Jupiter Broadcasting

Sage IT Wisdom | TechSNAP 57

Apple’s latest version of OS X has a major bug that can store your passwords in clear text, an 8-year-old vulnerability has been found in PHP, and why the DHS is hoping for attacks on gas pipelines.

Plus – We’ve got some sage advice for Adam, who’s just taken on the role of the company Sysadmin, and we share some of the essential lessons we’ve learned over the years.

All that and more, on this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offer:

New customers 25% off your entire order, code: 25MAY7
Expires: May 31, 2012

Show Notes:

Apple security blunder exposes Lion passwords in plain text

  • Apparently by accident, an Apple programmer left a debugging option turned on in the final release of OS X 10.7.3 Lion
  • That debugging option causes the plaintext password of affected users to be written to a system-wide log file each time they log in
  • “Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable”
  • Vulnerability Discovery Announcement
  • As you will recall from last week’s episode of TechSNAP, we discussed how you could compromise encrypted partitions by installing spyware on the machine to access the partition once it was mounted
  • The other option is to attempt to use some kind of keylogger to learn the password to decrypt the partition
  • This flaw in Apple OS X allows an attacker to boot into the recovery console, mount the unencrypted system partition, read the log file, and learn the password to login as the user and decrypt the partition
  • Users of the newer FileVault 2 whole-disk encryption are less exposed, since the partition holding the log file is itself encrypted; it is unclear, however, whether users who share such a system could learn each other’s passwords from the log
  • The researcher who discovered the vulnerability also points out that the log file is backed up unencrypted, so even after you change your password and resolve the issue, anyone who gains access to your backups (which you would assume store your encrypted partitions in an encrypted state) can read the plaintext log file and unlock the backed-up copy of your encrypted partition
  • The information disclosure vulnerability has existed since early February 2012 and has not yet been resolved
  • “In my opinion, it should be impossible to turn such a feature on without patching code, and ideally shipped binaries should not contain even a disabled code path to log passwords in plain text.” – David Emery (Researcher who discovered the vulnerability)
  • Does Apple have a QA problem?

DHS asked energy industry to not stop cyber attackers

  • Starting in December 2011, a highly targeted spear-phishing campaign was launched against a number of companies that operate natural gas pipelines
  • The emails were very well crafted to appear as if they were coming from trusted sources
  • Analysis of the malware and other evidence left behind by the attacks confirms that the phishing was successful, something standard security practices and proper training should have prevented
  • This threat underscores the need for cryptographically secure email, using PGP/GPG or S/MIME to authenticate the sender and the integrity of the message
  • It seems the DHS asked the companies not to disrupt the attacks unless they began to threaten critical infrastructure, so that more evidence could be collected and more learned about the attackers
  • This is especially risky because an attack like this can escalate extremely rapidly: if the attackers suddenly manage to escalate their privileges within the network, they can start doing serious harm immediately
  • As we have seen with attacks like Duqu, the first phase of the attack is often about intelligence gathering, before the actual attack begins
  • Additional Coverage
  • CERT Monthly Monitor Alert from April 2012

Serious PHP flaw goes unnoticed for 8 years

  • The flaw is in the way PHP implements the CGI specification’s command-line rule (cited as section 7 of the CGI standard; it is section 4.4 in RFC 3875), and it allowed an attacker to pass arbitrary command-line parameters to PHP via the query string
  • Specifically, an attacker could pass the -s flag, which causes PHP to display the source code of the requested file instead of executing it
  • Done against a configuration file such as WordPress’s wp-config.php, this discloses the MySQL username and password. It can also disclose other secret keys and the source code of proprietary applications
  • The original fix released by the PHP group on May 3rd did not properly resolve the issue; a trivial workaround allowed the attack to keep succeeding
  • Later an additional attack vector was also discovered, and a newer fix for PHP was released on May 8th
  • The vulnerability only affects servers that run PHP in CGI mode; it does not affect servers using the standard Apache mod_php or PHP-FPM (which is what ScaleEngine uses)
  • Many large shared hosting providers such as DreamHost and BlueHost run PHP in CGI mode so that each user’s PHP code is executed as that user
  • CGI mode has a performance disadvantage, as a fresh PHP process must be started for each request, resulting in slower responses
  • FastCGI is a technique where a pool of CGI processors that have already been loaded listen on a TCP port or UNIX Socket and accept and process requests, removing the latency from the typical CGI configuration
  • Details on the attack and mitigation strategies
  • Additional Coverage
  • Try exploiting Facebook
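The CGI command-line rule described above is simple enough to reproduce exactly, which makes the bug (CVE-2012-1823) easy to hunt for in access logs. The following is an added example written for these show notes, not code from the episode or from the PHP project: it derives the argv a CGI server would hand to php-cgi from a request's query string, flags any option-looking arguments, and runs that check over a few constructed Apache "combined" log lines. Note that decoding happens after the split on '+', so an encoded dash (%2d) is treated the same as a literal one; a filter that only looks at the raw query string for a leading '-' misses that form.

```python
"""Spot php-cgi option injection (CVE-2012-1823) in a web server access log.

Added example for these show notes, not code from the episode or the PHP project.
The log lines are constructed; the log format assumed is Apache "combined".
"""
import re
from urllib.parse import unquote

# Apache combined log format: ip ident user [time] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def cgi_argv(query_string):
    """Return the argv a CGI-compliant server derives from QUERY_STRING.

    RFC 3875 section 4.4 (the "command line" rule): a query string that contains
    an unencoded '=' is a form submission and yields no arguments; otherwise it
    is an ISINDEX search string, split on '+' with each piece percent-decoded,
    and handed to the script as command-line arguments.  php-cgi then parses
    those arguments as its own options (-s show source, -d set an ini
    directive, -n/-c choose php.ini), which is the whole vulnerability.
    """
    if "=" in query_string:
        return []
    return [unquote(part) for part in query_string.split("+") if part]


def php_cgi_options(target):
    """Return the option-looking arguments a request target would hand to php-cgi.

    Decoding happens after the split, so '%2ds' is caught just like '-s'.
    """
    path, _, query = target.partition("?")
    path = path.lower()
    if not (path.endswith(".php") or "/cgi-bin/php" in path) or not query:
        return []
    return [arg for arg in cgi_argv(query) if arg.startswith("-")]


def scan_log(lines):
    """Return one finding per request whose CGI argv carries php-cgi options."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        options = php_cgi_options(m["target"])
        if options:
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": m["status"],
                "argv": cgi_argv(m["target"].partition("?")[2]),
                "options": options,
            })
    return findings


# Constructed sample: two probes (source disclosure, then ini injection with an
# encoded dash) followed by two legitimate requests.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2012:10:14:22 +0000] "GET /wp-config.php?-s HTTP/1.1" 200 1824
203.0.113.7 - - [03/May/2012:10:14:30 +0000] "POST /index.php?%2dd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512
198.51.100.4 - - [03/May/2012:10:15:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
198.51.100.4 - - [03/May/2012:10:15:05 +0000] "GET /search.php?php+security HTTP/1.1" 200 900
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["target"]} -> php-cgi argv {hit["argv"]} (options {hit["options"]})')
```

The second sample line is the shape to watch for: a 200 response to a request whose argv sets allow_url_include and auto_prepend_file means the attacker could feed PHP code in the request body, so a hit on a 200 there deserves a look at what the process did next, not just a block rule. The same predicate (no unencoded '=' and a decoded argument beginning with '-') is what a web-server-level mitigation has to implement if the PHP binary cannot be upgraded immediately.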

Feedback:

Q. Adam hits the ground running

Helpful Tips/Links:

  • VMware vCenter Converter, Convert Physical Machines to Virtual Machines
  • Backup everything. If there are not at least 3 copies of it, it doesn’t actually exist
  • Don’t be tempted to always roll-your-own solution. Pay for things that have support. That support contract can be your lifeboat, your scapegoat, your ability to ever leave/vacation, and management loves to see an employee doing a great job with a vendor relationship
  • Linux lives in its conf files. Back those up, keep revisions. You mess something up, restore the original
  • Make one change at a time, that way when it breaks, you know which change caused the problem
  • Keep benchmarks and performance graphs; the only way to know whether a server is performing as it should is to compare it to how it performed before. Nagios+NagiosGraph is great for this
  • Keep notes. They help you back out a change, but they are also a log of your worth. Your non-sysadmin colleagues have no idea how much work you do and find it hard to visualize; your log is your proof of accomplishment, and it will help you quantify to your boss why you are valuable to the company
  • Take it slow, and triage like a doctor in the ER. What does the business have to do every day to make money? Make sure that works, is redundant, backed up and scalable. Then work out from there.

Round-Up: