Critical macOS High Sierra Root Flaw

This week, a critical and baffling vulnerability has been discovered lurking within macOS High Sierra that allows users to gain full access (root) to your Mac without a password or any type of verification. Fortunately, this vulnerability only affects the newest version of macOS High Sierra (10.13).

To exploit the weakness, any user with physical access can enter “root” in the username field at any password prompt and hit Enter a couple times to gain unfettered admin access. Behind the scenes, when a user presses Enter once the root account becomes enabled with a blank password, and the second Enter successfully authenticates you.

For more information concerning the vulnerability click here.

Example Video Link.

Prevention

Nearly a day after the vulnerability was released to the public, Apple announced that a patch was now available.

For users who are unable to update to the newest version for any reason, you can enable the root user with a password to prevent exploitation:

  • Open System Preferences and click Users & Groups
  • Click the lock icon and enter your username and password
  • Click Login Options and Join at the bottom of the screen
  • Select Open Directory Utility and click the lock icon.
  • Click Edit on the top of the menu bar and Enable Root User and set the password from there

This mitigation will not allow users to gain access with a blank password.

It is also a good idea to disable Guest accounts as well:

  • Open System Preferences and click Users & Groups
  • Click Guest User, enter your credentials, and uncheck Allow guests to log in to this computer

Sources:
https://thehackernews.com/2017/11/mac-os-password-hack.html
https://objective-see.com/blog/blog_0x24.html

Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into or what sets of compliance and governance policies would you need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu

How to Fix Improper Application of ASLR

Recently, it has been reported that Windows 8, 8.1 and 10 fail to properly implement ASLR. Address Space Layout Randomization (ASLR) is a security technique used to prevent the exploitation of memory corruption vulnerabilities. It does this by randomizing the memory address where application code is run.

In Windows 10, ASLR can be enabled in the Windows Defender Security Center (pictured below).

While researching the (Microsoft Equation Editor) vulnerability, analyst Will Dormann found that ASLR was not randomizing the memory address locations of application binaries in certain situations. Instead, Dormann discovered that programs were relocated, but to the same address every time. It basically means that ASLR is not enabled, leaving users vulnerable.

Workaround

Dorman stated that in order for ASLR to function correctly, users need to enable ASLR in a bottom-up configuration as opposed to the proper configuration.

While Microsoft is working on a patch for the issue, users can follow these steps to correctly implement ASLR:

  1. Create a blank text file and copy the following text: 

 2.  Save the file with a .reg extension.

 3.  Open the Windows Registry Editor by searching for “regedit” from the Start Menu.

 4.  Click File and import the .reg file previously created.

Sources:
https://www.bleepingcomputer.com/news/security/windows-8-and-later-fail-to-properly-apply-aslr-heres-how-to-fix/

Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into or what sets of compliance and governance policies would you need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu

Huge Flaw Discovered in Microsoft Office

In this month’s Patch Tuesday, Microsoft patched a massive vulnerability affecting all Microsoft Office versions released in the past 17 years that allows for malicious code execution. The vulnerability (CVE-2017-11882) affects the Microsoft Equation Editor (EQNEDT32.exe) and was discovered by the Embedi research team.

The Equation Editor is a tool that allows users to embed mathematical equations in Office documents.

The researchers also found that the original Equation Editor was replaced by a new version in Office 2007, but the old one remained as a part of Office to allow documents featuring equations created in older Office versions to be opened.

After noticing that the EQNEDT.exe file spawns its own process unaffected by security features implemented in the Office suite or Windows 10, the Embedi research team was able to use Microsoft’s Binscope to find two buffer overflow vulnerabilities.

You can find more information regarding this vulnerability in Embedi’s full report.

How to protect yourself

Microsoft Office users can do a few things to prevent themselves from being exploited by this attack:

  • Apply the most recent Microsoft Office and Windows Updates.
  • Open documents in Protected View Mode. Users will get a popup asking whether or not they would like to open the file in Protected View Mode if the file contains equations created by the Equation Editor. Protected View Mode prevents the execution of any active content within the document.
  • Users may also disable the execution of the EQNEDT32.exe file by running the following command: reg add “HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}” /v “Compatibility Flags” /t REG_DWORD /d 0x400
  • 32-bit Office packages running on 64-bit Windows OS can input the following command: reg add “HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}” /v “Compatibility Flags” /t REG_DWORD /d 0x400

Sources:

https://www.bleepingcomputer.com/news/security/office-equation-editor-security-bug-runs-malicious-code-without-user-interaction/

 

New Windows 10 Standards for Secure Devices

Earlier this week, Microsoft published an article detailing the new Windows 10 standards consumers should follow to have a secure device, specifically for the Fall Creators Update. The standards include both hardware and firmware features. According to Windows, certain security features are enabled if you meet or exceed the standards.

