New Mac Roundtable up at macroundtable.com answering the question “Big or Small?” All episodes of Taming the Terminal are now available as a standalone podcast at http://bartb.ie/ttt and where fine podcatchers are found. New logo for the spinoff of Chit Chat Across the Pond courtesy of Terry Austin. I’m using a new Digital Audio Workstation – Amadeus Pro from hairersoft.com for the podcast, we’ll see if I like it eventually. Don’t forget to use the Amazon Affiliate link on podfeet.com to do your holiday shopping. I go on a rant about how much I dislike the implementations of split screen and pinned tabs in El Capitan. In Security Lite Bart dives into the problems surfaced this week in 1Password (spoiler, your usernames and passwords are still secure). This is the first NosillaCast without a Chit Chat Across the Pond since 2007 so be sure to subscribe! If it isn’t up in iTunes or your other podcatchers, you can add it manually by pasting in the feed url: https://podfeet.com/ccatp/ccatp-rss.xml.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday October 25, 2015 and this is show number 546. You know what’s hard? Launching a new podcast. You know what’s harder? Launching two new podcasts. You know what you can do to make it even harder? Decide to use a different service you’re not well versed in to host the audio files AND change your recording software. Welcome to my week!
This is the first episode of the NosillaCast without Chit Chat Across the Pond since 2007!
Before I dig into how much “fun” this has been, I wanted to alert you that we did another Mac Roundtable. It was an awesome episode with me, Don McAllister, Bart Busschots and Chuck Joiner. I asked them the question, “Big or Small?” I wanted to hear how we all make decisions on whether to get the iPhone regular or plus size, 42mm or 38mm Apple Watch, iPad Mini, iPad Air or iPad Pro, the MacBook, MacBook Air or MacBook Pro, heck even the iMacs come in two high res models now, and then of course on Monday we have to decide which size AppleTV to get. It was great fun and I hope you give it a listen over at macroundtable.com
Dorothy brings us her Clarify testimonial this week. She has a Windows VM with Quicken in it that she uses for her banking. For some reason the printer driver gets borked up and every time she tries to delete and re-add the printer she runs into problems. Turns out she has to remember to turn off the Windows firewall. She made herself a Clarify tutorial so now she’ll never forget. Unless she forgets to look at the tutorial that is! If you don’t have Clarify yet, head on over to clarify-it.com and get the free trial for Mac or Windows and tell them Allison sent you!
Security Medium – 1Password Metadata Leak
- This week Dale Myers, an engineer at Microsoft, highlighted a shortcoming in the design of the 1Password keychain format (.agilekeychain ‘files’).
- While the content of all keychain items is securely encrypted, Agile Bits, the company who make 1Password decided not to encrypt URLs to make searching quicker. This is a decision they took a long time ago, when particularly mobile devices were much slower than they are today. The details of the format, including this questionable design decision have been documented on their website for years.
- Anyone who can see your .AgileKeychain file can read the titles of your stored items, and the URLs of websites you have accounts on.
- Some people publish their keychain on their websites so they can easily access them on the move. Google has found and indexed many of these keychain files, so these people’s meta data is exposed, and easy to find.
- Agile Bits realised that times had change, and developed a new keychain format that encrypts everything back in 2012. While this format is available, it is not used by default, and people’s existing keychains are not easy to migrate.
- To be VERY clear, no encrypted data is leaked, there is no problem with 1P’s crypto – the issue is that metadata is not encrypted at all!
Does Metadata matter?
- Since no passwords or credit card numbers, or secure notes content is exposed, this may sound like a very minor issue, and it probably is for most.
- However, there are situations in which people knowing where you have accounts puts you in danger. A simple example, it could be easy to deduce from your metadata that you are gay. There are many states in the US where it is 100% legal to fire you from your job and evict you from your house for being gay. This leak could cost you your income and your home! There are places in the world where a similar revelation could be even worse – it could get you killed! This is just one example of how leaked metadata can do real harm.
- If you’re not sure what information about you is leaking, you can see for yourself by exploring the contents of your own keychain using the Finder and TextEdit. Right-click on your keychain file in the Finder, and choose ‘Show Package Contents’, then open the ‘data’ folder, and inside that, the ‘default’ folder. In that folder you’ll find a file called ‘contents.js’, open that file in TextEdit (or any programming editor), and you’ll see all the exposed meta data.
How Exposed is my Metadata?
- If you do not encrypt the disks on any device that has your 1Password keychain on it, anyone stealing that device can access the metadata
- If you synchronise your 1Password keychain using a cloud service, the operators of that cloud service can access the metadata, and provide it to law enforcement
- Any malware on your computers can access the metadata
- If you publish your keychain on the public internet ANYONE can read your metadata (DON’T DO THIS!)
- Publishing your keychain is not common practice. If you use DropBox or iCloud to sync, and have encryption enabled on all your devices, you have very little to worry about.
- If you feel very brave, you can convert your keychain from the old and vulnerable format to the new and not vulnerable format now. This involves terminal hackery, and it not for the faint of heart. Here’s the instructions AgileBits sent Allison on how to do the change if you have more than one device:
- Please make a backup of all your vaults before going forward. 1Password makes automatic backups but you can never have too many of them.
