SecureMac, Inc.

Checklist 163: Encryption Minus the Encryption

November 14, 2019

On this edition of The Checklist: Apple Mail Encryption, Now with Less Encryption!, Ransomware Revisited, and A Ring of Insecurity.

Checklist 163: Encryption Minus the Encryption

This week on the Checklist, we take a look at a serious encryption issue with Apple Mail. We talk about how to deal with a ransomware attack in progress (and what you can do to prepare for ransomware attacks). And we return to Amazon’s Ring with yet another reason to be skeptical of this “smart” device.

Here’s the week’s Checklist:

  • Apple Mail encryption: Now with less encryption! 
  • A ransomware refresher
  • Putting a Ring on it: revisited

When encryption fails: Apple Mail edition

Apple Mail promises privacy and security via encryption — which is why it came as something of a shock last week when researchers found that snippets of encrypted emails were being stored on Macs in unencrypted plain text files. The files were apparently being collected, along with other data, in order to help Siri create contact suggestions for Apple Mail users.

What was even more surprising was that these files were still being stored even when Siri was turned off. Many people would assume that disabling Siri could prevent something like this from happening. Apple’s virtual personal assistant is often thought of as the “face” of macOS — and thus users incorrectly believe that when Siri is not enabled, their Macs are no longer “listening”.

In reality, though, Siri is there for the users, not the Mac: She’s essentially just another part of the user interface. And many of the things that must be done in order to make this interface helpful to users are carried out by other parts of the OS — whether or not Siri is enabled — including the abovementioned email storage behavior. 

While this is somewhat sloppy security on Apple’s part, the good news is that most Apple Mail users are unlikely to be affected by the vulnerability.

First of all, a malicious actor looking to access these text files would need physical access to a Mac in order to get at them, and would need to know where to look for them as well. While the files are not that hard to find for anyone with a solid knowledge of macOS, the fact that they’d need physical access to the machine in order to see them is something of a relief.

Secondly, macOS only stores small snippets of Apple Mail emails, meaning that even if someone did see these files, the likelihood that they would contain truly sensitive information isn’t all that high. It’s not as if a hacker would have access to your entire inbox.

And finally, anyone who has enabled FileVault would not be affected by this. This is because FileVault encrypts a Mac’s hard disk and forces users to log in with a password. If a bad actor got hold of a FileVault protected computer, they still wouldn’t be able to access its contents without the password.

Apple has responded to this story with a promise to fix the issue in a future update, but while you wait for that to happen, there are a few things you can do to protect yourself:

  1. Turn on FileVault if you haven’t already done so. You can do this by going to the Apple menu and then to System Preferences > Security & Privacy. There you will see a tab for FileVault — click on this and then on the padlock icon. You’ll be prompted to provide your administrator name and password, and once you’ve entered these, you’ll have the option to Turn on FileVault. FileVault will now encrypt the contents of your Mac automatically in the background (as long as your computer is awake and connected to a power source), and will require an administrator name and password each time you start your Mac up.
  2. Turn off Siri Suggestions for Mail. To do this, go to System Preferences and click on Siri > Siri Suggestions & Privacy > Mail. Then uncheck the “Learn from this app” box.
  3. To delete any partial emails already stored to your system, use Finder to go to the Library folder, and then click on Suggestions. The partial emails are stored in a file called snippets.db, but the easiest way to handle this is to simply delete any file with the word “snippets” in its name.

Reboot to ransom

Despite what the tech support folks may tell you, rebooting your computer isn’t always the first thing you should try. In a ransomware attack, it could actually help the attacker.

Ransomware, as you may know, is malicious software that performs some sort of digital nastiness and then demands a ransom in order to make it stop. Sometimes this involves threatening to publish sensitive information, but more often than not it has to do with encrypting files or locking you out of your system until you pay a ransom. But the basic scenario is the same: Pay up, or something bad happens.

Ransomware can make its way onto a network or personal computer through malicious links and downloads, social engineering and phishing scams, or good old-fashioned physical access. Ransomware is a growing problem — both in terms of prevalence and in terms of the sophistication of the malware itself — and experts say it’s affecting macOS users more and more frequently.

