Tuesday, 23 January 2018

Fresh Sophos home for Mac install via TeamViewer Gotcha

17:17 Posted by G No comments
After much pulling of hair, and wondering what I was missing, it turns out that Apple changed the permissions for remote installs in macOS 10.13 (High Sierra) of software that installs kexts (kernel extensions).

Anyway, I'm sure that, as anyone who happens to have IT in their job title knows, one becomes the default tech support for the whole family. This is exacerbated at Christmas by 'could you just have a quick look at...'

Anyway, I was checking the father-in-law's Mac, and to save time I was using TeamViewer so I could do it from the comfort of my own home. All was going well: I downloaded Sophos Home for Mac, got to the final stage of the install, and needed to 'apply' a setting in System Preferences.

I could see it via TeamViewer, but whatever I tried I couldn't click it!

After many different approaches, like most men I finally resorted to RTFM and found the following on the Sophos website: https://community.sophos.com/kb/en-us/127413

Here's the text from the advisory:

Due to a new security mechanism that Apple has released with MacOS 10.13, called Secure Kernel Extension Loading (SKEL), all non-Apple kernel extension (what we use to intercept files, etc) vendors must be manually added to a trusted list (Any user can add this). This allows the kernel extensions to load and is required for Sophos Anti-Virus to function properly. All 3rd party vendors are impacted by this change, and it is not possible to work around this requirement.
Note: Due to an Apple security restriction, this cannot be done via a remote desktop connection. There must be a locally logged on user. The Allow button will show, but be grayed out if it is accessed via remote desktop.
  1. After installing Sophos Anti-Virus go to Security & Preferences in the Apple System Preferences window.
  2. Near the bottom of the window, it will list the blocked Kernel Extensions (kexts) by Sophos. Click Allow.
Once authorized, all future Sophos kernel extensions are allowed, even after uninstallation.  This step is not needed again on a reinstall. Kernel extensions already installed during an upgrade from MacOS 10.12 are automatically authorized.
So after a quick call to the father-in-law, and him pressing 'Apply' locally at the appropriate moment, all is good. Hope this saves you some time and heartache, fellow family IT support!
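If you want to know before the phone call whether the local click is still needed, the SKEL approval state can be read from a remote shell. The script below is an added example, not from the post or from Sophos; it assumes the approval list lives in the SQLite database /var/db/SystemPolicyConfiguration/KextPolicy (root-readable) with a kext_policy table holding team_id, bundle_id and allowed columns, and the Team IDs shown are constructed placeholders, not Sophos's real one.

```shell
#!/bin/sh
# Check whether a third-party kext vendor (by Apple Team ID) is already
# approved under Secure Kernel Extension Loading on macOS 10.13+, so an
# admin on a remote session knows whether a locally logged-in user must
# still click Allow in System Preferences.
# Assumption: SKEL stores approvals in this SQLite DB / table layout.
KEXT_POLICY_DB=/var/db/SystemPolicyConfiguration/KextPolicy

# Parse rows of the form "team_id|bundle_id|allowed" and succeed (exit 0)
# only if some row for the given Team ID has allowed=1. Kept separate from
# the live query so it can be exercised on constructed input off-box.
kext_allowed_in_rows() {
  team="$1"
  rows="$2"
  printf '%s\n' "$rows" | awk -F'|' -v t="$team" '
    $1 == t && $3 == "1" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Live query (macOS only, run as root). Output matches the parser's format.
query_kext_policy() {
  sqlite3 -separator '|' "$KEXT_POLICY_DB" \
    'select team_id, bundle_id, allowed from kext_policy;'
}

# Report the approval state for one vendor Team ID; returns 1 if not
# approved and 2 if the policy DB cannot be read on this host.
check_vendor() {
  team="$1"
  if [ "$(uname)" = Darwin ] && [ -r "$KEXT_POLICY_DB" ]; then
    rows=$(query_kext_policy)
  else
    echo "not macOS or $KEXT_POLICY_DB unreadable; nothing to check" >&2
    return 2
  fi
  if kext_allowed_in_rows "$team" "$rows"; then
    echo "team $team approved: its kexts load without a local Allow click"
  else
    echo "team $team NOT approved: a locally logged-in user must click Allow"
    return 1
  fi
}

# Constructed sample rows (placeholder Team IDs) for off-box testing.
SAMPLE_ROWS='ABCDE12345|com.example.vendor.kext|1
ZZZZZ99999|com.example.other.kext|0'
```

Run check_vendor with the vendor's Team ID as root on the target Mac; on any other host it only reports that there is nothing to check.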

Patching cadence becomes a thing

16:05 Posted by G No comments
I recently wrote on the Hiscox London Market Blog (with the help of the excellent Simon Challis) about the Meltdown / Spectre vulnerabilities in CPUs (article is here). Two immediate things: firstly, it shouldn't be a popularity contest for which bugs have the nicest logo and website, and secondly, most of my thoughts are reflections of Kevin Beaumont, who I think is one of the most incisive commentators on IT security (and suitably irreverent at the same time).

image from Corax website

So what's the big deal? Well, nothing really. These vulnerabilities have the potential to be a really big deal, but at the moment they're just not. That doesn't by any means mean you should rest easy, and certainly after careful testing you should apply (if safe to do so) all the relevant patches.

What interests me most is how this is changing patching from a boring but necessary (and often neglected) back office task into something that the board, and soon investors, will be taking notice of. The race is on: can enterprises patch before malware authors come up with a remote way to exploit these newly discovered vulnerabilities?

What makes this even more interesting is that it's now easier to watch this battle from the sidelines. A new industry has sprung up to measure cyber risks.

There are the pure risk scoring players such as BitSight and FICO, but also a new breed of insurance startups premised on cyber risk scoring and aggregation, such as Cyence (recently acquired by Guidewire), CyberCube (recently spun off by Symantec) and Corax.

How long before the board asks for their own risk score, or, during M&A discussions, a company's risk score is one element considered before financial investment?

If you're interested in learning more about cyber insurance, here's a link to a BBC article in which I'm quoted.