- Next disable sync on all your devices. On the Macs, select the option to remove the data from Dropbox (don’t worry, your data is stored locally as well.)
- Now fully quit 1Password using the ⌘⌃Q ( Command-Control-Q ) on your Macs.
- Run the Terminal command listed in the support article https://support.1password.com/switch-to-opvault/ Run this command on each of your Macs. (This will ensure that each Mac defaults to .opvault when creating vaults.)
- On each Mac, open 1Password and set up sync for each of your vaults. For the shared vault use the same folder that you have shared in Dropbox.
- Once Dropbox has fully synced, you can set up sync on your other Macs and iOS devices.
- Once everything looks good, delete any remaining .agilekeychain files in Dropbox – there shouldn’t be any there as you selected the option to remove data from Dropbox, but just in case.
Editorial by Bart:
The actual damage to users here is very limited. Most 1Password users will not have had their metadata compromised at all, and for most of the few who did, they will have suffered no harm. But that does not make this OK.
As I see it, Agile Bits made two mistakes, one that reasonable people can argue about, and one that is indefensible IMO.
The first of these is the initial design of the keychain many years ago. I think Agile Bits were wrong to accept a design that compromised security. 1Password is a security product, NOTHING is more important than security, so deciding to trade off security for performance was wrong. The argument that this compromise was technically required does not hold water. The Microsoft engineer who highlighted this issue gives a very simple solution that would have avoided all this with minimal extra processing overhead. As a programmer myself, I believe the Microsoft engineer is correct. While I strongly believe it was very bad decision, I can see how reasonable people could argue about whether or not it is OK to compromise a little security for a speed boost in the mobile apps.
The second bad decision by Agile Bits is their failure to follow through on the new keychain format. The format has been available for use since 2012, but it was never pushed out. Instead of putting their energies into securing their users by making the needed app upgrades to use this new format, Agile Bits chose to focus on feature enhancements instead. Clearly, Agile understood they had a problem, why else would they design a new format? Why then, did they not follow through and actually protect their users? I have no idea what their excuse is, but what ever it is, it’s not good enough. IMO, there is no excusing this failure.
- Dale Myers original blog post – http://myers.io/2015/10/22/1password-leaks-your-data/
- Agile Bits response (including instructions for upgrading to the new version now) – https://blog.agilebits.com/2015/10/19/when-a-leak-isnt-a-leak/
Important Security Updates:
- Patch Tuesday has been and gone with security updates from Adobe & Microsoft – http://krebsonsecurity.com/2015/10/adobe-microsoft-push-critical-security-fixes-8/
- Adobe patch Java & Flash – http://krebsonsecurity.com/2015/10/flash-java-patches-fix-critical-holes/
- Adobe then rush out an out-of-band patch to fix a zero-day – http://www.macobserver.com/tmo/article/flash-releases-latest-zero-day-exploit-patch-early
- Apple have release OS X 10.11.1 which includes 37 security fixes – http://tidbits.com/article/16031
- Apple have released Security Update 2015-007 for OS X 10.9 Mavericks and 10.10 Yosemite – http://tidbits.com/article/16034
- Apple have released Safari 9.0.1 to fix a number of security issues – http://tidbits.com/article/16035
- Apple has released a firmware fix for Macs running OS X 10.9 Mavericks that addresses the EFI problem that was patched for later versions of the OS a few months ago – http://tidbits.com/article/16036
- Apple releases security updates for Keynote Pages & Numbers – https://www.us-cert.gov/ncas/current-activity/2015/10/15/Apple-Releases-Security-Updates-Keynote-Pages-and-Numbers
- Microsoft release patch for Office 14 for Mac to patch remote execution flaws – http://www.intego.com/mac-security-blog/microsoft-office-for-mac-14-5-7-update-patches-remote-code-execution-flaws/
Important Security News:
- A good FAQ from iMore on the much over-hyped Siri/Google Now distance activation ‘hack’ (short version – don’t panic!) – http://www.imore.com/siri-silent-control-hack-what-you-need-know
- Apple has removed over 250 apps from the app store for using an ad library that uses private APIs to collect data not permitted by Apple’s developer agreements – http://www.imore.com/over-250-apps-removed-app-store-over-private-api-use
- Android 6 (Marshmallow) will require encryption by default – https://nakedsecurity.sophos.com/2015/10/21/new-android-marshmallow-devices-must-have-default-encryption-google-says/
- Security researchers find critical flaws in Western Digital self-encrypting hard drives – http://arstechnica.com/security/2015/10/western-digital-self-encrypting-hard-drives-riddled-with-security-flaws/
- Support scams come to iOS & OS X – http://arstechnica.com/security/2015/10/support-scams-that-plagued-windows-users-for-years-now-target-mac-customers/
