Feedback & Followups
- Anker admits that Eufy cameras were never encrypted — appleinsider.com/…
- Apple have released their support for hardware FIDO security keys as a second factor for Apple ID / iCloud — sixcolors.com/…
- Editorial by Bart: remember that this feature comes with a loss of convenience, and is not intended for universal use, but for those who are especially at risk. You need at least 2 hardware tokens, you need all your devices on the latest OSes, and you can’t use iCloud for Windows at the moment
- If you want to go ahead anyway, these might be useful: How to protect your Apple ID account with Security Keys on iPhone, iPad, or Mac – The Mac Security Blog — www.intego.com/… & Five best security keys for iOS 16.3 — appleinsider.com/…
- GitHub have added the ability to add social media links to your profile, and if you add Mastodon links here, then links to your GitHub on Mastodon will validate 😀 — @[email protected] on Mastodon
Deep Dive — A Vulnerability in KeePass? It’s Complicated
Officially, there is a vulnerability in KeePass (it has a CVE number), but the open-source project team dispute that classification; they literally say it’s a feature, not a bug!
If you can write to a user’s KeePass settings file, you can add an event handler (KeePass calls these triggers) that silently does anything with the data in a vault when the user unlocks it, including automatically stealing the entire contents!
Security researchers argue this is a vulnerability in something like a password manager, but the KeePass team argue that if baddies have write access to your files you’re in bigger trouble anyway, so this is not actually a bug, and besides, event handlers are a cool feature that let geekier users do fun things.
The feature can be disabled globally on a computer by editing a master XML file in the application’s installation directory, which is the kind of thing corporations might want to roll out with MDM or Group Policy Objects.
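To make both the risk and the global mitigation concrete, here is an added example (my own code, not anything from the KeePass project) that audits a KeePass user configuration for enabled triggers whose actions name a file path or URL, and applies the precedence of the enforced configuration file (KeePass.config.enforced.xml in the install directory) that switches the trigger system off for everyone. The element layout follows my reading of the KeePass configuration format, the GUIDs are placeholders rather than real KeePass type identifiers, and both XML documents are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample of a user's KeePass.config.xml with the trigger system on and
# one trigger whose action carries a destination file path: the shape of the abuse
# described above. Element names are my reading of the KeePass config format;
# the GUIDs are placeholders, not real KeePass type identifiers.
SAMPLE_USER_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-GUID</Guid>
          <Name>Sync</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event>
              <TypeGuid>PLACEHOLDER-EVENT-GUID</TypeGuid>
              <Parameters><Parameter /><Parameter /></Parameters>
            </Event>
          </Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-GUID</TypeGuid>
              <Parameters>
                <Parameter>C:\Users\Public\vault-dump.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Constructed content for KeePass.config.enforced.xml (next to the executable):
# the one setting an administrator needs to turn the trigger system off globally.
ENFORCED_TRIGGERS_OFF = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>false</Enabled>
    </TriggerSystem>
  </Application>
</Configuration>
"""

TRIGGER_SYSTEM = "Application/TriggerSystem"


def _enabled_flag(xml_text: str) -> Optional[bool]:
    """Explicit Application/TriggerSystem/Enabled value, or None when it is absent."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    node = root.find(TRIGGER_SYSTEM + "/Enabled")
    if node is None or node.text is None:
        return None
    return node.text.strip().lower() == "true"


def trigger_system_enabled(user_xml: str, enforced_xml: Optional[str] = None) -> bool:
    """Enforced config overrides user config; no setting at all means on (the default)."""
    if enforced_xml is not None:
        forced = _enabled_flag(enforced_xml)
        if forced is not None:
            return forced
    user = _enabled_flag(user_xml)
    return True if user is None else user


def looks_like_destination(param: str) -> bool:
    """Heuristic: an action parameter naming a path or URL is where vault data would go."""
    p = param.strip()
    return "://" in p or "\\" in p or "/" in p


def list_triggers(user_xml: str) -> list:
    """Every trigger in the user config with its name, enabled flag and action parameters."""
    root = ET.fromstring(user_xml.encode("utf-8"))
    found = []
    for trig in root.findall(TRIGGER_SYSTEM + "/Triggers/Trigger"):
        enabled = trig.findtext("Enabled", default="true").strip().lower() == "true"
        params = [p.text.strip() for p in trig.findall("Actions/Action/Parameters/Parameter") if p.text]
        found.append({"name": trig.findtext("Name", default="").strip(),
                      "enabled": enabled, "parameters": params})
    return found


def audit(user_xml: str, enforced_xml: Optional[str] = None) -> dict:
    """Report whether triggers can fire and which ones can push vault data somewhere."""
    active = trigger_system_enabled(user_xml, enforced_xml)
    triggers = list_triggers(user_xml)
    findings = []
    for t in triggers:
        dests = [p for p in t["parameters"] if looks_like_destination(p)]
        if active and t["enabled"] and dests:
            findings.append(f"trigger '{t['name']}' can write vault data to {', '.join(dests)}")
    return {"trigger_system_enabled": active, "triggers": triggers, "findings": findings}


if __name__ == "__main__":
    for label, enforced in (("user config only", None), ("with enforced config", ENFORCED_TRIGGERS_OFF)):
        report = audit(SAMPLE_USER_CONFIG, enforced)
        print(f"{label}: triggers enabled={report['trigger_system_enabled']}, findings={report['findings']}")
```

With the user config alone the audit reports one finding (a trigger that can write the vault to a file under C:\Users\Public); paired with the enforced file it reports none, because the enforced setting wins regardless of what an attacker wrote into the per-user file. On a real machine you would point the two constants at the real files rather than the constructed samples.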
5 years ago I think I’d have sided with the KeePass developers: on traditional desktop OSes, once an attacker could run code as you they could do anything, so all bets were off, and this wouldn’t give them anything they couldn’t get with a key logger. The security perimeter was the user account; if baddies got in, they got in, and that was that.
That’s still true on many desktop OSes in use today, but it’s not true anymore on modern versions of macOS, which take a layered approach: not so much a castle and a moat as a security onion. There isn’t one security perimeter but many. Getting your code to execute no longer gets you automatic access to a whole load of important information on the Mac; each of the security prompts apps have to show you when you first run them reveals one of these new perimeters. They include:
- Permission to access the Documents and Desktop folders
- Permission to access Contacts
- Permission to access Photos
- And most importantly for this discussion, permission for assistive technologies (Accessibility), which includes the ability to observe keyboard events.
This means that on a Mac, baddies can’t just install a key logger the moment they get into your account; they need to bypass additional controls before they can do that. It also means that on a Mac, by default, anything you save in KeePass is more exposed than items saved in other password managers or in the Keychain, because a writable settings file is all the attacker needs.
It is true that you really don’t want baddies accessing your user account on your Mac, but it’s also true that when bad stuff happens, every layer of defence limits the damage. So if I were a KeePass user I would be disabling this feature, and to be honest, the lax attitude the developers are showing to security would give me real pause; I think I would probably be looking at alternatives before something terrible happened. The attitude from the KeePass team would be entirely appropriate for other container-like apps such as Evernote, but secure vaults need to meet a higher bar IMO: their default configuration should be as secure as possible, and this kind of power feature, used by only a tiny percentage of users, should be opt-in, with appropriate warnings about the security implications, not on by default.
Links
A clear and appropriately nuanced description of the issue: [Password-stealing “vulnerability” reported in KeePass – bug or feature? — nakedsecurity.sophos.com/…](https://nakedsecurity.sophos.com/2023/02/01/password-stealing-vulnerability-reported-in-keypass-bug-or-feature/)
❗ Action Alerts
- 🧯OpenSSH fixes double-free memory bug that’s pokable over the network — nakedsecurity.sophos.com/… (Patched, and, at least for now, not known to be exploitable)
- Apple have patched just about all their OSes — nakedsecurity.sophos.com/…
Worthy Warnings
- 🧯GoTo admits: Customer cloud backups stolen together with decryption key — nakedsecurity.sophos.com/…
- The announcement was again missing important details, so again, we have to assume the worst 🙁
- Naked Security recommend: change passwords, reset 2FA (including generating new backup codes), and if you’re using SMS-based 2FA, switch to app-based.
- GitHub code-signing certificates stolen (but will be revoked this week) — nakedsecurity.sophos.com/…
- The keys were encrypted, so it’s not nearly as bad as it sounds
- These are the keys used to sign the GitHub app, this has nothing to do with GitHub accounts!
- If you didn’t get the app update before the keys were revoked, auto-update will fail, so you’ll need to re-install the app.
- This is evidence of GitHub’s defences working as intended, not evidence of any kind of negligence!
- Don’t put AirTags on your pets, it could literally kill them — Here’s why you don’t put an AirTag on your dog’s collar — appleinsider.com/…
Notable News
- 🇺🇸 US sues Google over digital ad market monopoly — appleinsider.com/…
- 🇺🇸 🇳🇱 🇩🇪 Hive ransomware servers shut down at last, says FBI — nakedsecurity.sophos.com/… (International operation in cooperation with Dutch & German law enforcement)
Top Tips
- Apple Offers Educational Resources for Data Privacy Day — www.macstories.net/… (The video is particularly nice — short and fun, yet information rich)
Interesting Insights
- 🎩 a simply superb pair of articles by Glenn Fleishman:
Just Because it’s Cool 😎
- Google has quietly been rolling out a 15 year old idea for improving DNS security, using randomised case in query names to add entropy and make cache poisoning much more difficult — nakedsecurity.sophos.com/… (Note this is a stop-gap measure until all authoritative DNS servers support at least one secure protocol like DNSSEC or DNS-over-HTTPS)
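The mechanism is simple enough to show end to end, so here is an added example (my own code, not Google’s implementation or anything from the linked article) of the “0x20” technique: the resolver picks the case of every letter in the query name from a keyed hash, and then only accepts a reply whose echoed question matches byte for byte. The key and nonce values are made up for the example, and the entropy count just tallies letters in the name.

```python
import hashlib
import hmac


def mix_case(qname: str, key: bytes, nonce: bytes) -> str:
    """Return qname with each letter's case chosen from a keyed hash (0x20 encoding).

    DNS name matching is case-insensitive, so the authoritative server answers the
    query regardless, but it echoes the question back exactly as it was sent, which
    turns the case pattern into a per-query secret a spoofer has to guess.
    """
    name = qname.lower()
    digest = hmac.new(key, nonce + name.encode("ascii"), hashlib.sha256).digest()
    bits = int.from_bytes(digest, "big")
    out, i = [], 0
    for ch in name:
        if ch.isalpha():
            out.append(ch.upper() if (bits >> i) & 1 else ch)
            i += 1  # one hash bit per letter; digits, dots and hyphens have no case
        else:
            out.append(ch)
    return "".join(out)


def extra_entropy_bits(qname: str) -> int:
    """How many bits the case pattern adds on top of the 16-bit ID and source port."""
    return sum(1 for ch in qname if ch.isalpha())


def forgery_work_multiplier(qname: str) -> int:
    """By how much a blind spoofer's search space grows for this name."""
    return 2 ** extra_entropy_bits(qname)


def reply_accepted(sent_qname: str, echoed_qname: str) -> bool:
    """Resolver-side check: the question section of a reply must match, case included."""
    return sent_qname == echoed_qname


if __name__ == "__main__":
    key, nonce = b"resolver-secret", b"query-0001"  # constructed values for the demo
    sent = mix_case("www.example.com", key, nonce)
    print("sent query name:  ", sent)
    print("extra entropy bits:", extra_entropy_bits(sent),
          "=> spoofer needs", forgery_work_multiplier(sent), "x more guesses")
    # A genuine reply echoes the mixed-case name; a blind forgery that guessed the
    # plain lower-case spelling fails unless the hash happened to choose all lower case.
    print("genuine reply accepted:", reply_accepted(sent, sent))
    print("forged lower-case reply accepted:", reply_accepted(sent, "www.example.com"))
```

For a typical name like www.example.com that is 13 letters, so 13 extra bits, on top of the 16-bit transaction ID and randomised source port. The check only works against servers that echo the question verbatim; an authoritative server that rewrites the case breaks it, which is why a resolver cannot simply switch it on for every upstream at once.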
Palate Cleansers
- A pair of related web APIs designed to be accessed from the Terminal with the `curl` command (which makes HTTP requests from the terminal):
- From Allison: Examples showing the use of the free wttr.in web API to get weather data in the terminal — nixCraft 🐧 on Mastodon (mastodon.social/…)
- Bonus Tip: Follow @[email protected], they post great nerdy stuff!
- Extra Bonus Tip: We used this API from JavaScript in Programming by Stealth: PBS 80 of X – JavaScript Promise Chains — pbs.bartificer.net/…
- From Bart: How to use cheat.sh in macOS Terminal — appleinsider.com/…
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
💵 | A link to an article behind a paywall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |