Ntiva Live: Apple for Business

Silver Sparrow, Big Sur Security, & USB Accessories
February 23, 2021

Episode Overview

In this episode, we discuss Silver Sparrow and the frustrations of USB variants. We'll talk about:

  • What Silver Sparrow is, and how to find it on your machine
  • USB-C expanders and docks, allowing you access to more ports
  • Security and Privacy settings for apps like Zoom and Teams
  • Big Sur 11.2.1 updates and bug fixes

Episode Transcript

Ben:

It's Tuesday, February 23rd. This is the Ntiva Live Apple for Business broadcast. Thanks for joining us. We've got a full crowd here. We've got Chad Calease, Michelle Charles, Wyatt Russell, and we've got Holly from Ntiva who set this all up for us and we're still working out the bugs. And I apologize for all the changes. I know we keep moving platforms, and this is the platform going forward. Everyone does need to register. That'll make it easier for you to get the recordings and easier for us to improve something that's not changing so much, and tips and tricks for anyone who does use a green screen chat.

Ben:

I know you have one and I have one I occasionally throw up. Don't wear a green sweater if you're trying to work in front of a green screen, because it just causes all sorts of problems. Today we're going to talk about something that we had not planned on talking about, but it came up in the news so we can't really ignore it. And that is the malware on the Mac that is known as Silver Sparrow. So Chad, do you want to take it from here?

Chad:

Yeah, sure. I'd be happy to. Well, first of all, we have to give a shout out to our friends at Malwarebytes and Red Canary too, for that matter, who've done an incredible job, synthesizing this as quickly as possible. It's not easy to put something like this together on short notice, right? Obviously, because it's brand new and it's novel, and no one's really seen this sort of thing before. And so this-

Ben:

Chad, this was announced, what Friday night or Saturday morning? When did it come out?

Chad:

Well, in some way, shape, or form, we started seeing it around December. The C&C, all the infrastructure that they use to control the malware, those domains were registered in August and December respectively. So, we know that there has been some planning for some time, but all of the infections that anyone might see are very, very recent. So we know that.

Ben:

But publicly in the news, it hit-

Chad:

In the news, no. Outside of the security research community, no. It has really just come to light for the mainstream. This is what we know about it. I give a shout out to Thomas already. So we know that the malware's installed by a package file or PKG file by these names. We don't know how it's delivered. There's a lot of speculation right now, whether it's a web plugin, browser plugin, or just a malicious link that's sprayed out in a phishing campaign. We don't know. We continue to collect a lot of information. The lifecycle is interesting. It uses JavaScript as an installer, which is pretty unique. And in the wild, this is... We're going to blaze through this. It's just a summary. If you have any deeper questions about this, you can feel free to reach out to us. But these are the detections by country. So you can see that the US is definitely one of the more targeted regions.

Ben:

And Chad, these detections, these are all from Malwarebytes? These are records from Malwarebytes?

Chad:

Yeah. The majority of them.

Ben:

[crosstalk 00:03:23]

Chad:

It's aggregated from multiple... They find about 30,000 infected machines in the wild so far, which is a lot. That's a lot of Macs. We haven't seen it for any of our clients. We don't have any detections yet. The detections have improved, which is excellent. But these are some of the indicators of compromise. And that means if any of these files or these directory paths exist on a machine, then it's likely that you've been compromised. Or maybe not. A lot of this, especially this one, this is worth looking at, this ._insu directory, which tends to wipe out the rest of the traces of that. But it leaves... Of course this is all today.

Ben:

Yeah.

Chad:

This could all change tomorrow afternoon. Right.

Ben:

And Chad, just to be clear, these are all directories that nobody would ever go into intentionally?

Chad:

Nobody would ever go into these. Right.

Ben:

There's no reason to go in here. I don't even recommend you go in here unless you're specifically looking to see if you might have Sparrow. If you are running Malwarebytes, Malwarebytes does look for this, right, and remediate against it? Okay.

Chad:

That's right. Yep.

Ben:

So, we encourage Malwarebytes. We have it running on our own computers. We have it running on many of our client computers. Anyone who's not running Malwarebytes, if you are in our management system, we are going to look for these files to see if they exist or not. And if they do, we'll be contacting you. We still encourage you to run Malwarebytes. It's faster to find these things and remediate against these things and protect against these types of things.

