Tuesday, February 18, 2020

New & Useful Article Strategy: The Daily (mostly) Collection of Mac Security Articles

--


Despite distractions, I still scan all the computer security news every day. Therefore, why not simply list the pertinent articles every day in the Mac-Security blog? So will it be.

I suspect I’ll still elaborate upon major situations and notable blundering in the field. But I figure it will be useful to scan daily (mostly) lists of collected Mac Security articles to those who like to keep up but don’t have the time to dig for research.

These daily data dumps will be relatively quick and easy for me and hopefully useful to others. Article titles will list collection dates as well as major topics of concern. And of course, as subjects of keen interest arrives, I’ll post the usual dedicated declamations. Inspired illustrations will arrive by whim.

Share and Enjoy.

:-Derek


--

Monday, December 23, 2019

Oh Good, A Secure IoT Standard At Long Bloody Last, Kind Of... Sort Of... Maybe...

--
I'll believe it when I see it. 
Don't count your horses just yet. ;-)


Meanwhile, read with hope in your heart:

The IoT wars are over, maybe? Amazon, Apple, Google give up on smart-home domination dreams, agree to develop common standards
The bad news: You may have to buy all new kit if you want things to work
By Kieren McCarthy in San Francisco 18 Dec 2019 at 19:41
https://www.theregister.co.uk/2019/12/18/iot_standards_war/
After years of trying and failing to dominate the smart home market with their own standards, tech giants Amazon, Apple and Google have finally agreed to work on a set of common code that will allow smart home products, from thermostats to cameras to plugs to digital assistants, to work together seamlessly. 
The new “Connected Home over IP” approach will be developed through a new working group within smart home veteran organization the Zigbee Alliance, and the broad brush blueprint of the new standard is stark in its obviousness. It will be an IP-based protocol so it can connect directly to the internet rather than require a hub; it will be open-source and royalty-free and allow for end-to-end secure communication; and it will work with core standards like Bluetooth and Wi-Fi. 
The new standard should emerge in draft form in late 2020, meaning that 2021 will be the start of a new era in smart home tech, where Alexa talks to Nest and you can have a single app on your phone to talk to everything else....
OK!
But wait!
What about...?

Microsoft built its own custom Linux OS to secure IoT devices
https://thehackernews.com/2018/04/microsoft-azure-sphere-iot-linux.html

AND

FIDO Alliance looks to create standards for internet of things devices
https://www.cnet.com/g00/news/fido-alliance-looks-to-create-standards-for-internet-of-things-devices/

--

Tuesday, October 15, 2019

Filler: What I'm Up To...

--

An explanation of what I've been up to. For visitors who've wished I had been around lately, thank you.


I continue to keep up with Mac security news every day. Somehow, it's play time for my brain. But I've lost a sense that I have much to contribute to it here at Blogger. The blog sometimes had 1000 readers a day, but that hasn't been enough of an incentive for me. Doing the routine of collecting and repeating what's going on in the field isn't inspiring or useful. Instead, I've been posting around the net about ongoing Mac security situations when I see a need for comments. I'm a regular at both Ars Technica and The Register.


Recently, the majority of the Mac security gestalt I've been part of has gone professional. My oft-times collaborator Al Varnell and I continue to contribute to the group when something unique, obscure and important shows up. But generally, we wander and stray where we are needed. Most of the rest of the group is now in a semi-state of competition. That's a good thing as it is part of the maturing of the Mac security community. It means blogs like this one are less necessary and useful. There are now some excellent places to keep up with Mac security news and methods.


Locally, I'm still working with the computer/technology user group as it inevitably shrinks. I tend to present something each month about security. Lately, I've been presenting about block chain and cryptocurrency.


Meanwhile, the computer security business in general, both practical and journalistic, remains unprofessional, unscientific, unstandardized, haphazard, detrimentally lazy and ignorant. The more I chatter about this fact, the less inclined I am to bother. There is little ongoing change apart from the very beneficial proliferation of people involved with computer security and places to learn about and keep up with what's going on. There is still plenty of wrong information being proliferated, a standard ignorance of best security practices and standards. Software and hardware coding quality isn't improving. General cynicism regarding human comprehension of technology and coding increases, not decreases, over time. Scapegoating technology for the failings of we humans subsequently increases via the usual default human behaviors. Short-term thinking in pursuit of quick cash remains the norm, along with the inevitable long-term catastrophes. A simple example, IMHO, is continued blight that is the Android operating system, despite supposed efforts to bring its security under control.


I can also point at Apple's periodic lackadaisical attitude toward security. This has been a relatively horrible year for Mac and iOS device security with some outright stunning and occasionally irreparable harm done. Still, Apple gets accolades because their lethargy is far superior to the vast majority of the rest of the technology industry. 


The most extreme ongoing example of worthless garbage, absent of reliable security, is IOT: The Internet Of dangerous Things. Abominable. If I were to write a blog about IOT, it would consist of the same statement every day: DON'T. There is at last a working security standard for IOT. But whether it catches on, whether it actually helps, we'll have to wait and see. For now, IOT is GeeWhiz! techno garbage for the tech-ignorant consuming masses. Again, the lack of professionalism in computer security resounds. Or is this assumed incompetence actually or partially a method of extending hacker, business and governmental surveillance of the world's citizenry? Time will tell.


So, be careful out there. If something critical shows up in the Mac security community, if I have something insightful or professorial to offer, I'll still be around.


:-Derek



--


Thursday, October 18, 2018

Apple's New Privacy Pages:
Your Reading Assignment!

--

In this day and age, when the western world is being increasingly China-fied and Russia-fied, IOW devolving into totalitarian surveillance states, it's wonderful to watch Apple resist and insist upon user privacy. Good on 'em!