Hardware

  • Processor: Intel and AMD 7th generation processors are needed to enable Mode Based Execution Control (MBEC), which increases kernel security.
  • Process Architecture: Systems must be able to support 64-bit instructions in order to take advantage of Virtualization-based security (VBS), which is required by the Windows Hypervisor.
  • Virtualization: The system’s processor must support Input-Output Memory Management Unit (IOMMU) device virtualization. For IOMMU, Intel VT-d, AMD-Vi, or ARM64 SMMUs are required.
  • TPM: Systems should have a Trusted Platform Module (TPM) that meets the latest Trusted Computing Group (TCG) specifications.
  • Platform Boot Verification: A feature that ensures the computer will only load firmware designed by the manufacturer. Can be achieved by using Boot Guard in Verified Boot Mode or AMD Hardware Verified Boot.
  • RAM: 8GB or more is required.

Firmware

After doing a little bit of research, I was able to find a few affordable laptops that meet all the specifications besides the TPM. However, a TPM can be purchased separately.  Here are a couple of the affordable options I found:

Sources:
https://www.bleepingcomputer.com/news/security/microsoft-releases-standards-for-highly-secure-windows-10-devices/
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure

 

Cryptocurrency Mining

Recently, there have been reports of different websites leveraging their user’s browsers to mine cryptocurrencies. Researchers at AdGuard decided to try and evaluate the scale and impact of this issue. They looked for CoinHive and JSEcoin code, the most popular browser mining solutions, within the Alexa top one hundred thousand websites list and discovered that 220 of those sites were using mining scripts. Those sites have an audience of approximately 500 million people from all over the world.

Although 220 sites may not seem significant, CoinHive was only launched on September 14th.

The researchers also found that most of the websites were pirate TV and video, torrenting, and adult sites. Based on this discovery, it is important to decide in the future whether or not cryptocurrency mining should be illegal. However, websites can ethically mine if they offer the user the option to opt out.

All the raw data collected during their research can be found here.

How do I protect myself?

There are multiple options users can take to prevent websites from abusing their CPU to mine for cryptocurrency:

  • Install Adblockers: Ublock Origin, Adblock Plus, and AdGuard all now block cryptomining by default.
  • Antivirus: The major AV vendors blacklist known mining scripts, and may give users the option to prevent or allow hidden mining.
  • Install mining blocker browser extensions: AntiMiner, NoCoin, and MinerBlock can all be used to prevent browser mining.

Sources:
https://blog.adguard.com/en/crypto-mining-fever/

MS Office DDE Exploit/BadRabbit Ransomware

Over the past few weeks there have been reports of attackers exploiting a built-in Microsoft Office feature and leveraging it in several large malware campaigns. The feature being exploited is called Dynamic Data Exchange (DDE). It is one of several methods Microsoft uses to allow data sharing between two running applications.

Some of the widespread malware campaigns that leverage DDE include: DNSMessenger, the Necurs Botnet, and Hancitor.

Prevention

Most antivirus solutions will not flag or block MS Office documents with DDE fields because DDE is a legitimate feature.

Microsoft has no plans to release a patch for this issue, but you can prevent DDE attacks by disabling the “update automatic links at open” option in Office programs.

You can do this by following these steps:

  1. Open a MS Office program
  2. Select File → Options → Advanced
  3. Scroll down to General and uncheck the “Update automatic links at open” box.

However, with attacks like this, the best method of prevention is to be suspicious of documents sent via email and to verify the authenticity of the sender.

 

BadRabbit Ransomware

On Tuesday, yet another major ransomware campaign spread across Russia, Ukraine, and Eastern Europe. The organizations initially affected included the Ministry of Infrastructure, Kiev metro, Odessa International Airport, and a few Russian Federation state organizations.

The ransomware, dubbed BadRabbit, was initially spread via drive-by downloads from legitimate news sites masquerading as an Adobe Flash Player update.

Prevention

A vaccine was found relatively early in the community’s analysis of BadRabbit by security researcher Amit Serper.

