Another day, another raft of apps removed from the iOS App Store. Well, actually it’s not quite that bad, but it does seem to be getting a bit more common.
In any case, Apple have just released this statement:
“Apple has removed a few apps from the App Store that install root certificates that could allow monitoring of data. This monitoring could be used to compromise SSL/TLS security solutions. If you have one of these apps installed on your device, delete both the app and its associated configuration profile to make sure your data remains protected.”
The only minor problem being they haven’t actually named which apps have been removed, making it sort-of impossible to follow their advice.
Not to worry. You can tell if you have one of the not-mentioned apps simply by going to
Settings > General and looking for the Profile option.
If you don’t see ‘Profile’ anywhere in the list, then you can rest easy. You don’t have any of those apps.
If you do see ‘Profile’ in the list, look at what’s in it. Anything you don’t recognise should be removed. There shouldn’t be anything in there that you didn’t explicitly approve of and know about.
Anything you do recognise but are not sure if its safe, contact the developer and/or Apple directly.
Keeping an eye on General > Profiles is a good idea. We recently found a website that will download a config profile and install apps to your iOS device without that device being either Jailbroken or requiring you to enter an AppleID for the download.
Fair enough, it does require the user to click-through a few “do you want to trust this…” type dialogue boxes, but that’s hardly child-proof. If you’re a parent who lets your children use your iOS devices without constant surveillance like most of us, that’s a real security issue (and yet another reason why we at Applehelpwriter insist user accounts is a must-have feature Apple need to implement in iOS sooner rather than later).
Back in the days of Mountain Lion when Apple introduced GateKeeper, a lot of talk was heard about the best way to protect your mac being to only download apps from the App Store. With several hundred malware infected apps discovered in the App Store last month alone, what’s clear is that leaving your security up to someone else (even if its Apple) is short-sighted at best, and disastrous at worse, particularly if your reliable source just happens to be of great interest to hackers (especially if its Apple!).
Rather than relying on others for your protection, the solution is to have a system in place that will protect you and allow you to recover completely and quickly regardless of the source of the infection. In this post I’m going to share with you (part of) my security set up. Of course, at least in part, it uses my own s/w (if I can’t trust my own software, who can? And besides, my s/w is free!), but there are other ways to achieve the same thing. What’s important is the process, rather than the particular tools mentioned to implement it.
I’ll break these five essential security tips down into two parts, protection and recovery. However, if this post looks too intimidatingly long, skip to the end where I summarise the essential points in the TL;DR. OK, here we go:
1. Log changes to your system
I achieve this with my app DetectX (my app FastTasks 2 also does this, but DetectX is better at it). I have DetectX (v2 or higher) in my Login Items. This means every time I login, DetectX reports what’s changed on my system. If you’re starting from a clean bill of health as hopefully you are now, this is vital information in tracking down what’s changed when new trouble begins.
If I don’t log out at the end of the day, I run DetectX the next day, and I always run it after downloading and installing any new software. That means I have a record of what that s/w has done and I know exactly how to uninstall it if I need to.
Incidentally, as soon as you’ve launched DetectX and taken a note of any changes (signalled by the yellow alert triangle), you can quit it. It doesn’t need to be running. It just needs to launch and scan (literally, takes a second) and then quit.
2. Do NOT use your AppleID for your admin account password
Use a unique password for your Admin user account and do NOT allow the options for the user to reset the password using AppleID or to administer the computer using your AppleID. This is a massive security flaw (this setting is made in System Preferences > Users & Groups). Your AppleID is hackable and indeed there has been at least one famous case of a Wired journalist who had his entire mac wiped in front of his eyes while sitting at home by a hacker who had ascertained his AppleID.
3. Use a Password manager
I use 1Password myself, but any similar product will do. The point is that i. you’re not using the same credentials on more than one site and ii. that you’re using passwords whose length and structure is uncrackable. No matter how ingenious you think your passwords may be, trust me if you made them up yourself they are not. Do a search on ArsTechnica.com for “password cracking” and weep at the ease with which this is possible. A password manager is the only sensible solution.