Ransomware specialists are now warning computer users not to reboot their system if they catch a ransomware attack in progress. This is because some variants of ransomware malware encrypt system files, and require an active file encryption protocol in order to do this. When users “spot” a ransomware attack in progress, it’s usually because something has gone wrong with the malware’s file encryption, causing it to stop midway through the process. But if the system is rebooted, the encryption process may start up again, allowing the malware to finish the job!

If you do catch ransomware malware “in the act”, the best thing to do is to disconnect from your network immediately — either by turning off WiFi or by pulling the ethernet cable — both in order to protect other machines on your network, and also to keep the malware from communicating with a remote command and control server set up by the hackers.

Next, put your computer in a hibernation state if possible, rather than powering down completely. This will preserve a copy of the memory, which may help an IT professional to mitigate the damage or recover important files.

Lastly, reach out to an expert for help. Ransomware is serious, and some modern strains are extremely powerful and well-engineered. Gone are the days when you could just reboot in safe mode and handle the problem yourself. Get someone who has experience dealing with ransomware infections to help you.

Unfortunately, the vast majority of ransomware attacks never offer any warning until it’s too late, rendering the above advice moot for most victims. That’s why it’s important to take steps that will mitigate the damage of a ransomware attack if it does happen.

The best thing you can do to defend yourself against ransomware attacks is to perform regular backups. That way, if you do get hit, you can essentially “roll back the clock” to an earlier system state before the infection occurred, with minimal loss of data.

You can back up your system and files using Apple’s own native services like Time Machine and iCloud. There are also third-party backup solutions like Backblaze. In a pinch, even cloud storage services like Dropbox or Google Drive can be used as a cost-effective and simple way to back up important files.

Of course, for backups to help you in a ransomware attack, you need to back your system and files up regularly. Set backup services to run at least once a day. Since some ransomware can lie dormant on a system for weeks before activating, it makes sense to allow services like Time Machine, which stores multiple backup files until the backup drive is full, to keep backup files around for as long as possible.

If the worst happens, and you do get hit by ransomware, you will now have the option of doing a clean install of your OS and restoring lost data from your backup solution. If you aren’t sure how to do that or if you’d like a little help with the process, you can always reach out to an IT pro for assistance with the specifics (they’ll probably thank you for making their job easy by having full backup files available).

Ring revisited

Back on Checklist 154, we covered a story about Amazon’s Ring doorbell camera system — and provided a number of reasons to avoid it. Our concerns were focused more on the privacy and civil rights implications of Ring, but this week we return to the story with another reason to be wary of this “smart” technology. 

We’ve talked quite a bit about how Internet of Things (IoT) devices are plagued with security issues. Amazon’s Ring seems to be no exception. It turns out that Ring’s software contained a vulnerability which could have allowed a malicious actor to get hold of homeowners’ WiFi usernames and passwords. With those credentials, they would not only be able to access Ring data, but also the user’s network — giving them a way to attack the other devices operating there.

The vulnerability was that the Ring Video Doorbell device made its initial connection to the user’s home WiFi network using an insecure protocol to transmit network login credentials. A nearby hacker with the correct network monitoring tools would thus be able to intercept and read the credentials as they were transmitted.

If this seems too remote a possibility to worry about, remember that hackers have ways of knocking a device off its network, and will sometimes do this intentionally in order to persuade their target to take some action which will expose them to attack. For example, a malicious actor could send a flood of deauthentication messages until a Ring device was dropped from its network. The Ring user, believing that his or her device was malfunctioning, would likely attempt to troubleshoot the issue, first by reconnecting the device to the network (which wouldn’t work due to the repeated deauthentication messages) and then, finally, by reconfiguring it. As soon as they did this, they would end up resending their credentials using the aforementioned insecure transmission protocol — which, of course, would be exactly what the bad actors were waiting for, and how they would be able to capture the network login and password.

The folks at Amazon were alerted to the issue back in June, and responded with an automatic software update in September — which is a bit long to wait for a patch, but also understandable considering the sort of testing that needs to occur when a vulnerability like this is discovered. The patch is, to reiterate, automatic — so if you are a Ring user, you should already be covered.

All in all, though, this story offers another reason to be cautious about Ring…and smart devices generally.

Join our mailing list for the latest security news and deals