It used to be that Apple merely provided semi-annual transparency reports, annual white papers on Apple gear security and some diffuse documents about securing, hardening our Apple devices. Now, everything has been gathered into one area on their website for easy access along with elaborations no doubt inspired by EU's GDPR, General Data Protection Regulations.


Where to start:


Privacy - Apple
The pages tend to be iOS centric, no surprise of late. But Apple's privacy policy is relevant to Mac gear as well. As we dig into the various sub-subjects, we find an elaborate exposition of Apple security details. Take an hour and dig around. If you require security on your Apple gear, it's worth the time to read through it all in order to know what Apple offers and how to put it to work for you.

Topics include:

  • Encryption (Get stuffed Australia surveillance maniacs!)
  • Apple Pay
  • iMessage, FaceTime
  • Health and fitness data
  • Analytics (under our control!)
  • Safari
  • iCloud
  • Education
  • Advertising
  • Photos
  • Siri & Dictation
  • HealthKit
  • Music
  • News
  • Maps
  • Siri & Spotlight
  • DeviceCheck
  • HomeKit
  • ResearchKit
  • CareKit
  • CloudKit
There are odds and ends here I'd hadn't been aware of!

The core of the Privacy site is Manage Your Privacy. All of us should dig through this page in order to maximize our understanding and control of our own privacy settings.


What everyone should read NOW:


Manage Your Privacy:

Each of these sections provides links to helpful, more detailed information. 

Of most immediate concern is this section under Manage your Apple ID:

Beware of phishing! Phishing spam has become increasingly elaborate and deceitful. The worst of these are the fake charge receipts. The idea is to send us scrambling to UNdo charges we are lead to believe have been made without our permission. They are remarkably successful, as has been demonstrated most explicitly in China in recent weeks. Apple provides further elaboration about phishing HERE 


It takes time to pour through all this, but it's well worth it.


.
--

Tuesday, October 16, 2018

iOS 12.0.1 Security Bug Workaround (O_o)

--

Yes, here we go again. The Bug:

New iPhone Bug Gives Anyone Access to Your Private Photos
...The new hack allows anyone with physical access to your locked iPhone to access your photo album, select photos and send them to anyone using Apple Messages. 
Since the new hack requires much less effort than the previous one, it leaves any iPhone user vulnerable to a skeptic or distrustful partner, curious college, friend or roommate who could access your iPhone's photo album and grab your private photos....
The new passcode bypass method works on all current iPhone models, including iPhone X and XS devices, running the latest version of the Apple mobile operating system, i.e., iOS 12 to 12.0.1
Until Apple comes up with a security patch, you can temporarily fix the issue by disabling Siri from the lockscreen. Here's how to disable Siri: 
Go to the SettingsFace ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) and Disable Siri toggle under "Allow access when locked."
(Bolding mine).

If you kept the workaround for the similar bug in iOS 12.0, then you're already safe. 


The general consensus at this point is that it is UNSAFE to leave Siri on when the screen of an iOS device is locked. Therefore, we might want to leave Siri disabled when locked. That means we have to unlock the device first, then access Siri. As ever, it's convenience versus security. Take your pick, find your balance.


--

Saturday, September 29, 2018

iOS 12.0 Security Bug Workarounds

--

One of my common themes is the difficulty of writing secure software in our ever more complicated coding times. [Detailed rant withheld.] Therefore, any code of substantial complexity is going to have bugs and the worst bugs are typically security holes. The computer security community gradually adjusts to increased code complexity through new processes of complex code scrutiny. Here are a couple excellent examples along with, thankfully, a couple convenient workarounds. I've added relevant screenshots below:

Complex iOS passcode bypasses grant access to iPhone Contacts and Photos
By Mikey Campbell @appleinsider
Friday, September 28, 2018
A pair of extremely involved passcode bypasses discovered in Apple's latest iOS 12 can grant attackers access to Contacts and Photo data on a user's iPhone, including models protected by Face ID. . . .
Apple has yet to address the vulnerabilities in the latest iOS 12.1 beta. Concerned users can minimize exposure to the apparent bugs by disabling Siri lock screen access in Settings > Face ID & Passcode or Settings > Touch ID & Passcode under the "Allow access when locked" heading. The second attack can be thwarted by enabling password protection for Notes by navigating to Settings > Notes > Password



Please read through Mikey Campbell's article before enacting the workarounds in order to understand what you're changing in iOS 12. Turning off Siri at the lock screen may not cause problems. However, creating and having to use a password for your Notes may create inconvenience. It's the usual theme of security vs. convenience.

--

Thursday, June 7, 2018

Another In-The-Wild Adobe Flash Exploit,
Another Out-Of-Band Update

--

Same old story. Flash is being exploited in-the-wild again. Adobe has pushed out another unscheduled Flash update. The new version is Adobe Flash 30.0.0.113. Update ASAP if you don't already have Flash automatic update running. Or simply tip the Flash Internet plugin into your Trash and empty it.

Security updates available for Flash Player | APSB18-19
Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 29.0.0.171 and earlier versions.  Successful exploitation could lead to arbitrary code execution in the context of the current user. 
Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.
And Adobe has also pushed out at the same time Adobe AIR 30.0.0.107. So far, the update has no security update document.

Remember to ONLY download Adobe stuff DIRECTLY from Adobe. Never, ever, ever trust any Adobe installers that are shoved at you by any website. They're 100% fake and a prominent source of malware infection.

Those Adobe download pages are:

Adobe Flash: https://get.adobe.com/flashplayer/
Adobe AIR: https://get.adobe.com/air/
Adobe Reader DC: https://get.adobe.com/reader/
Adobe Shockwave: https://get.adobe.com/shockwave/

--