This means that when a Mac has its screen locked or returns from a sleep state, the password will still be in memory. Furthermore, the password doesn’t get scrubbed from memory on reboot and is only shifted around to a different location within a fixed memory range, according to Frisk.
The only time the password is removed from memory is when the Mac is shut down because that’s when RAM contents are completely cleared. The researcher created a hardware device running his custom software that he dubbed PCILeech.
The device is capable of extracting FileVault passwords via DMA. “This makes it easy to just plug in the DMA attack hardware and reboot the Mac,” Frisk said. “Once the Mac is rebooted the DMA protections that macOS previously enabled are dropped.
The memory contents, including the password, is still there, though.
There is a time window of a few seconds before the memory containing the password is overwritten with new content.” Frisk presented DMA-based attacks against the Linux, Windows, and OS X kernel at the DEF CON security conference in August, but he discovered the implications for Apple’s disk encryption after his presentation. He kept his findings secret until now at Apple’s request. The researcher confirmed that the macOS Sierra 10.12.2 update released this week fixes the security issue, at least on his MacBook Air. “The solution Apple decided upon and rolled out is a complete one,” Frisk said. “At least to the extent that I have been able to confirm.
It is no longer possible to access memory prior to macOS boot.
The mac is now one of the most secure platforms with regards to this specific attack vector.”
But creating an exploit by overwriting memory wasn't necessary because FileVault passwords were stored in cleartext and were not evicted from memory once the disk was unlocked. Obtaining the disk password was simply a matter of connecting the PCILeech device to a Mac and rebooting it, Frisk explains. "Once the Mac is rebooted, the DMA protections that macOS previously enabled are dropped," said Frisk in a blog post on Thursday. "The memory contents, including the password, [are] still there though.
There is a time window of a few seconds before the memory containing the password is overwritten with new content." Frisk discovered the vulnerability in July and presented details in August at Def Con 24.
The presentation also described attacks on Linux and Window systems. Youtube Video Apple was subsequently notified and requested that Frisk delay public disclosure until it could deal with the issue, which it has done through its software update. Frisk says it is no longer possible to access memory prior to the boot process on an updated Mac, making it one of the most secure platforms against this specific type of attack, at least with regard to publicly disclosed vulnerabilities. ® Sponsored: Want to know more about PAM? Visit The Register's hub
If you're reading Ars, that can only mean one thing: you'll be answering technical questions that your relatives have been saving since the last time you visited home. This year in addition to doing the regular hardware upgrades, virus scans, and printer troubleshooting, consider trying to advise the people in your life about better safeguarding their security and privacy. Keeping your data safe from attackers is one of the most important things you can do, and keeping your communications and browsing habits private can keep that data from being used to track your activities. This is not a comprehensive guide to security, nor should it be considered good enough for professional activists or people who suspect they may be under targeted surveillance.
This is for people who use their phones and computers for work and in their personal lives every single day and who want to reduce the chances that those devices and the accounts used by those devices will be compromised.
And while security often comes at some cost to usability, we've also done our best not to impact the fundamental utility and convenience of your devices. These recommendations simply don't represent the absolute best in security and privacy—the Electronic Frontier Foundation (EFF) has excellent, more in-depth guides on security for activists and protesters that you can read if you want to get even further out into the weeds.
But these are all good, basic best practices you can use if, like so many of us, you want to protect yourself against security breaches and trolls.
Feel free to share it directly with those in your life who insist on doing the computer work themselves. Protecting your devices Install updates, especially for your operating system and your browser This ought to be self-evident, but: install updates for your phones, tablets, and computers as soon as you can when they’re made available.
The most important kinds of software updates are those for the operating system itself and for your browser, since Chrome, Firefox, Safari, Edge, and the rest are common points of entry for attackers. Updates for password managers and other apps on your system are also important, though, so don't ignore those update prompts when you see them. Waiting a day or two to make sure these updates don’t break anything major is fine, but don’t ignore update prompts for days or weeks at a time.
By the time an update exists for a security flaw, it is often already being used in attacks, which is why it’s important to install updates as quickly as possible. On this note, also be careful about using Android phones, which often run out-of-date software without current security patches.
Google’s Nexus and Pixel phones, which get software updates promptly and directly from Google, are the best way to make sure you’re up to date; while Samsung’s newer smartphones are also patched relatively promptly, everything else in the Android ecosystem is hit or miss. Use strong passwords and passcodes Having your accounts hacked is what you should be the most worried about—more on this later—but it’s also important to secure the devices you’re using to access those accounts. It goes without saying that you should use a good, strong password to protect every single user account on any PCs or Macs. On smartphones, you should use as strong a PIN or password as you reasonably can.
If your phone uses a fingerprint reader, take advantage of that added convenience by locking your phone with a strong alphanumeric password.
Target a 12- to 14-character minimum, since shorter passwords are more susceptible to brute force attacks. Encrypt your phones and computers If you need an oversimplified but easily understood way to explain "encryption" to someone, think of it as a massively complex decoder ring; when data is encrypted, it can only be accessed and read by a person or device that has the “key” needed to translate it back into its original form.
