macOS High Sierra Automatically Performs Security Check on EFI Firmware Each Week

Mac users who upgrade to macOS High Sierra will benefit from a significant new security feature that works in the background.


macOS High Sierra automatically checks a Mac's EFI firmware against Apple's database of "known good" data to ensure it hasn't been tampered with, according to a series of tweets from an Apple engineer.

The tweets have since been deleted, but a summary remains available on the Mac blog The Eclectic Light Company.
The new utility eficheck, located in /usr/libexec/firmwarecheckers/eficheck, runs automatically once a week. It checks that Mac's firmware against Apple's database of what is known to be good. If it passes, you will see nothing of this, but if there are discrepancies, you will be invited to send a report to Apple.
If the check fails, a prompt will appear with options to "Send to Apple" or "Don't Send." The selection is remembered in subsequent weeks.


The "eficheck" tool sends the binary data from the EFI firmware, and preserves user privacy by excluding data which is stored in NVRAM, according to The Eclectic Light Company. Apple will then be able to analyze the data to determine whether it has been altered by malware or anything else.

The database's library will be automatically and silently updated so long as security updates are turned on.

macOS High Sierra will be publicly released on the Mac App Store later today.


Hacker Releases Firmware Decryption Key for Apple’s Secure Enclave

A hacker released what he claimed to be a firmware decryption key for Apple's Secure Enclave on Thursday, initially sparking fears that iOS security had been compromised.

Apple's Secure Enclave Processor (SEP) handles all cryptographic operations for the Apple Watch Series 2, the A7 processor that powers the iPhone 5s, the iPad Air, the iPad mini 2 and 3, and subsequent A-series chips. The encrypted SEP is completely isolated from the rest of the system and handles Touch ID transactions, password verifications, and other security processes on a separate OS to maintain data protection integrity even if the kernel has been compromised.

One of the ways the SEP does this is by generating a Unique ID (UID) for each device for authentication purposes. The UID automatically changes every time a device is rebooted and remains unknown to other parts of the system, further enhancing its security.

Beyond that, little is known about how the SEP actually works outside of Apple, but that's by design – the enclave's isolation serves to obfuscate it from the rest of the system, preventing hackers from rifling through its code to make it as secure as possible.


The decryption key posted on GitHub yesterday would not enable hackers to access data stored inside the Secure Enclave, but it could allow hackers and security researchers to decrypt the firmware that controls it and potentially spot weaknesses in the code.

Speaking to TechRepublic, the hacker who released the key claimed that Apple's effort to obfuscate the code was itself cause for concern.
"The fact that the SEP was hidden behind a key worries me," said xerub. "Is Apple not confident enough to push SEP decrypted as they did with kernels past iOS 10?" He added that while SEP is amazing tech, the fact that it's a "black box" adds very little, if anything, to security. "Obscurity helps security — I'm not denying that," he said, but added that relying on it for security isn't a good idea.

"I think public scrutiny will add to the security of SEP in the long run," xerub said, noting that was also his intention with releasing the key.
Xerub claimed it's theoretically possible that the decryption key could be used to watch the SEP do its work, which could potentially allow hackers to reverse-engineer its process and gain access to its contents, including passwords and fingerprint data. However, he admitted that a lot of additional work would need to go into exploiting the decrypted firmware.

It's still unclear what the longer term repercussions could be, but an Apple source who wished to remain anonymous told TechRepublic that the release of the SEP key doesn't directly compromise customer data.
"There are a lot of layers of security involved in the SEP, and access to firmware in no way provides access to data protection class information," they said. "It's not an easy leap to say it would make getting at customer data possible."
More accurately, it makes research into the structure of the SEP possible, which could allow hackers to find flaws in its workings. Apple said it did not plan to roll out a fix at this time.



‘Real People’ Don’t Need Encrypted Messaging Services, Claims U.K. Home Secretary

The U.K. home secretary Amber Rudd has argued that "real people" do not want secure end-to-end encryption on messaging platforms and are more concerned with usability and features than unbreakable security (via Yahoo News).

Rudd made her case in a newspaper article, published ahead of a meeting today with technology companies in San Francisco, where she will warn tech giants that their services are being misused by terrorists. Writing in The Daily Telegraph, Rudd said:
"Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family?

"So this is not about asking the companies to break encryption or create so-called 'back doors'.

"Companies are constantly making trade-offs between security and 'usability', and it is here where our experts believe opportunities may lie.

"Real people often prefer ease of use and a multitude of features to perfect, unbreakable security."
Rudd's comments were immediately criticized by privacy campaigners, with civil liberties organization Big Brother Watch calling her viewpoint "at best naïve, at worst dangerous".

