Blog Archives
how to detect WireLurker malware
Security researchers have this week been getting themselves het up about a new malware threat to both iOS and OS X. WireLurker appears to be emanating out of Chinese file exchange sites and, at least at the moment, looks fairly limited in both its spread and its damage (update: Business Insider is reporting that Apple has blocked WireLurker-infected apps from launching).
However, researchers at Palo Alto Networks are pointing out that what makes WireLurker particularly worrying is that the malware exploits weaknesses in Apple’s software that could, they claim, easily be used for far more dangerous threats.
You can easily scan for the malware threat with my free app FastTasks 2 (v 1.53 or later). If you don’t see the warning as in the screenshot above or any results in the Analyser ‘Issues’ pane, you’re clean of any of the currently known files associated with WireLurker. If you do see the warning, locate the infectious files from the Analyser pane and delete them (OS X will demand your Admin password to remove some of them), then restart your mac.
🙂
how to fix the “Shellshock” security flaw
Apple have today released updates to Bash for Lion, Mountain Lion and Mavericks. All users are recommended to update to Bash version 3.2.53(1) to patch the recently found “Shellshock” exploit.
At the time of writing the update for 10.9 wasn’t coming through OS X’s built in ‘Software Update’. The updates are available for download and install here:
http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks
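Once the update is installed, you can confirm it took effect from Terminal. This is an added example, not part of the original post: it reports the running Bash version and runs the standard self-test for the Shellshock bug (a function definition imported from the environment followed by a trailing command, which only an unpatched Bash executes). It assumes `bash` is on your PATH.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the installed
# Bash is still affected by Shellshock. Assumes 'bash' is on the PATH.

# Report the version string of the bash in use, e.g. "3.2.53(1)-release".
bash_version() {
    bash -c 'printf "%s\n" "$BASH_VERSION"' 2>/dev/null
}

# Shellshock: an unpatched bash, when importing a function definition from
# an environment variable, kept executing whatever text followed the
# definition. A patched bash never runs that trailing command, so the word
# "vulnerable" is printed only by an unpatched build.
# Prints "patched", "vulnerable" or "no-bash" and sets the exit status to match.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo check' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Stand-alone use: print both results.
echo "Bash version: $(bash_version)"
shellshock_status
```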
how to easily encrypt your files
Keep the spooks and data thieves out of your personal data with this easy-to-use, drag-and-drop 128-bit AES encryption applet. It’s a simple 1-2-3 process:
1. Download EncryptMe, copy to your Applications folder and drag the icon to your Dock.
2. Select the files you want to encrypt and drop them onto EncryptMe’s Dock icon.
3. Choose a password and you’re done!
That’s really all there is to it, but let’s take a moment to go over the details of Step 2 and 3.
How does it all work?
First of all, note that EncryptMe is an Automator “droplet” app. That means you use it by dropping files on it, not by clicking or double-clicking the icon (which will just produce an error message). If you want to know how EncryptMe works (or make your own), just open up Automator.app and take a look at the ‘New Disk Image’ action. EncryptMe sizes the disk image to fit the files you drop on its icon as long as you have enough free space on your drive.
Secondly, take a moment to pause and think about the password options. You can use OS X’s built-in password generator or make one up of your own. However, be careful. This encryption won’t just keep the bad guys out; it’ll keep you out too if you forget the password!
For that reason, you’ll need to think carefully about whether you’re going to tick the ‘Remember password in my Keychain’ checkbox or not. Doing so gives you far more insurance against losing the password. The flipside is that anyone will be able to access your encrypted files if they gain access to your computer while you’re logged in. Leaving the box unchecked is more secure: the password you set here will have to be supplied every time an attempt to open the files is made even when you’re logged in. The bad news? Forget the password, and you’ll be in the same boat as the spooks and the data thieves, locked out of your data forever. So choose carefully here.
check for security flaw in OS X and iOS
Update: Mavericks users can now update to 10.9.2 which fixes the flaw. 🙂
News is just breaking of a flaw in Apple’s implementation of SSL security, which could affect anyone using iOS or OS X 10.9 over public/open access wifi ‘hotspots’.
If you’re using iOS, please ensure you do Software Update immediately as a patch has already been released by Apple.
No word from Apple on OS X at time of writing. You can test to see if you have the problem by clicking the following link. Basically, if SSL is working properly you shouldn’t be able to read the message on this page:
https://www.imperialviolet.org:1266
If you can read the message on that website from your Mac computer, the best advice to date is to stay off public/open access wifi networks until we hear something more from Apple.
Ars Technica have more information on the security flaw here.
security: keeping OS X’s nose out of your data

Well, probably. For most people, most of the time. But not always. The security implications of having your OS (and even Apple) copying everything you type, open or edit on your computer can sometimes be disturbing. What if you need to open a confidential pdf in Preview but are required to make sure (either morally or contractually) that all copies of that document are destroyed after viewing? No one wants to be zeroing their hard-drive every week; and what if you need to edit a Pages or Numbers document but don’t want the changes pushed to the cloud? Turning iCloud on and off is no 2-second job and can have implications for your other workflows and data. Making duplicates to save locally risks having copies stored in the hidden .DocumentRevisions-v100 folder.
Use a secure USB
With USB flash drives now coming in at large GB sizes and relatively low cost, one solution is to load and delete sensitive files via a USB. Wiping a flash drive takes considerably less time than wiping a hard disk and keeps your sensitive data nicely partitioned from everything else, but there are problems. First, there’s always the danger of negligence; in the heat of deadlines or other pressures, we might just forget to wipe that disk; second, there’s the danger of loss or theft; and third, there’s always the possibility of deep recovery by people with the appropriate tools and know-how. Some of those issues can be mitigated by encrypting the drive using Disk Utility.
Set up a RAM disk on OS X
Using an encrypted USB can be a great idea, but it both takes time to create and is not always unobtrusive. If another party should get physical access to your USB, the fact that it’s encrypted also tells interested parties that you might have secrets to hide. A faster and less conspicuous solution could be to use a RAM disk, a portion of your RAM memory that is partitioned and formatted just like any other disk. RAM disks were once common on Macs when peripherals were considerably slower at loading data, but with the speed of modern drives few people bother with them anymore. However, a RAM disk has another advantage apart from being the fastest way to read and write data: it’s entirely non-persistent. There’s no way of recovering something that was once in RAM once that memory has been flushed.
Making, using and deleting a RAM disk is incredibly simple. Here I’ve created one that’s half a gigabyte. To create it, you just need a one liner in Terminal. Triple-click the following line and copy and paste it directly into a Terminal window:
diskutil erasevolume HFS+ "ramdisk" `hdiutil attach -nomount ram://1165430`
After you hit ‘return’, you’ll see a new disk icon on your desktop and in the Finder sidebar. You can now use the RAM disk just like any other disk. Use it as the location to download, open or create sensitive files that you know you are going to destroy after use. You can, of course, even create copies of applications and run them from your RAM disk, too.
The RAM disk, while it exists, will behave just like any other disk, so it will have its own .Trashes directory, and its own Versions and Spotlight indexes just as all other disks do. That means you get all the comforts of OS X’s failsafes while the disk is mounted, but as soon as you eject or unmount the disk, all the Versions and Autosaves and Trashes disappear completely and unrecoverably. RAM disks are ideal for reading or editing short pieces of information (such as messages or passwords) that you want to quickly review or store before discarding without a trace.
You can eject the disk either in the usual way from within Finder or the Desktop, or you can use another Terminal line:
hdiutil detach /dev/disk1
And if you want to flush the contents of your entire RAM buffer for good measure, you can also do:
sudo purge
followed by an admin password (if you’re using any version of OS X before 10.9, you can just type ‘purge’ at the command line. No need for sudo or a password).
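The same create/use/destroy cycle as a small script, added here as an example and not part of the original post. It sizes the disk in megabytes (hdiutil’s ram:// URL counts 512-byte sectors) and captures the device node that `hdiutil attach` actually returns, so the detach step does not assume the disk is /dev/disk1. The `hdiutil`/`diskutil` calls assume OS X; the helper functions are plain POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post): create and destroy an OS X RAM
# disk by size in MB, detaching by the device node hdiutil reported rather
# than a hard-coded /dev/disk1. Assumes hdiutil and diskutil (OS X only).

# hdiutil's ram:// URL takes a size in 512-byte sectors: 1 MB = 2048 sectors.
ramdisk_sectors() {
    mb="$1"
    echo $(( $mb * 2048 ))
}

# Pull the device node (e.g. /dev/disk3) out of 'hdiutil attach' output.
# Prints nothing if the output contains no device node.
device_from_attach_output() {
    printf '%s\n' "$1" | awk '/^\/dev\/disk/ { print $1; exit }'
}

# Create an HFS+ volume named $1 of $2 MB in RAM; print its device node.
ramdisk_create() {
    name="$1"; mb="$2"
    out=$(hdiutil attach -nomount "ram://$(ramdisk_sectors "$mb")") || return 1
    dev=$(device_from_attach_output "$out")
    [ -n "$dev" ] || return 1
    diskutil erasevolume HFS+ "$name" "$dev" >/dev/null || { hdiutil detach "$dev"; return 1; }
    echo "$dev"
}

# Unmount the volume: its files, .Trashes, Versions and Spotlight index go
# with it. Run 'sudo purge' afterwards (10.9 or later) to flush the rest of RAM.
ramdisk_destroy() {
    hdiutil detach "$1"
}

# Stand-alone use: a 512 MB disk, copy something sensitive in, then destroy it.
if [ "${1:-}" = "--demo" ]; then
    dev=$(ramdisk_create "ramdisk" 512) || exit 1
    echo "RAM disk mounted from $dev at /Volumes/ramdisk"
    ramdisk_destroy "$dev"
fi
```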
A word of caution, however. The strength of a RAM disk from a security point of view is simultaneously a danger from almost every other: the volatility of RAM means you could easily lose everything in your RAM disk if any of the following occur: you eject the disk accidentally, the computer crashes, the power fails or the battery runs flat, you log out or restart the computer. Keep these points in mind and only use your RAM disk for short sessions. Never store anything solely on a RAM disk if preserving the data is of importance to you.
🙂
protect your mac from malware, viruses and other threats

If you’re new to Mac, you’re probably thinking that it’s a no-brainer that you need some kind of anti-virus app. Once you start looking around the web for reviews, it’s inevitable that you’re going to come across the Great Mac AntiVirus Debate: in the one corner, those who say Mac users who forego antivirus protection are arrogant and just setting themselves up for a fall, and in the other those who’ve used Macs for umpteen years, never had or heard of any real threat, and consequently say AV software is a waste of time.
You can read round this debate for years and never come to a satisfying conclusion, largely because it’s as much about what you ‘ought’ to do as it is about what is the case. Just because you’ve never had any viruses, doesn’t mean you won’t get one tomorrow. And yet, there are NO viruses in the wild known to affect macs, and so when one does arrive, it will be unknown to your AV scanner. Hence, an AV Scanner is just a waste of system resources (and possibly money, if you paid for it). Yikes! What do I do!!
What you do is sidestep the whole debate and stop thinking only about virus scanners, which after all deal with only a small subset of all the possible attack vectors in the internet age, and start thinking in terms of vulnerability scanners. Unlike a simple virus scanner, a vulnerability scanner examines your system not only for malware but also for any vulnerabilities in commercial software, plug-ins, your system setup (including network and other sharing settings) and other installed items. The scanner will not only explain the threat and its severity but also tell you what, if anything, you need to do, recommend patches and guide you to links for more info where available.
You can use something like Nessus for free if you are a home user, which will give you a far better insight into the possible attacks someone could implement on your system (and it will check your system against almost all of the major virus scanner databases like Symantec, etc).
Even better, a vulnerability scanner like Nessus won’t just examine your machine, it’ll look at everything else (and all the installed apps) of anything on your home network including phones (any platform), other computer systems (any OS), and even your router.
are keyloggers ethical?
I recently helped a user track down a keylogger on his computer. While this case was certainly one of being ‘snooped’ on (the keylogger had been installed on his own machine by a third party), this got me to thinking: are keyloggers ever ethical?
While they can be used for nefarious purposes (spying on your partner or colleagues, for example), they can also help you track down a stolen laptop, aid companies in detecting illegal behaviour or corporate espionage by employees, and help parents protect their children from internet pests.
Feeling conflicted, I thought the best people to ask would be you! So what do you think? Click on one of the options below and hit ‘vote’ to take the poll, and/or leave your thoughts in the Comments!
how to remove Lion Recovery disk
If you have reverted your mac to Snow Leopard from Lion, it’s important that you also remove the Recovery HD, as it can compromise the security of your Snow Leopard installation (for security issues with Lion, see here). Reverting to SL via Time Machine or restoring from a clone will leave the Recovery partition in place, meaning anyone can boot into it and reset your Snow Leopard passwords merely by restarting your mac while holding down the ‘option’ key.
To remove the Recovery disk follow this procedure:
1. Revert back to Snow Leopard using Time Machine or a clone.
2. Once you’re up and running and have confirmed everything is good, go to Terminal (Applications > Utilities > Terminal) and paste/type this command to confirm the presence of the Recovery HD:
diskutil list
then press ‘Return’. If you see a partition labelled something like this
Apple_Boot Recovery HD (see image above)
then you will need to continue with the rest of the procedure. If the Recovery HD is not listed here, you do not have the Recovery partition and need not worry further.
3. If you find the Recovery HD in the list, paste the following command into Terminal:
defaults write com.apple.DiskUtility DUDebugMenuEnabled 1
Press ‘Return’.
Now open Disk Utility (Applications > Utilities > Disk Utility). In the menubar at the top, choose Debug > ‘Show every partition’
On the left in the main Disk Utility window, you’ll be able to see ‘Recovery HD’ (it’ll be greyed out). You can click ‘Mount’ in the toolbar to make it active, and you can now delete it using control-click/right click – erase or by using the ‘erase’ tab in DU’s window.
If you want to confirm that the Recovery disk is no longer present, go back to Terminal and type the command from step 2.
how to secure your mac (OS X Lion)

Security in OS X Lion is a big problem that not many people are aware of, and here’s why: your Lion computer contains the install/recovery disk on the internal drive. That means anyone with a basic knowledge of Mac and Lion can start up your mac and reset your passwords, thereby accessing your user accounts and all your personal data. The same trick can help kids easily get round restrictions applied through OS X’s ‘Parental Controls’ feature.
How is this possible, you may ask? First, a little history. Among the 250 changes vaunted about Lion over its predecessor, Snow Leopard, there is one that is widely known but whose implications are rarely pointed out: you download the OS rather than install it from a disc. In the past, if your OS went bad and needed to be recovered, or you forgot your admin passwords, the simplest answer was to insert your install disk. From that, you could restore the OS and reset your passwords. That made your Mac a little safer (though not entirely safe) so long as your disc was kept somewhere physically different from your computer.
With Lion having no install disc, Apple had to find an answer as to how to provide the recovery option. The solution was to install a Recovery partition on the same disk as the operating system itself. In the event that the OS goes bottoms up and needs to be recovered or re-installed, you just restart your computer holding down the ‘command’ and ‘r’ keys to access the Recovery partition.
So far so good, but likewise, just as with the old DVD install discs, you — or anyone else — can also reset the user account passwords from the Recovery partition. That means your passwords are effectively useless. Anyone who wants to hack your user account just has to restart your Mac holding down ‘command’ and ‘r’ and then use the built-in Password Utility to make new passwords for your accounts. Now I’m not going to tell you quite how to do it (you do need a little knowledge to get the user account names and know how to do the reset) but it is widely publicized elsewhere, and indeed even in Apple’s own online documentation (so if you really want to know, google is your friend or follow some of the links in this post…).
What’s the answer to this security nightmare? Here’s one thing that’s NOT the answer but which I have seen widely touted: setting a firmware password. If you’re not familiar with the concept of the firmware password, don’t worry. It is practically useless, since anyone can reset that simply by taking off the back of your computer, and then pulling out and then putting back in one of the memory chips.
Apple, of course, thought about this problem. Their own solution is to encourage you to use FileVault 2 (FV2) to encrypt all your data. Indeed, this is the BEST solution. Without your password, no one can access the disk on your computer no matter what they do (and that includes YOU if you forget it…). However, there are a couple of drawbacks to FV2. One is that it requires extra disk space, and if you have more than one partition on your hard drive, or a lot of data, and little space you may not be able to encrypt and decrypt your data. The other drawback is that FV2 places a little extra wear-and-tear on your hard disk (though that may be negligible given the security pay off).
Using FileVault 2 is really the only security option if you’re using Lion. However, if you don’t have the space for it, there is a ‘second-best’ strategy (see below why it’s only ‘second best’), and that is to remove the recovery disk and use a clone as your recovery option instead (WARNING: the Recovery disk is required for FileVault 2, so by removing it you will also remove the ability to use FV2).
There are a couple of ways to remove the recovery partition on your internal disk, but this is probably the best:
1. Clone your current system to an external disk using Carbon Copy Cloner. This will clone your entire system exactly as it is now, but it will not copy the Recovery disk.
2. Still booted into your internal OS (the one on your machine), open Terminal.app and paste the following command:
defaults write com.apple.DiskUtility DUDebugMenuEnabled 1
Press ‘Return’.
3. Open Disk Utility.app (Applications/Utilities/Disk Utility.app). In the menu bar of Disk Utility, choose Debug > Show Every Partition.
4. In the left-hand pane of Disk Utility, you can now see the Recovery HD. Click on it. Then click on the Erase tab on the (larger) right-hand pane. Click the Erase button down there on the bottom right.
5. Quit Disk Utility.
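Both this procedure and the Snow Leopard one above start from the same question: is there a Recovery HD on the internal disk at all, before and after the erase? As an added example (not part of either original post), this script parses `diskutil list` output for an `Apple_Boot Recovery HD` entry, reports its identifier, and enables Disk Utility’s Debug menu only when one is found. The listing embedded in it is constructed for the example; the live check assumes OS X’s `diskutil` and `defaults`.

```shell
#!/bin/sh
# Added example (not from the original posts): detect a leftover Recovery HD
# from 'diskutil list' output and, if present, enable the Disk Utility Debug
# menu needed for Debug > Show Every Partition. Assumes OS X tools.

# Constructed sample listing in the layout 'diskutil list' prints.
SAMPLE_DISKUTIL_LIST='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'

# Print the identifier (e.g. disk0s3) of every Apple_Boot "Recovery HD" line.
recovery_partitions() {
    printf '%s\n' "$1" | awk '/Apple_Boot +Recovery HD/ { print $NF }'
}

# Exit status 0 when a Recovery HD is present in the listing, 1 otherwise.
has_recovery_hd() {
    [ -n "$(recovery_partitions "$1")" ]
}

# The command from step 2 of the post; it only changes a preference file.
enable_du_debug_menu() {
    defaults write com.apple.DiskUtility DUDebugMenuEnabled 1
}

# Live check against this Mac (run before, and again after, erasing it).
check_live() {
    listing=$(diskutil list) || return 2
    if has_recovery_hd "$listing"; then
        echo "Recovery HD present on: $(recovery_partitions "$listing")"
        echo "Enabling Disk Utility's Debug menu; use Debug > Show Every Partition to erase it."
        enable_du_debug_menu
        return 1
    fi
    echo "No Recovery HD found."
}

[ "${1:-}" = "--live" ] && check_live
```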
Now you can use your bootable clone as your recovery disk if your OS becomes corrupt and no one can boot up your computer with ‘command-r’. If you keep the clone backed up on a regular incremental schedule (you can choose anything from once an hour, once a day, week, or month), you can simply restore a corrupted internal disk to exactly the same state as your last backup.
Why only ‘second best’?
As alluded to earlier, it is still possible for advanced users to start up your mac and reset the password without the Recovery partition (this was also true in Snow Leopard even without the install disc). In fact, what this procedure does is give your OS X Lion installation the same security level as an OS X Snow Leopard installation, which is not actually that great, but better than Lion with a Recovery disk! Also, if you are storing highly sensitive data, don’t neglect the fact that someone who has complete unfettered access to your hard drive could even remove the disk and recover the data using special software.
The short story is if you want to be absolutely certain that your data is secure, FileVault 2 is really your only option.
featured picture Security Workstation by digitalhadz