Chad:

Instantly. Yeah. Right. Yeah. Absolutely. There's one more thing to note about this, is it's currently not doing anything.

Ben:

Mm-hmm (affirmative).

Chad:

All right. It's not unleashing some malicious payload or anything like that. And that's what's particularly interesting. So it could be just a new framework to deliver adware, which we're all very familiar with. And it should help us all take those infections more seriously. Historically, we've ignored adware, like, "Oh, it's just adware. It's just a nuisance." But it's becoming more and more a gateway for things that are a little more serious.

Ben:

Yeah. And the point is, you don't want something unknown running on your computer, but that's not what anyone wants. You only want authorized software running. And in fact, Apple did revoke the certificate for this.

Chad:

They did.

Ben:

Yeah. Which means-

Chad:

Which is great, but it leaves the door open for more. Right? If they got through those tollbooths once, it's pretty trivial to get through them again, which is all the more reason to have endpoint protection on your Mac.

Ben:

Yeah. Yeah. Well, I'm sorry that this came up because it's a chicken and egg thing. We know the potential for this stuff is out there. That's why we run Malwarebytes. And in fact, every time we install Malwarebytes on an organization's fleet of Macs, we find something.

Chad:

Always.

Ben:

And most of the time, it's pretty harmless, as you said, adware stuff. Adware, that stuff that hijacks your browser, and every time you go searching for something that redirects you, not to Google, but to some other search engine and tries to ratchet up some ad clicks and benefit the person or organization that convinced you to install the adware. That's most of what we find. But the Mac is a growing target because it's growing in popularity. And so we know we have to be prepared for this stuff and we have to be prepared to respond faster. And that's why we do recommend endpoint protection. And Malwarebytes is our choice. We do have clients, especially in large enterprise organizations where they have teams of people who can monitor this using other solutions that may be just as good. But for most of our clients, especially small businesses, Malwarebytes is a great tool. So if you're not running it, let us know. Anything else we want to add about Sparrow, other than [crosstalk 00:07:30].

Chad:

We'll keep you up to date.

Ben:

We know what it does, we just don't [crosstalk 00:07:32].

Chad:

That's unfolding.

Ben:

We just don't want them on our machines.

Wyatt:

I have a question for Chad. So Chad, I guess the disconcerting thing for the tinfoil hat me. I'm not wearing it today, for the webcast. I only wear it when I'm not on camera. I guess what was disconcerting about this is that it doesn't seem to have an apparent payload to it. Right? And I guess the question is why would the bad actors show us this method of getting in if there's no payload? Is it kind of a "here's what we could do" kind of thing? [crosstalk 00:08:09] Obviously we don't know, but-

Ben:

Right. Yeah. I think the point is we don't know. And will we ever know? Maybe, once they investigate this further. Or not.

Chad:

It's possible.

Ben:

You just don't want something unknown running on your computer. So Apple's on it. Malwarebytes is on it. There's lots of people in the community that are tracking it.

Chad:

We'll keep you posted.

Ben:

Any other shout outs, Chad?

Chad:

Red Canary. Those folks. Katie and Tony over at Red Canary are fantastic. They had a webinar on Twitter yesterday, a live Q and A, which was fantastic. Not a lot more info, but certainly it's an amazing community. And Malwarebytes is great because they're Apple focused. It's an Apple team behind it. That's not often the case. Some of the other providers are quickly catching up, for sure. But yeah, that's all I got for today. Thanks.

Ben:

Well, thanks, Chad. And that leads into something we were going to talk about if we had time, but maybe we should talk about it now. And that is Apple's security and privacy settings. Apple has become more strict over the last few years, starting with, I think, it was 10.14, where they started to tighten the security and privacy settings on macOS. And that caused a lot of frustrations for a lot of people, including our own team, including me as a user. But this is a good example of why they're doing that. We have to have these roadblocks to try to keep bad actors off of our machines. And even when Apple does that, this still got on a machine. So these security and privacy settings, as much as they annoy me, they're there for a good reason.

Ben:

And let's talk about security and privacy just for a minute. And sorry, Wyatt, I know we brought you on here to talk about something else.

