LittleBITS: TidBITS Formatting Bug, Ransomware Protections, More OCR in Images

Originally published at: LittleBITS: TidBITS Formatting Bug, Ransomware Protections, More OCR in Images - TidBITS

This week, Adam asks for help tracking down an email formatting bug in TidBITS issues, points those worried about ransomware to RansomWhere and Retrospect 18, and looks at more utilities that perform OCR on text in images.

Re: Ransomware Protections
You mentioned Colonial Pipeline as a high profile ransomware attack. I understand the attack was due to an employee who re-used a password on another service that was hacked and not requiring 2 factor authentication to access a Colonial Pipeline administrator account.

Passwords are notoriously insecure. They can stolen, phished, intercepted, and all too often guessed. While 2-factor-authentication is an improvement, the user experience is awful and using SMS messaging to send a confirmation code is still insecure. Even authenticator apps still rely on entering a secret that can be phished or compromised.

The future is passwordless. You authenticate to your smartphone (something you have and something you are Face-ID or Touch-ID), and your smartphone authenticates to the “Relying Party” using modern cryptography such that no secrets are exchanged.

Apple recently joined the FIDO Alliance elevating it to a de-facto industry standard. The next step is mass adoption which users can encourage by letting service providers know they want passwordless authentication. Details of course matter like what if you lose your phone and need to re-enroll?

The vision is simple: navigate to a service and click a button to approve logging in from your smartphone. No password to enter or remember.

Any mail server passed through could be rewriting the CSS causing the formatting problem. You should ask for a copy of the email including all headers from those experiencing the problem. (An easy way to explain that to Mac Mail users might be to say to send the message with “Forward as attachment”.)

I find it interesting that all those Adobe apps are setting off the RansomWhere alarm. I’ve found that Adobe always have several processes running in the background even if I have none of their apps open. This is the why I’ve avoided using Adobe-anything if there is an alternative I can live with.

Re: More OCR in Images
For my extremely meager OCR needs, an unlikely solution turns out to be Google Docs. Open a picture file in Google Docs, and if any text in there is relatively straight and in focus, you will get a file with usable (?) text.
Google Docs doesn’t do a thing to preserve text styles, and don’t think you can throw multi-column text at it. But if you need some text that you can work with in another app, give it a try.

Apple Mail does this when you have it set to forward mail to another address. It inserts breaks in the message HTML, which depending on where they are, can break the mail formatting.

first thanks for this extremely helpful article. I’ve started to use RansomWhere based on this article and will look into Retrospect (I am currently a CCC user, with time machine; and coincidentally am experiencing problems with some files, which though not due to malware are a vivid reminder of the importance of file hygiene; I’m a super diligent “backer upper”, but there’s always room for improvement ).

Now my question: Does anyone know of a utility that lists all modified change files? Does one of the two utilities mentioned actually list the changed files (conveniently)? Or does it just use that info in its processes? I’d rather not have to wade through a super long output; I’d like to focus specifically on daily “changed file” logs.

Rationale:

1. One can’t rely on date modified in Finder meta-data / spotlight, xattributes , because malware could manipulate that.
2. This would allow me to do a visual audit at the end of each day. Seems to me that this would be superior to AI for false negatives – or at least a great adjunct.

I’d be willing to use regular expressions to parse the software’s output into something like that.

Coincidentally, on Nov 14 (day before the article here) , CBC Radio aired Diagnosing healthcare’s cyber hygiene problem | CBC Radio. This included interviews with

• Benjamin Fung “Canada Research Chair in Data Mining for Cybersecurity and a professor of information studies at McGill University. He previously worked as co-curator of cybersecurity in the World Economic Forum”
• a Microsoft VP or director of cybersecurity . I’ve forgotten her name

both mentioned limitations of signatures, and need for AI in Ransomware detection.

BTW: I am super impressed by the quality and relevance of information on TidBits. I subscribe to few newsletters, but I do read my TidBit round emails on Mondays with interest.

Now my third reply for the day… (each different angles on this) :

anyone care to share an opinion regarding Malwarebytes re ransomware protection? Is it purely signature based? I think they have an organizational product, but I’m looking for something local. (My own main organization CogSci Apps Corp. is distributed.)

Re: Ransomware
I have been learning to use ChronoSync. It occurred to me that I could install ChronoSync on an old MacMini and ChronoAgent on our main computer and have ChronoSync maintain an archive with several versions of our files. If ransomware did get onto our main computer somehow, it wouldn’t have access to the MacMini to encrypt the backups. Does anyone see any holes in this idea?

Currently Malwarebytes is almost entirely signature or filename+location based, so would only be effective against known, current ransomware and since all of the known Mac ransomware is extinct, I doubt there are any such signatures in the current database. I’m confident that if a new ransomware 0day threat emerges, Malwarebytes will have distributed appropriate signatures within a few hours of obtaining a sample, as it did with previous exploits.