You can apply the vaccination by following these steps:

  1. Create c:\windows\infpub.dat & c:\windows\cscc.dat files. Open an admin Command Prompt and enter the following commands:
    1. echo “” > c:\windows\cscc.dat
    2. echo “” > c:\windows\infpub.dat
  2. Remove all permissions:
    1. Right click each file and select Properties.
    2. Select the Security tab → Advanced Change Permissions.
    3. Uncheck the “Include inheritable permissions from this object’s parent” box and click Remove on the pop-up that appears.
    4. Windows 10 users need to click Disable inheritance instead of unchecking the “Include inheritable permissions from this object’s parent” box and then select “Remove all inherited permissions from this object”.

Sources:
https://thehackernews.com/2017/10/ms-office-dde-malware-exploit.html
https://threatpost.com/badrabbit-ransomware-attacks-hitting-russia-ukraine/128593/
https://www.helpnetsecurity.com/2017/10/25/bad-rabbit-ransomware/

KRACK/Lessen the chances of shoulder surfing

Earlier this week, a critical vulnerability in WPA2 was exposed to the public. Security researchers found that WPA2 can be abused to eavesdrop on traffic users believe to be encrypted. The attack, dubbed KRACK (Key Reinstallation Attack) affects all correct implementations of WPA2 because the flaw resides in the Wi-Fi standard itself. You can find more details concerning the vulnerabilities on KRACK attack’s website.

Mitigation

Here are some recommendations for mitigating this attack:

  • Patch your devices. U.S. CERT released a list of vendors that were affected, but keep in mind it is most likely not definitive. Also, here is a list of all the vendors that have released patches so far.
  • Enable Multi-Factor Authentication (MFA).
  • Use a VPN.
  • Make sure sites you visit are encrypted with HTTPS.
  • Smartphone users can switch to using mobile data instead of Wi-Fi when visiting sites that handle sensitive information.
  • Use a wired ethernet connection instead of Wi-Fi until patches are available for your devices.

 

Lessen the chances of shoulder surfing

According to researchers from the US Naval Academy and the University of Maryland Baltimore County, attackers are able to discern “swiping” unlock patterns implemented in Android devices significantly more easily than PIN combinations.  The researchers showed nearly 1200 people videos recorded from different angles of users unlocking their phones via patterns and PIN. What they found was that after only one viewing of users inputting their pattern, shoulder surfers were able to reproduce it 64% of the time. However, after removing feedback lines, only 35% of the attacks were successful. In comparison, only 10% of attackers were able to replicate a six-digit PIN after one observation. 

You can find more information regarding their research in their paper.

Increase your security

Below are some recommendations for increasing your defenses against shoulder surfing attacks:

  • 6-digit or longer PIN.
  • Biometrics (fingerprint or face).
  • Disable feedback lines (Settings > Lock screen and security > Secure lock settings) if you still prefer to use a pattern over PIN.

Sources:
https://www.helpnetsecurity.com/2017/10/16/wpa2-weakness/
https://www.helpnetsecurity.com/2017/09/25/android-unlock-patterns/
https://www.usna.edu/Users/cs/aviv/papers/avivACSAC2017.pdf

OnePlus Data Collection Practice/Apple ID Phishing

Earlier this week, security researcher Christopher Moore published a blog post detailing the questionable data collection practice of OnePlus. OnePlus is a smartphone manufacturer based in Shenzhen, China that runs OxygenOS, a custom version of the Android operating system.

The Shenzhen based company has been proven to be collecting user identification information in addition to the basic data most device manufacturers and software developers gather to improve the quality of their products.

After intercepting the data his OnePlus phone sends to its servers, Moore discovered that the company was collecting:

  • User’s phone number
  • MAC addresses
  • Device serial number
  • Mobile network(s) names
  • Wireless network ESSID and BSSID
  • IMEI and IMSI code
  • Time stamps when users lock and unlock their phone
  • Time stamps when users open and close apps on their phone
  • Time stamps when users complete activities in apps.

Moore contacted OnePlus support through Twitter about the situation, but was given no solution to the problem. Thankfully, an Android Developer named Jakub Czekanski provided a permanent fix to disable the data collection feature without having to root the device.

He stated on Twitter that a user can directly connect their OnePlus smartphone to a computer in USB debugging mode, open an adb shell, and enter: pm uninstall -k –user 0 net.oneplus.odm to permanently disable the data collection feature.    

Apple ID Phishing

iOS Developer Felix Krause demonstrated a hard-to-detect phishing attack that can steal your Apple ID password. In his blog post published earlier this week, Krause showed how malicious apps can use UIAlertController to present fake alert messages to the user and steal their Apple ID password. iOS prompts users for their passwords all the time and that has led to people entering their passwords without thinking. Although he states that it is very easy to replicate Apple’s alert message, he claims there is no record of this kind of attack appearing in the wild.

