Mac security and the need for endpoint protection

There’s been a lot going on in the Mac security world lately. Just after Apple dropped its Platform Security Guide on February 18, a mysterious new Mac malware named Silver Sparrow swooped in to infect 30,000 endpoints. In the same week, Forbes covered Corellium — the security research startup that Apple is suing — tracking its momentum after a December court win against Apple. Later, on March 9, Apple released a patch for iPhones, iPads, and MacBooks to fix a security flaw found by researchers at Google and Microsoft.

And then there’s what we uncovered in our State of Malware Report, where Mac detections on business endpoints increased by 31 percent over the previous year. And Mac malware — primarily backdoors, data stealers, and cryptominers — was on the rise by 61 percent overall in 2020. 

All of this paints the picture of a Mac threat landscape primed to erupt.

Apple shines and buffs Mac security — but is it enough to stop today’s malware? 

Lately, it seems Apple isn’t the impenetrable fortress it has claimed to be. Just last week, the company released a patch for iPhone, iPad, and MacBook for a bug that could allow code execution through websites hosting malicious code. This means its browsers were vulnerable to exploits that could be launched from malicious website content.

Apple didn’t comment on whether this vulnerability had been discovered by cybercriminals. However, the company released patches for three separate security bugs that were being actively exploited in January 2021. And just a couple weeks ago, there was Silver Sparrow. 

Silver Sparrow is a new Mac malware that was found on nearly 40,000 endpoints by Malwarebytes detection engines. While it’s not as dangerous a threat as initially believed (researchers now believe it’s a form of adware), Silver Sparrow is nevertheless a malware family that has mature capabilities, such as the ability to remove itself, which is usually reserved for stealth operations. One of its more advanced features is the ability to run natively on the M1 chip, which Apple introduced to macOS in November, and which is central to the apparent security paradigm shift happening within the company’s walls. 

And what paradigm shift is that? Macs running the M1 chip now support the same degree of robust security consumers expect from their iOS devices, which means features like Kernel Integrity Protection, Fast Permission Restrictions (which help mitigate web-based or runtime attacks), and Pointer Authentication Codes. There are also several data protections and a built-in Secure Enclave. 

In other words: Apple has baked security directly into the hardware of its Macs.

Looking at the security improvements made to Macs over the last several months — the M1 chips, system extensions replacing external ones, an entirely new endpoint security framework — it appears Apple is making great strides. In fact, they should be commended for developing many beneficial technologies that help Mac users stay more secure. However, not all of the changes are for the better. For example: 

  • The security components of M1-based Macs are harder to analyze and verify externally.
  • Security researchers and the tools they develop/use may be thwarted by the relative opacity of the environment.
  • Threat actors with the right resources can develop or pay for a zero-day exploit and jump over Apple’s defenses — then be protected by them once inside.
  • System extensions enable developers of potentially unwanted programs (PUPs) to apply for and be granted approval from Apple, which then gives them total protection by the macOS framework.

That last bullet is great for legitimate third-party software programs, like Malwarebytes for Mac, especially in protecting against outside threats that might try to disable security software during an attack. But not every company that applies for system extensions is legitimate. We’ve already seen a few examples of developers with a long history of cranking out potentially unwanted programs (PUPs) get their extensions from Apple. Because of this, some PUPs can no longer be removed by Malwarebytes (or any other security vendor). And while there are some ways that users can manually remove these programs, they are by no means straightforward or intuitive.

And sure, you might be saying, “It’s only PUPs!” But PUPs and adware are a significant issue on Mac computers. While many like to trivialize them, PUPs actually open the door for more vulnerabilities, making an attack by malicious software even easier. Adware, for example, could host malicious advertising (malvertising), which often pushes exploits or redirects to malicious websites. If the most recent vulnerability patched by Apple wasn’t already being exploited, that would have been a perfect opportunity for cybercriminals to penetrate the almighty Apple defenses. 

As we found in our State of Malware Report, malware on Mac endpoints belonging to businesses increased by 31 percent in 2020. There may not be as many “actual” malware attacks on Mac endpoints as on Windows, but the share of Macs in business environments has been increasing, especially since the start of the pandemic. You really don’t want some targeted malware hitting your high-value Macs. 

