Category: Security

The MacOS System Permission Dialog

Computer users are frequently asked to enter passwords. They are often confused by these requests. Their two most common questions are:

  • Which of my many passwords does it want?
  • Is it legitimate and safe to enter my password here?

The MacOS System Permission Dialog can help you with the answers.

Which Password does it want?

When you see a dialog similar to this, you know it is from your own Mac. It wants either the username and password that you use to sign onto your Mac at startup, or the credentials of an administrator account on the computer.

Installer is trying to install new software. Enter an administrator's name and password to allow this.

So, don’t enter your iCloud password, or the password to any of your other on-line accounts. You should use a username and password for the Mac that you are sitting in front of at the moment.

The details of this dialog may vary. It might say Installer, or some other program, and the wording may vary depending on the situation.

Is it safe?

How do you know it is safe to enter your account password in this dialog? With MacOS, Apple controls the type of dialog boxes and windows that programs are allowed to display. Programs are not allowed to display windows without title bars. That is reserved for system dialogs. Apps can ask the system to display dialogs on their behalf, and text from the App may be included in the dialog, but the overall dialog is controlled by MacOS. You will notice that these system permission dialogs do not have title bars at the top. The usual red, yellow and green dots are not present.

MacUpdater wants permission to update. Enter an administrator's name and password to allow this.

This could still be spoofed to an extent. After all, you are looking at such a dialog box right now, displayed on a web page. Would it be safe to enter your password here? No. Web pages can and do display whatever they want, as do application programs.

Although they will probably pop up in front of some other window, legitimate system dialog boxes can be dragged to the desktop, where they will display in front of your desktop pattern, without any title bar, as seen above. Malicious web sites or programs cannot duplicate this behavior.

However, to make it tricky, you may have to grab them by the very top of the window, where the title bar would be, in order to be able to move them.

The other safety test is really up to you. Even though the dialog itself is legitimate, it may be asking you for a permission you don’t want to grant. For installer permissions, only grant permission if you are knowingly in the process of installing or updating a program. Don’t agree to install a program just because a web site told you to.

Think twice before giving programs special permissions. Does a word game legitimately need permission to access your microphone and camera? Probably not. You shouldn’t grant it unless there is some real, unusual reason.

Administrator privileges are required to make changes to CCC backup tasks. Enter your password to allow this.
Carbon Copy Cloner asking for Administrator Privileges

Above, the application Carbon Copy Cloner is asking for Administrator Privileges. This is a very powerful and sweeping request. You should trust the program and it should have a very good reason before granting this request. Carbon Copy Cloner has a long and good reputation, and it is performing system-level functions, so I choose to give it permission.

There is an exception to every rule. The legitimate dialog below from the System Settings app cannot be moved or dragged. Because it appears in the context of System Settings (a built-in and integral part of MacOS) I trust it anyway.

Privacy & Security is trying to modify your system settings. Enter your password to allow this.

I hope this discussion has given you some useful hints about entering passwords on your Mac. I hope the computer elves were good to you this Christmas and happy New Year to you.

Preparing Your Digital Legacy

MacMad Meeting Topic September 2023

What happens to your digital possessions after your death? How can you make sure that they are available (or not available) to your heirs as you wish?

The same preparations that will help your heirs after your death can help you while you are alive. They can help with disaster recovery after a fire, flood, etc. They can help in the event you have to go to the hospital or are temporarily incapacitated. They can help if your phone or computer is lost, destroyed or just quits working.

Apple ID and iCloud

For Apple users, the obvious place to start is your Apple ID. This single ID controls your Apple email account, your iCloud on-line storage and many other things you may or may not be using.

If your heirs know your Apple ID credentials, they can access your stored photos and documents, read your email, unlock your locked devices and prepare computers and devices for sale. Without your Apple ID, they may be completely locked out of doing any of those things.

Apple has a Legacy Contact Provision that you can use to designate a person to have access to your Apple ID after your death.

How to add a Legacy Contact for Your Apple ID

If someone has died without a Legacy Contact, you may still, in some circumstances, get access to their account.

How to request access to a deceased family member’s Apple account

Make a List

Make a list of your on-line accounts and keep it in a safe place for your heirs. Note that probably every company you do business with has an on-line account. The list can be on paper, or in digital form. Just make sure that your heirs will be able to access the list.

You should make some notes as to the purpose and significance of each account. If you have an account at foobar.biz, will your heirs have any idea if that’s important, or why you had it? In a year or two, will you yourself remember why you created that account?

