
vulnerabilities and vectors

Re Air Canada Breach:
The firm has also been criticised for its relatively weak password system. Although it is not clear how the breach occurred, one cyber-security specialist highlighted that Air Canada's website still says account passwords should contain between six and 10 characters and that it only accepts letters and numbers, but no other symbols.
We all work very hard for security, and idiots at companies undo everything by their ill-advised policies. It appears from recent changes suggested for password security that the failure is the 10-character limit. My understanding is that it does not matter whether you include non-characters or not; the longer the password is, the faster the probability of brute-force success goes down.
 


Ars Technica said:
Data vandal changes name of New York City... across multiple apps
20-day old change, long corrected by OpenStreetMap, was pushed out via Mapbox.
... According to Nelson A. de Oliveira of the OpenStreetMap data working group, the data being displayed by Mapbox-powered applications was very old data. "The problem that you are seeing was caused by a vandalism that happened 20 days ago," de Oliveira said in an email to Ars. "It was promptly reverted and fixed, but data consumers which, for some reason, are still using an old copy of OSM data, may still display the wrong result."
... Mapbox data comes from more than 130 sources, and the Mapbox spokesperson said that the company has "a strong double validation monitoring system."
 


Michael Tsai said:
HP Leaves Mac Users Vulnerable to Fax Hacks
CNBC said:
Hackers could use fax machines to take over entire networks, researchers warn
Researchers at Nasdaq-listed Check Point Software Technologies said that fax machines — which still reside in many offices — have serious security flaws. Those vulnerabilities could potentially allow an attacker to steal sensitive files through a company's network using just a phone line and a fax number. ...
They faxed over lines of malicious code disguised as an image file to the printer, relying on the fact that no one usually checks the contents received over a fax. The file was decoded and stored in the printer's memory, which allowed the researchers to take over the machine. From there, they were able to infiltrate the entire computer network to which the printer was connected.
intego said:
Intego Exclusive: HP Leaves Mac Users Vulnerable to Fax Hacks
Of the more than 150 affected models for which HP released firmware updates, approximately one quarter of them do not have a Mac-compatible firmware update installer available to download through HP's support site.
 


Ric Ford

MacInTouch
This kind of deep malware infection looks particularly pernicious:
Ars Technica said:
First UEFI malware discovered in wild is laptop security software hijacked by Russians
ESET Research has published a paper detailing the discovery of a malware campaign that used repurposed commercial software to create a backdoor in computers’ firmware—a “rootkit,” active since at least early 2017 and capable of surviving the re-installation of the Windows operating system or even hard drive replacement.
... And based on the way the malware was spread, it is highly likely that it was authored by the Sednit/Fancy Bear/APT 28 threat group—the Russian state-sponsored operation tied by US intelligence and law enforcement to the cyber-attack on the Democratic National Committee.
... WikiLeaks’ Vault 7 files showed that the CIA apparently developed an implant for Apple's computers that used the Extensible Firmware Interface (the predecessor of UEFI) but required physical access to the targeted computer and a malicious Thunderbolt Ethernet adapter (called the “Sonic Screwdriver”). But LoJax is an entirely different animal—it was built to be deployed remotely, using malware tools that can read and overwrite parts of the UEFI firmware’s flash memory.
 



Ric Ford

MacInTouch
Adobe Flash updater trojans are getting even more deceptive. While this example describes Windows malware, I doubt Macs are immune to similar compromises.
Palo Alto Networks said:
Fake Flash Updaters Push Cryptocurrency Miners
In most cases, fake Flash updates pushing malware are not very stealthy. In recent years, such imposters have often been poorly-disguised malware executables or script-based downloaders designed to install cryptocurrency miners, information stealers, or ransomware. If a victim runs such poorly-disguised malware on a vulnerable Windows host, no visible activity happens, unless the fake updater is pushing ransomware.

However, a recent type of fake Flash update has implemented additional deception. As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer. These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.

Because of the legitimate Flash update, a potential victim may not notice anything out of the ordinary. Meanwhile, an XMRig cryptocurrency miner or other unwanted program is quietly running in the background of the victim’s Windows computer.
 


Ric Ford

MacInTouch
Logitech's software had this vulnerability that's just recently been patched:
Sophos said:
Logitech flaw fixed after Project Zero disclosure
... In September, Project Zero researcher Tavis Ormandy installed Logitech’s Options application for Windows (available separately for Mac), used to customise buttons on the company’s keyboards, mice, and touchpads.

Pretty quickly, he noticed some problems with the application’s design, starting with the fact that it…
opens a websocket server on port 10134 that any website can connect to, and has no origin checking at all.
... on 13 December, Logitech suddenly updated Options to version 7.00.564 (7.00.554 for Mac). The company also tweeted that the flaws had been fixed, confirmed by Ormandy on the same day.
Here's the update:
Logitech said:
Logitech Options
  • Software Version: 7.10.5
  • Post Date: Dec 18, 2018
  • OS: Mac OS X 10.14.x, Mac OS X 10.13.x, Mac OS X 10.12.x
... Further security improvements to origin check
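The flaw quoted above is a local WebSocket server that any web page could connect to because nothing looked at the browser's Origin header. The following is an added example, not Logitech's code, of the check a native app embedding such a server should perform before accepting the handshake; the allowlisted origins and the sample request headers are made up for illustration.

```c
/* Added example (not Logitech's code): Origin allowlist check for a
 * WebSocket server embedded in a desktop app, like the one on port 10134
 * described in the post. Host names below are hypothetical. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Exact origins (scheme://host[:port]) allowed to open a socket. The
 * comparison must be a whole-string match: a prefix or substring test
 * would accept "https://options.example.com.evil.net". */
static const char *const ALLOWED_ORIGINS[] = {
    "https://options.example.com",   /* hypothetical vendor web page */
    "http://localhost:10134",        /* hypothetical local UI page   */
};

/* True only when Origin is present and exactly equals an allowlisted
 * entry. Browsers always send Origin on a WebSocket handshake, so a
 * missing header is rejected rather than treated as trusted. */
bool origin_allowed(const char *origin)
{
    if (origin == NULL || *origin == '\0')
        return false;
    size_t n = sizeof ALLOWED_ORIGINS / sizeof ALLOWED_ORIGINS[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(origin, ALLOWED_ORIGINS[i]) == 0)
            return true;
    return false;
}

/* Header names are case-insensitive ("origin:" and "Origin:" are the
 * same header), so match the name without regard to case. */
static bool header_name_is(const char *line, const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; i < n; i++) {
        if (line[i] == '\0' ||
            tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return false;
    }
    return line[n] == ':';
}

/* Handshake decision over raw "Name: value\r\n" request lines: find the
 * Origin header and accept only if origin_allowed() says so. Any request
 * without an Origin header, or with an oversized one, is refused. */
bool handshake_accept(const char *raw_headers)
{
    const char *p = raw_headers;
    while (p != NULL && *p != '\0') {
        if (header_name_is(p, "Origin")) {
            const char *v = p + strlen("Origin") + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            const char *end = strstr(v, "\r\n");
            size_t len = end ? (size_t)(end - v) : strlen(v);
            char buf[256];
            if (len >= sizeof buf)
                return false;            /* oversized header: reject */
            memcpy(buf, v, len);
            buf[len] = '\0';
            return origin_allowed(buf);
        }
        p = strstr(p, "\r\n");           /* advance to the next line */
        if (p != NULL)
            p += 2;
    }
    return false;                        /* no Origin header at all */
}
```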
 


Re Logitech "Unifying Receiver" vulnerability:

I'm using Logitech wireless keyboards and trackballs on some Linux NUCs. The newest Logitechs come with a "unifying receiver" - instead of having to plug in one receiver for the keyboard and another for the trackball (or mouse, or whatever), one receiver serves both. They're marked (as are compatible devices) with an orange * (Logitech says it's a star). Available directly from Amazon, if you need one, for $9.70:

Ubuntu 18.10 identified the connected Unifying Receiver and tried to install a software update to fix an exploit. Error and time out, until I realized I had to boot the machine with the Unifying Receiver in place but no devices connected to it. Makes sense that the Logitech firmware couldn't be updated while in use.

Logitech statement about and links to anti-exploit updates for Windows and Mac at this link:
 


Ric Ford

MacInTouch
Logitech's software had this vulnerability that's just recently been patched:

Here's the update:
Logitech said:
Logitech Options
  • Software Version: 7.10.5
  • Post Date: Dec 18, 2018
  • OS: Mac OS X 10.14.x, Mac OS X 10.13.x, Mac OS X 10.12.x
... Further security improvements to origin check
And here's Logitech's other software, which is an installer program that includes a Logitech Unifying Software app that allows you to pair the Unifying Receiver with compatible devices (mice, keyboards, etc.). It also can update the firmware on the Unifying Receiver.

The installer also installs Logitech Updater apps with root and admin privileges in Library/Application Support folders.
Logitech Support said:
Logitech Unifying Software

Logitech Unifying software lets you manage your devices that use a Unifying receiver. You can add or remove devices using the software's wizard or use advanced mode. Advanced mode also displays the status of your paired devices, battery level and firmware version.

Why Update?
  • Added 64-bit support
  • Updated logo

  • Software Version: 1.3.375
  • Last Update: 23-AUG-2018
  • OS: Mac OS X 10.11.x, Mac OS X 10.12.x, Mac OS X 10.13.x
  • File Size: 3.8 MB
 


I received a "Critical/Ongoing Security Advisory" email from Synology this morning (12/21/2018) concerning CVE-2018-1160.
Synology said:
Critical Security Advisory
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
What's Netatalk? Traced that down to the Debian site (which, I presume, reveals that Synology, like Ubuntu, bases its OS on Debian Linux).
https://www.debian.org/security/2018/dsa-4356 said:
Debian Security Advisory DSA-4356-1 netatalk -- security update
Jacob Baines discovered a flaw in the handling of the DSI Opensession command in Netatalk, an implementation of the AppleTalk Protocol Suite, allowing an unauthenticated user to execute arbitrary code with root privileges.
For the stable distribution (stretch), this problem has been fixed in version 2.2.5-2+deb9u1.
We recommend that you upgrade your netatalk packages.
For the detailed security status of netatalk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/netatalk
Just because Netatalk is an implementation of the AppleTalk protocol doesn't mean AppleTalk itself and Macs are vulnerable. Didn't I read that AppleTalk has been deprecated? Which doesn't mean it is gone from the latest OS version, and many of us are on older ones.

All I knew to do at the moment was disable AFP (Apple Filing Protocol) on my Synologies. I presume the patch that's already in Debian will be delivered soon by Synology.
 



Just because Netatalk is an implementation of the AppleTalk protocol doesn't mean AppleTalk itself and Macs are vulnerable. Didn't I read that AppleTalk has been deprecated? Which doesn't mean it is gone from the latest OS version, and many of us are on older ones.
You are absolutely correct on all counts.

Netatalk is an open source implementation of the AppleTalk protocols and related file server applications. Although there might be vulnerabilities in the protocol itself (which would affect all implementations) this bug is in the Netatalk implementation and would have nothing at all to do with Apple's implementation.

Apple has pretty much abandoned AppleTalk, but that only matters for people running current generation Apple software. There are a lot of people running old Macs or have old Apple peripherals and Netatalk allows the Unix/Linux world to be compatible with them.
 


Just because Netatalk is an implementation of the AppleTalk protocol doesn't mean AppleTalk itself and Macs are vulnerable. Didn't I read that AppleTalk has been deprecated? Which doesn't mean it is gone from the latest OS version, and many of us are on older ones.

All I knew to do at the moment was disable AFP (Apple Filing Protocol) on my Synologies. I presume the patch that's already in Debian will be delivered soon by Synology.
AppleTalk is a networking protocol, similar to TCP/IP. AppleTalk was deprecated in Mac OS X, and removed in Mac OS X 10.6.

AppleShare (AFP) is a file sharing protocol (similar to SMB or NFS). It initially ran exclusively over an AppleTalk network, but TCP/IP support was added with AppleShare IP around the time of Mac OS 7.6. AppleShare over IP has persisted until today, even though it is currently deprecated.

Netatalk is an open-source implementation of both the AppleTalk protocol and an AFP server (and other services). The vulnerability cited is specific to netatalk's AppleTalk implementation. Disabling the AFP server on your Synologies did nothing to address the vulnerability in the AppleTalk network stack.

No one really runs AppleTalk networks anymore, right? It's been about 20 years since I've seen one. I can't imagine it's enabled by default, and if you do have it on, there's probably no reason to.
 


Also FYI:
Sophos Naked Security said:
More phishing attacks on Yahoo and Gmail SMS 2FA

The second report in a week has analysed phishing attacks that are attempting – and probably succeeding – in bypassing older forms of two-factor authentication (2FA).

... This appears to include references to phished OTP 2FA codes but with an interesting twist – once they’d gained access to the account, the attackers also set up a third-party app password to maintain persistence.

This would mean that even if a phished individual realised they’d been hacked and regained access to their account, the attackers would have created a sneaky backdoor that wouldn’t be immediately obvious to many users.

... encryption keys and OTP codes are no different from usernames and passwords – in principle they can be phished if the attackers are able to jump through a few extra hoops.

According to Amnesty, in the case of Tutanota the phishing campaign was able to use a similar-looking domain, tutanota.org (the correct domain being tutanota.com).

To boost verisimilitude, the attacks added baubles such as an HTTPS connection/padlock, and a carefully-cloned replica of the real site.
The OTP codes are phished by the fake site presenting a clone of the real site's OTP code request. The fake login screen sends credentials to the real server, causing the user to get a text message code, which he types into the fake code request page - which is then immediately sent to the real site.

The upshot of all this is that 2FA doesn't eliminate the need to make sure you have the correct URL and to check the owner of a site's security certificate.
 


The curious might want to trace further to the Netatalk - Networking Apple Macintosh through Open Source home page.
Glad to see it's still being maintained, both for users of older Mac OSes, and users of third-party networked storage. I hope the NAS vendors are keeping up to date with those changes.

Some years ago, at the outfit I used to work for, someone sent us a Buffalo NAS device, so we could fill it up with data (that was part of our business). Apple had just updated AppleTalk to remove a security hole, and in so doing, made AppleTalk incompatible with earlier versions. The version of Netatalk on the Buffalo unit was about three years out of date. I kept looking on their site for updates, but they remained behind the curve. I ended up having to transfer the data using NFS, even though at the time, Buffalo had a fairly ancient version of NFS that kept the transfer rates pretty low.
 


Disabling the AFP server on your Synologies did nothing to address the vulnerability in the AppleTalk network stack.
Thanks, Todd, and apologies for not responding earlier when this was probably closer to the top of your mind.

Synology issued a Netatalk patch on December 21. Synology's statement about the vulnerability is Apple-esque in its brevity. iXsystems explains more.
iXsystems Inc. said:
Important Security Update for TrueNAS & FreeNAS
Netatalk is included in TrueNAS & FreeNAS. However, this vulnerability only impacts those who have the AFP service enabled in TrueNAS & FreeNAS.
 


Synology issued a Netatalk patch on December 21. Synology's statement about the vulnerability is Apple-esque in its brevity. iXsystems explains more.
iXsystems Inc. said:
Important Security Update for TrueNAS & FreeNAS
Netatalk is included in TrueNAS & FreeNAS. However, this vulnerability only impacts those who have the AFP service enabled in TrueNAS & FreeNAS.
That was my bad reading of the Debian security advisory. "AppleTalk Protocol Suite" is sometimes used to refer to the entire suite of protocols that Apple developed in the 80's, all the way from the physical (LocalTalk) to the service (AppleShare) level. So, the Debian advisory wasn't talking about the AppleTalk networking protocol.

Rather, looking at the proof of concept exploit code, it appears that the attack targets the authentication mechanism of the AFP service in Netatalk. So, yes, disabling the AFP service on old versions of Netatalk is the correct mitigation step.

And, devices like the Synology probably do not implement AppleTalk networking. In fact, looking closer at the Netatalk documentation, it appears that they dropped support for AppleTalk networking, as well as all non-AFP services (like printing and time services) as of Netatalk 3.0. So currently, Netatalk basically just serves as an open-source implementation of AFP over IP.
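The advisory earlier in the thread describes CVE-2018-1160 as an out-of-bounds write in dsi_opensess.c caused by missing bounds checks on attacker-controlled data, and the post above narrows it to the DSI/AFP session setup. The following is an added example, not netatalk's code, of how a DSI OpenSession option block should be parsed so that a length byte in the packet can never size a copy into a fixed-width field. It assumes the DSI layout of one-byte type, one-byte length, then that many data bytes, with type 0 the attention quantum and type 1 the replay cache size, both 4-byte big-endian values; the sample packets are constructed, not captured traffic.

```c
/* Added example (not netatalk's code): bounds-checked parsing of DSI
 * OpenSession options. Assumed layout: repeated (type, length, data)
 * records; type 0 = attention quantum, type 1 = server replay cache size,
 * each carrying a 4-byte big-endian value. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DSIOPT_ATTNQUANT 0x00
#define DSIOPT_REPLCSIZE 0x01

struct dsi_session {
    uint32_t attn_quantum;
    uint32_t replay_cache_size;
    /* A real server keeps buffers and callbacks after these fields; a copy
     * sized by the packet's own length byte would run into that state. */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns true when every record was well-formed and applied. Two checks
 * matter: the record's data must lie inside the packet (otherwise an
 * out-of-bounds read), and a known option must be exactly the size of its
 * destination field (otherwise an out-of-bounds write). Unknown types are
 * skipped so future protocol extensions do not break the parser. */
bool dsi_parse_opensession(const uint8_t *buf, size_t len,
                           struct dsi_session *s)
{
    size_t i = 0;
    while (i < len) {
        if (len - i < 2)
            return false;                 /* truncated type/length header */
        uint8_t type = buf[i];
        uint8_t olen = buf[i + 1];
        const uint8_t *data = buf + i + 2;
        if (olen > len - i - 2)
            return false;                 /* data would run past the packet */
        switch (type) {
        case DSIOPT_ATTNQUANT:
            if (olen != sizeof s->attn_quantum)
                return false;             /* never let olen size the copy */
            s->attn_quantum = be32(data);
            break;
        case DSIOPT_REPLCSIZE:
            if (olen != sizeof s->replay_cache_size)
                return false;
            s->replay_cache_size = be32(data);
            break;
        default:
            break;                        /* unknown option: skip its data */
        }
        i += 2 + olen;
    }
    return true;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = {          /* quantum 1024, cache 16 */
    0x00, 0x04, 0x00, 0x00, 0x04, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x10 };
static const uint8_t SAMPLE_OVERLONG[] = {      /* 8 data bytes for a 4-byte field */
    0x00, 0x08, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };
static const uint8_t SAMPLE_TRUNCATED[] = {     /* claims 4 bytes, carries 2 */
    0x01, 0x04, 0x00, 0x00 };

int main(void)
{
    struct dsi_session s = {0};
    printf("good: %d (quantum %u)\n", dsi_parse_opensession(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &s), s.attn_quantum);
    printf("overlong: %d\n", dsi_parse_opensession(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG, &s));
    printf("truncated: %d\n", dsi_parse_opensession(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &s));
    return 0;
}
```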
 


Ric Ford

MacInTouch
There are plenty of alternatives to this MacPaw software....
Threatpost said:
A Dozen Flaws in Popular Mac Clean-Up Software Allow Local Root Access
A passel of privilege-escalation vulnerabilities in MacPaw’s CleanMyMac X software would allow a local attacker to gain root access to an Apple machine in various ways.

CleanMyMac X is a cleanup application for MacOS that optimizes the drives and frees up space by scanning for unused, redundant or unnecessary files and deleting them. No fewer than a dozen flaws plague 4.0 and earlier versions of the software, all of them in the package’s “helper protocol.”

“The application is able to scan the system and user directories, looking for unused and leftover files and applications,” explained Cisco in the advisory, issued Wednesday. “The application also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.”

As such, the helper functions run as root functions; the flaws arise from the fact that they can be accessed by applications without validation – thus giving those applications root access.
 




I've been using AppCleaner from FreeMacSoft.
I was about to send a +1 for this recommendation, but then realized that the name of your "AppCleaner"... and what I was using was App Cleaner & Uninstaller from Nektony. The latter used to have a free version for uninstalls (I'm at v.6.0), but with App Store rule changes, it is only available directly from the developer - $9.99 with a 7-day free trial (v. 6.4) and is able to do additional things now that it's outside Apple's sandbox.

I used App Cleaner & Uninstaller to prep my transition to a new laptop and Mojave, and found it to be excellent. It will also find orphan bits left over from previously-deleted applications (that was a big help on an 8-year old laptop), which I don't think AppCleaner can do. In addition to application uninstalls, it also provides capabilities for extensions and startup items. No affiliation, just a satisfied user.
 


Ric Ford

MacInTouch
These massive breaches of personal information databases seem to be an everyday occurrence nowadays:
Ars Technica said:
Monster 773 million-record breach list contains plaintext passwords
Have I Been Pwned, the breach notification service that serves as a bellwether for the security of login credentials, has just gotten its hands on its biggest data haul ever...

The 773 million email addresses and 21 million passwords easily beat Have I Been Pwned’s previous record breach notification that contained 711 million records. But there are other things that make this latest installment stand out. In all, it contains 1.16 billion email-password combinations. That means that the list covers the same people multiple times, but in many cases with different passwords. Also significant: the list—contained in 12,000 separate files that take up more than 87 gigabytes of disk space—has 2.69 billion rows, many of which contain duplicate entries that Hunt had to clean up.

About 663 million of the addresses have been listed in previous Have I Been Pwned notifications, meaning 140 million of the addresses have never been seen by the service before. Hunt said that some of his own credentials were included in Wednesday’s notification, although none were currently in use.
 


Ric Ford

MacInTouch
Some serious stuff here:
Dan Goodin (Ars Technica) said:
DHS: Multiple US gov domains hit in serious DNS hijacking wave
The Department of Homeland Security has issued an emergency directive ordering administrators of most federal agencies to protect their Internet domains against a rash of attacks that have hit executive branch websites and email servers in recent weeks.

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) issued the directive on Tuesday, 12 days after security firm FireEye warned of an unprecedented wave of ongoing attacks that altered the domain name system records belonging to telecoms, ISPs, and government agencies.

... The attacks are serious because the attackers are able to obtain browser-trusted TLS certificates for the hijacked domains. That allows the interception to occur with no obvious signs that anything is amiss. For more on how the attacks work, see Ars’ previously mentioned coverage.
 


Ric Ford

MacInTouch
Howard Oakley looks at security problems in his series about PDF issues:
Eclectic Light Co. said:
PDF without Adobe: 8 Security, integrity and forensics
The PDF format has been designed to be rich in content, which can include:
  • Images, which can be in formats which have been used to exploit vulnerabilities, such as JPEG.
  • URIs, which can link to malicious sites.
  • Embedded files, which could be executable malicious code.
  • JavaScript objects, which can exploit vulnerabilities in the reader app in particular.
These make PDF a good vector for the transmission of malware, and its opaque format offers the malware developer effective ways of concealing a wide range of malicious components.
 


Ric Ford

MacInTouch
And more examples of PDF problems:
Dan Goodin said:
Hard-to-detect credential-theft malware has infected 1,200 and is still going
The latest Separ arrives in what appears to be a PDF document. Once clicked, the file runs a chain of other apps and file types that are commonly used by system administrators. An inspection of the servers being used in the campaign show that it, so far, has collected credentials belonging to about 1,200 organizations or individuals. The number of infections continues to rise, which indicates that the spartan approach has been effective in helping it fly under the radar.

"Although the attack mechanism used by this malware is very simple, and no attempt has been made by the attacker to evade analysis, the growth in the number of victims claimed by this malware shows that simple attacks can be very effective," Guy Propper, Deep Instinct's threat intelligence team leader, wrote in a blog post. "The use of scripts and legitimate binaries, in a 'living off the land' scenario, means the attacker successfully evades detection, despite the simplicity of the attack."
 




Just got the following notice from ‘Have I Been Pwned’:
You've been pwned!
You signed up for notifications when your account was pwned in a data breach and unfortunately, it's happened. Here's what's known about the breach:
Email found: xxxxxxx@xxx.com
Breach: Verifications.io
Date of breach: 25 Feb 2019
Number of accounts: 763,117,241
Compromised data: Dates of birth, Email addresses, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses
Description: In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data. The Verifications.io website went offline during the disclosure process, although an archived copy remains viewable.
 

