The Mac Security Blog

Mac OS X Account Passwords are Not Secure

Not long after a team of researchers showed that FileVault encryption has a weakness, one of the researchers on that team has shown that Mac OS X account passwords suffer from a similar vulnerability. As reported by CNet, Jacob Appelbaum has found that account passwords remain in memory longer than necessary, opening them up to discovery by anyone with physical access to a Mac. Apple has confirmed the bug, but has not said when it will be addressed.

The attack requires both physical access to a Mac and purpose-built software that scans the contents of the Mac’s memory for the user’s password. Appelbaum demonstrated this for a CNet journalist who had set up a Mac for the test; it took him only a few minutes to recover the password.

While this flaw is serious and needs to be addressed, another, older weakness exists in Mac OS X: anyone with an installation disc can boot a Mac from that disc and reset the administrator’s password. It’s hard to say which is easier, but booting from a DVD, with no need for home-built software, would be the first choice for most attackers. You can block that particular trick by setting a firmware password (Apple’s Firmware Password Utility is on the install disc), which prevents booting from any other volume without the password; it does nothing, however, against the memory-scanning attack above. Physical access is one of the weak links in Mac security, so if you need to protect especially sensitive files, you should use a program like Intego FileGuard, which stores your most confidential files in virtual safes, each with its own password.

PayPal Says: Safari Is Not Secure

Michael Barrett, PayPal’s chief information security officer, has come out and lambasted Safari’s security, as reported by Macworld UK. Barrett recommends that PayPal customers use other browsers because Safari has no built-in anti-phishing protection. “Safari has got nothing in terms of security support, only SSL (Secure Sockets Layer encryption), that’s it,” said Barrett, claiming that other browsers – notably Internet Explorer and Firefox – protect surfers more from phishing.

Interestingly, Barrett looks at browsers as being the problem, whereas phishing is more of an e-mail problem (though phishing sites may also be linked from other web sites). Most users who get caught by phishing scams do so because of e-mails they receive purporting to be from companies such as PayPal, Amazon, eBay or banks. Intego Personal Antispam protects users against phishing e-mails by detecting messages whose links show one visible address but actually point to a different, hidden URL. Personal Antispam files these messages in the user’s Spam folder, so users know the messages are suspect.

Nevertheless, users should always look at the URLs in their browser’s address bar when visiting sites that ask for personal information such as their credit card numbers, or even their user names and passwords.
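The mismatch heuristic described above, as an added example that is not Intego’s Personal Antispam code: it pulls every link out of an HTML e-mail, and flags those whose visible text reads like a web address while the href actually opens a different site. The sample messages, hosts under .example and the 198.51.100.x address are all constructed for this demo.

```python
"""Added example (not Intego's code): flag HTML e-mail links whose visible
text names one site while the href points at another."""

import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that reads as an address: optional scheme, dotted host, optional path.
_LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?$", re.I)


def _host(s):
    """Host of a URL or bare domain, lowercased, or None. Going through urlparse
    matters: 'http://www.paypal.com@evil.example/' has the host evil.example."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    return host.lower() if host else None


def _same_site(a, b):
    """Compare the last two labels, so mail.paypal.com matches paypal.com.
    (Naive for registries such as co.uk; a public-suffix list would fix that.)"""
    return a.split(".")[-2:] == b.split(".")[-2:]


def suspicious_links(html):
    """Return (visible text, real href) for every link whose shown address
    names a different site than the one it actually opens."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not _LOOKS_LIKE_URL.match(text):
            continue                    # plain words: nothing to compare
        shown, real = _host(text), _host(href)
        if shown and real and not _same_site(shown, real):
            flagged.append((text, href))
    return flagged


def scan_message(raw):
    """Run the check over every text/html part of a raw RFC 822 message."""
    msg = message_from_string(raw)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8", "replace")
            found.extend(suspicious_links(body))
    return found


# Constructed samples; .example hosts and 198.51.100.0/24 are reserved for documentation.
PHISH = ('<p>Your account has been limited. Restore access at '
         '<a href="http://www.paypal.com.secure-login.example/update">'
         'https://www.paypal.com/</a></p>')
PHISH_USERINFO = '<a href="http://www.paypal.com@198.51.100.23/">www.paypal.com</a>'
LEGIT = '<a href="https://www.paypal.com/us/home">www.paypal.com</a>'
LEGIT_WORDS = '<a href="https://tracking.example/1234">Track your package</a>'
RAW_PHISH = """From: "PayPal" <service@paypal.com>
To: customer@example.net
Subject: Your account has been limited
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

""" + PHISH + "\n"

if __name__ == "__main__":
    for sample in (PHISH, PHISH_USERINFO, LEGIT, LEGIT_WORDS):
        print(suspicious_links(sample) or "clean")
    print(scan_message(RAW_PHISH))
```

Two design points: the comparison goes through the URL parser rather than string matching, so the old `http://www.paypal.com@attacker/` trick resolves to the attacker’s host, and links whose visible text is ordinary words (“Track your package”) are deliberately not flagged, because a visible address that matches is the only signal this heuristic has.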

Three Million Dangerous Websites

You’ve been warned that visiting web sites can be dangerous, but have you ever wondered how serious the risk is? Google checks web pages, when cataloging them, to see if they contain malware – malicious code that can take advantage of vulnerabilities in web browsers or plug-ins, such as Flash and QuickTime. Their latest published results show that more than three million unique URLs on over 180,000 web sites attempt to install malware. That’s more than 1% of web sites they catalogue!

You are much less likely to encounter evil web pages on mainstream web sites – those of Google, Yahoo!, major news outlets, etc. – but you may find them on middle-of-the-road web sites, where malware can be injected into pages by third-party content, including ads. When this occurs, the web sites themselves are generally unwitting vectors: they may have been hacked, and Google found that more than 38% of the Apache (web server) and PHP (dynamic page) installations it examined were out of date. Since these programs issue regular updates when security vulnerabilities are discovered, web hosts that don’t apply them are putting their visitors at risk.

There aren’t many “safe browsing” techniques you can use – unlike a bad neighborhood in a city, which you know to avoid, a dangerous web site can be just a click away, and once you load a page it may be too late. So you need proactive security, such as Intego NetBarrier, which protects your Mac from the dangers of the Internet. You should also make sure that you apply all of Apple’s security updates, which patch vulnerabilities in software such as QuickTime, which has seen many such issues in recent months.

FileVault Encryption is Not As Secure as Previously Thought

A group of researchers at Princeton University has just published a novel way to defeat disk encryption such as Apple’s FileVault or Microsoft’s BitLocker. These systems encrypt entire disks or large sections of them – FileVault encrypts a user’s home folder – and keep the decryption key in RAM while the encrypted volume is in use, so the computer can read its files.

The researchers discovered that, because of the way DRAM (dynamic random access memory) chips work, the data they hold does not vanish as soon as the power is cut, but may linger for seconds to minutes. By cooling the chips with canned air, the researchers slowed this decay considerably, and using software they developed, they located the disk-encryption keys in the recovered memory contents.

The danger exists whenever the encrypted volume is mounted: while the computer is running, asleep, or in screen saver mode, with or without password protection, its RAM still contains the key needed to decrypt files. If the computer has been shut down completely, the key fades from memory within minutes, so any attempt to defeat the encryption would have to be made immediately.

This highlights that, even when the software does its job, there can still be unexpected weaknesses in the hardware it runs on. Since people tend to take hardware for granted, security researchers tend to focus on the strength of the software – in this case the encryption algorithm and its keys – without considering that the key may simply be readable from memory.

Here is the abstract to their paper outlining this procedure:

Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.
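The abstract mentions new algorithms for finding cryptographic keys in memory images and correcting bit decay. The following is an added example written for this post (it is not Intego’s code and not the Princeton team’s tool) showing the core idea for AES-128: an implementation keeps its 176-byte expanded key schedule in RAM, each round key is a fixed function of the one before it, so a 16-byte window whose expansion matches the 160 bytes that follow it, within a few flipped bits, is almost certainly the key. The same scan-the-image approach is what makes the account-password recovery in the first post above practical. The “memory image” is constructed in the file; the key is FIPS-197’s sample key, and the S-box is generated rather than tabled to keep the listing short.

```python
"""Added example (not Intego's or the Princeton team's code): recover an
AES-128 key from a memory image by searching for its expanded key schedule,
tolerating the bit errors that DRAM decay introduces."""

import random


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the FIPS-197
    affine map, produced by walking the field with the generator 3."""
    sbox = [0] * 256
    p = q = 1                                   # invariant: p * q == 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09                           # q /= 3
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                              # 0 has no inverse
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _next_round_key(prev, rcon):
    """Round key i from round key i-1 (FIPS-197 key expansion, Nk = 4)."""
    t = prev[13:16] + prev[12:13]               # RotWord on the last word
    t = bytes(SBOX[b] for b in t)               # SubWord
    t = bytes([t[0] ^ rcon]) + t[1:]            # xor Rcon
    out = bytearray()
    for j in range(4):
        word = bytes(prev[4 * j + k] ^ t[k] for k in range(4))
        out += word
        t = word
    return bytes(out)


def expand_key(key):
    """The full 176-byte AES-128 key schedule, as it sits in memory."""
    rk = bytes(key)
    sched = rk
    for rcon in RCON:
        rk = _next_round_key(rk, rcon)
        sched += rk
    return sched


def hamming(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=8):
    """Slide a 16-byte window across the image and keep every window whose
    derived round keys match the following 160 bytes within max_bit_errors.
    A candidate is dropped as soon as the error budget is exceeded, so almost
    every offset costs only one round of expansion."""
    hits = []
    for off in range(len(image) - 176 + 1):
        rk = bytes(image[off:off + 16])
        errs, pos = 0, off + 16
        for rcon in RCON:
            rk = _next_round_key(rk, rcon)
            errs += hamming(rk, image[pos:pos + 16])
            if errs > max_bit_errors:
                break
            pos += 16
        else:
            hits.append((off, bytes(image[off:off + 16]), errs))
    return hits


def build_test_image(key, size=4096, flips=5, seed=7):
    """Constructed sample: random bytes standing in for RAM, one key schedule
    planted at a random offset, then a few bit flips in its derived rounds to
    mimic the decay a cold-boot capture shows. Returns (image, offset)."""
    rng = random.Random(seed)
    img = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = expand_key(key)
    off = rng.randrange(0, size - len(sched))
    img[off:off + len(sched)] = sched
    for _ in range(flips):
        bit = rng.randrange(16 * 8, len(sched) * 8)
        img[off + bit // 8] ^= 1 << (bit % 8)
    return bytes(img), off


if __name__ == "__main__":
    KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 sample key
    image, planted_at = build_test_image(KEY)
    for off, key, errs in find_aes128_keys(image):
        print(f"AES-128 key at offset {off:#x} ({errs} decayed bits): {key.hex()}")
```

This simplification only tolerates decay in the derived round keys; the paper goes further and reconstructs the key itself when the first 16 bytes have also decayed, by exploiting the fact that each key byte influences many schedule bytes. It also explains why the practical countermeasures are about key lifetime (wiping keys on sleep, requiring a password on wake) rather than about the cipher.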

New in X5: Scheduled Scans with VirusBarrier

VirusBarrier X5 provides the ability to run scans at specified times, and also to have scans run automatically when certain events occur. Schedules are useful if you want to make sure your Mac, a specific volume, or a specific folder is free of viruses.

Events are either the mounting of a volume (such as an external disk that travels among different users) or the download and installation of new virus definitions with NetUpdate. In the first case, you want to make sure that volumes that have been connected to other Macs can’t infect yours; in the second, you should run a full scan every time you update your virus definitions, in case a file you got recently is infected with a newly discovered virus.

Control either of these automated scans from the Schedule & Events tab of VirusBarrier X5’s preferences.

Interview with Intego’s CEO Laurent Marteau


For the Intego Mac Security Blog’s 100th post, we sat down with Laurent Marteau, CEO of Intego, to ask questions that readers of this blog have sent to us. Here’s what he has to say about Intego and Mac security issues.

When was Intego founded, and why did you decide to focus on Mac security?

Intego was founded in 1997 to provide Macs with reliable protection from all the dangers of the Internet and other security risks. With a full line of Mac security products, Intego is the only company solely focused on Macs, and the only company with a complete range of security software.

Why do Macs have fewer security issues than Windows PCs?

Computer security goes beyond what one reads about in the press. In addition to viruses and other forms of malware, computer security also includes such issues as data protection, network defense, content filtering, and spam and phishing protection. Macs have the same problems as Windows PCs in all these areas, and Intego offers software solutions that meet each of these needs.

For example, many people don’t realize how vulnerable their documents are when they’re traveling with a laptop. They may have confidential business documents, which are essentially unprotected. Intego FileGuard X5 lets them create virtual safes to protect their sensitive files so even if a laptop is lost or stolen, no one can get at them.

A common generalization has been that Macs have fewer security issues than Windows because of the smaller market share. Is this true? Do you see the security threats increasing with Apple selling more Macs?

Recent months have seen an increase in threats to Mac OS X, the most recent being the OSX.Rsplug Trojan Horse and a serious Leopard quarantine bug. These threats are serious, and show that the people behind malware are focusing on the Mac as a viable target. But things will not stop here; new security flaws in Mac OS X, such as a QuickTime streaming vulnerability, may allow for other types of attacks, and those who profit from malware are constantly on the lookout for new ways to attack Macs.