I’m weary of defending Apple and I explain why. In Dumb Question Corner Steve Davidson asks for an explanation of whether the new iPhones from Verizon and AT&T can actually be moved between the two carriers and I find the answers at https://www.apple.com/iphone-6/specs/ and http://www.techwalls.com/differences-between-iphone-6-6-plus-models/. Steve and I continue our adventure figuring out how to back up one Drobo with another. I mention the Belkin Thunderbolt dock from Amazon, ResistorVision to read resistor values, Chronosync backup software from Econ Technologies and a hack to convince the Mac Mini that it has a monitor connected when it doesn’t. In Chit Chat Across the Pond Bart breaks down the Shellshock vulnerability, and in Taming the Terminal Part 21 of n, we learn more about searching from the Terminal.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday September 28, 2014 and this is show number 490.
Hey that sounds like a great segue for an ad for Clarify! Like I said, I didn’t do the tutorial for anyone but me, but it’s amazing how often someone else finds one of these tutorials useful so I always share them no matter how arcane they are. I dropped in links to things like the Apple support article explaining how if you have an AirPort device or an Apple TV, either one of them will just magically make your Macs wake up for you if you need them. I put in screenshots, blurred out usernames and passwords, drew boxes around buttons I should push next time and made myself little notes to explain why I set switches a certain way. It’s not a complex tutorial or even all that complicated to execute but I just hate having to figure out something a second time.
If you’re forgetful or even just lazy (I’m both) grab yourself a copy of Clarify from clarify-it.com and save yourself time and energy. Heck, you don’t even have to share your tutorials with anyone but yourself to get productivity out of Clarify.
Chit Chat Across the Pond – Time 23:24
Security Medium – Shellshock
This week it emerged that there has been a nasty bug in BASH for years. Initially it was just ‘the BASH vulnerability’, but someone nicknamed it Shellshock, and it stuck, so that’s how the media are running with it now.
The vulnerability is in how BASH handles environment variables, and the result of exploitation is code execution. While you might think the shell is not very exposed over the network, the problem is that lots of services pass the data they receive into environment variables, and lots of Linux and Unix servers hand those variables to BASH (at least by default), so in reality remote code execution through stuff like web servers is actually as easy as sending a request to the server containing a carefully crafted HTTP header. Researchers have also found that some DHCP implementations (NOT Apple’s custom one) expose the vulnerability.
A server bug allowing remote code execution is exactly what you need to get an internet worm going, and that’s exactly what is starting to happen in the wild. Researchers have already found botnets spreading themselves using this vulnerability.
Most Unix and Linux distributions were quick to ship a patch, so sysadmins all around the world spent Wednesday night and Thursday patching like mad.
Then it turned out the first patch didn’t really fix all of the problem, so a second patch had to be released – so all those overworked sysadmins got to do it again 24 hours later!
The big problem is that not all things that use BASH have been patched:
- There is no patch from Apple yet, but they say they are working on one, and that the vast majority of Mac users are not in danger
- There are more embedded devices with BASH on them than you can shake a stick at. In theory we should all be getting lots of firmware updates soon, but of course many older devices will never get patches, and even on devices where there are patches, loads of people will never bother to apply the updates, or even know that they should.
Then, on Saturday, we got another sting in the tail – security researchers are now saying that even the second patch does not actually fully resolve the problem, and that really, BASH needs fundamental changes that will break backwards compatibility in order to really lock this down. Expect sysadmins to be playing bash whack-a-mole for some time to come 🙁
People have been saying this is on the same scale as Heartbleed, but it’s actually WORSE – Heartbleed just leaked data, this gives attackers the ability to execute any code of their choice on vulnerable devices!
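Two checks a server admin would want after reading the above, as an added example that is not from the show notes or from Bart: the widely published local self-test for the original bug (does the bash on this box run a command that trails a function definition in an environment variable?), and a scan of constructed web-server log lines for the function-definition prefix a Shellshock probe has to carry in a header. It assumes a POSIX shell and a `bash` binary on the path; the log lines and addresses are made up.

```shell
#!/bin/sh
# Added example, not from the show notes: two defender-side Shellshock checks.
# 1) shellshock_self_test runs the widely published local self-test against the
#    bash on this machine: a vulnerable bash runs the command that trails a
#    function definition stored in an environment variable, a patched one does not.
# 2) count_shellshock_probes scans web-server log lines for the "() {" prefix
#    that a Shellshock probe has to carry in a header, because that exact prefix
#    is what bash looks for when it imports a function from the environment.

shellshock_self_test() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    # x holds a function definition followed by a trailing command. Only the
    # echo given to bash -c should run; if "vulnerable" also shows up, bash
    # executed the trailing command while importing its environment.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe-ok' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Constructed sample log lines in Apache/nginx combined format (Referer and
# User-Agent are the last two quoted fields). Not real traffic.
SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "-" "() { :;}; echo shellshocked"
10.0.0.9 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "() { :; }; /bin/sleep 10" "curl/7.30.0"
10.0.0.7 - - [25/Sep/2014:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"'

# Print the number of log lines carrying the "() {" function-definition prefix.
# Fixed-string match (-F) so the parentheses and brace are taken literally.
count_shellshock_probes() {
    printf '%s\n' "$1" | grep -cF '() {'
}

# Stand-alone run: report this machine's bash and the probe count in the sample.
shellshock_self_test
echo "probe lines in sample log: $(count_shellshock_probes "$SAMPLE_LOG")"
```

A hit in the log scan does not mean the box was compromised, only that someone tried; it tells you which hosts to check for an unpatched bash first.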
What should you, as a user, do?
- If you run Linux – patch it
- If you run a Mac – sit tight, Apple is working on a patch, and unless you are running your Mac as an internet-accessible server, you are probably safe anyway. If you do run your Mac as a server, you should consider manually updating BASH
- Keep an eye out for firmware updates for routers and IP cameras and other smart devices, and install them as they come out
- Buy a sysadmin a coffee – they could probably do with one 🙂
- A nice human-friendly Shellshock FAQ from Naked Security – http://nakedsecurity.sophos.com/2014/09/25/bash-shellshock-vulnerability-what-you-need-to-know/
- A good summary by Brian Krebs – http://krebsonsecurity.com/2014/09/shellshock-bug-spells-trouble-for-web-security/
- Apple release a statement saying most users are not in danger, but that a patch is on the way – http://arstechnica.com/security/2014/09/apple-working-on-shellshock-fix-says-most-users-not-at-risk/
- A great summary from a Mac-user point of view from Rich Mogull on TidBits – http://tidbits.com/article/15105
- Exploits are happening in the wild – http://arstechnica.com/security/2014/09/concern-over-bash-vulnerability-grows-as-exploit-reported-in-the-wild/
- There may be even MORE vulnerabilities – http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/
Important Security Updates:
- Apple release iOS 8, patching many security bugs (this means the iPhone 4 is now dead – http://www.intego.com/mac-security-blog/if-you-care-about-security-throw-away-your-iphone-4-right-now/)
- Apple release and then very quickly un-release iOS 8.0.1 when it causes problems on some new iPhones – http://www.macrumors.com/2014/09/24/ios-8-0-1-issues-possible-fix/, Apple also release instructions for down-grading to iOS 8.0 – http://support.apple.com/kb/HT6487
- Apple release iOS 8.0.2 – a non-broken version of iOS 8.0.1 – http://arstechnica.com/apple/2014/09/ios-8-0-2-released-to-fix-touchid-cell-network-woes-on-newest-iphones/
- Mozilla fix a bug in their certificate-processing code that made it possible to fake certs – this fix is in all the products you’d expect like Firefox and Thunderbird – http://nakedsecurity.sophos.com/2014/09/25/mozilla-fixes-phishing-friendly-cryptographic-bug-in-firefox-and-thunderbird/, but that same code is also used in many other applications because it is available separately from Firefox & Thunderbird as a certificate validation package called NSS (Netscape Security Services), which is used to validate certificates in many versions of Linux. Thankfully the NSS patch came out about the same time as the first of the BASH patches, so most sysadmins will have caught both patches at the same time – http://www.kb.cert.org/vuls/id/772676
- Apple update OS X to 10.9.5, and patch OS X 10.8 & 10.7 as well – http://arstechnica.com/apple/2014/09/apple-releases-os-x-10-9-5-with-fixes-new-code-signing-requirements/
- Apple updates Apple TV version 7 – http://support.apple.com/kb/HT6442
- Adobe release critical patch to Acrobat & Reader – http://krebsonsecurity.com/2014/09/critical-update-for-adobe-reader-acrobat/
Important Security News:
- Apple expand 2FA to protect iCloud backups – http://arstechnica.com/security/2014/09/apples-two-factor-authentication-now-protects-icloud-backups/
- Google stops a malicious advertising campaign, but not before malware was served in ads placed on big reputable sites including Last.fm, the Times of Israel, and The Jerusalem Post – yet more proof that you are in danger EVERYWHERE on the web, not just on ‘dodgy’ sites – http://arstechnica.com/security/2014/09/google-stops-malicious-advertising-campaign-that-could-have-reached-millions/
- Jimmy Johns confirms breach in 216 stores – http://krebsonsecurity.com/2014/09/jimmy-johns-confirms-breach-at-216-stores/
- Signature Systems, the POS vendor blamed for the Jimmy Johns breach says the breach may be bigger than just Jimmy Johns, and include 100 other independent restaurants – http://krebsonsecurity.com/2014/09/signature-systems-breach-expands/
- Trip Advisor’s Viator lost 880K Credit Cards – fraudulent transactions are showing on some of the stolen cards – http://www.macobserver.com/tmo/article/880k-creditcards-stolen-in-tripadvisor-data-breach
- We continue to learn more about the massive Home Depot breach (56M cards, problem was probably on self-checkout lanes, former employees claim the problems had been highlighted for years, but never fixed): http://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted-malware-contained/, http://krebsonsecurity.com/2014/09/in-home-depot-breach-investigation-focuses-on-self-checkout-lanes/, http://arstechnica.com/security/2014/09/home-depots-former-security-architect-had-history-of-techno-sabotage/ & http://arstechnica.com/security/2014/09/home-depot-ignored-security-warnings-for-years-employees-say/
- Just how much data leaks out through the so-called Metadata the NSA etc. insist we should not care about them slurping up – thanks to an experiment by Dutch man Ton Siedsma, we now have at least one data point to help us figure that out – http://nakedsecurity.sophos.com/2014/09/16/just-how-much-information-can-be-squeezed-from-one-week-of-your-metadata/
- Cloudflare announce a great new service allowing HTTPS to be delivered by content delivery networks without the content providers having to give them their SSL private key – this will make it more efficient and easier to deliver large-scale fast secure content, which is a good thing for the future of the net – http://arstechnica.com/information-technology/2014/09/in-depth-how-cloudflares-new-web-service-promises-security-without-the-key/
- Hacker exposes weakness in many printers by remotely installing a playable version of Doom on printers (who knew you could do so much on those teeny screens!) – http://arstechnica.com/security/2014/09/hacker-exploits-printer-web-interface-to-install-run-doom/ – yet another reminder, DON’T EXPOSE YOUR PRINTERS TO THE INTERNET, there are a lot of problems with printer firmwares!
- LinkedIn are fixing a bug that allowed their system to be used to discover the email addresses of celebrities (that kind of information is very valuable if you want to go on and hack the celebrity further to get, say, nude pics!) – http://krebsonsecurity.com/2014/09/linkedin-feature-exposes-email-addresses/
- Facebook meet with LGBT community to discuss some negative side-effects from their real-name policy – http://nakedsecurity.sophos.com/2014/09/18/facebook-meets-with-lgbt-community-over-real-name-policy/
- Google’s latest transparency report reveals a hike in government data requests – http://nakedsecurity.sophos.com/2014/09/17/new-google-transparency-report-details-hike-in-government-user-data-requests/
- Dropbox also released a new transparency report, and their data shows government requests remaining steady – https://www.dropbox.com/transparency
Main Topic – Taming the Terminal Part 21 of n – More Searching
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, Blue Mango Learning at bluemangolearning.com makers of Clarify. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at firstname.lastname@example.org, follow me on twitter and app.net @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.