
security questions and advice


Ric Ford

MacInTouch
Does anyone here have a suggestion for an alternative app that can encrypt and hide folders?
That seems like a perfect use case for Disk Utility.
Apple Disk Utility Help said:
Create a secure disk image
If you have confidential documents that you don’t want others to see without your permission, you can put them in an encrypted disk image.
Here's a very simple alternative (with no encryption):
Brynjar Saunes Bye said:
Obscurity
Obscurity seems just like a generic Mac OS X folder. Simply place the 'folder' anywhere you want, and anyone snooping around your stuff deciding to double-click it will unknowingly arrive in an empty mock folder. However, if you right-click the 'folder' and choose 'Show Package Contents' from the contextual menu, a completely different folder will show up ready for you to hide all those intimate movies, pictures and old love letters in. It even hides all your secret documents from Spotlight and those pesky 'All Images', 'All Movies' and 'All Documents' Smart Folders in Finder.
 


I believe "Snapshot" depends on the Btrfs file system. My understanding of a main benefit of snapshots is they can be transmitted to other connected Synologies or connected backup drives.
While transmitting snapshot deltas is an easy and efficient remote backup mechanism, it is by no means the only benefit of snapshots. A snapshot also allows you to revert all or part of a filesystem to the point in time when the snapshot was taken.

For example, if you take a snapshot of the filesystem at 1 PM, and at 5 PM a ransomware attack encrypts every file on the volume (or, say, someone does "rm -rf /"), then you can simply revert the entire filesystem to the 1 PM snapshot, and none of those changes will have ever happened.
 


While transmitting snapshot deltas is an easy and efficient remote backup mechanism, it is by no means the only benefit of snapshots. ... if you take a snapshot of the filesystem at 1 PM, and at 5 PM a ransomware attack encrypts every file on the volume ... none of those changes will have ever happened.
My personal experience with snapshots:
  • Windows "Restore Points" that didn't, after malware removal
  • Apple Time Machine "Restore" that wouldn't, after user inadvertently deleted applications and data (suspected cause: Time Machine had filled the backup drive, didn't delete old versions, and provided no user notification)
  • Apple "Versions" that complicate simple photo and text edits and weren't as useful (to me) as simply versioning file names using File > Save As...
As to Btrfs on a Synology, if all works as it should, I see the theoretical advantage. I'd think that advantage would be greater when multiple users are actively creating and editing large numbers of files, though that's when the faster performance of ext4 might also matter.
ZDNet (Aug. 2014) said:
Ransomware attacks Synology NAS devices
The attack replaces the DSM management software on the NAS, encrypts the files on the device and demands that the user pay 0.6 BitCoins to retrieve the files.
If that should happen, I don't think either Btrfs or ext4 is safe. I searched rather thoroughly for Internet reports comparing the vulnerability of Btrfs and ext4 NAS file systems to ransomware and just didn't find any. Back to that air-gapped backup.
 


My personal experience with snapshots:
  • Windows "Restore Points"
  • Apple Time Machine "Restore"
  • Apple "Versions"
None of those technologies is a Copy-on-Write filesystem (such as Btrfs, ZFS, ReFS, and APFS). CoW snapshots really are as magical as I described. It would allow you to recover from a volume completely encrypted by ransomware in a matter of minutes. Your recovery point would depend on how often you take snapshots. You could theoretically take snapshots every second. But, for example, on the ZFS servers I used to administer it was more practical to take snapshots every hour.

Since APFS is a CoW filesystem, you can actually test this out yourself. Just take a manual snapshot of your volume (do a quick Google search for how to create a snapshot from the command-line). Then, do something catastrophic to your files, like delete everything in the Applications folder.

Then, reboot in Recovery Mode and choose "Restore from Time Machine Backup". You'll be given a list of available APFS snapshots on the volume (we're not using Time Machine, that's just where Apple makes the snapshots available in Recovery Mode). Revert to the snapshot you took. When you reboot, you'll find that everything on your volume is magically exactly the same as it was at the point in time when you took the snapshot.
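Taking and verifying the manual snapshot described above, as an added example that is not from this thread (tmutil is Apple's command; the listing parser is fed constructed sample output so it can be checked on any system):

```shell
#!/bin/sh
# Added example (not from the MacInTouch thread): create a manual APFS local
# snapshot with Apple's tmutil and confirm it is listed, so a known-good
# rollback point exists before doing something risky. The tmutil calls are
# macOS-only; the listing parser below is plain text processing and is fed a
# constructed sample at the bottom so it can be checked on any system.

# Read "tmutil listlocalsnapshots /" output on stdin and print the newest
# snapshot timestamp (YYYY-MM-DD-HHMMSS). Names look like
# com.apple.TimeMachine.2020-04-07-120000.local (older macOS omits ".local").
newest_snapshot_date() {
  grep -o 'com\.apple\.TimeMachine\.[0-9][0-9-]*' \
    | sed 's/^com\.apple\.TimeMachine\.//' \
    | sort | tail -n 1
}

# Take a snapshot and verify a new timestamp shows up in the listing.
# Returns 0 and prints the timestamp on success, 1 otherwise.
take_verified_snapshot() {
  command -v tmutil >/dev/null 2>&1 || { echo "tmutil not found: macOS only" >&2; return 1; }
  before=$(tmutil listlocalsnapshots / | newest_snapshot_date)
  tmutil localsnapshot >/dev/null || return 1
  after=$(tmutil listlocalsnapshots / | newest_snapshot_date)
  [ -n "$after" ] && [ "$after" != "$before" ] || return 1
  # Revert from Recovery Mode as described in the thread; to discard the
  # snapshot later: tmutil deletelocalsnapshots "$after"
  echo "$after"
}

# Constructed sample of listing output, used to check the parser offline.
SAMPLE_LISTING='Snapshots for disk /:
com.apple.TimeMachine.2020-04-06-230000.local
com.apple.TimeMachine.2020-04-07-120000.local
com.apple.TimeMachine.2020-04-07-090000.local'

# Usage on a Mac: take_verified_snapshot
```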
 


None of those technologies is a Copy-on-Write filesystem (such as Btrfs, ZFS, ReFS, and APFS). CoW snapshots really are as magical as I described. It would allow you to recover from a volume completely encrypted by ransomware in a matter of minutes. Your recovery point would depend on how often you take snapshots. You could theoretically take snapshots every second. But, for example, on the ZFS servers I used to administer it was more practical to take snapshots every hour.

Since APFS is a CoW filesystem, you can actually test this out yourself. Just take a manual snapshot of your volume (do a quick Google search for how to create a snapshot from the command-line). Then, do something catastrophic to your files, like delete everything in the Applications folder.

Then, reboot in Recovery Mode and choose "Restore from Time Machine Backup". You'll be given a list of available APFS snapshots on the volume (we're not using Time Machine, that's just where Apple makes the snapshots available in Recovery Mode). Revert to the snapshot you took. When you reboot, you'll find that everything on your volume is magically exactly the same as it was at the point in time when you took the snapshot.
Todd, after reading the linked Wikipedia page, I will agree to the magical assessment. I find the explanation of CoW there to be confusing and contradictory when compared to your description here on MacInTouch, but your example of an intentional sabotage followed by a snapshot recovery seems worthy of testing. I might sleep better if it succeeds. Thanks.
 


I agree that snapshots are a fantastic technology, and ZFS allows you to replicate one server to another securely using snapshots. However, they are not completely foolproof, as once the recipient server starts to fill up, the oldest snapshot images (usually) start getting deleted.

Thus, unless the server you're backing up to is capable of holding several complete copies of the machine it is replicating from, the system may literally iterate / snapshot / backup its way out of a "working", i.e. non-corrupted, backup.

Some of the past ransomware takeovers did exactly that, wait until everything was encrypted, locally and 'abroad', before locking down the NAS.

That aside, the real question in my mind is how to deal with a system takeover in the first place. Today's malware / viruses / etc. are not like the primitive stuff I first encountered on a Mac SE. Between the BIOS, EFI, and all the other management chips with flash memories, etc., there is ample opportunity for stuff to stay behind where the OS can't find it, only to "own" the machine again later. (Never mind that the flash drive in most portables is now soldered in, i.e. not replaceable either.)

So, once malware is in the system, would you ever trust it again? Barring a better technology, I air-gap my backups... Granted, there are risks with that approach also, but I'd rather lose a few days of data than the whole set.
 


There's a thorough discussion of APFS Snapshots here, from which I extract a warning pertinent to the direction this thread has taken:
Bombich said:
The Role of Snapshots in a Comprehensive Data Protection Strategy
If your startup disk fails, all the snapshots in the world aren't going to help you restore your startup disk and data. Having a bootable backup on an external disk will get you back to work immediately.
 



ICQ is still being updated by a Russian firm. [See ICQ on Wikipedia]. Along with others, I've written to the popular "Macupdate" site asking them not to post this application and to clear releases off with a warning about the very real probability you are compromised the second you initiate it.

What are others' thoughts about trying to get the word out about this 'product', once a pretty good chat program before it was acquired?
 


I've used both. I liked Hands Off and found it friendly, but I've been using Little Snitch lately. ... You can also try out Hands Off free of charge....
I decided to email One Periodic, the developers of Hands Off, to ask them some questions before considering a trial. I emailed their support address and received no reply – not even an automated reply that would expend no human effort. A week later, I figured that perhaps they didn't appreciate sales questions being emailed to the support department, so I forwarded it to their "info" address. Days later, still crickets. I understand if they are busy – just tell me and I would understand – even an auto-reply goes a long way towards customer relations.

So as I await a reply that may never come, and the lack of even a simple reply makes me question whether I personally want to give them my money in the event that a search of my email archives should reveal that I do not already hold a license, I figured I would ask... the MacInTouch community.

My questions were the following:
  1. Does Hands Off protect against connections before/during login?
  2. Does it include a throughput meter in the menu bar? This is a feature that I would want even if I didn't care about a firewall. I could find the answer to that question by installing a free trial, but I am hesitant to do so without first having the answer to question 1.
  3. Bonus question for MacInTouch: If the answer to question 2 is no, is there a good menu bar utility that can provide that information, with regard to throughput and direction of traffic?
Thank you, all!
 


Ric Ford

MacInTouch
Does it include a throughput meter in the menu bar? This is a feature that I would want even if I didn't care about a firewall.
I don't know about Hands Off (which I'm not currently running), but that's very definitely a feature provided by Little Snitch.

You could also take a look at the Vallum and Murus firewall siblings.
 


I recently installed an Eyez-On Envisalink EVL-4EZR on my home security system in place of the phone lines that were used for monitoring by the previous owner. I then connected the Envisalink to a small travel router via ethernet. The router is in client mode and connected to my guest WiFi network (provided by Apple AirPort routers). I created an account on the Eyez-ON web site and can monitor the security system from there or on a companion iPhone app.

However, I am puzzled how the Eyez-ON apps are able to communicate with the Envisalink. I did not implement port forwarding on the AirPort. My Eyez-ON account password is pretty secure (I think), but the password to login to the Envisalink device directly is only six characters (and the default login password was "user" and there is no login name).

How vulnerable is this setup? Can I do more to secure the system? The apps know the WAN and LAN IP numbers, as they are listed on the status page. I am concerned I am getting protection from one kind of threat (burglars) but am now susceptible to another (hackers).
 


So, just found out a family member installed something called "Netflix party extension" on their computer ,,, um with my account 8-\

Anybody heard of this app? It seems to have big name corporate news agency coverage but does not appear to be a Netflix sponsored piece of software.

I am advising said family member to uninstall, or at the very least run this sort of thing on a user account not used for personal business that should remain secure.

My concerns still lie with the notion that these extensions (apps?) are engineered to have full access to all data transferred through a browser, not just generic data like browsing history and the like, but all activity in the browser including transmission of passwords ... I have no idea whether a browser's encryption protocol protects this data... I assume not, as keystrokes are keystrokes.

Advice would be appreciated
 


So, just found out a family member installed something called "Netflix party extension" on their computer ,,, um with my account 8-\
Anybody heard of this app? It seems to have big name corporate news agency coverage but does not appear to be a Netflix sponsored piece of software.
I am advising said family member to uninstall, or at the very least run this sort of thing on a user account not used for personal business that should remain secure.

My concerns still lie with the notion that these extensions (apps?) are engineered to have full access to all data transferred through a browser, not just generic data like browsing history and the like, but all activity in the browser including transmission of passwords ... I have no idea whether a browser's encryption protocol protects this data... I assume not, as keystrokes are keystrokes.
Advice would be appreciated
Yes. There was recently an article about this:
CNN said:
 


Two followups:

It does not appear to be a Netflix-sponsored app.

Does it make sense to utilize this extension in a user account dedicated for installs like this, separate from your more important account and important navigational activities ... or am I being overly concerned?
 


Two followups:
  • It does not appear to be a Netflix-sponsored app.
  • Does it make sense to utilize this extension in a user account dedicated for installs like this, separate from your more important account and important navigational activities ... or am I being overly concerned?
Up to you. If you give/gave the other person your credentials?
 


Up to you. If you give/gave the other person your credentials?
Right, the account credentials not so much at issue, permission granted (no credit card on file in the account), with the exception of the particular issue of using browser extensions. I would have preferred prior knowledge of that, and would have advised other options. Like advising... "Perhaps, it's time for you to get your own account." ;-)
 


MacWorld.com has been automatically redirecting to suspicious sites (“Adobe” updates, etc.) since last night. Don’t really know how to safely contact them.
 


Ric Ford

MacInTouch
MacWorld.com has been automatically redirecting to suspicious sites (“Adobe” updates, etc.) since last night. Don’t really know how to safely contact them.
It may be your own system that's infected rather than macworld.com. A few quick checks here didn't turn up an obvious problem with macworld.com, but I also have extra security mechanisms in place.

Unfortunately, I wasn't able to quickly find a security contact and didn't have any luck trying the security.txt mechanism.

Macworld.com is hosted by Fastly.

Netcraft site report:
Sucuri site check:

Domain registration:
[server: whois.verisign-grs.com]
Domain Name: MACWORLD.COM
Registry Domain ID: 681577_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: MarkMonitor - Clarivate Analytics | Brand Protection, Domain Management, Anti Piracy, Anti Fraud
Updated Date: 2019-10-22T09:03:21Z
Creation Date: 1997-11-24T05:00:00Z
Registry Expiry Date: 2020-11-23T05:00:00Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Name Server: NS-A.PNAP.NET
Name Server: NS-B.PNAP.NET
Name Server: NS-C.PNAP.NET
Name Server: NS-D.PNAP.NET
Name Server: NS0.PCWORLD.COM
Name Server: NS1.PCWORLD.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: Whois Inaccuracy Complaint Form | ICANN
>>> Last update of whois database: 2020-04-07T17:54:56Z <<<
 


It may be your own system that's infected rather than macworld.com....
I’m afraid you could be right, Ric. No one else seems to be having this problem. Both my iPad and Mac Pro are, but only at MacWorld? I thought it might be my local DNS server, so switched to Comcast’s, but it's still redirecting MacWorld.
 


Ric Ford

MacInTouch
I’m afraid you could be right, Ric. No one else seems to be having this problem. Both my iPad and Mac Pro are, but only at MacWorld? I thought it might be my local DNS server, so switched to Comcast’s, but it's still redirecting MacWorld.
If you haven't run Malwarebytes, that's the first thing I'd do.
 



MacWorld.com has been automatically redirecting to suspicious sites (“Adobe” updates, etc.) since last night. Don’t really know how to safely contact them.
Check all your DNS settings - not just the server address, also the search domains.

I had a problem where my computer had some old domains in the search list (resulting from moving the computer between different employers). When one of those domains expired and got taken over by domain squatters, it started redirecting unqualified host addresses to malware sites.

I wrote an article about this back in November. It is describing Windows, but the same principle should apply to any computer.

 


MacWorld.com has been automatically redirecting to suspicious sites (“Adobe” updates, etc.) since last night. Don’t really know how to safely contact them.
I'm having the same issue with macworld.com and at least one other site (astronomy.com). Switching to OpenDNS didn't help. I'm currently running a full-disk scan using ClamXAV.
 


MacWorld.com has been automatically redirecting to suspicious sites (“Adobe” updates, etc.) since last night. Don’t really know how to safely contact them.
I'm having the same issue with macworld.com and at least one other site (astronomy.com). Switching to OpenDNS didn't help. I'm currently running a full-disk scan using ClamXAV.
Odds are it’s malvertising, rather than anything on your Macs, that comes from a JavaScript embedded in an ad provided by third parties that MacWorld, etc. subscribe to.

The only way to avoid those is with a good adblocker, which is something OpenDNS provides, although I'm not certain how effective it actually is.

And as David mentioned, you need to clear your DNS cache after switching to a new DNS, in order to prevent re-using what the old DNS provided.
 



Check all your DNS settings - not just the server address, also the search domains.

I had a problem where my computer had some old domains in the search list (resulting from moving the computer between different employers). When one of those domains expired and got taken over by domain squatters, it started redirecting unqualified host addresses to malware sites.

I wrote an article about this back in November. It is describing Windows, but the same principle should apply to any computer.

Thanks, David. I read your article and took what steps I could think of to address that. I disabled my local DNS server, redirected my router, and desktop to OpenDNS (temporarily?). Deleted every search engine bookmark I have. Cleared Safari history and quit. Used Onyx to clear the DNS cache and all other internet related caches. Rebooted. Those pages still redirect.

It really feels like those two sites are passing the bad URLs. They will both render the entire page before redirecting. This can mean major shuffling of the page by the time it is finished. Both pages have randomised ads that vary from visit to visit, which may explain why it doesn't always do it?

I can't find anything irregular about my system, except that Little Snitch's Network Monitor had put a nondescript notice that Safari had a "Resource or signature modified."
Taccy and spctl confirmed it. Mojave didn't seem to think it was worth mentioning?
 


Thanks, David. I read your article and took what steps I could think of to address that. I disabled my local DNS server, redirected my router, and desktop to OpenDNS (temporarily?). Deleted every search engine bookmark I have. Cleared Safari history and quit. Used Onyx to clear the DNS cache and all other internet related caches. Rebooted. Those pages still redirect.
Yuck. At this point, it looks like you're going to need to do some packet sniffing (e.g. with WireShark) to see what's happening under the covers.

A packet trace should show you what hostname is actually being sent to your DNS server, what IP address is being returned from the server, and what data is being fetched from that address. Depending on what you find, that should help you isolate the cause of the problem.
  • If the hostname is not what you expect, then you may have an issue with your browser or network configuration.
  • If the DNS server address is not what you expect, double-check network configurations. Also check browser settings (e.g. alternate "secure DNS" servers)
  • If the IP address you get back is wrong, then the DNS server or some proxy in between is corrupt
  • If the IP address is correct, look at the HTTP transaction (your web browser may have a debug mode to show this) to see if you're receiving any redirect pages and where they are coming from
Good luck.
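A resolver-configuration audit for the stale search-domain problem David describes earlier and for the first two items of the checklist above, as an added example that is not from this thread (the allowed-domain list is an assumption you supply; the sample config is constructed):

```shell
#!/bin/sh
# Added example (not from the MacInTouch thread): audit the resolver settings
# David's post points at. A stale "search" domain lets an unqualified name
# such as "intranet" be completed with a domain you no longer control; if that
# domain lapsed and was re-registered, the lookup lands somewhere else.
# Input is resolv.conf-style text (on macOS, compare with "scutil --dns").
# The sample below is constructed.

# Print every search domain in $1 that is not in the space-separated allow
# list $2 (your own domains, an assumption you supply). Returns 1 if any.
unexpected_search_domains() {
  config=$1
  allowed=" $2 "
  found=0
  for d in $(printf '%s\n' "$config" \
      | awk '/^(search|domain)[ \t]/ { for (i = 2; i <= NF; i++) print $i }'); do
    case "$allowed" in
      *" $d "*) ;;                 # expected domain
      *) echo "$d"; found=1 ;;     # unexpected: check who owns it now
    esac
  done
  return $found
}

# Print the configured resolver addresses so they can be compared with the
# resolver you intend to use (e.g. after switching to OpenDNS).
configured_nameservers() {
  printf '%s\n' "$1" | awk '/^nameserver[ \t]/ { print $2 }'
}

# Constructed sample: one stale search domain left over from an old employer.
SAMPLE_RESOLV='nameserver 192.168.1.1
search home.example oldemployer.example'

# Usage on a live system (after flushing the cache, as the thread advises):
#   unexpected_search_domains "$(cat /etc/resolv.conf)" "home.example"
```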
 


Ric Ford

MacInTouch
I don't have a direct contact at MacWorld, but I've let them know via friends, and it does appear that they have a malvertising problem with ads on their website.
 


I don't have a direct contact at MacWorld, but I've let them know via friends, and it does appear that they have a malvertising problem with ads on their website.
I've been getting them for a couple of days, mostly at night. I have Bitdefender running full time, and a Malwarebytes scan showed nothing. I've been using OpenDNS for years.
 


I've been getting them for a couple of days, mostly at night. I have Bitdefender running full time, and a Malwarebytes scan showed nothing. I've been using OpenDNS for years.
Just an additional thought: I hardly ever click on ads in MacWorld. In fact, I usually use Reader View which eliminates most of the ads since they're exceptionally annoying continuously updating the text position in the screen. Sometimes I forget to put the browser (Safari) in Reader View. If I remember correctly, just running your mouse across an ad without clicking will sometime make them act like they've been clicked.
 


Odds are it’s malvertising, rather than anything on your Macs, that comes from a JavaScript embedded in an ad provided by third parties that MacWorld, etc. subscribe to.
The only way to avoid those is with a good adblocker, which is something OpenDNS provides, although I'm not certain how effective it actually is.
And as David mentioned, you need to clear your DNS cache after switching to a new DNS, in order to prevent re-using what the old DNS provided.
Adware issue is likely it. Had same problem yesterday on my iMac 10,1 with Catalina via DosDude1’s patches. Kill ads—no issue. With ads—redirect to fake Flash sites. I don’t run flash at all.
 


Ric Ford

MacInTouch
Malvertising is apparently rampant now with trojan Flash – "New York Times, the Washingtonian, Scientific American" and many more besides Macworld. Beware.

(Multi-layered security systems apparently blocked these on my Mac, and I hadn't seen the problem.)
 





I am involved with a small team (60 persons) who seem ambivalent about using Bcc: (blind carbon copy) for group emails.

Am I correct in believing that failure to use Bcc: when appropriate is still a security risk? Most information on the web seems well out of date. What are the security risks today?

I would appreciate it if someone can point me to definitive and up to date information. Thanks in advance.
 


Ric Ford

MacInTouch
Ric, would you be willing to share the details of these installed / implemented security systems?
They may be more labor-intensive than most folks would like, but NoScript and LittleSnitch are very useful, and I bypass the ISP's DNS, among other things. Firefox offers some Content Blocking options (including "Strict") which may be helpful, though I'm not sure exactly what blocked the malvertising for me (and now I have to go alert folks I directly support about the problem).

Frequent, rotated backups are a necessity, and I'm sure other folks can offer additional suggestions, too.
 


I am involved with a small team (60 persons) who seem ambivalent about using Bcc: (blind carbon copy) for group emails.

Am I correct in believing that failure to use Bcc: when appropriate is still a security risk? Most information on the web seems well out of date. What are the security risks today?
The security risk, then and now, is that everybody on the list can see everybody else's e-mail addresses.

If someone on the list wants to be malicious, he can use the data to get a list of known-good addresses, the users' real names, and the fact that they (probably) have some relationship to each other. When correlated with other such address lists, it can be used for phishing purposes (e.g. to send someone mail that appears to come from a friend or coworker).

In your particular case, if it's a closed list and everybody already knows each other, then it probably doesn't matter much.
 

