A nasty bug was found in macOS 10.13 High Sierra — it was possible to cause the root account to become enabled, and to do so with a blank password.
To trigger this bug all you had to do was go into the control panel, click the padlock to unlock the sensitive settings, change the username to root, enter no password, then hit enter. At this point the authentication would fail, but the root account would have been made active. Hit enter again, and root with a blank password will be accepted as valid. At this point you can do anything in the control panel, no matter how restricted your account is in theory, and, beyond that, you can get full terminal access as root.
Security Medium 1 — No, FaceID isn’t Broken, but it Does Have Limits
A snazzy demo to the press had headlines everywhere screaming about how FaceID had been broken. But as is so often the case with stories like this, the devil is very much in the detail.
What the hackers really found was that it’s bloody difficult to trick FaceID — it takes a lot of time and effort, and even after you put all that investment in, your spoof only works in very carefully controlled circumstances.
Security Medium 1 – WPA WiFi Encryption Develops KRACKs
This week started with a big security news announcement (responsibly disclosed, which is nice). Security researchers at the Belgian university KU Leuven revealed a collection of related attacks against the WPA2 protocol (WiFi Protected Access version 2). The problem at the root of these attacks was not related to any specific implementation of the spec, but with the spec itself, so every manufacturer who implemented the spec correctly would have introduced these vulnerabilities into their WiFi drivers. Because you have to give a bug a fancy name to get any media attention these days, it was given the somewhat strained pseudo-acronym KRACKs, from key reinstallation attacks.
We’re not going to go into the technical minutiae here, but I have included links to some good explanations below. I do want to give a high-level overview of the problem though.
Correction – Apple’s Better Cookies are iOS 11 & macOS High Sierra Only
A few weeks ago we looked at Apple’s new and improved cookie handling algorithm in detail, and we at the very least implied it was a Safari 11 feature, but it’s not; it’s an iOS 11 & macOS High Sierra feature. Even though macOS Sierra got a Safari update, it did not get this new feature.
Here is a nice article showing how to control the feature in the two OSes that do support it: www.macobserver.com/….
From Allison: I’ve just decided that it might be a nice enhancement to the podcast and blog if you could see Security Bits as a stand-alone blog post. Makes it easier to find and more importantly easier to reference when sharing with others. Bart will be shown as the author (since he IS the author) but I’ll write the excerpt for each post.
In this week’s action-packed Security Bits, Bart brings some follow-up on the Equifax breach and more details about Apple’s Face ID. We have three security mediums this week. We cover the CCleaner compromise which infected over 2 million machines. Then we talk about the macOS Keychain vulnerability that was announced this week for macOS (something for everyone). In the third “medium” Bart explains cookies from inception and why they’re needed, through their evolution to help us into something that can track us. He walks us through all of this so we can understand how the changes Apple made in Safari 11 are reducing the tracking and why it’s making some types of advertisers cranky at Apple. Finally, Bart goes through Notable Security Updates, Notable News, Suggested Reading and has a couple of nice palate cleansers. (Security Bits – 30 September 2017)
In this early show, I’ll give you an out brief on Macstock 2017. I’ll talk about the people and the presentations (and maybe a little bit about the parties). Then Sandy Foster joins us for a review of the Stump Stand for iPad and iPhone. Trevor Drover joins us with a fantastic tale of how he figured out how to hook an Apple IIe up to a current MacBook Pro to transfer disk images between the two for the National Library. Very cool story. Then Terry Austin tells us how he figured out that by using the collaboration feature of Apple’s Numbers application, he could help his mom keep track of her complex medication schedule as she arms for battle against cancer. We’ll wind up with another segment of Security Bits with Bart Busschots.
Update on Ring and their problematic app and website, Daniel Semro demonstrates how a blind person subscribes to a podcast. It’s surprising what things you can’t do without data (as I learned in the national parks last week). In response to Tim Jahr’s question, I’ll explain why I said during Chit Chat Across the Pond with Bruce Wilson that IT is waste. Claus Wolf asks for a change to the Amazon Affiliate Links and I grant that wish. Bart Busschots is back with another fabulous Security Bits segment.
We have a huge show today. Steve’s put out two more video interviews from NAB in Las Vegas, I’ve got a pretty big announcement about Chit Chat Across the Pond, and we’ve got another giant Security Bits with Bart Busschots. I told him maybe when there’s such a big security news week we should call it Security Blobs!
There are five Security Mediums in this episode. We’ll talk about a remote code execution built into Intel CPUs, Bart will explain what can go wrong with two-factor authentication through SMS, we’ll cover the Google Docs phishing worm and how Google could have prevented it, we’ll learn about how the beloved Handbrake servers got hacked causing distribution of malware, and as if that isn’t enough we’ll talk about the WannaCry worm that has indiscriminately taken down networks across the globe.
posted the photos of our Galápagos Islands and Machu Picchu hike in Peru on Google Photos with links to both here Photos from South America – Galápagos Islands and Machu Picchu. There’s no Chit Chat Across the Pond this week but Bart’s back next week to teach us Test Driven Development in Programming By Stealth. I was on Clockwise this week: relay.fm/clockwise episode #183 and on Let’s Talk Apple: lets-talk.ie Episode #43. I’ll regale you with tech stories from our travels in South America, Rally Barnard will give you a quick and very slick tip on how to get turn-by-turn directions without using any data while on international travel, in Dumb Question Corner I’ll answer Kurt’s question about how to automatically archive iTunes Podcasts. Bart was out ill this week so I did my first ever solo Security Bits.