vulnerabilities and vectors

Just because Netatalk is an implementation of the AppleTalk protocol doesn't mean AppleTalk itself and Macs are vulnerable. Didn't I read that AppleTalk has been deprecated? Which doesn't mean it is gone from the latest OS version, and many of us are on older ones.

All I knew to do at the moment was disable AFP (Apple Filing Protocol) on my Synologies. I presume the patch that's already in Debian will be delivered soon by Synology.
AppleTalk is a networking protocol, similar to TCP/IP. AppleTalk was deprecated in Mac OS X, and removed in Mac OS X 10.6.

AppleShare (AFP) is a file sharing protocol (similar to SMB or NFS). It initially ran exclusively over an AppleTalk network, but TCP/IP support was added with AppleShare IP around the time of Mac OS 7.6. AppleShare over IP has persisted until today, even though it is currently deprecated.

Netatalk is an open-source implementation of both the AppleTalk protocol and an AFP server (and other services). The vulnerability cited is specific to netatalk's AppleTalk implementation. Disabling the AFP server on your Synologies did nothing to address the vulnerability in the AppleTalk network stack.

No one really runs AppleTalk networks anymore, right? It's been about 20 years since I've seen one. I can't imagine it's enabled by default, and if you do have it on, there's probably no reason to.
 


Also FYI:
Sophos Naked Security said:
More phishing attacks on Yahoo and Gmail SMS 2FA

The second report in a week has analysed phishing attacks that are attempting – and probably succeeding – in bypassing older forms of two-factor authentication (2FA).

... This appears to include references to phished OTP 2FA codes but with an interesting twist – once they’d gained access to the account, the attackers also set up a third-party app password to maintain persistence.

This would mean that even if a phished individual realised they’d been hacked and regained access to their account, the attackers would have created a sneaky backdoor that wouldn’t be immediately obvious to many users.

... encryption keys and OTP codes are no different from usernames and passwords – in principle they can be phished if the attackers are able to jump through a few extra hoops.

According to Amnesty, in the case of Tutanota the phishing campaign was able to use a similar-looking domain, tutanota.org (the correct domain being tutanota.com).

To boost verisimilitude, the attacks added baubles such as an HTTPS connection/padlock, and a carefully-cloned replica of the real site.
The OTP codes are phished by the fake site presenting a clone of the real site's OTP code request. The fake login screen sends credentials to the real server, causing the user to get a text message code, which he types into the fake code request page - which is then immediately sent to the real site.

The upshot of all this is that 2FA doesn't eliminate the need to make sure you have the correct URL and to check the owner of a site's security certificate.
 
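The relay described in the post above, as an added example that is not part of the original post or of any product it mentions: a small Python model of a fake page forwarding a phished password and SMS code to the real site, beside a second factor that signs the origin the browser is actually on, which the same relay cannot forward. The origins, the password and the MAC-based "authenticator" are constructed for illustration (loosely modelled on how FIDO/WebAuthn authenticators include the origin in what they sign; this is not that protocol).

```python
# Added example, not from the original post: a toy model of the real-time
# relay that phishes SMS/OTP codes, beside an origin-bound second factor that
# the same relay cannot forward. Origins, password and the MAC-based
# "authenticator" are constructed for illustration (loosely modelled on how
# FIDO/WebAuthn signs the origin; this is not the real protocol).
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://mail.example.com"  # constructed: the genuine site
FAKE_ORIGIN = "https://mail.example.org"  # constructed: the look-alike phishing site


def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Toy authenticator: the MAC covers the challenge AND the origin the
    browser is actually talking to, so a signature made on the fake origin
    is not valid for the real one."""
    return hmac.new(key, challenge + b"\x00" + origin.encode(), hashlib.sha256).digest()


class RealSite:
    """The genuine server, offering an SMS code and an origin-bound factor."""

    def __init__(self, password: str, device_key: bytes):
        self._password = password
        self._device_key = device_key
        self.last_sms_code = None        # what the site "texts" to the user
        self._pending_challenge = None

    def login(self, password: str) -> bool:
        if not hmac.compare_digest(password, self._password):
            return False
        self.last_sms_code = f"{secrets.randbelow(10**6):06d}"
        return True

    def verify_sms_code(self, code: str) -> bool:
        ok = self.last_sms_code is not None and hmac.compare_digest(code, self.last_sms_code)
        self.last_sms_code = None        # single use
        return ok

    def start_challenge(self) -> bytes:
        self._pending_challenge = secrets.token_bytes(16)
        return self._pending_challenge

    def verify_origin_bound(self, signature: bytes) -> bool:
        if self._pending_challenge is None:
            return False
        expected = authenticator_sign(self._device_key, self._pending_challenge, REAL_ORIGIN)
        self._pending_challenge = None
        return hmac.compare_digest(signature, expected)


class Victim:
    """The user: types the password and whatever code arrives by SMS into the
    page in front of them, and lets the browser sign for the origin it is on."""

    def __init__(self, password: str, device_key: bytes, real_site: RealSite):
        self.password = password
        self._device_key = device_key
        self._phone = real_site          # the SMS always comes from the real site

    def read_sms(self) -> str:
        return self._phone.last_sms_code

    def browser_sign(self, challenge: bytes, origin_in_address_bar: str) -> bytes:
        return authenticator_sign(self._device_key, challenge, origin_in_address_bar)


def otp_relay_succeeds() -> bool:
    """Fake page forwards the password, the real site texts a code, the user
    types it into the fake page, which forwards it: the attacker is in."""
    key = secrets.token_bytes(32)
    real = RealSite("hunter2", key)      # constructed password
    victim = Victim("hunter2", key, real)
    if not real.login(victim.password):  # proxy relays the phished password
        return False
    return real.verify_sms_code(victim.read_sms())   # proxy relays the phished code


def origin_bound_relay_succeeds() -> bool:
    """Same relay against the origin-bound factor: the browser signs for the
    look-alike origin it is on, and the real site rejects that signature."""
    key = secrets.token_bytes(32)
    real = RealSite("hunter2", key)
    victim = Victim("hunter2", key, real)
    challenge = real.start_challenge()   # proxy fetches a genuine challenge
    sig = victim.browser_sign(challenge, FAKE_ORIGIN)
    return real.verify_origin_bound(sig)


def legitimate_origin_bound_login_succeeds() -> bool:
    key = secrets.token_bytes(32)
    real = RealSite("hunter2", key)
    victim = Victim("hunter2", key, real)
    challenge = real.start_challenge()
    return real.verify_origin_bound(victim.browser_sign(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    print("OTP relay phish works:", otp_relay_succeeds())
    print("relay against origin-bound factor works:", origin_bound_relay_succeeds())
    print("legitimate origin-bound login works:", legitimate_origin_bound_login_succeeds())
```

The point the model makes is the one the post ends on: a code the user reads and retypes carries no information about which site asked for it, so the relay is invisible to the real server; a factor whose signature includes the origin fails the moment the address bar is wrong, with no action required from the user.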


The curious might want to trace further to the Netatalk - Networking Apple Macintosh through Open Source home page.
Glad to see it's still being maintained, both for users of older Mac OSes, and users of third-party networked storage. I hope the NAS vendors are keeping up to date with those changes.

Some years ago, at the outfit I used to work for, someone sent us a Buffalo NAS device, so we could fill it up with data (that was part of our business). Apple had just updated AppleTalk to remove a security hole, and in so doing, made AppleTalk incompatible with earlier versions. The version of Netatalk on the Buffalo unit was about three years out of date. I kept looking on their site for updates, but they remained behind the curve. I ended up having to transfer the data using nfs, even though at the time, Buffalo had a fairly ancient version of nfs that kept the transfer rates pretty low.
 


Disabling the AFP server on your Synologies did nothing to address the vulnerability in the AppleTalk network stack.
Thanks, Todd, and apologies for not responding earlier when this was probably closer to the top of your mind.

Synology issued a Netatalk patch on December 21. Synology's statement about the vulnerability is Apple-esque in its brevity. iXsystems explains more.
iXsystems Inc. said:
Important Security Update for TrueNAS & FreeNAS
Netatalk is included in TrueNAS & FreeNAS. However, this vulnerability only impacts those who have the AFP service enabled in TrueNAS & FreeNAS.
 


Synology issued a Netatalk patch on December 21. Synology's statement about the vulnerability is Apple-esque in its brevity. iXsystems explains more.
iXsystems Inc. said:
Important Security Update for TrueNAS & FreeNAS
Netatalk is included in TrueNAS & FreeNAS. However, this vulnerability only impacts those who have the AFP service enabled in TrueNAS & FreeNAS.
That was my bad reading of the Debian security advisory. "AppleTalk Protocol Suite" is sometimes used to refer to the entire suite of protocols that Apple developed in the 80's, all the way from the physical (LocalTalk) to the service (AppleShare) level. So, the Debian advisory wasn't talking about the AppleTalk networking protocol.

Rather, looking at the proof of concept exploit code, it appears that the attack targets the authentication mechanism of the AFP service in Netatalk. So, yes, disabling the AFP service on old versions of Netatalk is the correct mitigation step.

And, devices like the Synology probably do not implement AppleTalk networking. In fact, looking closer at the Netatalk documentation, it appears that they dropped support for AppleTalk networking, as well as all non-AFP services (like printing and time services) as of Netatalk 3.0. So currently, Netatalk basically just serves as an open-source implementation of AFP over IP.
 


Ric Ford

MacInTouch
There are plenty of alternatives to this MacPaw software....
Threatpost said:
A Dozen Flaws in Popular Mac Clean-Up Software Allow Local Root Access
A passel of privilege-escalation vulnerabilities in MacPaw’s CleanMyMac X software would allow a local attacker to gain root access to an Apple machine in various ways.

CleanMyMac X is a cleanup application for MacOS that optimizes the drives and frees up space by scanning for unused, redundant or unnecessary files and deleting them. No fewer than a dozen flaws plague 4.0 and earlier versions of the software, all of them in the package’s “helper protocol.”

“The application is able to scan the system and user directories, looking for unused and leftover files and applications,” explained Cisco in the advisory, issued Wednesday. “The application also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.”

As such, the helper functions run as root functions; the flaws arise from the fact that they can be accessed by applications without validation – thus giving those applications root access.
 




I've been using AppCleaner from FreeMacSoft.
I was about to send a +1 for this recommendation, but then realized that the name of your "AppCleaner"... and what I was using was App Cleaner & Uninstaller from Nektony. The latter used to have a free version for uninstalls (I'm at v.6.0), but with App Store rule changes, it is only available directly from the developer - $9.99 with a 7-day free trial (v. 6.4) and is able to do additional things now that it's outside Apple's sandbox.

I used App Cleaner & Uninstaller to prep my transition to a new laptop and Mojave, and found it to be excellent. It will also find orphan bits left over from previously-deleted applications (that was a big help on an 8-year old laptop), which I don't think AppCleaner can do. In addition to application uninstalls, it also provides capabilities for extensions and startup items. No affiliation, just a satisfied user.
 


Ric Ford

MacInTouch
These massive breaches of personal information databases seem to be an everyday occurrence nowadays:
Ars Technica said:
Monster 773 million-record breach list contains plaintext passwords
Have I Been Pwned, the breach notification service that serves as a bellwether for the security of login credentials, has just gotten its hands on its biggest data haul ever...

The 773 million email addresses and 21 million passwords easily beat Have I Been Pwned’s previous record breach notification that contained 711 million records. But there are other things that make this latest installment stand out. In all, it contains 1.16 billion email-password combinations. That means that the list covers the same people multiple times, but in many cases with different passwords. Also significant: the list—contained in 12,000 separate files that take up more than 87 gigabytes of disk space—has 2.69 billion rows, many of which contain duplicate entries that Hunt had to clean up.

About 663 million of the addresses have been listed in previous Have I Been Pwned notifications, meaning 140 million of the addresses have never been seen by the service before. Hunt said that some of his own credentials were included in Wednesday’s notification, although none were currently in use.
 
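A list like this one ends up in Have I Been Pwned's Pwned Passwords corpus, and the practical question is how to check a password against it without handing the password to anyone. The Python below is an added example, not code from the article or from Have I Been Pwned: it implements the client side of HIBP's range API, which sends only the first five hex characters of the password's SHA-1 and matches the remaining 35 locally. The endpoint URL is the real one; the "server" and its breach counts are constructed so the example runs offline, and the counts are made up.

```python
# Added example, not from the article or from Have I Been Pwned: checking a
# password against HIBP's Pwned Passwords range API without sending the
# password. Only the first 5 hex characters of SHA-1 leave the machine; the
# remaining 35 are matched locally. The "server" below and its counts are
# constructed so the example runs offline.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # the real endpoint


def sha1_prefix_suffix(password: str):
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Range responses are lines of 'SUFFIX:COUNT' (35 hex chars, colon, integer)."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue   # skip malformed lines instead of crashing on a hostile response
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real network fetch; not used by the offline demo below."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service: a tiny "breach corpus" with made-up counts.
FAKE_CORPUS = {"password": 3730471, "hunter2": 17, "letmein": 242}


def fetch_range_fake(prefix: str) -> str:
    """Behaves like the range endpoint over FAKE_CORPUS (constructed)."""
    lines = []
    for pw, n in FAKE_CORPUS.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    lines.append("0" * 35 + ":1")   # filler so a response is never empty
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "seen", breach_count(pw, fetch_range_fake), "times (constructed corpus)")
```

To run it for real, pass `fetch_range_live` instead of `fetch_range_fake`; the service returns a few hundred suffixes per prefix, so a matching suffix proves nothing about which one you asked for.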


Ric Ford

MacInTouch
Some serious stuff here:
Dan Goodin (Ars Technica) said:
DHS: Multiple US gov domains hit in serious DNS hijacking wave
The Department of Homeland Security has issued an emergency directive ordering administrators of most federal agencies to protect their Internet domains against a rash of attacks that have hit executive branch websites and email servers in recent weeks.

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) issued the directive on Tuesday, 12 days after security firm FireEye warned of an unprecedented wave of ongoing attacks that altered the domain name system records belonging to telecoms, ISPs, and government agencies.

... The attacks are serious because the attackers are able to obtain browser-trusted TLS certificates for the hijacked domains. That allows the interception to occur with no obvious signs that anything is amiss. For more on how the attacks work, see Ars’ previously mentioned coverage.
 


Ric Ford

MacInTouch
Howard Oakley looks at security problems in his series about PDF issues:
Eclectic Light Co. said:
PDF without Adobe: 8 Security, integrity and forensics
The PDF format has been designed to be rich in content, which can include:
  • Images, which can be in formats which have been used to exploit vulnerabilities, such as JPEG.
  • URIs, which can link to malicious sites.
  • Embedded files, which could be executable malicious code.
  • JavaScript objects, which can exploit vulnerabilities in the reader app in particular.
These make PDF a good vector for the transmission of malware, and its opaque format offers the malware developer effective ways of concealing a wide range of malicious components.
 
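Each item in that list corresponds to PDF name objects that a quick triage can look for before a file is opened. The scanner below is an added example, not code from the article or from the Eclectic Light Co.; the three PDFs it runs over are constructed inline. One caveat a practitioner will want: it reads raw bytes only, so anything inside a compressed stream or object stream (or a name written with `#xx` hex escapes) is invisible to it, which is exactly the concealment the article warns about, so it also reports when such streams are present.

```python
# Added example, not from the article: byte-level triage of a PDF for the
# risky components listed above. The PDFs below are constructed; real files
# usually hide these names inside compressed streams, which this scan flags
# as opaque rather than pretending to have inspected them.
import re

# PDF name objects tied to each risk, plus the actions that trigger them.
RISKY_NAMES = {
    b"/JavaScript": "JavaScript action (exploits reader vulnerabilities)",
    b"/JS": "JavaScript code or stream",
    b"/URI": "URI action (link to an external, possibly malicious, site)",
    b"/EmbeddedFile": "embedded file (could be an executable payload)",
    b"/Launch": "launch action (runs an external program)",
    b"/OpenAction": "action run automatically when the document opens",
    b"/AA": "additional actions (run on page or form events)",
    b"/DCTDecode": "JPEG-encoded image (a format used to exploit vulnerabilities)",
}

# Filters and object streams whose contents a byte scan cannot see.
OPAQUE_MARKERS = (b"/FlateDecode", b"/ObjStm", b"/LZWDecode",
                  b"/ASCIIHexDecode", b"/ASCII85Decode", b"/RunLengthDecode")


def _whole_name(name: bytes) -> re.Pattern:
    # A following letter or digit would make it a different name (/JS vs /JSX).
    return re.compile(re.escape(name) + rb"(?![A-Za-z0-9])")


def scan_pdf(data: bytes) -> list:
    """Return [(name, reason), ...] for each risky name visible in the raw bytes."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    return [(name.decode(), why) for name, why in RISKY_NAMES.items()
            if _whole_name(name).search(data)]


def has_opaque_streams(data: bytes) -> bool:
    """True when compressed or object streams are present: their contents must
    be inflated (e.g. with a PDF parser) before they can be judged."""
    return any(_whole_name(m).search(data) for m in OPAQUE_MARKERS)


def triage(data: bytes) -> dict:
    findings = scan_pdf(data)
    opaque = has_opaque_streams(data)
    verdict = "suspicious" if findings else ("needs inflating" if opaque else "nothing seen")
    return {"risky_names": [n for n, _ in findings], "opaque": opaque, "verdict": verdict}


# Constructed sample 1: JavaScript fired on open plus an embedded file.
MALICIOUS_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /JavaScript /JS (app.alert\(1\)) >> endobj
5 0 obj << /Type /Filespec /F (payload.exe) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 4 >> stream
MZ..
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: one page of uncompressed text, nothing else.
BENIGN_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >> endobj
4 0 obj << /Length 35 >> stream
BT /F1 12 Tf 72 720 Td (Hello) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 3: same page, but the content stream is compressed, so
# whatever it holds is not visible to this scan.
COMPRESSED_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >> endobj
4 0 obj << /Length 28 /Filter /FlateDecode >> stream
<deflated bytes stand here>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF), ("compressed", COMPRESSED_PDF)):
        print(label, triage(pdf))
```

Treat "nothing seen" as meaning only that: a file that inflates to the same names is just as dangerous, and a "needs inflating" result should be handed to a real PDF parser (or simply not opened on a machine that matters).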


Ric Ford

MacInTouch
And more examples of PDF problems:
Dan Goodin said:
Hard-to-detect credential-theft malware has infected 1,200 and is still going
The latest Separ arrives in what appears to be a PDF document. Once clicked, the file runs a chain of other apps and file types that are commonly used by system administrators. An inspection of the servers being used in the campaign show that it, so far, has collected credentials belonging to about 1,200 organizations or individuals. The number of infections continues to rise, which indicates that the spartan approach has been effective in helping it fly under the radar.

"Although the attack mechanism used by this malware is very simple, and no attempt has been made by the attacker to evade analysis, the growth in the number of victims claimed by this malware shows that simple attacks can be very effective," Guy Propper, Deep Instinct's threat intelligence team leader, wrote in a blog post. "The use of scripts and legitimate binaries, in a 'living off the land' scenario, means the attacker successfully evades detection, despite the simplicity of the attack.
 




Just got the following notice from ‘Have I Been Pwned’:
You've been pwned!
You signed up for notifications when your account was pwned in a data breach and unfortunately, it's happened. Here's what's known about the breach:
Email found:xxxxxxx@xxx.com
Breach:Verifications.io
Date of breach:25 Feb 2019
Number of accounts:763,117,241
Compromised data:Dates of birth, Email addresses, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses
Description:In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data. The Verifications.io website went offline during the disclosure process, although an archived copy remains viewable.
 


Ric Ford

MacInTouch
Just got the following notice from ‘Have I Been Pwned’...
I got the same notice and followed up for a report on 27 compromised email addresses in my domain. Some observations:
  • The most concerning one is a personal address never used for anything but correspondence with friends and family and for one or two financial/medical institutions. This is reported as compromised in the "Apollo" breach. I wonder where/how it got harvested.
  • A spam-trap address is reported harvested by "Onliner Spambot" from my website, along with legitimate addresses also posted on the website.
  • Old, obsolete addresses were compromised by Verifications.io and B2B USA Businesses.
  • My decades-old original email address is compromised by Apollo, Exactis, Onliner Spambot, River City Media Spam List, and Verifications.io.
  • Postmaster is compromised by Apollo, B2B USA Businesses, Exactis, Onliner Spambot, and Verifications.io.
  • Several invalid addresses were listed under Apollo, Exactis, Verifications.io, and B2B USA Businesses.
 




Anyone know who or what verifications.io is?
Here's the original article:
Bob Diachenko/Security Discovery said:
800+ Million Emails Leaked Online by Email Verification Service

How this all works:
  1. Someone uploads a list of email addresses that they want to validate.
  2. Verifications.io has a list of mail servers and internal email accounts that they use to “validate” an email address.
  3. They do this by literally sending the people an email. If it does not bounce, the email is validated.
  4. If it bounces, they put it in a bounce list so they can easily validate later on.
 


According to their former website, verifications.io provides “Email Validation and Verification, Data Enhancement, and Free Phone Lookup” to enterprise subscribers in order to "Remove harmful data and bounces from your list before you send."
So does this mean the data breach is of no consequence? It would seem to me that they would have your e-mail address (which is probably available through hundreds of vectors) but no passwords or credentials associated with them.

If you are a list manager using verifications.io to sanitize your lists, of course, then you probably need to change the credentials you were using to access their service.
 


So does this mean the data breach is of no consequence? It would seem to me that they would have your e-mail address (which is probably available through hundreds of vectors) but no passwords or credentials associated with them.
That's not what was reported. Records also contained Dates of birth, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses.

I would have to say that's consequential enough to get a good start at identity theft in a number of places.
 


That's not what was reported. Records also contained Dates of birth, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses.
That's all available in public records. A thief may have an easier time with this database (assuming all this is available for your record), but there's nothing that isn't already available from dozens of existing search services.
 


While we might complain about Apple's security updates partially munging some machines, Asus got hacked, and infected updates using its "Asus Live Updates" have been winging their merry way around cyberspace; the miscreants hacked Asus's update servers.

Apparently this may have been a narrowly targeted attack because if your Asus machine's MAC address wasn't in a select group, nothing bad would happen. Yesterday, Asus finally acknowledged the issue and issued an update to its Live Update app. However, if your machine didn't have the Live Update app installed (which could happen if you did a clean Windows installation, like I did), their tech support people are sending out a link to the complete app that results in an Error 404... yes, a bad link.

Repeated emails to their tech support folks pointing out this issue result in... nothing, no responses. If these were Apple support personnel, they'd be fired. And what of the webmaster who is {not} minding the store? sigh

Well, at least the original email they sent had a valid link to email their CEO. Oh, I unloaded on him...
 


... the miscreants hacked Asus's update servers...
And that is one vendor we know of.

I hate blindly being forced to hand over firmware-level access to Adobe, Intuit, Apple or Microsoft. It's the same as handing over keys to our bank accounts. Crazy.

Several years ago, 60 Minutes interviewed Kim DotCom from New Zealand - he voiced his biggest security fear: scheduled updates from manufacturers.

We are all susceptible. And how would we ever know if OS-level hacks are present?
 


Several years ago, 60 Minutes interviewed Kim DotCom from New Zealand - he voiced his biggest security fear: scheduled updates from manufacturers. We are all susceptible. And how would we ever know if OS-level hacks are present?
And this is far from the first time.

Many years ago, a PC of mine got infected by Microsoft's own update server. I was running McAfee antivirus. I had just scanned the system and it was clean. Then I did a "windows update" and immediately afterward, it started alerting me about infections. I wiped the computer and reinstalled everything (fortunately, this was a computer without anything important on it), and the same thing happened - infection immediately after installing updates.

I reported it to Microsoft. Their response was "that's not possible because we have virus scanners, so you must have gotten infected some other way" - flat-out denial of the problem.
 


Ric Ford

MacInTouch
Many years ago, a PC of mine got infected by Microsoft's own update server. I was running McAfee antivirus. I had just scanned the system and it was clean. Then I did a "windows update" and immediately afterward, it started alerting me about infections. I wiped the computer and reinstalled everything (fortunately, this was a computer without anything important on it), and the same thing happened - infection immediately after installing updates.
That sounds like it could potentially have been a man-in-the-middle attack or DNS spoofing and possibly not an infection in Microsoft's own servers.

Here are some related articles:
Sophos said:
Flame malware used man-in-the-middle attack against Windows Update
Microsoft has released an emergency update for all versions of Windows to address a certificate flaw that was used to spread the Flame malware from machine to machine.

Of course you have to trust that your connection to Windows Update is not being attacked while you’re retrieving the update that prevents you from being attacked....

The idea of someone with malicious intent impersonating Windows Update has been discussed for years in the security community. It is sort of a nightmare scenario and I suppose it is good news that it was being used in such a limited way.
ZDNet said:
Windows patches can be intercepted and injected with malware
Researchers say Windows machines that fetch updates from an enterprise update server not configured to use encryption are vulnerable to an injection attack.
 


And this is far from the first time.
Many years ago, a PC of mine got infected by Microsoft's own update server. I was running McAfee antivirus. I had just scanned the system and it was clean. Then I did a "windows update" and immediately afterward, it started alerting me about infections. I wiped the computer and reinstalled everything (fortunately, this was a computer without anything important on it), and the same thing happened - infection immediately after installing updates.
I reported it to Microsoft. Their response was "that's not possible because we have virus scanners, so you must have gotten infected some other way" - flat-out denial of the problem.
Another possibility could be opportunistic infection during the update process?

Years ago Windows had a number of vulnerabilities that could be exploited remotely, over the network. An unpatched PC, without an adequate firewall or anti-virus, could be compromised in a matter of minutes, if not seconds. In fact, it was a real problem just getting a new Windows PC updated; it would be infected faster than it could download the necessary patches.

So what if, during the update process, Windows had shut down the anti-virus but still had the vulnerable network ports exposed?

I don't think that could happen today, but we're talking about many years ago when security was less sophisticated.
 


Ric Ford

MacInTouch
FYI:
Bleeping Computer said:
Evernote Fixes Remote Code Execution Vulnerability in macOS App

A local file path traversal vulnerability which allows attackers to run arbitrary code on their targets' Macs remotely was fixed by Evernote after receiving a report from security researcher Dhiraj Mishra.

The security issue tracked as CVE-2019-10038 was found by Mishra in Evernote 7.9 for macOS and it is now patched in the 7.10 Beta 1 version. As detailed in a forum post on the company's forum, the fix is now also available in the stable 7.9.1 version which just got released.

As the researcher explained, the software flaw can be exploited to run arbitrary code remotely "Since Evernote also has a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes (.enex) to the victim to perform further attacks."
 


Ric Ford

MacInTouch
"Supply chain" attacks are super-dangerous and widespread, apparently:
Wired said:
A Mysterious Hacker Group Is On a Supply Chain Hijacking Spree

A software supply chain attack represents one of the most insidious forms of hacking. By breaking into a developer's network and hiding malicious code within apps and software updates that users trust, supply chain hijackers can smuggle their malware onto hundreds of thousands—or millions—of computers in a single operation, without the slightest sign of foul play. Now what appears to be a single group of hackers has managed that trick repeatedly, going on a devastating supply chain hacking spree—and becoming more advanced and stealthy as they go.

Over the past three years, supply chain attacks that exploited the software distribution channels of at least six different companies have now all been tied to a single group of likely Chinese-speaking hackers. They're known as Barium, or sometimes ShadowHammer, ShadowPad, or Wicked Panda, depending on which security firm you ask. More than perhaps any other known hacker team, Barium appears to use supply chain attacks as their core tool. Their attacks all follow a similar pattern: Seed out infections to a massive collection of victims, then sort through them to find espionage targets.

The technique disturbs security researchers not only because it demonstrates Barium's ability to disrupt computers on a vast scale but also because it exploits vulnerabilities in the most basic trust model governing the code users run on their machines.
 


"Supply chain" attacks are super-dangerous and widespread, apparently:
Although there have been similar attacks against macOS in the past (e.g. Creative Updater/fake OnyX, Proton B/fake Handbrake) and there certainly may be more in the future, I don't believe that this particular group (Axiom/APT17) was ever found to be the source. There has been some hardening of macOS since the examples noted, but it is still important for Mac users to recognize that such an attack is possible.
 


Ric Ford

MacInTouch
FYI:
BBC News said:
WhatsApp discovers 'targeted' surveillance attack
Hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in messaging app WhatsApp, it has been confirmed.

WhatsApp, which is owned by Facebook, said the attack targeted a "select number" of users, and was orchestrated by "an advanced cyber actor".

A fix was rolled out on Friday.

On Monday, WhatsApp urged all of its 1.5 billion users to update their apps as an added precaution.

The attack was developed by Israeli security firm NSO Group, according to a report in the Financial Times.
The Verge said:
Update WhatsApp now to avoid spyware installation from a single missed call
A vulnerability discovered in Facebook’s WhatsApp messaging app is being exploited to inject commercial spyware onto Android and iOS phones by simply calling the target, reports The Financial Times. The spyware, developed by Israel’s secretive NSO group, can be installed without trace and without the target answering the call, according to security researchers and confirmed by WhatsApp.

Once installed, the spyware can turn on a phone’s camera and mic, scan emails and messages, and collect the user’s location data. WhatsApp is urging its 1.5 billion global users to update the app immediately to close the security hole.
 





I'd add that the Bloomberg story didn't really make any technical sense. The cover for the magazine shows the equivalent of a TO23 chip with a grand total of 6 connectors to tie into the motherboard with. Presumably, two will be needed for power, leaving 4... to listen in on what? Oh, and transmit, too! Etc.

The article basically suggests that the Chinese modified the server boards to allow the insertion of these wonderchips to take over the Intelligent Platform Management Interface (IPMI), which is a set of dedicated chips and network infrastructure to manage a modern motherboard. IPMI governs (among other things) updates to the BIOS, fan settings, even shell access. Thus, successfully breaching the IPMI system seems like a great idea...

But, have a look at the multi-layer PCBs in use for the average server motherboard and find me a spot presumably close to the Baseboard Management Controller (BMC) at the heart of the IPMI system where I can place a wonderchip, find power, get the necessary communications lines in order, etc. It won't be easy. That chip will have to have all sorts of things on board, boot faster than the IPMI, and inject its payload at just the right time.

Even if this test is met, ServeTheHome.com points out how little that gains, as IPMIs are typically kept on networks that, by design, allow no connection to the outside world (air gap, etc.). So if the compromised IPMI/BMC can't reach the internet, it cannot download the various payloads that these wonderchips can command the BMC to allegedly implant itself with. FWIW, I simply disconnect the ethernet cable from the dedicated BMC ethernet port to my switch when I don't need the BMC to be accessible. It's hard to hack across a 3' air gap.

Instead of these wonderchips, a much more likely scenario would be for China or any other state actor to intercept server hardware shipments post-manufacturing and modify them via software/hardware to allow spying. The NSA (per Snowden) has allegedly been doing this for decades via "Tailored Access Operations" (TAO) and like programs. The exploits of this group are legendary.
 


Objective Development said:
Little Snitch 4.4

Security
This version fixes a vulnerability which allows privilege escalation to root for any local user. Please upgrade before details of the vulnerability are published!

The vulnerability has been assigned the number CVE-2019-13013. More information will be made available later, when most users have upgraded to the latest version.
 




Ric Ford

MacInTouch
Jonathan Leitschuh said:
I subsequently got another email about it, referencing this story:
Vice said:
Zoom Vulnerability Lets Hackers Hijack Your Webcam

... Another issue is that even if a user has uninstalled the app, Zoom still leaves a web server up and running on the users' computer, allowing Zoom to still download software onto the machine. This isn't some oversight, but a deliberate decision by Zoom—this is designed for Zoom to be able to swiftly, and it seems surreptitiously, re-install the app if a user visits a Zoom conference link.

"What I found out was that this web server can also re-install the Zoom app if a user has uninstalled it," Leitschuh wrote.

Leitschuh said he searched for several hours in both official and unofficial documentation for any mention of this desktop web server. "This webserver’s API is completely undocumented as far as I can tell," he wrote.
 

