Sunday, December 3, 2017

Number of malware attacks on Macs increased by more than 70%


70% more malware against Macs
In the first three quarters of 2017, the number of malware attacks on Macs increased by more than 70% and PUA (potentially unwanted applications such as adware) by 50% over the previous year (source: F-Secure Labs). The number of threats is growing rapidly as attackers are clearly shifting their efforts towards the often-unprotected Macs.

On October 17, Reuters reported a security breach of the Microsoft Vulnerability Tracking System, a violation that occurred more than four years ago, in 2013. And what was the attack vector related to this security breach? Macs. Our security adviser Sean Sullivan suspected from the start that Macs were involved.

Back in February 2013, he had correctly deduced that Apple Macs were involved in a related hack on Twitter. Given the serious potential damage such hacks could have caused, Sean wrote:

"People who use their Mac for work should not have the same sense of security as home users. It's obvious that work-based Macs are more of a goal, and security expectations should be scaled according to the threat level."

Nothing about the current Mac threat landscape has led Sean to question his earlier assessment. If you're using a Mac for business, Sean says, "You need to take the time to rethink your security profile."

The latest analysis from F-Secure Labs shows that the new malware is predominantly in the spyware category and that over a third of the attacks are targeted attacks. That may not surprise anyone: Macs need protection. However, there are huge differences in how companies have handled the security of their various endpoints. A quick way to solve this is to opt for all-round cyber security protection, such as Protection Service for Business. The new version includes the advanced XFENCE technology, which provides the next level of Mac security.

Glitch forces iPhones to reboot over and over


NEW YORK – Apple iPhones were rebooting themselves over and over Saturday morning.

Phones across the world running iOS 11 encountered a glitch that triggered at 12:15 a.m. local time. A bug in the 11.1.2 software meant that phones using third-party apps to send recurring notifications, like reminders from workout apps or medical apps, would reboot over and over.

Apple did not respond to a request for comment about the glitch and it’s unclear exactly how many users were affected.

A number of iPhone users took to social media and message boards to learn about the glitch and voice frustrations.

“Looks like i found this late but glad it’s patched. I thought my phone was having a hardware failure, worst iOS bug i’ve ever experienced. This was really bad,” wrote Reddit user KarlKrum.

“This is embarrassing. Facepalm,” wrote Reddit user Siannath.

The company took the unusual step of releasing a software update on a Saturday when it pushed iOS 11.2.

The update fixes the rebooting issue and also includes Apple Pay Cash, the company’s new peer-to-peer payment system, faster wireless charging, and new live wallpapers.

Apple typically releases software updates on Tuesdays.

This is just the latest in a string of glitches for Apple over the past few weeks.

In early November, users encountered an error with its text messaging service in which the device would change a typed lower case “i” into a capital “A.”

Earlier this week developers found a security flaw in the company’s macOS High Sierra computer operating system that allowed users to gain administrative access without inputting a password.

For users still experiencing the rebooting glitch, Apple recommends the following steps.

–Tap Settings > Notifications.

–Tap an app, then turn off Allow Notifications. Repeat this step for each app.

–Update your device to iOS 11.2.

–After updating, tap Settings > Notifications and turn Allow Notifications on again for each app.

Friday, October 6, 2017

"Forgot Password" button reveals your actual password


It’s only eight days since Apple’s latest and greatest macOS 10.13 release, better known as High Sierra.

But the first security update has already come out, and we suggest you apply it urgently.

The update is called High Sierra 10.13 Supplemental Update, detailed in the security advisory APPLE-SA-2017-10-05-1.

There are two bugs fixed; the facepalming one is described thus:

[BUG.] A local attacker may gain access to an encrypted APFS volume. If a [password] hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint.

To explain.

APFS is short for Apple File System, Apple’s new way of organising hard disks that replaces the old (but still supported) HFS Plus, a 20-year-old filing system itself derived from Apple’s Hierarchical Filing System, or HFS, that dates back to the 1980s.

By some accounts, APFS was long overdue: HFS Plus dated from the early days of Mac OS, and wasn’t really designed for the Unix core that was introduced in OS X (now macOS).

For example, HFS Plus can’t deal with dates after 2040, and doesn’t allow multiple processes to access the filesystem at the same time, making it more sluggish and less future-proof than other widely-used filing systems such as NTFS on Windows and ext4 on Linux.

New drivers, new utilities

APFS was introduced as Apple’s default and preferred filing system in High Sierra.

This means new drivers inside the operating system to support disks formatted with the new system, and new features in Apple’s disk management utilities to prepare APFS disk volumes for use.

There are two main disk management tools in macOS – the easy-to-use graphical tool Disk Utility, and the super-powerful but arcane command line program diskutil.

It turns out that the APFS support in the High Sierra version of Disk Utility has feet of clay, as we’ll show here.

We erased a USB disk and created a new APFS (Encrypted) volume on it.

Disk Utility prompted us for a password (twice) and an optional hint.
We entered keepthisSecret as the password and The hint should be shown as the hint.

Disk Utility created the encrypted volume and mounted it automatically.
We unplugged the USB disk and then plugged it back in, and macOS asked for the password. We entered keepthisSecret and the disk was unlocked and mounted, showing that the password had been set as expected.
So far, so good, until we unplugged the device and plugged it back in:

Again, macOS asked for the password. This time, we clicked the [Show Hint] button before entering the password.
The password dialog revealed that keepthisSecret has been set as the hint as well as the password.

The text The hint should be shown had, it seemed, simply been thrown away.

In other words, if you set a password hint as suggested, anyone who stole your disk could “hack” the password simply by using Disk Utility’s [Show Hint] button!

What to do?

If you haven’t created any new APFS encrypted volumes since upgrading to High Sierra, you are OK. If you created an APFS encrypted volume but didn’t specify a hint, you are OK. If you created an APFS encrypted volume using diskutil you are OK (the bug is in Disk Utility, not the operating system itself).
If you upgraded to High Sierra from an earlier version of macOS, your disk will have been converted to APFS, but any hint you had before is left untouched (so far as we can tell), so you are OK.

Apply the APPLE-SA-2017-10-05-1 Supplemental Update as soon as you can.
By the way, you can blank out the password hint on any APFS volume, just in case, with the following diskutil command in a terminal window:

$ diskutil apfs hint /Volumes/[YOURNAME] -user disk -clear
Removing any hint from cryptographic user XXXXXXXX on APFS Volume diskYsZ

If there wasn’t a hint, no harm is done, but you’ll see an error message like this, so by repeating the above command until you provoke the error message, you can verify that any hint was indeed scrubbed:

Error editing cryptographic user on APFS Volume:
Unable to set APFS crypto user passphrase hint (-69554)
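
The repeat-until-error check described above can be scripted. This is an added example, not code from the original article or from Apple; it assumes only the High Sierra diskutil messages quoted above (the "Removing any hint" success line, and error -69554 when no hint exists) and lets DISKUTIL point at a stub so the logic can be exercised off macOS:

```shell
#!/bin/sh
# Added example, not from the original article: scrub the passphrase hint on an
# APFS volume and confirm it is really gone. It relies on the High Sierra
# diskutil messages quoted in the article: a successful clear prints "Removing
# any hint ...", and clearing a volume with no hint fails with error -69554.
DISKUTIL="${DISKUTIL:-diskutil}"

# One clear attempt; prints diskutil's combined stdout/stderr and always returns
# 0 so the caller inspects the text rather than the exit status.
clear_hint_once() {
    "$DISKUTIL" apfs hint "$1" -user disk -clear 2>&1 || true
}

# scrub_hint VOLUME [MAX_TRIES]
# Repeats the clear until diskutil says there is no hint left (-69554), which is
# the only confirmation the tool gives. Prints how many hints were removed and
# returns 0 only when the volume was confirmed hint-free.
scrub_hint() {
    vol="$1"
    max="${2:-5}"
    removed=0
    tries=0
    while [ "$tries" -lt "$max" ]; do
        tries=$((tries + 1))
        out=$(clear_hint_once "$vol")
        case "$out" in
            *-69554*)              # no hint set: confirmed clean
                echo "$removed"
                return 0 ;;
            *"Removing any hint"*) # a hint was present and has been removed
                removed=$((removed + 1)) ;;
            *)                     # unknown volume, not the owner, or other failure
                echo "unexpected diskutil output: $out" >&2
                echo "$removed"
                return 1 ;;
        esac
    done
    echo "$removed"
    return 1   # gave up before diskutil ever reported -69554
}

# Usage: sh scrub_hint.sh /Volumes/NAME
if [ "$#" -eq 1 ]; then
    scrub_hint "$1"
fi
```
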

Alternatively, you can overwrite the existing password hint by using the command line option -hint, instead of -clear, like this:

$ diskutil apfs hint /Volumes/[YOURNAME] -user disk -hint "Your hint here"
Setting hint "Your hint here" for cryptographic user XXXXXXXX on APFS Volume diskYsZ

Whatever you do, though, don’t follow the suggestions of Apple’s own diskutil help text, which offers this terrible advice:

$ diskutil apfs hint help
[. . . .]
Set a passphrase hint for an existing cryptographic user; you can specify
"disk" for the "Disk" user. Specifying "-clear" will remove any hint.
Ownership of the affected disks is required.
Example:  diskutil apfs setPassphraseHint disk5s1 -user disk -hint NameOfMyPet

Pets’ names make dreadful passwords, because they’re usually neither secret nor hard to guess, and setting a hint to tell a crook that you have made a dreadful password choice just makes a bad thing worse.

Of course, if you had set a hint with Disk Utility, then for all you know someone who knew the [Show Hint] trick might have seen your password, so you ought to change it.

You can update the passphrase on an APFS Encrypted volume quickly and easily as follows:

$ diskutil apfs changepassphrase /Volumes/[YOURNAME] -user disk
Old passphrase for user XXXXXXXX: ..........
New passphrase: ..........
Repeat new passphrase: ..........
Changing passphrase for cryptographic user XXXXXXXX on APFS Volume diskYsZ
Passphrase changed successfully

A bad look for Apple, letting a buggy system utility like that into a production release…

…but a creditable response by Apple in getting a fix out quickly.

Saturday, April 29, 2017

Malware Uses Apple Developer Certificate to Infect MacOS and Spy on HTTPS Traffic


A malware research team has discovered a new piece of Mac malware that reportedly affects all versions of MacOS and is signed with a valid developer certificate authenticated by Apple (via The Hacker News). 

The malware has been dubbed "DOK" and is being disseminated through an email phishing campaign which researchers at CheckPoint say is specifically targeting macOS users, making it the first of its kind. 

The malware works by gaining administration privileges in order to install a new root certificate on the user's system. This enables it to gain access to all communications between the host Mac and the internet, including traffic flowing through connections encrypted with SSL. 

The initial email pretends to be informing the recipient of inconsistencies in their tax return and asks them to download a zip file attachment to their Mac that harbors the malware. Apple's built-in Gatekeeper security feature reportedly fails to recognize it as a threat because of its valid developer certificate, and the malware copies itself to the /Users/Shared/ folder and creates a login item to make itself persistent, even in a rebooted system. 

The malware later presents the user with a security message claiming an update is available for the system, for which a password input is required. Following the "update", the malware gains complete control of admin privileges, adjusts the network settings to divert all outgoing connections through a proxy, and installs additional tools that enable it to perform a man-in-the-middle attack on all traffic. 

According to the researchers, Mac antivirus programs have yet to update their databases to detect the DOK malware, and they advise that Apple revoke the developer certificate associated with the author immediately. 

Back in January, researchers discovered a piece of Mac malware called Fruitfly that successfully spied on computers in medical research centers for years before being detected. 

The latest discovery of malware, which appears to target predominantly European users, underlines the fact that Macs are not immune to the threat as is sometimes supposed. As always, users should avoid clicking links or downloading attachments in emails from unknown and untrusted sources.

Tuesday, January 31, 2017

Apple Malware Remained Un-patched for Almost 20 Years

Antivirus Software Maker Spots Apple MacOS Vulnerability
Named Quimitchin by Malwarebytes and called Fruitfly by Apple, the ‘new’ back door may actually have been lurking in the background of macOS for years, taking advantage of vulnerabilities in code that hasn’t been updated since the late 1990s, according to the antivirus software publisher’s blog post.

A masterclass in simplicity, the malware contains just two files designed to open a backdoor into the Macs it infects, letting it receive instructions from the hacker’s computer, known in the cybersecurity world as a command and control server (C&C).

Thomas Reed from Malwarebytes said: “These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days. In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.

“However, we shouldn’t take the age of the code as too strong an indication of the age of the malware. This could also signify that the hackers behind it really don’t know the Mac very well and were relying on old documentation.

“It could also be that they’re using old system calls to avoid triggering any kind of behavioral detections that might be expecting more recent code.”

Thomas Reed goes on to say that ironically, despite the age and sophistication of this malware, it uses the same old unsophisticated technique for persistence that so many other pieces of Mac malware do: a hidden file and a launch agent. “This makes it easy to spot, given any reason to look at the infected machine closely (such as unusual network traffic). It also makes it easy to detect and easy to remove.”
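The persistence pattern Reed describes, a launch agent pointing at a hidden file, can be checked for with a short scan of the LaunchAgents plists. This is an added example, not code from the original post or from Malwarebytes; the hidden-path heuristic and the default directories are assumptions, not indicators taken from the Fruitfly report:

```shell
#!/bin/sh
# Added example, not code from the original post or from Malwarebytes: hunt for
# the persistence pattern described above, a launch agent whose program lives in
# a hidden file or directory. Only <string> values inside the plists are
# inspected, so both the Program and ProgramArguments keys are covered.

# Print "plist<TAB>path" for every <string> value in PLIST that is an absolute
# path with a component starting with a dot (e.g. /Users/alice/.client).
hidden_paths_in_plist() {
    plist="$1"
    # dependency-free extraction: one <string>...</string> body per line
    sed -n 's/.*<string>\([^<]*\)<\/string>.*/\1/p' "$plist" |
    while IFS= read -r value; do
        # the [!.] class keeps "/.." parent references from being flagged
        case "$value" in
            /.[!.]*|/*/.[!.]*) printf '%s\t%s\n' "$plist" "$value" ;;
        esac
    done
}

# find_hidden_launch_agents DIR...: report suspicious agents in each directory.
# Returns 0 when nothing was flagged and 1 when at least one plist was.
find_hidden_launch_agents() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            hits=$(hidden_paths_in_plist "$plist")
            if [ -n "$hits" ]; then
                echo "$hits"
                found=1
            fi
        done
    done
    return "$found"
}

# When run as a script with no arguments, scan the standard macOS locations
# (an assumption about where agents and daemons are registered).
[ "$#" -gt 0 ] || set -- "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons
find_hidden_launch_agents "$@"
```
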

The good news is that Apple has released an update that will be automatically downloaded behind the scenes to protect against future infections.

Also, as you might expect, Malwarebytes will detect Fruitfly, or Quimitchin (Why the name? Because the quimitchin were Aztec spies who would infiltrate other tribes. Given the “ancient” code, they thought the name rather fitting!).

Friday, September 16, 2016

More iOS 10 woes: Some users can’t sync music between devices

This morning has basically been a disaster for Apple. First its highly-anticipated roll-out of iOS 10 welcomed users with a bricked device. Now, following the release of iOS 12.5.1, users report they can no longer connect to iCloud Music Library — the lynchpin required to sync music across supported devices.

iPhone, iPad, iPod touch, Mac or Windows (and Linux) PC users are all susceptible to whatever is causing the issue and many are finding their content inaccessible while the service is down.

When attempting to access the feature after today’s update, users are met with the following error message. After clicking ‘OK’ the message disappears, only to reappear seconds later.

We’ve reached out to Apple for comment and we’ll update if necessary.

Wednesday, September 14, 2016

Warning: iOS 10 is reportedly screwing up people’s phones

After releasing iOS 10 earlier today, some users are reporting ‘bricked’ devices after attempting to update to the new operating system. Most of the issues seem to come from over-the-air (OTA) updates, meaning a device that attempts to download and install the update without plugging it in — something Apple used to require.

The issues seem fairly widespread. The OTA update begins and leaves users staring at a ‘Connect to iTunes’ screen that forces a complete firmware re-install. If you forego the wiping and re-installation of iOS from your iPhone or iPad, you’re left with a bricked and completely useless device.

Not all users are having the issue though. I updated from the last beta version of iOS 10 to the launch version this morning without incident.

A Twitter search for iOS 10-related keywords shows the problem could be affecting a significant portion of those upgrading. In fact, nearly all of the iOS 10-related update problems appear to be the same issue, a bricked device after a prompt to connect to iTunes.

For what it’s worth, Apple claims the problem has since been fixed, according to a 9to5 Mac tweet.

Users, however, are still reporting the problem, so maybe Apple isn’t quite done remedying the issue just yet. Still, if you absolutely have to have iOS 10 today, it’s never a bad idea to do a fresh backup before you make the upgrade.