Thursday, October 18, 2018

Apple's New Privacy Pages:
Your Reading Assignment!

--

In this day and age, when the western world is being increasingly China-fied and Russia-fied, IOW devolving into totalitarian surveillance states, it's wonderful to watch Apple resist and insist upon user privacy. Good on 'em!

It used to be that Apple merely provided semi-annual transparency reports, annual white papers on Apple gear security and some diffuse documents about securing, hardening our Apple devices. Now, everything has been gathered into one area on their website for easy access along with elaborations no doubt inspired by EU's GDPR, General Data Protection Regulations.


Where to start:


Privacy - Apple
The pages tend to be iOS centric, no surprise of late. But Apple's privacy policy is relevant to Mac gear as well. As we dig into the various sub-subjects, we find an elaborate exposition of Apple security details. Take an hour and dig around. If you require security on your Apple gear, it's worth the time to read through it all in order to know what Apple offers and how to put it to work for you.

Topics include:

  • Encryption (Get stuffed Australia surveillance maniacs!)
  • Apple Pay
  • iMessage, FaceTime
  • Health and fitness data
  • Analytics (under our control!)
  • Safari
  • iCloud
  • Education
  • Advertising
  • Photos
  • Siri & Dictation
  • HealthKit
  • Music
  • News
  • Maps
  • Siri & Spotlight
  • DeviceCheck
  • HomeKit
  • ResearchKit
  • CareKit
  • CloudKit
There are odds and ends here I'd hadn't been aware of!

The core of the Privacy site is Manage Your Privacy. All of us should dig through this page in order to maximize our understanding and control of our own privacy settings.


What everyone should read NOW:


Manage Your Privacy:

Each of these sections provides links to helpful, more detailed information. 

Of most immediate concern is this section under Manage your Apple ID:

Beware of phishing! Phishing spam has become increasingly elaborate and deceitful. The worst of these are the fake charge receipts. The idea is to send us scrambling to UNdo charges we are lead to believe have been made without our permission. They are remarkably successful, as has been demonstrated most explicitly in China in recent weeks. Apple provides further elaboration about phishing HERE 


It takes time to pour through all this, but it's well worth it.


.
--

Tuesday, October 16, 2018

iOS 12.0.1 Security Bug Workaround (O_o)

--

Yes, here we go again. The Bug:

New iPhone Bug Gives Anyone Access to Your Private Photos
...The new hack allows anyone with physical access to your locked iPhone to access your photo album, select photos and send them to anyone using Apple Messages. 
Since the new hack requires much less effort than the previous one, it leaves any iPhone user vulnerable to a skeptic or distrustful partner, curious college, friend or roommate who could access your iPhone's photo album and grab your private photos....
The new passcode bypass method works on all current iPhone models, including iPhone X and XS devices, running the latest version of the Apple mobile operating system, i.e., iOS 12 to 12.0.1
Until Apple comes up with a security patch, you can temporarily fix the issue by disabling Siri from the lockscreen. Here's how to disable Siri: 
Go to the SettingsFace ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) and Disable Siri toggle under "Allow access when locked."
(Bolding mine).

If you kept the workaround for the similar bug in iOS 12.0, then you're already safe. 


The general consensus at this point is that it is UNSAFE to leave Siri on when the screen of an iOS device is locked. Therefore, we might want to leave Siri disabled when locked. That means we have to unlock the device first, then access Siri. As ever, it's convenience versus security. Take your pick, find your balance.


--

Saturday, September 29, 2018

iOS 12.0 Security Bug Workarounds

--

One of my common themes is the difficulty of writing secure software in our ever more complicated coding times. [Detailed rant withheld.] Therefore, any code of substantial complexity is going to have bugs and the worst bugs are typically security holes. The computer security community gradually adjusts to increased code complexity through new processes of complex code scrutiny. Here are a couple excellent examples along with, thankfully, a couple convenient workarounds. I've added relevant screenshots below:

