I am NOT happy with my Apple products this week. From an iPhone that had to be restored to factory settings, to an iPad with a dying battery, down to an Apple Watch that restarted in German, it’s not been a happy week. I try to answer the question of whether these new plans by AT&T, Verizon and Apple are a good deal to get a new iPhone each year. I did a lot of research, read terms and conditions, even called Apple on the phone to make sure my math was sound, so you might want to check out the spreadsheet. The research was meant to help you understand the options, not to tell you what the right answer was for you and your family. In Dumb Question Corner Lynn asks whether there’s a way to encrypt her Time Machine backup without starting over and losing her history, and Bart gives her a great answer that extends to other backup services as well. In Chit Chat Across the Pond Bart introduces a new series called Programming by Stealth with episode 1 of X.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Monday October 12, 2015 and this is show number 544. I sure hope you got the message that I was delaying the show by a day. If you sign up for the NosillaCast News you get notifications of events like this. I do feel bad for the folks who depend on the NosillaCast for their Monday morning commute when I delay like this, but Steve and I decided it would be way more fun to go to Oktoberfest with our daughter Lindsay and her husband Nolan at the Ballast Point brewery than to drive back home and do the show for you! We had an extra good time because we got to meet up with Adam Christianson, host of the MacCast, at the brewery.
Dumb Question Corner
This week’s Dumb Question Corner comes from listener Lynn York:
Hi Allison, I have done some research on this question and I find a variety of answers. Most of the posts are from 2014 or earlier, mention OS’s older than Yosemite and are not from sources that I know and trust.
Problem: I run FileVault on my MacBook Pro, but as far as I can determine, my Time Machine backup is not encrypted. Can I set it to encrypt without starting over – losing my existing history or buying a new drive? There isn’t much data safety in an encrypted MBP sitting next to an unencrypted TM drive. The same is true for stand-alone backups using SuperDuper or other apps. There are a lot of reminders about security online but I think we could use a refresher on protecting the backups. Some of the old online posts even say not to encrypt a TM backup – I would hope it is safer now, but is it?
Thought this might be a good topic for the show, so sending it direct rather than posting to the group. Thanks, Lynn
Firstly, enabling encryption on all backups is a very good idea. I’ll break the rest of my answer into two parts:
1) Time Machine:
You can enable encryption after the fact without losing your history, here is the official Apple Doc: https://support.apple.com/kb/PH18852?locale=en_GB (you’ll find the same advice all over the net on various forums and mac websites).
2) A SuperDuper disk is just another disk, so if you format it HFS+ Encrypted, it will be encrypted; if you don’t, it won’t. Before OS X 10.8 you could only encrypt drives as you formatted them, but that changed in 10.8: assuming a drive is appropriately formatted, you can now enable encryption without reformatting it: http://www.macobserver.com/tmo/article/os-x-encrypting-external-disks
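One thing worth checking after you turn on encryption for an existing Time Machine or SuperDuper disk is whether the conversion has actually finished: on OS X 10.8 through 10.11, both Finder’s “Encrypt” and the Time Machine preference pane turn the volume into an encrypted Core Storage logical volume, and the data is rewritten in the background, so for a while the disk is only partly encrypted. The script below is an added example and not part of Bart’s answer or the show notes. It parses the text of `diskutil cs list` and reports, for a named volume, whether it is encrypted and whether conversion is complete. The listing embedded in it is constructed (placeholder UUIDs), and the field names are the ones I recall from the 10.9/10.10 output of `diskutil cs list`; compare them against the real output on your own Mac before relying on this.

```sh
#!/bin/sh
# Added example (not from the show notes). Parses the text of `diskutil cs list`
# and reports whether a named Core Storage volume is encrypted and whether the
# background conversion that starts when you choose Encrypt in Finder (or turn
# on encryption for a Time Machine destination) has finished. Field names follow
# the OS X 10.8-10.11 output format as best I recall it; check them on your Mac.

# Constructed sample output standing in for `diskutil cs list`. UUIDs are
# placeholders. Three volumes: one still converting, one plain (unencrypted)
# Core Storage volume, and one whose conversion has completed.
SAMPLE_CS_LIST='CoreStorage logical volume groups (3 found)
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000001
|   =========================================================
|   Name:         Time Machine
|   Status:       Online
|   Size:         2000000000000 B (2.0 TB)
|   |
|   +-< Physical Volume 00000000-0000-0000-0000-000000000002
|   |   ----------------------------------------------------
|   |   Disk:     disk2s2
|   |   Status:   Online
|   |
|   +-> Logical Volume Family 00000000-0000-0000-0000-000000000003
|       ----------------------------------------------------------
|       Encryption Status:       Unlocked
|       Encryption Type:         AES-XTS
|       Conversion Status:       Converting
|       Conversion Direction:    forward
|       Has Encrypted Extents:   Yes
|       Fully Secure:            No
|       Passphrase Required:     Yes
|       |
|       +-> Logical Volume 00000000-0000-0000-0000-000000000004
|           ---------------------------------------------------
|           Disk:                  disk3
|           Status:                Online
|           Conversion Progress:   37%
|           LV Name:               Time Machine
|           Volume Name:           Time Machine
|           Content Hint:          Apple_HFS
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000005
|   =========================================================
|   Name:         Photos
|   Status:       Online
|   |
|   +-> Logical Volume Family 00000000-0000-0000-0000-000000000006
|       ----------------------------------------------------------
|       Encryption Status:       Unlocked
|       Encryption Type:         None
|       Conversion Status:       Complete
|       Has Encrypted Extents:   No
|       Fully Secure:            No
|       Passphrase Required:     No
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000007
    =========================================================
    Name:         Archive
    Status:       Online
    |
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000008
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes
'

# cs_volume_status NAME LISTING
# Prints one line: encrypted=<Yes|No> conversion=<status> fully_secure=<Yes|No>,
# or "not-corestorage" when no Core Storage group carries that name.
# A group starts at a "Logical Volume Group" line; its "Name:" line (not the
# "LV Name:" / "Volume Name:" lines deeper down) decides whether we are inside
# the group the caller asked about.
cs_volume_status() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /Logical Volume Group / { in_group = 0 }
        /^[ |]*Name:/ { sub(/^[ |]*Name:[ ]*/, ""); in_group = ($0 == want) }
        in_group && /Encryption Type:/   { sub(/.*Encryption Type:[ ]*/, "");   enc = $0 }
        in_group && /Conversion Status:/ { sub(/.*Conversion Status:[ ]*/, ""); conv = $0 }
        in_group && /Fully Secure:/      { sub(/.*Fully Secure:[ ]*/, "");      secure = $0 }
        END {
            if (enc == "") { print "not-corestorage"; exit }
            print "encrypted=" (enc == "None" ? "No" : "Yes") " conversion=" conv " fully_secure=" secure
        }'
}

# backup_fully_encrypted NAME LISTING
# Succeeds only when the volume is encrypted AND conversion is complete, i.e.
# no plaintext extents are left on the disk. A volume that is still converting
# is reported as not yet safe even though it already asks for a passphrase.
backup_fully_encrypted() {
    case "$(cs_volume_status "$1" "$2")" in
        "encrypted=Yes conversion=Complete fully_secure=Yes") return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run against the constructed sample. On a real Mac replace
# "$SAMPLE_CS_LIST" with "$(diskutil cs list)".
for vol in "Time Machine" Photos Archive; do
    printf '%-13s %s\n' "$vol:" "$(cs_volume_status "$vol" "$SAMPLE_CS_LIST")"
done
```

Until `Fully Secure` reads `Yes`, treat the disk as unencrypted: keep it attached and powered so the conversion can finish, and don’t hand it to anyone. On macOS 10.13 and later, where backup disks are APFS rather than Core Storage, the equivalent listing comes from `diskutil apfs list` and the field names differ, so this parser applies only to the HFS+/Core Storage era the question is about.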
We recently upgraded Steve’s mom and dad’s computers to shiny new Mac Minis. It was a great opportunity to give them clean, up to date operating systems and that’s when we got them both started on 1Password. We forgot one thing when we did the upgrades – we did not install Flash for them. Had we thought about it, we wouldn’t have installed it in Safari, but we would have installed Google’s Chrome for them so they had a way to watch Flash when they really needed to/wanted to. As you guys all know, Apple doesn’t keep Flash up to date for you but Google does. Avoiding Flash is a good idea because of all the vulnerabilities in it, but there are times you just have to have Flash.
Steve’s dad likes to watch live videos from his investment company, and unfortunately they deliver them in Flash. I was able to help him install Chrome using Skype’s screensharing capability. Ken’s pretty good at sharing his screen while we chat over Skype audio so I can walk him through step by step and tell him where to click since I can watch him work.
That worked but then I needed to help him remember what to do when he runs into the warning on Safari telling him he needs Flash. He followed along just fine but it’s the remembering next time maybe a month or two later that he needs to copy the URL, open Chrome and then paste it in to watch that’s the hard part.
I opened Clarify on my computer, took a couple of screenshots, dropped in a couple of annotations and a sentence or two here and there to explain why he needed to do each step and then hit the publish to PDF button, attached it to an email and he was in business. He LOVES these tutorials I make for him with Clarify. He prints them out in color and puts them in a little notebook so he has them at his fingertips whenever he needs them.
If you have friends or family or co-workers who need a little assistance once in a while, consider trying out Clarify to make them tutorials. They’ll love them, and even better when they forget how to do something, you can just point them back to the tutorial rather than having to explain things over and over again. You look like a hero and overall you save yourself time. Check out the free trial over at clarify-it.com.
Chit Chat Across the Pond
Security Medium – YiSpecter iOS Malware
YiSpecter malware became a big news story this week, despite the fact that there is very little ‘there’ there. The headlines all blared about how it could infect non-jailbroken phones, but most articles left out the important piece – users had to accept an enterprise provisioning profile before the malware could even run! Because many users are programmed to just click ‘OK’ or ‘Continue’ no matter what, some people did get infected.
Enterprise provisioning profiles have been used to spread a lot of iOS malware this year, precisely because so many users ignore security warnings, and happily infect themselves. Because of this, Apple changed how Enterprise provisioning works in iOS 9 – it is no longer possible to bypass the warning! The message is the same, but the ‘Continue’ button is gone.
Enterprise provisioning still exists, but you now have to install the profile before you can run the apps. In effect this is just a small tweak to the UI and UX, but it makes social engineering much more difficult, and should help protect naive and/or stupid users from themselves.
- the original research paper from Palo Alto Networks – http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/
- Apple comments on YiSpecter – http://www.imore.com/apple-comments-yispecter-malware
- iOS 9’s new approach to Enterprise Apps explained – http://www.imore.com/how-install-enterprise-apps-ios-9
Important Security Updates:
- Apple release security updates for OS X, Safari & iOS – https://www.us-cert.gov/ncas/current-activity/2015/09/30/Apple-Releases-Security-Updates-OS-X-El-Capitan-Safari-and-iOS (includes fix for the lock-screen bypass we talked about last time)
Important Security News:
- Apple have removed ad blockers that install TLS root certificates from the iOS app store (editorial by Bart: this is a very good move by Apple. IMO the real question is why dangerous apps like this ever got approved!) – http://www.imore.com/app-store-removes-root-certificate-based-ad-blockers-over-privacy-concerns
- RELATED – how to see and remove root certs on iOS – http://www.imore.com/how-remove-root-certificates-your-iphone-or-ipad
- This month is cyber security awareness month, so here are two articles with advice for creating a culture of cyber security at work: http://www.intego.com/mac-security-blog/how-to-create-a-culture-of-cybersecurity-at-work-infographic/ & https://nakedsecurity.sophos.com/2015/10/09/practical-it-how-to-create-a-culture-of-cybersecurity-at-work/
- Google to give marketers the ability to target users via email address – https://nakedsecurity.sophos.com/2015/09/30/google-to-give-marketers-the-ability-to-target-us-via-email-address/ (google’s own Orwellian spin: http://adwords.blogspot.com/2015/09/Google-brings-you-closer-to-your-customers.html)
- A cautionary tale – Facebook blocked Mr. Something Long And Complicated’s Facebook account because of their real-name policy. It was his real name. He described how Facebook’s mistake ruined his life (editorial by Bart: the real story here is that this guy, and MANY more people, are using Facebook as the ONLY place they store their photos – this is really dumb since you are not a Facebook customer, and they owe you NOTHING!) – https://nakedsecurity.sophos.com/2015/10/08/facebook-relents-something-long-and-complicated-is-not-a-fake-name/
- FireEye warn of new Android malware that uses rootkit technology to firmly embed itself in infected devices – yet another reason not to side-load apps – http://arstechnica.com/security/2015/10/android-adware-wields-potent-root-exploits-to-gain-permanent-foothold/
- Google releases patches for Stagefright 2.0 – these will now trickle down to some Android users in the usual way – https://nakedsecurity.sophos.com/2015/10/06/google-issues-android-patches-for-stagefright-2-for-some-users/
- Brian Krebs warns about the data embedded in the 2D barcode on airline boarding passes – enough info to log in to your airline’s website as you and, in some circumstances, even cancel or alter your flights! – http://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/
- The European Court of Justice (the highest court in the EU) has ruled the ‘safe harbour’ agreement that allowed US corporations to bypass European data protection laws invalid – EU citizens’ data will now be protected from the US’s much less protective laws – https://nakedsecurity.sophos.com/2015/10/06/safe-harbor-agreement-ruled-invalid-by-top-eu-court/
- 15 Million T-Mobile customers hit by Experian data breach – https://nakedsecurity.sophos.com/2015/10/02/t-mobile-customers-hit-by-experian-breach-get-credit-monitoring-by-experian/
- Trump hotels affected by year-long breach – malware in payment terminals – http://krebsonsecurity.com/2015/10/trump-hotel-collection-confirms-card-breach/
- Card breach at Hilton Hotel Properties – http://krebsonsecurity.com/2015/09/banks-card-breach-at-hilton-hotel-properties/
- Scottrade breach exposes sensitive data for 4.6M customers – http://arstechnica.com/security/2015/10/scottrade-breach-exposes-sensitive-data-for-4-6-million-customers/
- 15 GB of user data dumped online after Patreon breach – payment data was not compromised, and passwords were well protected, but all private messages are now public, as are the records of who is making how much money via Patreon – what’s worse is that the mistake was a particularly bone-headed one, and they were warned about the problem 5 days before the breach and didn’t fix it – http://arstechnica.com/security/2015/10/gigabytes-of-user-data-from-hack-of-patreon-donations-site-dumped-online/ & http://arstechnica.com/security/2015/10/patreon-was-warned-of-serious-website-flaw-5-days-before-it-was-hacked/
- A nice summary of OS X El Capitan’s security features – http://www.intego.com/mac-security-blog/os-x-el-capitan-security-and-privacy-features-overview/
- As EMV (‘chip and pin’) cards come to America en masse, the IC3 warns that while EMV is a big improvement over ‘swipe and sign’, it is not a panacea, and you still need to defend yourself against fraud – http://www.ic3.gov/media/2015/151008.aspx
- The Clean Software Alliance tries to put an end to the arms race between AV software and ad-supported software – https://nakedsecurity.sophos.com/2015/10/08/will-the-clean-software-alliance-save-us-from-the-scourge-of-unwanted-software/
- Tim Cook tackles privacy and encryption in NPR interview – http://www.imore.com/tim-cook-tackles-privacy-and-importance-encryption-npr-interview
- New attacks on SHA-1 show it to be weaker than previously thought. Researchers suggest the timetable to abandon the hash be moved forward, warning that real-world collision attacks could be affordable in as little as three months from now – http://arstechnica.com/security/2015/10/sha1-crypto-algorithm-securing-internet-could-break-by-years-end/
- Chatham House study finds that many nuclear power plants around the world are ‘insecure by design’ – http://arstechnica.com/security/2015/10/report-finds-many-nuclear-power-plant-systems-insecure-by-design/
- It’s not just cars that have standards-gaming firmware – Samsung TVs found cheating energy efficiency ratings – http://www.theguardian.com/environment/2015/oct/01/samsung-tvs-appear-more-energy-efficient-in-tests-than-in-real-life
- Microsoft sites leak profile data in plain text even when you browse to them over HTTPS – http://arstechnica.com/security/2015/10/microsoft-sites-expose-visitors-profile-info-in-plain-text/
Main Topic – Programming by Stealth – 1 of X (Introduction)
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at firstname.lastname@example.org, follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.