If you care at all about your data you need to invest in a structured backup system. Simply plugging in Time Machine isn’t sufficient since, as many have already discovered, TM will back up all the ‘infections’ along with everything else. When you try to recover, you just end up re-infecting your machine.
This is what I do.
4. Use a variety of both clones and Time Machine on a staggered schedule
I have a TM disk always connected. On top of that, I clone my entire internal HD on Wednesday and Saturdays. This clone is NOT connected to the mac except during backup. I also clone my HD onto a separate disk once a month. Again, this disk is never connected to the mac except when I’m backing up. (I use an app called Carbon Copy Cloner to manage these schedules.)
If any one of these disks gets ‘infected’ or just dies out of natural usage, I’m covered. If I were to get some kind of infection, I’ve got known clean backups for at least one month. So long as the problem manifests itself within that period, I can simply boot from a clean clone and diagnose the problem using the tools mentioned above in PROTECTION. I can then clean my TM Disk and any others once I’ve determined the problem, and of course then I haven’t lost any backup data.
5. Consider CrashPlan or similar online recovery service
I don’t use it myself because I consider my user behaviour as very low risk and my precautions adequate, but if I were either less technically inclined or without the time to manage a system like I described above, CrashPlan is a way to insure yourself without the hassle, (albeit at a cost, so you need to weigh that up). In particular, what I like about the CrashPlan idea is that it offers you protection against ransomware threats (not that we’ve had any serious ones on the mac yet, but I wouldn’t bet against these appearing in the not too distant future). Note that services like CrashPlan are not at all the same kind of thing as Dropbox or iCloud, but the best way to find out more is to head on over to the CrashPlan page and read up on what they offer.
Those are the 5 essential things I think you need to do or consider, but let’s just round this off with some things that you probably don’t need to do.
Do you need AV Software?
Some people are adamant about using this kind of software because of its necessity on Windows machines, where there’s decades of reusable malware going around which makes this kind of app necessary.
On a mac, there isn’t that kind deep history of malware in circulation; the really dangerous stuff is perhaps only now just being written, and none of the AV tools will know about that until after the fact. In other words, any decent malware being written for macs now will get past all the AV vendors. Moreover, much of the worst of known malware is already blocked by Apple via OS X’s Xprotect system. That means your AV software isn’t really doing much other than what OS X is already doing for you.
The other problem with AV software is that its always running on your machine and slowing things down.
Finally, most AV software requires you to give it your Admin password and runs its processes in a persistent ‘super user’ or admin mode. That’s a security compromise in at least two ways. First, it means you are at risk from the AV software vendor if they are not trustworthy themselves. Second, it means your system is vulnerable to bugs or exploits existing in the security software. Hackers love nothing better than finding ways to compromise security software, and if a hacker can get into your machine through bugs in an AV program running on your mac with admin privileges, well, then, you are “pwned” as they say.:o
By way of contrast, DetectX doesn’t need to know about threats in advance; it will tell you whether something new has been added to your mac and where, regardless of what it is, so it will also spot even those kinds of “zero day exploits” that try to sneak malicious files onto your mac. DetectX doesn’t run any ‘always on’ processes or use any system resources in the background. Finally, DetectX doesn’t require you to give it an Admin password.
(Technical note: if you use the Trash function in DetectX, then OS X will ask for your password to trash files outside of your user account, but that’s not a request coming from my app, but from the system. Importantly, authorising that request only allows the system to do what you told it to do: delete the given file selected in DetectX. It cannot be hijacked to do anything else and the authorisation is single-use only. If you tried the same operation again it wouldn’t work without being authorised again).
Should I avoid updating my mac?
In short, no – you should always be on the most recently available update
for your release of OS X as updates almost always address security flaws that have come to light since the last update.
However, update doesn’t mean upgrade. Generally, if you’re going to upgrade (such as from Yosemite to El Capitan), do the upgrade on a spare external disk first and test that everything works OK. Whatever you do, do not just install an upgrade directly over your one-and-only copy of your HD. If you don’t follow the advice above about testing the new OS on an external drive, then at least make an external bootable clone (not Time Machine, too unreliable) of your internal HD first. Anything less is asking for trouble.
