Protecting your data from ransomware

With ransomware being able to go after data on your Mac, external drives and even network shares, how do you protect your precious files?
Yours truly wrote a post on Intego’s Mac Security Blog that tells you all about it. Have a look here.

Posted in Security

Using your password manager the right way

I have mentioned 1Password before. It is, in my book, the best password manager for Mac and iOS available. If you are not familiar with it, I highly recommend you check it out and start using it sooner rather than later.

If you have been using 1Password or are about to use it now, this post is for you.

Using a password management tool like 1Password is a great first step. “There are more steps?” Absolutely. Replacing your sticky notes or a contact in your address book called “Passwords” (I’ve seen it…) with a password manager is a good start but there is a right and wrong way to use it. In this article I’ll cover some ways to perform maintenance and improve your overall password strategy.

Actually use it.

I have seen many users install 1Password, put in the passwords they remember at the time and then never touch it again. After a while they forget their master password or need a password that was never entered into 1Password. If you commit to using a password manager, actually use it. Just accept the fact that there will be a small learning curve and a change in the way you use your computer. After a few days, you’ll wonder how you’ve gone without a password manager for so long.

Use all available features.

A good password manager is so much more than a list of passwords. 1Password can hold passwords, credit cards, software licenses and more. If it can do it, use it. It will make your life easier and more secure. After all, why would you store your passwords in a secure vault but leave your credit cards on your desk? I store everything that has value in 1Password so I always know where to find it and I know I’m the only one that has access to it. Using the built-in sync, my passwords, secure notes, router login details and credit cards are available on any one of my computers or from my iPad or iPhone.

Speaking of knowing where to find it…

Transfer every saved password over to your password manager. Your browser saves passwords for you, but which password is saved where? Do those passwords get synced securely to your other devices? An alarming number of people still use sticky notes or other insecure ways to save passwords. Where did you write down the password for this service? Having them all in one place will ensure you have every password whenever you need it: in your browsers (through the 1Password extension), on your other devices (through sync), and as secure as can be.

Now, let’s have a look inside your password manager to see if it’s being used in the best way and if it can benefit from some maintenance.

Known vulnerabilities.

Fire up 1Password and look down the left column. Look for “Security Audit” which is closed by default. Click on the little “Show” button next to it to expand all the options.
This is where the good stuff is hidden. First up is Watchtower. Watchtower checks the URL saved with each login against 1Password’s list of sites with known breaches or vulnerabilities and flags the item if there may be a past or present problem.
If there are any items listed in Watchtower, select them and click the red banner in the right column. A small explanation will pop up with a “Learn more” link. It is typically a good idea to follow the recommendation and change your password for that site. I have, however, seen a few sites listed that give no indication as to why 1Password feels there may be a problem. Use your best judgement if you come across a site like that.

Weak passwords.

With the ability to generate insanely long and complex passwords in 1Password, this category should always be empty. 1Password remembers the passwords for you, so there is no reason to use passwords you can remember! Have a look at the items listed, if any; the password strength meter will show you right away which ones could do with a new password.
For these items, click the “Edit” button and fill in a new password. I recommend you use the built-in password generator and make the new password something you could not ever dream up yourself. You can do this by using the icon next to the password field.

These days my passwords are at least 20 characters and include plenty of symbols and digits. Allowing characters to repeat is actually the stronger choice: forbidding repeats removes candidates from the set the generator can pick from, so it can only lower the entropy. At 20 characters the difference is small either way, but there is no security reason to turn repeats off.

Use the same built-in password generator when cleaning up the Duplicate Passwords (hint: there should not be any).
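To put numbers on the repeats question, here is an added example, written for this post and not 1Password’s own generator, that builds passwords with Python’s secrets module and computes how many bits a recipe yields with and without repeated characters. The 94-symbol alphabet is an assumption standing in for a “letters, digits, symbols” recipe.

```python
import math
import secrets
import string

# Printable ASCII minus space: 94 symbols, standing in for a "letters, digits,
# symbols" recipe (an assumption of this example).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def keyspace_bits(alphabet_size: int, length: int, allow_repeats: bool = True) -> float:
    """Entropy in bits of a uniformly chosen password for the given recipe.

    With repeats allowed there are k**n candidates. Forbidding repeats shrinks that
    to k*(k-1)*...*(k-n+1), so the "no repeats" option can only lose bits.
    """
    if not allow_repeats:
        if length > alphabet_size:
            raise ValueError("cannot pick more distinct symbols than the alphabet holds")
        return sum(math.log2(alphabet_size - i) for i in range(length))
    return length * math.log2(alphabet_size)


def has_all_classes(pw: str) -> bool:
    """True if the password mixes letters, digits and symbols."""
    return (any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_password(length: int = 20, alphabet: str = ALPHABET,
                      allow_repeats: bool = True, require_all_classes: bool = True) -> str:
    """Generate a password with the CSPRNG behind `secrets`, never with `random`."""
    if not allow_repeats and length > len(alphabet):
        raise ValueError("length exceeds alphabet size with repeats disabled")
    if require_all_classes and (length < 3 or not has_all_classes(alphabet)):
        raise ValueError("alphabet/length cannot satisfy the all-classes policy")
    while True:
        if allow_repeats:
            pw = "".join(secrets.choice(alphabet) for _ in range(length))
        else:
            pool = list(alphabet)
            # Draw from the shrinking pool so each remaining symbol stays equally likely.
            pw = "".join(pool.pop(secrets.randbelow(len(pool))) for _ in range(length))
        # Rejection sampling: retry until the policy holds, which keeps every
        # policy-compliant password equally likely instead of biasing positions.
        if not require_all_classes or has_all_classes(pw):
            return pw


if __name__ == "__main__":
    for n in (12, 20, 32):
        print(f"{n} chars: {keyspace_bits(len(ALPHABET), n):.1f} bits with repeats, "
              f"{keyspace_bits(len(ALPHABET), n, allow_repeats=False):.1f} bits without")
    print(generate_password(20))
```

Twenty characters from this alphabet is about 131 bits with repeats and roughly 128 without, so the setting costs a few bits and buys nothing; the length is what matters.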

The last few categories sort your saved passwords by age. Depending on how often, if at all, you change your passwords this is very convenient. I try to change my passwords once a year so the “1-3 years old” category is what I keep my eyes on.

With the Security Audit done, what else can you do?

Delete old passwords.

Go through your list of passwords and find those services you signed up for long ago but haven’t used since. Visit their website and see if you can delete your account completely. A service like justdelete.me might come in handy here.

Review all saved items you have left.

Services and websites you created an account for a long time ago may now have additional security in place. Check every service in your list and see if it now offers two-factor authentication, for example; that should be enabled for every service and website that offers it. Also, are the URLs saved with your passwords http or https? Most sites that offer https will redirect automatically, but an http bookmark still sends that first request in the clear, where it can be read or redirected before the site gets a chance to upgrade the connection, so it is better to land on the https address directly. A lot of websites use your email address as your account ID when you sign up. Check all items in your list to ensure a current email address is used. If you signed up for a site years ago with an email address that no longer exists or is now inaccessible, you may run into problems if you ever need a password reset. Companies also email their clients if there was a security breach; without a current email address on file you miss out on those important updates.
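A quick way to do that review across a whole vault, rather than item by item, is to run it over an export. The script below is an added example written for this post, not a 1Password feature: it assumes a CSV export with title, url, username and password columns (an assumption; real export layouts vary) and flags the things the text calls out, namely short or single-class passwords, passwords reused across items (the Duplicate Passwords category above), http logins, and accounts tied to a mail domain you no longer control. The sample rows and the dead-domain list are constructed for the example.

```python
import csv
import io
import string
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample standing in for a password-manager CSV export. The column layout
# (title,url,username,password) is an assumption of this example, not a real export.
SAMPLE_EXPORT = """\
title,url,username,password
Forum,http://forum.example.org/login,alice@oldisp.example,Summer2011
Shop,https://shop.example.com,alice@mail.example,Summer2011
Bank,https://bank.example.com,alice@mail.example,x7$Lq!9vR2#mWz^4bTp&
Webmail,https://mail.example,alice,correct-horse
"""

# Mail domains you no longer control (assumed for the example). Logins tied to them
# cannot receive password resets or breach notices.
DEAD_MAIL_DOMAINS = {"oldisp.example"}


def password_classes(pw: str) -> int:
    """Number of character classes present: lower, upper, digit, symbol."""
    return sum((any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)))


def audit(export_csv: str, min_length: int = 16) -> dict:
    """Return the items that need attention, grouped by finding type."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    findings = {"weak": [], "duplicate": [], "http": [], "dead_email": []}
    by_password = defaultdict(list)
    for r in rows:
        title, pw, user = r["title"], r["password"], r["username"]
        by_password[pw].append(title)
        # Weak: too short for a generated password, or not a real mix of classes.
        if len(pw) < min_length or password_classes(pw) < 3:
            findings["weak"].append(title)
        # Saved as http: the first request goes out in the clear before any redirect.
        if urlparse(r["url"]).scheme == "http":
            findings["http"].append(title)
        # Account ID is an address at a domain you no longer control.
        if "@" in user and user.rsplit("@", 1)[1].lower() in DEAD_MAIL_DOMAINS:
            findings["dead_email"].append(title)
    for pw, titles in by_password.items():
        if len(titles) > 1:
            findings["duplicate"].append(sorted(titles))
    return findings


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_EXPORT).items():
        print(f"{kind:>10}: {items if items else 'none'}")
```

Treat the output as a to-do list: regenerate every “weak” and “duplicate” item, edit the “http” URLs to https, and change the login email on the “dead_email” accounts before you need a reset.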

Check the one password you do need to remember.

Securing your password vault with a password such as “Password 123” is of course useless; this one password protects everything else, so it deserves the most care. Make sure the master password is long and sufficiently complex yet easy to remember: a passphrase of several unrelated words picked genuinely at random is easier to type and recall than a short string of symbols, and much harder to guess.

Backup your 1Password database.

By default 1Password stores local backups of your database. These backups can be found in /YourHomeFolder/Library/Application Support/1Password/Backups. It is a good idea to have an off-site backup as well, though. Open up the Preferences and go to the Sync tab; here you have an option to sync your database to iCloud or Dropbox. You can select “Folder” and point it to a local file server; however, this is not recommended by 1Password.
This is their nice way of saying “1Password will completely freak out if it cannot find the file server”.

Remind yourself to do all of the above.

Set a reminder or calendar alert to perform all of the above maintenance every month or every few months. You can even include a link to this article so you don’t have to remember all the things you have to check on. After a while it will become part of your routine and you’ll find yourself doing this maintenance without the need for reminders.

Do you use a password manager? Which one and how often do you perform maintenance like this? Let me know in the comments!

Posted in Security

Ransomware

Ransomware. You’ve probably heard it mentioned recently as some pretty big targets fell victim to it and, though rare, the Mac has been targeted as well. A few months ago ransomware named KeRanger was found encrypting user files on Macs; once it succeeded, the victim had to pay $400 to have the files unlocked or lose the data forever.

This wasn’t the first and definitely won’t be the last. So how do you protect yourself? Unfortunately antivirus is probably the least effective tool for detecting and stopping this type of malware. To catch it immediately an antivirus needs true behavioural heuristics, which no Mac AV offers. By the time it gets a signature update that recognizes the sample, your files may already be encrypted and it’s too late.

Of course not opening suspicious files goes a long way, not visiting any shady websites generally helps too (though any website can hand out malware through compromised ad networks and other connections it makes) and of course having a solid backup in place in case things do go south is always a good idea. Then I came across RansomWhere? (question mark included in the name) and it sounded like exactly what I was looking for:

“By continually monitoring the file-system for the creation of encrypted files by suspicious processes, RansomWhere? aims to protect your personal files, generically stopping ransomware in its tracks.”

The creator is Patrick Wardle from Objective-See and I have mentioned him before in regards to another great utility KnockKnock. So I had to see what this was all about. Mind you I have not pitted this utility against actual ransomware so knowing if it truly works remains to be seen but I did make a few observations.

The utility can be downloaded here, that page will also explain how it works, how to install it etc.

Once installed I noticed high CPU usage (normal behavior) and once it was done establishing itself CPU usage dropped so low it was using fewer resources than any other app or process. Then I just sat back and forgot about it after a few days. There is no menu bar or dock icon, no application that’s always on to remind you everything is ok; just a process that runs in the background. Then one morning I woke up to a notification from Carbon Copy Cloner: it had failed to perform a clone. I walked to my Mac and noticed RansomWhere? had blocked CCC as it attempted to encrypt some files. So it worked! I allowed CCC to encrypt the files it needed to encrypt and RansomWhere? has respected my choice ever since. Another warning I got was for Plex Media Server, which apparently does some light encryption on/in its own database.

These two examples, along with Patrick’s quality work in the past, have made me a believer in this utility. Again, until it thwarts some actual ransomware it’s hard to say if this will make a good line of defense. The website is also very clear on the software’s limitations.
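The heuristic in that quote, flagging newly created files whose bytes look like ciphertext, can be illustrated in a few lines of Python. The block below is an added example written for this post, not RansomWhere?’s code: it measures Shannon entropy and a chi-square fit against a uniform byte distribution over three constructed inputs. The “ciphertext” is random bytes standing in for a real cipher’s output, and the thresholds and the 1024-byte size floor are assumptions chosen for the example.

```python
import math
import os
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution.
    Random bytes (and good ciphertext) land near 255, the degrees of freedom;
    text and most structured files score in the thousands."""
    if not data:
        return float("inf")
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_encrypted(data: bytes, min_entropy: float = 7.5, max_chi: float = 500.0,
                    min_size: int = 1024) -> bool:
    """Generic 'this new file looks like ciphertext' test. The thresholds and the size
    floor are assumptions picked for this example, not RansomWhere?'s values; tiny
    files are skipped because their histograms are too sparse to judge."""
    return (len(data) >= min_size
            and shannon_entropy(data) >= min_entropy
            and chi_square(data) <= max_chi)


# Constructed inputs. CIPHERTEXT is os.urandom standing in for a real cipher's output
# (which is designed to be indistinguishable from random bytes); COMPRESSED is the
# same text deflated, the classic false positive for this heuristic.
_WORDS = "the quick brown fox jumps over lazy dog while reading security notes every morning".split()
_rng = random.Random(7)  # seeded so the text sample is reproducible
PLAIN_TEXT = " ".join(_rng.choice(_WORDS) for _ in range(4000)).encode()
CIPHERTEXT = os.urandom(len(PLAIN_TEXT))
COMPRESSED = zlib.compress(PLAIN_TEXT, 9)


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_TEXT), ("encrypted", CIPHERTEXT), ("compressed", COMPRESSED)):
        print(f"{name:>10}: {len(blob):6d} bytes  entropy {shannon_entropy(blob):.3f}  "
              f"chi2 {chi_square(blob):9.1f}  flagged={looks_encrypted(blob)}")
```

Run it and the random bytes score close to 8 bits per byte with a chi-square near 255, while the text sits around 4 bits. The compressed copy typically scores almost as high on entropy as the ciphertext, which is the weak spot of this approach: backup archives, encrypted disk images and database files written by a media server look much like ciphertext to a byte-level test, which is why a tool working this way has to ask you about processes like Carbon Copy Cloner and Plex rather than block them outright.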

Still I think it’s worth installing as it does not take any noticeable resources and well, it’s yet another layer of defense and one can never have enough of those.

Have a look at the above mentioned link and also check out his other products, which include KnockKnock, Lockdown and Dylib Hijack Scanner. These tools are all free, so if you think they can help you (or have helped you in the past), consider making a donation so we can keep seeing these awesome utilities in the future as well.

Posted in Security

We’re back!

Having a baby, running a business and working on several other projects, something had to give and securityspread.com was it. With the business running smoothly and the baby now 5 months old, I have had some time to practise time management in this new situation, and I think I have it figured out to a point where old projects can be dusted off and restarted. Of course, starting with this website.

So, imagine my office looked like the one in the picture after a year of not being used, it is now cleaned up, upgraded and ready to be used again 🙂

First, a big thank you to all those who have kept in touch during this period of inactivity, I do appreciate it.

The biggest request I received almost weekly was an update to the antivirus tests. As this takes up enormous amounts of time I will not be able to do that just yet. My malware sample sets are very out of date, virtual machines need to be upgraded, test licenses need to be obtained again for the AV products and of course the testing itself takes days. While I have some time to regularly update this site again, testing AV will have to wait.

Thanks for visiting and being patient. Now let’s get this party going again.

Posted in Just an update

A few days with OS X 10.11 El Capitan [Updated]

I mentioned in a previous post I had high hopes for El Capitan. After installing it on September 30th, I am not disappointed. My system is fast, scrolling through large directories is smooth, Finder does not choke up when working with lots of folders open, Mail is no longer freaking out because my Mail folder is 22GB. I am very happy with this upgrade.

One issue I did have though is my Messages app refused to sign in. The account worked before the upgrade, it works on my iPhone but after the El Capitan install it no longer worked on my Mac. It became clear very soon that a lot of people are having this problem. For me it was not a dealbreaker as I can use iMessage on my phone or iPad but for some it might be a bigger deal. Luckily there is a fix.
– Shut down your Mac.
– Power on your Mac and immediately hold the Option(or Alt)+Command+P+R keys. Keep holding them until your Mac sounds the boot chime. Keep holding them but when you hear the boot chime for the second time…
– Immediately let go of the above mentioned keys and hold down the shift key instead.
– Let go of the shift key when you see the Apple logo and progress bar.

This boots your Mac into safe mode. Boot time will be much longer than usual so be patient. You might also see slow display refresh rates or other glitches, just ignore those. Once your Mac is booted, open the Messages app and sign in. It will let you sign in without issues if all goes well. Do the same for FaceTime if that gave you problems before too. Quit the apps and restart your Mac.

Now your Messages should work.

Another issue that seems to be the hot topic after every new OS X release is Mail. The most common complaint after the El Capitan upgrade is mail disappearing and certain accounts being unable to send mail. I have not experienced this myself on my machines or any of the others I have upgraded but the message boards are full of reports about this. As of yet I have not seen a solution. Some people have had luck rebuilding the affected mailboxes, for others it did no good. To rebuild your mailbox, select it in the mailboxes list and select “Rebuild” from the Mailbox menu. Depending on the amount of mail this can take a while.

Something I did experience is that Apple Remote Desktop stopped working. On my end, the administrator, all of the client computers were grayed out even though I knew they were online. The fix was simple; in System Preferences > Sharing (on the client machines), turn off Remote Management, then turn it on again. This solved the issue for me with roughly 48 Macs. I think this problem is caused by the client computer but I have also heard people say this is a problem on the admin side. Either way it’s a quick fix. If you do not have access to the remote machine, hold off on upgrading to El Capitan on both sides, just to be safe. In some cases the Screen Sharing app or Finder buttons still worked but this was random.

Finally, an issue I hear a lot of people mention is that Outlook no longer works or works poorly. This has been a reported issue since El Capitan went into beta and seems to affect Outlook for Office 2011 only. If you rely on Outlook (any version), make sure others report it works well on El Capitan or contact Microsoft to ask if an update will be released soon to address these issues. No issues were reported with the other Office applications like Word and Excel. Microsoft was working on a fix and has since released an update that resolves the problem.

These are the highlights of El Capitan issues as far as I can tell. Message boards are flooded with people damning El Capitan to hell, it broke my stuff, nothing works, Apple failed us all… etc etc. This is the same stuff I read every year after a new OS X version is released and this will most likely never change. Despite the few glitches I have seen myself, those mentioned above, I am very happy with this upgrade.

If you are not sure if El Capitan is right for you or worth the risk, just back up your data and give it a try. If something goes wrong or if you experience bugs you cannot live with, your old system is just a restore away 🙂 You can also clone your system to an external drive, boot up from that and then run the upgrade. If it does not work out, just boot up from your internal drive again and you’ll be set.

I have mentioned a few backup options in my “Get ready for OS X 10.11 El Capitan” article.

You can also play it safe and wait for Apple to release the 10.11.1 update which usually follows soon after the initial release of a new system. Either way El Capitan is worth the upgrade as it offers many improvements to security, stability and usability. So upgrade now or wait for some of the bugs to be squashed and upgrade later but definitely consider upgrading.

[Updates]
As new bugs are discovered I will report them here. This will only cover the bugs that are widespread and/or I have been able to confirm myself.

Keychain Access
When running Keychain First Aid, the user is unable to enter a password.
Solution: None; Apple removed Keychain First Aid, and with it the ability to check or repair keychains, completely in 10.11.2.

Disk Utility RAID configuration
As this is not a feature I use every day I had not discovered this in the beta builds. Apple has removed the ability to create or edit RAID configurations in Disk Utility.
Solution: Use the diskutil appleRAID command in Terminal. Instructions can be found here.

Finder
When browsing a folder that has a scroll bar, open one of the folders and then go back. You will notice the previous window does not remember the scroll position like it did in previous OS X versions. When scrolling through large directories especially this is very annoying.
Solution: Fixed with 10.11.2 update.

Posted in Just an update

Get ready for OS X 10.11 El Capitan

While I am not crazy about the new name, I am very excited about the product. Some new features are introduced but the majority of the work has been under the hood to improve responsiveness, stability and usability. My favorite versions of OS X to date have been 10.4.11 Tiger and 10.6.8 Snow Leopard, both releases that worked hard on under-the-hood improvements, and it showed. OS X versions since then have had some nice features added, but to me OS X has not felt like the smooth and intuitive operating system I used to love.

My hope is that will change with the latest release that hits the virtual shelves tomorrow. I would love to add OS X 10.11 to my list of favorite OS versions. Hopefully Apple will not let the system slide again after this, turning future OS X versions into the same mess 10.7 – 10.10 were before focusing on serious maintenance and cleanup again. Typically in the past, any new OS comes with some bugs and a .1 update follows quickly to resolve these issues. El Capitan will probably be no different so don’t expect perfection immediately after upgrading. With that said, I have been using the pre-release versions for a while and am very impressed so far.

Hardware requirements
Alright, let’s get started. First of course you have to make sure your machine can handle the new OS. While exact system requirements have not been published yet, everyone pretty much agrees the following Macs can run El Capitan:
• iMac – Mid 2007 or newer
• MacBook – Aluminum Late 2008 and Early 2009 or newer
• MacBook Air – Late 2008 or newer
• MacBook Pro
– 13-inch Mid 2009 or newer
– 15-inch Mid/Late 2007 or newer
– 17-inch Late 2007 or newer
• Mac mini – Early 2009 or newer
• Mac Pro – Early 2008 or newer
• Xserve – Early 2009

If your Mac is one that is listed above exactly, you might want to hold off on upgrading for now. If it’s newer than those listed above, you should be ok to upgrade as long as your Mac meets the following requirements:

• At the very least, 4GB of RAM
• At the very least, 20GB of free hard drive space
• Highly recommended, a graphics card with more than 512MB of memory

But wait, Apple says all I need is 2GB of RAM, 8GB of free drive space and they don’t even mention the graphics card! I know. And your Mac will run OS X alright with those specs. The problems start when you want to run any other applications. 2GB is the minimum requirement for OS X, meaning OS X needs those 2GB to run properly. It does not mean you can run OS X + Mail + iTunes + Safari with 10 tabs + Photoshop (which will require 4GB at minimum, 8GB preferred).

You want to take the minimum suggested requirements and double them for better results or triple them for smooth operation. So if you have a Late 2008 MacBook Air with 2GB of RAM and 10GB of free drive space… do yourself a favor and don’t upgrade. Or at least wait until you hear/read about how the system performs for others that also have Late 2008 MacBook Airs.

Software compatibility
Check the websites of the manufacturers to see if the software you use is compatible with El Capitan. You may need a software update or you may need to purchase a brand new version. Find out now so there are no surprises after you upgrade.

Skipping versions
If your Mac is running 10.9 or 10.10 you should be able to upgrade to 10.11 El Capitan without any issues. However if your Mac runs 10.7, the jump to 10.11 might cause issues. Apple typically states you can upgrade from any Mac running 10.6.8 to the latest OS X but speaking from experience, this rarely goes off without a hitch. If the upgrade is skipping a few versions you may want to consider starting fresh, meaning an erase and install. If your system is currently experiencing issues (regardless of the OS version you have installed) like slow performance, freezing, spinning beachball or applications unexpectedly quitting do not upgrade. An upgrade is not a magical fix, it will almost certainly make the issue worse. Instead resolve the problem first and then upgrade. Depending on the issue a clean install may be the best solution.

After a clean install you can migrate your user data back from a Time Machine or Clone backup. This will ensure you have a brand new and fresh OS rather than a patched one an upgrade would provide.

Backup and Clone
Upgrading to a whole new OS is a very invasive undertaking. In case something goes wrong (see prior point but even if your system is fine, stuff can still go wrong) you want a backup to restore from. You should already have some kind of backup strategy in place like Time Machine but in cases like these it’s a good idea to have a clone of your system as well. A clone is a 1:1 copy of your hard drive contents and will allow you to boot up from it or restore the entire system. If you upgrade to El Capitan and find out you hate it, have too many incompatible applications or it just doesn’t run well on your older machine, just start up from the clone drive and copy the whole thing back to your Mac. Once the clone is done and you restart it’ll be like nothing ever happened.

SuperDuper is my preferred cloning tool and I recommend using an external hard drive that supports FireWire 800, USB 3.0 and/or eSATA for best performance. USB 2.0 and FireWire 400 will work but both the cloning and booting from it, if needed, will be painfully slow. Keep running your Time Machine backups as usual too of course.

Remember your passwords
After installing the new system you will be asked for your Apple ID so that features like iCloud and Messages can be enabled so make sure you know the login details before you upgrade. You can set up your iCloud and Messages later on but entering these details during the installation will make for a smoother experience when it’s done.

Duplicate important documents
Once you upgrade and start working on a document in a new version of Numbers, just to name one, you can not open that document in older versions anymore. This is the case for a lot of software. With a new OS usually come big application updates or upgrades as well. If you have important documents that you still need to be able to work on even if you decide to downgrade back to your previous system later on (with that clone I mentioned), make a copy and work on that instead. If you open/edit the original file you may not be able to use it anymore if you downgrade your system.

Having a backup (clone preferred) will ensure you can go back to the previous state of your system and is therefore the most important step when it comes to any upgrade.

Posted in Just an update

Be sure you are prepared for iOS9

This exact article is recycled every year when a new iOS is about to be released. I have edited it where needed and republished it so you can be ready for tomorrow’s upgrade to iOS 9.

Tomorrow Apple’s iOS 9 will be available to the public. The next few days you’ll hear a lot of the following:
– I love it! It’s amazing!
– It’s great but….
– Where did all my *name data* go?!
– My *name app* doesn’t work anymore!
– My phone is messed up now!
– I hate it, I wish I could go back.

As always there will be people from all of the above camps out there. You won’t know what camp you’ll be in until you install iOS 9 so it’s important to prepare properly so you won’t lose data and/or can downgrade back to iOS 8. If you upgrade, love it and don’t experience a single issue, great. Then you’ll have done all of the following for nothing but hey, better safe than sorry 🙂 Let’s begin.

Posted in Just an update

Adobe Flash Player, it’s time to say goodbye.

I can’t remember a time without you. You’ve caused sluggish performance, slow page loads and have put me at risk many times. Adobe Flash Player, it’s time to go.

It’s no secret that Flash Player is not the best web plug-in to have. It has a long history and list of security vulnerabilities, it is very demanding on your system, causing older machines to feel terribly slow when they really shouldn’t, and these days HTML5 has pretty much replaced Flash everywhere it matters.

I have removed Flash Player from my system before but somehow it always found its way back on. Today however I decided to remove it once and for all.

Why? Security mostly. I don’t have any Macs that are too old to properly load and run a website that relies on Flash Player but the never ending security vulnerabilities basically just pissed me off. I keep Flash Player up to date. The second an update is available, I install it on all my systems thinking at least it’ll protect me from the latest vulnerabilities. Sure there are vulnerabilities out there that have yet to be discovered but as long as they are not known to the mainstream, I should be safe from them.

Today another Flash Player vulnerability was patched, a 0-day that was being used in the wild for quite some time. Hacking Team, a company that specializes in surveillance software and will sell to anyone that pays, was hacked a few days ago. The hackers cleaned out their poorly secured servers and dumped all the data online for anyone to see (over 400GB worth). In that data this Flash Player 0-day was discovered and Adobe pushed out a patch as soon as possible.

It’s not the first 0-day to be discovered and it most certainly won’t be the last. But this one may have been around for a while and could have been sold to government agencies and dictatorships alike and been in active use by them. That just irks me. When I tell friends and family to update their Flash Player the first thing I hear is “I just did that!” or “Again?!” and they’re right, it’s ridiculous. So, goodbye and good riddance Adobe Flash Player. It’s a headache I can do without.

If you want to uninstall Flash Player, go to your Applications > Utilities folder and in it you’ll see “Adobe Flash Player Install Manager.app”. Run that and Flash Player will be removed from your system. I doubt you’ll miss it, as all sites that matter have switched to HTML5 by now, which requires no plug-in to function. If you’re a laptop user and use a lot of websites that call on Flash Player, you should notice an increase in battery life, and every computer user, laptop or desktop, will lighten the load on their processor.
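For the “somehow it always found its way back” problem, it helps to have a check you can run on a Mac (or push to a fleet) after the uninstaller has done its job. The following Python is an added example written for this post, not Adobe’s or Apple’s code; the paths it looks at are the usual locations of Adobe’s plug-in, preference pane, update daemon and install manager on OS X and are an assumption of the example rather than an exhaustive list from Adobe. The seed_fake_install helper only exists so the check can be exercised off a real Mac.

```python
import tempfile
from pathlib import Path
from typing import List, Optional

# Usual locations Flash Player leaves behind on OS X (assumed for this example).
# Paths are relative to the system root; the per-user plug-in folder is added below.
FLASH_ARTIFACTS = [
    "Library/Internet Plug-Ins/Flash Player.plugin",
    "Library/Internet Plug-Ins/flashplayer.xpt",
    "Library/PreferencePanes/Flash Player.prefPane",
    "Library/LaunchDaemons/com.adobe.fpsaud.plist",
    "Library/Application Support/Adobe/Flash Player Install Manager",
    "Applications/Utilities/Adobe Flash Player Install Manager.app",
]
USER_PLUGIN = "Library/Internet Plug-Ins/Flash Player.plugin"


def flash_remnants(root: str = "/", home: Optional[str] = None) -> List[str]:
    """Every Flash-related path still present under root, plus the user's own plug-in copy."""
    home_dir = Path(home) if home else Path.home()
    candidates = [Path(root) / rel for rel in FLASH_ARTIFACTS] + [home_dir / USER_PLUGIN]
    # dict.fromkeys keeps order while dropping a duplicate when home sits under root.
    return [str(p) for p in dict.fromkeys(candidates) if p.exists()]


def flash_removed(root: str = "/", home: Optional[str] = None) -> bool:
    return not flash_remnants(root, home)


def seed_fake_install(root: Optional[str] = None) -> str:
    """Create a throwaway tree that looks like a machine with Flash installed (plug-in
    bundle plus update daemon) so the check can be exercised on any platform."""
    root = root or tempfile.mkdtemp(prefix="flashcheck-")
    for rel in (FLASH_ARTIFACTS[0], FLASH_ARTIFACTS[3]):
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        if rel.endswith(".plist"):
            target.write_text("<plist/>")
        else:
            target.mkdir(exist_ok=True)  # .plugin bundles are directories
    return root


if __name__ == "__main__":
    found = flash_remnants()
    print("Flash Player remnants:" if found else "No Flash Player remnants found.")
    for p in found:
        print("  ", p)
    raise SystemExit(1 if found else 0)
```

Run it with no arguments on the Mac in question; a non-zero exit means something is still there, which makes it easy to wire into whatever management tool you use to report on a group of machines.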

[UPDATE July 10] The Hacking Team leaked data has revealed a second 0-day exploit which is at the time of writing still unpatched. Now that it’s public, expect this exploit to be in the wild very soon, if not already.

[UPDATE July 12] Oops, make that TWO new 0-day exploits that are unpatched. Still have Flash Player installed after all this? Good luck.

Posted in Security

Apple releases updates for OS X and iOS

While you’re reading this, have your Time Machine or other backup running.

Today Apple released software updates for OS X and iOS. The update for iOS is 8.4 and its main purpose is the introduction of Apple Music, but as always some security-related issues were addressed as well. A total of 35 security issues were fixed, making this more than just a music service update. Back up your iOS devices to iCloud or iTunes and install the update when you can. Read the release notes in the installer for all the details on what the update has to offer.

For OS X users we got a new version of Safari, available for users of OS X 10.8.5, 10.9.5 and 10.10.3. While only 4 WebKit issues were addressed, they are not insignificant:
• A maliciously crafted website can access the WebSQL databases of other websites.
• Visiting a maliciously crafted website may lead to account takeover.
• Clicking a maliciously crafted link in a PDF embedded in a webpage may lead to cookie theft or user information leakage.
• Visiting a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution.
By installing this update, Mountain Lion users will get Safari 6.2.7, Mavericks users will get Safari 7.1.7 and Yosemite users will get Safari 8.0.7. It is recommended to install this update soon, especially if Safari is your primary browser.

Also released today was OS X Yosemite 10.10.4. Fixing a whopping 79 security issues it is recommended you install this update as soon as you can. A few of the security fixes are:
• (Admin Framework) A process may gain admin privileges without proper authentication.
• (Admin Framework) A non-admin user may obtain admin rights.
• (Admin Framework) An attacker may abuse Directory Utility to gain root privileges.
• (ATS) Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution.
• (Bluetooth) A malicious application may be able to execute arbitrary code with system privileges.
• (Certificate Trust Policy) An attacker with a privileged network position may be able to intercept network traffic.
• (EFI) A malicious application with root privileges may be able to modify EFI flash memory.
• (EFI) A malicious application may induce memory corruption to escalate privileges.
The list goes on and on. While I have not confirmed this yet, some or all of the included security fixes address the recently discussed XARA vulnerabilities, which makes this (amongst many reasons) a great update. The included EFI fixes address a serious vulnerability that was recently found and could compromise a Mac. Another reason a lot of people are excited about the 10.10.4 update is the return of mDNSResponder. Starting with OS X 10.10 Apple replaced that process with discoveryd, a move that was ill advised from the very beginning, but Apple did it anyway. A host of network-related issues, high CPU usage, battery life problems, wake-from-sleep issues and more were attributed to the new process. It is finally gone, and folks are excited to see all those issues (hopefully) disappear with it. If you experienced any of these issues, or Wi-Fi and network problems in general, this update might solve your woes. I am hoping the removal of the dreaded discoveryd process will return my OS X server to something worth having.

That brings us to the next update specifically for OS X 10.8 Mountain Lion and 10.9 Mavericks users. It’s called “Mac EFI Security Update 2015-001” and addresses the same EFI vulnerability mentioned above. While OS X 10.10 Yosemite users have this EFI fix included in the 10.10.4 update, users of older OS X versions must install this stand-alone update. Backing up your data before any update is a good idea but with EFI Firmware updates, make extra sure your backup is recent and in working order. A software update gone bad can be fixed with a reinstall. A firmware update gone bad can result in your Mac becoming a brick with no way to reinstall. I have updated over 65 machines this afternoon without a single issue but you never know. Better safe than sorry.

Update your backups and start installing updates!


XARA sets its sights on OS X and iOS

Researchers have discovered “a series of high-impact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps’ sensitive data.” Sounds ominous huh? It is.

The researchers built a malicious app, submitted it to Apple, passed all the tests and security screenings and got the app into the App Store. This app was able to snatch data from the keychain (where all your passwords live on a Mac) using a very simple trick. Your keychain allows the sharing of resources. Your stored Facebook password, for example, can be accessed by other applications if you allow it. This app created a false keychain entry for the stored Facebook login credentials. The next time the user actually logs in to Facebook, the login details are stored in the keychain entry created by the malicious app. Now the app has your Facebook login credentials. You can imagine a truly malicious app by malware creators will go after your entire keychain and harvest whatever it can. They routed their app through Apple to make a point, but of course malware can come from any source.

The method described above is just one of the cross-app resource access (XARA) attacks that were performed. WebSocket and Scheme were also tested and did not fare well. Even Apple’s implementation of sandboxing (making sure each app stays in its own confined space and can’t access data it shouldn’t) was found to be flawed, “exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID.” The Bundle ID is a unique identifier for each app that comes from the App Store. Applications that use bundled helper apps, like 1Password, have a Bundle ID but the helper app does not. In the case of 1Password that would be the browser extension. The researchers found that they were able to intercept traffic between 1Password and the browser extension, giving them access to the things you don’t want anyone to access.

1Password has been working on this issue for a while and has yet to find a fix. All they can do is recommend that users always keep 1Password Mini running and pay attention to what they install. The reason for the first suggestion is that the researchers launched the malware before 1Password Mini and were able to intercept the sensitive data. If 1Password Mini launches right when you log in to your Mac, the malware should not be able to get between 1Password Mini and the browser extension. AgileBits’ full discussion on this topic can be found here.

To allow applications to communicate with their helpers, they often set up a server. In the case of 1Password, the application runs a server and opens a few different ports, waiting for requests from the browser extension. That inter-app communication is the weak link. It might even be the communication between 1Password Mini and the 1Password app, I’m not sure. Either way, there is no fix as of yet. Disabling the browser extension won’t help, disabling 1Password Mini won’t help, and clearing all names and passwords from your system and keeping them in a notepad is not only a very bad idea, it’s just impractical.

“Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications,” the researchers pointed out. To see just how widespread these issues were, they developed a scanner that automatically analyzed OS X and iOS app binaries.

“In our study, we ran the analyzer on 1,612 most popular MAC apps and 200 iOS apps, and found that more than 88.6% of the apps using those mechanisms and channels are completely exposed to the XARA attacks, and every app’s container directory has been fully disclosed. The consequences are dire: for example, on the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system’s keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome; from various IPC channels, we intercepted user passwords maintained by the popular 1Password app (ranked 3rd by the MAC App Store) and the secret token of Evernote (ranked 3rd in the free “Productivity” apps); also, through exploiting the BID vulnerability, our app collected all the private notes under Evernote and all the photos under WeChat. We reported our findings to Apple and other software vendors, who all acknowledged their importance.”

Affected apps and services include iCloud, Gmail, Google Drive, Facebook, Twitter, Chrome, 1Password, Evernote, Pushbullet, Dropbox, Instagram, WhatsApp, Pinterest, Dashlane, AnyDo, Pocket and several others.

I can go on and on sharing every step of the research, rag on Apple for not fixing these issues (they have known since October 2014) and get into the technicalities but for now all you need to know is this:
• These vulnerabilities are huge and there is no fix.
• Now that the news is out, bad guys will jump on this and implement it in their malware.
• Right now no known malware uses these techniques.
• Malicious apps can come from any source, including the App Store.

Until more is known and Apple provides a fix, continue using your best practices.
• Don’t install software unless you absolutely need it.
• Whatever you do install should come from a well known reputable developer and only from original sources (developer website or App Store).
• Use Little Snitch. Any malicious application that uses these techniques will have to send your stolen data somewhere. Little Snitch will show you that outgoing connection attempt and if it’s something you don’t recognize or find suspicious, block it. In theory, even if you were to be infected with this type of malware, the stolen data will remain on your system.

Unfortunately iOS does not have a Little Snitch and was found to be vulnerable as well, though not as much as OS X. So be extra careful with what you install on your iDevice.

[UPDATE] Friday June 19th.
Apple has commented stating: “Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store,” an Apple spokesperson told iMore. “We have additional fixes in progress and are working with the researchers to investigate the claims in their paper.”

The full report can be found here. (PDF, Links to Google Drive)
A YouTube video that shows how one of the exploits can work can be seen here.
A YouTube video that shows how a WebSocket attack against 1Password is done can be seen here.
And how to steal iCloud tokens in a Keychain attack… here.


Malware Detection Rate Results

Last updated:
Sunday October 5th, 6:40PM EST
436 Samples, 44 Applications
#1 Avast
#2 Intego
#3 Norman
Get it here.