SecureMac, Inc.

Checklist 231: Security News Roundup

May 21, 2021

This week in security news: The Mac’s malware problem | The Colonial Pipeline ransomware attack | An App Tracking Transparency bug fix


On this Checklist, we’re talking about a few big security news stories from the past week:

The Mac’s malware problem

In testimony offered this week in the ongoing Epic v. Apple court case, one Apple executive made a comment that has some Mac users worried.

Craig Federighi, Apple’s Senior VP of Software Engineering, admitted that there is “a level of malware on the Mac” that he and other Apple execs “don’t find acceptable”.

This may come as something of a shock to the “Macs don’t get malware” crowd, but Checklist listeners already know about the history of malware on macOS (see Checklist 46: A Brief History of Malware). What is somewhat surprising is that an Apple executive talked about Mac malware so openly — and used the issue to defend Apple’s tight grip on iOS and the App Store!

Federighi pointed out that iPhones make an especially “attractive target” for potential attackers, because a compromised iOS device could be used to view user location data, access microphones and cameras, or bypass two-factor authentication. For this reason, he argues, it’s essential to keep the iPhone relatively closed off to third-party vendors, so that it won’t develop the same malware problem that currently affects the Mac. (Epic disagrees, of course, saying that Apple’s stance has less to do with security and more to do with the 30% cut of App Store sales that Apple takes!)

Apple is walking a fine line by using the prevalence of macOS malware to defend its walled garden approach to iPhone security. In fact, some observers say the company is “throwing the Mac under the bus” to “save the iPhone”.

But we think that’s a bit overstated. For one thing, Federighi’s testimony isn’t really telling the public anything new. The Mac security community, for example, has been warning about the growth of macOS malware for years now.

And while macOS does have a very real malware problem (as even Apple admits), the Mac is still a relatively safe platform. For example, the most common varieties of Mac malware don’t typically spread by exploiting system vulnerabilities. They simply trick users into downloading and running something that they shouldn’t. This is why we spend so much time on The Checklist talking about things like how to avoid online scams, how to spot phishing emails, best practices for password security, and how to deal with social engineering.

Nevertheless, malware on macOS is definitely something that Mac users should be aware of. Despite Apple’s best efforts, new varieties of Mac malware crop up all the time, and can infect large numbers of Macs before they’re discovered. In addition, Macs do have security vulnerabilities (sometimes serious ones, like the recently patched macOS 0-day). For this reason, Mac users need to be a little more careful than iPhone users — and may want to have the added protection of a third-party malware detection and removal tool.

What really happened with Colonial Pipeline?

If you follow the news, you probably know that Colonial Pipeline, a major fuel distributor in the United States, was hacked a couple of weeks ago. The Colonial Pipeline ransomware attack shut down one of the largest fuel pipelines in the US — a system that supplies as much as 45% of all fuel used by the eastern United States.

Colonial has been communicating openly with the press, and has described their decisions as “the right thing to do for the country”. However, some observers have started to question the company’s official story — and their motives.

The ransomware attack, it turns out, didn’t affect Colonial Pipeline’s physical infrastructure, or the process control systems that keep the pipeline running. It only affected the company’s corporate IT network. The pipeline went offline because Colonial Pipeline took it offline as a “proactive” measure.

While Colonial says this was done for security reasons, some commentators suspect that the company’s real motivation may have been financial. With the corporate network offline, it would have been impossible for the company to track customer fuel usage, or to bill suppliers and distributors accurately. In other words, Colonial turned the gas off “to make sure they’d get paid”.

That’s a cynical take, but it’s not a completely unreasonable one — especially considering how poorly other large companies have handled cybersecurity incidents in the past. However, industry insiders say that Colonial Pipeline may really have had legitimate security reasons to shut their pipeline down.

As cybersecurity journalist Kim Zetter notes, Colonial’s compromised IT network is connected to the pipeline’s process control network. According to a source who works for one of Colonial’s channel partners, this means that a hack of the IT network could (potentially) impact the security of the pipeline itself. To quote Zetter’s article:

While the connection between Colonial’s corporate business network and the process control network is “mostly in one direction” the source says, “there’s nothing that stops it from going bi-directional” — meaning that depending on how secure the firewall that divides them is, a hacker can pass from the corporate network through the firewall and into the process network to impact systems there. Colonial is believed to use Cisco ASA firewalls, which have had serious vulnerabilities in the past. Once on the process control network, a hacker can install malware or manipulate data.

In other words, the cynics could be correct … but there may also have been a legitimate cybersecurity concern that led Colonial to turn off its pipeline after the initial compromise.
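To make the “mostly in one direction” versus “bi-directional” distinction concrete, here is an added example (not code from this article, from Zetter’s source, or from Colonial Pipeline, and not Cisco ASA syntax) of a small first-match firewall policy evaluator in Python. The zones, addresses, ports and rules are all constructed for illustration. It contrasts a policy where the OT network pushes data to an IT historian but a broad “for support” allow quietly makes the link bi-directional, with a hardened policy that names a single jump host and explicitly denies every other IT-initiated connection into OT. The `it_to_ot_allowed` audit function is the check an assessor would run against a real rulebase: list every flow that starts in IT, ends in OT, and is permitted.

```python
"""Audit a zone-based firewall policy for IT-to-OT reachability.

Constructed example: the zones, rules and probe flows below are illustrative
and are not Colonial Pipeline's configuration or any vendor's rule syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone layout: corporate IT network and the process control (OT) network.
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "OT": ipaddress.ip_network("10.2.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR of the connection initiator
    dst: str               # CIDR of the destination
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None means any port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str,
             dport: int, default: str = "deny") -> str:
    """First-match evaluation of a new connection, as stateful firewalls do.
    Traffic that matches no rule falls through to the default action."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return default


# Weak policy (constructed): the OT historian push is the intended one-way flow,
# but a broad allow added "for support" makes the boundary effectively
# bi-directional for any host on the corporate network.
WEAK_POLICY = [
    Rule("allow", "10.2.0.0/16", "10.1.50.0/24", "tcp", 1433),   # OT -> IT historian DB
    Rule("allow", "10.1.0.0/16", "10.2.0.0/16", "any", None),    # IT -> OT "for support"
]

# Hardened policy (constructed): OT may push to the historian subnet; only one
# IT jump host may initiate into OT, and only over SSH; every other
# IT-initiated connection into OT is denied explicitly rather than by default.
HARDENED_POLICY = [
    Rule("allow", "10.2.0.0/16", "10.1.50.0/24", "tcp", 1433),   # OT -> IT historian DB
    Rule("allow", "10.1.99.10/32", "10.2.0.0/16", "tcp", 22),    # jump host -> OT SSH
    Rule("deny", "10.1.0.0/16", "10.2.0.0/16", "any", None),     # everything else IT -> OT
]

# Constructed flows an auditor would probe: a corporate workstation reaching a
# PLC's Modbus port, the jump host's SSH session, the historian push, and SNMP.
PROBES = [
    ("10.1.23.45", "10.2.10.7", "tcp", 502),    # IT workstation -> PLC Modbus/TCP
    ("10.1.99.10", "10.2.10.7", "tcp", 22),     # jump host -> OT SSH
    ("10.2.10.7", "10.1.50.5", "tcp", 1433),    # OT -> IT historian
    ("10.1.23.45", "10.2.10.7", "udp", 161),    # IT workstation -> OT SNMP
]


def it_to_ot_allowed(rules: List[Rule], probes=PROBES) -> List[tuple]:
    """Return the probed flows that start in IT, end in OT, and are permitted.
    An empty list for everything except the intended jump host is the goal."""
    found = []
    for src, dst, proto, dport in probes:
        if (ipaddress.ip_address(src) in ZONES["IT"]
                and ipaddress.ip_address(dst) in ZONES["OT"]
                and evaluate(rules, src, dst, proto, dport) == "allow"):
            found.append((src, dst, proto, dport))
    return found


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name} policy, IT->OT connections allowed: {it_to_ot_allowed(policy)}")
```

Two design points carry over to real deployments. First, “one direction” on a stateful firewall means only which side may open a connection; return packets of an OT-initiated session are allowed automatically, so the audit question is always about initiators, which is what the probes model. Second, the hardened policy ends with an explicit deny rather than relying on the implicit default, so a later “temporary” allow appended below it cannot silently reopen the path; on a real device the rules would be pulled from the running configuration rather than typed in, and the probe list would cover every OT service, not four.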

ATT is all about choice

We’ve already talked quite a bit about App Tracking Transparency (ATT), the iOS 14 feature that requires app developers to get users’ permission before they track them across other websites and apps. But while the ATT rollout is now largely complete, there was still one minor issue affecting some users.

By default, the global ATT control in iOS — the Allow Apps to Request to Track toggle — is set to “off”. When the switch is toggled off, apps can’t even ask users for permission to track them. They just receive an automatic “no” instead!

As expected, the vast majority of iOS users have turned that switch off and completely opted out of tracking. But there were people who, for whatever reason, wanted to opt in … and found that they couldn’t.

It seems that for a minority of iOS users, if the toggle was set to off by default, then they couldn’t toggle it on. As of this week, however, Apple says that they’ve fixed the bug, which means that all iOS users should now be able to opt out or opt in to tracking as they prefer.

We’re not sure why users would want to opt in to more tracking (maybe they feel sorry for Facebook?). But App Tracking Transparency has always been about giving iOS users a choice, not about enforcing our, or Apple’s, or anyone else’s vision of privacy. With this bug fix, Apple continues to deliver on the promise of ATT, and leave decisions about tracking firmly in the hands of their users.

To learn more about digital security and privacy, check out The Checklist archive. If you have a privacy or security question, and you’d like for us to answer it on a future edition of The Checklist, write to us and let us know!