Pretty much the same advice can be applied to updates, certainly the early ones. It’s not unknown for a .1 or .2 update to break something serious. These kind of bugs get less likely as you get nearer .4 and .5 updates when everything is fairly stable, but it’s still never a bad idea to make a complete bootable back up of your system just before doing either an update or upgrade. That way, you’re covered whatever happens and can easily roll back to the previous version if necessary.
OK, if I wanted to sum up all of this into two simple golden rules for security and protection it wouldn’t be ‘use this app or that app’ or ‘only trust this source or that source’ it would be: educate yourself about how your mac works, where malicious files hide and keep an eye on those places on a regular basis. That’s what I wrote DetectX to do, but you can do it in other ways without using my app. Secondly, backup regularly and backup onto different disks on a staggered schedule so that you always have a clean, uninfected backup to turn to in case you need it.
Enjoy and share! 🙂
With recent adware attacks exploiting a vulnerability in OS X and giving themselves sudo permissions without the user providing a password, we thought it’d be a good idea to have FT2 show you info on the Sudo permissions file. This feature has been added in today’ update, FT2 v1.68.
The file in question, sudoers, lives in the (usually) hidden /private/etc folder at the root of your hard drive. Most ordinary users won’t have cause to go digging around in there and probably don’t even know it exists. However, sudoers is the file that determines who can get admin access in the shell (aka ‘the Terminal’), and adding a user to the sudoers file gives them pretty much a carte blanche over the system.
It appears that Apple have already taken steps to block the recent attack, and the next version of OS X (likely due out next month) will restrict what even sudoers can do to the system (although not to the user). Nevertheless, we think it’s good idea to have an easy visual check as to whether the sudoers file has been modified or not. You can find the sudoers information in the Analyser just before the System section (marked by the green dashed line).
Be aware that it is entirely possible that if an attacker gains access to your system, they could not only modify the sudoers file, but completely replace it with a new one. That’d give a new creation date but no modification date. With that in mind, it’s worth checking just when the file was created. Running the public release of OS X Yosemite, build 14E46 (you can find the build number in FastTasks menu), my default sudoers file has a creation date of 2014-09-10. If you are running a different build of Yosemite or OS X you may see a different date. Obviously, if you have modified (or given an app or process permission to modify) the file, that will cause you to see different dates also.
DetectX 1.30 is now available. Aside from the fancy new icon you can see above :p, we also added the Sparkle updater to make updates more convenient for users and made a few tweaks to improve the search definitions.
FastTasks 1.67 is now available. The latest version updates the Analyser and adds AppleScript support. The functions available to AppleScript are fairly limited at the moment, but we’d love to add more. Tell us how you’d like to script FT2 (or any other Sqwarq apps!) in the comments below and we’ll look into adding your suggestions to future updates.
Security researchers have this week been getting themselves het up about a new malware threat to both iOS and OS X. WireLurker appears to be emanating out of Chinese file exchange sites and, at least at the moment, looks fairly limited in both its spread and its damage (update: Business Insider is reporting that Apple has blocked WireLurker-infected apps from launching).
However, researchers at Paolo Alto Networks are pointing out that what makes WireLurker particularly worrying is that the malware exploits weaknesses in Apple’s software that could, they claim, be easily be used for far more dangerous threats.
You can easily scan for the malware threat with my free app FastTasks 2 (v 1.53 or later). If you don’t see the warning as in the screenshot above or any results in the Analyser ‘Issues’ pane, you’re clean of any of the currently known files associated with WireLurker. If you do see the warning, locate the infectious files from the Analyser pane and delete (OS X will demand your Admin password to remove some of them), then restart your mac.
