Checklist 203: T2, Revisited Plus an Actual Checklist

On this week’s Checklist, we’ll cover:

• How Macs are perceived in the enterprise
• An addendum to last week’s T2 story
• A checklist of security tips from the NCSA

Survey says…

Do you feel like your Mac is the best choice for security? You’re not alone.

A recent survey conducted by enterprise software management platform Jamf asked businesses—both ones that used Macs and ones that didn’t—what they thought about the Mac in terms of security.

Across the board, 77% of all organizations polled said that they believed the Mac to be more secure “out of the box”, though around 50% of IT teams at those organizations say they’d still want to invest in security software in order to prepare for new and emerging threats.

The perception that Macs are more secure is driving adoption in the enterprise, with 65% of predominantly non-Mac organizations saying that they have plans to increase the number of Mac deployments in their company sometime in the coming year. Over half of these companies say that the Mac’s reputation for security had a positive impact on their buying decisions. Organizations that already skew Mac are clearly sold on Apple: 74% say they are also planning to add more Macs in the year ahead.

Interestingly, the Mac’s reputation for security may derive in part from how Apple handles vulnerabilities: the survey found that Mac users implement OS security updates 30% faster than non-Mac users!

The cable question redux

Last week on The Checklist, we spoke with Mac security researcher Patrick Wardle about the recently discovered T2 vulnerability that affects all newer Macs. The vulnerability is caused by a flaw in the T2 chip (the chip that handles many of the Mac’s security features, including integrity checking and Touch ID) that could be used to take control of a Mac. Worse yet, because the bug occurs in the “baked-in” code of the hardware itself, it can’t be patched with an OS update—and thus is here to stay!

The “silver lining” of the T2 vulnerability is that it requires physical access to a Mac in order to work, which at least rules out remote exploitation. During our conversation, we discussed the possibility of a malicious USB cable being used to trick a user into running the exploit, but determined that this wasn’t possible—at least according to the information released by the team that discovered the vulnerability: a separate device of some sort would be required to “host” the exploit, and this would have to be connected to the target Mac in order to compromise it.

However, cybersecurity news stories are nothing if not quick to change: This week, the team of security researchers that discovered the T2 issue announced that they had developed a real-world attack using a weaponized USB-C cable! The specialized hacking tool was reverse-engineered from leaked Apple debugging cables, and employs techniques similar to what Apple itself uses when troubleshooting Macs.

If used in tandem with the T2 exploit, one of these cables can put a Mac into Device Firmware Update (DFU) mode and open it up to attack—no additional device required! The team that developed the cable will soon be selling versions of it to the public to use for research purposes. 

So does this change our advice, or our risk assessment, from last week in any fundamental way? For most people, no. Unless you’re a particularly “high-value” target (i.e. you work for the government, you’re a corporate executive, you have access to sensitive intellectual property, or you’re a wanted political dissident), it’s unlikely that anyone would go to the trouble of using a malicious cable to hack your Mac.

Users who do fit this profile should be extra cautious about the physical security of their devices—and should never leave them unattended or where someone else could gain access to them. In addition, they should not plug in any USB device unless they’re absolutely certain of its origin: “gift” or promotional cables should be treated as the potential security risks that they are. Of course, this is good security advice for any user, even those of us who aren’t four-star generals or CEOs!

A shareable security checklist

It’s Cybersecurity Awareness Month, and the National Cyber Security Alliance (NCSA) is pulling out the stops to raise public awareness of security issues and best practices for staying safe.

They’ve recently put out a great checklist of security tips — some of which may sound familiar to listeners of The Checklist:

1. 1

   Create long, unique passphrases

   When it comes to passwords, longer is better — which is why it often helps to create passphrases instead of passwords. A 12-character minimum length is recommended, so focus on coming up with phrases, which will satisfy the length requirement and be easier to remember. Of course, the more random the better: “ilovechocolate” is technically long enough, but it’s the kind of thing that many people have used before, so it can’t be considered truly secure. If you need a little help with randomness, consider using a password generation tool like xkpasswd, which we discussed with creator Bart Busschots on a Checklist earlier this year. If you don’t feel like remembering multiple passphrases for all of your accounts, look into getting a password manager — they’re easy to use and do all the hard work of creating and remembering passwords for you! 

