A nasty bug was found in macOS 10.13 High Sierra — it was possible to cause the root account to become enabled, and to do so with a blank password.
To trigger this bug all you had to do was go into the control panel, click the padlock to un-lock the sensitive settings, change the username to root, enter no password, then hit enter. At this point the authentication would fail, but, the root account would have been made active. Hit enter again, and root with a blank password will be accepted as valid. At this point you can do anything in the control panel, no matter how restricted your account is in theory, and, anything you can get full terminal access as root.
Security Medium 1 — No, FaceID isn’t Broken, but it Does Have Limits
A snazzy demo to the press had headlines all over the press screaming about how FaceID had been broken. But as is so often the case with stories like this, the devil is very much in the detail.
What the hackers really found was that it’s bloody difficult to trick FaceID — it takes a lot of time and effort, and even after you put all that investment in, your spoof only works in very carefully controlled circumstances.
Before we look at canvas finger printing, I just want to set the scene with a reminder of one of the most fundamental truths about how the web was designed – each web page load is an independent event. Because that meant websites had no memory of anything that went before, i.e. no concept of state the original web could not cope with concepts like logging in, or shopping baskets. Something had to be bolted on to allow web servers connect individual requests into related groups of requests.
The official mechanism added to the HTTP protocol for retaining state between requests is the humble cookie. Cookies gave us the ability to log in, and basically, the modern web. But, they came with a dark side — as well as enabling all the cool things we like about the modern web, they also enabled tracking.
Security Medium 1 – WPA WiFi Encryption Develops KRACKs
This week started with a big security news announcement (responsibly disclosed, which is nice). Security researchers at the Belgian university KU Leuven revealed a collection of related attacks against the WPA2 protocol (WiFi Protected Access version 2). The problem at the root of these attacks was not related to any specific implementation of the spec, but with the spec itself, so every manufacturer who implemented the spec correctly would have introduced these vulnerabilities into their WiFi drivers. Because you have to give a bug a fancy name to get any media attention these days, it was given the somewhat strained pseudo-acronym KRACKs, from key reinstallation attacks.
We’re not going to go into the technical minutia here, but I have included links to some good explanations below. I do want to give a high-level overview of the problem though.
Correction – Apple’s Better Cookies are iOS 11 & macOS High Sierra Only
A few weeks ago we looked at Apple’s new and improved cookie handling algorithm in detail, and we at the very least implied it was a Safari 11 feature, but it’s not, it’s an iOS 11 & macOS High Sierra feature. Even though macOS Sierra got a Safari update, it did not get this new feature.
Here is a nice article showing how to control the feature in the two OSes that do support it: www.macobserver.com/….
From Allison: I’ve just decided that it might be a nice enhancement to the podcast and blog if you could see Security Bits as a stand-alone blog post. Makes it easier to find and more importantly easier to reference when sharing with others. Bart will be shown as the author (since he IS the author) but I’ll write the excerpt for each post.
In this week’s action-packed Security Bits, Bart brings some follow-up on the Equifax breach and more details about Apple’s Face ID. We have three security mediums this week. We cover the CCleaner compromise which infected over 2 million machines. Then we talk about the macOS Keychain vulnerability that was announced this week for macOS (something for everyone). In the third “medium” Bart explains cookies from inception and why they’re needed, through their evolution to help us into something that can track us. He walks us through all of this so we can understand how the changes Apple made in Safari 11 are reducing the tracking and why it’s making some types of advertisers cranky at Apple. Finally, Bart goes through Notable Security Updates, Notable News, Suggested Reading and has a couple of nice palette cleansers. Continue reading “Security Bits – 30 September 2017”
The problem to be solved is that I regularly need to charge multiple things at the same time in my kitchen, and I don’t want to waste too many wall outlets, or, be constantly plugging things in and out.
I need the ability to charge Apple devices like my iPhone and my iPad, and, to be able to charge my Bluetooth speaker, my Bluetooth headphones, and my wide array of bike lights from CatEye. The iDevices all have lighting connectors, and the speaker, headphones and the bike lights are all Micro-USB.