What’s in the List

  • A descriptive name, e.g. A fabulous Example Site
  • The URL of the Web Site, e.g. example.com
  • Username, e.g. John Doe
  • eMail address associated with the account, e.g. [email protected]
  • Password, e.g. monkey123
  • 2FA info, e.g. This site doesn’t support 2FA
  • Notes, e.g. A social media site primarily for dogs

Note that your Username on a site might be an email address or not. Note that the site probably doesn’t have anything to do with the email domain (me.com, in the example), unless the site is an email provider.

Passwords are case sensitive. For handwritten lists, make sure your writing is clear, and that upper and lower case letters are clearly distinguished. One convention is to underline capital letters. eMail addresses are never case sensitive, and are usually written in all lower case.

Password Managers

A password manager is essentially a place to keep a list of all your accounts, while keeping the passwords safely encrypted. This is ideal information for your heirs, if they can get access.

Legacy access is just another reason to use a password manager.

Popular Password Managers include:

You may be able to establish an emergency or legacy contact for your password manager. You may be able to have shared password vaults with your family members, so that they always have access to those accounts.

Things You Should Keep On Paper

You should keep a paper copy of at least your most important accounts and passwords. This would likely include your password manager and passcodes to your devices. You should include backup 2FA (2nd factor Authentication) codes, if you use 2FA for those accounts. Don’t forget to mark on the 2FA codes exactly which service and account they are for. Put all these papers somewhere like a safe or safety deposit box.

eMail Accounts Are Important

You might think that your email is unimportant — just a pile of silly memes and spam. But your email is often the key to accessing your other, more important, accounts. Most accounts require an email address to sign up. If you forget your password (or your heirs don’t know it), the forgot password password recovery process uses your email to reset your password.

This is why you should use strong passwords and good security on your email accounts, and also why you should make sure your heirs can get access.

Keep accounts separate from your spouse

Death is another good reason not to use shared email and other accounts. You don’t want your account to be closed because your spouse has died.

Your Phone is Important

Your phone is another way to access your accounts. The account sign-on or recovery process often includes a text message or phone call with a sign-in code. If you or your heirs lose access to your phone, that process will be stymied.

Apps on your phone are often the easiest way to access your accounts. If you have authenticator app(s) (for 2FA codes) on your phone that you use to sign in, how will your heirs sign in without access to your phone?

Google, LastPass, Microsoft and others have stand-alone authenticator apps.

The Apple Wallet App is probably only accessible on your iPhone or Apple Watch. Your heirs might need that to pay the credit card bills.

Precautions

  • Back up your iPhone periodically, either to your computer, or to iCloud.
  • Make sure your heirs can find your iPhone passcode.
  • Consider adding your spouse’s fingerprint or face ID to your device

If you need to restore a phone because of a forgotten passcode, almost everything will be restored, except Authenticator App data, and the Apple Wallet.

Other Accounts

Every web site and company will have its own methods for account security and recovery. There are a few things you can do to make account recovery easier for you and for your heirs.

Establish backup email addresses, and backup telephone numbers if the site supports them. Add your trusted spouse’s phone, for example as a secondary method of receiving login codes.

Similar to your Apple ID, your Google account is multifaceted. It governs Gmail, Google Photos, Google Pay and Google Drive (and more). Many people have important documents and precious photos in Google Drive and Google Photos.

If you can’t or don’t want to provide credentials to your account to your estate, you can set up a policy with the Inactive Account Manager. You can specify what happens to your Google account when it becomes inactive for a specified time — presumably when you have died. You can give access to specified people, and/or specify that your account is to be deleted.

Many accounts have no legacy or inheritance feature. The survivors have to go through a process with a death certificate or letters of administration to gain control of the deceased account.

What’s Most Important to Your Heirs

  • Where’s the money?
  • How can I get access?
  • Where’s the tax information for final IRS return?
  • Where are the family photos?
  • How can I delete or close the account?
  • How can I sell the device?
  • How can I cancel the subscriptions?

Other Things to Consider

Financial Accounts

  • Banking
  • PIN
  • Investment
  • Insurance
  • Cryptocurrency wallets and exchanges
  • PayPal
  • What will your heirs need in order to pay all the bills?
  • Retirement accounts
  • IRS.gov, ID.me accounts. Heirs need to file your final tax return.