2. 2

   Use 2FA

   We’ve discussed two-factor authentication before on The Checklist, and for good reason: adding a second authentication factor to your accounts means that even if the bad guys somehow get hold of your password (and this is possible, given the prevalence of phishing attacks and the existence of zero-day exploits), they still won’t have that additional factor required to access your account. 2FA is essential, and can mean the difference between having to spend 3 minutes thinking up a new password, or having to spend 3 months undoing the effects of identity theft.

3. 3

   Don’t click

   Malicious links don’t just come in phishing emails—they show up in tweets, SMS messages, IMs, and online ads. If you receive a link or attachment from an unknown source, your default move should be not to click on it or download it. It’s almost always better to open up your web browser and search for the information that the link (alledgedy) contains on your own.

4. 4

   Update everything

   Unpatched software, operating systems, and devices are one of the first things that malicious actors look for when they’re trying to hack a system or network. Don’t make it easy for them. Set up all of your devices to receive automatic updates, both for operating systems and also installed apps if possible. If you have IoT devices in your house that can’t be configured for automatic updates, create calendar reminders to help you remember to perform this essential maintenance at regular intervals.

5. 5

   Back everything up

   Ransomware is a growing threat, system crashes happen, and devices get lost, stolen, or damaged all the time. It pays to back up your data! If some rogue toddler spills juice on your laptop, you might be out some money, but at least you’ll be able to recover your important files from the backup. And if you do find yourself infected by ransomware, having access to clean, recent backups goes a long way to taking away the bad guys’ leverage: after all, why would you pay a ransom when you could just wipe your system and restore everything from a backup!

6. 6

   Be proactive about privacy

   When you sign up for new accounts or install a new app, take a moment to make sure that you’re not sharing more of your personal information than you’re comfortable with. This can be done manually, of course, but as we discussed on a recent Checklist, iOS 14 is set to make this easier than ever, with features rolling out in the next several months that will provide insight into apps’ privacy practices and allow you to disable tracking for all apps globally. In addition, Sign in with AppleM is a great way to create new user accounts for apps and websites without having to share personal information — or give developers and third parties access to your real email address.

7. 7

   Don’t overshare

   Everything we post online can reveal information about us to others, so before you post, consider the fact that someone else may be watching, and may be able to use this information against you. Reduce public visibility and search engine indexing for your social media accounts by using built-in account privacy controls; remove location data from photos whenever possible; and consider creating alternative personas for online use in order to disassociate your social media activity from your real-life identity. In addition, if you’re a parent, consider the privacy risks to your children before you post pictures of them on social media.

8. 8

   Be wary of public Wi-Fi

   Any public Wi-Fi network should be considered insecure by default. The fact is, if you don’t know who set up the network, you also don’t know what their intentions were, or how well they followed best practices for security when configuring the network. In addition, public Wi-Fi networks are vulnerable to monitoring by admins, ISPs, and even dedicated hackers with the correct tools and know-how. When you’re on public Wi-Fi, consider limiting your sensitive activity (such as logging into key accounts or using financial services). If you do need a secure connection on public Wi-Fi, use a VPN to safeguard your data and your privacy.

9. 9

   Share this list (but do it gently)

   If you listen to the Checklist, a lot of this advice is probably stuff you’ve heard before. But we all have people in our lives who are a little less tech savvy than us, and in the spirit of Cybersecurity Awareness Month, we may want to help keep them safe by sharing the above list. Problem is…it’s a pretty big list! If you hit them with all of that information at once, you could end up overwhelming the very people you’re trying to help, which may result in them not following any of the recommended security practices. Our suggestion? Go over the above points one at a time, and do it in a respectful, low-key way that lets them know that you’re concerned about them, but that you’re not lecturing or criticizing them. Even if they only do one thing on this list, as long as it’s something they weren’t doing before, it’s definitely a win, because they’re safer today than they were yesterday!

If you’d like to keep learning about security and privacy issues while you wait for the next Checklist, take a moment to browse through our show archives, where you’ll find audio and notes for every episode going all the way back to Checklist 01. And if you have an idea for a future Checklist, or if you just want to send us a comment or a question, be sure to write to us and let us know!