Tag Archives: Cyber Security

Security – Adware with Java 8 Update 40 Installation

Java was developed by Sun Microsystems and first released in 1995. Since Oracle Corporation acquired Sun in 2010, development of the Java programming language has continued under Oracle. While Java can be freely downloaded and installed on your Mac, it has recently begun to carry some undesirable baggage.

Beginning with Java 8 Update 40 for the Mac, Oracle has begun bundling a version of the Ask.com browser toolbar with the installer. This is generally considered adware and had previously only been found in the Windows version of Java. Adware like this is considered by most to be a form of malware (malicious software).

The latest Java installer now adds the Ask toolbar to both Safari and Google Chrome by default. A user can opt out of the installation, but only by paying close attention while Java is being installed.

If the Ask toolbar does get installed, uninstalling it is straightforward. For Safari, go to Safari >> Safari Extensions. For Chrome, the Ask toolbar can be removed directly from the toolbar’s help menu.

NOTE: This will only affect you if you have installed Oracle Java onto your Mac!


See my other Mac OS X and Security articles


Security – FREAK

FREAK is a newly discovered security flaw affecting both the iOS and OS X versions of Safari, as well as other web browsers. This vulnerability enables an attacker to force the browser to use a weakened, 512-bit form of RSA encryption. FREAK is an acronym for ‘Factoring RSA-EXPORT Keys’. The flaw has been around for years and was only disclosed by security researchers on March 2, 2015. Specifically, the vulnerability lies in TLS/SSL (i.e. HTTPS) servers and clients.

This flaw left iOS and other devices vulnerable to attack when visiting what were thought to be secure web sites. The flaw actually stems from a Cold War-era US government policy that forbade the export of strong encryption. The export restriction was lifted in the late 1990s, but the browser code was never updated.

Once an attacker has broken the weakened encryption, they can steal passwords and other personal information. Using this man-in-the-middle attack, they can also attack the site being visited by taking over elements on the site’s pages. The researchers estimate that more than 35% of HTTPS sites worldwide are vulnerable.

Apple has indicated that a fix for Safari will be available in the next week or so.

UPDATED 4/22/15 – See Security Now episode #498 for a more detailed description of FREAK.

UPDATED 3/10/15 – Apple Security Update 2015-002 1.0 applied patches that close this vulnerability. The vulnerability was resolved by removing support for ephemeral RSA keys.
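The server-side counterpart of Apple's fix is to refuse the RSA_EXPORT cipher suites outright, so a downgrade has nothing to land on. The following is an added example, not code from the post or from Apple: it builds a Python ssl server context whose OpenSSL cipher string excludes export-grade and RSA key-exchange suites (the ECDHE/DHE selection, the 128-bit threshold and the constructed SAMPLE_SUITES list are my assumptions), and a small check that flags any suite a FREAK-style downgrade could target.

```python
import ssl

# OpenSSL cipher-string syntax. '!EXPORT' removes the 40/56-bit RSA_EXPORT suites FREAK
# forces a client into; '!kRSA' removes RSA key exchange entirely (static and ephemeral),
# leaving only (EC)DHE suites. This string is an assumption for the example, not Apple's.
HARDENED_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!EXPORT:!kRSA:!RC4:!MD5"


def hardened_server_context():
    """Server context that cannot negotiate an export-grade or RSA-key-exchange suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3/TLS 1.0 downgrades are refused too
    ctx.set_ciphers(HARDENED_CIPHERS)              # raises SSLError if nothing would match
    return ctx


def is_export_grade(name, strength_bits):
    """A suite a FREAK-style downgrade would target: marked EXP, or under 128-bit strength."""
    return "EXP" in name.upper() or strength_bits < 128


def weak_suites(ctx):
    """Names of the suites a context would still offer that fail is_export_grade()."""
    return [c["name"] for c in ctx.get_ciphers()
            if is_export_grade(c["name"], c["strength_bits"])]


# Constructed sample in the shape ssl.SSLContext.get_ciphers() returns (only the two keys
# used here), standing in for a scanner's report of a legacy server; not captured anywhere.
SAMPLE_SUITES = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "EXP-DES-CBC-SHA", "strength_bits": 40},
    {"name": "AES128-SHA", "strength_bits": 128},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
]


def flag_export_suites(suites):
    """Return the names in a suite list that an export downgrade could exploit."""
    return [s["name"] for s in suites if is_export_grade(s["name"], s["strength_bits"])]


if __name__ == "__main__":
    print("legacy sample offers:", flag_export_suites(SAMPLE_SUITES))
    print("hardened context offers:", weak_suites(hardened_server_context()) or "nothing weak")
```

On a current OpenSSL build the export suites are not even compiled in, so `weak_suites()` on the hardened context comes back empty; the value of the check is on older builds and on third-party servers, where the constructed `SAMPLE_SUITES` shows the shape of a failing result.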


See my other Mac OS X, iOS and Cyber Security articles


Security – Passwords

Security and data privacy are becoming increasingly important issues for everyone. Regrettably, one of the biggest security holes is the easiest to fix: poor passwords. We all have multiple applications needing passwords, and the use of passwords looks to be the most common authentication method for the foreseeable future. What can you do to be more secure?

Passwords not to use

First, do not use weak passwords. Users with weak passwords continue to be the single biggest security issue. Users rely too often on default passwords or choose passwords that are too predictable.

Things to avoid

  • Do not reuse passwords; use a unique password for each App and web site.
  • Do not share your passwords with anyone.
  • Do not write your passwords down.

Security application and service provider SplashData once again released its annual list of the 25 most common passwords found on the Internet. This list was compiled from more than 3.3 million passwords stolen during 2014, then publicly posted. Based on their study, many people are still using weak and easily guessable passwords. The worst passwords of 2014 are:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty
  6. 123456789
  7. 1234
  8. baseball
  9. dragon
  10. football
  11. 1234567
  12. monkey
  13. letmein
  14. abc123
  15. 111111
  16. mustang
  17. access
  18. shadow
  19. master
  20. michael
  21. superman
  22. 696969
  23. 123123
  24. batman
  25. trustno1

Those are not the only common passwords that SplashData found. Common names such as “michael,” “jennifer,” “thomas,” “jordan,” “hunter,” “michelle,” “charlie,” “andrew,” and “daniel” are all in the top 50. Also in the top 100 are swear words and phrases, hobbies, famous athletes, car brands, and film names.

Strong passwords

Unbreakable passwords may seem to be beyond reach, but they are easily possible. Regardless, all security experts agree that ‘strong’ passwords should always be used. So what is a ‘strong’ password?

A strong password is one that contains enough separate information to form a barrier to any hacker, or the software they are using, to break into your account. A ‘strong’ password will:

  • be at least eight characters in length; 12 or more is preferable
  • contain at least one uppercase character
  • contain at least one lowercase character
  • contain at least one digit
  • contain at least one symbol (if allowed, such as !@#$%)
  • avoid dictionary words, even with substitutions, e.g. speed = 5p33d
  • avoid repeated characters
  • contain no keyboard patterns or swipes
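The rules above and the SplashData list can be turned into a checker that reports every rule a candidate password breaks. This is an added example, not code from the post: the deny list is the post's 2014 top 25, while the small DICTIONARY, the reversed-substitution table and the keyboard rows are constructed assumptions standing in for a cracker's full dictionary and pattern set.

```python
import re

# The 2014 worst-passwords list from the post, used as a deny list.
WORST_2014 = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789", "1234",
    "baseball", "dragon", "football", "1234567", "monkey", "letmein", "abc123",
    "111111", "mustang", "access", "shadow", "master", "michael", "superman",
    "696969", "123123", "batman", "trustno1",
}

# Constructed mini word list; a real deployment would load a full cracking dictionary.
DICTIONARY = {"speed", "password", "dragon", "monkey", "secret", "welcome"}

# Common substitutions reversed, so '5p33d' is checked as 'speed' (assumed mapping).
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def has_keyboard_pattern(pw, run=4):
    """True if `run` adjacent keys from one row appear in order (either direction)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def check_password(pw, min_length=8):
    """Return the list of rule violations; an empty list means the password passes.

    min_length defaults to the post's hard floor of 8; pass 12 for its preferred length.
    """
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    if pw.lower() in WORST_2014:
        problems.append("on the 2014 worst-passwords list")
    # Undo leet substitutions before the dictionary check, as a cracker's rules would.
    base = pw.lower().translate(UNLEET)
    if any(word in base for word in DICTIONARY):
        problems.append("contains a dictionary word, even with substitutions")
    if re.search(r"(.)\1\1", pw):
        problems.append("three or more repeated characters in a row")
    if has_keyboard_pattern(pw):
        problems.append("keyboard pattern or sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "5p33d!Fast", "qwerty123", "xK9#mQ2vL7pR"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

`5p33d!Fast` satisfies every character-class rule and still fails, which is the point of the post's "even with substitutions" caveat: the substitution table is one of the first things a cracking tool applies.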

Brute force password cracking programs can use standard dictionaries to try and find a password, even with character substitutions. These programs simply take a list of common passwords and try them one by one until they find the one that works. When that fails, they fall back to systematically creating every possible password and trying it. The more possible passwords there are, the longer the brute force attack will take to find the password. The best passwords are those made up of random characters, and the longer the better.

So how does that ‘strong’ password make a difference? Let’s say you need a 6-character password.

  • If you only use the digits 0-9, then there are only 10^6 possible combinations.
  • If you add the lowercase letters, then that changes to 36x36x36x36x36x36 = 36^6 = 2.17 x 10^9 possible combinations.
  • Using digits, lowercase and uppercase, that changes to 62^6 = 5.68 x 10^10.
  • Adding symbols (20 to 30 are possible), that goes to 82^6 = 3.04 x 10^11 at the low end.

Now see what happens if you increase the entropy (see Password Strength) of the password by increasing the length (using only uppercase, lowercase and digit characters):

  • extended to 8 characters, the number of possible combinations goes to 62^8 = 2.18 x 10^14
  • extended to 12 characters, the number of possible combinations goes to 62^12 = 3.22 x 10^21
  • extended to 16 characters, the number of possible combinations goes to 62^16 = 4.76 x 10^28

To give those numbers some perspective:

  • The human body is estimated to have 34 trillion cells, 34 x 10^12 [1]
  • The average hacker can brute force a 10-character password in a week, while a 15-character password will take 1.49 centuries [2]
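The arithmetic in the two lists above generalizes to any character-set size and length, and the same keyspace figure gives the entropy in bits and a worst-case brute-force time once you fix a guess rate. The following is an added example, not code from the post: it reproduces the post's rows from the character-class sizes and adds an entropy and time-to-exhaust calculation; the 10^10 guesses-per-second rate used in the demo is an assumption for illustration, not a figure from the post.

```python
import math

# Character-class sizes used in the post's arithmetic.
DIGITS = 10
LOWER = 26
UPPER = 26
SYMBOLS_LOW = 20   # the post's low-end count of usable symbols (20 to 30)
ALNUM = DIGITS + LOWER + UPPER   # 62


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Entropy of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(charset_size)


def worst_case_seconds(charset_size, length, guesses_per_second):
    """Time to exhaust the whole keyspace at a fixed guess rate (expected time is half this)."""
    return keyspace(charset_size, length) / guesses_per_second


def length_six_comparison():
    """The post's four rows for a 6-character password, as (description, keyspace) pairs."""
    return [
        ("digits only", keyspace(DIGITS, 6)),
        ("digits + lowercase", keyspace(DIGITS + LOWER, 6)),
        ("digits + lowercase + uppercase", keyspace(ALNUM, 6)),
        ("alphanumeric + 20 symbols", keyspace(ALNUM + SYMBOLS_LOW, 6)),
    ]


def length_comparison(lengths=(8, 12, 16), charset_size=ALNUM):
    """The post's length rows: (length, keyspace, entropy in bits) for each length."""
    return [(n, keyspace(charset_size, n), entropy_bits(charset_size, n)) for n in lengths]


if __name__ == "__main__":
    # Assumed rate for an offline attacker with GPUs against a fast hash; illustration only.
    RATE = 1e10
    SECONDS_PER_YEAR = 365.25 * 24 * 3600
    for desc, n in length_six_comparison():
        print(f"{desc:32s} {n:>15,d}  ({n:.2e})")
    for length, n, bits in length_comparison():
        years = worst_case_seconds(ALNUM, length, RATE) / SECONDS_PER_YEAR
        print(f"62^{length:<3d} = {n:.2e}  {bits:5.1f} bits  "
              f"exhausted in {years:.3g} years at {RATE:.0e} guesses/s")
```

Adding a character class multiplies the keyspace by a constant factor per position, while adding a position multiplies it by the whole character-set size, which is why the post's length rows grow so much faster than its class rows.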

Generating strong passwords

If you are trying to set up a strong password that you are going to try and remember, then one option is using a ‘pass phrase’. You would want to pick a phrase you know you will not forget (or which you can easily look up if you do). Such a phrase might be the first line of a song or poem that you know by heart.

For instance you could use the first line of the Star Spangled Banner – “Oh, say can you see by the dawn’s early light”. From this you can pull the first letter of each word – oscysbtdel – to give yourself 10 characters. To add entropy, make a few characters uppercase and substitute some digits – oscySbtd3l. This isn’t as good as a truly random password, but it is much, much better than using the name of your significant other or favorite pet.

Most password managers (see below) have a provision for generating strong passwords for you. If you are using Safari on your Mac with Keychain enabled, you will be given the option to let Keychain generate a strong password for you and store it when you are setting up a web account.

There are also many different strong password generators available on the web. One I have used is the password generator page available from Web hosting provider Hostgator. Passwords from 8 to 40 characters in length can be generated, with or without special characters.
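Both approaches in this section, the pass-phrase acronym and the generated random password, are short enough to implement locally rather than trusting a web page with the result. This is an added example, not code from the post or from any of the generators it names: the acronym helper reproduces the post's Star Spangled Banner step, and the generator draws from the operating system's CSPRNG via Python's `secrets` module (the five symbols and the 16-character default are assumptions taken from the post's examples).

```python
import re
import secrets
import string

# Symbols the post gives as examples; the full alphabet is an assumption for this example.
SYMBOLS = "!@#$%"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def passphrase_acronym(phrase):
    """First letter of each word, lowercased, as the post does with the anthem's first line."""
    words = re.findall(r"[A-Za-z][A-Za-z']*", phrase)
    return "".join(w[0] for w in words).lower()


def has_all_classes(pw):
    """True when upper, lower, digit and one of SYMBOLS are all present."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def random_password(length=16, alphabet=ALPHABET):
    """Uniformly random password from `alphabet`, rejected until all four classes appear.

    secrets.choice() uses the OS CSPRNG; random.choice() must not be used for this.
    Rejection sampling keeps the distribution uniform over the accepted passwords.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to hold all four classes")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw


if __name__ == "__main__":
    print(passphrase_acronym("Oh, say can you see by the dawn's early light"))  # oscysbtdel
    print(random_password())
    print(random_password(24, alphabet=string.ascii_letters + string.digits))
```

The acronym helper only shows the mechanics of the post's memorable-password trick; the post's own caveat stands, since a well-known first line is exactly what a cracker's phrase list contains, so the random generator is the one to use wherever a password manager will remember the result.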

Password managers

The problem with most passwords is not with technology, but with the limitations of human learning and memory. Unfortunately, most people are simply lazy and ease of use is inversely related to security. Even with the security of their data or computer at risk, most people seem to take the simple way out choosing simple passwords and/or using the same password for all of their logins. An easy way to make using strong passwords easier is with a password manager.

In simple terms, a password manager is an application that stores the user’s encrypted passwords. Some password managers store the data locally, while others use cloud storage. Passwords can be copied from the application and pasted as needed into other applications or web sites. Some password managers have browser plugins that allow them to work closely with the browser to auto-fill login screens with passwords and IDs. Some password managers also have sister Apps that work on iOS, Android or Windows systems allowing all of your passwords to be available on every platform you use.

Some of the most common password managers are:

Keep in mind that not all password managers equally protect their data. The paper “The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers” presented at the 23rd USENIX Security Symposium in August of 2014 reviewed five popular password managers and found some level of fault with all.

I find that Keychain meets my needs because all of my devices are Apple. If I had an Android phone or tablet, I would want to choose one of the other password managers, like KeePass or LastPass listed above.

References

  1. http://phenomena.nationalgeographic.com/2013/10/23/how-many-cells-are-in-your-body/
  2. http://www.makeuseof.com/tag/create-safe-password-can-actually-remember/

See my other Cyber Security and Mac OS X articles


The Threat of Thunderstrike

UPDATED 2/3/15 – When Apple released OS X 10.10.2 a week or so ago, the vulnerability to Thunderstrike was patched!

Those of us who use Macs have been more or less safe from Malware. However as the Mac has grown in popularity recently and the number of Macs in use has risen, we have finally become more of a target. Recently a new attack vector for the Mac has been discovered and it has been named Thunderstrike.

So far this is only a proof of concept discovered by security researcher Trammell Hudson. Apple is reported to be taking this threat seriously and is working on a fix. At present it DOES NOT offer much of a threat to most users.

The Bad – There are several features of Thunderstrike that are serious threats

  1. It is the first known OS X firmware bootkit, and nothing currently scans for its presence
  2. It controls the system from power up and can log every keystroke, including disk encryption keys
  3. It can open a backdoor directly into the kernel bypassing firmware passwords
  4. Once it is on your system it is very hard to remove
  5. It can infect subsequent Thunderbolt attached devices, spreading the Malware

The Good – So far this is only a proof of concept. To infect your Mac someone has to:

  1. Have Thunderstrike-enabled hardware — a modified Thunderbolt-to-Ethernet dongle was used in the proof of concept
  2. Have physical access to the Mac under attack
  3. Be able to reboot the Mac so as to modify the system firmware

Action you should take – even though the threat currently is low, you should keep in mind that if your Mac is left alone it could be subject to attack. The most common time this might happen is when traveling and your Mac is left in your hotel room. If you feel that you might be a target, take advantage of the safe in your room to store your Mac when you are out, or keep it with you.

How it works – In simple terms, when a Mac boots it starts to run the EFI firmware code in the boot EEPROM. By design, FireWire and Thunderbolt interact with the Mac firmware at a very low level. In this case, if a Thunderbolt device carrying the Thunderstrike malware is present at bootup, the system firmware will be overwritten and the system compromised.

References

  1. Macs vulnerable to virtually undetectable virus that “can’t be removed”
  2. Thunderstrike Proof-of-Concept Attack Serious, but Limited
  3. Thunderstrike – Trammell Hudson’s Projects

See my other Mac and Security posts



IEEE Rock Stars of Cyber security Event

I spent the day yesterday at the IEEE Rock Stars of Cyber Security event held in Austin, TX. It featured 7 notable speakers on Cyber Security, as well as a panel discussion.

I found the presentations to be very thought provoking. Computers are proliferating around us, yet we are having a difficult time protecting the data residing in those systems today. Action must be taken to strengthen the security barriers, and users must behave smarter if the data is to be protected.

Here are a few tidbits from the presentations:

  • All organizations need to pick a security framework and stick to it
  • Currently we are losing the war on cyber attacks
  • By 2050 there are estimated to be 50 billion new devices making up the Internet of Things which will need to be protected
  • 90% of companies with 250 employees or more had malicious security events in 2012
  • The #1 job of current security tools is preventing false positives
  • Biggest threat to cyber security is convenience
  • “You can’t patch stupid” – humans pose the largest vulnerability in computer security
  • Security = defense in depth
  • The top fear of the common man is that he will not be able to buy groceries or make other purchases without exposing his personal data
  • 56% of organizations have been the target of cyber attacks
  • 44% of breaches involved third party mistakes

The complete set of slides from the various presentations will soon be available on the IEEE web site.