Complex iOS passcode bypasses grant access to iPhone Contacts and Photos
By Mikey Campbell @appleinsider
Friday, September 28, 2018
A pair of extremely involved passcode bypasses discovered in Apple's latest iOS 12 can grant attackers access to Contacts and Photo data on a user's iPhone, including models protected by Face ID. . . .
Apple has yet to address the vulnerabilities in the latest iOS 12.1 beta. Concerned users can minimize exposure to the apparent bugs by disabling Siri lock screen access in Settings > Face ID & Passcode or Settings > Touch ID & Passcode under the "Allow access when locked" heading. The second attack can be thwarted by enabling password protection for Notes by navigating to Settings > Notes > Password



Please read through Mikey Campbell's article before enacting the workarounds in order to understand what you're changing in iOS 12. Turning off Siri at the lock screen may not cause problems. However, creating and having to use a password for your Notes may create inconvenience. It's the usual theme of security vs. convenience.

--

Thursday, June 7, 2018

Another In-The-Wild Adobe Flash Exploit,
Another Out-Of-Band Update

--

Same old story. Flash is being exploited in-the-wild again. Adobe has pushed out another unscheduled Flash update. The new version is Adobe Flash 30.0.0.113. Update ASAP if you don't already have Flash automatic update running. Or simply tip the Flash Internet plugin into your Trash and empty it.

Security updates available for Flash Player | APSB18-19
Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 29.0.0.171 and earlier versions.  Successful exploitation could lead to arbitrary code execution in the context of the current user. 
Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.
And Adobe has also pushed out at the same time Adobe AIR 30.0.0.107. So far, the update has no security update document.

Remember to ONLY download Adobe stuff DIRECTLY from Adobe. Never, ever, ever trust any Adobe installers that are shoved at you by any website. They're 100% fake and a prominent source of malware infection.

Those Adobe download pages are:

Adobe Flash: https://get.adobe.com/flashplayer/
Adobe AIR: https://get.adobe.com/air/
Adobe Reader DC: https://get.adobe.com/reader/
Adobe Shockwave: https://get.adobe.com/shockwave/

--

Monday, May 14, 2018

Critical Out-Of-Band Adobe Security Updates!
And ongoing minor Mac concerns...

--
Adobe has just announced to critical updates for Adobe Acrobat and Reader and Adobe Photoshop CC. The announcements are linked and summarized below:
APSB18-09: Security update available for the Adobe Acrobat and Reader

Originally posted: May 14, 2018

Summary: Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS. These updates address critical vulnerabilities, and successful exploitation could lead to arbitrary code execution in the context of the current user. Adobe recommends that customers apply the appropriate update using the instructions provided in the "Solution" section of the security bulletin.

Priority Rating: Adobe categorizes this update as priority 1.


APSB18-17: Security updates available for Adobe Photoshop CC

Originally posted: May 14, 2018

Summary: Adobe has released updates for Photoshop CC for Windows and macOS. These updates resolve a critical vulnerability in Photoshop CC 19.1.3 and earlier 19.x versions, as well as 18.1.3 and earlier 18.x versions. Successful exploitation could lead to arbitrary code execution in the context of the current user. Adobe recommends that customers apply the appropriate update using the instructions provided in the "Solution" section of the security bulletin.


Priority Rating: Adobe categorizes these updates as priority 3.
The new patched versions are:

• Acrobat DC and Acrobat Reader DC v2018.011.20040
• Acrobat 2017 and Acrobat Reader DC 2017 v2017.011.30080
• Acrobat DC (Classic 2015) and Acrobat Reader DC (Classic 2015) v2015.006.30418

• Photoshop CC 2018 v19.1.4
• Photoshop CC 2017 v18.1.4

Update IMMEDIATELY. Exploits have not been reported by Adobe to be in-the-wild. But the Acrobat patches are of highest priority and plentiful.

There was also the usual monthly security patch of awful Adobe Flash on 'Patch Tuesday', the second Tuesday of the month. Several other security patches were released as well. The list of Adobe's latest security patch updates can always been found here:

https://helpx.adobe.com/security.html

- - - -



What Else Is Up?

