Checklist 13: Q&A Grab Bag

• iCloud calendar spam.
• Anti-malware software for Macs – needed, or not?
• iCloud Security – How is Apple protecting your data?
• Routers, switches, and modems – what’s the difference?
• Online banking – how to stay safe?

Welcome back to another episode of The Checklist! On this week’s episode, we’re going to do something a bit different, and rather than focusing on one topic, we’ll be answering some listener questions on-air! Please feel free to shoot us an e-mail if you ever have a question about a topic we’ve covered, have a specific topic you’d like us to cover in the future, or need some advice when it comes to the security of your devices — we love hearing from our listeners!

iCloud calendar spam. So this first topic actually hits pretty close to home, because we actually encountered this issue recently on our own phones, and after tweeting about it we had some listeners ask for more information on the spam notifications many iOS users saw in the past few weeks. Basically, what’s been happening is that a spam campaign has specifically been targeting iCloud users in a rather unique way, causing spam notifications for various brand-name clothes and accessories to appear on iOS devices. The spammers are taking advantage of a built-in feature in iOS that’s normally really helpful – when an e-mail with a calendar invite comes in, iOS automatically converts it into an in-app push notification, allowing you to quickly accept or decline the calendar invite. This feature is really useful 99% of the time, but obviously this situation falls outside the norm. Now, it would be much less of an issue if you could simply delete the spammy invites from your calendar, but unfortunately you can’t do that without sending a reply to the spammer, effectively letting them know that their spam got through to a real person, and opening yourself up to more spam from them in the future.

Another downside to this normally helpful feature is that the original spam e-mail containing the calendar invite is automatically deleted by iOS when it’s converted to an in-app notification, so there’s no way to mark it as spam or otherwise ignore future messages from the spammer! The end result of this whole mess is that a lot of users are left scratching their heads as to why they’re suddenly seeing all these spam notifications on their iOS devices, and have no clue how to stop them from coming in. Luckily, an enterprising iOS developer by the name of Aaron Douglas is here to help, and has figured out a specific set of steps to take to block the barrage of those annoying spam notifications:

1. Open iCloud.com in your favorite web browser, and log in using the same account you use on your phone.

2. Click on Calendar.

3. Click on the settings gear button in the lower left corner of the screen.

4. Click on Preferences, then click the Advanced tab.

5. Under the Invitations section, change the option for “Receive event notifications as” to “Email” (rather than in-app notification, which is the default setting).

Once you take those steps, all of the invites you receive on your iCloud e-mail account will come through as e-mails, rather than being automatically converted to in-app notifications – at which point you can flag them as spam if they make it all the way to your inbox!

Now, word on the street is that this problem seems to have abated for now. Unfortunately, we don’t know if that’s the result of some action on Apple’s part, or if the spammers have just decided to lay low for a while now that the issue has been brought to light. We’re hoping that Apple took some much-needed action to solve this problem, as all they’d need to do is adjust the spam filters on the iCloud e-mail servers to check for calendar invite spam, and block it from ever reaching the devices of iOS users in the first place!

Anti-malware Software for Macs – needed, or not? Listener Doug H. writes in with the following question:

I had heard that anti-malware is not needed for macs. For instance, one blogger who is seemingly knowledgeable wrote:

Beyond XProtect, Gatekeeper, and MRT, there’s no evidence of any benefit from other automated protection against malware.

This was written a few years back and I wanted to get your take on it. But after visiting your site, I sense you do not agree since one of your products is MacScan. What benefits are provided by MacScan that are beyond the built in Apple protections?

Now, we could (and probably should!) spend an entire episode going over the common myths and misconceptions when it comes to the need for anti-malware software on a Mac, but for today we’ll just stick with the basics.

– Apple’s built-in protections are limited, and by themselves won’t stop you from getting infected. Most adware encountered these days is signed with a valid Developer ID certificate from Apple, so Gatekeeper is no help there until Apple becomes aware of the rogue software and revokes their certificate. (SecureMac has informed Apple of malware they weren’t aware of on more than one occasion)

– Adware is the number one problem encountered by users, and is often installed by tagging along with other software.

– If you’re a power-user, and are comfortable digging into the guts of the system, you might not need anti-malware.

– Forums are filled with steps to take to remove various malware/adware infections. The problem is that many times there are newer variants of the malware floating around, and the original instructions may not fully remove all components, and it’s very easy to cause real problems when manually typing in terminal commands, etc, which are generally part of those removal directions.

– If you’re a normal home-user, anti-malware is definitely something we’d recommend.