"Suggesting that people don't really want security from their online services is frankly insulting," said Renate Samson, chief executive of BBW. "What of those in society who are in dangerous or vulnerable situations, let alone those of us who simply want to protect our communications from breach, hack or cybercrime."

"Once again the government are attempting to undermine the security of all in response to the actions of a few. We are all digital citizens, we all deserve security in the digital space."

Rudd is due to give her speech to tech companies like Twitter, Facebook, and Microsoft, in which she will urge them to do more to remove extremist content online or face new laws forcing them to do so.

Speaking to the BBC, Rudd said she wanted to work more closely with companies on encryption so that "where there is a particular need, where there is a targeted need" the government should be given access to metadata and encrypted content.

But Facebook's chief operating officer, Sheryl Sandberg, pushed back against that argument, and warned about pushing criminals into even harder to reach parts of the internet.

"If people move off those encrypted services to go to encrypted services in countries that won't share the metadata, the government actually has less information, not more," she said.

Tuesday's summit is the first gathering of the Global Internet Forum to Counter Terrorism, an organization set up by the major tech companies following recent terror attacks. Organization members are likely to resist any action that would result in compromised encryption, however.

In a joint statement, the companies taking part said they were co-operating to "substantially disrupt terrorists' ability to use the internet in furthering their causes, while also respecting human rights".

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.



Encrypted Chat App Telegram to Remove Terrorist Content Following Ban Threat in Indonesia

Telegram is to form a team of moderators to remove terrorist-related content from the encrypted messaging platform in Indonesia, after the country's government threatened to ban the app.

Indonesia's Ministry of Communications and Information Technology has already blocked access to the web version of the chat platform, citing concerns that it was being used to spread "radical and terrorist propaganda" in the country, according to Reuters.

"This has to be done because there are many channels on this service that are full of radical and terrorist propaganda, hatred, ways to make bombs, how to carry out attacks, disturbing images, which are all in conflict with Indonesian law," the communications ministry said in a statement on its website.
Telegram co-founder Pavel Durov said on Sunday that the service had blocked channels reported by the government and that it would take further action to remove the illegal content.
"We are forming a dedicated team of moderators with knowledge of Indonesian culture and language to be able to process reports of terrorist-related content more quickly and accurately," Durov said in a Telegram post quoted by Associated Press.
Telegram has been criticized by governments before for its use by terrorist groups to spread propaganda and recruit members. Last month Telegram agreed to provide basic information about the company to Russia after authorities threatened to block access to the service.

Despite pressure from governments, Telegram's founders have refused to bow to demands for backdoors into the platform for authorities to access encrypted messages, arguing that security and privacy are central tenets of the service.

Speaking to The Wall Street Journal on Sunday, Durov said Telegram is "heavily encrypted and privacy-oriented, but we're no friends of terrorists – in fact, every month we block thousands of ISIS-related public channels".


Australia Proposes Law That Would Compel Tech Companies to Decrypt Messages

Australia on Friday proposed new laws that would require companies like Apple to provide law enforcement authorities with access to encrypted communications (via Reuters).

Australia's proposed legislation will compel companies to help security agencies intercept and read messages sent by suspects. It appears to take cues from the U.K.'s Investigatory Powers Bill, which includes provisions that require technology companies to bypass encryption where technically feasible.
"We need to ensure the internet is not used as a dark place for bad people to hide their criminal activities from the law," Australian Prime Minister Malcolm Turnbull told reporters in Sydney.

"The reality is, however, that these encrypted messaging applications and voice applications are being used obviously by all of us, but they're also being used by people who seek to do us harm."
The proposal will be introduced when parliament resumes in August and could be adopted within months, according to lawmakers. Other nations have said they will introduce similar laws.

Apple, along with Facebook, Google, and other major tech companies, has historically opposed such law changes, which they say threaten online security protocols.

For example, Apple claimed the U.K.'s recent bill would "weaken security" for millions of law-abiding customers. "The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers," Apple stated in December 2015. "A key left under the doormat would not just be there for the good guys. The bad guys would find it too."

Facebook rejected the need to introduce the new Australian law, insisting it already had a system in place to work alongside security agencies, while the new legislation could not be implemented on an individual basis.

"Weakening encrypted systems for them would mean weakening it for everyone," a spokeswoman for Facebook told Reuters.

Notably, Australia has not explained how the proposed law would prevent nefarious actors from using open-source encryption tools to encrypt messages that can be transferred through conventional means such as email.

Last month it was reported that Australia attended a meeting of officials from the "Five Eyes" intelligence sharing network, where it pushed for greater international powers to thwart the use of encrypted messaging services by terrorists and criminals.