Wyatt:

Oh Ben, no, please don't apologize. While you are pointing that out though, I will note that a lot of our users are picking up how to get into security and privacy and how to allow applications in there for microphone use, camera use, screen recording, aka screen sharing. Seems like that's catching on. So that's really good to see.

Ben:

Yeah, this is something we've been working on communicating endlessly, I feel like for the past couple of years. And I'm running Big Sur, which is 10.11, I've only been running it since 11.2 was released. No sooner did I install it, and Apple released 11.2.1, which is a bug fix for Big Sur. And, typically, traditionally we don't start recommending this to clients until we see .4 release. There's still more releases to come. The beta has already been released for 11.3. We should be seeing that soon. So if you're not running Big Sur at work, that's understandable. I'm not sure that you should be, unless there's a real business use case for it. Or if you bought a new machine that shipped with Big Sur.

Ben:

So just because I'm running it, doesn't mean everyone should be running it. We're testing it, trying to figure out what the issues are with it. But one of the big issues, whether you're running 10.15, 10.14, or even Big Sur, are the security and privacy settings. And I want to point out, under System Preferences, Security & Privacy, Privacy: camera, and microphone, and screen recording. Those are the big three that we get calls on.

Wyatt:

Accessibility as well, then.

Ben:

Accessibility? Okay. And you can see if I click on Accessibility, I see Teams, Microsoft Teams. I see RingCentral, I see Zoom. Screen Recording. Same three. I also see Microsoft Edge, the browser that I use. Camera. I see all the same. So any time I want to join a webinar or host a webinar or share a screen, I need to give the computer privileges to do so. Back in the old days-

Chad:

On each application, right? Not just once for each app that's requesting. So if you're in a WebEx call, you need to set those settings for WebEx. If you're on a RingCentral call, RingCentral, Zoom, et cetera. So every single platform, we need to give our attention to those settings.

Ben:

Yeah. And not just every single platform. If you join via a browser, Microsoft S for example-

Chad:

Yeah, that's a good point.

Ben:

- you're going to have to give the browser access. You join from Safari, from Chrome, from Firefox. You're going to have to give each browser access. And this is where people are getting really frustrated because they invite people, let's say, to a Zoom meeting. And Zoom, if it doesn't get authorized, it's not going to work. If it does get authorized, they think they're done. But then later they decide to join via a web browser and they have to do it again. And then they decide to use a different web browser, and then they have to do it again. So they don't understand why they have to keep doing it. And even in some cases, macOS security updates or patches can even reset some of these settings and you have to go in and do it again.

Ben:

Back in the old days, IT could just install an app and you were done with it. Today, the app can get installed by IT, but unless you have additional MDM tools, which we often do, it takes planning and coordination. We have to know you need the app. We have to install the app. We have to approve the app. If you just install it without that communication, then you have to do this. And even if you call us, we can't even do it remotely. It can only be done physically, when you're sitting at the computer. Someone has to physically click the button. And that's to protect you from somebody remoting into your machine, nefariously, and clicking on things that they shouldn't. Chad, questions?

Chad:

I think it's also designed to elevate our awareness. All right. We've never paid the collective royal. I've never really paid attention to privacy and security settings. And I think it's Apple's initiative to bring a lot more awareness to everyday people about these things.

Ben:

So I will say, it's easy to forget that we've done this, but I recently wiped my machine in order to get Big Sur on here. I wiped it and I rebuilt it. And because I rebuilt it, I had to go check all these boxes. But of course, I couldn't do it all at once because I wasn't using Zoom and RingCentral and Teams and Edge all at once. I had to do it each time I took that next step. And unfortunately, I wouldn't do it until I needed it because, we're all busy. Why would I do that? Why would I plan ahead? I would just do things. And so, I would have to share my screen and I wouldn't have privileges to do so. And I'd want to share my screen, but it would often present itself as I want to record my screen.

Ben:

I don't feel like I'm recording my screen. I just want to share it. But that's really what I'm doing. I'm giving privileges for the app to record my screen so I can share it. And so, it's a little bit confusing sometimes, but I would have to click that. And then as soon as I click it, it would say, well, you can't actually do that unless you restart the app. And that's something that's very common. What a lot of people don't know is you can say, I'll do that later. And you'll get visual sharing working, you just won't have mouse and screen control working. So you'll get enough to share your screen. You won't have enough to give someone remote control to your screen until you restart the app.

