A Dutch certificate authority, DigiNotar, has issued a fraudulent SSL certificate for google.com. Whoever holds the private key for that certificate can impersonate Google's services to any user whose traffic they can intercept, and the browser will show no warning, because DigiNotar is a trusted root on most systems. According to H Security, “The certificate was issued on 10 July to unknown persons in Iran.”
The Electronic Frontier Foundation even states that this has led to man-in-the-middle attacks that may have put Iranian activists in danger.
Mac utility company Coriolis has posted instructions on how to find the DigiNotar certificate in Keychain Access and mark it as never trusted. We checked our Macs and didn’t find any, but it is worth every Mac user going through the same steps, especially those who use Google services such as Gmail or Google Docs.
Web browsers will be updated to block this certificate, and Safari users can use this technique to protect themselves.
Update: Gregg Keizer is reporting at Computerworld that, in some cases, certificates that have been manually marked as untrusted are still accepted.
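For readers who would rather script the step than click through Keychain Access, the following is an added example (it is neither part of the original post nor Coriolis's instructions) that does the same thing with Apple's security(1) tool: export every certificate with the given name from the System Roots keychain and set a system-wide "deny" trust setting on each. It assumes the root is labelled "DigiNotar Root CA" in /System/Library/Keychains/SystemRootCertificates.keychain and that admin trust settings live in /Library/Keychains/System.keychain, so it must be run with sudo; DRY_RUN=1 only prints the commands. Given the Computerworld report above, the script also re-verifies each certificate after the change and warns if it still validates.

```shell
#!/bin/sh
# Added example (not from the original post, not Coriolis's instructions):
# mark the DigiNotar root as "never trust" from the command line with
# security(1). Assumptions: the root is in the System Roots keychain under
# CERT_NAME, admin trust settings go in /Library/Keychains/System.keychain
# (so run with sudo). DRY_RUN=1 prints the commands instead of running them.

SYSTEM_ROOTS=/System/Library/Keychains/SystemRootCertificates.keychain
ADMIN_KEYCHAIN=/Library/Keychains/System.keychain
CERT_NAME="DigiNotar Root CA"     # assumed label of the root in System Roots

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Read a PEM bundle (several certificates back to back, as
# `security find-certificate -a -p` prints them) from stdin and write one
# file per certificate into directory $1. Prints how many were found.
split_pem_bundle() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    '
}

# Export every certificate named CERT_NAME from System Roots and set a
# system-wide "deny" trust setting on each. Returns 1 if security(1) is
# missing (this only applies on Mac OS X) or if a step fails.
distrust_diginotar() {
    command -v security >/dev/null 2>&1 || {
        echo "security(1) not found: this step only applies on Mac OS X" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    count=$(security find-certificate -a -c "$CERT_NAME" -p "$SYSTEM_ROOTS" 2>/dev/null \
            | split_pem_bundle "$tmp")
    if [ "$count" -eq 0 ]; then
        echo "No certificate named '$CERT_NAME' in $SYSTEM_ROOTS; nothing to do"
        rm -rf "$tmp"; return 0
    fi
    for cert in "$tmp"/cert*.pem; do
        # -d: admin trust store (needs root); -r deny: never trust this certificate
        run security add-trusted-cert -d -r deny -k "$ADMIN_KEYCHAIN" "$cert" \
            || { rm -rf "$tmp"; return 1; }
        # Check the setting took: verify-cert should now fail for the denied root.
        # Computerworld reports cases where a manually distrusted CA is still
        # accepted, so do not skip this check.
        if [ "${DRY_RUN:-0}" != 1 ] && security verify-cert -c "$cert" >/dev/null 2>&1; then
            echo "warning: $cert still verifies after the deny setting" >&2
        fi
    done
    echo "Set 'never trust' on $count certificate(s) named '$CERT_NAME'"
    rm -rf "$tmp"
}

# Constructed two-certificate bundle for exercising split_pem_bundle offline;
# the bodies are placeholder base64, not real certificates.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
QUJDREVG
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
R0hJSktM
-----END CERTIFICATE-----'

# Usage on a Mac:  sudo sh distrust-diginotar.sh      (DRY_RUN=1 to preview)
if [ "$(basename -- "$0")" = distrust-diginotar.sh ]; then distrust_diginotar; fi
```

The trust setting is stored per certificate, which is why the bundle is split before `add-trusted-cert` is called; Apple's own security update removing the root supersedes this once installed.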
You probably use Mac OS X’s keychain to store user names and passwords. This is an encrypted file that gets “unlocked” when you log in to your Mac, in normal circumstances, and allows software to access data belonging to you. For example, when your e-mail program wants to check for new messages, it needs to send a user name and password; it gets the password from the keychain and sends it to the mail server.
By default, Mac OS X creates a keychain for you called “login,” and this keychain gets unlocked as soon as you log into your Mac. This means that if you use automatic login, not only are your files accessible, but your keychain is unlocked, so anyone who accesses your Mac can get your e-mail, or even access web sites for which you have saved passwords in your keychain.
The first thing to change is to turn off automatic login, which we discussed in a recent Mac security tip. But another security precaution to take is to create a non-login keychain, so when you do log in, your keychain stays protected until you enter a password.
To do this, open Keychain Access (in your /Applications/Utilities folder), then choose File > New Keychain. The program asks you to name the keychain (your user name or any other name will do) and then for a password. Don’t use the password of your user account: the point of a second keychain is that it has a different password, so that someone who learns or bypasses your account password still can’t open it. Pick a strong one; a keychain file can be copied and attacked offline, and its password is the only thing protecting it.

After you’ve created the keychain, it appears in the sidebar of Keychain Access. Next, click the login keychain, select all the items in the right-hand part of the window, and drag them to the new keychain; you’ll be asked for a password to do this. Afterwards, look at the login keychain again: if the items are still listed there, they were copied rather than moved, and you need to delete them from login, or they will still be unlocked when you log in. Once they exist only in the new keychain, they are not available until that keychain is unlocked.
When you next try to access an item in the keychain, you’ll have to enter your password; not your user account password, but the one for the keychain you just created. By default, the first request unlocks the keychain, and the keychain will lock again in 5 minutes. If this is too soon, you can change the amount of time before it locks; you could choose, say, 30 minutes, so you don’t have to enter your password too often.
To do this, select the keychain in the sidebar and choose Edit > Change Settings for Keychain “name”, then set the number of minutes of inactivity after which it locks. The same dialog has a “Lock when sleeping” option, which is worth enabling on a laptop.
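The same procedure can be done with Apple's security(1) tool, which is handy for scripting it or for checking what Keychain Access actually set. The script below is an added example, not part of the original post: it creates the keychain (prompting for its password rather than taking it on the command line, where ps(1) would expose it), sets the inactivity timeout and lock-on-sleep, locks it, and includes a check that reads the timeout back. It assumes Mac OS X with keychains in ~/Library/Keychains; DRY_RUN=1 prints the commands instead of running them. Moving the items over is still done in Keychain Access as described above.

```shell
#!/bin/sh
# Added example (not from the original post): the keychain procedure with
# security(1). Assumptions: Mac OS X, keychains in ~/Library/Keychains, the
# keychain password typed at the prompt (never on the command line, where
# ps(1) shows it). DRY_RUN=1 prints the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_protected_keychain NAME MINUTES
# Creates ~/Library/Keychains/NAME.keychain, prompting for its password, sets
# it to lock after MINUTES of inactivity and whenever the Mac sleeps, and
# locks it right away. Returns 2 on bad arguments, 1 if a security(1) step fails.
create_protected_keychain() {
    name=$1; minutes=$2
    case "$name" in
        ''|*/*|*' '*) echo "bad keychain name: '$name'" >&2; return 2;;
    esac
    case "$minutes" in
        ''|*[!0-9]*|0) echo "minutes must be a positive integer" >&2; return 2;;
    esac
    path="$HOME/Library/Keychains/$name.keychain"
    run security create-keychain "$path" || return 1
    # -l lock when sleeping, -u lock after a timeout, -t timeout in seconds
    run security set-keychain-settings -l -u -t "$((minutes * 60))" "$path" || return 1
    run security lock-keychain "$path" || return 1
    echo "Created $path (locks after $minutes min); move items into it with Keychain Access"
}

# timeout_from_info LINE: pull the lock timeout, in seconds, out of a line as
# printed by `security show-keychain-info`, e.g.
#   Keychain "/Users/me/Library/Keychains/work.keychain" lock-on-sleep timeout=1800s
# Prints "none" if the keychain never locks on its own.
timeout_from_info() {
    case "$1" in
        *timeout=*s*) printf '%s\n' "$1" | sed 's/.*timeout=\([0-9]*\)s.*/\1/';;
        *)            echo none;;
    esac
}

# check_lock_timeout PATH MAX_SECONDS: 0 if the keychain locks within
# MAX_SECONDS, 1 if it never locks or locks too late, 2 if security(1)
# could not report on it.
check_lock_timeout() {
    info=$(security show-keychain-info "$1" 2>&1) || return 2
    t=$(timeout_from_info "$info")
    [ "$t" != none ] && [ "$t" -le "$2" ]
}
```

Running `check_lock_timeout ~/Library/Keychains/login.keychain 1800` against the default login keychain is a quick way to see the difference: it reports no timeout, which is the behaviour the separate keychain avoids.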

Creating a separate keychain is a sound way to protect your stored passwords. The keychain is encrypted with a key derived from its own password, so an attacker who knows or bypasses your login password still has to guess the keychain password, and as long as that password is strong the items stay protected. Two caveats: while the keychain is unlocked, any program running as you can ask for items in it (Mac OS X prompts before handing an item to a program that is not already on the item’s access list), and if you give both keychain and account the same weak password, you have gained nothing.
Many people use Dropbox to share and synchronize files, but few people know when updates to the program are available. The application itself has no updater, and no notification when new versions are released. So, in order to find out if you need a new version, you need to check in the program’s Account preferences to find which version you have, then go to the Dropbox site and find the page where you can download a new version. (In case you’re curious, it’s https://www.dropbox.com/install.)
It turns out that security researchers discovered some disturbing weaknesses in Dropbox, allowing them to access files without users’ knowledge; Dropbox has since corrected its system to address these issues. They seem to involve the cloud side of Dropbox rather than the client software, but there have been security issues involving the software as well. If users are never notified of new versions, they may not think to go through the process of checking for an update. (Several people pointed out that Dropbox is supposed to upgrade automatically, but we’ve not seen this, and many Mac users have not seen it either.)
We don’t know of many Mac programs that do not at least alert users when updates are available, or have a preference to turn such alerts on or off. In addition, many Mac programs include the Sparkle framework, which checks for updates, downloads them and installs them. Dropbox, given the sensitivity of the files it stores, is remiss in not providing such a feature, meaning that users need to be proactive and check for updates regularly to ensure that their files are protected. After reading the article linked above about the Dropbox security issues, we checked our version of the program, and we were indeed out of date. FYI, the current version at the time of writing is 1.1.40.
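Since the client gives no notice, the check can be scripted. The script below is an added example, not something Dropbox or this post provides: it reads the installed version out of the application bundle and compares it, component by component, with a version you know to be current. It assumes Dropbox is installed at /Applications/Dropbox.app and records its version in the bundle's Info.plist under CFBundleShortVersionString (confirm with `defaults read` first; the key is an assumption), and it takes 1.1.40 as the current version because that is the one cited here. The comparison is numeric on purpose: treated as text, “1.1.9” sorts after “1.1.40”.

```shell
#!/bin/sh
# Added example (not from Dropbox or the original post): compare the installed
# Dropbox version with a known-current one. Assumptions: Dropbox.app is in
# /Applications and stores its version in Info.plist under
# CFBundleShortVersionString (verify with `defaults read`); CURRENT_VERSION is
# the version the post cites.

CURRENT_VERSION=1.1.40
DROPBOX_INFO=/Applications/Dropbox.app/Contents/Info      # defaults(1) adds .plist

# version_lt A B: true (0) when version A is older than B, comparing each
# dot-separated component numerically, so 1.1.9 < 1.1.40 even though it
# sorts the other way as text. Missing components count as 0 (1.1 == 1.1.0).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}                             # first component
        if [ "$a" = "$ai" ]; then a=''; else a=${a#*.}; fi   # drop it
        if [ "$b" = "$bi" ]; then b=''; else b=${b#*.}; fi
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}                 # ignore suffixes like "b2"
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1                                                 # equal
}

# Print the installed version, or fail if the bundle is not there.
installed_version() {
    [ -r "$DROPBOX_INFO.plist" ] || { echo "Dropbox.app not found" >&2; return 1; }
    defaults read "$DROPBOX_INFO" CFBundleShortVersionString
}

# Exit status: 0 up to date, 1 update needed, 2 could not determine the version.
check_dropbox_update() {
    installed=$(installed_version) || return 2
    if version_lt "$installed" "$CURRENT_VERSION"; then
        echo "Dropbox $installed is older than $CURRENT_VERSION: https://www.dropbox.com/install"
        return 1
    fi
    echo "Dropbox $installed is up to date"
}
```

Drop the script into a weekly cron or launchd job and it will nag you the way the application itself does not; you still have to bump CURRENT_VERSION when a new release appears, which is the part only Dropbox can automate.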
The Mozilla Foundation has released Firefox 6, the latest version of their web browser. In addition to new browsing features, the latest version of Firefox includes a number of security fixes, several of which are critical. These include memory corruption problems, a JavaScript issue, a WebGL problem and more.
Firefox users can get the latest version of the web browser using the program’s built-in auto-updater, or download a copy here.
Adobe has released a number of critical updates: for the Flash Player and Shockwave Player browser plug-ins, for the AIR runtime, for the graphics program Photoshop, and for other programs.
The Flash Player update fixes 13 security flaws, some of them critical, bringing the latest version of Flash Player for Mac to 10.3.183.5. Users can download the new version of Flash Player here.
Adobe Air was updated for the same flaws, and the new version is 2.7.1, with downloads available here.
Shockwave Player saw 7 flaws patched, and the new version is 11.6.1.629. Shockwave Player can be downloaded here.
Photoshop CS was updated to fix one vulnerability that can be triggered by opening a malicious .gif file. The update can be downloaded here.
It’s worth noting that there’s a bit of a tiff between Google and Adobe regarding the Flash update. A Google engineer said on Twitter that he had sent info to Adobe regarding some 400 vulnerabilities. An Adobe representative later replied via Twitter, but has since removed the tweet. Gregg Keizer on Infoworld has more on this feud. I suspect we’ll hear more about it later today.
The Electronic Frontier Foundation has funded the development of a new Firefox extension, HTTPS Everywhere, which is now available. The extension rewrites requests to use HTTPS addresses whenever it can. HTTPS is the secure version of HTTP: the data you send and receive is encrypted in transit, and the browser checks that it is talking to the site named in the certificate.
However, HTTPS Everywhere only helps with websites that offer HTTPS connections, and only those for which rules are defined in the extension. This includes many major websites, such as Google search, Wikipedia, Twitter, Facebook, PayPal and more. In addition, you can add your own rules, following instructions available from the extension.
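To show what such a rule looks like, here is an added example (not from the EFF or the original post): a user ruleset in the extension's XML format, a small function that writes it into the folder the extension reads user rules from, and a sed-based sketch of how its exclusion and rule patterns act on a URL. It assumes example.com stands in for a site that serves HTTPS, and that user rulesets are .xml files in the user-rules folder inside the Firefox profile (named HTTPSEverywhereUserRules at the time; check the extension's instructions), which install_ruleset takes as its argument.

```shell
#!/bin/sh
# Added example (not from the EFF or the original post): a user ruleset for
# HTTPS Everywhere and a sed sketch of how its patterns rewrite a URL.
# Assumptions: example.com stands in for a site that serves HTTPS; user
# rulesets are .xml files in the extension's user-rules folder inside the
# Firefox profile (HTTPSEverywhereUserRules at the time; check the
# extension's instructions).

RULESET='<ruleset name="Example (added example)">
  <target host="example.com" />
  <target host="*.example.com" />
  <exclusion pattern="^http://www\.example\.com/legacy/" />
  <securecookie host="^(www\.)?example\.com$" name=".*" />
  <rule from="^http://(www\.)?example\.com/" to="https://www.example.com/" />
</ruleset>'
# target:       hostnames the ruleset applies to (the wildcard covers subdomains)
# exclusion:    URLs the rules must leave alone, e.g. a path that breaks over HTTPS
# securecookie: set the Secure flag on matching cookies so they never go over HTTP
# rule:         regex rewrite applied to the URL; exclusions are checked first

# install_ruleset DIR: write the ruleset where the extension will load it.
install_ruleset() {
    [ -n "$1" ] || return 2
    mkdir -p "$1" && printf '%s\n' "$RULESET" > "$1/example.com.xml"
}

# rewrite_url URL: print the URL as the ruleset above would load it.
# Exclusions win over rules, and a URL the rule does not match is left as it
# is (the targets only decide whether the ruleset is consulted at all).
rewrite_url() {
    if printf '%s\n' "$1" | grep -Eq '^http://www\.example\.com/legacy/'; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$1" | sed -E 's#^http://(www\.)?example\.com/#https://www.example.com/#'
    fi
}
```

Note that http://mail.example.com/ is covered by the wildcard target but not rewritten, because no rule's from pattern matches it: a target makes the extension look at a ruleset, and only a matching rule changes the URL. Rules are plain regular expressions, so one that is too broad can send requests to a host that has no HTTPS listener; test each rule against the real site before relying on it.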
At a minimum, the extension ensures that your sessions with these popular sites are encrypted on the wire, which matters most on networks you don’t control, such as public Wi-Fi. It doesn’t make a site that has no HTTPS version any safer, and it does nothing for sites it has no rule for.