Apple has developed some impressive armor for its Macs, but it doesn’t protect against the full scope of threats in the wild. In addition, Apple only uses static rule definitions for its anti-malware protection, which means it won’t stop malware it doesn’t already recognize. A security program that uses behavioral detection methods (heuristic analysis), like Malwarebytes Endpoint Detection and Response, has the potential to catch a lot of bad apples that Apple hasn’t seen yet.

As time goes on, we’re increasingly in danger of a major attack waged against Macs. There are still myriad Mac users who don’t install any third-party security. Fundamentally, Macs still aren’t all that difficult to infect — even with all the bells and whistles. And by closing their systems, Apple is limiting the capabilities of additional third-party security layers to assist in stopping that major attack from doing major damage.

For a deeper exploration of Mac threats, security changes, and the ways they thwart full protection, read the article in Malwarebytes Labs: 
https://blog.malwarebytes.com/mac/2021/03/apple-shines-and-buffs-mac-security-is-it-enough-to-stop-todays-malware/

To read more about Malwarebytes’ research with Red Canary on Mac malware Silver Sparrow: 
https://blog.malwarebytes.com/mac/2021/02/the-mystery-of-the-silver-sparrow-mac-malware/

Privacy made simple: translating EULAs into perfect prose

The problems with long-winded, small-print EULAs and Terms of Service (TOS) have long been lamented. Packed with jargon and legalese, these lengthy documents are well known to receive a skim of the eye at best before users click “I agree.” According to Visual Capitalist, it can take longer to read the TOS of some online companies than it does to read an entire book. That’s great news for an organization trying to hide shady privacy practices. But what about users who care about how their data is used by the businesses they support?

Beyond the content itself, the timing and format of TOS and EULAs — typically served via pop-up once users have already decided to install the product — encourages users to blow past the fine print instead of stopping to educate themselves. In addition, some EULAs include sections in all capital letters, a throwback to when these contracts were written using a typewriter. Instead of having the intended effect of getting the reader to pay more attention to those sections, trying to scan all-caps paragraphs via browser is a visual nightmare.

But again, why should organizations care if most people click through and accept those terms blindly? Setting aside any moral obligations for a second, privacy is becoming more and more important to users in the wake of various abuses of personal data by organizations, such as social media giants, parental monitoring apps, and other online platforms. In early January, WhatsApp made changes to its privacy policy that allowed for more sharing of its users’ data between Facebook-owned apps. Its userbase promptly flocked to Telegram and Signal, driving downloads of those more private messengers into the millions. Organizations such as ProtonMail, DuckDuckGo, and Apple have also baked privacy into their brand identities, framing it as a commodity that gives them a competitive edge.

To help privacy-conscious users better understand how your organization is using their data, it’s important to simplify the language of privacy policies, TOS, and EULAs, or add plain language “translations” next to legal jargon. In addition, explaining why your organization needs to collect particular data — for certain functions of the software or for better metrics/performance — helps educate users on which data is critical for product functionality, which is optional, and which should be anonymous or discarded. Describing the why also helps users establish trust in your organization and keeps their confidence high should changes need to be made to the policy in the future.

If establishing trust in your data and privacy policies is of interest, you’ll want to revise your legal documents like Terms of Service, EULAs, and privacy policy, as well as portions of your website or even advertising campaigns to include readable prose. Some advice on how to do that:

  • Section off portions of legal language required for a contract and list their plain language “translations” parallel to or below the sections they describe.
  • Clearly identify the types of data collected by your organization/product and explain why that data is needed.
  • Use both the company website and blog to outline your organization’s views on privacy to customers earlier in the buyer’s journey — before they are ready to install. In this way, users will spend more time with the content and absorb it in a visually appealing format (as opposed to a wall of text crammed into a small pop-up).
  • Raise awareness of your privacy-positive positioning through advertising and content marketing campaigns, SEO, press, or even through advocacy.

Ideally, by crafting smart privacy policies that protect users and clearly communicate which data you will use and why, your prospects will have a solid sense of where you stand on privacy long before they click “Install.” And if you manage to make privacy a commodity that your customers are willing to pay for: Congratulations! You’ve done the right thing by your users and you’ll profit from it. Win, win!

For a look at Malwarebytes’ privacy policy, check out our webpage: https://www.malwarebytes.com/privacy/

Happy Privacy Day!