Chad:

Ben, it sounds like a lot.

Wyatt:

One thing I'd like to add-

Ben:

Yeah, it's confusing.

Wyatt:

It's very confusing. Very nice, it looks like in OS 11 here that you can manually go in and add to Screen Recording. Whereas in [crosstalk 00:16:27] Mojave, you cannot for Screen Recording. There are workarounds though. So if you need to prepare for a Zoom meeting, if you need to prepare for RingCentral, Teams, what have you, there are ways to trigger the dialog to allow it in there. And without being able to get on Ben's computer and show you that, if you go into... Let's just use Microsoft Teams as an example. If you go into preferences, you can go then into camera. And when you go to the camera preferences, it's going to trigger the camera.

Ben:

Are you talking about within Microsoft Teams?

Wyatt:

Yeah.

Ben:

Okay.

Wyatt:

Yeah, within any app. Maybe Zoom or RingCentral's a better [crosstalk 00:17:15].

Ben:

- preferences.

Wyatt:

Yep.

Ben:

Let me get my preferences.

Wyatt:

Yeah. So as soon as you go to the video, if you haven't already allowed the camera in Zoom, as soon as you click that video preference, it's going to ask you. It's going to prompt you, right then, do you want to allow it? And it's going to put it into Security & Privacy. Same with microphone. And screen-sharing is a little trickier. I like that Apple has made that a manual option here. And then Accessibility, you can also go and add that manually. That, I believe, relates to certain aspects of screen-sharing, and then a couple-

Ben:

I think, screen control maybe.

Wyatt:

A couple of other things as well. Yeah. So there are ways if you have a meeting that's coming up in Zoom or Teams, or any of these platforms, you can go into the preferences and trigger the dialogue to get those to go in.

Ben:

And that's a whole other level of confusion because you can see here that I actually don't have access to do this until I authenticate. And I have to authenticate as an administrator, in some cases, but not all cases. So depending on what area I'm in, I could add or remove devices if I'm an administrator or in some cases, if I'm a standard user. And then in other situations, I can't do anything unless I'm prompted by the application, like you mentioned.

Wyatt:

Right. [crosstalk 00:18:47] camera. That's a great example.

Ben:

There's no plus or minus button here, so I can uncheck and I can check, but I can't add or remove. And if I'm prompted, the prompt, at least in the old OS, I don't know if it's changed, it would show up here and I would approve it here.

Ben:

So there's a whole bunch of stuff that makes it super confusing. What will make it easier is if we know in advance that you, as an organization want to authorize an app, if you want to off authorize an app, we can install a profile. And these are My Profiles. And if I go find one here, Malwarebytes, for example. Malwarebytes also needs approval. I mean, Malwarebytes looks nefarious at first glance because it wants to scan your hard drive and look for problems. And if you give a bad actor access to that, then who knows what they're going to do. So if I give Malwarebytes to somebody, they're going to have to approve it before it will actually ever work. But if we plan it ahead of time, we can install what's called a profile that verifies that Malwarebytes has access to your computer.

Ben:

And so there are ways to have your team avoid all of this stuff, or at least diminish the need for it dramatically. We just have to plan ahead. So let us know if there's something that your team's getting annoyed by with these popups. We can either try to put a profile in place, or we can have an educational training session about this. So that's security and privacy. That's malware. What we wanted to talk about today, and we only have a few minutes left, but we can go over a little bit. So we wanted to talk about docks and dongles, just because it's so much fun to say docks and dongles. That's a whole lesson. I said, we want to talk about this. I don't know, are they still called dongles? We used to call them dongles back in the day, but now I think they're called adapters.

Chad:

Adapters.

Ben:

Apple frowns upon the term dongles, and we just call them adapters.

Chad:

I like adapters.

Ben:

Why did we want to talk about this? Wyatt, do you want to take it from here?