You can circumvent this type of phishing by pressing the home button whenever a sign-in alert pops up. If the app closes and the alert remains, the message is legitimate. If both the app and the dialogue box close, then that was a phishing attempt.

It is also wise for users to never enter their credentials into a system pop-up unless they go directly to the source and to enable multi-factor authentication.

Sources:
https://thehackernews.com/2017/10/apple-id-password-hacking.html
https://thehackernews.com/2017/10/oneplus-oxygenos-analytics-data.html
https://www.chrisdcmoore.co.uk/post/oneplus-analytics/

EFI Firmware Vulnerabilities Present in Millions of Up-to-Date Macs

Researchers at Duo found that Mac users who have kept up with security updates may be much more vulnerable than they expect. During their research, Duo analyzed over 73,000 Macs and discovered that 4.2% of them did not have the correct EFI firmware version they expected. Intel-Designed Extensible Firmware Interface (EFI) is used by Apple for Macs and is responsible for controlling the boot process. EFI runs before the OS boots up and has high enough privileges to allow an attacker to take full control undetected. In addition to EFI attacks being hard to detect, removing the adversary is also very difficult. In fact, replacing the hard drive or installing a new OS will not dislodge the attacker.

More details concerning the vulnerability can be found in Duo’s blog post.

Takeaways

  1. It seems that Apple has been neglecting to push out EFI updates to some systems, or in some cases the firmware updates fail without presenting an error message, leaving the user unaware.
  2. If you are running any version prior to 10.12 Sierra, there is a possibility your EFI firmware has not been updated.
  3. According to Duo, if you are using one of the 16 Mac models listed below, your system has not received any firmware updates at all.  

 

What Should I Do?

  • Check if you have the latest version of EFI with a tool Duo created called EFIgy. It can be downloaded here.
  • Update to the latest version of macOS (10.12.6) to ensure you receive the latest EFI version and patch any known software vulnerabilities.
  • If you are running a Mac that is on the list above or you are not able to update to version 10.12.6 due to hardware or software reasons, unfortunately you will not be able to run the updated EFI firmware.
  • If you are not able to run up-to-date EFI firmware for any reason, you can still download EFIgy to determine if your version of EFI is vulnerable.

Threat Modeling

If you use a Mac for work or you’re a Mac sys admin and your systems are vulnerable to an EFI attack, it is important to determine how a compromised system could impact your environment. In situations like that, Duo recommends that you either shift those vulnerable Macs to a role where they are not exposed or retire them completely. However, this all depends on the value of your data and the nature of your work. It is up to your organization to decide whether or not you are willing to accept the risk of having vulnerable systems within your network.

So far, attacks against EFI have mainly been utilized by sophisticated attackers with high value targets in mind. Therefore, if you are a Mac home user there is not much to worry about according to Duo. As of today, there have been no reports of EFI exploits in the wild.

Sources:
https://www.helpnetsecurity.com/2017/09/29/mac-software-secure-firmware-vulnerable/
https://duo.com/blog/the-apple-of-your-efi-mac-firmware-security-research
https://thehackernews.com/2017/09/apple-mac-efi-malware.html

Disaster Recovery Best Practices

TeraGo released a white paper detailing disaster recovery best practices. They performed a survey in partnership with IDC Canada of different Canadian organizations’ disaster recovery plans and found most were not prepared. In fact, 45% of the surveyed organizations admitted they could not identify the data crucial to running their business and the potential threats to their IT infrastructure.

They included seven steps for creating an effective disaster recovery plan:

  1. Perform a risk assessment and and business impact analysis to determine critical infrastructure, threats and potential consequences.
  2. Define RTOs (recovery time objectives) and RPOs (recovery point objectives) for crucial services. In the event of an outage or disaster, how much data loss is acceptable? How long can a service be down before impeding the production of the business?
  3. Develop an easy-to-use procedure that gives instructions for recovering damaged IT assets and returning them to normal performance.
  4. Simulate a disaster and plan for all scenarios. Teach suitable staff members the different processes and procedures needed in disaster recovery situations. Who does what, when, and how.
  5. Make sure there is at least one backup staff member with critical skills to pass on their knowledge.   
  6. Define policies and test frequently. Testing can be done on site, off site or with a vendor who can confirm the validity of your procedures.
  7. Document the time-to-remediation for all facets of your IT infrastructure to mitigate the negative impact of downtime.

You can download the white paper here and find more information regarding disaster recovery here.

Sources:
http://www.bitpipe.com/fulfillment/1505152587_272
https://www.ready.gov/business/implementation/IT