Popular Mobile VPN Services Shut Down in China

A popular virtual private network service has been forced to close in China on orders from the government, it emerged on Monday. Bloomberg reported that GreenVPN sent a notice to its customers saying it would end the service from July 1 after "receiving a notice from regulatory departments".

VPNs route and encrypt internet traffic to servers outside of the country, making them popular with users in China who have limited access to online content because of government restrictions. VPNs allow access to sites like Facebook and Twitter, which are otherwise blocked by China's "Great Firewall".

Some users of the GreenVPN iPhone app reported that the service failed to load over the weekend. Apps for GreenVPN and SuperVPN are still listed in the App Store, but users reportedly had trouble downloading them or turning them on. Bloomberg was unable to contact SuperVPN's offices, while Apple didn't immediately respond to requests for comment.

It's unknown whether the timing of the VPN shutdown is related to the politically sensitive 20th anniversary of the handover of Hong Kong from Great Britain to China. In January, China's Ministry of Industry and Information announced new priorities for controlling online content which included restrictions on VPNs.

Last year, Apple faced its own issues with Chinese state regulators regarding a controversial independent movie, which led to the shutdown of iTunes and iBooks in the country.


Australia to Push for Greater Powers on Encrypted Messaging at ‘Five Eyes’ Meeting

Australia is set to push for greater international powers to thwart the use of encrypted messaging services by terrorists and criminals, according to reports on Sunday (via Reuters).

The topic will be addressed this week at a meeting of officials from the "Five Eyes" intelligence sharing network, which includes the U.S., the U.K., Canada, Australia, and New Zealand.

Australia claimed the increasing use of strong encryption on smartphones and other devices was hindering law enforcement's capacity to gather and act on intelligence, and said it wants tech companies to do much more to give intelligence and law enforcement agencies access to encrypted communications.

Security experts and privacy groups regularly argue that any such methods would simply weaken overall security for everyone.
"I will raise the need to address ongoing challenges posed by terrorists and criminals using encryption," Australian Attorney General Senator Brandis said in a joint statement.

"These discussions will focus on the need to cooperate with service providers to ensure reasonable assistance is provided to law enforcement and security agencies."
The announcement followed the U.K. government's recent statement of intent to pressure technology companies to do more to put an end to the "safe spaces" that the internet offers extremists. The country has also called for measures to "regulate cyberspace", following terror attacks in the country.

In related news, a leaked draft technical paper prepared by the U.K. government states that technology companies would be required to remove encryption from private communications and provide the raw data "in an intelligible form" without "electronic protection". However, it's not clear if the Conservatives still intend to pursue these powers after recent elections left the party with a minority government and a diminished mandate.

Last year Apple refused requests from the FBI to break the security of its mobile software, following the recovery of an iPhone used by the San Bernardino shooter. Apple argued the FBI's request would set a "dangerous precedent" with serious implications for the future of smartphone encryption. The dispute ended after the government found an alternate way to access the data on the iPhone through the help of professional hackers.

Last week, the European Union published draft proposals that would enforce end-to-end encryption on all digital communications and forbid backdoors that enable law enforcement to access private message data. If ratified, the law would put the EU at odds with both the U.S. and U.K. intelligence communities.


Russia Threatens to Ban Encrypted Messaging App Telegram

Russia has threatened to block access to the Telegram messaging platform unless the company that runs the app provides more information about itself (via Sky News).

The head of communications regulator Roskomnadzor, Alexander Zharov, said repeated efforts to obtain the information had been ignored by the company and warned that "time is running out" for the app.

"There is one demand and it is simple: to fill in a form with information on the company that controls Telegram," Zharov said in an open letter. "And to officially send it to Roskomnadzor to include this data in the registry of organizers of dissemination of information. In case of refusal… Telegram shall be blocked in Russia until we receive the needed information."
Telegram's non-response appears to be down to the repercussions of handing over the requested details: Doing so would effectively add it to the state regulators' registry, which would require it to retain users' chat histories and encryption keys and share them with authorities if asked, according to Russian news agency TASS.

The demand isn't the first time the Russian founders of Telegram – Kremlin, Nikolai and Pavel Durov – have failed to comply with state requests. In 2014, the Durovs refused to turn over data on Ukrainian users of Vkontakte, a social network they also set up together.

Telegram claims to split its encryption keys into separate data centers around the world to ensure "no single government or block of like-minded countries can intrude on people's privacy and freedom of expression".

According to the group's policy, it can only be forced to hand over data if "an issue is grave and universal enough to pass the scrutiny of several different legal systems around the world".


Swiss Encrypted Email Provider Launches ProtonVPN With Free Subscription Tier

Encrypted email provider ProtonMail today launched its own VPN service called ProtonVPN, which includes a free user tier in its pricing plan.

