Archive (September 2019)

If you’ve set up or restored an Apple device recently and have two-factor authentication enabled on your Apple ID, you may have seen a message during configuration that defies your understanding of how Apple maintains device privacy and account security.

The message reads something like, “Enter Mac Password. Enter the password you use to unlock the Mac ‘name here’. This password protects your Apple ID, saved passwords, and other data stored in iCloud. Your password is encrypted and cannot be read by Apple.” The prompt might instead ask for your iPhone or iPad passcode.



I had to take a photo of this unusual login screen, as it was during setup and screen capture wasn’t available.

Doesn’t this seem contradictory, confusing, and just plain wrong? Why would Apple ask for the password or passcode for one of your other devices? Could it be some sort of scam? What exactly is going on here?

I encountered this issue, as did Take Control publisher Joe Kissell, in preparing the iOS 13 and iPadOS 13 revision to my long-running networking and security book, Connect and Secure Your iPhone and iPad. (It has a new, shorter title in this release, and is already updated for iOS 13.1—check it out if you’re looking for more information about iOS networking, privacy, and security.)

While I had heard of this prompt happening once last year, I had never seen it myself. Now I’ve figured out what is going on by reviewing Apple’s documentation and deducing the missing pieces. The short answer is that this prompt is actually Apple working to protect your security, and the explanation is accurate. But it’s not sufficiently detailed—that would require screens of text—to explain what’s going on. Here’s the skinny.

iCloud Stores Two Kinds of Secured Data for You
All the data that’s synced between your devices via iCloud is encrypted while in transit (generally using HTTPS) and at rest on Apple’s servers. Some of it is available in decrypted form if you were to access it via iCloud.com. For that subset, Apple maintains the encryption keys that protect the data when it’s at rest, and it could turn over that data if forced to by law enforcement.

Apple discloses which data is stored with encryption keys it possesses. In very rare circumstances, someone who compromised Apple’s keys or server security could extract that iCloud.com-accessible information from a transmission or from iCloud. It’s extremely unlikely, but it’s not strictly impossible.

This data could also be at risk in a successful phishing attack. Phishing requires only that an attacker fools someone into thinking they are entering their credentials into a legitimate site that is, instead, a man-in-the-middle. There are many kinds of phishing attacks, one severe type of which involves obtaining fraudulently issued HTTPS certificates that can have all the trappings of a legitimate and secure site.

The attacker could then simply use your login name and password to initiate an attempt to log in to iCloud, even triggering Apple to send you an extra login token used for two-factor authentication, which, if you entered it on the phishing site, could be used by the attacker at iCloud.

Apple users have been phished, of course, although as far as I know, Apple has never suffered from a fraudulent certificate attack. Some visitors to Google sites were phished in this way on multiple occasions several years ago. Since then, certificate-issuing and -tracking procedures and the way browsers check for legitimately issued documents have substantially reduced but not eliminated that particular risk.

Because of phishing risks, Apple has chosen to protect some data that it views as highly secure or very private with end-to-end encryption that prevents Apple from knowing anything about the contents of the synced data. Apple doesn’t possess any of the keys required to decrypt this data passing through its servers. Instead, those keys reside only on individual iPhones, iPads, and Macs.

There’s a full list of end-to-end encrypted services at Apple’s iCloud security overview page, but they include iCloud Keychain, Screen Time information, Health data, Wi-Fi passwords, the People album in Photos, and the new Find My service’s crowdsourced location information. There are also likely other bits of data that facilitate device-to-device interactions.

As a result, you cannot view these categories of data at iCloud.com, only using your devices. In essence, iCloud acts as a sync service with zero knowledge about what it’s transmitting. If Apple were asked to disclose this information by a government, it could only produce unreadable encrypted data, by design. (This approach is distinct from the way Apple stores even more sensitive data—credit-card numbers, passcodes, and fingerprint or face parameters—in the Secure Enclave of iPhones, iPads, and Macs with T2 chips. That data never even leaves the Secure Enclave, and much of it is stored in the chip already irreversibly transformed through one-way encryption.)

Apple’s iCloud syncing system relies on public-key cryptography, which uses linked pairs of keys: one public and one private. The public key can be shared freely and used by anyone who wants to encrypt material meant for the owner of the private key, who can then decrypt that data. For iCloud Keychain and similar sensitive data, Apple has your devices generate and maintain a set of public and private keys that enable interaction with the information synced across iCloud. The devices never reveal their private keys and have the public keys of all the other devices connected to an iCloud account.

The data protected in this way is stored as individual packages—for example, a URL, account name, and password as a single unit—and identified with random metadata that’s meaningless except to establish a unique ID for each data package. Devices in the user’s sync set, including newly enrolled hardware, sync by exchanging metadata information. Let’s say your iPhone is missing a Web site login you just created on your Mac. The Mac encrypts the login entry with the public key of the iPhone, which receives it via iCloud sync, and then decrypts it with its private key. This approach is both typical and sensible.

The hard part isn’t syncing data privately. Rather, it comes when you want to add a new device to this set. To understand how that works, we need to understand the role of your iCloud password.

An Extra Element to Protect against Interception
Apple’s iOS 12 security white paper explains this system in some depth, noting that your iCloud Apple ID account password by itself can be used to enroll a new device. That isn’t as worrying as it might sound, because Apple doesn’t know your password. Instead, it stores only an encrypted form of the password. Whenever you enter your password, it’s run through a one-way encryption algorithm that performs a vast number of mathematical operations—the process is called “hashing”—that makes it effectively impossible to determine the original password. (This is also used for a lot of data stored in a Secure Enclave, like your passcode.)

You could enable an iCloud Security Code as an “out-of-band” element—something that is never transmitted by the same means as other data. Out-of-band elements are a common way to block data hijacking by requiring a secret that has never been put online. In this case, it’s something you create or Apple creates for you on one device and that you enter on another.

(Never heard of an iCloud Security Code? You’re not alone! It’s barely mentioned on Apple’s site, and Apple’s white paper doesn’t discuss the code deeply. I recall using one years ago, and TidBITS publisher Adam Engst had never heard the term before editing this article.)

But there’s a flaw in both the iCloud password and the iCloud Security Code approaches, and I wonder if that’s why Apple is now asking for passwords or passcodes from other devices in your sync set. The iCloud Security Code is yet another piece of information to remember and deal with and thus runs counter to Apple’s commitment to simplicity. It was also created when iCloud Keychain was the only set of data Apple secured end-to-end and synced via iCloud, and before both two-step verification and the later two-factor authentication for Apple ID. It may not be robust enough to match Apple’s current security and authentication requirements.

As for the iCloud password, it suffers from a different set of concerns. While Apple doesn’t know your iCloud password, whenever you log in at iCloud.com, your encrypted password is sent to Apple, which holds it just long enough to perform the hash and test it against its stored value. However, it’s not inconceivable—though, again, it’s unlikely—that the password could be captured during that transmission, phished, or stolen in some other way. Apple obviously thinks about it in this way: Since it’s conceivable that the password could be intercepted, Apple has to defend against interception as though it happens every day.

Some companies have tried to move away from the need to transfer even a hashed password. AgileBits, for instance, built 1Password.com around newer browser-based encryption algorithms—no unencrypted passwords or data are stored by AgileBits or ever sent to the browser. Instead, the browser itself performs all the necessary encryption and sends the encrypted data to AgileBits. After login, the 1Password.com servers only send encrypted packages to the user’s browser, which holds encryption keys locally and only for the duration of the session.

Apple hasn’t transitioned to this method with iCloud.com, and so it makes sense that instead of relying on an iCloud password, which could be stolen or phished, it has instead moved to this device-passcode/password system. Apple hasn’t yet documented this new approach, which is why I’m not being more precise about how it all works. None of the text on the screen users see appears on Apple’s support or marketing sites, and there’s no mention of the process in the white paper noted above or elsewhere. But I’ve heard about the process previously from readers, Take Control publisher Joe Kissell recently saw it on setting up a new device, and I finally saw it after upgrading to iOS 13 on my iPhone.

Here’s how the new system works, as far as I can determine:
You log into your Apple ID on the device you’re setting up and confirm a second-factor login. (Password-only Apple ID accounts, which Apple strongly discourages and which we recommend against, don’t seem to get these dialogs.)

On at least one of the devices in the iCloud sync set, Apple adds an encrypted version of that device’s passcode or password to the set of shared information. The only information attached to that payload that Apple can read is the type of device and the name of the device.

Apple syncs this information to iCloud, and the setup process on the new device then pulls it down, prompting you to enter the passcode or password.

Once you enter the correct passcode or password, the new device dumps the passcode/password data from the set, instead generating and relying on a new pair of encryption keys, just like the other devices. The new device becomes part of the trusted set of devices that can sync your end-to-end encrypted iCloud data.
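
A minimal model of the four steps above, added here as an illustration; it is not Apple's code or protocol, which the article notes is undocumented. It shows how a synced record can carry readable device labels while the passcode-protected part stays opaque to the sync service and opens only for the right passcode. Assumptions: the record wraps a random bootstrap secret under a PBKDF2-stretched passcode, every function and field name is hypothetical, and the HMAC-based keystream stands in for a real authenticated cipher.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor, not a value from Apple


def _derive_keys(passcode, salt):
    """Stretch a device passcode into separate encryption and MAC keys."""
    okm = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt,
                              PBKDF2_ROUNDS, dklen=64)
    return okm[:32], okm[32:]


def _xor_keystream(key, nonce, data):
    """HMAC-SHA256 in counter mode, a stdlib stand-in for a real AEAD cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def publish_enrollment_record(device_name, device_type, passcode, sync_secret):
    """Existing device: wrap the bootstrap secret under its own passcode."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passcode, salt)
    ciphertext = _xor_keystream(enc_key, nonce, sync_secret)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {
        "device_name": device_name,  # readable by the sync service
        "device_type": device_type,  # readable by the sync service
        "salt": salt, "nonce": nonce,
        "ciphertext": ciphertext, "tag": tag,
    }


def server_view(record):
    """What the sync service can read: only the labels shown in the prompt."""
    return {k: record[k] for k in ("device_name", "device_type")}


def enroll_new_device(record, entered_passcode):
    """New device: unwrap with the typed passcode; None if it is wrong."""
    enc_key, mac_key = _derive_keys(entered_passcode, record["salt"])
    expected = hmac.new(mac_key,
                        record["salt"] + record["nonce"] + record["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # authentication failed, nothing is decrypted
    return _xor_keystream(enc_key, record["nonce"], record["ciphertext"])


if __name__ == "__main__":
    secret = os.urandom(32)  # constructed stand-in for the sync set's key material
    rec = publish_enrollment_record("Office iMac", "Mac", "123456", secret)
    print(server_view(rec))
    print(enroll_new_device(rec, "654321") is None)
    print(enroll_new_device(rec, "123456") == secret)
```

A six-digit passcode has only a million possible values, so key stretching alone does not stop offline guessing by anyone who holds the record; this model includes no attempt limiting.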

It’s possible that Apple retains the encrypted passcode and password of the shared key for every device that’s in the set. However, that would seem to be an ongoing risk, as it would conceivably allow someone who obtains that secret to gain further access.

What this process appears to show is that Apple never sees, handles, or stores your device passcode or password in unencrypted form, and it never passes the passcode or password over anything but secure transport. It requires only your Apple ID account name and password, sent over HTTPS, as the first stage of logging into iCloud, but not for the later stages.

Overall, this new approach seems rational and secure. Apple would do well to give users more confidence in what’s happening by providing an explanatory support document, and I hope Apple will give in-depth details when it updates the iOS security white paper for iOS 13.

A computer virus may interfere with your Mac’s performance and health by corrupting or destroying data on your Mac. A virus can have profound and damaging effects. Viruses are annoying, time-consuming, and very frustrating. This short article explains how you can protect your Mac from viruses and other malware.

Even though the terms “virus” and “malware” are often used interchangeably, they do not mean the same thing. Malware is any type of malicious software. A virus is a type of malware. Common types of malware include:
virus
adware, for example see: Amazon Winner, Free Gift Card, Congratulations Scams & How To Stop Them
trojan horse
worms
spyware

Can my Mac get viruses or malware?
The short answer is yes. No computer system is completely immune. However, a Mac is less susceptible to viruses than a Windows PC. It is certain that macOS is more secure than Windows. But it is also very simple to prevent viruses from getting on your Mac.
See also: Your System Is Infected With (3) Viruses

How do I know if my Mac has a virus?
You may be able to tell if your Mac has a virus if you experience any of the conditions below:
ads and popups are appearing often
your Mac is very slow
your Mac is behaving oddly
you are having Safari homepage problems

Do Macs need antivirus software?
This is up to you. I personally do not have any antivirus software installed on my Mac. I think if you follow the tips described in this article, you will not need an antivirus program.

It is important to note here that many antivirus programs are not compatible with macOS. There are also many fake antivirus programs that contain malware. Be very careful if you want to get an antivirus program.

Simple Tips to Secure your Mac
If you think that you might have malware or adware on your Mac, follow the tips below:
1. Restart your Mac from time to time
This is important because macOS includes built-in features that remove known malware when you restart your Mac. To restart your Mac, you can choose Restart from the Apple menu.

2. Keep your software up to date
Periodically, Apple releases macOS updates that can help protect your Mac. You can update your Mac easily. To do this, simply choose System Preferences from the Apple menu and then click Software Update. If there is an update available, click Update Now.

Note: you may also want to check the “Automatically keep my Mac up to date” box.

3. Do not install software on your Mac that you do not know
The safest place to download programs and apps is the Mac App Store. However, not all credible apps might be available in the Mac App Store. If you need to download and install a third-party app and you are sure that the app cannot have any viruses, then download it from the developer’s web site.

4. Do not click links in emails
If you do not know the sender, do not click any links. Further, do not open attachments. Some viruses may spread as soon as you open the attachment.

5. Use the Mac Firewall app
Mac Firewall can help notify you about suspicious activity. Here is how you can configure this:
Open System Preferences on your Mac
Click Security or Security & Privacy
Click the Firewall tab
Click “Turn On Firewall” (make sure that you unlock this section first, simply by clicking the lock in the lower-left corner that says “Click the lock to make changes” and entering your password)
To configure the Firewall preferences, click Advanced. You can also configure the options by clicking the Firewall Options button.

6. Turn on popup blocker in Safari
You can do that by going to the Websites tab of Safari preferences. From the column on the left, select “Pop-up Windows”. Then select “Block and Notify” or “Block”. Please note that some websites may use pop-ups for information content. You can read this article to learn more.

7. Use Safari’s security features
Open Safari and click Safari and Preferences. Then click the “Security” tab and check the “Warn when visiting a fraudulent website” box. This will help you to recognize harmful web sites.

See also: Critical Security Warning! Your Mac is Infected

A further note: never download a Flash Player update because a pop-up window told you that it was out of date. I recommend deleting Flash Player. But if you want to use Flash Player, update it by going to System Preferences > Flash Player, then clicking the Updates tab and clicking Check Now.

I see that there are many Mac cleaner apps that are heavily advertised online. Do not download them if you are unsure that they are credible.

If you upgraded to iOS 13, your iPhone just got a major security upgrade. Here are some of the ins and outs.

If you own a relatively new iPhone, this week you should have received a notification that the latest iOS 13 update is ready to download. Besides the more obvious additions—like the introduction of dark mode, and the unexpected joys of Apple Arcade—it also features a raft of security and privacy enhancements.

This is not meant to be a tutorial, although some of the screenshots show where to go to change some settings. Here is some information on how the latest version of iOS keeps you even more protected.

Sign In With Apple

As well as using Facebook, Google, and Twitter to sign into new apps and services, you can now sign in with Apple too. The option limits data passed over to the third party to your username and email address, and Apple will even create a temporary email address for you if you like—if you start getting unwanted messages, you can just shut it down and walk away.

Fine-Tune Location Controls
You now get more granular control over how apps access your current location. In addition to being able to grant that permission all the time or only when the app is running, you can now also allow it just once on a temporary basis. The next time the app needs your location, it'll have to ask for it again.

As in iOS 12, you'll get occasional pop-ups reminding you which apps are tracking your location. In iOS 13 though, you can see more of the data that the app actually logs, as well as the app's explanation for why it needs that data in the first place. If you don't buy the argument, you can block access.

Block Bluetooth Access
After you've installed iOS 13, you might see a flurry of apps asking for permission to transmit data over Bluetooth—data that can, in some cases, be used to track where you are, via Bluetooth beacons in stores and elsewhere. If you're not happy with granting permission, turn it off. Note that the permission to transfer data over Bluetooth is separate from streaming audio over Bluetooth, so you won't suddenly lose your connection to your headphones.

Stay Safe From Wi-Fi Tracking
As with Bluetooth, in a pre-iOS 13 world some unscrupulous apps were able to track your location without actually asking for permission to do so. Instead, they would take note of the public Wi-Fi networks you passed by. This has now been disabled in iOS 13. There's no option for it or setting to toggle; the privacy feature is baked in automatically.

Share Photos Without Locations


Of course you want to share your photos with friends and family, but maybe you don't want to share your home and office address with everyone you post a picture to. In iOS 13, when you share a picture through the Photos app, you'll notice a new option to strip the location data before you send it.

Silence Unknown Callers

You can, if you want, route calls from unknown numbers straight to voicemail in iOS 13. The feature is a little smarter than you might think, though: As well as checking numbers in your Contacts app, it also looks through Mail and Messages for unsaved numbers that you might be familiar with. Also, when calls are carrier-verified as genuine and not spoofed, you'll see a tick next to the number to let you know it's probably not yet another spammer.

Find Devices Anywhere
You'll notice a new Find My app on your iPhone after you install iOS 13, which helps you keep track of both your friends and your Apple devices, however you've mislaid them. As well as the features you'll already be used to—being able to ring your iPhone remotely, for instance—the new app can even locate your devices when they're not actively connected to Bluetooth or Wi-Fi.



This works via a very low-power Bluetooth signal emitted by your lost device. Apple creates an anonymous, invisible, secure scouting network from all the other Apple devices out there in the wild. If any of these devices detects your phone, you'll get an update on where it is.

Set Permissions for Individual Websites
Safari for iOS 13 now lets you control access to the camera, the microphone, and your current location on a site-by-site basis. If you're happy about some sites getting access to these permissions but not others, you can tailor it to your liking. The feature is managed through the Safari section of Settings. Cross-site tracking, where ad networks can follow you across multiple sites, is now prevented by default too—in iOS 12, it was optional.

Keep Contacts More Private
There's a small but perhaps significant change in the Contacts permission as well. Apps that get access to your list of contacts will no longer be able to read the notes field alongside each contact. If you've used these fields to record sensitive data—like your father's PIN code or your real feelings towards your aunt—third-party apps will no longer be able to view them.

Block VoIP Apps From Collecting Data
In iOS 13, Voice-over-IP apps—those ones that let you make audio and video calls over the web—are no longer able to collect data in the background while they're not running. While this data collection could ostensibly be used to connect calls faster if you didn't have the relevant app open, it was also open to potential abuse. It's expected that apps like WhatsApp and Snapchat will need to be redesigned as a result.

Encrypt HomeKit Video Streams
Part of the reason that there aren't as many devices that work with HomeKit as with, say, Amazon Alexa or Google Assistant, is that Apple has some fairly restrictive rules that manufacturers need to meet. One of those, new in iOS 13, is the requirement that HomeKit-compatible security cameras must encrypt footage before it leaves your home, so no one else can see it.

Put HomeKit on Your Router
Another security feature introduced with HomeKit on iOS 13 is support for HomeKit-enabled routers. When these devices appear on the market, they'll be able to isolate individual smart home devices, so if a malware infection should strike one of them, it won't be able to spread to the others.


My Mac is old, can I upgrade to macOS Catalina?

The latest Mac operating system will run on the following devices:

MacBook (2015 or newer)
MacBook Air (2012 or newer)
MacBook Pro (2012 or newer)
Mac mini (2012 or newer)
iMac (2012 or newer)
iMac Pro (2017 or newer)
Mac Pro (2013 or newer)