina, Uruguay, and Mexico. If things go wrong, however, opportunities for redress may be limited.

A variation is how often code is developed by in-house developers based in other countries. Just about every large software provider has a significant in-house international development footprint, and many surprisingly small firms do, too. In my own work, I often encounter firms with a three or four person headquarters in places like Boston or NY and a 24-person overseas software development department -- without any public mention of the overseas development department. Often, the ability of HQ to keep a close eye on development is less than ideal.

In other words, modern software development often involves a very complicated international supply chain, the security of that supply chain can be highly variable, and it can be pretty rare for end users to have true visibility into where their software comes from.

This ends up being an extremely unsatisfying post. On the one hand, I often think that people worry too much about security/privacy issues that are derived from the geographical origin of well-known, professionally managed products. On the other hand, the variability and vulnerability of the software supply chain across the full range of websites and apps is so large and the associated guarantees and protections are so small that I sometimes feel like pen and paper are the future.


Ric Ford

MacInTouch
The increasingly international provenance of software raises interesting, complicated, and perhaps unresolvable questions about security and privacy....
Thanks for describing some of these critical software supply chain issues and their complexity.

To add just a couple of additional notes, I'll start by mentioning that developers typically use third-party software libraries within their apps, from a wide variety of sources with a wide variety of issues, including many severe security and privacy problems. Examples abound, including some nasty code in iOS apps, while more benign libraries also can contain security flaws, as we've discussed recently re SQLite.

Meanwhile, it seems that almost every app now connects over the Internet to remote systems to exchange data and code, which can be anything but transparent and create all kinds of issues on the fly in real time, regardless of what code happened to be in the app when someone first downloaded it. Firewalls, such as Little Snitch, can be helpful here, but we can't know or see what's going back and forth. Apple is a prime example - we might think we know what's happening, such as a software update being installed, but we can't actually see what's going back and forth, and there's astounding complexity involved, as Apple hooks the customer into Apple ID, iCloud, iMessage, App Store, iTunes, OS signing, software update scans, etc.


To add just a couple of additional notes, I'll start by mentioning that developers typically use third-party software libraries within their apps, from a wide variety of sources with a wide variety of issues, including many severe security and privacy problems.
Excellent point. In my day job, I occasionally participate in technical due diligence assessments of firms that develop software for internal use or for external distribution. Some firms manage their software development processes very well, with regular, close review of code as it is developed and with tracking of incorporated libraries and other third-party code, updating them as necessary, and auditing periodically. With such firms, there is little worry about whether the code is generated in one country or another. The processes are good enough to instill confidence.

Other firms are not so rigorous or proficient; sometimes they have no idea that one of their staff decided to include a particular third-party library or code snippet in their product. In those cases, the code often is out of date, revealing potential vulnerabilities, and sometimes the code is incorporated in violation of applicable licenses, opening potential legal/financial liabilities. Perhaps needless to say, firms that operate in that fashion will tend to have other significant issues with their software, whether the code is developed in Kiev or in Kansas.
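As an added example of the "tracking of incorporated libraries" that the post above describes (my own code, not anything from the thread or from any vendor): a small Python inventory of the frameworks bundled inside a macOS .app, checked against a list of approved versions. The sample bundle, its version numbers and bundle identifiers are constructed for the demonstration.

```python
import os
import plistlib
import tempfile

# Added example (not the thread's or any vendor's code): inventory an .app's bundled frameworks.

def _version_tuple(version):
    """'1.5.1' -> (1, 5, 1); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def inventory_frameworks(app_path):
    """Return one dict (name, version, identifier) per bundled .framework."""
    fw_dir = os.path.join(app_path, "Contents", "Frameworks")
    records = []
    for entry in (sorted(os.listdir(fw_dir)) if os.path.isdir(fw_dir) else []):
        if not entry.endswith(".framework"):
            continue
        info = {}
        # Versioned frameworks keep Info.plist under Versions/Current/Resources;
        # flat layouts keep it under Resources or at the top level.
        for rel in ("Versions/Current/Resources/Info.plist",
                    "Resources/Info.plist", "Info.plist"):
            path = os.path.join(fw_dir, entry, rel)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    info = plistlib.load(fh)
                break
        records.append({
            "name": entry[:-len(".framework")],
            "version": str(info.get("CFBundleShortVersionString", info.get("CFBundleVersion", "0"))),
            "identifier": str(info.get("CFBundleIdentifier", "unknown"))})
    return records

def find_outdated(records, approved):
    """Names of frameworks older than the approved version, or not on the approved list at all."""
    return [r["name"] for r in records if r["name"] not in approved
            or _version_tuple(r["version"]) < _version_tuple(approved[r["name"]])]

def make_sample_bundle():
    """Constructed fixture (invented versions and identifiers): a fake app in a temp dir."""
    app = os.path.join(tempfile.mkdtemp(), "Sample.app")
    for name, ver, ident in (("Sparkle", "1.5.1", "example.sparkle"),
                             ("MailCore", "0.6.4", "example.mailcore")):
        res = os.path.join(app, "Contents", "Frameworks", name + ".framework",
                           "Versions", "Current", "Resources")
        os.makedirs(res)
        with open(os.path.join(res, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleShortVersionString": ver, "CFBundleIdentifier": ident}, fh)
    return app
```

Run against a real bundle, the inventory is the list a periodic audit would diff against the team's approved versions; anything not on the list is exactly the "staff decided to include a library" case described above.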


That did not work for me. However, using LaunchControl, in expert mode, I could either shut it down entirely, or change the interval
I've clicked into the LaunchControl website several times and fled like a scared bunny - I found no detailed documentation on the web site, and it appears possible to unwittingly choose options that would bork a system? I sorta' understand what I was doing when I tried to shut off photosynthid in Terminal, and how the cron job trick would work, if it worked, but that's one process, and it took some research to reach that understanding.

Is LaunchControl idiot-proof (or George-proof)? Does it provide in-application explanation of what processes may be unnecessary and warnings against disabling those which are essential?

Lastly about LaunchControl: You used what amounts to a cron inside LaunchControl to shut down photosynthid. Any idea if LaunchControl provides a different and separate cron service? If that's the case, removing LaunchControl would result in photosynthid returning from the grave? Does LaunchControl work by patching on its own kernel extension (kext)?
I often think that people worry too much about security/privacy issues that are derived from the geographical origin of well-known, professionally managed products.
Parallels, which was developed in Russia, used to prohibit blocking its software from phoning home. An acquaintance learned about the Parallels Toolbox for Mac, a set of utilities that mostly replicates native functions. I tried to persuade her not to use it when it is (mostly) duplicative, because of this language I extracted from the Parallels site in July, 2017:
"Parallels reserves the right, and you authorize Parallels, to gather data on key usage including license key numbers, Authorized Device IP addresses or other applicable device identifier (including MAC address or UDID), domain counts and other information deemed relevant, to ensure that our products are being used in accordance with the terms of this Agreement. . . . You agree not to block, electronically or otherwise, the transmission of data required for compliance with this Agreement. Any blocking of data required for compliance under this Agreement is considered to be violation of this Agreement and will result in immediate termination of this Agreement pursuant to Section 5."
I can no longer find the blocking prohibition on the legal pages of Parallels' site. Still, Parallels' Privacy Policy, shown updated May 16, 2018, is pretty scary, and I presume using Little Snitch or an alternative to block it from phoning home would result in its refusal to work, since it can't check DRM, or send back to Parallels the extensive range of data it collects, tied to identified users:
Parallels said:
Privacy Policy
The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal information and may include name, postal address, email address, phone number, date of birth, language preference, job title and business affiliations . . .

When you visit our website and/or use our products, we may collect certain information automatically from your device (e.g., information like your IP address, device type, unique device identification numbers, browser-type, broad geographic location (i.e., country or city-level location) and other technical information). We may also collect information about how your device has interacted with our website and/or products, including the pages accessed and links clicked. . . . In some cases, your personal data will be supplemented by information retrieved from public sources, such as online media or employer websites, for the purpose of confirming your current professional position or address. . . .

We do not sell or otherwise make your personal data available to third parties, although we may disclose your personal information to the following categories of recipients: to our group companies (including those in Cyprus, Estonia, Germany, Malta, Russia, Spain, the United Kingdom and United States), third party service providers and partners who provide data processing services to us (e.g., to support the delivery of, provide functionality on, or help to enhance the security of our website and/or products), or who otherwise process personal information for purposes that are described in this Privacy Notice or notified to you when we collect your personal information (when they perform services on our behalf, mainly to maintain and support our IT systems).

We may also disclose your personal data to third parties including law enforcement bodies, regulatory, government agencies or other third parties in the following circumstances: (a) to undertake the activities listed above; (b) to conform to legal requirements or comply with legal process (including assisting in the investigation of suspected illegal or wrongful activity or to deal with any misuse of the product); (c) to sell, make ready for sale or dispose of our business in whole or in part including to any potential buyer or their advisers.
Comforting or not, Corel, a Canadian company, acquired Parallels in December, 2018.


Ric Ford

MacInTouch
Is LaunchControl idiot-proof (or George-proof)? Does it provide in-application explanation of what processes may be unnecessary and warnings against disabling those which are essential?
It's not entirely idiot-proof, but there are a number of built-in checks and warnings and extensive built-in help, plus macOS also restricts what you can do via System Integrity Protection (SIP), which you have to disable by jumping through arcane hoops if you want to do something like disable photoanalysisd or gamed.
Any idea if LaunchControl provides a different and separate cron service? If that's the case, removing LaunchControl would result in photosynthid returning from the grave?
LaunchControl has a variety of checkboxes and options to control spawning, running at load time, background/interactive, "globbing" and more,


Ric Ford

MacInTouch
To add just a couple of additional notes, I'll start by mentioning that developers typically use third-party software libraries within their apps, from a wide variety of sources with a wide variety of issues...
Here's an example: QuickBooks 2016 for Mac, a standalone app specifically designed to hold very sensitive financial data:
Intuit/QuickBooks for Mac said:
... This program uses the following open source components under their respective licenses: Blast.c, Boost, Excelsior! And SQLite.
... This distribution may contain Sparkle. Copyright (c) 2006 Andy Matuschak.
... This distribution may contain IFVerticallyExpandingTextfield. Copyright (c) 2006, Andrew Bowman.
... This distribution contains AttachedWindow and NSColor Contrasting Label Extensions by Matt Gemmell
... This distribution contains InspectorKit, created by Steven Degutis
... This product code includes Apple Sample Code - Sketch-112 - Copyright © 2005 Apple Inc.
... This distribution may contain CHCSVParser. Copyright (c) 2014 Dave DeLong
... This distribution may contain MailCore 2 Copyright (C) 2001 - 2013 - MailCore team


Ric Ford

MacInTouch
Here's an example: QuickBooks 2016 for Mac, a standalone app specifically designed to hold very sensitive financial data:
Intuit/QuickBooks for Mac said:
... This program uses the following open source components under their respective licenses: Blast.c, Boost, Excelsior! And SQLite.
... This distribution may contain Sparkle. Copyright (c) 2006 Andy Matuschak.
... This distribution may contain IFVerticallyExpandingTextfield. Copyright (c) 2006, Andrew Bowman.
... This distribution contains AttachedWindow and NSColor Contrasting Label Extensions by Matt Gemmell
... This distribution contains InspectorKit, created by Steven Degutis
... This product code includes Apple Sample Code - Sketch-112 - Copyright © 2005 Apple Inc.
... This distribution may contain CHCSVParser. Copyright (c) 2014 Dave DeLong
... This distribution may contain MailCore 2 Copyright (C) 2001 - 2013 - MailCore team
Meanwhile, here are some network connections that QuickBooks makes to 13 different IP addresses:
  • cdn.mxpnl.com
  • d24n15hnbwhuhn.cloudfront.net
  • ofx-prod-brand.intuit.com
  • http-download.intuit.com
  • download.fidir.intuit.com
Identifying the owners and purposes of "mxpnl.com" and "d24n15hnbwhuhn.cloudfront.net" is left as an exercise for the reader.