At the time of writing the update for 10.9 wasn’t coming through OS X’s built in ‘Software Update’. The updates are available for download and install here:
Keep the spooks and data thieves out of your personal data with this easy-to-use, drag-and-drop 128-bit AES encryption applet. It’s a simple 1-2-3 process:
1. Download EncryptMe, copy to your Applications folder and drag the icon to your Dock.
2. Select the files you want to encrypt and drop them onto EncryptMe’s Dock icon.
3. Choose a password and you’re done!
That’s really all there is to it, but let’s take a moment to go over the details of Step 2 and 3.
How does it all work?
First of all, note that EncryptMe is an Automator “droplet” app. That means you use it by dropping files on it, not by clicking or double-clicking the icon (which will just produce an error message). If you want to know how EncryptMe works (or make your own), just open up Automator.app and take a look a the ‘New Disk Image’ action. EncryptMe sizes the disk image to fit the files you drop on its icon as long as you have enough free space on your drive.
Secondly, take a moment to pause and think about the password options. You can use OS X’s built-in password generator or make one up of your own. However, be careful. This encryption won’t just keep the bad guys out; it’ll keep you out too if you forget the password!
For that reason, you’ll need to think carefully about whether you’re going to tick the ‘Remember password in my Keychain‘ checkbox or not. Doing so gives you far more insurance against losing the password. The flipside is that anyone will be able to access your encrypted files if they gain access to your computer while you’re logged in. Leaving the box unchecked is more secure: the password you set here will have to be supplied every time an attempt to open the files is made even when you’re logged in. The bad news? Forget the password, and you’ll be in the same boat as the spooks and the data thieves, locked out of your data forever. So choose carefully here.
Update: Mavericks users can now update to 10.9.2 which fixes the flaw. 🙂
News is just breaking of a flaw in Apple’s implementation of SSL security, which could affect anyone using iOS and 10.9 OSX over public/open access wifi ‘hotspots’.
If you’re using iOS, please ensure you do Software Update immediately as a patch has already been released by Apple.
No word from Apple on OS X at time of writing. You can test to see if you have the problem by clicking the following link. Basically, if SSL is working properly you shouldn’t be able to read the message on this page:
If you can read the message on that website from your Mac computer, the best advice to date is to stay off public/open access wifi networks until we hear something more from Apple.
Ars Technica have more information on the security flaw here.
Over the last few years, Apple have made great strides in protecting users from losing their data, be it from system failure, software crashes, accidental deletion, disk corruption or just the plain negligence of forgetting to save before quitting. We now have Time Machine for automatic backups, application savedStates and Resume for crashes, and Autosave and Versions for negligence. As if all that wasn’t enough, iCloud is probably syncing your browser tabs, photos, and pretty much anything else you want straight up to Apple’s servers and pushing it back down the pipe to your other devices as and when needed. All this is a good thing, right?
Well, probably. For most people, most of the time. But not always. The security implications of having your OS (and even Apple) copying everything you type, open or edit on your computer can sometimes be disturbing. What if you need to open a confidential pdf in Preview but are required to make sure (either morally or contractually) that all copies of that document are destroyed after viewing? No one wants to be zeroing their hard-drive every week; and what if you need to edit a Pages or Numbers document but don’t want the changes pushed to the cloud? Turning iCloud on and off is no 2-second job and can have implications for your other workflows and data. Making duplicates to save locally risks having copies stored in the hidden .DocumentRevisions-v100 folder.
Use a secure USB
With USB flash drives now coming in at large GB sizes and relatively low cost, one solution is to load and delete sensitive files via a USB. Wiping a flash drive takes considerably less time than wiping a hard disk and keeps your sensitive data nicely partitioned from everything else, but there are problems. First, there’s always the danger of negligence; in the heat of deadlines or other pressures, we might just forget to wipe that disk; second, there’s the danger of loss or theft; and third, there’s always the possibility of deep recovery by people with the appropriate tools and know-how. Some of those issues can be mitigated by encrypting the drive using Disk Utility.
