If you’re not familiar with this junior partner in our troubleshooting suite of apps, App Fixer does a very specific job: it returns any app you select to its default preferences and settings with the click of a button.
It’s raison d’être is largely for those apps that get themselves stuck in some unresponsive state (looking at you anything-Adobe). It also does a neat trick rescuing Safari from Adware on the side. ;).
If you’ve been using App Fixer already and you’re currently running El Capitan, we’re afraid you won’t see an update notice (the blame for that lies with Amazon AWS, but that’s another story). Just go to the App Fixer home page and download directly. We’ll be introducing an in-app updater (Sparkle) in the next release to make future updates more convenient.
With the release of Elite Keylogger Version 1.7.327, we’ve noticed some unexpected changes to how the developers are installing and hiding their work.
Let’s take a quick look at what happens when you install the free demo of this keylogger. First, you’ll notice that the app isn’t codesigned and requires you to override any GateKeeper settings.
Secondly, it’ll ask you for your admin password to escalate its privileges so it can write to wherever it wants in the system. So far nothing new. But here’s where the new release gets interesting.
What it does next is automagically insert itself into System Preferences/Security & Privacy/Privacy/Accessibility without throwing the required authorisation dialogue:
Forcing apps to be in this list if they want to leverage System Events to control a computer was a change brought in with OS X Lion 10.7, and it isn’t supposed to be circumventable.
The idea was that to get in this list, apps were forced to throw an authorisation dialog to get the user’s permission, even if the user had already given the app admin privileges elsewhere.
Unofficially, we’ve heard that Apple had once promised to crackdown on developers who tried to circumvent this security feature and to close any gaps that were exposed. As it is, we’ve not only been aware of a way around this security feature since late 2013, but it seems it’s not just the less reputable that are at it. Dropbox has been inserting itself into the Accessibility list since at least 10.10.5, without asking for permissions (in our screenshot, we never authorised either of these apps to be in this list, nor did we ever unlock the padlock to let them in).
The way that Elite Keylogger does this is through a sql database insertion, you can see the code they use here:
Another interesting development is that Elite’s developers, widestep, are now leveraging a hidden binary called
FScript64 that is placed and hidden with the
chflags -hidden flag set here:
We first saw this binary used in Refog’s Hoverwatch keylogger, but this is the first time we’ve seen the same code shared with other keyloggers. We can only speculate as to why developers from apparently-competing products are sharing code.
A couple of other things to note with Elite: If you drag the app to the Trash, the secret FScript64.osax will be left behind. If you use the uninstaller, the hidden binary will be removed, but another hidden data file will be placed here:
Our troubleshooting app DetectX already knows about both of these files, so if you want to check whether you’ve got rid of both of these or have other keylogger files present, download a free copy from sqwarq.com.
Finally, note that even if you use Elite Keylogger’s uninstaller, the app will remain in the list of Accessibility apps and it will remain in your list of login items. You’ll need to manually remove them both, and the hidden .ek file AND the osax if you didn’t use the uninstaller or didn’t use DetectX to help you remove the crud.
As always, be careful about what you download, use apps like DetectX or FastTasks 2 that can log changes that downloaded apps make to your system, and beware of all apps that require your admin password in order to be installed. There are legitimate reasons for that in some cases, but not many.
The standard method for doing this, either in Terminal or in code (via NSTask) has always been
defaults write com.apple.finder AppleShowAllFiles -bool true; killall Finder.
In every version of OS X from 10.6 thru to 10.10 this works as expected. In 10.11 I see a reproducible though not always consistent bug when using any GUI-wrapped app to toggle this Finder setting. The bug basically ends up with Finder showing the opposite of both what the app shows and what ‘defaults read’ shows (see image above; the value should be ‘1’ when invisible files are visible).
We believe a related bug is that Finder sometimes fails to show the new version of an app in the Finder preview after the app has been updated.
In both cases, there’s a couple of ways to deal with it (albeit temporary until Apple applies a proper cure):
i. log out then log in
ii. issue a ‘killall Finder’ on the command line
iii. purge the RAM then toggle the setting again in whatever app you’re using to toggle invisible files (if you’re running FastTasks 2, you can purge the RAM from the FT2 menu, avoiding a trip to the Terminal).
We are decidedly not impressed with MacBooster. Ok, we’ll put aside the general complaint that apps like this do very little if anything to improve performance (in fact, in our tests, we find almost always quite the opposite). We have a bigger beef with MacBooster.
Indeed, we rate it even more pesky than it’s obvious inspiration: MacKeeper… 😳
Aside from the fact that MacBooster’s uninstaller leaves a number of executables and other binary files hidden on the user’s system, there’s also the rather cheeky use of ‘com.apple.UninstallerAD” as a bundle identifier in their uninstaller app.
I really don’t think the folks at Cupertino are going to appreciate that, but more importantly the use of a misleading bundle identifier reveals a lot about the developers’ intentions.
Meanwhile, whether you use our apps or not, steer clear of MacBooster.
