
vulnerabilities and vectors

This is one reason I shun all VPN providers and use ZyXEL VPN routers.
Dan Goodin said:
NordVPN’s secret crypto keys posted online following serious server hack
Hackers breached a server used by popular virtual network provider NordVPN and stole encryption keys that could be used to mount decryption attacks on segments of its customer base.
Kenneth White said:
"I have recommended against most consumer VPN services for years, including NordVPN," he told me. "[The services'] incident response and attempted PR spin here has only enforced that opinion. They have recklessly put activists' lives at risk in the process."
 


This is one reason I shun all VPN providers and use ZyXEL VPN routers.
If you don't have a router with built-in VPN capability, you can also roll your own by installing a VPN server on your LAN and opening a port in your firewall (or forwarding a port through your NAT) to access it.

Once connected to your LAN via the VPN, you can access your LAN resources and (via appropriate proxies) relay other traffic back to the Internet, so it all appears to be coming from your LAN.

A former employer of mine used OpenVPN for this. OpenVPN sells a variety of VPN-based products (including VPN appliances for your LAN, cloud-hosted VPN appliances and their own VPN Internet access service). They also have an open source community edition if you'd rather maintain everything yourself.

This employer used the community edition (including a self-signed certificate authority) to provide remote access to the company LAN. It worked very well for us.
 


This is one reason I shun all VPN providers and use ZyXEL VPN routers.
Let me suggest two components to consider:
  1. The security of the VPN server. Rolling your own works well, particularly if you simply purchase a high-end consumer/low-end enterprise router with VPN server functionality (we employ Peplink equipment a lot), with the benefit of external support processes.
  2. Given (1), the quality of the ISP with respect to issues such as privacy, tracking and network parameters - even if your VPN is good, that is all undone if the next hop is bad (FWIW, we use Sonic fiber to the home, 1Gbps, non-tracking, and UpCloud servers for virtual Peplink FusionHub VPN servers).
 


…A former employer of mine used OpenVPN for this. OpenVPN sells a variety of VPN-based products (including VPN appliances for your LAN, cloud-hosted VPN appliances and their own VPN Internet access service). They also have an open source community edition if you'd rather maintain everything yourself.

This employer used the community edition (including a self-signed certificate authority) to provide remote access to the company LAN. It worked very well for us.
A Raspberry Pi computer with OpenVPN is a nice little device that can be used for that. Does some 50 Mbit/s without optimisation, sufficient for a small business.
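The two posts above (the self-hosted OpenVPN community edition with a self-signed CA, and the Raspberry Pi variant) describe the setup in prose only. The script below is an added example written for this page; it is not from the thread, from OpenVPN's own tooling, or from the poster's employer. It uses the openssl CLI to build a small self-signed CA with separate server and client certificates, generates a tls-crypt key, and writes a hardened OpenVPN 2.4+ server.conf that pushes a route to the LAN. Every concrete value is an assumption: LAN 192.168.1.0/24, tunnel subnet 10.8.0.0/24, UDP port 1194 (which the NAT or firewall must forward to the VPN host), and the certificate names "server" and "client1".

```shell
#!/bin/sh
# Added example, not code from the MacInTouch thread or from OpenVPN.
# Builds a self-signed CA plus server/client certs with the openssl CLI
# and writes a hardened OpenVPN server.conf for remote access to a LAN.
# Assumed values (not from the page): LAN 192.168.1.0/24, tunnel 10.8.0.0/24,
# UDP 1194 forwarded through the NAT/firewall to the VPN host.
set -eu

# make_pki DIR
# Creates ca.key/ca.crt (self-signed), server.key/server.crt (serverAuth EKU),
# client1.key/client1.crt (clientAuth EKU) and tc.key (tls-crypt static key).
make_pki() {
  dir="$1"
  mkdir -p "$dir"
  # Self-signed CA. Once certs are issued, keep ca.key offline: only ca.crt
  # needs to live on the server and on each client.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Home VPN CA" 2>/dev/null
  for name in server client1; do
    case "$name" in
      server) eku="serverAuth" ;;
      *)      eku="clientAuth" ;;
    esac
    # Distinct EKUs let each side enforce "remote-cert-tls", so a stolen
    # client certificate cannot be replayed to impersonate the server.
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
      "$eku" > "$dir/$name.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
      -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
    openssl x509 -req -days 825 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
      -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$name.ext" \
      -out "$dir/$name.crt" 2>/dev/null
  done
  # tls-crypt key in OpenVPN's static-key format: 256 random bytes as 16 lines
  # of 32 hex characters. It authenticates and encrypts the TLS handshake, so
  # port scanners and clients without the key get no reply at all.
  {
    echo '-----BEGIN OpenVPN Static key V1-----'
    openssl rand -hex 256 | fold -w 32
    echo '-----END OpenVPN Static key V1-----'
  } > "$dir/tc.key"
}

# write_server_conf OUT PKI_DIR LAN_SUBNET LAN_MASK
# Writes an OpenVPN 2.4+ server config: TLS 1.2+, tls-crypt, AEAD cipher,
# ECDH (no static DH file), client EKU check, privilege drop after start,
# and a pushed route so remote clients can reach the LAN.
write_server_conf() {
  out="$1"; pki="$2"; lan="$3"; mask="$4"
  cat > "$out" <<EOF
port 1194
proto udp
dev tun
ca $pki/ca.crt
cert $pki/server.crt
key $pki/server.key
dh none
ecdh-curve prime256v1
tls-crypt $pki/tc.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
remote-cert-tls client
server 10.8.0.0 255.255.255.0
push "route $lan $mask"
# Uncomment to send all client Internet traffic out through the LAN instead:
# push "redirect-gateway def1"
keepalive 10 60
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# Invoke as `sh make-vpn.sh run` to build ./vpn-pki and ./server.conf.
if [ "${1:-}" = "run" ]; then
  make_pki ./vpn-pki
  write_server_conf ./server.conf ./vpn-pki 192.168.1.0 255.255.255.0
fi
```

Copy ca.crt, client1.crt, client1.key and tc.key to the remote machine and point its client config at your public address (with `remote-cert-tls server` and the same tls-crypt line); ca.key stays off the VPN host. The pushed route is what makes LAN resources reachable; the commented redirect-gateway line is the "relay other traffic back to the Internet" option from the earlier post.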
 



A common thread among recent NAS vulnerabilities has been weak passwords. Visiting the QNAP website yielded (your mileage may vary) no info about QSnatch. The most recent notice was from October 4 about Muhstik ransomware, apparently identified attacking QNAPs on October 2.

Minimum NAS Security:
(1) Be sure to disable any default admin logins;
(2) Restrict the number of, and access to, admin accounts;
(3) Use only strong passwords;
(4) Require two-factor authentication for any admin or Internet access, perhaps including even local-only "standard" users.

As a "personal computer user," as distinguished from a "network administrator," I've found that adding a set of Synologies to my computing environment is challenging. Yesterday, October 30, I received an email security advisory "Synology SA-19:35 Important: Samba" with notes that it is "Important" and "Ongoing."

What's below is pasted from Synology's email, and what seems most important is "Mitigation: None". It does seem to relate to "Active Directory Server", which, I believe, is Windows-specific. My networks are mixed Mac and Linux, so I turned off SMB access on the main Synology and, so far, can log in normally. Perhaps that's a kind of mitigation? Synology DSM 6.2 supports Apple AFP, but that's now deprecated technology as Apple itself is moving (has moved?) to SMB.
Synology said:
These vulnerabilities allow remote attackers to bypass security constraints via a susceptible version of DiskStation Manager (DSM), Synology Router Manager (SRM), and allow remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology Directory Server.

Affected Products

Product                  Severity      Fixed Release Availability
DSM 6.2                  Important     Ongoing
SkyNAS                   Important     Ongoing
VS960HD                  Not affected  N/A
SRM 1.2                  Not affected  N/A
Active Directory Server  Moderate      Ongoing

Mitigation
None
 


I'm seeking recommendations on a reputable company to perform pen-testing (attempts to penetrate our company's network and digital security in order to access our private data). We have 35 Macs, a Mac Server, a SonicWall NSA 2650, one Mac running Windows 10 via Fusion, and one lonely PC for occasional web testing. Thanks in advance!
 


I'm seeking recommendations on a reputable company to perform pen-testing (attempts to penetrate our company's network and digital security in order to access our private data). We have 35 Macs, a Mac Server, a SonicWall NSA 2650, one Mac running Windows 10 via Fusion, and one lonely PC for occasional web testing. Thanks in advance!
I've used ControlScan for several client projects and been very pleased with their work (disclaimer: satisfied customer only, no other connection to them). Very professional, though not specifically Apple-oriented. If the scope is "can they breach the firewall and get into my network," it shouldn't be hard to shop around and find a professional firm with reasonable costs.

As a general comment for anyone considering pen-testing, it's extremely helpful to identify the motivation for the test, its specific goal, and its scope before engaging a vendor. If the scope is too narrow, you don't necessarily learn much, and if it's too broad, you might spend a lot and potentially disrupt your operations in ways that outstrip likely security risks.

Implied in the above statement is that you have done some sort of risk assessment to know where your most sensitive/important data actually resides and how much you should invest in protecting it. For example, is a non-destructive firewall vulnerability scan enough for your purposes, or do you want someone to try to break into an internal server and find the crown jewels? Also, consider that as cloud services have expanded, many companies now keep more valuable data in front of their firewall (Office 365, Google, AWS) than behind it. How much should you invest in testing and securing cloud assets versus "internal" assets? There is no universal answer.

Back to the original question - since your company is so Apple-centric, it might be worth searching/asking for recommendations from folks on the MacEnterprise mailing list.
 


Holy photons, Batman!
Washington Post said:
Hackers can hijack your iPhone or smart speaker with a simple laser pointer — even from outside your home
... In one case, they took over a Google Home on the fourth floor of an office building from the top of a bell tower at the University of Michigan, more than 200 feet away. And they say the trick could theoretically be deployed to buy things online undetected, operate smart switches in homes and other unsettling applications.

... “Once an attacker gains control over a voice assistant a number of other systems could be open to their manipulation,” a breakdown of the study on the University of Michigan’s website says. “In the worst cases, this could mean dangerous access to e-commerce accounts, credit cards, and even any connected medical devices the user has linked to their assistant.”
Is this security vector as dramatically powerful as it appears?! Yet another reason I'm happy to live in a "dumb" home.
 


Here's a link to the actual report:

Of note: the Washington Post article points out that you would notice the light on your device unless it is infrared. But note that IR does not penetrate glass.

The article points out that the laser needs to shine directly into the microphone, which is usually mounted on the upper surface of the device. In their photos, they are shining the laser from a steep angle or they have the digital assistant device mounted horizontally in order to make this happen. Most people do not mount their devices this way.

I suppose there could be a problem if you have your device mounted under a skylight and somebody on the roof (or in a helicopter) is shining a laser down into it, but that doesn't seem very likely to me. Maybe if you keep your device on a window sill and you've got an attacker pointing his laser from a tall building next-door?

Finally, the laser is simply triggering the microphone. As an Amazon spokesperson said, if you configure your device to require a passcode, that will require the attacker to know it in order to get access.

In all, it's a very interesting bit of research, but I wouldn't be all in a panic over this. If you're really worried, just position it away from the window and/or enable a passcode.
 


Ric Ford

MacInTouch
FYI:
The Register said:
Tricky VPN-busting bug lurks in iOS, Android, Linux distros, macOS, FreeBSD, OpenBSD, say university eggheads
A bug in the way Unix-flavored systems handle TCP connections could put VPN users at risk of having their encrypted traffic hijacked, it is claimed.

The University of New Mexico team of William Tolley, Beau Kujath, and Jedidiah Crandall this week said they've discovered CVE-2019-14899, a security weakness they report to be present in "most" Linux distros, along with Android, iOS, macOS, FreeBSD, and OpenBSD. The upshot is, if exploited, encrypted VPN traffic can be potentially hijacked and disrupted by miscreants on the network.
 


Ric Ford

MacInTouch
A heads-up from the FBI:
BleepingComputer said:
FBI Warns of Risks Behind Using Free WiFi While Traveling
The U.S. Federal Bureau of Investigation recommends travelers to avoid connecting their phone, tablet, or computer to free wireless hotspots while traveling during the holiday season.

"This is an open invitation for bad actors to access your device," the FBI Portland field office said in its weekly Tech Tuesday press release.

"They then can load malware, steal your passwords and PINs, or even take remote control of your contacts and camera."
Let me also note that people should avoid using others' USB chargers, which can also be malware vectors (if you don't have a power-only cable or protection device).

#WiFi #USB
 


...if you don't have a power-only cable or protection device
Speaking of said devices, where can you get either (and, more importantly, be absolutely certain that they are indeed what they claim to be?) What better way to hide a compromised device?
 



When I bought charge-only USB cables for travel use, this was my choice:
OWC said:
NewerTech 1.0 Meter (39") Sync Switch USB Extension
... An in-line switch allows you to conveniently choose between "charge only" and "sync and charge" modes...
Why? Because at the time I was looking at options, Amazon only offered cables made and sold by third-party sellers. I wanted to go with a known brand. Sure, OWC's cables could be compromised but I felt there was less risk in buying from a well established, first-party retailer.

In any case, I always try to use my own charger first. Plugging into an untrusted USB port or cable is a last resort for me.
 


When I bought charge-only USB cables for travel use, this was my choice:
Why? Because at the time I was looking at options, Amazon only offered cables made and sold by third-party sellers. I wanted to go with a known brand. Sure, OWC's cables could be compromised but I felt there was less risk in buying from a well established, first-party retailer.
In any case, I always try to use my own charger first. Plugging into an untrusted USB port or cable is a last resort for me.
I bought two SyncStop USB Condoms for my wife and myself. They seem to work well and give us a sense of security when charging any devices in public areas like airports and hotels.
 


Speaking of said devices, where can you get either (and, more importantly, be absolutely certain that they are indeed what they claim to be?) What better way to hide a compromised device?
I recommend highly the PortaPow adapter. Works like a champ and not only completely blocks the data lines (you can see the two traces don't exist on the plug end), but also has the smarts to tell the item you're charging to charge at full power. ("PortaPow's SmartCharge chip automatically switches between Apple, Universal and Samsung standards to ensure compatibility with your device and charge at up to 2.4A")

Comes in multiple colors; the MacInTouch link above is to a single red one.
 


Here is a disturbing small-business security breach story from middle America (Dublin, Ohio, not Dublin, Ireland). Unfortunately, details are few, because the FBI doesn't want them divulged while they investigate. The data was hosted by AWS, but so far, Amazon has in no way been blamed. I strongly urge any small business owner reading this to have multiple, independent, isolated backups of all their important information.
NBC4i said:
 



Ric Ford

MacInTouch
This nasty Dropbox zero-day vulnerability affects Windows but is probably worth noting regardless of which OSes you're running:
BleepingComputer said:
Dropbox Zero-Day Vulnerability Gets Temporary Fix
A zero-day vulnerability exists in Dropbox for Windows that allows attackers to gain permissions reserved to SYSTEM, the most privileged account on the operating system.

The unpatched security flaw affects standard Dropbox installations. It relates to the updater that runs as a service and is responsible for keeping the application up to date.

Dropbox has yet to release a new version that patches the flaw but a temporary solution is freely available in the form of a micropatch.

... Security researcher Decoder and Chris Danieli discovered the vulnerability and created proof-of-concept exploit code to validate the findings. They say that they informed Dropbox of the issue on September 18 and allowed a 90-day period before making a public disclosure.
 

