Mac Computers Are Still Suffering From EFI Hack

One of the first, best pieces of advice computer owners get is to always keep their operating system up to date. It’s sound advice, because OS manufacturers generally do a good job of responding to new attack vectors and releasing security patches designed to make sure that hackers don’t have an easy time breaking into your system.

Mac users, though, face a slightly different problem. It’s one that can’t be solved by something as simple as keeping their OS current.

The issue lies with EFI, which stands for Extensible Firmware Interface. This technology was designed by Intel, not Apple, and it is the bit of code that runs before the Apple OS boots up and takes over. Unfortunately, any code, firmware included, can contain flaws and security vulnerabilities, and in the case of EFI, hackers have found a way in that bypasses Apple’s normally robust security measures.

By injecting malicious code prior to the OS taking the reins, hackers have been able to quietly infect a surprising number of Mac machines, and because the firmware isn’t part of the OS proper, none of Apple’s security updates touch it.

It’s certainly possible for the company to push firmware updates, but these are handled differently than OS security patches, and as such, not all users get them. Even if they get a notification, they may not install the update.

In fact, recent research by the security company “Duo Labs” analyzed more than 73,000 Macs and found that 4.2 percent of them were running firmware versions with known vulnerabilities.

This is a problem badly in need of a robust solution. Users have been conditioned to install OS security updates, but rarely think about the firmware that controls the initial boot process, and as such, have a blind spot for the dangers that outdated firmware represents.

So far, Apple has shown surprisingly little interest in offering a more reliable firmware update solution, so if you use Mac computers in your home or office, for the time being at least, it falls to you to be sure that you’re updating not just the OS that drives your machine, but the firmware that your OS relies on.

Bug in macOS Could Allow Hackers Root Access

Do you own a Mac? Is it running Apple’s latest macOS, “High Sierra?” If so, be extra careful about who you allow access to your machine.

A security flaw recently discovered by a developer named Lemi Orhan Ergin can easily allow anyone unfettered access to everything on your machine, and by extension, give them an easy “in” to whatever network it’s connected to. All they need is physical access.

Exploiting this vulnerability is a lesson in simplicity. All a hacker has to do is enter “root” in the username field, leave the password field blank, and press Enter.

Done.

They now have total access.

Needless to say, this is a large and rather glaring security issue, and one which Apple will be remedying in the near future via a patch. Until they do, however, be aware that the physical security of your Mac is of paramount importance. Leaving your workstation unsecured and unattended, even for a few minutes, is all it would take to lose control over all the files on your machine and give a hacker access to the even more sensitive data lurking elsewhere on your company’s network.

Unfortunately, as bad as this security flaw is, it’s not the only recent stumble by Apple. Just last month, the company had to issue an emergency patch to fix a flaw that affected encrypted volumes, where the password hint section was displaying the actual password in plain text.

To try this exploit out for yourself to verify how easy it is to use, simply do the following:

  • Open your machine’s System Preferences and select “Users and Groups”
  • Click on the lock icon, which will allow you to make changes. You’ll get a user name and password box at this point
  • Type in “root” in the username field
  • Move the cursor into the password field and hit enter

That’s all there is to it.

Until Apple issues their patch, the best thing you can do is leave your machine on and lock your workstation when you step away. At least that way, the hacker would have to know your current password in order to gain access.

Of course, they could simply power the machine off and reboot, but that would take a bit more time, during which they could be discovered.

It’s far from perfect, but for the time being, it’s the best protection you have.

Fake Symantec Blog Post Is Spreading Mac Malware

Sometimes hackers opt for a stealthy approach. Other times, their attempts are downright brazen. That’s definitely the case with a newly launched malware campaign that seeks to spread “Proton Mac,” a strain of malware designed to steal passwords from Mac users.

The hackers registered a domain very similar to Symantec’s blog, mirrored its content and then created a fake post about a new version of CoinThief, which was moderately successful back in 2014.

After going into a bit of faux analysis about this nonexistent threat, the post recommended downloading a nonexistent piece of software called “Symantec Malware Detector” which it claimed was the best means of protecting against the new version of CoinThief. Unfortunately, “Symantec Malware Detector” is actually Proton Mac in disguise.

It’s a good scam, and it’s proven to be highly effective thus far. Its effectiveness is due in no small part to the fact that references to the post have been tweeted, initially by fake Twitter accounts, and later, by a growing number of legitimate ones.

Although the fake blog is quite good, it doesn’t stand up to intense scrutiny. For one thing, the email address used to register the domain isn’t a Symantec address. For another, their SSL certificate comes from Comodo, rather than Symantec’s own certificate authority. Unfortunately, the overwhelming majority of users don’t look that closely at websites they visit, so they are unlikely to recognize the fake for what it is.

If you have downloaded “Symantec Malware Detector,” then you’ve got Proton Mac running on your machine right now.

It’s designed to log your username and password in plain text, sending this and any other PII (Personally Identifiable Information) on your machine to a hidden file. It will also capture browser auto-fill data, keychain files and the like, and send all of this to the hackers controlling the software.

If you have been infected, you should treat all online passwords as having been compromised and change them immediately, once you have verified that the malware has been completely removed from your system. Enabling two-factor authentication will also help make you more secure.

New iPhone X May Be Susceptible To Burn-In

Apple’s new iPhone X is a technological marvel that boasts the best display in the industry today, featuring Super Retina OLED display technology and offering a mind-boggling 1,000,000 to 1 contrast ratio.

Unfortunately, there’s a problem, as revealed by a new support document the company released on the iPhone X. In it, Apple states that users may experience shifts in hue and color, and burn-in with the new display, especially if they maximize the phone’s brightness and keep the same image displayed for long periods of time.

According to the support document itself:

“If you look at an OLED display off-angle, you might notice slight shifts in color and hue. This is a characteristic of OLED and is normal behavior. With extended long-term use, OLED displays can also show slight visual changes. This is also expected behavior and can include ‘image persistence’ or ‘burn-in,’ where the display shows a faint remnant of an image even after a new image appears on the screen. This can occur in more extreme cases such as when the same high contrast image is continuously displayed for prolonged periods of time. We’ve engineered the Super Retina display to be the best in the industry in reducing the effects of OLED ‘burn-in.'”

The company also recommends a simple workaround users can employ to minimize the chances of this occurring. If it’s something you’re concerned about, simply adjust your phone’s brightness as follows:

• Go to Settings, and then into General
• From General, tap Accessibility, and then Display Accommodations
• Adjust to taste from there

Another simple thing you can do would be to set your phone to auto-lock after a shorter period of time. To make changes to that feature:

• Go to Settings
• From there, select Display & Brightness
• Then, go to Auto Lock and set whatever time period you deem appropriate

While neither of these are perfect solutions, they will certainly get the job done for the overwhelming majority of users.

Apple’s New Face ID May Have Been Compromised

Tech companies of all shapes and sizes have been on the hunt for the “Holy Grail” of security features since before the rise of the internet. So far, a number of strategies have been developed, but none have proved to be successful. Hackers have found ways around each and every one to date.

Apple recently made another attempt when they released their new iPhone X, complete with a new “ultra-secure” Face ID security feature, which was touted during the new phone’s September launch event. During that event, Apple’s Senior VP of Worldwide Marketing, Phil Schiller, had this to say about the new feature:

“Apple engineering teams have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID.”

Unfortunately, the new feature has proved to be somewhat less “ultra-secure” than was originally advertised. Just one week after Apple’s announcement, the Vietnamese security firm Bkav was able to unlock the iPhone X using a mask.

It cost the company roughly $150 to create the mask, which was built using a combination of 2D images, a bit of makeup and a few 3D-printed components, with special attention paid to the areas around the eyes, cheeks and nose (which was printed on a 3D printer).

A spokesman for Bkav had this to say about their efforts:

“Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it. You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means that the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought.”

All that to say, don’t put too much faith in the new “ultra-secure” Face ID feature. It’s far from the bullet-proof security feature the company touted it as being.

Apple Is On Track To Become A Trillion Dollar Company

Recently, Apple’s stock closed at $175.88, giving it a market valuation slightly above $900 billion. A Drexel Hamilton analyst named Brian White predicts that over the course of the next twelve months, the company’s stock could be trading as high as $235 per share, and at that price, Apple’s market valuation would be over one trillion dollars, making it the only trillion-dollar company on the planet.

“With a market cap of over $900 billion, we believe Apple is on its way to becoming a ‘trillion dollar baby’ as reflected in our price target. We were the first on Wall Street to project that Apple would reach a $1 trillion market cap as reflected by a price target; our current price target of $235 equates to approximately a $1.2 trillion market cap.”

Mr. White is not alone. Another analyst, Amit Daryanani, working for RBC Capital Markets, has made a similar prediction, stating:

“In our view, Apple’s quarterly results will be less important this summer as investors are focused on the iPhone 8 this fall, along with the company’s raised capital distribution initiative, depressed valuation and potential new innovations. We believe Apple remains among the most underappreciated stocks in the world.”

If you don’t yet own stock in the company, now would probably be a great time to buy. As Apple edges closer to the one trillion-dollar threshold, it’s sure to generate an increasing number of headlines, which will increase interest in the company and push the stock price higher still, hastening the day when it hits the mark.

If you already own a stake in the company, hold onto it, and if you concur with Daryanani’s assessment, add to it as you’re able. You could soon be the proud owner of a tiny slice of investment history.

New “MailSploit” Allows Email Spoofing

Phishing attacks just got a whole lot easier.

A German security researcher named Sabri Haddouche has recently discovered a set of email vulnerabilities that have been collectively dubbed “Mailsploit.” At the root, these vulnerabilities stem from the way most email systems interpret addresses encoded with a 1992 standard called RFC-1342.

The standard requires that everything in an email header be plain ASCII. Any non-ASCII characters are encoded before sending, and the receiving client decodes them. Unfortunately, a shockingly large number of email clients (33 and counting) make no effort to check the decoded header afterward for malicious code.

Also, if the decoded RFC-1342 header contains a null byte, or two or more email addresses, the only address the client reads is the one preceding the null byte, or the first valid email address it encounters.
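A server-side sanity check on the decoded header is one way to act on the mechanism described above. The following Python is an added example, not code from Haddouche’s research or from any mail vendor: it decodes RFC 1342 encoded-words itself and flags a From header whose decoded form contains a control character or more than one address. The sample headers and the example.com/example.net addresses are constructed for the demonstration.

```python
import base64
import quopri
import re

# RFC 1342 (later RFC 2047) "encoded-word": =?charset?B|Q?payload?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")
# Anything a display name has no business containing once decoded.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Deliberately loose address matcher; it is only used to count addresses.
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def decode_encoded_words(header: str) -> str:
    """Decode every encoded-word in a header the way a mail client would."""
    def _decode(match: re.Match) -> str:
        charset, encoding, payload = match.group(1), match.group(2).lower(), match.group(3)
        if encoding == "b":
            raw = base64.b64decode(payload)
        else:  # "Q" encoding: '_' stands for a space, the rest is quoted-printable
            raw = quopri.decodestring(payload.replace("_", " ").encode("ascii"))
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(_decode, header)


def check_from_header(header: str) -> tuple[str, list[str]]:
    """Return (decoded header, findings). An empty findings list means it looks sane."""
    decoded = decode_encoded_words(header)
    findings = []
    if CONTROL_CHARS.search(decoded):
        findings.append("control character (e.g. a null byte) appears after decoding")
    addresses = ADDRESS.findall(decoded)
    if len(addresses) > 1:
        findings.append(f"more than one address after decoding: {addresses}")
    return decoded, findings


def encoded_word(text: str) -> str:
    """Build a base64 encoded-word; used here only to construct the sample headers."""
    return "=?utf-8?B?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="


# Constructed sample headers (not real traffic).
BENIGN_FROM = encoded_word("Anna Müller") + " <anna@example.com>"
# The pattern the article describes: the decoded display name carries a second,
# null-terminated address ahead of the address that actually follows it.
SUSPECT_FROM = encoded_word("Anna Müller <anna@example.com>\x00") + " <unknown@example.net>"

if __name__ == "__main__":
    for label, hdr in (("benign", BENIGN_FROM), ("suspect", SUSPECT_FROM)):
        decoded, findings = check_from_header(hdr)
        print(label, repr(decoded), findings or "OK")
```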

The email clients vulnerable to this type of attack include:

  • Apple Mail
  • Mail for Windows 10
  • Microsoft Outlook 2016
  • Mozilla Thunderbird
  • Yahoo! Mail
  • AOL Mail

And many others. Haddouche notes, however, that Gmail is unaffected by the exploit.

There are two ways a hacker can use Mailsploit. First and most obvious to the eye is the fact that it can be used to spoof an email address, making it appear to be from someone you know, which, of course, has the impact of making it much more likely that you’ll click on any links embedded in the body of the message.

Secondly, and potentially even more troubling, is the fact that the exploit can be used to inject malicious code directly onto the recipient’s machine, which can easily give the hacker sending the email full control of the target’s system.

Worst of all, though, is the fact that while Haddouche contacted all of the companies found to offer vulnerable email clients, only eight of them have released a patch to correct the issue. Twelve vendors opted to triage the bug, but gave no information on if or when the issue might be patched, and twelve others made no reply at all.

Mozilla and Opera (both vulnerable) flatly refused to address the problem, which they see as a server-side issue.

Your IT staff’s job just got a whole lot harder.

Be Careful Of Downloads – Google Play Store Sees Malware Increase

Google’s Play Store is under siege. In recent months, there has been a sharp spike in malware campaigns launched against the store, with a shocking number of poisoned apps slipping past Google’s robust system of checks designed to prevent, or at least minimize, such occurrences.

The spike in poisoned apps has been reported by three different security companies: Dr. Web, McAfee and Malwarebytes.

According to the latest McAfee report, 144 Play Store apps have been identified as containing malware. To give you a sense of the scope and scale of the attack, McAfee analyzed a sample of 34 of the malicious apps and found that they had been downloaded between 4.2 million and 17.4 million times.

Of the malware strains found to be present on the Play Store, far and away the most common is Grabos, which is designed to push fake notifications that trick unsuspecting users into installing other apps. Based on the observed behavior, it’s likely that Grabos’ authors generate revenue based on the number of installs achieved. Based on the sheer number of downloads, it’s a model that’s paying handsome dividends for the hackers.

The second most common malware strain identified in the McAfee report is AsiaHitGroup, which utilizes an IP blacklist to specifically target users in Asian countries. This malware was initially found in an app named “QR Code Generator,” and once it infects a user’s machine, it will download a second-stage threat in the form of an SMS Trojan, which auto-subscribes infected users to premium phone numbers using SMS text messages.

Since its initial discovery in QR Code Generator, the AsiaHitGroup malware has been found in a variety of other apps, including alarm clock, photo editor and internet speed test apps.

The security firm Dr. Web found a third distinct malware strain called Android.RemoteCode.106.origin, which was found to be embedded on nine different Play Store apps that had been downloaded between 2.37 million and 11.7 million times.

This campaign opens an “invisible” browser page that shows ads and is the least intrusive of the malware strains found. It’s likely that the hackers controlling this one get paid via ad impressions which are spoofed on the invisible browser window.

In addition to these, ESET has identified a fourth threat, finding eight different apps infected with the MazerBot banking Trojan. This one is potentially the most damaging of the recently identified threats.

Google’s Play Store is clearly a fair bit more dangerous currently than its users are accustomed to. Be very careful when downloading apps until Google can beat back these recent attacks.

Granting Photo Access In iPhone Might Allow Unauthorized Photographing

An Austrian software engineer named Felix Krause has made a disturbing discovery about iPhones using iOS 11. Once an app has been given permission to access the device’s camera, it can take pictures and videos without alerting the user and upload them to the internet in real time.

Unfortunately, there are a lot of apps that users grant camera permissions to. Basically, any time you upload an avatar or post a picture with an app, you’ve got to give it camera permissions to do that.

Krause documented his findings in a short video presentation. As long as an app with camera permissions was in the foreground, it could snap photos literally every second, all without the user being alerted to what was going on.

Krause was quick to point out that he wasn’t naming names, and so far, at least, there are no known instances of malicious apps abusing this flaw, nor are any legitimate apps misusing it to anyone’s knowledge. The simple fact that it is possible, though, opens the door to a whole host of malicious apps that could abuse it, and that’s disturbing.

For the moment, there are really only two ways to address the issue: either go in and modify all your apps’ permissions so that they no longer have camera access, or use lens covers to make it so that your front and back cameras can’t record anything unless you specifically want them to.

Longer term, there are a number of things Apple could do to address the issue. The two simplest fixes would be introducing expiring permissions for apps to allow for more precise user controls, or introducing LED lights that would activate any time the camera was in use, thus giving the user a clear visual marker.

In any case, for the moment, it’s important to know that your phone may be watching and/or recording you.