A post to Cryptome is pointing the finger at Apple for logging plain-text passwords of users of “legacy” Filevault under Lion 10.7.3. According to David Emery, the February update of Lion turned on a debug switch which, as a result, logs in plain text the password of a user of an encrypted directory tree. “Thus anyone who can …
This is clearly a bug in the migration process but "Legacy" Filevault never felt very safe to start with, since it only encrypted home directories.
Anyone seriously concerned with security would have been using the commercial PGP Whole Disk, or the new Filevault 2 that came with OSX Lion, both of which offer much better whole disk encryption.
ps: before Microsoft fans get overly smug over this let me just say two words: "bitlocker vista"
More than just a "legacy"
OK, I will bite, apart from the wider question of why you would pay for a more expensive version of Windows when truecrypt does the same thing for free, what was specifically wrong with Bitlocker on Vista?
But I think you are missing the point of this problem. The problem is that user's just use the same password everywhere. Sure what's in some crude legacy filevault may not be an issue, but it may be the same password as their email, phone or bank account.
Not only should the password be hashed, but that hash should be salted to avoid rainbow table attacks.
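The salted-hash advice in the comment above, as an added example that is not from the thread or from any Apple component: a password is never stored or logged as typed; instead a per-user random salt and PBKDF2-HMAC-SHA256 derive a verifier, so two users with the same password get different stored values and a precomputed rainbow table is useless. The iteration count and helper names are choices made here for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2. Kept modest so the example runs quickly; production
# systems should use a much higher count or a memory-hard KDF (scrypt/Argon2).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, verifier) for the password.

    A fresh random salt is generated when none is supplied. Only the salt and
    the derived verifier are meant to be persisted; the plaintext is discarded.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, verifier


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the verifier with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def salts_defeat_precomputation(password: str) -> bool:
    """Show why a rainbow table does not help: the same password hashed for two
    different users (two random salts) yields two different stored values."""
    _, v1 = hash_password(password)
    _, v2 = hash_password(password)
    return v1 != v2


if __name__ == "__main__":
    salt, verifier = hash_password("correct horse battery staple")  # constructed sample
    print("stored:", salt.hex(), verifier.hex())
    print("login ok:", verify_password("correct horse battery staple", salt, verifier))
    print("wrong pw:", verify_password("Correct horse battery staple", salt, verifier))
    print("salted differently:", salts_defeat_precomputation("hunter2"))
```

The stored record is `(salt, verifier)`; the plaintext never needs to exist after the derivation, which is exactly what a log line containing it would violate.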
Re: Re: More than just a "legacy"
He is probably on about the tools that were released a few years ago that could 'crack' BitLocker. What was needed for this: a copy of the drive and a full dump of the computer's memory after the computer had booted into Windows, to get the key stored in RAM. To get the memory dump you would either need to get the RAM out very quickly after cooling it and have special hardware read it, be able to log on and bypass the Windows security for memory access, or the computer has a FireWire port.
You could dump all the RAM from the FireWire port, no restriction, no accounts. As it's a 'feature' of the FireWire protocol, direct memory access, no authentication. Not a bug in Microsoft's implementation, it's an insecure protocol. This is the same for any system with FireWire. Dump the RAM, get the key. The key is in RAM on all systems, unless they have a hardware encryption module.
what microsoft fans??
I think that non-Apple fanbois are often people who use tech as a tool, and not as an accessory or some sort of fashion statement. And maybe they cannot afford Apple since their job can be done better with a cheaper non-Apple product. Also they don't see the need to endlessly drool over how superior their kit is compared with any other brand. That sh1t is soo boring and dull to listen to. The key capability of non-Apple folks over Apple fanbois is that they can shut the *uck up.
I like the old way
On an operating system which forces developers and users to properly store data in a good place ($home), FileVault made perfect sense.
What would one gain by whole disk thing? I mean unless you are a mad scientist and have custom "destroy the planet.app" in your /applications on root folder.
Win is a different thing and really needs whole disk encryption. Why? Ms refuses to discipline developers.
Re: what microsoft fans??
"The key capability of non apple folks over apple fanbois is that they can shut the *uck up."
<== You forgot to add the icon
Re: More than just a "legacy"
So we are now blaming Microsoft for lax security based upon a flawed protocol developed by Apple?
Truecrypt is every bit as vulnerable as Bitlocker on that attack vector as is any other piece of software. If you can see the RAM where the key is held, you can see (or derive) the key, if you can see the key, you can decrypt the drive.
> What would one gain by whole disk thing?
Many services tend to log passwords to log files. Not sure if PostgreSQL and MySQL still do, but not very long ago they did. You also get people typing the password in place of the login. All those cases usually get recorded in log files outside of the users' home directory.
> So we are now blaming Microsoft for lax security based upon a flawed protocol developed by Apple?
Yes, I was mentioning the issue where the Bitlocker password was left in an easy to read location in RAM. Firewire is just one way to reach it, you can also boot from a different disk or even read the data using a special PCI (or mini-PCI) card.
Also it's silly to blame Firewire for allowing remote DMA access. It's the implementation in some machines that makes it a security problem, a correct implementation can either leave the DMA disabled until properly authorised, or can filter remote DMA requests only for devices that need it and/or are approved. This is done in most modern systems.
Very trivial bug indeed.
And besides who really wants to break into an Apple?
All that will be there is somebody's music collection, somebody's holiday snaps, a few letters, and a few doodles. Maybe even next month's Parish newsletter. If they're really lucky they might get the new Kylie single or the latest leaflet for the Green party.
The subscription details to Gay Times might come in handy though.
Um, Mac OS X is supposed to be a certified flavour of Unix.
Certified flavours of Unix shouldn't go logging passwords in clear-text to log files in /var.
This is not a "trivial bug indeed".
If you have Macs connected to your Active Directory domain then it's an appalling bug that exposes enterprise account passwords. Granted, the log file it's stored in doesn't have world read permissions by default, but it still means that anyone who has local admin rights can harvest passwords from the organisation.
This incident should be getting more coverage and it serves as a reminder that Apple are a trinket company whose products should never be let near the enterprise.
They gave up getting certified when they became... an iPhone company. That is, as far as I followed.
Not the first..
> Certified flavours of Unix shouldn't go logging passwords in clear-text to log files in /var.
Yet I recall having to clear up many instances of cleartext passwords from logs, back in my HP-UX days.. Guess what, bugs happen especially when scenarios get more complex.
More recently I was finding Ubuntu Linux (Breezy) saving the cleartext password of the admin user under /var/log after installation.
As I said before, if you care about security the best is to encrypt the whole disk.
This bug only records passwords of users who logged in locally on the machine.
You're correct in saying you need local admin rights on the machine to read the log file.
But the clincher is if you have admin rights there are already more ways of harvesting passwords entered locally (think trojans, key loggers...)
Re: Not the first..
>>More recently I was finding Ubuntu Linux (Breezy) saving the cleartext password of the admin user under /var/log after installation.
By recently you mean 6-7 years ago? Bug #34606 Fixed right away.
To dissuade all temptations no user password should be kept in clear text anywhere on the system, (multiple) hashes are there to use if need be.
Re: Macs connected to your Active Directory domain
Yech. Just... Yeck.
You're wrong - I've actually connected a Mac to an Active Directory domain using the AD plugin (dsconfigad from the command line) and it exposes AD passwords.
As a well known non Apple fanboi
it's nothing for me to get worked up 'bout either. I neither have nor desire/crave any Apple products, so for me it's just another reason not to waste any money on an unwanted, unusable, it-just-doesn't-work gadget. Someone please give me a job in their marketing department, they obviously need a rocket under them or an injection of leather, I'm not a keen fan of bullshit, if you're not sure where that comes from.
I'll take all the down votes you can give me and some more when I post next,
This is a symptom of ...
... marketing-bods running supposedly "techy" companies.
Back in the day (1989), I was brought in as a conslutant for AOL to help set up their Stratus computer center in Georgia. The marketers in charge couldn't understand why passwords shouldn't be stored in the clear. Ever.
Their idiot reasoning? "We have to be able to tell the users what their forgotten passwords are".
It's all gone downhill since then ... Thankfully, I'm (mostly) out of that line of work.
Re: This is a symptom of ...
I worked for them for a while as well Jake.. their password policy was crazy.. nothing over 8 characters, a mix of letters and number only, no special characters, case sensitive turned off.. For some reason they thought this was MORE secure.
Back in the day ....
..... Steve Jobs would have turned this into a marketing triumph.
After trumpeting this must-have feature across all known media, he'd've sat back and watched lesser companies announce unconvincing plans to make it easier for passwords to be retrieved by non-specialists.
The fan bois would rejoice at the removal of yet another barrier to internet participation by the common hipster.
And, soon, private passwords would be a thing of the past. The new iPassword would potentially allow us all to financially benefit by selling our iPasses on iTunes and sharing in the profits made from our identity theft by the purchasers.
Other companies would learn from Apple's strategy and fire their IT QA departments and hire marketeers instead. All bugs would now be declared as unmissable features, and the more gullible of us would pay more for the bonus ones.
Sounds rather like someone passed the wrong options to configure, or shipped a test version of the binary.
Logging even just incorrect passwords is a security risk in production, because the chances are it's just one incorrect character causing the problem -- reducing the search space considerably. You might need such a feature for testing, for sure, but not out in the wild.
The idea to log passwords is plain dumb. In the worst case I can imagine #ifdef DEBUG or so, but still.
With such an obvious rookie mistake I bet the password is well and alive in the memory, so a heap/memory dump will reveal it.
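The two comments above (log nothing that narrows the search space, and keep any password logging out of production builds) and the earlier point that services tend to leak passwords into logs outside the home directory all argue for the same defensive control. As an added example that is not from the thread or from any Apple or OS component, this Python snippet records authentication failures without the submitted credential and attaches a filter that scrubs secret-looking `key=value` pairs from every record, so even a stray debug line cannot put a password on disk. The key list, logger name and helper names are choices made for this example.

```python
import logging
import re
from io import StringIO

# Keys whose values must never reach a log file. Constructed list for the example;
# a real deployment would extend it to whatever its components actually emit.
_SECRET_KV = re.compile(
    r"\b(password|passwd|pw|secret|token)\s*=\s*([^\s,;]+)", re.IGNORECASE
)


def redact(message: str) -> str:
    """Replace the value of any secret-looking key=value pair with a marker."""
    return _SECRET_KV.sub(lambda m: f"{m.group(1)}=[REDACTED]", message)


class RedactingFilter(logging.Filter):
    """Scrub every record, at every level, before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its args first, then scrub the rendered text.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def build_logger(name: str = "auth-demo"):
    """Return (logger, buffer); the buffer stands in for /var/log in this example."""
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)  # debug is on, yet nothing secret gets through
    logger.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger, buf


def log_auth_failure(logger: logging.Logger, username: str, reason: str) -> None:
    """Record who failed and why; the typed password is deliberately not a parameter."""
    logger.warning("auth failure user=%s reason=%s", username, reason)


def demo() -> str:
    """Run both the safe path and a careless debug line; return what 'hit disk'."""
    logger, buf = build_logger()
    log_auth_failure(logger, "alice", "bad-password")
    # A constructed careless debug statement of the kind the thread complains about.
    logger.debug("mount attempt user=alice password=hunter2 share=//fs/home")
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

The filter sits on the logger rather than on a handler so that it applies before any handler, including ones added later by other code, can write the record out.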
I prefer Truecrypt..
Filevault 2 is only OK until it develops a problem, and then you have a fight on your hands.
I may try again once I'm sure my backups are working 100%, the last time I tried to recover from a FV 2 failure it was a pain even getting the disk repartitioned (despite having the master password).
Sure, Truecrypt is more work as you need to manually mount the archive (and you're not secure by default), but it also allows me to move containers between machines and operating systems. AFAIK, an OSX Lion encrypted USB stick is inaccessible under Windows or Linux, which renders it useless to me - especially Linux I use a lot in parallel (no, not in Parallels - I like Virtualbox :) ).
I guess it's a matter of preference...
So... how did a debug version of a component with logging still enabled make its way into an Official Release? Don't they test these things before sending them out to the masses? How did something so simple and obvious get through?
May no shadow fall on the shining light of Apple
Oh, the warm, understanding and downplaying words of fanbois of this latest security cockup.
May no shadow fall on the shining light of Apple!
I don't have 10.5+ so wondering if they fixed the "system.log getting wrong permissions each time weekly script is run" bug which is a security issue itself.
Does that stop me from ever knowing what my family is doing with me internets? I sure hope so
Old-timer Mac Fan despairs
This perhaps is a rookie mistake and perhaps affects only a few, but Lion itself is full of odd design and rookie mistakes. From the dropping of scroll arrows and scrollbars from the UI, to features that don't work on the OS's still-supported still-built-in software raid system, to the VM system that swaps out active RAM pages to give the content indexing system a 7th gigabyte for disk buffers...
Some may be small issues but the floor is littered with them. It seems as if the good programmers have left, were dragged off to other projects and not replaced, or are just "sittin' fat & happy" on stock options and collecting paychecks.
I can only hope that this will spur improvements to regaining a strong core OS. (...though I'm reminded that hope was one of the things contained within Pandora's box).
Re: Old-timer Mac Fan despairs
Amen to that. The core OS, derived from the BSD family, is probably pretty strong wrt security. Much stronger than Windows, IMHO.
However... M$ has had a decade of justified user outrage about their crap security and has, to an extent, learned to take security seriously enough to mitigate the really sucky Windows underpinnings.
Fanbois who instinctively defend Apple miss the point that Apple's record is pretty lax when it comes to security, aside from what comes baked-in from BSD and Sudo. We had the LDAP goof a while back, the Flashback Trojans (2 acquaintances caught out), the MacDefender ("no don't support our infected users that would make it seem like we are not secure").
Apple will need to get its s**t together or non-fanbois will balk at paying extra $ for still-insecure computers. They need to recognize that pricey computers => juicy targets for malware writers, esp. when the prevailing attitude seems to be "antivirus? what antivirus, I am on a Mac". They need to stand by their users' security, period. Over convenience, when needed.
One of my primary reasons for being on a Mac is not trusting Windows to store any sensitive info. F*** this up enough and I'll move out again.
Re: Old-timer Mac Fan despairs
Doesn't it make your heart hurt a little when, as a Mac user, you type "Microsoft" with a dollar sign?
Re: Old-timer Mac Fan despairs
>>This perhaps is a rookie mistake and perhaps affects only a few, but Lion itself is full of odd design and rookie mistakes. From the dropping of scroll arrows and scrollbars from the UI<<
Yeah, Lion does seem pretty misguided. There was definitely no reason to get rid of scroll bars. Similar mistakes include hiding disks on the desktop by default (may have been SL?), that worthless new application launcher, all of the full screen app nonsense, flipping the default scroll direction, and the seemingly new and infuriating ability for apps to steal focus from each other instead of just bouncing in the dock.
Makes me think the people who really understand *WHY* OS X is designed the way it is have left. Very depressing thought.
I thought that Mac OS X uses the FreeBSD PAM mechanism. If so why would they tamper with it?
Everyone knows the real problem is the users not holding the device properly..... :)
It pains me to see so much open animosity towards Apple customers, as if we are all hipster fanboys who bought Macs to hold as fashion accessories as we rush from one gay wedding to the next.
Almost without fail, the people I know who I respect the most for doing the most "hardcore" computing use Macs, including a bunch of Google engineers responsible for core infrastructure to biologists developing simulations of protein folding to developers of web sites/services that are now worth millions of dollars. I suppose it makes sense that these people aren't standing up for their computer choice in these online forums since they are probably busy doing useful, important work and don't need to hear about how they could have saved $300 by buying a different laptop two years ago from a nerd in a random IT department.
"developers of web sites/services that are now worth millions of dollars."
Yes. my brother-in-law used the excuse that the Mac was a superior web development platform to buy a G4. I looked long and hard at him and then gently said "but won't you need a PC as well since the websites you are building are graphically intense and intended to be viewed by the general public who mostly own PCs?"
Games built on Macs look great, but must be ported onto PCs to recoup costs. I venture to suggest the cost benefits of that development path themselves strongly suggest turning it upside down.
Use whatever you prefer to use, a computer is just a tool after all, but for God's sake stop living in the kitten-infested world where Apple do no wrong. iTunes *is* a piece of unmitigated junk with the most unhelpful user interface for music playback I've ever seen. There. The sky didn't split. The iPod should come with a dedicated volume control. Not having one is a design convergence error. Wow no lightning bolt. Storing the passwords in plain text is a stupid and dangerous mistake. If you read that last bit on a PC-related topic you'd agree.
The only major difference between PCs and Macs is that when things go wrong with Macs the user community tightens ranks and denies, and the PC user can read about an issue the next day on a milk carton. I was unpleasantly surprised at the sheer number of "known problems" with that bloody G4 once it began breaking down and yours truly had to go a-hunting in the forums (and even then could only turn up issues if I knew what they were before I went looking). What a piece of junk, and what a bunch of disingenuous users.
Plus, I never heard of anyone having to sign an NDA before a warranty replacement with a PC.
Oh look, yet another schoolboy-level error
Really, the bug affects any network share
At least if you're connecting to it on login. So in a Mac environment with (for example) xserve and Open Directory, you see the same behavior. Same with eDirectory and AFP with Novell's Open Enterprise server. It's not just disk encryption products, it's people relying on remote file systems.
There may be a behavior difference in accounts that are set up as "Mobile" on the Mac versus "Network" - if the account is set "Mobile" the password might not be logged, or might not be logged under as many conditions (a locally-cached password on a Mobile account could easily change that behavior).
Re: Really, the bug affects any network share
Finally, someone who understands the scale of this problem.
Sysadmins: Forget the comments about FileVault, HP, fanboi etc etc. - this is the worst, most careless bug Apple have ever released. If you care about domain password security then you need to make sure this version of the OS can't authenticate against your domain.