- Let’s Encrypt pass another major milestone en route to it’s mid-November launch – now trusted by all major browsers – http://arstechnica.com/security/2015/10/with-goal-of-universal-https-lets-encrypt-reaches-important-milestone/
- FaceBook will notify users if they suspect they are being targeted by nation states – https://nakedsecurity.sophos.com/2015/10/20/facebook-to-warn-you-of-targeted-attacks-check-this-security-setting-anyway/
- The Mail Online becomes the latest high-profile site to host malicious ads – https://nakedsecurity.sophos.com/2015/10/19/malvertising-meets-the-daily-mail/
- Facebook allows users to search all public posts – check your settings! – https://nakedsecurity.sophos.com/2015/10/23/check-your-facebook-settings-to-make-sure-your-posts-arent-searchable/
- An appeal from a German police department – stop posting pictures of your kids on social media! – https://nakedsecurity.sophos.com/2015/10/16/police-stop-posting-pictures-of-your-kids-on-social-media/
- California has signed a land-mark privacy legislation into law – banning warranties searches of digital data – https://nakedsecurity.sophos.com/2015/10/13/california-nixes-warrantless-search-of-digital-data/
- A University of Cambridge study finds that 87% of Android devices are insecure – http://arstechnica.com/security/2015/10/university-of-cambridge-study-finds-87-of-android-devices-are-insecure/
- Verizon combines it’s controversial and highly invasive tracking super-cookie with AOL’s ad network to tie real-world identities to people’s browsing history – https://www.propublica.org/article/verizons-zombie-cookie-gets-new-life
- Google Chrome removes the confusing mixed-content warning – http://arstechnica.com/information-technology/2015/10/chrome-finally-kills-off-the-http-https-mixed-content-warning/
- A mistake by Uber leaves hundreds of driver’s personal information exposed – https://nakedsecurity.sophos.com/2015/10/14/uber-mistake-leaves-hundreds-of-drivers-personal-information-exposed/
- A great article from Microsoft’s Chief Legal Officer on the collapse of the US-EU safe harbour agreement we discussed in the previous security lite – http://blogs.microsoft.com/on-the-issues/2015/10/20/the-collapse-of-the-us-eu-safe-harbor-solving-the-new-privacy-rubiks-cube/
- OS X El Cap license translated into plain English by an attorney – http://robb.weblaws.org/2015/10/17/os-x-el-capitan-license-in-plain-english/
- A nice article from Ars Technica explaining Zero-day exploits – http://arstechnica.com/security/2015/10/the-rise-of-the-zero-day-market/
- “How a law making car hacking illegal could make us all less safe” – https://nakedsecurity.sophos.com/2015/10/23/how-a-law-making-car-hacking-illegal-could-make-us-all-less-safe/
- Apples comes out against the proposed Cybersecurity Information Sharing Act which is due for a vote next week – http://www.imore.com/apple-comes-out-opposition-proposed-cybersecurity-information-sharing-act (so do Google, Facebook Amaon & others – https://nakedsecurity.sophos.com/2015/10/16/google-facebook-amazon-et-al-join-forces-against-incoming-cybersecurity-law/)
- Apple again tells law enforcement it can’t access locked iPhones – http://www.imore.com/apple-again-says-it-cant-access-locked-iphones-running-ios-8-or-higher
- Tim Cook speaks strongly against encryption back doors at WSJDLive – http://arstechnica.com/tech-policy/2015/10/apple-ceo-tim-cook-blasts-encryption-backdoors/
- “How a few legitimate app developers threaten the entire Android userbase” – http://arstechnica.com/security/2015/10/how-a-few-legitimate-app-developers-threaten-the-entire-android-userbase/
- Reporting by Brian Krebs reveals that the world’s worst spam-hosting ISP is run by IBM – http://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp/
- The NSA’s mysterious about-turn in it’s advice on the use of Eliptic Curve Crypto sparks concern (and conspiracy theories) – http://arstechnica.com/security/2015/10/nsa-advisory-sparks-concern-of-secret-advance-ushering-in-cryptoapocalypse/
- Australia could harvest Facebook photos for inclusion in their national biometrics DataBase – https://nakedsecurity.sophos.com/2015/10/22/your-face-could-be-sucked-off-facebook-and-on-to-a-national-biometric-database/
- Brian Krebs describes how a European gang used custom hardware to defeat Chip and Pin security – http://arstechnica.com/tech-policy/2015/10/how-a-criminal-ring-defeated-the-secure-chip-and-pin-credit-cards/
- How the NSA can break trillions of encrypted web and VPN connections – http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/
- In the US, and independent executive branch board finds that the NSA phone program is illegal and should end – https://www.washingtonpost.com/world/national-security/independent-review-board-says-nsa-phone-data-program-is-illegal-and-should-end/2014/01/22/4cebd470-83dd-11e3-bbe5-6a2a3141e3a9_story.html
A Quick Pallet Cleanser
Smartphone battery myths explained – http://lifehacker.com/smartphone-battery-myths-explained-1735327089?utm_source=loopinsight.com&utm_medium=referral&utm_campaign=Feed: loopinsight/KqJb (The Loop)&utm_content=FeedBurner
CCATP – Programming by Stealth 2
An Introduction to HTML – https://www.bartbusschots.ie/s/2015/10/23/programming-by-stealth-2-of-x-basic-html/
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at firstname.lastname@example.org, follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.