LittleBITS: TidBITS Formatting Bug, Ransomware Protections, More OCR in Images

Re: More OCR in Images
For my extremely meager OCR needs, an unlikely solution turns out to be Google Docs. Open a picture file in Google Docs, and if any text in there is relatively straight and in focus, you will get a file with usable (?) text.
Google Docs doesn’t do a thing to preserve text styles, and don’t think you can throw multi-column text at it. But if you need some text that you can work with in another app, give it a try.

1 Like

Apple Mail does this when you have it set to forward mail to another address. It inserts breaks in the message HTML, which depending on where they are, can break the mail formatting.

First, thanks for this extremely helpful article. I’ve started to use RansomWhere based on this article and will look into Retrospect (I am currently a CCC user, with Time Machine; and coincidentally am experiencing problems with some files, which though not due to malware are a vivid reminder of the importance of file hygiene; I’m a super diligent “backer upper”, but there’s always room for improvement 🙂).

Now my question: Does anyone know of a utility that lists all modified change files? Does one of the two utilities mentioned actually list the changed files (conveniently)? Or does it just use that info in its processes? I’d rather not have to wade through a super long output; I’d like to focus specifically on daily “changed file” logs.

Rationale:

  1. One can’t rely on date modified in Finder meta-data / Spotlight, xattributes, because malware could manipulate that.
  2. This would allow me to do a visual audit at the end of each day. Seems to me that this would be superior to AI for false negatives – or at least a great adjunct.

I’d be willing to use regular expressions to parse the software’s output into something like that.

Coincidentally, on Nov 14 (day before the article here), CBC Radio aired “Diagnosing healthcare’s cyber hygiene problem”. This included interviews with

  • Benjamin Fung “Canada Research Chair in Data Mining for Cybersecurity and a professor of information studies at McGill University. He previously worked as co-curator of cybersecurity in the World Economic Forum”
  • a Microsoft VP or director of cybersecurity. I’ve forgotten her name

Both mentioned limitations of signatures, and need for AI in ransomware detection.

BTW: I am super impressed by the quality and relevance of information on TidBITS. I subscribe to few newsletters, but I do read my TidBITS round emails on Mondays with interest.

1 Like

Now my third reply for the day… (each different angles on this):

Anyone care to share an opinion regarding Malwarebytes re ransomware protection? Is it purely signature based? I think they have an organizational product, but I’m looking for something local. (My own main organization CogSci Apps Corp. is distributed.)

Re: Ransomware
I have been learning to use ChronoSync. It occurred to me that I could install ChronoSync on an old Mac mini and ChronoAgent on our main computer and have ChronoSync maintain an archive with several versions of our files. If ransomware did get onto our main computer somehow, it wouldn’t have access to the Mac mini to encrypt the backups. Does anyone see any holes in this idea?

1 Like

Currently Malwarebytes is almost entirely signature or filename+location based, so would only be effective against known, current ransomware and since all of the known Mac ransomware is extinct, I doubt there are any such signatures in the current database. I’m confident that if a new ransomware 0day threat emerges, Malwarebytes will have distributed appropriate signatures within a few hours of obtaining a sample, as it did with previous exploits.

1 Like

I would guess that probably would not prevent new ransomware from accessing the Mac mini since it has write access to those files, but it would have to be designed to recognize a ChronoSync file as one that it would bother encrypting. Ransomware only encrypts certain files that it deems critical to the user in order to finish quickly while doing the most damage.

1 Like

Re: More Text in Image Recognition Utilities
Always worth mentioning that Shortcuts combined with the Live Text feature of Monterey lets you build your own (free) screen text / locked PDF text extraction tool. Look at the explanation provided by Gary Rosenzweig from MacMost.

1 Like

The problem is that there’s no way of knowing what a hypothetical ransomware app could do. If the Macs are both on the same network, the ransomware could theoretically hop from one to another, for instance. The only thing that’s truly safe is some sort of WORM method that guarantees that nothing can mess with the backups.

But as I said in the article, I really don’t think protecting against ransomware is worth much effort for individual Mac users at this point. There’s just no credible threat. RansomWhere is easy to run and worth having as a small bit of insurance, and a good backup strategy is likely to be sufficient to recover even if there is a new piece of ransomware that targets Macs in the future, given how weak they’ve been so far.

Obviously, should a new and aggressive form of ransomware for Macs appear, all that advice would have to change.

It’s like protecting your house from meteor strikes. They’re not inconceivable now, but they’re so infrequent that there’s no reason to live in an underground bunker just in case. But if something happened such that parts of the moon started breaking off and hitting the Earth, we’d all be adjusting our housing preference.

3 Likes

I’ve not used this, but FSMonitor claims to do it and has a trial version.

https://fsmonitor.com/

And there’s this StackExchange discussion about how to do it on the command line.

That’s how I’d think most Unix-thinking people would solve the problem—there has to be some command-line incantation that just does this.

The problem that I think you’ll run into is that a LOT of things change on a Mac daily, and it may be difficult to narrow it to just things that you care about.

1 Like

This is one of the reasons why off-line (if not off-site) backups are an important part of any backup strategy.

In addition to automatically scheduled backups (e.g. Time Machine, ChronoSync, etc.), you should also perform periodic manual backups to external storage (e.g. a USB hard drive) that is powered-off or disconnected when not actively being used (to back up or restore files).

This way, if you get some malware (ransom or otherwise) that starts trashing connected backup media, it won’t be able to get those disconnected backups.

If your backup software makes snapshots (e.g. as CCC does), then even if your current data got corrupted, you will probably have a backup (if not the most recent one, then a previous one) with the good data. Not quite as robust as the Retrospect solution, but probably good enough for individual/home users. (Of course malware could actively seek out and delete snapshots - that’s why it’s not a perfect solution - but I don’t think we’ve seen this happen yet.)

2 Likes

Fully agree. Offline/off-site backups are as simple as clones to an external HDD that then gets removed and dumped into a closet at work/vacation home/brother’s house.

HDDs are super cheap these days, even large capacity. USB-SATA docks cost next to nothing. SuperDuper has a free mode that will do a simple straightforward clone with literally two clicks.

I have a rotating set that sees one of these disks updated about monthly. If a ransomware attack were to occur, the worst I’d lose is the not cloud-backed up stuff from the last month. That’s very little, and none of it is really important. I feel what I’m doing is neither expensive, time consuming (cloning takes place overnight), nor complicated. And the added peace of mind is more than worth the little effort.

1 Like

Quickly glancing, I couldn’t tell whether they encrypt the backups – and in a way that only can be decrypted by myself. I wouldn’t want my data residing unencrypted on someone else’s server. I guess I could do the encryption myself and only send the encrypted files up to the server. That of course complicates matters (as encrypting a drive complicates recovery).

Unfortunately, the interview I quoted above (perhaps it was the Microsoft person saying this; they have a bigger problem) said that current RW modifies its own “signature”, i.e., does not have a signature.

Yes, Retrospect 18 offers encryption:

End-to-End Security:

Retrospect supports a variety of encryption algorithms, including AES-256, for both at-rest and in-transit security options

Definitely, though it’s important that those drives not be connected to the machine before the ransomware is removed, or they could be encrypted or damaged as well at that point. That’s an advantage of Internet backup as long as there’s versioning in place so you can always roll back to before the ransomware-encrypted data started to be backed up.

The real problem with ransomware is that there’s sufficiently big money involved that the crazy hypotheticals have to be considered seriously. For instance, Backblaze has versioning so it would seem to provide protection. But there are ways that Backblaze backups can be deleted by the user, so if the ransomware could simulate those actions, it could prevent Backblaze from being a possible restoration option. That’s why the way Retrospect uses Cloud Object Lock to create immutable backups is important—there’s no theoretical attack that can affect its data. (Short of a massive infiltration of an entire cloud service provider and the assumption that there’s some possible way of disabling Cloud Object Lock as a result of that infiltration.)

2 Likes

I’m intrigued by TextBuddy, cited under “More Text in Image Recognition Utilities.”

I’m looking for an app like this for iOS. Can anyone recommend something?

macOS makes the encryption easy. Simply create an encrypted drive, then back up to it.

(If for some reason you don’t want to encrypt the drive, then make an encrypted sparse bundle disk image and back up to it. That will add some small complications. The whole disk method is as simple as pie. Simpler than pie. Do it once. If you like, CCC will remember the password for you in a keychain.)

I have two 2.5" hard drives and rotate them through the trunk of my car. Many cars have obscure places in the trunk to stash things where car burglars are not likely to look. Even if stolen, or burned in a crash, I have the previous backup in the house.

Thanks, @tidbits44. I’ve been using encrypted disk images since around the time they were introduced, and yes I do encrypt all my numerous b/u drives.

My encryption questions were re Retrospect WORM SaaS, per Adam’s answer.

Regarding file history, the kind folks at Bombich Software (Carbon Copy Cloner) told me in email:

CCC already offers this. First, though, note that CCC uses file size and modification date differences by default to determine if a file should be updated. If the file’s content changed but the size and modification date remained the same, that file would only get updated if your task is using the “Find and replace corrupted files” setting (Advanced Settings > Performance & Analysis). If CCC finds any files that were copied only due to a differing checksum, then those files get a special icon in the Task Audit.

Also note that we have several ways of verifying the integrity of files in CCC v6 (this was actually one of the big features we added to v6):

How to verify a backup

If the file verification finds files that differ only in checksum, these files get highlighted in red.

[Luc:] There would be false positives, but the only false negatives (I think) would be if I forgot to use Spotlight to see what has changed recently.

We deal with these too :-) There are a handful of file types that regularly get modified without changing the size or modification date. […] We point these out, but rein in the panic by noting that they might be false-positives.

What the above means is that I can use Spotlight regularly to manually keep an eye on files that have changed, and CCC to detect/deal with changed files that have same date stamp, and RansomWhere too. So now I have a lot more peace of mind than before I read the original article. So: thank you everyone!

I’ve updated to Carbon Copy Cloner 6 and am pleased as always.

2 Likes
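
A daily change audit of the kind discussed in this thread, comparing content hashes instead of trusting modification dates. This is an added example, not code from any poster or from CCC, FSMonitor or RansomWhere; the function names and the sample files in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map relative path -> (size, mtime_ns, sha256) for regular files under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets and other non-regular files
            st = os.stat(path)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns, digest.hexdigest())
    return manifest

def compare(old, new):
    """Classify paths; 'silent' = content changed but size and mtime did not."""
    report = {"added": sorted(new.keys() - old.keys()), "changed": [], "silent": [],
              "removed": sorted(old.keys() - new.keys())}
    for path in sorted(old.keys() & new.keys()):
        (osize, omtime, ohash), (nsize, nmtime, nhash) = old[path], new[path]
        if ohash != nhash:
            same_meta = (osize, omtime) == (nsize, nmtime)
            report["silent" if same_meta else "changed"].append(path)
    return report

def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample tree: one ordinary edit, one same-size edit with mtime put back."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("notes.txt", b"alpha"), ("photo.raw", b"AAAA"), ("old.txt", b"x")):
            _write(os.path.join(root, name), data)
        before = snapshot(root)
        _write(os.path.join(root, "notes.txt"), b"alpha and beta")
        target = os.path.join(root, "photo.raw")
        st = os.stat(target)
        _write(target, b"BBBB")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore old timestamps
        os.remove(os.path.join(root, "old.txt"))
        _write(os.path.join(root, "new.txt"), b"y")
        return compare(before, snapshot(root))
```

For a real audit, store each day's `snapshot()` result somewhere the audited machine cannot rewrite, and limit `root` to the folders you care about so the "changed" list stays short enough to read.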