Wyatt:

Yeah. So, any Mac laptop that was produced from 2016 on has what's called USB-C to the world on it, and what Apple calls Thunderbolt 3. That makes it very difficult for you to connect anything that has USB-A, which is the rectangle you're used to seeing. USB. SD cards. Ethernet, if you want to wire your computer in. Things like that, those aren't there on those new machines. So we have a lot of clients that are getting these new computers, and then they can't connect anything. So there are options out there. And as is the case with a lot of electronics, you've got the really inexpensive stuff, and then you've got the expensive stuff. And there's not a lot in between. Personally, from what I've seen and speaking with the team on the inexpensive side of things, we like a brand called Anker. A-N-K-E-R.

Wyatt:

They generally make very reliable stuff and it's affordable. You can get docks from them or adapters, whatever you prefer. And then, there's also some higher end companies. There's a company called Sonnet. Ben actually shared the other day, a dock that's made by Sonnet. That's going to run around $200, maybe a little more. And you might want to look at a unit like that if you're really reliant on those connections. So for audio, video production, things like that, where you have to have a solid connection, you can't have that adapter or dock fail. You might want to look at getting something a little bit more expensive. If you're just connecting a printer, you want to wire your computer in, connect an SD card, most of the Anker stuff will probably do the job for you. Yeah, Chad?

Chad:

Yeah. That's a great point. Maybe you were going to answer what I was going to say, is it depends on how you use your machine too. A lot of us are spending way more time at home these days. We're not as mobile as we once were. And so then, a case like that might be more appropriate for a dock. If you're running off to, catching a train or flight, and starting to do that, then the portable ones, the Anker ones are probably a better fit.

Wyatt:

Absolutely. Yeah. I completely agree, Chad. And then, there's also a third option, which I actually utilize, which is my monitor. My monitor has USB-C connectivity. It charges my laptop and then it also has USB-A on it. So I have my webcam plugged into it, a printer plugged into it. So if you have a monitor, the tricky part here is that most monitors, AKA displays, either way you want to call them, aren't compatible with Macs in that sense. They have to have USB-C connectivity, and you really need to look at the specifications. We're happy to make suggestions. We have a few monitors that we suggest to our clients. The one that I'm using right now, I love. Ben got it for me back in the spring. Thank you, Ben. It's worked out really well. So you can use a monitor as a dock, kind of a workaround as well. Just kind of depends on what your needs are, like Chad said.

Chad:

Yeah.

Ben:

And to that point, if you're buying a display today and you run a Mac, get a display with native USB-C because you don't want to have to deal with an adapter for your display when you could just get USB-C. And then, those displays often have their own hub or features built in for additional support. I still have an old Apple display, technically an Apple Thunderbolt display. So I do have to use an adapter to get to USB-C. But once I do that, because Apple was kind of ahead of the game, as they often are, with building things into their displays. They have ethernet built in. They have USB built in. They have FireWire built in, which I don't use much anymore. But it's still a great display.

Ben:

I wish Apple still made an affordable display. Unfortunately they do not. They do not make an affordable display.

Chad:

They make displays.

Ben:

They make displays. They do not make affordable displays. I warned Wyatt that I was going to share this story, because I am a little down on docks. We cannot get by without adapters today, because Apple has streamlined to just USB-C connections, and limited ones. Some only have two USB connections. And you need one for power. So that really leaves you just one. The bigger ones have four, two on each side. And so we all need adapters today. I don't know. Way back when, docks were all the rage. And the whole idea was, you just take your laptop into the office, you dock it, and then you get access to everything, your keyboard, your mouse, your display, your external hard drive, I don't know, your headset, everything.

Ben:

And it sounded like a great concept. But I swear every single dock a client purchased would fail within six months. We got so many calls. It was always the connector was broken or they jammed the wrong connector into the wrong hole so many times it eventually failed. So I got to a point where I was really down on docks because I'm like, "You can buy one. It's not going to last very long and it's just going to frustrate you. And frankly, you're going to call me in to troubleshoot it for like four hours until I can determine that the thing doesn't work." So I was really anti-dock. Now, I think they've gotten better. Even the connectors have gotten better. USB-C is by far the most beautiful connector I've ever seen. It can go in, and you can't mess this up. Right? All the other connectors, some of them look so similar, it's easy to get upside down. And then you're like, why isn't this working? And then you've just broken it. So these are really nice connectors. And I love them.