If you’d rather dig it out yourself than use DetectX, here’s the list of paths we have so far:
~/Library/Application Support/MacBooster 3.0
Version 2.06 is now available.
We’ve added more adware definitions and included MacBooster in the list of commercial apps that DetectX will find and remove.
We just released version 2.04 of DetectX, but if you’re finding that you can’t update, here’s the reason (and the fix!).
Thanks to Apple’s new AppTransport security layer and Amazon S3 not supporting perfect forward secrecy protocol, users of DetectX on any version prior to 2.04 who are running El Capitan (OSX 10.11) will find that DetectX can’t be updated from within the app even though we use a secure https connection.
The simple, if inconvenient fix, is to download DetectX directly from sqwarq. We’ve fixed the bug so that once you’re on v2.04, the in-app update mechanism will function properly again (even on El Capitan !).
Another day, another raft of apps removed from the iOS App Store. Well, actually it’s not quite that bad, but it does seem to be getting a bit more common.
In any case, Apple have just released this statement:
“Apple has removed a few apps from the App Store that install root certificates that could allow monitoring of data. This monitoring could be used to compromise SSL/TLS security solutions. If you have one of these apps installed on your device, delete both the app and its associated configuration profile to make sure your data remains protected.”
The only minor problem being they haven’t actually named which apps have been removed, making it sort-of impossible to follow their advice.
Not to worry. You can tell if you have one of the not-mentioned apps simply by going to
Settings > General and looking for the Profile option.
If you don’t see ‘Profile’ anywhere in the list, then you can rest easy. You don’t have any of those apps.
If you do see ‘Profile’ in the list, look at what’s in it. Anything you don’t recognise should be removed. There shouldn’t be anything in there that you didn’t explicitly approve of and know about.
Anything you do recognise but are not sure if its safe, contact the developer and/or Apple directly.
Keeping an eye on General > Profiles is a good idea. We recently found a website that will download a config profile and install apps to your iOS device without that device being either Jailbroken or requiring you to enter an AppleID for the download.
Fair enough, it does require the user to click-through a few “do you want to trust this…” type dialogue boxes, but that’s hardly child-proof. If you’re a parent who lets your children use your iOS devices without constant surveillance like most of us, that’s a real security issue (and yet another reason why we at Applehelpwriter insist user accounts is a must-have feature Apple need to implement in iOS sooner rather than later).
Back in the days of Mountain Lion when Apple introduced GateKeeper, a lot of talk was heard about the best way to protect your mac being to only download apps from the App Store. With several hundred malware infected apps discovered in the App Store last month alone, what’s clear is that leaving your security up to someone else (even if its Apple) is short-sighted at best, and disastrous at worse, particularly if your reliable source just happens to be of great interest to hackers (especially if its Apple!).
Rather than relying on others for your protection, the solution is to have a system in place that will protect you and allow you to recover completely and quickly regardless of the source of the infection. In this post I’m going to share with you (part of) my security set up. Of course, at least in part, it uses my own s/w (if I can’t trust my own software, who can? And besides, my s/w is free!), but there are other ways to achieve the same thing. What’s important is the process, rather than the particular tools mentioned to implement it.
I’ll break these five essential security tips down into two parts, protection and recovery. However, if this post looks too intimidatingly long, skip to the end where I summarise the essential points in the TL;DR. OK, here we go:
1. Log changes to your system
I achieve this with my app DetectX (my app FastTasks 2 also does this, but DetectX is better at it). I have DetectX (v2 or higher) in my Login Items. This means every time I login, DetectX reports what’s changed on my system. If you’re starting from a clean bill of health as hopefully you are now, this is vital information in tracking down what’s changed when new trouble begins.
If I don’t log out at the end of the day, I run DetectX the next day, and I always run it after downloading and installing any new software. That means I have a record of what that s/w has done and I know exactly how to uninstall it if I need to.
Incidentally, as soon as you’ve launched DetectX and taken a note of any changes (signalled by the yellow alert triangle), you can quit it. It doesn’t need to be running. It just needs to launch and scan (literally, takes a second) and then quit.
2. Do NOT use your AppleID for your admin account password
Use a unique password for your Admin user account and do NOT allow the options for the user to reset the password using AppleID or to administer the computer using your AppleID. This is a massive security flaw (this setting is made in System Preferences > Users & Groups). Your AppleID is hackable and indeed there has been at least one famous case of a Wired journalist who had his entire mac wiped in front of his eyes while sitting at home by a hacker who had ascertained his AppleID.
3. Use a Password manager
I use 1Password myself, but any similar product will do. The point is that i. you’re not using the same credentials on more than one site and ii. that you’re using passwords whose length and structure is uncrackable. No matter how ingenious you think your passwords may be, trust me if you made them up yourself they are not. Do a search on ArsTechnica.com for “password cracking” and weep at the ease with which this is possible. A password manager is the only sensible solution.