The Swiss-based company said it had been testing its VPN service for four months with the help of over 10,000 members of the ProtonMail community, and the group was ready to make ProtonVPN available to everyone starting Tuesday.


The Proton group said they were motivated to create ProtonVPN to combat increased threats to online freedom, such as the recent repeal of Obama-era rules designed to protect consumer internet browsing history, calls by British Prime Minister Theresa May for increased online surveillance, and the attempts by the U.S. FCC to dismantle net neutrality.
"In the past year, we have seen more and more challenges against Internet freedom," said ProtonMail Co-Founder Dr. Andy Yen, "now more than ever, we need robust tools for defending privacy, security, and freedom online.

"The best way to ensure that encryption and privacy rights are not encroached upon is to get the tools into the hands of the public as soon as possible and widely distributing them," said Yen. "This is why, as with ProtonMail, we're committed to making a free version of ProtonVPN available to the world."
The group says it has worked to make the best possible VPN service by addressing many of the common pitfalls with existing VPNs. Features therefore include a Secure Core architecture that routes traffic through multiple encrypted tunnels in multiple countries to better defend against network-based attacks, a no-logs policy backed by Swiss law, as well as seamless integration with the Tor anonymity network. Headquartered in Switzerland, the VPN is also outside of E.U. and U.S. jurisdiction and is not a member of the fourteen eyes surveillance network.

The free tier includes servers in three countries and usage on one device, but bandwidth speeds cannot be guaranteed. The Basic tier costs $4 a month (billed as $48 a year) and includes access to all 112 ProtonVPN servers across 14 countries, high speed bandwidth, and usage on up to two devices, while the Plus tier ($8 per month/$96 per year) offers the highest bandwidth, connection on up to 5 devices, Tor servers, and access to Secure Core data networks hosted in Switzerland, Iceland, and Sweden. The Highest tier ($24 a month/$288 a year) includes a ProtonMail Visionary account.

ProtonMail began crowdfunding in May 2014 and launched in March 2016, led by a group of scientists from CERN and MIT who aimed to deliver an easy-to-use end-to-end encrypted email service with freely available open source code. Earlier this year, the team launched a Tor-based site to make ProtonMail available to users in regions under the oppression of strict state online censorship.


EU Proposes Enforcing Data Encryption and Banning Backdoors

The European Parliament's Committee on Civil Liberties, Justice, and Home Affairs has published draft proposals that would enforce end-to-end encryption on all digital communications and forbid backdoors that enable law enforcement to access private message data.

The proposed amendment relates to Article 7 of the EU's Charter of Fundamental Rights, which says that EU citizens have a right to personal privacy, as well as privacy in their family life and at home. By extension, the "confidentiality and safety" of EU citizens' electronic communications needs to be "guaranteed" in the same manner.

Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication.

The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and messaging provided through social media.
The regulation states that the disclosure of contents in electronic communications may reveal highly sensitive information about citizens, from personal experiences and emotions to medical conditions, sexual preferences and political views, which could result in personal and social harm, economic loss or embarrassment.

In addition, the committee argues that not only the content of communications needs to be protected, but also the metadata associated with it, including numbers called, websites visited, geographical location, and the time, date, and duration of calls, which might otherwise be used to draw conclusions about the private lives of persons involved.

The regulations would apply to providers of electronic communication services as well as software providers that enable electronic communications and the retrieval of information on the internet. However, the amendment goes further by stating that the use of software backdoors by EU member states should be outlawed.
When encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited.  

Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.
The proposals appear to have been tabled in response to comments made by EU member states such as the U.K., which has argued that encrypted online channels such as WhatsApp and Telegram provide a "safe haven" for terrorists because governments and even the companies that host the services cannot read them.

The U.K. home secretary Amber Rudd recently claimed that it is "completely unacceptable" that authorities cannot gain access to messages stored on mobile applications protected by end-to-end encryption. A draft technical paper prepared by the U.K. government was leaked shortly after Rudd's comments, containing proposals related to the removal of encryption from private communications.

The EU proposals could also put European security policy at odds with federal legislators in the U.S., who recently called on technology companies to compromise the encryption built into their mobile software. Last year, Apple and the FBI were involved in a public dispute over the latter's demands to provide a backdoor into iPhones, following the December 2015 shooter incidents in San Bernardino.

Apple said the software the FBI asked for could serve as a "master key" able to be used to get information from any iPhone or iPad - including its most recent devices - while the FBI claimed it only wanted access to a single iPhone.

The European Union proposals have to be approved by MEPs and reviewed by the EU council before the amendments can pass. It remains unclear how the laws would apply in the U.K. after Brexit, initial negotiations for which begin on Monday. 