There aren't many Mac security concerns at the moment. In the mean time, I highly recommend everyone obtain and use the free Malwarebytes Anti-Malware application, run it and keep it up-to-date. My colleague Thomas Reed has been doing a great job enabling it to find all current adware and PUPs (potentially unwanted programs) as well as the few active Mac malware.

Up and coming is Thomas Reed's Malwarebytes for iOS, seeing as Thomas is now in charge of mobile security as well as Mac security at Malwarebytes. The free version of the app will assist iOS device users with ad blocking and text message filtering. The Premier version will help protect users from malicious cell phone calls and malicious web sites. The app is currently in beta.

There isn't any active malware of iOS these days. Subsequently, Apple has removed and forbidden any apps that scan for iOS malware. Meanwhile, Apple has identified and removed several apps that surveil users from its App Store. They are in violation of Apple's iOS programming rules. It's disconcerting that these apps were originally approved and allowed to run on user devices. Thankfully, Apple has caught up with their oversight and removed the problem.

The biggest security hole in the entire Mac and iOS security system remains the same as last year: Rogue developers who've paid for Apple security certificates then applied those certificates to malicious software. The consequences of this security hole in Apple's certification system pop up all over the world from time to time. I wish these rogue certificates were an impossibility. However, Apple's only solution for now is to pull these certificates, making the malicious applications essentially inert. Stolen certificates from enterprise developers remains a problem. But Apple appears to have taken better control of them as I have not heard of any enterprise certificates being applied to malicious software in 2018. Let's hope it stays that way.

Spectre & Meltdown 



Of GREAT concern to every Intel and AMD CPU user is the ever evolving and elaborating Spectre (speculative execution) hardware security vulnerability catastrophe. Apple, as well as other computer manufacturers, have been responding as best they can in coordination with Intel and AMD. But the Spectre problems are profound and have no full solution in sight. Fortunately, exploiting Spectre is relatively difficult and no major exploitation has been reported in-the-wild. As this catastrophe unfolds, be certain to keep up-to-date with Apple security patches.

Of related concern has been the Meltdown vulnerability in Intel, AMD, ARM (Apple A-Series) and IBM Power CPUs. Meltdown has been easier to mitigate and has not become a concern on Mac computers. Just be certain you're up-to-date with Apple security updates.

Apple has provided a document about Spectre and Meltdown and its mitigations here:

About speculative execution vulnerabilities in ARM-based and Intel CPUs

iMore has kindly provided further information here:

'Meltdown' and 'Spectre' FAQ: What Mac and iOS users need to know about the Intel, AMD, and ARM flaw

Rowhammer
Continuing and evolving is exploitation of the DRAM Rowhammer phenomenon. It affects all DDR3 and DDR4 SDRAM. It affects all modern Mac computers. There is no for solution for this problem. The phenomenon is a product of the ever shrinking and subsequently spatially intimate physical components of RAM chips. Some attempts at using software mitigations have been tried and more are forthcoming. But the problem has not been solved. Fortunately, there have not been any active exploits on Mac or iOS hardware. If an exploit is reported, I'll be posting.

Newly discovered is a method of exploiting Rowhammer using GPU memory chips on Android devices. The exploit is called GLitch and can be triggered by malicious JavaScript embedded into web pages.  So far, there has been no similar exploit discovered for iOS devices.

APFS: Not Ready For Prime Time 


In March, there was concern over a severe programming bug found in Apple's as yet unfinished APFS file system, exploitable on devices running macOS 10.13 and 10.13.1 High Sierra. The bug allowed a simple command in the OS terminal to reveal the administrative password for an APFS encrypted Mac device. The exploitation command could be enacted either by direct physical access to the Mac or via malicious code on a web page. Macs running macOS 10.13.2 and higher have been patched against this security bug. More about this situation can be found here:

Apple macOS Bug Reveals Passwords for APFS Encrypted Volumes in Plaintext
It should be noted that you would not find the password in the plaintext when converting a non-APFS drive to APFS and then encrypting the drive.
My advice regarding APFS, the new Apple File System, remains the same: Don't use it. 

• The finished APFS specification has not been released to developers or the public.