Home

  • Alarm Codes
  • Keypad codes (door locks)
  • Safe combinations
  • Websites for alarm systems
  • Solar generating systems
  • Home Monitoring services

Cars

  • Pin and Keypad codes (yes, some cars have these)
  • On-line account credentials (yes, some cars have these)
  • SiriusXM subscription
  • Dashcam account
  • SunPass account (toll transponders)

2FA Keys

  • Physical Keys, (Yubikey)
  • 2FA Apps
  • BACKUP CODES – make sure you have printed out backup 2FA codes for your accounts and stored them safely

Other Companies & Web Sites in General

  • Frequent Flyer Miles, Travel Points (can be valuable) Airline miles – often not “officially” transferable, but can be if you have the credentials
  • do you have an email account at your ISP that you use?
  • Genealogy – you did it for your heirs, right?
  • Access to family tree
  • Access to DNA test results
  • Amazon
  • music, photos, videos, books

What would your heirs need in order to sell your computer?

iPad and iPhones, Apple Watch

Digital Media (usually can’t be officially transferred)

  • Purchased Music
  • Purchased Movies & TV Shows
  • Purchased Software (Software Licenses)
  • Purchased eBooks

Social Media Accounts

  • How your heirs might notify folks of your passing
  • Heirs might want to close the account(s)
  • Access to photos stored on-line
  • If you didn’t use your real name/birthday on FB or others, your heirs might not be able to delete or memorialize the account because the details on the death certificate don’t match.

Clubs and Organizations

  • Club accounts
  • Webmaster signons
  • Treasury accounts
  • Domain name registrar accounts

Introducing Passkeys

Why are they better than passwords?

In the coming months, you will probably change how you sign on to your favorite web sites.

Passkey support is coming to your devices and web sites to provide a sign-on process that is both more secure and more convenient than the familiar but annoying username and password system.

Passkeys were developed and supported jointly by Google, Apple and Microsoft through the FIDO Alliance.

Passkeys are superficially similar to the Logon with Apple or Logon with Google buttons you may have seen on some web sites. Passkeys, however, represent a single, unified standard logon mechanism that a web site can implement once, which then supports all platforms. The buy-in from major tech companies means that passkeys will probably be widely adopted.

This short video from iThemes (2:58) gives a quick overview of Passkeys. Although it is specific to WordPress and iThemes Pro, most of what is described is general-purpose.

This video from the Apple Developer Conference gives a good overview of passkeys in the first 7:30 or so. After that, the video goes deep into developer technical details.

To use passkeys to logon to a site, passkeys must be supported by both the web site and by your device. For a device to fully support passkeys, it must have biometric authentication. On Apple devices, that means Touch ID or Face ID.

However, you can use your phone (which has Touch ID or Face ID) to logon to a web site on a computer that lacks biometric authentication. You will simply scan a QR code presented by the site with your phone, and passkeys can log you in.

Biometric authentication is used only to identify you to your device. Your face or fingerprint is never transmitted to the website or outside your device.

To sign in, you will first enter your username or email address as usual. But, instead of entering a password, you will simply click Login with Passkeys, and your device will log you in securely. Since you don’t have a password, it can’t be stolen, either from you, or from the web site.

Once you have set up a passkey for a site on one of your Apple devices, it will be automatically available on your other Apple devices through iCloud. Remember, that it can only work on newer devices that have Touch ID or FaceID.

At present, there is no way to share passkeys between platforms, so your Passkeys created on an Apple device won’t easily transfer to your Microsoft Windows PC, or vice versa.

PassKeys is already supported in current versions of iOS (iOS 16.x) and MacOS 13 (Ventura). Microsoft’s implementation of passkeys is part of “Windows Hello”.

Right now, just a few web sites support passkeys, but the list is growing.

If you want to try passkeys yourself, there is a demonstration web site which lets you try creating a passkey and logging on with it.

Password Managers

Whatever password manager you are using, don’t get rid of it yet. Some sites will continue to use passwords. Passkeys will work in conjunction with Apple’s own password manager, Keychain. The popular password managers, Bitwarden and 1Password will probably have some sort of support for passkeys in the future.

If you are in the habit of writing your passwords down in a little black book, all you will need to record is the name of the website, your username or email, and “Use passkeys”. Anyone looking at that book would not be able to logon as you, because they won’t have your device or your face or fingerprint.

The same (lack of) information is probably what would be recorded in a password manager app. Again, it’s nice that there is no password for anyone to steal.

Beware Fake iCloud or App Store emails

There has been a recent spate of phishing emails purporting to come from Apple. Typically they show some sort of a purchase or subscription that you supposedly bought from Apple. As always, DO NOT CLICK LINKS in emails.

