
security questions and advice

Running Sierra 10.12.6. I have most things working WRT S/MIME in Mail.app (e.g. I can sign and encrypt emails, and folks on the other side can decrypt). What I haven't figured out is why I can't decrypt emails sent to me. They show up with "Security: [lock symbol] Encrypted" in the subject line, and no amount of clicking will open/decrypt.

One thing that has been causing problems is that case matters when comparing sender email address to email address in a certificate. To send an encrypted email I fixed that with a "New Certificate Preference..." using the email address as formatted in the sender email with upper and lower case. But no joy on decrypting. Even when I send myself an encrypted email... I cannot decrypt it.

I've also tried with High Sierra... exact same results.

I'm using Omnikey 3021 and ActivClient 4.0.1.92. Token shows up in keychain access.app just fine. I have what I think are the right CA certs trusted.... I can send encrypted and signed email so if it is not right it is really close.

(Submitted same to Apple discussions: https://discussions.apple.com/thread/8380375)
 


A panicky pal gave in to a cold call received on his iPhone. The caller told him his email had been hacked and offered to scan his Mac (thin case Mac Mini running High Sierra). The upshot was the pal paid $2K for a lifetime virus and email protection contract with Systweak.

Leaving aside the apparent scare scam, some research indicates Systweak is a potentially unwanted program, not necessarily malware. However the backdoor access it appears to open is worrisome.

Installing and running Malwarebytes on the Mini gave a clean report, by the way.

Can anyone provide info which will help the pal decide whether to try to remove the software? If removing it looks like the best course, tips are, of course, very welcome.
 


I don't know anything more about Systweak, but it seems that any company that extorts $2K from a user for dubious software and a fabricated "hacking" does not have an honest business model. Why would anybody trust them to put in all the incredible work to make a truly secure program, if this is how they can earn money so easily? $2K is a lot to me, and probably is to your pal. I hope he learns from this.
 


any company that extorts $2K from a user for dubious software and a fabricated "hacking" does not have an honest business model.
I don't know much about Systweak either. They've apparently been around since 1999 and the only product I'm familiar with is TuneupMyMac, which I've never seen to be recommended. My suspicions are that the scam company is just an "affiliate" that pocketed most of that money for itself and gets a reduced price or kickback from selling the software, which is currently on sale for $39.95 USD.
 


Can anyone provide info which will help the pal decide whether to try to remove the software.
I'd say that if the friend views this as an ambiguous situation, it might be best to restate what happened using a different context. For example, say a person claiming to be a utility meter reader persuaded you to allow them to make a copy of the key to your house. Later, you begin to have second thoughts. What, then, is the best thing to do to minimize your risk: hope everything turns out OK or change the locks?
 


My brother, whom I regret recommending a Mac to, because now I'm his tech support buddy, called with a similar scam via web browser. He was on the phone with them when he called. They claimed to be 'Apple' and wanted $400 for virus protection - and disinfecting his Mac. I recommended he proffer a few well-timed expletives and hang up. Other than a nasty Safari hack, his system was clean and we fixed Safari. I reiterate to all my 'Mac' family that Apple will never call you!
 



I have to work with people who do senior education programs. We all push one single protection mantra. "If they call you, it's a scam... Period."
Seems like a totally reasonable rule of thumb no matter what your age. The only calls from unfamiliar numbers I've gotten that are bona fide are messages left by credit card companies when there's been a possible security issue with a card account. And I never call them back on the number they leave, but instead use the generic customer support number on the back of the card, ask to speak to a rep, and describe the call I got. Fortunately, so far, the calls have turned out to be legitimate, but I figure ingraining that behavior in myself will pay benefits when cognitive issues start to develop.

Likewise, I never answer a call from an unfamiliar caller ID, much less an absent one. If something is important, the caller can leave a message. If they don't, my assumption is that it's trivial or a scam. I'm sincerely hoping that practice remains with me in the years to come as well.

In those faraway days before even VCRs or remotes, my parents trained me to ignore or at least severely doubt the claims of every commercial on television. My one indispensable tool for watching commercial TV is the TiVO remote with the jump-ahead feature programmed in. It's good that some old habits die hard: they protect you.
 


I have to work with people who do senior education programs. We all push one single protection mantra. "If they call you, it's a scam... Period."

There are no exceptions, because we can't teach people how to tell, especially with seniors.
Excellent advice for all. I have noted a few people who seem to think that they should never leave voice mail because "nobody listens to it", and they do need to be warned that this is not a good idea. Likewise, people who don't listen to voice mail may miss important calls.
 


My brother, whom I regret recommending a Mac to, because now I'm his tech support buddy, called with a similar scam via web browser. He was on the phone with them when he called. They claimed to be 'Apple' and wanted $400 for virus protection - and disinfecting his Mac. I recommended he proffer a few well-timed expletives and hang up. Other than a nasty Safari hack, his system was clean and we fixed Safari. I reiterate to all my 'Mac' family that Apple will never call you!
My friend recently called me with a Safari hack in progress - I could hear her computer in the background telling her "Don't shut down your computer or close this window! Call this number now!" Very frightening to her.

I had her restart, check for malware and clean the Safari caches, and it hasn't returned. What did you do to "fix" Safari?
 


Can anyone provide info which will help the pal decide whether to try to remove the software? If removing it looks like the best course, tips are, of course, very welcome.
Try a Google search for "Remove Systweak from Mac" to get more information on this "product" and how to remove it. If your friend can gather enough data to show it's a scam, he might be successful with a protest to his credit card company.
 


Try a Google search for "Remove Systweak from Mac" to get more information on this "product" and how to remove it.
Unfortunately, most of the returns will take you to a site that recommends you download an app that will probably create an even worse situation than just leaving Systweak installed. It's probably OK to follow any manual instructions (most are for their Windows app), but don't download yet another "cleaner" app to make matters worse.

Best to always start with the developer for such instructions and if you can't find them easily, contact them directly.
 


Leaving aside the apparent scare scam, some research indicates Systweak is a potentially unwanted program, not necessarily malware. However the backdoor access it appears to open is worrisome.
Nothing "apparent" about it, it's a scam. I've had several clients fall for this kind of thing, both the phone calls and the JavaScript traps in their web browser. I would definitely advise deleting that software. I've always worried that some other kind of spyware might also have been installed, but have never been able to pin that down. It mostly seems to be that they're after the credit card payment.

The advice from Mike_Hathaway that nobody legitimate will ever call you out of the blue is well taken.

I reiterate to all my 'Mac' family that Apple will never call you!
Or Microsoft, or any generic "tech support" outfit. I've heard them all.

If your friend can gather enough data to show it's a scam, he might be successful with a protest to his credit card company.
No need to provide proof. Just protest the charge; it's almost too easy to do. I've had clients protest my own charges just because they didn't remember they had had help from me at that particular time! Very time-consuming to protest the protest.

To delete this software, lacking any better instructions, delete the app from the Applications folder and then go through the system-level Library folder searching for anything containing the name of the application or its publisher. The most likely locations will be the following subfolders: Application Support, LaunchAgents, LaunchDaemons, Preferences, and StartupItems. For good measure do the same in the ~/Library folder.
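The search through those Library subfolders is easy to get wrong by hand (different capitalizations, files in five places). Here is a small shell function that does the inventory step of that procedure, added here as an example for this thread; it is not from the original post or from any vendor. It only lists matches, so you can review them before removing anything; the vendor string and the base directories are parameters, and the sample names in the usage comment are placeholders.

```shell
# Inventory (not delete) files and folders whose names contain a vendor or
# app string, looking in the Library subfolders where macOS launch items,
# support files and preferences usually live.
# Added example; NAME and the base directories are supplied by the caller.

# list_remnants NAME BASE...  -> prints matching paths, one per line
list_remnants() {
    name=$1; shift
    for base in "$@"; do
        for sub in "Application Support" LaunchAgents LaunchDaemons Preferences StartupItems; do
            dir="$base/$sub"
            [ -d "$dir" ] || continue
            # -iname is case-insensitive, so "vendor", "Vendor" and "VENDOR" all match
            find "$dir" -iname "*${name}*" 2>/dev/null
        done
    done
}

# count_remnants NAME BASE... -> number of matches (handy for a before/after check)
count_remnants() {
    list_remnants "$@" | wc -l | tr -d ' '
}

# Usage on a real Mac, covering the system-wide and the per-user Library
# (VENDOR_NAME is a placeholder for the app's or publisher's name):
#   list_remnants "VENDOR_NAME" /Library "$HOME/Library"
# Review the list first. Quit the app, and for anything found under
# LaunchAgents or LaunchDaemons unload it with launchctl before deleting it.
```

Run the system-wide pass with sudo if /Library is not readable for your account; the per-user pass needs no privileges. Re-running count_remnants after the cleanup gives a quick check that nothing with that name is left in those locations.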
 


Ric Ford

MacInTouch
Nothing "apparent" about it, it's a scam. I've had several clients fall for this kind of thing, both the phone calls and the JavaScript traps in their web browser.
These criminal scams are rampant right now. One of my relatives got a call from "Microsoft", and she returned the call. A friend just got an email from her lawyer with an enclosure... that wasn't actually from her lawyer. I got an email from a client that wasn't from the client. Someone this morning pasted a MacCleaner scam URL into a post here that had to be removed. A bunch of bad stuff suddenly seems to have ramped up.
 


I used to get almost daily calls from India claiming "I'm from Windows and your computer needs to be fixed." I used to ask, "You mean Microsoft?" and it would actually confuse them. I told one I had a Mac and they didn't understand that either. To be fair, I once had to contact Verizon with a tech problem and the first reaction was to suggest I reinstall Windows (yes, and when my car brakes squeal, I overhaul the engine, too). I said I didn't have Windows because I had a Mac. Two beats... and she asked me to install Windows so I could reinstall it.

(The true end of that story: I said “Oh, wait, I do have Windows, hold on... Okay, I’ve reinstalled it.” Then we moved on to the next pointless step in the script. At that point I learned to humor the script readers and pretend to do all the steps, and they seem to pretend they don’t know that I couldn’t have reinstalled Windows in five seconds.)

In any case, the calls from your credit card company are often real, and some of them sound awfully spammy. One company we use asked for all sorts of personal information. I hung up and called the customer service number and it turned out to be real... go figure.

I get emails telling me my statement is ready and asking me to click on an email link to get to their home page. Really, I think banks and credit card companies want us to fall for scams, because they condition us to fall for phishing attempts.
 


On the subject of hardware firewalls:

I am considering whether it's worth having a hardware firewall and its attendant costs for our (very) small business organization. Consider the following:
  • We don't have an in-house email server. We use an outside email service.
  • We don't operate a web site from our physical location.
  • We're just a small group of people who need email and web access.
  • We all use desktop computers connected to the router by ethernet cables.
I'm thinking that the firewall protection built into our cable modem/router is sufficient for us. Is there any compelling reason to invest in a hardware firewall from the likes of Cisco, Barracuda, Kerio, etc.? It seems like paying for functionality that we don't need. I'd like to know what you more experienced folks think.
 


... I am considering whether it's worth having a hardware firewall and its attendant costs for our (very) small business organization. ... I'm thinking that the firewall protection built into our cable modem/router is sufficient for us. Is there any compelling reason to invest in a hardware firewall from the likes of Cisco, Barracuda, Kerio, etc.? ...
In my opinion and experience, the only compelling reasons for a separate firewall are if your data is super-sensitive or you need to be HIPAA compliant. The protection offered by a separate firewall may be overkill for other uses.

If you're an all Mac site, I'd stick with the cable modem's firewall.

If you have Windows, you could stick with the cable modem's firewall - just make sure it is set for maximum protection.

The quality of cable modem firewalls can vary. Do an Internet search for your model to see if there are security issues.

Be sure to change the default login password on the cable modem. If it has WiFi be sure to change the default WiFi password (or turn WiFi off). If the WiFi supports WEP, turn it off (use WPA2).
 


In my opinion and experience, the only compelling reasons for a separate firewall are if your data is super-sensitive or you need to be HIPAA compliant.
Unless you're running a server that needs to be Internet-reachable. Then you need a robust network security strategy which will include a firewall. But that's not the case here.
 


Some non-technical things to consider, if you haven't already:
  • How attractive is your business and its information to hackers?
  • Does your business have a high visibility public profile?
  • Does your insurer have any security requirements?
  • Would you have any legal liability if sensitive files, internal or external, were stolen?
  • Do you have any sensitive customer data on your machines?
  • Do you have any information you must keep confidential on your machines?
  • Are your network and computers kept running 24/7?
  • Do you and your employees use remote access?
  • If a breach occurred, what would the financial impacts be? Do they outweigh the upfront and ongoing costs of running a firewall?
 


Assuming your router is fairly new, the built-in firewall is probably adequate especially in a macOS-only environment.

To me, there are two much bigger security concerns these days: password reuse and phishing. These are easily addressed with password management software and 2FA. However, getting employees to use them is a whole different story!
 


A typical router (at least, in its default configuration) will not permit inbound connections from the internet to devices on your LAN, but will pass through arbitrary outbound connections.

If that's adequate for your setup, then adding an additional layer is redundant.

If you do need additional filtering (either the ability to route certain inbound connections or to block some outbound connections), then the first thing I would do is look at the capabilities of the firewall built into your router. If your needs are not too complex, then a simple configuration change there will probably be adequate.

From your description, the only thing I could see that might require an additional piece of hardware is if you wanted to protect your local users from each other -- segmenting your LAN into subnets, with restricted access between nodes on different subnets.

But that doesn't seem to be one of your requirements ...
 


A typical router (at least, in its default configuration) will not permit inbound connections from the internet to devices on your LAN, but will pass through arbitrary outbound connections. ...
This is true for IPv4 with NAT, where port-based redirection is required to connect inbound. Typical IPv6 routing is done without NAT or port redirection, so not even a pseudo-firewall effect is in play. In fact, one IPv6 design goal was transparent end-to-end connectivity without needing any gimmicks like Address Translation.

Although some "routers" have firewall code within them, the world is changing, where individual end systems will need to be more hardened. Putting up a wall to keep the world out will be insufficient.
 


This is true for IPv4 with NAT, where port-based redirection is required to connect inbound. Typical IPv6 routing is done without NAT or port redirection, so not even a pseudo-firewall effect is in play. In fact, one IPv6 design goal was transparent end-to-end connectivity without needing any gimmicks like Address Translation.
Good point.

I don't really know how my router would handle inbound IPv6 connections. Cursory reading of the available options indicates that it blocks them by default. But I don't have any good way to test that because my ISP (AFAICT) doesn't support inbound IPv6 connections.
 


A counter argument: a dedicated firewall from a reputable company has the benefit that it likely has undergone more rigorous security testing, making it less likely to be an issue with remote hacks, and more likely to receive support and updates. I will also point out that Ubiquiti makes models in the $50-100 range that are all quite good for the cost, get updates etc. - no vested interest, but I use them quite often.

A dedicated device also is under your control, not your cable provider's. Does your provider force your device to offer a guest network to other cable subscribers? That’s got the potential to slow down your own connection, even if it’s just because the device is working harder. But it also potentially opens your device up to intrusion, because it makes the device accessible. By putting your office behind a $50 firewall you are greatly reducing your attack surface.

You also can set some additional settings, provide VPN access for remote access to the office (handy when you need to print things out for work). If you want to add some IoT-type devices, or say, a security camera or three, you can put them on a separate subnet and keep those segregated from your office machines just in case there is a bug that affects them.

And on one occasion, I have seen an ISP screw up the update they pushed out, forcing erasing the config and starting over.

On the one hand, don’t fix what isn’t broken. On the other, how confident are you that your cable provider hasn’t given you something broken that they aren’t fixing?
 


The simplest way to think about whether you need a dedicated firewall is one word: liability. If you're running a business, and it requires you to keep customer data, set aside personal pride at setting up everything yourself. Consider that depending on an outside vendor for firewall is like fire or burglary insurance; one hacking incident can completely ruin a small company, unless your firewall vendor is willing to take some or all of the responsibility.

On that note, some larger companies will even contract out management of data storage systems, to absolve themselves of a lot of liability for losing important customer data to a crash, fire, flood, etc.
 


Anyone here have an explanation for this (the Little Snitch folks didn't)?

According to Little Snitch, a couple of times recently the following IP numbers have tried to make incoming UDP connections to mDNSResponder on port 5353:

192.168.20.12
192.168.1.130

Neither of these numbers is in the range of my router’s DHCP settings and I could not find them with any of my network scanning software. Any idea where they came from? Should I be concerned?
 



According to Little Snitch, a couple of times recently the following IP numbers have tried to make incoming UDP connections to mDNSResponder on port 5353:

192.168.20.12
192.168.1.130

Neither of these numbers is in the range of my router’s DHCP settings and I could not find them with any of my network scanning software. Any idea where they came from? Should I be concerned?
These are absolutely from inside your LAN. RFC 1918 (one of the core Internet standards) specifies that 192.168.*.* (and 10.*.*.* and 172.16.*.* through 172.31.*.*) are private address spaces. As such, no Internet router will forward them. If you try to send packets with this address to your ISP, they will be dropped and not forwarded.

Port 5353 is for mDNS - that is multicast DNS (hence the attempt to connect to mDNSResponder). mDNS is part of Bonjour. It is used to perform name-to-address mapping for devices that self-assign addresses (e.g. via Bonjour) as well as for service discovery (e.g. to get a list of all the AirPlay speakers on your LAN.)

As for where the addresses came from, if they're not part of your router's DHCP pool, then they were probably self-assigned, but I'm not sure where they would have come from. As far as I know, self-assigned addresses are taken from the 169.254.*.* pool, not from something your LAN would be using.

I would look more closely at what's connected to your LAN. Don't just look at computers and phones. Look also at set-top boxes, smart TVs, connected appliances and anything else that may be attached to your LAN.

In particular, I'm thinking of set-top boxes from your ISP if you subscribe to TV service. When I had FiOS, all of the set-top boxes had addresses in a block closely related to (but not part of) the DHCP pool their router used for assigning addresses to my devices. If I remember correctly, the STB addresses all came from 192.168.100.* while my addresses all came from 192.168.1.*. And these boxes may well use mDNS or other related protocols to discover each other (e.g. for distributing recorded content from a DVR or for sharing a common pool of tuners).
 


Another useful diagnostic to try and figure out the source of those packets would be the system route table. If you could open a Terminal window and run the commands

netstat -rn -f inet

(to dump the IPv4 route table) and

netstat -in

(to show all your network interfaces, real and virtual) and post the results, that might help figure out what's going on.
 


Another useful diagnostic to try and figure out the source of those packets would be the system route table. If you could open a Terminal window and run the commands

netstat -rn -f inet

(to dump the IPv4 route table) and

netstat -in

(to show all your network interfaces, real and virtual) and post the results, that might help figure out what's going on.
Thanks, David, but that's the point. I know theoretically those numbers are inside my LAN. However, they have never shown up on netstat, etc. Unfortunately, I didn't try netstat immediately when Little Snitch reported them. We had no visitors at the time (in fact I was the only one home).

Whenever a new net-aware device comes into the house, if I can, I give it a fixed IP, just to help keep track of it. If I can't, I at least try to make note of the MAC address. At this moment, netstat is not showing anything I can't account for. I just wish I knew where those numbers came from.
 


Thanks, David, but that's the point. I know theoretically those numbers are inside my LAN. However, they have never shown up on netstat, etc. Unfortunately, I didn't try netstat immediately when Little Snitch reported them. We had no visitors at the time (in fact I was the only one home).
If it's from an address that's not on your local route table and not used by any of your real/virtual interfaces, then your Mac would have no way to respond to the mDNS query.

Such things (it would seem to me) can only be the result of misconfiguration. Perhaps you had a guest at your home and his computer was configured for a static IP address on an incompatible network (e.g. his home LAN).

I've been that guest on occasion - my computers all have static IP addresses configured in a "Home" location. If I travel and forget to change the computer's location to "Automatic", I often end up with communication problems because my address either conflicts with other devices on the LAN or is rejected by the local router. Once I change the location, it gets a DHCP address and everything starts working again. But even without changing the location, it will probably be broadcasting/multicasting various Bonjour packets to discover whatever it can on the LAN - which appears to be what you're seeing.
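The two questions raised in the replies above (is the reported address in RFC 1918 private space or the 169.254 self-assigned range, and is it on a subnet this Mac actually has a route for) can be answered mechanically. The following shell functions do that; they are an added example for this thread, not code from any poster or from Little Snitch. The addresses and the LOCAL_NETS value are constructed sample data; on a real machine you would take the local subnets from the `netstat -rn -f inet` output suggested earlier.

```shell
# Classify an IPv4 address: RFC 1918 private, 169.254/16 link-local
# (self-assigned), loopback, or public; and report whether it falls inside
# one of this Mac's own interface subnets. Added example with constructed
# sample addresses; LOCAL_NETS stands in for your real route table entries.

# ip_to_int A.B.C.D -> the address as a single integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET/PREFIX -> exit 0 if IP lies inside NET/PREFIX
in_subnet() {
    ipn=$(ip_to_int "$1")
    netn=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# classify_ip IP -> rfc1918 | link-local | loopback | public
classify_ip() {
    if in_subnet "$1" 10.0.0.0/8 || in_subnet "$1" 172.16.0.0/12 || in_subnet "$1" 192.168.0.0/16; then
        echo rfc1918
    elif in_subnet "$1" 169.254.0.0/16; then
        echo link-local
    elif in_subnet "$1" 127.0.0.0/8; then
        echo loopback
    else
        echo public
    fi
}

# on_local_net IP NET/PREFIX... -> the local subnet containing IP, or "none"
# ("none" means this Mac has no route back to the sender, as described above)
on_local_net() {
    addr=$1; shift
    for n in "$@"; do
        if in_subnet "$addr" "$n"; then echo "$n"; return 0; fi
    done
    echo none
    return 0
}

# Constructed sample: one interface on 192.168.1.0/24, as netstat -rn might show
LOCAL_NETS="192.168.1.0/24"
for src in 192.168.20.12 192.168.1.130 169.254.7.9 8.8.8.8; do
    printf '%-15s %-10s local:%s\n' "$src" "$(classify_ip "$src")" "$(on_local_net "$src" $LOCAL_NETS)"
done
```

With the sample subnet, 192.168.1.130 is both private and on the local network (a plausible misconfigured or unknown device on the LAN), while 192.168.20.12 is private but off-subnet, so this Mac could see its multicast but never answer it; a 169.254.x.x address would be a device that failed to get a DHCP lease.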
 



Could this be caused by someone else, outside one's own building, who is within WiFi range?
Could the router have its WiFi turned on but not linked to the main network? Comcast has been known to turn WiFi back on after users turned it off.

Could the Mac be connected to someone else's WiFi that uses 192.168.1.*?
 


Could the router have its WiFi turned on but not linked to the main network? Comcast has been known to turn WiFi back on after users turned it off.
Could the Mac be connected to someone else's WiFi that uses 192.168.1.*?
The Mac in question is on a 6' ethernet cable.

The name of my Comcast WiFi link is "Who Turned This On?" (Hint, it wasn't me.) It hasn't happened in quite awhile (Comcast activation), but it has happened more than once.

I thought about guest devices, but I was the only one home on both occasions. If it was a neighbor, I guess I need to change passwords... :-(
 


I have a mid-2011 iMac running El Capitan, no add-ons. (Yes, I plan to replace sometime in the New Year.) I use Firefox 63.0.1 for social media and sometimes my Google accounts, Chrome 70.0.3538.77 (financial, Google accounts, etc.), and I have Safari 11.1.2 on my iMac but I don't use it for secure sites.

I'm thinking of getting a device such as a Yubi key for more security for 2fa than provided by other means. I was looking at the YubiKey Neo on Amazon. I see that it has both OTP and U2F. I understand that U2F is or was required for Google accounts, and you need to download a program from Yubico to get U2F to work. I also read in one of the comments on Amazon that, at least at one time, you could not run both OTP and U2F on one YubiKey, so some folks bought two, one for U2F and the other for OTP. Do any of you wonderful people have any recommendations on a particular Yubi product?

I was also considering the free Authy app, which I understand works with Firefox, Chrome, and Safari.

I don't currently have a smart phone but have an older flip-message phone. I do have an iPad, which I sometimes use for social media. For the iPad I could get the Google Authenticator app. Any suggestions?

I want to ask here before purchasing or downloading. Thanks in advance for your help.
 


I'm thinking of getting a device such as a Yubi key for more security for 2fa than provided by other means....
The sad thing about the Yubikey is that, on the Mac at least, the only reliable browser for it is Chrome, in my limited experience. I really don’t want to stay so Google-beholden, so I stick with Safari and Firefox. Firefox theoretically can deal with it, if you change some settings but I haven't found any sites that work with it.

If you add Authy, you have something that a small number of sites may take and requires that you run an app and have the hardware key. Regardless, it's pretty much a nuisance, though the good thing is that (unlike Authenticator), apparently you can have it on more than one device (one Yubikey, two Authy apps). At least that's what I gather.

The cost is pretty low on these gizmos, but I'm loath to leave them in the computer (steal the computer, steal the key), and they don't seem to have widespread support. I'm not saying it won't be useful, I am saying it's not as useful as I'd hoped, and it's more of a nuisance than I'd hoped.

It's at the point where I miss the old hardware-dedicated keys that PayPal used to send out, where you'd press a button and get a magic number. It came on a cord so you could hang it around your neck or on a hook, and you registered with a single serial number entry.
 


The sad thing about the Yubikey is that, on the Mac at least, the only reliable browser for it is Chrome, in my limited experience. I really don’t want to stay so Google-beholden, so I stick with Safari and Firefox. Firefox theoretically can deal with it, if you change some settings but I haven't found any sites that work with it.
If you add Authy, you have something that a small number of sites may take and requires that you run an app and have the hardware key. Regardless, it's pretty much a nuisance, though the good thing is that (unlike Authenticator), apparently you can have it on more than one device (one Yubikey, two Authy apps). At least that's what I gather.
The cost is pretty low on these gizmos, but I'm loath to leave them in the computer (steal the computer, steal the key), and they don't seem to have widespread support. I'm not saying it won't be useful, I am saying it's not as useful as I'd hoped, and it's more of a nuisance than I'd hoped.
It's at the point where I miss the old hardware-dedicated keys that PayPal used to send out, where you'd press a button and get a magic number. It came on a cord so you could hang it around your neck or on a hook, and you registered with a single serial number entry.
I was afraid that Yubi would not work well with Firefox - not sure if I want to fuss with Firefox, though I have heard that things might be better with the latest Firefox.

Even if Authy does work on a site I am interested in using, I need a hardware key - what is that about? Any other options for safer 2FA? Having something that isn't going to mess things up if I access a site on my Mac and my iPad is important.

Is Google Voice, or whatever it is called, really an option? I have heard some say that Google Voice can be buggy.
 


Is Google Voice, or whatever it is called, really an option? I have heard some say that Google Voice can be buggy.
To clarify if I was not clear: There are three options I am considering for increased two-factor authorization (2FA) security. I had asked about Yubi and Authy earlier, and David Zatz responded (thanks!). I had also read, here and/or elsewhere, about getting and using Google Voice for SMS messaging for 2FA in appropriate accounts. I believe the argument here is that Google Voice is safer for SMS 2FA because of the problem of sim swapping of mobile phones. If anyone has any experience with using Google Voice for 2FA, I'd love to hear from you.
 


Even if Authy does work on a site I am interested in using, I need a hardware key - what is that about? Any other options for safer 2FA? Having something that isn't going to mess things up if I access a site on my Mac and my iPad is important.
I use Authy for 2FA for several sites and services that I use - no hardware key required. I have the app on my iPhone, iPad, and Apple Watch. It’s why I like it better than the Authenticator app from Google, as it allows me to have it on multiple devices. I once had the phone I had Authenticator on die, and it was a PIA to get back in to all of my accounts (lesson learned about making sure I have the one-time code backups for everything).
 


I use Authy for 2FA for several sites and services that I use - no hardware key required. I have the app on my iPhone, iPad, and Apple Watch. It’s why I like it better than the Authenticator app from Google, as it allows me to have it on multiple devices. I once had the phone I had Authenticator on die, and it was a PIA to get back in to all of my accounts (lesson learned about making sure I have the one-time code backups for everything).
I've run into a lot of sites that take Authenticator — do the same sites basically take Authy as a “what they don’t know won’t hurt them” replacement, or is it a subset of the sites that take Authenticator? I'd happily switch.
 