Chad:

And the variety that's offered is pretty great. I have one, for example, that has HDMI. It has ethernet. It has a couple of extra USB ports. And so you're right. You can't plug it in wrong and they just work. It's a pretty great way to add utility.

Wyatt:

I should clarify what I mean by docks and what Ben's referring to, because when I think of a dock, I'm not thinking of what Ben's referring to, where you take your laptop and slam it in and then everything works. I'm thinking more of that Sonnet unit I was talking about, which you could think of as more of an adapter. Anker does make some docks that you plug into the side that chew up both. So if you only have... Most of our clients have four USB-C ports, two on either side. Two in the front, two over the wing, two in the back. No, I put two on either side. You can put that on there.

Wyatt:

I tend to lean to the ones that have the flexible cord on them, because let's say... Ben was talking about, if you take that dock and you chew up two of those ports, it still has a pass through for power on it, so that won't be an issue. But let's say you accidentally hit your cup of coffee on it, or bend your laptop a little bit. Those little USB-C ports, those will bend easily. And especially on some of the cheaper units, too. So we would probably encourage folks to get the ones that have the flexible cord on them. If you're not getting something like the Sonnet unit, which is by itself and that will have a cord that connects to it. I think that we all would agree to stay away from docks in general.

Chad:

Now, I'm sure they're first gen, and a lot of them haven't been around very long, but in time, to Ben's point, they are improving.

Ben:

You just have to take care of them. More and more stuff does work wirelessly. I must admit, I'm always a little hesitant because I know when you plug something in, it's just going to work. Whereas wireless can still flake out, sometimes. We've all had problems with our headsets, our Bluetooth headsets, even a Bluetooth mouse, trying to troubleshoot a Bluetooth mouse can be a real pain because it's like, well, is it the Bluetooth? Is it the battery? We got to rule some things out if it's plugged in. But pretty much, you plug it in, it works or it doesn't. But, I must say, as I get more comfortable and these products get more reliable, wireless is so nice. Isn't it?

Wyatt:

It's very convenient, and it's getting better as you say. But call me old, but I still prefer wired over wireless anything because like you're saying, it takes out all of those variables if we're trying to troubleshoot something. If it's wired, so much easier to troubleshoot than if it's wireless. And it's that balance between convenience and functionality, much like we have in the security sector, convenience and functionality. So, you as an end user have to decide, what's more important to you. And again, we're here, happy to answer questions. And suggestions. I'm happy to make suggestions on all of these units as well.

Ben:

Yeah, it's really a case-by-case. Contact us if you have any questions about connectivity or docks or adapters, and we can help you out. And yeah, unfortunately-

Wyatt:

Displays too. I didn't mean to interrupt you, Ben. Oh, and then I have one more thought, I'm sorry, on the monitors and displays. So, you can get a really high quality 1080p or 4K monitor that will work wonderfully on a Mac and charge your Mac for right around $500. If you want it, that's the sweet spot right now. Yes. You can get monitors for $200 and less, but it's really not worth it. It's worth spending that extra money. You get the dock functionality, you're going to get a better display, higher quality, better warranty, et cetera, et cetera, et cetera. So we would encourage folks to look in that $500 range, that's right around where the sweet spot is right now, at least in the 27 inch range.

Ben:

Mm-hmm (affirmative).

Wyatt:

Concessions we're happy to make.

Ben:

Yeah. In our show notes, let's make sure we get some links out about a couple of displays and adapters and docks that we have seen and we've used and we like. But it's often case by case, so just contact us if you have questions. Well, I think we did almost everything. Only two minutes over. So great job team. Holly, thanks for getting us set up with Zoom Webinar.

Ben:

And we're going to get everything working more smoothly in the future. We still have a few more accounts to set up for our panelists and our co-host. But we will see you in two weeks. And thanks for joining us.

Chad:

Thanks for listening.

About the Ntiva Apple for Business Livestream

Ntiva’s Ben Greiner and Chad Calease host the Ntiva Apple for Business livestream every other Tuesday from 12:00 to 12:30pm CT. These live events, presented by the Ntiva team of Apple experts, are sharply focused, easily digestible, and cover topics including the latest Apple/macOS/iOS technology updates, cybersecurity, data privacy, MDM and BYOD policies, and more! We take questions from the audience and share what's working—and not working—for us and others in the industry.