I would guess that probably would not prevent new ransomware from from accessing the MacMini since it has write access to those files, but it would have to be designed to recognize a ChronoSync file as one that it would bother encrypting. Ransomware only encrypts certain files that it deems critical to the user in order to finish quickly while doing the most damage.

Re: More Text in Image Recognition Utilities
Always worth mentioning that Shortcuts combined to the Live-Text feature of Monterey let you build your own (free) screen text/ locked PDF text extraction tool. Look at the explanation provided by Gary Rosenzweig from macmost.

The problem is that there’s no way of knowing what a hypothetical ransomware app could do. If the Macs are both on the same network, the ransomware could theoretically hop from one to another, for instance. The only thing that’s truly safe is some sort of WORM method that guarantees that nothing can mess with the backups.

But as I said in the article, I really don’t think protecting against ransomware is worth much effort for individual Mac users at this point. There’s just no credible threat. RansomWhere is easy to run and worth having as a small bit of insurance, and a good backup strategy is likely to be sufficient to recover even if there is a new piece of ransomware that targets Macs in the future, given how weak they’ve been so far.

Obviously, should a new and aggressive form of ransomware for Macs appear, all that advice would have to change.

It’s like protecting your house from meteor strikes. They’re not inconceivable now, but they’re so infrequent that there’s no reason to live in an underground bunker just in case. But if something happened such that parts of the moon started breaking off and hitting the Earth, we’d all be adjusting our housing preference.

I’ve not used this, but FSMonitor claims to do it and has a trial version.

https://fsmonitor.com/

And there’s this StackExchange discussion about how to do it on the command line.

That’s how I’d think most Unix-thinking people would solve the problem—there has to be some command-line incantation that just does this.

The problem that I think you’ll run into is that a LOT of things change on a Mac daily, and it may be difficult to narrow it to just things that you care about.

This is one of the reason why off-line (if not off-site) backups are an important part of any backup strategy.

In addition to automatically scheduled backups (e.g. Time Machine, Chronosync, etc.), you should also perform periodic manual backups to external storage (e.g. a USB hard drive) that is powered-off or disconnected when not actively being used (to backup or restore files).

This way, if you get some malware (ransom or otherwise) that starts trashing connected backup media, it won’t be able to get those disconnected backups.

If your backup software makes snapshots (e.g. as CCC does), then even if your current data got corrupted, you will probably have a backup (if not the most recent one, then a previous one) with the good data. Not quite as robust as the Retrospect solution, but probably good enough for individual/home users. (Of course malware could actively seek out and delete snapshots - that’s why it’s not a perfect solution - but I don’t think we’ve seen this happen yet.)

Fully agree. Offline/off-site backups are as simple as clones to an external HDD that then gets removed and dumped into a closet at work/vacation home/brother’s house.

HDDs are super cheap these days, even large capacity. USB-SATA docks cost next to nothing. SuperDuper has a free mode that will do a simple straightforward clone with literally two clicks.

I have a rotating set that sees one of these disks updated about monthly. If a ransomware attack were to occur, the worst I’d lose is the not cloud-backed up stuff from the last month. That’s very little, and none of it is really important. I feel what I’m doing is neither expensive, time consuming (cloning takes place over night), nor complicated. And the added peace of mind is more than worth the little effort.

quickly glancing I couldn’t tell whether they encrypt the backups – and in a way that only can be decrypted by myself. I wouldn’t want my data residing unencrypted on someone else’s server. I guess I could do the encryption myself and only send the encrypted files up to the server. That of course complicates matters (as encrypting a drive complicates recovery).

unfortunately, the interview I quoted above (perhaps it was the Microsoft person saying this; they have a bigger problem) said that current RW modifies its own “signature” i.e., does not have a signature.

Yes, Retrospect 18 offers encryption:

End-to-End Security:

Retrospect supports a variety of encryption algorithms, including AES-256, for both at-rest and in-transit security options

Definitely, though it’s important that those drives not be connected to the machine before the ransomware is removed, or they could be encrypted or damaged as well at that point. That’s an advantage of Internet backup as long as there’s versioning in place so you can always roll back to before the ransomware-encrypted data started to be backed up.

The real problem with ransomware is that there’s sufficiently big money involved that the crazy hypotheticals have to be considered seriously. For instance, Backblaze has versioning so it would seem to provide protection. But there are ways that Backblaze backups can be deleted by the user, so if the ransomware could simulate those actions, it could prevent Backblaze from being a possible restoration option. That’s why the way Retrospect uses Cloud Object Lock to create immutable backups is important—there’s no theoretical attack that can affect its data. (Short of a massive infiltration of an entire cloud service provider and the assumption that there’s some possible way of disabling Cloud Object Lock as a result of that infiltration.)