Mac security

Security researchers say USB security ‘broken,’ can take over Macs or PCs

The USB standard has a fundamental security flaw that allows an attacker to take over any device it is connected to, whether PC or Mac, say security researchers in a frightening piece by Wired.

Describing the proof-of-concept they plan to present at the Black Hat conference next week, Karsten Nohl and Jakob Lell say the weakness is fundamental to the way in which USB works. Rather than storing malicious files on a USB device, the researchers managed to hack the USB controller chip that enables a USB device to communicate with a computer, changing its firmware. That means absolutely any USB device, from a USB key to a keyboard, can be compromised.

“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

“You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s clean, [but] the cleaning process doesn’t even touch the files we’re talking about.”

Unlike most malware, which targets Windows, this exploit allows any USB device to emulate a keyboard or mouse, taking complete control of both PCs and Macs.

As it’s undetectable, the exploit could be silently added to a USB key when it is inserted into a PC, and then infect the next device it’s connected to. There is, say the researchers, no protection at all against the method of attack short of never sharing USB devices – treating them as you’d treat a hypodermic needle: only ever using one you know to be brand new, and not dreaming of allowing anyone else to share it.

Latest Mavericks Safari browser safer as Flash finally gets sandboxed

Safari 7, introduced with OS X Mavericks, is now better protected against malware and poorly-written Flash code as Flash is finally sandboxed.

Sandboxing means that OS X restricts what the code can do, stopping a badly-written app from crashing the entire browser and preventing malware from getting access to any other part of your Mac. Flash has been sandboxed for some time in Chrome, Firefox and even Internet Explorer.

In an Adobe blog post, Platform Security Strategist Peleus Uhley wrote:

For the technically minded, this means that there is a specific com.macromedia.Flash Player.plugin.sb file defining the security permissions for Flash Player when it runs within the sandboxed plugin process. As you might expect, Flash Player’s capabilities to read and write files will be limited to only those locations it needs to function properly. The sandbox also limits Flash Player’s local connections to device resources and inter-process communication (IPC) channels. Finally, the sandbox limits Flash Player’s networking privileges to prevent unnecessary connection capabilities.

Safari users on OS X Mavericks can view Flash Player content while benefiting from these added security protections. We’d like to thank the Apple security team for working with us to deliver this solution.

Via CNET

How to: Use a password manager to have strong, unique passwords for each website

Image: redorbit.com

Evernote, Adobe, even Apple … just a few of the companies who have found their user data compromised by hackers in recent times. The possibility of a hacker being able to access one of your web accounts is worrying enough – but if you use the same email address and password for almost all the websites you use, the risk becomes huge.

The first thing a hacker does when they get hold of a list of usernames and passwords is to use automated software to fire them at a whole bunch of popular websites. That means your online security is only as good as the most vulnerable of the websites you visit. Not good.

The answer, of course, is to use a unique – and strong – password for each website you access. But that creates its own hassles. Strong passwords aren’t easily memorised. Sure, we can ask our browsers to store logins for us, but when you might use several different computers, an iPhone and an iPad, you’d have to log in once from each device as soon as you chose the password so it gets stored before you forget it. Not very convenient.

Which is where password managers come in. When you see the instructions, it’ll look like a long process, but it in fact takes only 10-20 mins if you have two or three devices … 