– We offer an anti-malware product (MacScan 3) which is designed to complement the built-in security features of your Mac. MacScan 3 offers a variety of features that go above and beyond those found in XProtect and Gatekeeper, including scan scheduling, automatic tracking cookie cleaning, detailed scan logs, automated malware definition and tracking cookie blacklist updates, web file cleaning, and more. You can learn more about MacScan 3 here on our website.

iCloud Security – How is Apple protecting your data? Listener Steve D asked the following question:

Now that Apple has offered us the ability to store all our Documents (and Desktop) on iCloud (enabling access from all our devices), I think it would be useful to discuss its security. In particular, how is Apple protecting our data (are the files encrypted?)

While the exact data protection mechanisms for iCloud used to be a bit of a black box, Apple has thankfully opened up quite a bit in recent years, and actually publishes a page on their site detailing the different security measures they’ve implemented for each category of data stored in iCloud!

Here’s the overall breakdown:

– Everything is encrypted in transit (as it’s being sent from your Mac or iOS device to Apple’s iCloud servers or vice-versa).

– Almost everything is encrypted at rest (on Apple’s iCloud servers).

– Calendar, Contacts, Bookmarks, Notes, Reminders, Photos, Documents in the Cloud, iCloud Drive, Backup, Find My iPhone, and Find My Friends are all encrypted with a minimum of 128-bit AES encryption. Server-side encryption for Notes is only available when using iOS 9 (or later) or OS X El Capitan.

– iCloud Keychain uses 256-bit AES encryption to store and transmit passwords and credit card information, and also uses elliptic curve asymmetric cryptography and key wrapping.

– iCloud.com and Back to My Mac sessions are encrypted with SSL, as is all traffic between your devices and iCloud Mail. However, consistent with standard industry practice, iCloud does not encrypt data stored on IMAP mail servers.

– Finally, purchased or matched music files from iTunes in the Cloud are not encrypted on server because they don’t contain any personal information.

Routers, switches, and modems – what’s the difference? Listener Corrie A. asks:

What is the difference between a router, a switch and a modem anyway? Most people don’t know.

It’s easy to get these three terms confused, especially since the hardware provided by most Internet Service Providers (ISPs) combines two or more of them into a single unit these days!

– A modem is the piece of hardware that sets up a connection to your ISP so you can access the internet. Anybody who started using the internet back in the early to mid 90’s might remember the funky noises old dial-up modems made as they connected to AOL, eWorld, Compuserve, or Prodigy. Back then, modems made use of your telephone line, and if somebody picked up the phone while you were online, you’d most likely be disconnected shortly thereafter! These days, most modems connect over cable or DSL, which provide much faster connection speeds.

– A router is a piece of hardware that “routes” traffic between the various devices on your home network. It’s the thing that keeps track of which piece of data goes to which device, so you can read the news on your Mac while another family member catches up with friends on Facebook on their phone. When you connect to your home wi-fi network, you’re connecting to your router. Most of the time, your ISP will supply a single piece of hardware that acts as both a modem and a router these days.

– A switch is commonly found in larger networks, such as those found at educational institutes or corporations. Switches provide more fine-grained control as far as data filtering and traffic control goes, and often include advanced security features and load balancing functionality.

Online banking – how to stay safe? Listener Robert M. wants to know more about online banking:

How about devoting an episode to online banking? My bank uses FinanceWorks from Intuit. How about other web based banking sites like Mint (also from Intuit)? Or the various banking apps that reside locally on a Mac?

While Quicken has long reigned supreme as the de facto standard when it came to personal finance management, more and more options have become available in recent years. Which one you choose is generally a matter of personal preference, but going with one supported by your bank will generally make life easier. There are a few best practices to follow when it comes to personal finance management apps and services:

– Make sure your computer is running the latest operating system, and is up-to-date with the latest security updates and patches.

– Make sure your web browser is up-to-date with the latest version and patches.

– Run up-to-date anti-malware software on a regular basis.

– Use well-known commercial personal financial management software to ensure that your data is encrypted both on your computer and while in transit to and from your bank’s servers. Never store sensitive information such as your bank account, social security, or credit card numbers in an unencrypted format (such as a plain text file).

– Only use a secure network connection for online banking. Never do online banking from a public wifi network.

– Keep backups of your financial data files (either on an external hard drive, burned to CD or DVD, or as physical print outs if necessary). Store your backups in a secure location such as a safety deposit box at your bank, or in a high-rated fire safe at home. Never store your financial data on a usb thumb drive, which can be easily lost or misplaced.

That wraps things up for this episode! If you’d like more information on any of the topics we’ve covered today, or if you’d like to see your question featured on a future episode, send us an e-mail at checklist@securemac.com!