If I could, I would kick the guys responsible¹ for the disclosure in the ass. Why? We now have a youtube video with shitty music (proving essentially nothing), some scaremonger articles with a lot of prose around very few interesting bits, and most importantly, a friggin' hashtag. And of course, a name for the vuln.
But nothing, absolutely nothing, on how to protect myself as an ordinary user. The only thing I was able to infer from the craptastic video is that the user they're escalating from is member of the "admin" group, i.e. not a "Standard User" but an "Admin" in OS X lingo.
Among other things, the most obvious difference to regular accounts is that "Admin" users can use sudo by default, but no clue whatsoever is given about what is exploited here. Some pipe-fu with sudo? Or a stupid setting by Apple allowing "admin" group members to do dangerous things without (re-)authentication?
In closing, best make sure you're using OS X as a "Standard" User, not "Admin". In my experience, it's quite painless.
Edit:
> "Normally there are 'sudo' password requirements, which work as a barrier, so the admin can't gain root access without entering the correct password. However, rootpipe circumvents this," he says.
This at least hints at the possibility that said exploit does not work from a standard user. So there's that...
¹most likely not the researchers themselves, but some "CEO" or other suit-level.
This is rich. Instead of "kicking the guy in the ass" for disclosing his findings, I'd recommend kissing his ass for disclosing this responsibly. If he wouldn't have, you, me, and many other people would be in a lot of trouble now, wouldn't we? And while we're at it, you might be interested in finding out how things like "full disclosure" and "responsible disclosure" came about in the first place. Spoiler alert, you may not like the answer.
"[...] nothing, absolutely nothing, on how to protect myself as an ordinary user." Really? He gave you two tips, didn't he? Make sure your default account doesn't have admin rights and use FileVault. He obviously can't tell us why FileVault helps without risking our safety. That's clearly not nothing.
My critique was aimed at the form of the disclosure, not the act itself. This may have not gotten through for various reasons.
> Really? He gave you two tips, didn't he?
I do stand corrected. Either the last paragraph was edited into the article after I wrote my comment, or I did not see it the first time. Unfortunately, I can no longer edit my previous comment.
It was derided by everyone because for years, it was difficult to use Windows as an unprivileged user because so many consumer apps assumed every user account had admin permissions.
Microsoft broke this chain of bad decisions in Vista--which itself resulted in the much-derided flood of UAC warnings.
After this past year with all of its vulnerabilities, I feel so uncomfortable when I really consider it. I make online payments at least a few times a week using my credit card. I log into my web based email multiple times per day.
I feel so naked.
Has anyone who uses brew and other dev stuff tried running Mac OS as a user account? Does it work out well?
The real question is why don't credit cards and bank transactions have two factor auth, or one time tokens. Someone shouldn't be able to steal money just by hacking one account or getting one number.
In Sweden, all cards that are issued are forced to use that "Verified by" Visa and Mastercard "SecureCode" program for two-factor authentication. Merchants can turn it off, but then they're liable for misuse - so plenty of places have it on by default.
Some banks require that you use the token generator you've gotten to log on and manage your bank account, while most others use a separate password for the Verified by Visa/Mastercard SecureCode thing.
I don't know if it's really fair to call Verified by Visa two-factor authentication as your card number is just another string (that can be replicated). With Verified by Visa you go from one to two "passwords".
It adds a "something you know" (password, PIN/Password to your token generator) factor to the "something I have" (The card, with numbers on front and back) factor, so I would say it's fair to call it two-factor authentication.
I beg to disagree. The credit card is "something you know" just as much as "something you have", because when used on the web it is just a (copyable) 23 digit number. Whether you remember the number or look it up in your wallet is no different than whether you remember your password or store it on a post-it.
Other things "you have" in popular 2FA solutions are quite different, for instance your mobile phone number identity (for SMS) or your Google Authenticator.
I generate a one-time card number for each online purchase. Only valid for a specific time and up to a specific amount. Supported by some banks. Pretty good solution in my opinion.
In Germany most of the banks use ChipTAN [1] for online banking. With that scheme it's impossible to make any transaction without having physical access to the card.
I really hate that. It means that I have to carry another wallet-sized thing around with me just to buy stuff online. Thankfully, my bank uses a password-based authentication system, so I can carry everything I need in my mind.
I prefer the good old paper sheet of TANs, which at least DKB still uses. I had that exact pictured chipTAN reader; the display failed after about a year, and it was incredible hassle to get a new one activated with the Berliner Volksbank. It wasn't very good at reading the flashing barcode either, usually took a few tries.
It's a good idea, certainly, just a partly lousy implementation. Some banks will offer the option of sending you a TAN via SMS instead (so your phone is the "something you have"), but usually for a fee.
edit: I'm talking about online banking and money transfers from there->
In Finland one bank (Nordea) uses one-time passwords so you get a pad with passwords in the mail (they automatically send new ones when you're about to run out) and you need to use them sequentially to log in, only the numeric "username" is static. Then when you try to transfer money you also need to input a challenge-response from the same pad.
IIRC another bank (Danske Bank) allows you to set a static username and password but you must also enter a challenge-response from a permanent pad to log in and to initiate transfers as well.
Can't speak about the others but they should be about the same.
Americans apparently just use a static username and password which is pretty mind boggling.
My wife is Finnish, and I've seen that pad of "words" used.
In the UK we tend to have a static username and password then either a hardware device, or a "Enter characters 1, 3, 8 from your secret information". (Where the secret information is 8-10 characters long and you're requested to enter from random offsets each time.)
I've used both systems, and entering three characters from the secret information is the least hassle, but not as reassuring as the hardware token.
Here in the Netherlands we have 2 factor authentication on all bank payments and most credit-card payments. The two-factor here works with a token-generating device in which you have to insert your card and PIN. The only exceptions are unsafe US payment portals that don't support the two-factor triggers properly, but that is just for CCs.
I lived in the US for 6 months and was surprised to find that my American colleagues found it less safe to use a bank card (with PIN) than a CC. Their arguments were that 'if someone gets your card AND PIN, they can do anything' as opposed to someone stealing JUST your CC and then he can do anything... Yes, seems much safer.
All of my US credit cards have a verification number that is required as well as the CC number for any online transaction. It's not that much different from a PIN.
We also have zero liability for unauthorized CC charges. So even if someone were to do that, the bank would be on the hook, not the user. Banks rely on a lot of computer analysis to determine whether a charge should be allowed.
It's much more of a pain to get money back into your bank account after it's been withdrawn. So although it's technically true that a bank card with PIN is more secure, to the end user, it's not any better.
>All of my US credit cards have a verification number that is required as well as the CC number for any online transaction. It's not that much different from a PIN.
This depends on the bank. Ex-PostBank ING clients get a TAN via SMS for every transaction (or a paper list of TANs if you really want it). Recently, they added that when you log in from a different machine/location than usual, you get a similar code via SMS (or from a different but similar paper list, I guess), called a PAC.
This probably depends on the regulation of the country.
For example, in India, by LAW, all domestic online transactions go through two-factor authentication. For one of my cards, I need to enter a secondary password while for another I need to enter a pin texted to my mobile. The second option is a hassle though, especially when I am travelling abroad and my standard mobile number is not functional.
For international transactions, this does not apply and the card details are enough for the transaction to go through. I guess there is no standard agreement between countries which Visa, MasterCard or Amex can implement (these are the only payment networks I use).
3DSecure works internationally and can be used to implement 2FA or passwords. It's common in parts of Europe and Asia, but seems less so in the US. http://en.wikipedia.org/wiki/3-D_Secure
My Debit Card (VISA) is issued by a Greek bank (Piraeus Bank) and has two-factor authentication, for both sending money and making online payments.
When I make online payments, I get redirected to a page where I have to answer a question/answer I've set up a priori.
The two-factor authentication is optional. I enable it to feel more secure. I don't make too many online payments, but I do at least 5-6 times per month.
It's possible that this will change in the near future with things like https://getfinal.com/. Their product video also happens to be one of my favorites made by Sandwich (http://sandwichvideo.com/).
Some do, my Swedish debit card does. It only works on stores that support 3DSecure though https://www.flickr.com/photos/kalleboo/2486214902 (looking at the date of my photo, this has been in place for 6 years now)
Yes. Everyone at Matasano runs from a standard user account. It's not a big deal at all. Nor is it a concession to insecurity on OS X; it's been Matasano's policy for almost a decade, and they inherited it from earlier companies, because not doing all your work from an admin account just makes sense.
Completely agree. Just saying that a vulnerability exists is a big thing, because it motivates hackers to search for it.
I seriously doubt it will take more than until January for another person to find it.
Especially since he narrowed it down so much.
Gaining a root shell by piping something into sudo that causes it to skip asking for a password? That's what I took away from the article, and it certainly sounds like a plausible attack vector. Scary stuff!
So Apple have known about this for a few days, at least. If it's as serious as it sounds, they'll hopefully have a patch v. soon, if not already; when was the latest security patch for 10.10?
Welcome to the club? PrivEsc exploits are becoming more common as sandboxes increase in popularity. Windows had a few such bugs exploited by real attackers as zerodays in the last month (check CrowdStrike and FireEye blogs). I don't think this is news. It is simply a matter of effort whether an attacker will escalate privileges to root or kernel; it depends on the value of the data they are after.
I recently worked with a specialized team that assisted some high-profile, quasi-governmental entities in comprehensively assessing the current state of Mac OS security. Based upon that and other vectors, I've got some info that may or may not be of interest to yourself and others here.
If you're implying this new exploit and perhaps the other high-profile malware issues in more recent years are indicative of hacker interest due to surging Mac OS market share, I'm not sure that's entirely correct.
Outside of Apple iOS (mobile), Mac OS X (desktops and laptops) market share hasn't risen relatively that much over the past decade or so. And, in recent times, even the peak is only a few percentage points higher than it's been for many years.
When Mac OS market share was lower back in its Mac OS 9 days, there were far more widespread, problematic malware issues (viruses, trojans, etc.) that were propagating fairly well in the wild (by Apple's standards). That scenario proves that hackers were interested in Mac OS devices even when the Mac OS market share was lower than it is today.
Since the 90's, Macs have hovered around approximately 1 in 10 (give or take) of all computers in the United States with a customer base of a predominately higher income demographic. In other words, one may very well get more money out of a smaller subset of Mac users than a larger group of typical Windows users. Therefore, Macs have always been a target for a subset of hackers that, er... "specialize" in that kind of scenario.
In other words, while Mac OS market share may play some minor role in hacker interest in the platform overall in recent times, there hasn't been a huge surge in market share that would account for some radically increased hacker interest.
The reason malware was drastically reduced on the Mac platform since it switched from OS 9 to OS X (based upon a flavor of UNIX) was because of the superior security Mac OS X afforded the platform compared to Mac OS 9. That's why even as market share gradually climbed, overall Mac OS malware dropped dramatically for most of the past decade until more recent years.
I think the relatively small increase in malware (compared to Mac OS 9) for Mac OS X in the last few years is due to the fact that over time hackers are more likely to find exploits the longer they poke and prod at an OS. Also, over time, Apple programmers are increasingly likely to make mistakes here and there as time and piles of code go on.
And, perhaps Apple is slipping in quality in regards to security for various reasons since their resources have been somewhat distracted with iOS devices in more recent years. Plus, over time, the amount of hackers, hacking skills, knowledge and tools have been increasing and improving quite drastically worldwide especially more so in recent years.
On top of those issues, there's been more attention brought to Apple via an iOS halo effect from iPads and iPhones that perhaps plays into more hacker interest in the Mac OS. I also suspect that the abundance of high-profile Apple commercials over the years has perhaps influenced some hacker perceptions that the Mac OS platform is more ubiquitous than it really is. And, the icing on the cake is perhaps more disgruntled hackers and hacktivists who are increasingly disillusioned or even hostile with the Apple brand for various reasons over the years.
But, as far as purely Mac OS X market share goes, there really hasn't been that large of an uptick to prod properly educated hackers to take much more interest than they did a few years ago or even a decade ago overall based upon market share alone.
I've always run as non-admin, what OS X calls a Standard user.
When I first started doing this (about 10 years ago) I ran into some problems if I attempted to authenticate from a standard user to an admin user when trying to do sys admin stuff. I'd get weird permission errors.
So now when I want to do admin stuff like install software, I don't attempt it as a standard user. I simply log in to the admin account and install from there. Also I always log in to admin account when doing software updates such as for Firefox.
If you adopt this mindset it's really very simple to stick to it, and it's hardly much of an inconvenience. At least not for me, I'm not installing software every day.
Also when I'm about to visit a dodgy website or run some suspect software I log in to the Guest user account. That doesn't protect against local root escalation, but at least it's something. Then when I log out, I hopefully leave my problems behind.
Finally I maintain yet another account solely for accessing my financial sites. That way if my day-to-day account gets compromised, I still have a modicum of protection.
I really should use a separate machine solely for financial transactions. But I don't. I doubt if even 1% of people do. Any old machine should work, no matter how slow, because it's not used very often.
> I really should use a separate machine solely for financial transactions. But I don't. I doubt if even 1% of people do. Any old machine should work, no matter how slow, because it's not used very often.
I think it has more potential for danger: since it is not going to be used often, you would lack the security updates, which might leave the computer vulnerable (e.g. shellshock). You might do all the updates before doing any transaction, which is very troubling to wait for. But depending on the attack surface, there might be a window for attack between when you connect to the internet and when you do the updates.
One example is you could get attacked via shellshock from a malicious / infected router over DHCP.
> I've always run as non-admin, what OS X calls a Standard user.
Ditto. Only difficulties that come to mind are some installers failing to escalate, Adobe in particular.
Using separate accounts for dodgy and financial sites is a good idea, but I don't know if I'd stick to it. I fell out of the habit of using a separate account for building software.
If it's cumbersome, you could always edit the sudoers file to make things easier (although it's not a great idea if you're not using it often). If you do that, then you would have the best of both worlds - being able to sudo on terminal from your standard account (with or without password, as desired) while also using it with lower privileges for all GUI applications.
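An added example, not from any comment in this thread: a small POSIX shell script that checks whether the current OS X account is in the "admin" group and prints a sudoers drop-in scoped to a couple of commands, next to the broad "no password for anything" form the comment above alludes to. The command paths (/usr/sbin/softwareupdate, /usr/sbin/networksetup) and the user name are assumptions; the group list is passed in as a string so the check can be exercised on any system.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the two command paths exist
# on the machine; on OS X, `id -Gn` yields the space-separated group list.

# Return 0 (true) if the given group list contains the OS X "admin" group,
# i.e. the account is an "Admin", not a "Standard" user.
is_admin_member() {
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

# Render a sudoers line that lets ONE user run a fixed set of commands as
# root, with the usual password prompt kept. $1 = user, rest = absolute paths.
scoped_sudoers() {
    user="$1"; shift
    cmds=""
    for c in "$@"; do
        cmds="${cmds:+$cmds, }$c"
    done
    printf '%s ALL=(root) %s\n' "$user" "$cmds"
}

# The broad form: the Standard account can become root for anything without a
# password, which makes it an admin account in all but name (and worse, since
# not even the sudo password stands in the way).
broad_sudoers() {
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
}

if is_admin_member "$(id -Gn)"; then
    echo "Current account is in the admin group"
else
    echo "Current account is a Standard user"
fi

echo "Scoped rule (install with visudo -f /etc/sudoers.d/<name>, assumed path):"
scoped_sudoers "$(id -un)" /usr/sbin/softwareupdate /usr/sbin/networksetup
echo "Broad rule the comment mentions (avoid):"
broad_sudoers "$(id -un)"
```

The scoped rule keeps GUI applications unprivileged while letting the terminal run only the listed commands as root; anything in the list that can spawn a shell or edit arbitrary files would hand over root just as effectively as the broad rule.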
There are absolutely no problems with using a non-admin user account. Just better isolation, better security and a few inconveniences.
Using a standard user account was one of the things I started with on OS X after being used to the "user must be administrator" paradigm that's deeply entrenched in the Windows world for a very long time. Before Windows Vista came up with some way of UAC (User Access Control), being an administrator user on a Windows system was the least painful way to use the system. This style is still propagated even today in several companies with the latest versions of Windows.
The philosophy about being a non-admin user also ties into the UNIX-ness of OS X, and in all *NIX systems the recommendation is always to use a standard account and switch to a superuser/root account only when needed within a specific terminal for a specific task and exit out as soon as that work is done. When people on *NIX joke about "rm -rf /", there are people who remember the wounds of such experiences from real life when running as root (fortunately, I didn't have to learn from experience). :)
The "annoyances" for a standard user on OS X are that installing applications into /Applications or unlocking panels in System Preferences (if it has been configured to be that way) needs administrator credentials. And it's also required if one fancies getting into system (or protected) directories and wants to move/delete/rename/add files.
On the terminal, when needed, I switch from the standard user to the administrator account and then use sudo. It is indeed a little more cumbersome than providing sudo privileges to the standard user account, but it's not often that I need this and I don't find this inconvenience as a big waste of time.
On a lighter note, using a *NIX system as an administrator user all the time seems dirty, just like using a Windows system as a non-admin user does. :P
P.S.: Couldn't figure out a way to escape and type an asterisk followed by a non-whitespace character for the * NIX references.
I've run my OS X machines from a non-admin user for at least 5 years. I do developer-y type stuff like SSHing into Linux servers with key authentication, running a local web development environment (MAMP), installing brew applications from the command line, editing my /etc/hosts file, etc.
It all works fine. For most things, like software installs and updates, I just get prompted for admin account credentials. For a few things (brew and editing hosts file), I su to my admin account in Terminal, then run the command.
I can't remember the last time I actually logged into my admin account, though.
I do, routinely. I get occasional admin challenge dialog boxes that are easy to deal with. Once in a great while, I'll have an issue with something quite simple, like trying to save a Mail attachment to a folder in Documents, and I get a "can't do this because you don't have permission to write to etc.". Annoying, but happens rarely and so far has always been fixable with a reboot.