
Thursday, 30 November 2017

macOS High Sierra Bug Lets Anyone Gain Root Access

 
Hi guys, hope you are all keeping well, and if not I am yet again going to drain the brightness from your day. Apparently anyone, and I mean anyone from your two-year-old to your grandad, can break into your Mac and become a superuser. Yes, I said it: a superuser, a god of elevated privileges, a root to all evil (only the geeks in the room will get that one). So here's the thing: Apple are calling this a bug when they should really just come out and say:

 "look guys we turned on root to do some shit, then we kinda forgot to turn it off, and, em, looks like that's the image we used to roll out 1,000s of machines on, our bad.....
PS the iPhone X is great you should go buy one it comes with enhanced features like stealing your key biometrics data for facial recognition so the CIA don't have to." - This may or may not have been a statement made by Apple T&C's apply.

Here's How to Login as Root User Without a Password


If you own a Mac and want to try this exploit, follow these steps from an admin or guest account:
  • Open System Preferences on the machine.
  • Select Users & Groups.
  • Click the lock icon to make changes.
  • Enter "root" in the username field of a login window.
  • Move the cursor into the Password field and press Enter a few times, leaving the field blank.
With that, macOS High Sierra logs the unauthorized user in with root privileges, allowing the user to access your Mac as a "superuser" with permission to read and write to system files, including those in other macOS accounts as well.

This flaw can be exploited in several ways, depending on the setup of the targeted Mac. With full-disk encryption disabled, a rogue user can turn on a Mac that's entirely powered down and log in as root by doing the same trick.

At Mac's login screen, an untrusted user can also use the root trick to gain access to a Mac that has FileVault turned on to make unauthorized changes to the Mac System Preferences, like disabling FileVault.

All the untrusted user needs to do is click "Other" at the login screen, and then enter "root" again with no password. However, it is impossible to exploit this vulnerability when a Mac machine is turned on, and the screen is protected with a password.

I suppose there is no point in doing the scary dance without having a solution to hand, and just as the exploit is easy to carry out, the fix is similarly simple: just follow the steps below.

Here's How to Temporarily Fix the macOS High Sierra Bug



  • Open System Preferences and Select Users & Groups
  • Click on the lock icon and Enter your administrator name and password there
  • Click on "Login Options" and select "Join" at the bottom of the screen
  • Select "Open Directory Utility"
  • Click on the lock icon to make changes and type your username and password there
  • Click "Edit" at the top of the menu bar
  • Select "Enable Root User" and set a password for the root user account

This password will prevent the account from being accessed with a blank password.

Just to be on the safer side, you can also disable Guest accounts on your Mac. For this, head to System Preferences → Users & Groups, select Guest User after entering your admin password, and disable "Allow guests to log in to this computer."
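
To confirm the state of the two accounts the fix above touches, here is an added example (not part of the original post, and not Apple's own tooling) that reads the root account record and the guest login setting from the command line. It assumes the stock `dscl` and `defaults` tools; the sample outputs are constructed, and treating a root record with no `AuthenticationAuthority` attribute as "disabled" is an assumption of this example.

```python
import subprocess

# Constructed sample outputs (not captured from a real machine), for offline checks.
SAMPLE_ROOT_DISABLED = "No such key: AuthenticationAuthority\n"
SAMPLE_ROOT_ENABLED = "AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>\n"

ROOT_CMD = ["dscl", ".", "-read", "/Users/root", "AuthenticationAuthority"]
GUEST_CMD = ["defaults", "read", "/Library/Preferences/com.apple.loginwindow", "GuestEnabled"]


def root_state(dscl_output):
    """Classify the output of ROOT_CMD.

    Assumption: a root record without an AuthenticationAuthority attribute has
    no usable credential ("disabled"); one with the attribute can log in.
    """
    if dscl_output is None:
        return "unknown"
    text = dscl_output.strip()
    if "No such key" in text:
        return "disabled"
    if text.startswith("AuthenticationAuthority:") and text.split(":", 1)[1].strip():
        return "enabled"
    return "unknown"


def guest_state(defaults_output):
    """Classify the output of GUEST_CMD: it prints 1 or 0, or an error if unset."""
    if defaults_output is None:
        return "unknown"
    value = defaults_output.strip()
    if value in ("1", "0"):
        return "enabled" if value == "1" else "disabled"
    return "not set" if "does not exist" in value else "unknown"


def run(cmd):
    """Run a command and return stdout+stderr, or None if it cannot be run."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout + proc.stderr


def advice(root, guest):
    """Map the two states onto the steps this post describes."""
    notes = []
    if root == "disabled":
        notes.append("root has no password set: enable root and set one (temporary fix above)")
    elif root == "enabled":
        notes.append("root has a credential: confirm an administrator set that password")
    if guest == "enabled":
        notes.append("guest login is allowed: turn off 'Allow guests to log in to this computer'")
    return notes


def audit():
    """Query the local machine; every state is 'unknown' where the tools are missing."""
    root = root_state(run(ROOT_CMD))
    guest = guest_state(run(GUEST_CMD))
    return {"root": root, "guest": guest, "advice": advice(root, guest)}


if __name__ == "__main__":
    report = audit()
    print("root account:", report["root"])
    print("guest login: ", report["guest"])
    for note in report["advice"]:
        print(" -", note)
```
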

Thursday, 16 February 2017

Security Meets Cost

I was recently asked by a small business how they could secure their IT on a budget. This made me stop to think about that tricky subject, "security meets cost". It is in these terms that a business must be practical: you need to stand back and identify your actual financial loss were a cyber attack or unforeseen event to occur resulting in the loss of data. And to be quite honest, if you're spending thousands on perimeter controls and don't have anyone in your business who can properly configure, monitor and maintain these devices, then you're really just throwing money down the drain.



After going through the business I advised them to put in place a number of steps that would go a long way towards protecting them. It must be noted that the business in question did not deal with any payment card information (PCI), personally identifiable information (PII) or personal health information (PHI). If your business is dealing with any of the above then you will need to put more controls in place.

My plan for the business was pretty simple and I will lay it out below.

1) Education:
This is one of the fundamental areas that small businesses neglect. There are hundreds of services out there that will do training days on different areas in an easy-to-understand and educational manner. If you can train staff to identify phishing, smishing and other everyday threats then you are starting to win a war on the front line. Education helps get employees to think before opening an attachment or giving out "harmless" information over the phone. For the more adventurous small business there are packages available for you to run harmless attacks that contain educational videos when clicked. PhishMe would be one such company that comes to mind in that regard.

2) Backups:
This one is quite simple but often forgotten, with the rise of ransomware every small business should keep daily or weekly backups. These backups should be occasionally tested to ensure that they can restore systems in the event of an emergency such as a ransomware infection.

3) Business Continuity Plan:
Every business should have one and should test it. You can work on building this up over a period of time but you need to start somewhere. E.g. if the building floods, are our desktops on the floor? Maybe we should elevate them to mitigate this problem. During this flood do employees have the ability to work from home? Yes, we have remote access to the building over our company's VPN.

The above are just suggestions but you get the drift: if you start to dissect your company and compare it to potential events you might be surprised what you come up with. Fail to prepare, then prepare to fail.

4) Virus and anti-malware protection:
Again this is simple but neglected in many small businesses. Buy a good antivirus and anti-malware package and set the updates to times you know your employees won't shut them down, e.g. lunch time or after working hours. A good antivirus and malware solution is like having a security guard in your network throwing out all the bad guys.


5) Enable BitLocker or the equivalent:
BitLocker encrypts your disk, so if someone breaks in and robs your physical machine, in theory BitLocker will keep that information safe, unless of course the thief is Homeland Security or the equivalent, in which case your data is the least of your worries.

6) Password Policy:
Put in place a robust password policy that includes the rotation of passwords regularly and password history check to prevent the re-use of passwords.

7) Third party checks:
If you are using a third party to store data or to provide remote support, ask them to provide you with a list of controls that are in place to protect you from a security point of view. If they tell you they are super secure and you need to trust them, get worried, because this means they haven't got anything to give you and your cloud solution is some guy with a laptop and 15 housemates that use it to stream illegal movies.

8) Document everything!
You should document all of your procedures and workflows because if one guy has all this information and gets hit by a bus your knowledge is dead. Good documentation is key to smooth transition and helps aid security through clarity.



If you get all the above in order you will have made a decent move towards securing your business at a minimal cost, of course there is plenty of room to do more but the hardest part is always to make a start.

Tuesday, 1 December 2015

Protecting against phishing



Phishing (pronounced fishing) scams are among the most prevalent forms of cybercrime, targeting unsuspecting victims. Although phishing is widespread, it is possible to identify and prevent. Apart from ensuring you install security software, the best way to combat scams is to educate yourself about what these scams are and how to identify them. I found the below video from Meridian Banking that explains phishing very well, and even though it's aimed at Meridian customers you should get the idea.


Now that you have an idea of what phishing is and what forms it can take, let's go through some additional steps you can take to protect yourself.

1) Be wary of emails asking for confidential information, especially information of a financial nature. Legitimate organisations never look for this information over email or the phone. If you get such a call or an email you should contact that organisation independently using known contact information from previous correspondence such as a statement or contract.

2) Make sure that when signing up to a new website you read their privacy policy. The majority of commercial websites have a privacy policy, which is usually accessible at the foot of the page. In this policy look for the website's position on whether it will or will not sell its mailing list. If the site in question does sell its mailing list, see whether they have a policy that allows you to sign up and opt out of this feature; if not, you might want to consider whether you really need to join the site in question. The majority of spam and potentially dangerous phishing emails you receive come from sites you have signed up to that have sold your mailing information to another company or companies.

3) Make sure you maintain effective software to combat phishing. Most Internet Security suites automatically detect and block fake websites. Some will also authenticate major banking and shopping sites. I have also stated in another blog how you can add security plugins to your browser that will help identify dodgy sites and links.

4) Never use links in an email to connect to a website unless you are absolutely sure they are authentic. It is very easy to add a fake link or hyperlink text that will bring you to a fake site or similar-looking website. To avoid this, open a new browser window and type in the URL yourself. Subtle differences could bring you to a fake site, e.g. www.aib.ie is the AIB banking site; what if the link you received was www.aibbank.ie, would you know the difference?

5) Never submit confidential information via forms embedded within email messages. This is not a secure practice and all reputable companies know this. If the form is part of a phishing attack the senders are often able to track all information entered.

6) Think twice about opening attachments from senders you are not familiar with, e.g. getting an email from an unknown address with an attachment labelled as "invoice". If you are not expecting an invoice and you don't recognize the sender, chances are the attachment is carrying a malicious payload. Delete it!

7) I will end with my pet hate: clicking articles on social media that are clearly made up just so you will click on them, e.g. BREAKING NEWS: Pamela Anderson shoots president Obama over views on healthcare! This is clearly a bullshit article, so don't click on it; you can be guaranteed you are entering a world of spam and malware.

I recently came across a Bluebird Care campaign surrounding cybercrime and the elderly. As part of that campaign they had an infographic that I think is super informative and can be viewed by clicking here.




Protecting your children online



For parents, the risks of the internet to your child can be overlooked. Coming up to Christmas you may be tempted to buy the next great gadget for your child; however, with the VTech cyber attack this week as one example, how safe is the data your children are inputting into these devices? I would always advise parents that if they are giving their children access to tablets and smartphones at a young age they should consider a number of factors.

1) Don't put your child's personal data into any device when setting it up! Use your own details if you have to; otherwise create throwaway credentials to enter in any applications that don't require factual information.

2) Set boundaries! Balance is key: create times of use around their devices and avoid your children becoming addicted to them.

3) Educate your children to the dangers of the internet and the fact that everything they do online is there for life! Snapchat is a popular example to use and I suggest you give this article a quick read.

4) Put safeguards in place to monitor your child's online activity. This will give your child the device they want and you can have the peace of mind that they are not putting themselves in danger online.

5) Keep your kids off social media until they are an appropriate age. Most sites don't allow children until they are 13 years of age, but this can be easily overcome by entering a fake date of birth.

6) Make sure you need to enter a password to download apps and games, and don't leave your credit card information signed in on the device they use. This will allow you greater control over what applications they are using; it may also stop a nasty credit card bill from unseen app charges.

The internet is a great place but the dangers it poses are very real, take a few minutes to watch the video below before disregarding this post.


Below are some tools for monitoring or limiting the amount of time your child's device is in use.

For Windows users:
When you create an account designated as a child’s account, you get the option to enable Family Safety settings. Family Safety allows you to monitor and/or time the usage from your child’s account, block certain applications or sites, and get weekly reports reviewing the activity on the account.

For Mac users:
Log on as Administrator on your child’s Mac, go to the Sharing preferences and choose Screen Sharing. Continue to “Allow Access For” and choose Administrators. When you are on your Mac, go to the Finder and choose Go: Network to see your child’s Mac. Click on Share Screen to see the activity.

For Smartphones:
Backing up your child's phone’s content to your own PC or Mac is a good way of keeping tabs on things. This will allow you to see which apps are being used on the phone, and you’ll be able to see what calls and text messages your child is making. Be sure to activate the basic security features, as well as any further limitations on usage you want. I have already done a blog on securing iPhones.

There are also many products on the market that will allow you to use GPS tracking and more in-depth monitoring of all your kids' devices. One free option that allows some of this functionality is Norton Family Online. The free version lets you monitor every site your kids visit, examine a list of everything they search for, and track their activity across social media via any Internet connection. You can tell Norton to always allow (whitelist) or block (blacklist) certain sites, customize the settings for each child, and set time limits so you can boot them offline when it’s time for bed. A premier version lets you monitor their instant messages, video consumption and mobile devices. This is just one product that I am aware of but there are many similar software packages out there.
I hope that you have found this post of some help, and if you need advice on anything just pop a comment below and I will do my best to give you a constructive answer.


Thursday, 26 November 2015

Securing your laptop

For most people laptops are a normal part of their daily lives; however, how much thought do people actually put into how secure these devices are? We use laptops for work, banking, our personal data, photographs etc., so why don't we spend more time securing the devices that we spend so much of our lives on? The main reason is probably effort: it just takes too much effort to worry about all that crap. What's the worst thing that could happen anyway? I suppose the worst case scenario is identity theft followed by all your bank accounts reset to zero and an email to everyone in your contacts of that inappropriate picture you took on a late Saturday night and forgot to erase. But let's not think about what could happen, as I am going to give you a list of 5 things you can do to hopefully prevent some of the above.



1) Patch your operating system/ applications

This one is pretty straightforward. Microsoft and Apple both send out regular patches for their operating systems; you should take the time to install these and keep your operating system up to date. Most attackers will try and exploit weaknesses in an operating system, so by keeping your system patched you are staying a step ahead of at least some attacks.

For information on how to do this on Windows click here

And for apple click here


Once you have your operating system all patched, your focus should turn to your applications, as the same applies here. A handy tool that I use for this is the free software vulnerability scanner Secunia PSI that can be downloaded here. I don't believe that this works with Mac but the link above on Apple explains how you can keep all of your iOS applications updated. You should also install anti-virus software; AVG is a good free one. For malware you can also install Malwarebytes; this is free for a trial period, which should be long enough to get rid of any nasty malware on your system.

2) Create a backup

This is very important, and with the flurry of ransomware attacks happening at the moment it may also save you losing a week or two's wages to get your data back. Creating a backup in Windows is actually pretty straightforward.

Go to Control Panel - Backup and Restore - Create a system image

Once you get here you need to plug in a hard drive or multiple CDs/DVDs for your machine to back up to. It takes about 2 hours depending on your system but might save you a major headache long term!

Apple has a number of backup options that can be found here

3) Encrypt your hard drive

This is important. It also takes a bit of time, so do it last thing in the evening as it does affect the performance of your machine whilst running. Remember, encrypting your hard drive will keep your data safe if your machine is ever lost or stolen. Windows uses BitLocker to encrypt drives, and it can be turned on by going to the search bar at the bottom of your screen and typing in "Manage BitLocker". This will open up the BitLocker manager, where you can turn BitLocker on. If you get an error message about TPM you will need to do the following before you proceed:

1) Log on to the Windows 10 computer with an account that has administrative privileges.

2) Click Start and, in the search box at the bottom of the menu, type the GPEDIT.MSC command and press the Enter key.

3) In the Local Group Policy Editor snap-in that opens, from the left pane expand Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption and from the expanded list click to select Operating System Devices.

4) From the right pane double-click “Require additional authentication at startup”.

5) In the box that opens, select the Enabled radio button and ensure that under the Options section the “Allow BitLocker without a compatible TPM” checkbox is checked.

6) Once done, click the OK button to allow the changes to take effect and close the Local Group Policy Editor snap-in.

Once this is done, return to the BitLocker manager and turn BitLocker on. It is very important that you keep the recovery password you are given in a safe place, as you will need this if you ever forget your password.

Apple uses FileVault to do this and the instructions can be found here.


4) Invest in a VPN

I know I have said this before but I cannot stress it enough: if you want to keep your online data away from prying eyes and protect yourself whilst using wireless networks, a VPN is a must have!! There are tons of premium VPNs on the market so do some homework and find one that suits your budget and expectations. Like I said before, I use AirVPN. I haven't had any issues with it yet other than a few lingering DNS issues that may be linked more so to Windows 10 than the VPN. My plan costs €30 for six months and I have unlimited bandwidth, but like I said, do your own research and pick a VPN that suits your needs. Stay away from free services unless you really trust the provider, and even then be wary.


5) Lock-down Windows 10 

Microsoft has more or less given anyone who wants Windows 10 the operating system for free. Now when large multinationals start giving their products away for free it's only natural to ask why. I don't have the answer on this just yet but I am guessing it has something to do with the large amount of access and data their new operating system gives them if a load of options are not turned off. After researching Windows 10 I have altered my privacy settings from on to off as I do not want to share my location, microphone, camera or calendar with Microsoft or any third party applications. The fact that all of these settings are turned on by default is a bit worrying, as many non-tech users are unknowingly sharing all of their private information with both Microsoft and third party applications. To turn all of these settings off, navigate to the bottom right of your screen and click on the notification manager. This is the little box that looks like a chat icon. From here select the All settings tab; you can now navigate to Privacy and choose what settings you want turned on or off. I recommend turning everything off unless you rely on an application that requires some of these features left on. And next time you get something for free, maybe consider what the motive is for such a generous giveaway in an age where data is the new gold.

If you want to read a bit more about Windows 10 and get more in-depth advice on how to lock down certain features I suggest reading: How to secure Windows 10: The paranoid's guide

Securing your iPhone 5 +

As the title suggests, for this post I am just focusing on the iPhone 5 and up. For the most part Apple are pretty slick when it comes to patching their devices and keeping things secure; however, a lot of the features of the iPhone that may make your life a bit easier may also create an area of insecurity around your device. Let's take Siri for example: she's great to have a chat with on cold nights when there is no one else around. The issue with Siri is she's a bit of a gossip and will talk to anyone. Let's take the following scenario: your phone is stolen, you have a lock code on it, so even though you're pissed you're not going to panic just yet. Let's say whoever stole your device has been watching you and they want to find out where you live. They can't do that, right? WRONG. If you have spent a bit of time setting Siri up, chances are she can be accessed from the lock screen of your phone, so all our thief/stalker needs to do is ask Siri a few simple questions.


Who am I?

Where do I live?

What are my upcoming appointments?


Try this yourself see what information you get back....


Am I starting to paint a picture of how this can all go wrong so fast..... Hold on just before we start to panic I have created a list of 10 things you can do to help protect yourself and your family. Of course you can completely ignore my list and keep living life on the edge if that's your thing :).



1) Disable Siri on a lock screen



Go to “Settings” –> “Passcode” (or “Touch ID and passcode”) –> “Allow access when locked” section –> “Siri: off” and “Settings” –> “General” –> “Siri” –> “Allow “Hey Siri”: off”.


2) Use a strong password instead of a 4 digit code



This is important, and I can't stress enough how simple it has become to smash out your 4 digit passcode in a few hours. You might think, "Who the hell would bother doing that? I'm not some Government spy." No, you're not, but you do have lots of juicy personal data in there that can be used to steal your identity or exploit your friends and family. As an extra option, you can also turn the “erase data” feature on, so the device will wipe everything from its memory after 10 failed passcode attempts. But keep in mind that all the data will be erased forever and you won’t be able to recover it, i.e. DON'T FORGET YOUR PASSWORD!!!!!

Where can you set these requirements? Go to “Settings” –> “Passcode” (or “Touch ID and passcode”) –> “Require passcode: immediately”; “Simple passcode: off”.



3) Turn off lock screen notifications

This is similar to the stalker/possible killer type scenario or just the nosy work colleague: keep your shit private! The more information you allow to your screen the more exposed you are. You may not think that matters until you are sitting in the pub and your friend sends you a message to ask: "is that asshole Dave there?", and you can then respond saying "yup he's here and by the way he read the message cause I let my phone display everything to the screen.... sorry, plus Dave said he wants the €50 he lent you back!".... Maybe that's exaggerated but don't take any chances.

Where can you set these requirements? Go to “Settings” –> “Passcode” (or “Touch ID and passcode”) –> “Allow access when locked” section.



4) Turn on two-step verification for Apple ID and iCloud



This is a big one, in my opinion it will only be a matter of time before every device that requires a log in will force people to use two-step verification, but just in case I'm wrong you should set it up anyway. Apple makes you wait a few days before you can actually set this up so if you start the process don't forget to log back in and finish it off after.. 3 days I think.

Where can you set these requirements? Go to https://appleid.apple.com –> “Manage your Apple ID” –> “Password and Security” –> “Two-Step Verification”.



5) Turn off automatic sync to iCloud


This is one of those things that could really come back and bite you in the ass, literally! If you have iCloud set up, you have 3G/4G or wifi and you take a picture, boom, it's in the cloud... FOREVER!!! So I don't know, but I'm guessing after a crazy night out you may want to review what pictures leave your phone and head off to god knows where.

Where can you set these requirements? Go to “Settings” –> “iCloud”.



6) Turn off cookies in your browsers


You're now thinking "cookies"? What the hell is this guy on about, there are no "cookies" in my phone, I can't dip this thing in tea! No you can't, and please don't try: your phone won't taste great, it will just stop working. Cookies are small files which almost any website generates and leaves on your device. They may contain some information about you, your computer or smartphone, and your preferences. They help websites keep you logged in, or show you some relevant content including ads, but in some cases they may be very helpful to cybercriminals as they can contain credentials and other sensitive data. The only issue here is some sites just won't work when you disable this, so it's one of those catch 22 situations.

Where can you set these requirements? For Safari: Go to “Settings” –> “Safari” –> “Privacy & Security” section –> “Do Not Track: on”, “Block Cookies: Always Block”; For third party browsers: see similar browser settings.




7) Don’t let apps access your contacts, photos, messages and other private data



This is one of my pet hates, when I download an app for getting dinner recipes why the hell does it want access to my contacts, my camera and my microphone???? And secondly why would anyone allow it access to any of these things? This really is one that you should spend a bit of time looking into.

Where can you set these requirements? Go to “Settings” –> “Privacy”.



8) Turn off the AutoFill option in your browsers


This is another of those be-less-lazy, common sense type things: if this feature is turned on and someone gets your phone, chances are they will be able to log into a number of sites... as you!

Where can you set these requirements? For Safari: Go to “Settings” –> “Safari” –> “General” section –> “Passwords & AutoFill”; For third party browsers: see similar browser settings.

9) Discard automatic WiFi connections to known networks



I don't like this feature at all, and I'm going to tell you why. By having this enabled your phone will not only automatically connect to any wifi network that you logged onto before, but it will also log onto any network with the same SSID (name) as a network that you logged onto before. This is dangerous: think of shopping areas that offer public wifi (which of course you wouldn't use because you're smarter than that). Most of these networks have the same name; a common one in Ireland is "eircom". Therefore your phone will automatically connect to these networks if you ever connected to one of that name before, so I really shouldn't have to explain why this can be a fruitful playground for a cybercriminal.

Where can you set these requirements? Go to “Settings” –> “Wi-Fi” –> “Ask to join networks: on”.



10) Get used to VPN



A VPN or virtual private network is the best way to go to really ensure some safety when browsing the web, especially on those public wireless networks that you would never use. There is also no point going for a free VPN as the speeds and reliability and all that other stuff that you don't really understand won't be great. You can make up your own mind on who to go with for this; I use AirVPN, and they charge around €30 for 6 months with unlimited bandwidth.






So guys, that's it for today if anyone has any questions post them below and I guarantee to get back to you within one working year.