If you care at all about your data you need to invest in a structured backup system. Simply plugging in Time Machine isn’t sufficient since, as many have already discovered, TM will back up all the ‘infections’ along with everything else. When you try to recover, you just end up re-infecting your machine.
This is what I do.
4. Use a variety of both clones and Time Machine on a staggered schedule
I have a TM disk always connected. On top of that, I clone my entire internal HD on Wednesday and Saturdays. This clone is NOT connected to the mac except during backup. I also clone my HD onto a separate disk once a month. Again, this disk is never connected to the mac except when I’m backing up. (I use an app called Carbon Copy Cloner to manage these schedules.)
If any one of these disks gets ‘infected’ or just dies out of natural usage, I’m covered. If I were to get some kind of infection, I’ve got known clean backups for at least one month. So long as the problem manifests itself within that period, I can simply boot from a clean clone and diagnose the problem using the tools mentioned above in PROTECTION. I can then clean my TM Disk and any others once I’ve determined the problem, and of course then I haven’t lost any backup data.
5. Consider CrashPlan or similar online recovery service
I don’t use it myself because I consider my user behaviour as very low risk and my precautions adequate, but if I were either less technically inclined or without the time to manage a system like I described above, CrashPlan is a way to insure yourself without the hassle, (albeit at a cost, so you need to weigh that up). In particular, what I like about the CrashPlan idea is that it offers you protection against ransomware threats (not that we’ve had any serious ones on the mac yet, but I wouldn’t bet against these appearing in the not too distant future). Note that services like CrashPlan are not at all the same kind of thing as Dropbox or iCloud, but the best way to find out more is to head on over to the CrashPlan page and read up on what they offer.
Those are the 5 essential things I think you need to do or consider, but let’s just round this off with some things that you probably don’t need to do.
Do you need AV Software?
Some people are adamant about using this kind of software because of its necessity on Windows machines, where there’s decades of reusable malware going around which makes this kind of app necessary.
On a mac, there isn’t that kind deep history of malware in circulation; the really dangerous stuff is perhaps only now just being written, and none of the AV tools will know about that until after the fact. In other words, any decent malware being written for macs now will get past all the AV vendors. Moreover, much of the worst of known malware is already blocked by Apple via OS X’s Xprotect system. That means your AV software isn’t really doing much other than what OS X is already doing for you.
The other problem with AV software is that its always running on your machine and slowing things down.
Finally, most AV software requires you to give it your Admin password and runs its processes in a persistent ‘super user’ or admin mode. That’s a security compromise in at least two ways. First, it means you are at risk from the AV software vendor if they are not trustworthy themselves. Second, it means your system is vulnerable to bugs or exploits existing in the security software. Hackers love nothing better than finding ways to compromise security software, and if a hacker can get into your machine through bugs in an AV program running on your mac with admin privileges, well, then, you are “pwned” as they say.:o
By way of contrast, DetectX doesn’t need to know about threats in advance; it will tell you whether something new has been added to your mac and where, regardless of what it is, so it will also spot even those kinds of “zero day exploits” that try to sneak malicious files onto your mac. DetectX doesn’t run any ‘always on’ processes or use any system resources in the background. Finally, DetectX doesn’t require you to give it an Admin password.
(Technical note: if you use the Trash function in DetectX, then OS X will ask for your password to trash files outside of your user account, but that’s not a request coming from my app, but from the system. Importantly, authorising that request only allows the system to do what you told it to do: delete the given file selected in DetectX. It cannot be hijacked to do anything else and the authorisation is single-use only. If you tried the same operation again it wouldn’t work without being authorised again).
Should I avoid updating my mac?
In short, no – you should always be on the most recently available update
for your release of OS X as updates almost always address security flaws that have come to light since the last update.
However, update doesn’t mean upgrade. Generally, if you’re going to upgrade (such as from Yosemite to El Capitan), do the upgrade on a spare external disk first and test that everything works OK. Whatever you do, do not just install an upgrade directly over your one-and-only copy of your HD. If you don’t follow the advice above about testing the new OS on an external drive, then at least make an external bootable clone (not Time Machine, too unreliable) of your internal HD first. Anything less is asking for trouble.
Pretty much the same advice can be applied to updates, certainly the early ones. It’s not unknown for a .1 or .2 update to break something serious. These kind of bugs get less likely as you get nearer .4 and .5 updates when everything is fairly stable, but it’s still never a bad idea to make a complete bootable back up of your system just before doing either an update or upgrade. That way, you’re covered whatever happens and can easily roll back to the previous version if necessary.
OK, if I wanted to sum up all of this into two simple golden rules for security and protection it wouldn’t be ‘use this app or that app’ or ‘only trust this source or that source’ it would be: educate yourself about how your mac works, where malicious files hide and keep an eye on those places on a regular basis. That’s what I wrote DetectX to do, but you can do it in other ways without using my app. Secondly, backup regularly and backup onto different disks on a staggered schedule so that you always have a clean, uninfected backup to turn to in case you need it.
Enjoy and share! :)