Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Securing your Dessert

June 7, 2018 By Doug

(C) Depositphotos / belchonock

I have a joy/frustration relationship with Apple.  Their products are amazing and have changed my life, and at the same time some of their design decisions and choices are user hostile (dongles).  Their software usually just works, but when it doesn’t, well, you get Siri. On one point though, their heart – and code – is in the right place, and that’s with security and privacy, so kudos Apple: Mojave certainly isn’t a barren desert – it’s a good dessert when it comes to security and privacy.

In their upcoming releases, Apple is doing a number of things to dramatically improve security and privacy.  Safari will now take steps to prevent ‘fingerprinting’ by returning only generic configuration information, and by blocking the tracking embedded in comments and social media buttons.  They’re also removing social media account integration into the OS.  Both those are big changes that provide passive protection against invasive tracking.

Other changes include a really nice password API for tools like 1Password (my password manager of choice and recommendation).  The built-in tools are ok, but I’d rather have a purpose-built solution, and Apple’s now putting that choice into our hands. There are permission prompts for camera and microphone access, end-to-end FaceTime encryption, and a lot of other small refinements too.

One of the more controversial changes is that the device will now block USB data access starting one hour after a passcode was last entered.  That renders GrayKey and similar devices useless – it’s a class-protection feature, rather than whacking the specific bug currently exploited.  Without getting into the policy issue of law enforcement back doors – after all, math is hard and unforgiving (that’s why gravity is not just a good idea, it’s the law) – this is a protection that we all want. Why?  Because it’s only a matter of time before a GrayKey is stolen and reverse engineered.  Then we get a dark-web service: ‘Send us the stolen device, and we’ll send you the data back’.  No thanks.

What else would I like to see?  An option to change my DNS servers to Quad9 or 1.1.1.1 once the initial connection is made (e.g. through a captive portal), for additional protection against tracking and malware (I recommend Quad9, by the way).  Split DNS would be even better – use the network-provided resolver for local traffic, but a standard one for all other queries.  While we can do that on home routers, it’s a real problem when on cellular data.
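Here is what that split-DNS policy looks like on a home router running dnsmasq, as an added example that is not from the original post. The local domain (home.lan), the local resolver address (192.168.1.1) and the LAN prefix (192.168.1.0/24) are assumed values; the two upstream addresses are Quad9’s published resolvers.

```conf
# dnsmasq split-DNS forwarding policy (added example; home.lan, 192.168.1.1
# and 192.168.1.0/24 are assumed values, not taken from the post)

# Do not pick up the ISP's resolvers from /etc/resolv.conf; anything not
# matched by a more specific rule below goes to the explicit upstreams.
no-resolv

# Local traffic: names under the network's own domain, and reverse lookups
# for the LAN prefix, go to the resolver the network itself provides.
server=/home.lan/192.168.1.1
rev-server=192.168.1.0/24,192.168.1.1

# Everything else goes to Quad9. Put 1.1.1.1 here instead if preferred.
server=9.9.9.9
server=149.112.112.112

# Never forward single-label names or private-range reverse lookups upstream.
domain-needed
bogus-priv
```

In dnsmasq a `server=/domain/address` rule takes precedence over a bare `server=address` line for names under that domain, which is what makes this a split rather than a plain override: local names and reverse lookups stay on the LAN, and everything else leaves through Quad9.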

I’d also like to see a per-application outbound firewall on iOS.  I really don’t want my games sending data back, and while I can block it on cellular, I can’t on wifi.  That’s been an outstanding request in their queue for years.

A bigger stretch (because the content providers would probably freak out) would be an iCloud-based VPN, offered as a separate paid service, that ‘just works’ to protect against ISP eavesdropping, tracking, and HTML injection.  The ultimate would be an Apple search engine that doesn’t monetize search data.  Just please don’t have Siri do it, or we’re likely to get a Beatles album when we’re looking for apple pie recipes :).

Seriously, Apple’s gone a long way to making security consumable by everyone, not just those who have the time and inclination to follow (or build) their own recipe.  Kudos to the company, and particularly to Tim Cook for building a business model of serving customers instead of exploiting consumers. That’s a big reason why I recommend Apple products to my family and friends – secure apple pie makes a great dessert.

Filed Under: Security Tagged With: 1password, apple, dessert, FaceTime, password, privacy, quad9, security

Rotten Apples: Mac Anti-malware

December 20, 2017 By Doug

(c) Depositphotos / eggheadphoto

Macs get malware.  There, let the flames begin.  There’s still an impression that Macs are somehow immune and you don’t need any sort of protection.  While it’s true that viruses are very rare, malware (i.e. anything I don’t want running on my system) is quite common.  So what’s the state of Mac antimalware these days?

Back when I ran Windows, buying antimalware software was a no-brainer.  But the Mac has been different – there’s far less malware, the OS is harder to infect (though Windows 10 closed a lot of the gap), and Apple does a decent job with XProtect of killing the truly malicious software that’s been discovered.  If you remove Java and Flash (you should) and stay off the seedy side of the Internet, your risk of infection is pretty low.

Yet in the past month, I’ve removed malware from two of my friends’ Macs.  One was a bit out of date (and had several infections) but the other was current and fully patched.  In both cases it was a form of adware – something that monitored all internet traffic, phoned home, and inserted ads on web pages.  At least one appears to have been installed from a malicious phishing link, but the other’s infection path wasn’t clear.  After removing it, they both asked me about installing antimalware software, and that’s a challenge.

Over the past year I’ve been searching for a solution that would provide key features:

  • Antiphishing (privacy friendly URL filter)
  • Antimalware (including adware)
  • Stable
  • Low overhead
  • Proactive updates before Apple updates break things with new releases
  • Priced based on the risk (i.e. lower than Windows – but don’t expect free)
  • No spyware/adware/etc

Unfortunately, in my search, I’ve yet to find a package that does it all.  I looked at nearly every vendor, including Norton, Kaspersky, Bitdefender, Intego, Trend Micro, Sophos, ESET and Malwarebytes among others.

None of them provided privacy-friendly anti-phishing.  All did a pretty good job at antimalware, but only some covered adware.  Most caused stability and performance impacts that weren’t acceptable.  Some were good at being current, others were really bad.  The best were overpriced for the risk, and a number of free ones had things that made me wonder about privacy.  There were a couple I didn’t even look at let alone install (not listed above), as they are nearly malicious in their own right and require nuking the machine from orbit to remove.

In the end, I picked an updated version of my old standby – and the one I used to remove the adware: Malwarebytes.  They’ve recently added real-time protection/prevention capabilities, which is a big boost.  On the Mac, I think it’s moderately overpriced versus the risk and functionality, but not grossly so.  A privacy-friendly URL filter remains a wish-list item.  For the threat that I see, which is primarily adware, it’s the best overall solution for personal or small business use.

Filed Under: Security Tagged With: antimalware, apple, mac, malwarebytes, security, viruses

We are Root – Major macOS Security Flaw

November 28, 2017 By Doug

I don’t normally do ‘breaking news’ but this one’s pretty big.  There’s a login flaw in macOS High Sierra that allows anyone with physical access to a running machine to gain root privileges – we are all root (apologies to the Guardians of the Galaxy).  Details here: https://www.macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/

The workaround in the story, and from Apple, is to set a root password.  Historically that has caused other problems, so beware.  An alternative appears to be to power off the machine (cold boot – not just suspend or hibernate) when leaving it unattended.

It’s a nice find by the researcher.  I doubt we’ll find out the root (pun intended) cause, but it’d be fascinating to know how this happened.  It reminds me of when I managed to unlock my Grandfather’s new Lincoln by simply pushing all the buttons on the door keypad in order twice.  Not a use case that’d show up in testing, but one a typical 10-year-old boy could find in 2 minutes.

This is something similar.  It looks like the result of several well-intentioned attempts to hide security complexity from the user: architecture choices (use a UNIX core), design choices (hide root from the user), security choices (don’t set a root password), and a new change in High Sierra, all chained together to cause a major security vulnerability.  The stuff of nightmares.

Filed Under: Security Tagged With: apple, breaking news, macOS, root, security, vulnerability