If you want to check your account, do so from within iTunes, or by logging in at iCloud.com or Apple.com yourself.

In the email there are some suspicious indicators if you look for them. First of all, the email is not from the domain apple.com.

Second, the mail addresses you as “Valuable Customer”, not by name.

This email is fake!

The bad guys expect you to be outraged that you are being charged for something you didn’t order — and that you will rashly click on the link they provided.

I don’t know what happens when you do that. Probably, it is a fake imitation of the Apple sign-in page where your credentials will be stolen. However, it may be some kind of attack that takes place merely by visiting the site.

Be safe out there, folks!

Two-Factor Authentication for Apple ID

Two-Factor Authentication and One-Time Passwords

MacMAD Meeting Topic for June 20, 2017

Your Apple ID is your single set of credentials for everything from Apple, including:

  • Email
  • iCloud files, calendars, contacts, etc.
  • Photos
  • purchases on the iTunes store
  • buying hardware on the Apple Store

This is pretty important stuff, right? You don’t want your credentials to fall into the wrong hands!� Until recently, those credentials consisted of only your username and password, which seldom change. If a bad guy got hold of those, he’d have complete access to your Apple identity.

To help prevent that, Apple set up Two-Factor Authentication (2FA).� With 2FA, in addition to username and password, you must also give a verification code. Verification codes are sent to your phone or other trusted device. The verification code is different each time you log on.

Two-Factor Authentication is optional for users. However, you may now be forced to use it if you use certain apps — those which access your iCloud account.

Some apps require access to your files in iCloud, and therefore need your iCloud credentials to do so. This is fine, but you don’t want them to have the keys to your entire kingdom, do you? You don’t want a calendar app to order a new Macintosh, or delete your photos.

To control such apps, Apple now requires them to access iCloud using a One-Time password. This allows them to bypass 2FA, but using a special password which is only useable by that app for limited purposes. Once you give a one-time password to an app, and it uses it, it can never be used again for any other purpose.

You do not need to store or remember one-time passwords. If for some reason you need to re-authorize an app, you can simply generate a new one-time password for it.� Dennis explains how to do all this in these slides from this month’s meeting:

Apple Two-Factor Authentication 2017

 

 

 

VPN – Virtual Private Network Meeting Topic

MacMAD’s October, 2016 Meeting topic is VPNs (Virtual Private Networks). Here are some accompanying links and information.

People generally use a VPN for these reasons:

  • Security and privacy when using a public network, such as at a coffee shop or hotel.
  • To allow access to online content which is subject to geographical restrictions.
  • To allow remote access to a private local network such as your home network or your employer’s network
  • Provide privacy at home (prevent your ISP from knowing what you are up to)

VPN Features to Look For

  • Automatic connection and reconnection – prevents accidental leakage of unencrypted data
  • Choice of VPN endpoint – What country would you like to be in today?
  • Self Installation/Configuration – Avoids lots of technical settings

Client and Server

VPNs follow a client-server model. The client app usually runs on your computer or portable device. The server can be either a commercial VPN service or you can run your own VPN server at home on your router (some models) or on another computer. There are many (hundreds) commercial VPN providers. The following list is not at all complete.

Commercial VPN Providers

VPN Software

VPN Protocols

Your choice of protocol will probably be determined by what your server or provider supports.

  • PPTP – (Point-to-Point Tunneling Protocol) Old, do not use. No longer supported in macOS Sierra. or� iOS 10.
  • L2TP – (Layer 2 Tunneling Protocol) needs IPSec or similar to be secured.
  • IPSec – (Internet Protocol Security) A modern protocol.� Can work in conjunction with L2TP.
  • IKEv2 – (Internet Key Exchange version 2) A modern protocol.

Here’s the MacOS VPN Dialog in System Preferences

vpn-dialog
MacOS Network Preferences — adding a VPN interface

 

openvpn-1
The iOS app OpenVPN

July 2016 Security & Backup Meeting Slides

We’re trying something a bit different this meeting. So you don’t have to take notes, we’re putting the presentation on-line. And we’re doing it the Apple Way – using iCloud. You should be able to view these links on Mac or iOS. They are Keynote documents.

Here are the slides for tonight’s meeting as a shared iCloud (Keynote) document.

And here are the slides from November 2015’s Security presentation.

After clicking one of these links, you will be able to view the slides in your web browser, or you can download and open a copy in Keynote. Here’s what that looks like in iOS:

iCloud Share