Category Archives: Mac

Infosec highlights – October 5, 2016

Cryptocurrency-mining malware known as Mal/Miner-C is targeting specific Seagate Central Network Attached Storage (NAS) devices. The malware locates the devices when they’re exposed to the Internet and installs a special file in a public folder. Unwary users try to open the file, which installs the malware on their Windows computer. Once installed, the malware uses available resources to mine the Monero cryptocurrency. There are about 7000 of these devices globally.

It’s standard practice to tell users to lock their computers when they walk away from their desks. A locked computer presents an obstacle to anyone with physical access who’s interested in poking around or stealing data. But in reality, once someone has physical access to a computer, there are ways to gain full access, even when that computer is locked. Now there’s a new technique that simplifies this task. A specially set up thumb drive is inserted in the target computer (Mac or PC), and 20 seconds later, the intruder has valid login credentials in their hands.

Two Factor Authentication (2FA or MFA) is an increasingly common way to bolster your security when using Internet-based services and web sites. It adds a second step to the login process, which usually involves entering a special code. Many sites and services that offer 2FA send codes to your registered cell phone via SMS text messages. Unfortunately, that specific method (codes via SMS) can be co-opted by attackers who already have your password (which is increasingly likely with all the recent breaches). If you’re using SMS text for 2FA, you should look into more secure methods. Google Authenticator generates temporary, time-limited codes using an app on your smartphone. Duo Security has an app that receives special ‘push’ messages from the site you’re trying to access, and all you have to do is click a button on your cell phone to get in.

Bruce Schneier wants everyone to stop blaming the user for security problems and create systems that are more inherently secure. As things are today, the user gets most of the blame when something goes wrong. Clearly, using weak passwords, re-using passwords, and generally being vulnerable to phishing and other manipulation point to the user as the weak link. But Schneier thinks pointing at the user isn’t helpful, especially when that link is unlikely to ever change. Instead, he wants to limit the involvement of the user and create fewer security pitfalls. He points to current efforts along those lines, including automatic security updates and virtualization. Both are great ideas, as long as those of us on the technical side have a way to bypass them.

Security and privacy roundup for January 2016

Your devices are talking about you

You already know that your web browser is tracking your activity. You are probably also aware of ‘The Internet of Things’ – the increasing prevalence of devices that are connected to the Internet – and you recognize that any such device can also track your activities. Bruce Schneier reveals the next step in this evolution: enabling devices to share information about you. Of course, since the goal of all this surveillance is merely better-targeted advertising, most people are unlikely to care. Still, if privacy and control are important to you, this will not be welcome news.

Brian Krebs reminded us that ransomware can affect files in your cloud storage space as well as on your physical computer and network-connected devices.

A summary of software vulnerabilities over at VentureBeat shows Mac OS X topping the list for 2015. Microsoft’s security efforts seem to be paying off: the highest-ranked version of Windows on the 2015 list is Windows 8.1 at number 10, with fewer than half as many vulnerabilities as OS X.

Serious vulnerabilities were discovered in OpenSSH (a very commonly used secure terminal client), OpenSSL (the ubiquitous security library), and Trend Micro antivirus software.

Vulnerabilities in the Linux kernel (affecting Android phones and Linux PCs) remain unpatched on many affected devices.

Google produced more patches for vulnerabilities affecting Android devices, but as always, the patches are finding their way to devices very slowly.

The very weak hashing functions MD5 and SHA1 are still being used in HTTPS encryption in some contexts.

It’s official: your smart TV can become infected with malware.

Network devices made by Juniper and Fortinet were found to contain serious vulnerabilities, including an NSA-developed back-door function and a hard-coded back-door password.

The free-to-use deep search tool Shodan made the news when researchers showed that it can be used to find household cameras, including baby-cams. Note that the problem here is not Shodan, which is just a useful search tool. The problem is the failure to properly secure Internet-connected devices.

There were more serious corporate security breaches in January, at Time Warner and Linode. As usual in these cases, the login credentials of subscribers were obtained by the attackers.

Amazon’s security practices were (unwillingly) tested by a customer, and found seriously deficient.

More malicious apps were found in the Google Play store. Google removed those apps, but not until they were downloaded millions of times by unsuspecting Android device users.

LG fixed a critical security hole affecting as many as ten million of its mobile devices.

Security & privacy roundup for September 2015

Android made security news in September for a lockscreen bypass hack and a ransomware app designated Android/Lockerpin.A.

Passwords in the leaked Ashley Madison user database became much easier to crack, once again reminding us to avoid re-using passwords.

A rogue version of the iPhone development tool Xcode was found to have added malicious code to almost 500 legitimate apps. Those apps were published on the Apple App Store, and were subsequently installed by millions of iPhone and iPad users.

In other Apple-related news, a simple bypass of Gatekeeper, the mechanism that protects Mac OS X users from malicious software, was discovered.

This month’s Flash updates prompted Brian Krebs to take another look at Adobe Shockwave. He found that even the most recent versions of Shockwave still contain very out of date versions of Flash, and strongly recommends that you remove Shockwave from all your computers.

A series of exploits against the Imgur and 8chan sites caused little damage, despite their enormous potential. The true goals of the hack are still in question, and the associated vulnerabilities on the affected sites have been fixed.

A researcher discovered several serious vulnerabilities in popular security software from Kaspersky Labs. While there’s no evidence of exploits in the wild, this is rather alarming. Anti-malware software typically has access to core system functionality, making working exploits very valuable to attackers. Kaspersky Labs acted quickly to fix the bugs, but this isn’t the first time security software has been found vulnerable, and likely won’t be the last.

A new botnet called Xor.DDoS is using compromised Linux computers to perform DDoS attacks against a variety of web sites, probably at the request of paying customers. The Linux computers hosting the botnet appear to have been compromised via weak root passwords. So far, most of the targets are in Asia. This marks a shift in platform for botnet developers, who previously focused almost exclusively on Windows.

FREAK vulnerability affects Windows, Mac, mobiles

It’s been about two weeks since the FREAK vulnerability was first reported. The flaw itself has existed for at least ten years, and we now know that it affects mobile devices, Mac OS X, and Windows.

From the related US-CERT alert:

FREAK (Factoring Attack on RSA-EXPORT Keys CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.

Google has released an updated version of its Android OS and Chrome browser for OS X to mitigate the vulnerability. Microsoft has released a Security Advisory that includes a workaround for supported Windows systems.

It’s now clear that this is a teaching moment for the Internet. The FREAK flaw exists because of the ridiculous (and short-lived) insistence by the US government that encryption software designated for export be made deliberately weak. The imposed restrictions ended, but the code involved in switching between strong and weak encryption remained. This intentional weakening of encryption is similar to the kind of ‘golden key’ (back door) for which intelligence organizations are currently clamouring. The lesson: Encryption Backdoors Will Always Turn Around And Bite You In The Ass. Bruce Schneier calls this a ‘security rollback’. The Economist puts it succinctly, “…mathematics applies to just and unjust alike; a flaw that can be exploited by Western governments is vulnerable to anyone who finds it.”

Update 2015Mar19: Researchers determine that exploiting the remaining vulnerable systems is much easier than originally estimated. Thousands of iOS and Android apps are vulnerable.

Shellshock: a very bad vulnerability in a very common *nix tool

Linux and other flavours of the Unix operating system (aka *nix) run about half of the world’s web servers. Increasingly, *nix also runs on Internet-enabled hardware, including routers and modems. A huge proportion of these systems also have BASH configured as the default command interpreter (aka shell).

A serious vulnerability in BASH was recently discovered. The full extent of the danger related to this vulnerability has yet to be determined, because the bug opens up a world of possible exploits. As an example, the bug can be demonstrated by issuing a specially-crafted request to a vulnerable web server that results in that server pinging another computer.

Patches that address the vulnerability (at least partially) became available almost immediately for most Linux flavours. Apple’s OS X has yet to see a patch, but presumably that will change soon, although Apple has been oddly slow to respond to issues like this in the past.

Most average users don’t need to worry about this bug, but if you run a web server, or any server that’s accessible from the Internet, you should make sure your version of BASH is updated.
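Two checks that follow from the advice above, as an added example that is not part of the original post: a self-test of a local bash binary using the widely published environment-variable probe (the same kind of test the distributions used when shipping their patches), and a count of web-server log lines that carry the function-definition prefix a request triggering this bug has to include. The bash path, the log format (combined format with the User-Agent as the last quoted field) and the sample log lines are assumptions and constructed data.

```shell
#!/bin/sh
# Added example (not from the original post). Two checks an administrator
# can run after reading about the Bash bug above:
#   shellshock_status BIN     -> "vulnerable" | "patched" | "no-bash"
#   shellshock_log_hits FILE  -> number of access-log lines carrying the
#                                "() {" function prefix the bug is triggered by
# Assumptions: BIN defaults to whatever "bash" is on PATH; the log uses the
# common combined format with the User-Agent as the last quoted field.

shellshock_status() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # The probe exports a variable whose value looks like a function
    # definition followed by an extra command. A fixed bash imports only the
    # function (or nothing at all); an unfixed bash also executes the trailing
    # command while starting up, so the marker shows up in the output.
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

shellshock_log_hits() {
    # Unreadable or missing log: report zero rather than failing.
    [ -r "$1" ] || { echo 0; return 0; }
    # -F: literal match, so the parentheses and brace are not regex syntax.
    # grep -c prints 0 and exits non-zero when nothing matches; "|| true"
    # keeps that from aborting a caller running under "set -e".
    grep -cF '() {' "$1" 2>/dev/null || true
}

make_sample_log() {
    # Constructed sample lines, not real traffic. The second request carries
    # the prefix in its User-Agent string; the other two are ordinary.
    f=$(mktemp)
    cat >"$f" <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "-" "() { :; }; /bin/ping -c 1 198.51.100.7"
203.0.113.5 - - [25/Sep/2014:10:02:11 +0000] "GET /about.html HTTP/1.1" 200 800 "-" "curl/7.37.0"
EOF
    echo "$f"
}

# Stand-alone use: report on the local bash, then scan the sample log.
echo "local bash: $(shellshock_status bash)"
log=$(make_sample_log)
echo "suspicious requests in sample log: $(shellshock_log_hits "$log")"
rm -f "$log"
```

On a real server, point shellshock_log_hits at the actual access log and treat any non-zero count as a reason to confirm the bash version and look at what those requests asked for.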

As new information emerges, I’ll post updates here.


Update 2014Sep27: The first patch for BASH didn’t fix the problem completely, but another patch that does is now available for *nix systems. Still nothing from Apple for OS X. Scans show that there are thousands of vulnerable web servers on the Internet. Existing malware is being modified to take advantage of this new vulnerability. Attacks using the BASH vulnerability are already being observed. Posts from Ars Technica, Krebs on Security and SANS have additional details.

Update #2: It looks like there are more holes to be patched in BASH.

Update 2014Oct01: Apple releases a bash fix for OS X, more vulnerabilities are discovered, and either attacks based on bash vulnerabilities are increasing or attacks are subsiding, depending on who you ask.

Update 2014Oct08: Windows isn’t affected, unless you’re using Cygwin with bash. Oddly, Apple’s OS X bash patch is not available via the App Store; you have to obtain it from the main Apple downloads site. A security researcher claims to have found evidence of a new botnet that uses the Shellshock exploit.

Update 2014Oct23: Ars Technica: Fallout of Shellshock far from over

Extremely critical security flaw may affect Macs

Apple recently patched a critical vulnerability in iOS, the operating system that runs all iPhones. Now it appears that the same flaw may affect all Macs running OS X as well. So far there is no official confirmation from Apple, but security experts are warning Mac users to avoid using public networks until we know more.

Update 2014Feb24: Apple released a patch for iOS that fixes this flaw on iPhones. Meanwhile, it looks like the flaw does affect Macs (OS X). A security researcher at ImperialViolet has created a proof-of-concept test page (no longer functional). Steer your Mac web browser to that page; if you get an error message, your browser is not affected by the flaw. Vulnerable Mac browsers will see a message to that effect. Tests on my own Mac show Safari as vulnerable, while Firefox is not.

Update 2014Feb25: TechDirt has an amusing article on the surprising lack of information coming from Apple. There’s a general sense of dissatisfaction with Apple, and increasing clamour for information – any information – on how this issue affects Macs.

Update 2014Feb26: Apple has released an update for OS X that addresses this issue. OS X 10.9.2 includes several other security fixes and bug fixes.

Operating System and browser use statistics

Ars Technica recently posted an interesting summary of usage stats for operating systems and web browsers on desktop, laptop, and mobile computing platforms.

Here are a few highlights:

  • Almost half of all computers are running Windows 7, and a third still run Windows XP.
  • Internet Explorer is used on over half of all computers.
  • There is still a sizable population of computers running Internet Explorer 6.

Latest Ouch! newsletter: personal backups

This month’s Ouch! newsletter (warning: PDF) from SANS explains the importance of backups. Well worth reading, especially if you aren’t currently at least backing up your data. If you’re not sure whether you’re making backups, then I strongly recommend that you read this.

For my computers, I use a combination of techniques for backup. But the key component in my backup system is a set of tasks that run nightly, using Cobian Backup (Windows freeware) to back up data to an external hard drive.

Mac Mini: first impressions

I’ve been using the Mac for a little over a week now, and in general, it’s pretty slick. Before Apple made the move to a Linux-based operating system with OSX, I had little use for Macs. The UI was clunky at best, and the inability to multitask was a show-stopper.

Disclaimer: I access the Mac via a KVM switch, using a multi-button mouse and a professional Windows keyboard with mechanical switches. But more often, I use the Mac through a VNC connection from my main Windows PC.

Keyboard issues

Because I’m not using a Mac keyboard, I had to figure out how to press Mac-specific keys, but that turned out to be easier than I expected. OSX recognizes different keyboards and maps keys appropriately. For instance, when accessing the Mac directly, the Alt key works as the Option key, the Control key is the Command key, and the Windows key is the Apple key.

The biggest problem I had with the keyboard was the Home and End keys. On Windows, those keys move the cursor to the beginning and end of a line, respectively. On a Mac, they move the cursor to the beginning and end of the document, respectively. This messed with my motor memory in a big way, and I looked at a variety of remapping solutions. Eventually I was able to fix this by creating the file ~/Library/KeyBindings/DefaultKeyBinding.dict and adding these lines:
{
    /* The whole file is one dictionary, so the bindings sit inside braces */
    /* Remap Home / End to be correct :-) */
    "\UF729" = "moveToBeginningOfLine:"; /* Home */
    "\UF72B" = "moveToEndOfLine:"; /* End */
    "$\UF729" = "moveToBeginningOfLineAndModifySelection:"; /* Shift + Home */
    "$\UF72B" = "moveToEndOfLineAndModifySelection:"; /* Shift + End */
    "^\UF729" = "moveToBeginningOfDocument:"; /* Ctrl + Home */
    "^\UF72B" = "moveToEndOfDocument:"; /* Ctrl + End */
    /* Remap Ctrl-left/right to go to previous/next word */
    "^\UF702" = "moveWordLeft:";
    "^\UF703" = "moveWordRight:";
}

Update: This solution for the Home and End keys seems to work for all applications, with one exception: Firefox. I reported the problem on Mozilla’s Bugzilla site as Bug #918859.

Another keyboard problem I’ve run into is that the Enter (Return) key works differently on the Mac. In Windows dialogs and Explorer, Enter opens the currently-highlighted item. If it’s a folder, the folder opens; if it’s a file, the file opens. Makes sense to me, and it’s something I do all the time. Oddly, on the Mac, Enter renames the highlighted file or folder. I haven’t found a permanent solution to this, so in the meantime I’m trying to remember to use Alt-O (Command-O) to open folders/files from the keyboard.

One final keyboard difference worth noting is the fact that there is no Insert key on the Mac. On Windows, this key toggles between insert and overtype modes. On the Mac, you’re always in insert mode.

No single-button mouse for me

I’m glad I can use my multi-button mouse. Again, I’m just so accustomed to right-clicking UI elements to show context menus that I would have a hard time changing to the Apple approach, which is to hold down the Control key and click the (only) mouse button.

Installing open source software

I recently moved all my public-facing services onto a new, powerful Linux computer. Almost all of my work with the Linux server happens at the command line. I don’t find either of the graphical UIs most commonly used on Linux (KDE and Gnome) all that compelling. In any case, I’m now comfortable using the APT system to install and manage open source software packages in Linux, so I was surprised to find nothing similar on the Mac. A bit of research led me to a tool called ‘Homebrew’; having installed this software, I can now download and install software using the ‘brew’ command, which is similar to APT.

Remote access with VNC

Although my KVM works well with the Mac, I find it more convenient to use remote control software. This allows me to continue to use my Windows machine as my primary work environment while providing quick access to the Mac. OSX includes a VNC server, but it’s disabled by default. Enabling it is a simple matter of going to the Sharing panel in System Preferences, putting a checkmark next to Remote Management, assigning the users who should have access, and configuring access (click the Options button). There are numerous VNC client software packages available. I’m currently using TightVNC, which was simple to set up and seems to work reasonably well. Just point your VNC client at the name displayed on the Remote Management settings page on the Mac to connect.

Remote login with SSH

I’m accustomed to accessing my Linux server via the command line using SSH. This also works for the Mac, but again it has to be enabled first. To do that, again go to System Preferences. Put a checkmark next to Remote Login, and assign the users who should have access. Connect using an SSH client like PuTTY.

Miscellaneous Mac weirdness

One thing that has always bothered me about the Mac is that closing an application’s windows doesn’t close the application itself. Well, usually. That’s part of the problem: there’s no consistency to it. Some apps close when you close their last open window, and some don’t. A very odd design choice in any case.

Now about those three little buttons at the top left of windows: there’s a close button (the red ‘X’), a minimize button (the yellow ‘-’), but what does that third button do? It’s a green ‘+’, so one might reasonably expect it to maximize the window, right? But sometimes it does, and sometimes it doesn’t. Weird.

One final bit of weirdness is the way icons work. When you click an icon, for example on the desktop, you see a nice square frame around the entire icon, regardless of the shape of the icon’s image. This encourages a belief that the Mac understands that the shape and size of the icon’s image is not important in terms of selecting (or double-clicking) the icon. That belief is erroneous. In fact, if an icon’s image has any transparent ‘holes’, you cannot select the icon by clicking on any of the holes. As a result, some icons are easier to select than others, and trying to select an icon with a lot of transparent areas can become an exercise in frustration. On Windows, clicking anywhere inside the square boundaries of an icon selects it.

Must-have free desktop software for the Mac

(cricket chirping)

Seriously. Most of the desktop software I use on my Windows PC is free or open source. That’s relatively rare on the Mac, at least in my (admittedly limited) experience. I guess there’s a general understanding that Mac owners have money to burn. The App Store doesn’t even allow sorting or filtering search results by price.

My new Mac Mini

One of my consulting clients is developing iPhone/iOS apps. I’ll be helping out with testing, deployment, and probably some development. To that end, the client has provided a Mac Mini.

I’ve used Macs before. I even started a blog about my experiences with a new Mac way back in 2004. Some of my earlier observations may still be valid; others may not. In any case, I plan to post anything interesting/cool/weird/annoying that I discover about the new Mac. I’ll try not to let my Windows bias show through, but I can’t guarantee anything.