Friday, October 6, 2017

"Forgot Password" button reveals your actual password

from nakedsecurity.sophos.com

It’s only eight days since Apple’s latest and greatest macOS 10.13 release, better known as High Sierra.

But the first security update has already come out, and we suggest you apply it urgently.

The update is called High Sierra 10.13 Supplemental Update, detailed in the security advisory APPLE-SA-2017-10-05-1.

There are two bugs fixed; the facepalming one is described thus:

[BUG.] A local attacker may gain access to an encrypted APFS volume. If a [password] hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint.
To explain.

APFS is short for Apple File System, Apple’s new way of organising hard disks that replaces the old (but still supported) HFS Plus, a 20-year-old filing system itself derived from Apple’s Hierarchical Filing System, or HFS, that dates back to the 1980s.

By some accounts, APFS was long overdue: HFS Plus dates from classic Mac OS in the late 1990s, and wasn’t really designed for the Unix core that was introduced in OS X (now macOS).

For example, HFS Plus can’t represent dates after 2040 (its timestamps are 32-bit), and doesn’t cope well with multiple processes accessing the filesystem at the same time, making it more sluggish and less future-proof than other widely used filing systems such as NTFS on Windows and ext4 on Linux.

New drivers, new utilities

APFS was introduced as Apple’s default and preferred filing system in High Sierra.

This means new drivers inside the operating system to support disks formatted with the new system, and new features in Apple’s disk management utilities to prepare APFS disk volumes for use.

There are two main disk management tools in macOS – the easy-to-use graphical tool Disk Utility, and the super-powerful but arcane command line program diskutil.

It turns out that the APFS support in the High Sierra version of Disk Utility has feet of clay, as we’ll show here.

We erased a USB disk and created a new APFS (Encrypted) volume on it.

Disk Utility prompted us for a password (twice) and an optional hint.
We entered keepthisSecret as the password and The hint should be shown as the hint.

Disk Utility created the encrypted volume and mounted it automatically.

We unplugged the USB disk and then plugged it back in, and macOS asked for the password. We entered keepthisSecret and the disk was unlocked and mounted, showing that the password had been set as expected.

So far, so good, until we unplugged the device and plugged it back in once more. Again, macOS asked for the password. This time, we clicked the [Show Hint] button before entering the password.

The password dialog revealed that keepthisSecret had been set as the hint as well as the password.

The text The hint should be shown had, it seemed, simply been thrown away.

In other words, if you set a password hint as suggested, anyone who stole your disk could “hack” the password simply by using Disk Utility’s [Show Hint] button!

What to do?

If you haven’t created any new APFS encrypted volumes since upgrading to High Sierra, you are OK. If you created an APFS encrypted volume but didn’t specify a hint, you are OK. If you created an APFS encrypted volume using diskutil, you are OK (the bug is in Disk Utility, not in the operating system itself). If you upgraded to High Sierra from an earlier version of macOS, your disk will have been converted to APFS, but any hint you had before is left untouched (so far as we can tell), so you are OK.

Apply the APPLE-SA-2017-10-05-1 Supplemental Update as soon as you can.
By the way, you can blank out the password hint on any APFS volume, just in case, with the following diskutil command in a terminal window:

$ diskutil apfs hint /Volumes/[YOURNAME] -user disk -clear
Removing any hint from cryptographic user XXXXXXXX on APFS Volume diskYsZ
$

If there wasn’t a hint, no harm is done, but you’ll see an error message like the one below. That gives you a way to verify that any hint really was scrubbed: repeat the command until it provokes the error:

Error editing cryptographic user on APFS Volume:
Unable to set APFS crypto user passphrase hint (-69554)
Alternatively, you can overwrite the existing password hint by using the command line option -hint, instead of -clear, like this:

$ diskutil apfs hint /Volumes/[YOURNAME] -user disk -hint "Your hint here"
Setting hint "Your hint here" for cryptographic user XXXXXXXX on APFS Volume diskYsZ
$

Whatever you do, though, don’t follow the suggestions of Apple’s own diskutil help text, which offers this terrible advice:

$ diskutil apfs hint help
[. . . .]
Set a passphrase hint for an existing cryptographic user; you can specify
"disk" for the "Disk" user. Specifying "-clear" will remove any hint.
Ownership of the affected disks is required.
Example:  diskutil apfs setPassphraseHint disk5s1 -user disk -hint NameOfMyPet
$

Pets’ names make dreadful passwords, because they’re usually neither secret nor hard to guess, and setting a hint that tells a crook you have made a dreadful password choice just makes a bad thing worse.
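A check worth building into any tool that stores a hint next to a secret (or into a script that audits hints already stored on your volumes) is to make sure the hint cannot stand in for the password. The Python below is an added example, not code from Sophos or Apple: the similarity threshold and the function names are its own choices, and it only catches hints that resemble the password textually, not semantic giveaways like a pet’s name.

```python
from difflib import SequenceMatcher

# Added example: a check a volume-creation tool (or an after-the-fact audit)
# can apply so that the hint never gives the passphrase away. The threshold
# and names here are this example's own choices, not Apple's.

SIMILARITY_LIMIT = 0.75   # SequenceMatcher ratio above which a hint is "too close"


def hint_problems(password: str, hint: str) -> list:
    """Return the reasons `hint` would weaken `password`; an empty list means
    the hint passes. Comparison is case-insensitive."""
    problems = []
    if not hint:
        return problems
    p, h = password.casefold(), hint.casefold()
    if h == p:
        # The Disk Utility bug: the stored hint *is* the passphrase.
        problems.append("hint is the password")
    elif p in h:
        problems.append("hint contains the password")
    elif len(h) >= 4 and h in p:
        problems.append("hint is a substring of the password")
    else:
        # Catch near-copies such as the passphrase with spaces or punctuation
        # added. This does not catch semantic leaks ("my dog's name"), which
        # only a human can judge.
        ratio = SequenceMatcher(None, p, h).ratio()
        if ratio >= SIMILARITY_LIMIT:
            problems.append(f"hint is {ratio:.0%} similar to the password")
    return problems


def check_stored_hint(password: str, stored_hint: str) -> bool:
    """Audit helper: True if a hint already stored on a volume is safe to
    leave in place; False if it should be cleared or rewritten."""
    return not hint_problems(password, stored_hint)


if __name__ == "__main__":
    # Constructed inputs: the values from the experiment above plus one
    # near-copy that a plain equality check would miss.
    for pw, hint in [("keepthisSecret", "The hint should be shown"),
                     ("keepthisSecret", "keepthisSecret"),
                     ("keepthisSecret", "keep this secret")]:
        print(repr(hint), "->", hint_problems(pw, hint) or "ok")
```

The same function serves both moments: refuse a bad hint when the volume is created, and, given the passphrase, decide whether a hint already on disk needs the -clear treatment.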

Of course, if you had set a hint with Disk Utility, then for all you know someone who knew the [Show Hint] trick might have seen your password, so you ought to change it.

You can update the passphrase on an APFS Encrypted volume quickly and easily as follows:

$ diskutil apfs changepassphrase /Volumes/[YOURNAME] -user disk
Old passphrase for user XXXXXXXX: ..........
New passphrase: ..........
Repeat new passphrase: ..........
Changing passphrase for cryptographic user XXXXXXXX on APFS Volume diskYsZ
Passphrase changed successfully
$

A bad look for Apple, letting a buggy system utility like that into a production release…

…but a creditable response by Apple in getting a fix out quickly.

Saturday, April 29, 2017

Malware Uses Apple Developer Certificate to Infect MacOS and Spy on HTTPS Traffic

from macrumors.com

A malware research team has discovered a new piece of Mac malware that reportedly affects all versions of MacOS and is signed with a valid developer certificate authenticated by Apple (via The Hacker News). 

The malware has been dubbed "DOK" and is being disseminated through an email phishing campaign which researchers at Check Point say is specifically targeting macOS users, making it the first of its kind. 

The malware works by obtaining administrator privileges in order to install a new root certificate on the user's system. With its own certificate trusted by the Mac, it can intercept all communications between the host and the internet, including traffic on connections encrypted with TLS (SSL), because the victim's software will accept the certificates the malware forges. 

The initial email pretends to be informing the recipient of inconsistencies in their tax return and asks them to download a zip file attachment to their Mac that harbors the malware. Apple's built-in Gatekeeper security feature reportedly fails to recognize it as a threat because of its valid developer certificate, and the malware copies itself to the /Users/Shared/ folder and creates a login item to make itself persistent, even in a rebooted system. 

The malware later presents the user with a security message claiming an update is available for the system, for which a password input is required. Following the "update", the malware gains complete control of admin privileges, adjusts the network settings to divert all outgoing connections through a proxy, and installs additional tools that enable it to perform a man-in-the-middle attack on all traffic. 
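A quick way to check whether a Mac's network settings have been redirected in the way described is to read the system proxy configuration and flag anything that sends traffic through the machine itself or fetches a proxy script over plaintext. The Python below is an added example (not Check Point's or Apple's code) that runs on a constructed dump in the shape of scutil --proxy output; the layout it parses and the decision rules are this example's assumptions, and it does not inspect the installed root certificates, which is the other half of the check.

```python
import re
import subprocess
import sys
from urllib.parse import urlparse

# Constructed sample in the shape of `scutil --proxy` output, showing a system
# proxy redirected to a PAC file served from the local machine. It is not a
# capture from the DOK malware; the layout of the dump is this example's
# assumption about scutil's format.
SAMPLE_TAMPERED = """\
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 0
  HTTPSEnable : 0
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://127.0.0.1:5555/proxy.pac
}
"""

SAMPLE_CLEAN = """\
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 0
  HTTPSEnable : 0
  ProxyAutoConfigEnable : 0
}
"""


def parse_scutil_proxy(text: str) -> dict:
    """Flatten the top-level `Key : value` pairs of the dump into a dict.
    Nested blocks (the ExceptionsList array) are skipped."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth == 1:
            m = re.match(r"^(\w+)\s*:\s*(.*)$", line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings


def _is_loopback(host: str) -> bool:
    return host in ("localhost", "::1") or host.startswith("127.")


def assess_proxy(settings: dict) -> list:
    """Return findings describing how the proxy configuration could be used
    to route traffic through an interception point."""
    findings = []
    if settings.get("ProxyAutoConfigEnable") == "1":
        url = settings.get("ProxyAutoConfigURLString", "")
        parsed = urlparse(url)
        if _is_loopback(parsed.hostname or ""):
            findings.append(f"PAC script served from this machine: {url}")
        elif parsed.scheme != "https":
            findings.append(f"PAC script fetched over plaintext: {url}")
        else:
            findings.append(f"PAC script in use: {url} (confirm it is expected)")
    for proto in ("HTTP", "HTTPS"):
        if settings.get(f"{proto}Enable") == "1":
            host = settings.get(f"{proto}Proxy", "")
            port = settings.get(f"{proto}Port", "?")
            where = "this machine" if _is_loopback(host) else "a proxy"
            findings.append(f"{proto} traffic sent to {where}: {host}:{port}")
    return findings


if __name__ == "__main__":
    # On a Mac, read the live configuration; elsewhere, run on the sample.
    if sys.platform == "darwin":
        text = subprocess.run(["scutil", "--proxy"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_TAMPERED
    for finding in assess_proxy(parse_scutil_proxy(text)) or ["no proxy redirection found"]:
        print(finding)
```

A PAC script on 127.0.0.1 is not proof of infection on its own (some privacy tools do the same), but it is exactly the setting an interception proxy needs, so it should be explained before it is trusted.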


According to the researchers, Mac antivirus programs have yet to update their databases to detect the DOK malware, and they advise that Apple revoke the developer certificate associated with the author immediately. 

Back in January, researchers discovered a piece of Mac malware called Fruitfly that successfully spied on computers in medical research centers for years before being detected. 

The latest discovery of malware, which appears to target predominantly European users, underlines the fact that Macs are not immune to the threat as is sometimes supposed. As always, users should avoid clicking links or downloading attachments in emails from unknown and untrusted sources.

Tuesday, January 31, 2017

Apple Malware Remained Un-patched for Almost 20 Years

from news.filehippo.com
Antivirus Software Maker Spots Apple MacOS Vulnerability
Named Quimitchin by Malwarebytes and called Fruitfly by Apple, the ‘new’ back door may actually have been lurking in the background of macOS for years, built on system calls and library code that haven’t been updated since the late 1990s, according to the antivirus software publisher’s blog post.

A masterclass in simplicity, the malware contains just two files designed to open a backdoor into the Macs it infects, letting it receive instructions from the hacker’s computer, known in the cybersecurity world as a command and control server (C&C).

Thomas Reed from Malwarebytes said: “These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days. In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.

“However, we shouldn’t take the age of the code as too strong an indication of the age of the malware. This could also signify that the hackers behind it really don’t know the Mac very well and were relying on old documentation.

“It could also be that they’re using old system calls to avoid triggering any kind of behavioral detections that might be expecting more recent code.”

Thomas Reed goes on to say that ironically, despite the age and sophistication of this malware, it uses the same old unsophisticated technique for persistence that so many other pieces of Mac malware do: a hidden file and a launch agent. “This makes it easy to spot, given any reason to look at the infected machine closely (such as unusual network traffic). It also makes it easy to detect and easy to remove.”
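The persistence pattern described above (a hidden file started by a launch agent) is easy to look for mechanically. The Python below is an added example, not Malwarebytes’ or Apple’s code: it parses the plists in a LaunchAgents folder and reports jobs whose program is a dot-file or lives in a scratch directory. The two agents it writes to a temporary folder are constructed for the example; their labels and paths are invented.

```python
import os
import plistlib
import tempfile

# Added example: scan a LaunchAgents folder for jobs that launch a hidden
# file or something living in a scratch directory. The sample plists are
# constructed below; their labels and paths are invented for the example.

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")


def job_program(job: dict):
    """The executable launchd will run: `Program`, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def hidden_component(path: str) -> bool:
    """True if any path element is a dot-file or dot-directory."""
    return any(part.startswith(".") and part not in (".", "..")
               for part in path.split("/"))


def suspicious_launch_agents(agents_dir: str) -> list:
    """Return (plist name, reason) pairs for jobs worth a closer look."""
    findings = []
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agents_dir, name)
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)
        except Exception as exc:          # a malformed plist is itself notable
            findings.append((name, f"unparseable plist: {exc}"))
            continue
        program = job_program(job)
        if not program:
            findings.append((name, "no program to run"))
            continue
        reasons = []
        if hidden_component(program):
            reasons.append("runs a hidden file")
        if program.startswith(SCRATCH_DIRS):
            reasons.append("runs from a scratch or shared directory")
        if reasons and job.get("RunAtLoad") and job.get("KeepAlive"):
            reasons.append("restarted automatically (RunAtLoad + KeepAlive)")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


def build_sample_dir() -> str:
    """Write two constructed agents into a temp dir: one ordinary, one in the
    hidden-file-plus-launch-agent pattern described in the article."""
    d = tempfile.mkdtemp(prefix="launchagents_")
    benign = {"Label": "com.constructed.updater",
              "ProgramArguments": ["/usr/local/bin/updater", "--check"],
              "StartInterval": 3600}
    hidden = {"Label": "com.constructed.client",
              "ProgramArguments": ["/Users/alice/.client"],
              "RunAtLoad": True, "KeepAlive": True}
    for label, job in (("com.constructed.updater", benign),
                       ("com.constructed.client", hidden)):
        with open(os.path.join(d, label + ".plist"), "wb") as fh:
            plistlib.dump(job, fh)
    return d


if __name__ == "__main__":
    target = os.path.expanduser("~/Library/LaunchAgents")
    if not os.path.isdir(target):
        target = build_sample_dir()
    for name, reason in suspicious_launch_agents(target):
        print(f"{name}: {reason}")
```

Run it on ~/Library/LaunchAgents and /Library/LaunchAgents (and the LaunchDaemons folders, which use the same plist format) to get the short list that deserves a manual look.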

The good news is that Apple has released an update (to XProtect, its built-in malware signature list) that will be automatically downloaded behind the scenes to protect against future infections.

Also, as you might expect, Malwarebytes will detect Fruitfly, or Quimitchin (Why the name? Because the quimitchin were Aztec spies who would infiltrate other tribes. Given the “ancient” code, they thought the name rather fitting!).

Friday, September 16, 2016

More iOS 10 woes: Some users can’t sync music between devices

from thenextweb.com
This morning has basically been a disaster for Apple. First its highly anticipated roll-out of iOS 10 welcomed some users with bricked devices. Now, following the release of iTunes 12.5.1, users report they can no longer connect to iCloud Music Library, the linchpin required to sync music across supported devices.

iPhone, iPad, iPod touch, Mac and Windows PC users are all susceptible to whatever is causing the issue, and many are finding their content inaccessible while the service is down.

When attempting to access the feature after today’s update, users are met with an error message. After clicking ‘OK’ the message disappears, only to reappear seconds later.

We’ve reached out to Apple for comment and we’ll update if necessary.

Wednesday, September 14, 2016

Warning: iOS 10 is reportedly screwing up people’s phones

from thenextweb.com
After releasing iOS 10 earlier today, some users are reporting ‘bricked’ devices after attempting to update to the new operating system. Most of the issues seem to come from over-the-air (OTA) updates, meaning a device that downloads and installs the update without being plugged in to a computer running iTunes, something Apple used to require.

The issues seem fairly widespread. The OTA update begins and then leaves users staring at a ‘Connect to iTunes’ screen that forces a complete firmware re-install. If you forgo the wiping and re-installation of iOS on your iPhone or iPad, you’re left with a bricked and completely useless device.

Not all users are having the issue though. I updated from the last beta version of iOS 10 to the launch version this morning without incident.

A Twitter search for iOS 10-related keywords shows the problem could be affecting a significant portion of those upgrading. In fact, nearly all of the iOS 10-related update problems appear to be the same issue: a bricked device after a prompt to connect to iTunes.

For what it’s worth, Apple claims the problem has since been fixed, according to a 9to5 Mac tweet.

Users, however, are still reporting the problem, so maybe Apple isn’t quite done remedying the issue just yet. Still, if you absolutely have to have iOS 10 today, it’s never a bad idea to do a fresh backup before you make the upgrade.


Saturday, July 23, 2016

Hackers can steal your iOS and Mac passwords with a single image file

from: thenextweb.com
A new vulnerability discovered by a Cisco researcher could allow hackers to gain access to the internal storage and stored passwords on your iOS or Mac device – and all they’d have to do is send you a malicious image file.

Tyler Bohan of Cisco Talos found that a malformed TIFF image file, sent via MMS or email or placed on a webpage that a victim is guided to visit, can trigger code execution in Apple’s image-parsing library (ImageIO) as soon as the image is rendered, with no user interaction and nothing for the user to notice.

In addition to exposing your authentication credentials on iOS, Mac OS X, tvOS and watchOS, the vulnerability can also allow attackers to take remote control of Macs, where the vulnerable parsing code is not always confined by a sandbox.
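What makes a single image dangerous is the parsing that happens before anything is drawn: a TIFF file carries a directory of tagged entries whose counts and offsets the reader must check against the file size before trusting them. The Python below is an added example written for this page, not Apple’s or Talos’s code and not the proof-of-concept: a bounds-checked reader for that directory, tried against constructed samples that a careless 32-bit implementation would mishandle (a count-times-size product that wraps to zero, and a value offset past the end of the file).

```python
import struct

# Added example: a bounds-checked reader for a TIFF's tag directory (IFD),
# the part of the format an image library must parse before it touches pixel
# data. The sample files are constructed below; neither is the Talos PoC.

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1,
              8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


class TiffError(ValueError):
    pass


def parse_tiff(data: bytes, max_entries: int = 4096) -> dict:
    """Return {tag: (type, count, raw value bytes)} for the first IFD, or raise
    TiffError the moment any offset or length points outside `data`."""
    if len(data) < 8:
        raise TiffError("truncated header")
    order = {b"II": "<", b"MM": ">"}.get(data[:2])
    if order is None:
        raise TiffError("bad byte-order mark")
    magic, ifd_off = struct.unpack(order + "HI", data[2:8])
    if magic != 42:
        raise TiffError("bad magic")
    if ifd_off < 8 or ifd_off % 2 or ifd_off + 2 > len(data):
        raise TiffError("IFD offset out of range")
    (n,) = struct.unpack(order + "H", data[ifd_off:ifd_off + 2])
    if n == 0 or n > max_entries:
        raise TiffError(f"unreasonable entry count {n}")
    if ifd_off + 2 + 12 * n + 4 > len(data):
        raise TiffError("IFD table runs past end of file")
    tags = {}
    for i in range(n):
        off = ifd_off + 2 + 12 * i
        tag, typ, count, raw = struct.unpack(order + "HHI4s", data[off:off + 12])
        size = TYPE_SIZES.get(typ)
        if size is None:
            raise TiffError(f"tag {tag}: unknown type {typ}")
        # Python integers do not wrap; in C, count * size must be checked
        # for overflow before it is used as an allocation or copy length.
        length = count * size
        if length > len(data):
            raise TiffError(f"tag {tag}: {count} x {size} bytes exceeds file")
        if length <= 4:
            value = raw[:length]                 # value stored inline
        else:
            (voff,) = struct.unpack(order + "I", raw)
            if voff + length > len(data):
                raise TiffError(f"tag {tag}: value at {voff} runs past end")
            value = data[voff:voff + length]
        tags[tag] = (typ, count, value)
    return tags


def build_tiff(entries, order="<") -> bytes:
    """Assemble header + one IFD (no pixel data); used only to make samples."""
    bom = b"II" if order == "<" else b"MM"
    ifd = struct.pack(order + "H", len(entries))
    for tag, typ, count, raw in entries:
        ifd += struct.pack(order + "HHI4s", tag, typ, count, raw)
    return bom + struct.pack(order + "HI", 42, 8) + ifd + struct.pack(order + "I", 0)


def rejects(data: bytes) -> bool:
    """True if parse_tiff refuses the input."""
    try:
        parse_tiff(data)
    except TiffError:
        return True
    return False


# Constructed samples: a well-formed 16x16 header, one entry whose count*size
# wraps to 0 in 32-bit arithmetic, and one whose value offset is past the end.
SAMPLE_GOOD = build_tiff([(256, 3, 1, struct.pack("<H", 16) + b"\0\0"),
                          (257, 3, 1, struct.pack("<H", 16) + b"\0\0")])
SAMPLE_WRAP = build_tiff([(273, 4, 0x40000000, struct.pack("<I", 8))])
SAMPLE_PAST_END = build_tiff([(273, 4, 4, struct.pack("<I", 0xFFFFFFF0))])

if __name__ == "__main__":
    print(parse_tiff(SAMPLE_GOOD))
    for name, sample in (("wrap", SAMPLE_WRAP), ("past_end", SAMPLE_PAST_END)):
        print(name, "rejected" if rejects(sample) else "ACCEPTED")
```

The two bad samples are the shapes that matter in a native parser: in SAMPLE_WRAP the product 0x40000000 * 4 is zero in 32-bit arithmetic, so an unchecked reader allocates nothing and then copies by the original count; in SAMPLE_PAST_END the offset plus length wraps past the end of the buffer. Both must be rejected before any memory is touched.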

Thankfully, these issues have been patched by Apple; you’ll need to update to the latest versions of their operating systems – iOS 9.3.3, El Capitan 10.11.6, tvOS 9.2.2 and watchOS 2.2.2 – to stay safe.

If this sounds familiar, it’s because the security flaw is eerily similar to the Stagefright vulnerability discovered in Android devices last year. After it was spotted last August, a second version was uncovered in which devices could be compromised by sending across an audio file.

Wednesday, January 20, 2016

Apple Gatekeeper still lets malware in

from komando.com
If you use a Mac, you may be comforted by its reputation for being secure. For decades, Apple had done a great job of keeping hackers out.

That is, until Apple products started becoming really popular in recent years. Then, hackers began to pounce. Now, Macs are often hit by hackers, or found to be vulnerable to attack.

That's the case with Apple Gatekeeper. Ironically, it's a feature that's meant to keep the bad guys out: you can tell macOS to run only apps from the Mac App Store or from identified developers.

As Apple puts it, Gatekeeper helps "protect your Mac from malware and misbehaving apps downloaded from the Internet." Apple says it screens all the apps on Mac App Store, and those created by developers with an Apple Developer ID.

Apple goes on to say: "If an app was developed by an unknown developer, one with no Developer ID, or tampered with, Gatekeeper can block the app from being installed." (See photo.)

The problem is that a security researcher found a flaw in Gatekeeper last year. The flaw, CVE-2015-7024, lets attackers bypass it. Once in, they can use malware to steal your personal information, take over your Mac and demand ransom, spy on you, and more.

Last year, the same researcher alerted Apple about the flaw in Gatekeeper. Apple issued a patch to fix the problem.

However, as it turned out, Apple closed only some of the entryways: the fix blocked particular trusted apps that could be abused, not the technique itself, so hackers can still get past Gatekeeper.

The trick is to take a legitimately signed, Gatekeeper-trusted app and package it in a .dmg alongside a malicious file that the trusted app loads when it runs; Gatekeeper checks only the signed app, so the malware rides in untouched. You're exposed if you download apps over plain HTTP rather than HTTPS (so the download can be swapped in transit), or from anywhere other than the Mac App Store.

As of now, Apple is said to be working with cybersecurity experts to fully patch up the security flaw in Gatekeeper.

While Apple and cybersecurity experts work on fixing this vulnerability, you should make sure you're protecting yourself, your financial information, and your digital devices. You should use a suite of strong security tools, including an anti-virus program. We recommend our sponsor, Kaspersky Lab.