Set up a RAM disk on OS X
Using an encrypted USB can be a great idea, but it both takes time to create and is not always unobtrusive. If another party should get physical access to your USB, the fact that it’s encrypted also tells interested parties that you might have secrets to hide. A faster and less conspicuous solution could be to use a RAM disk, a portion of your RAM memory that is partitioned and formatted just like any other disk. RAM disks were once common on Macs when peripherals were considerably slower at loading data, but with the speed of modern drives few people bother with them anymore. However, a RAM disk has another advantage apart from being the fastest way to read and write data: its entirely non-persistent. There’s no way of recovering something that was once in RAM once that memory has been flushed.
Making, using and deleting a RAM disk is incredibly simple. Here I’ve created one that’s a half a gigabyte. To create it, you just need a one liner in Terminal. Triple-click the following line and copy and paste it directly into a Terminal window:
diskutil erasevolume HFS+ "ramdisk" `hdiutil attach -nomount ram://1165430`
After you hit ‘return’, you’ll see a new disk icon on your desktop and in the Finder sidebar. You can now use the RAM disk just like any other disk. Use it as the location to download, open or create sensitive files that you know you are going to destroy after use. You can, of course, even create copies of applications and run them from your RAM disk, too.
The RAM disk, while it exists, will behave just like any other disk, so it will have its own .Trashes directory, and its own Versions and Spotlight indexes just as all other disks do. That means you get all the comforts of OSX’s failsafes while the disk is mounted, but as soon as you eject or unmount the disk, all the Versions and Autosaves and Trashes disappear completely and unrecoverably. RAM disks are ideal for reading or editing short pieces of information (such as messages or passwords) that you want to quickly review or store before discarding without a trace.
You can eject the disk either in the usual way from within Finder or the Desktop, or you can use another Terminal line:
hdiutil detach /dev/disk1
And if you want to flush the contents of your entire RAM buffer for good measure, you can also do:
followed by an admin password (if you’re using any version of OS X before 10.9, you can just type ‘purge’ at the command line. No need for sudo or a password).
A word of caution, however. The strength of a RAM disk from a security point of view is simultaneously a danger from almost every other: — the volatility of RAM means you could easily lose everything in your RAM disk if any of the following occur: you eject the disk accidentally, the computer crashes, the power fails or battery runs flat, you log out or restart the computer. Keep these points in mind and only use your RAM disk for short sessions. Never store anything solely on a RAM disk if preserving the data is of importance to you.
Featured picture: OCD — security by kenns
If you’re new to Mac, you’re probably thinking that it’s a no-brainer that you need some kind of anti-virus app. Once you start looking around the web for reviews, it’s inevitable that you’re going to come across the Great Mac AntiVirus Debate: in the one corner, those who say Mac users who forego antivirus protection are arrogant and just setting themselves up for a fall, and in the other those who’ve used Macs for umpteen years, never had or heard of any real threat, and consequently say AV software is a waste of time.
You can read round this debate for years and never come to a satisfying conclusion, largely because its as much about what you ‘ought’ to do as it is about what is the case. Just because you’ve never had any viruses, doesn’t mean you won’t get one tomorrow. And yet, there are NO viruses in the wild known to affect macs, and so when one does arrive, it will be unknown to your AV scanner. Hence, an AV Scanner is just a waste of system resources (and possibly money, if you paid for it). Yikes! What do I do!!
What you do is sidestep the whole debate and stop thinking only about virus scanners, which after all deal with only a small subset of all the possible attack vectors in the internet age, and start thinking in terms of vulnerability scanners. Unlike a simple virus scanner, a vulnerability scanner examines your system not only for malware but also for any vulnerabilities in commercial software, plug ins, your system setup (including network and other sharing settings) and other installed items. The scanner will not only explain the threat and its severity but also tell you what, if anything, you need to do, recommend patches and guide you to links for more info where available.
You can use something like Nessus for free if you are a home user, which will give you a far better insight into the possible attacks someone could implement on your system (and it will check your system against almost all of the major virus scanner databases like Symantec, etc).
Even better, a vulnerability scanner like Nessus won’t just examine your machine, it’ll look at everything else (and all the installed apps) of anything on your home network including phones (any platform), other computer systems (any OS), and even your router.