• APFS is still incompatible with Fusion drives.

• There continue to be problems accessing APFS partitions from HFS+ Macs, despite Apple's attempts to provide a solution.

• There is no complete method for repairing APFS systems apart from Apple's meagre Disk Utility application. Micromat was the first and currently only disk utility developer to provide partial repair support for APFS in TechTool Pro 9.6+. But Micromat make it clear that it is not a complete APFS repair solution. All disk utility developers point out that the reason for this delay continues to be Apple and their unwillingness / inability to provide finished APFS specification documentation.

IOW: APFS is not a finished standard. It is not ready for prime time. IMHO, it is to be avoided.

Meanwhile, Apple says:
When you install macOS High Sierra on the Mac volume of a solid-state drive (SSD) or other all-flash storage device, that volume is automatically converted to APFS. Fusion Drives, traditional hard disk drives (HDDs), and non-Mac volumes aren’t converted. You can’t opt out of the transition to APFS.
Wrong. There is a solution to Apple's forced conversion of HFS+ to APFS when installing High Sierra. I suggest enacting this solution unless you have some compelling reason to experiment with APFS. You can read about the solution here:

How to Skip Converting to APFS When Installing macOS High Sierra
Despite the Apple support article saying that you can’t opt out of the transition to APFS, it turns out that you can skip APFS if you choose to start the installer from the command line of Mac OS and give a directive to skip file system conversion.



Potentially helpful for those who have converted to APFS is the free downloadable APFS Retrofit Kit available from Paragon:
If you work on a Mac computer with macOS 10.10 to 10.12 and want to read APFS-formatted HDD, SSD or flash drives, you need APFS Retrofit Kit for macOS by Paragon Software. 
Paragon is working to provide the kit for Windows and Linux users as well. Due to my concern that APFS is an unfinished standard, use Paragon's kit with caution. 

And as ever, Make A Backup before engaging in any computer device adventure. It will save your butt. It's the #1 Rule of Computing!

HEY APPLE! FINISH APFS ALREADY! Sheesh. 

Stay safe out there kids.

:-Derek

~ ~ ~ ~ ~ 


Addendum Reading Assignment:

How many ways can a PDF mess up your PC? 47 in this Adobe update alone
Tons of critical fixes for Reader, Acrobat and Photoshop
--

Sunday, February 4, 2018

Active Adobe Flash Zero-Day Exploit Active
In-The-Wild

--

Same old story. Don't Use Flash v28.0.0.137 (or earlier) until Adobe provides an update! The update should be out this coming week. Keep an eye out.

The current known attack vector, CVE-2018-4878, is a malicious Microsoft Excel document containing a malware Flash object which, when opened, triggers the installation of ROKRAT, (Remote Administration Tool), capable of taking over the infected computer. At this time, the infection vector is assumed to have originated in North Korea and is primarily targeting South Korea.

Adobe's Security Advisory:
A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

Adobe will address this vulnerability in a release planned for the week of February 5.
More about the exploit from Dan Goodin at Ars Technica:

An Adobe Flash 0day is being actively exploited in the wild
Adobe plans to have a fix for the critical flaw next week.
... While the number of in-the-wild attacks exploiting Flash zerodays has dropped significantly over the past year or two, the risk posed by the Adobe media player remains unacceptably high relative to the benefit it provides most users. And now that word of the vulnerability is circulating, it wouldn't be surprising for other groups to use it against a much wider audience.
[Note that Ars Technica quotes the CVE as "2018-4877" as opposed to 2018-4878. I consider '2018-4877' to be a typo. Sadly, as usual, Dan's article is being quoted verbatim around the Internet along with the wrong CVE number. Stick with CVE-2018-4878, the CVE identified by Adobe. Because of the precautions taken at CVE.Mitre.org, it's impossible to identify the differences between these two CVE numbers until after the current zero-day as been patched. Meanwhile, the NIST (National Standards of and Technology) CVE database doesn't yet list either number. Bureaucracy at work. Zzzz.]

CONCLUSIONS:

Don't use Microsoft Excel
Don't use Adobe Flash

:-Derek

--