It’s important to encrypt your communications, and it’s also important to encrypt the devices you use to access any sensitive data since that data can be stored on them locally whether you realize it or not. The basic encryption guide we ran last year is still current; I’ll cover basic guidelines here, but refer to that for fuller details. iPhones and iPads are encrypted by default. Use a strong passcode and you’ll generally be fine. Macs are not encrypted by default, but FileVault disk encryption is fairly easy to enable in the Security section of the System Preferences. Some newer Android phones are encrypted by default, but go to the Settings and check under Security to confirm (this may differ depending on the phone you use).
If the phone isn’t encrypted, it’s fairly easy to turn it on in the Security settings; protect the phone with a strong passcode afterward. Older phones and tablets may suffer a performance hit, but anything made in the last two or so years should have no major problems. Windows PCs tend not to be encrypted by default, and it’s only easy to enable encryption on newer PCs with the more expensive “Pro” versions of Windows. Windows can be encrypted by default, but only by supporting an esoteric list of requirements that few PCs meet. Protecting your accounts Two-factor authentication The most significant thing you can do to protect your e-mail, bank, Apple, Facebook, Twitter, Google, Amazon, Dropbox, and other accounts is still to enable two-factor authentication (sometimes called two-step authentication or 2FA).
This means using a combination of multiple credentials to get into your account, usually a password and a six-digit code sent to your phone or generated by an authenticator app. There are three primary types of authentication: something you know (i.e. a password), something you have (i.e. your phone or a secure key), or something you are (i.e. your fingerprint or face).
To be considered “true” two-factor authentication, each factor needs to be from a different one of those three categories.
So, for instance, something that requires a password plus your phone is two-factor authentication.
Something that just asks you for two passwords is not, since they’re both something you know. SMS texts sent to your phone are relatively easy to hijack for determined attackers, so you should definitely use an authenticator app whenever possible.
I prefer Authy, but Google Authenticator is also widely used. When you enable two-factor authentication on an account, the first time you log in to an account on a new phone or computer, you’ll generally be asked to enter a special code after you enter your password.
Anyone who has your password but doesn’t have the code can’t get into your accounts. You may also need to sign back in on all of your other devices before you can use them with your account again. Here are instructions for setting up two-factor authentication for a variety of services; if you can’t find yours on this list, Google is your friend; twofactorauth.org is also a helpful resource. Apple Google Microsoft Twitter Facebook Dropbox Slack Amazon Paypal Venmo Stripe Using a password manager (and good password practices) Two-factor authentication is great, but it’s only extra protection on top of good, strong passwords and password practices.
Security researcher Brian Krebs has a good primer on password security here, but the most important things to remember are: Don’t use the same password for multiple sites/services, especially if you use those sites/services to store personal data. Change your password regularly, and change it immediately if you suspect that the service has been hacked or that someone else has tried to use your account. Use the strongest passwords you can. Using various characters (capital and lowercase letters, numbers, punctuation) is important, but password length is also important.
Consider a 12-to-14-character password to be a useful minimum, depending on the site’s password policies. Remembering passwords is annoying, especially if you’re changing them all the time. One solution to this problem is to use a password manager.
These are apps that generate long, random, complex passwords and store them for you in encrypted form either on your device or in the cloud. You have to set and remember one strong master password (we recommend perhaps writing this down and putting it in a safe and secure place), but the app does the rest. There are lots of password managers available, but 1Password is probably the best known and best supported.
It costs $2.99 a month for one person and $4.99 a month for a family of up to five people, and there’s a 30-day free trial available as well. LastPass is also an OK free alternative, though this sort of protection is worth the cost.
It’s also generally a good idea to support companies that do security- and privacy-related work going forward. Protecting your communications and Internet use Enlarge / WhatsApp is one messaging service that features end-to-end encryption, though it's no longer your best option. Andrew Cunningham Using Signal for SMS and voice calls Protecting your communications from being intercepted and read is one of the most important things you can do, but it’s also more difficult than other security measures we've discussed so far. Using an encrypted messaging service is the best way to protect your texts from prying eyes.
If you’re using Apple’s iMessage service (i.e. blue bubbles), you’re already using an encrypted service, but the downside is that it only works between two Apple devices and that Apple may still be able to hand out your data if asked. For communications between an iPhone and an Android phone or between two Android phones, your best option is Signal, a secure SMS app by Open Whisper Systems that provides encryption for both texting and voice calls.
Both you and your recipient will need to have Signal installed for it to work, but the app makes it easy to send out download links to your recipients and it’s easy to set up and use.
The EFF has detailed installation instructions for iOS and for Android. Another encrypted messaging service you may have heard of is WhatsApp, but the company’s acquisition by Facebook in early 2014 has given rise to some concerns among security and privacy advocates.
Still, depending on what the people you know already use, it could be better than just plain SMS or other chat services. Using VPNs, especially on public Wi-Fi You know those unsecured public networks that you log into when you’re at the cafe or coffee shop? Not only can anyone also get on that network and potentially exploit it, but attackers with relatively simple, inexpensive tools can see all of the data that travels between your phone or laptop and the wireless router.
Even networks with passwords (like those you’d use at work or in a hotel, for instance) can expose your data to other people who have the network password. The answer here is to use a Virtual Private Network, or VPN.
If you think of the streams of data going between a router and everything connected to it as an actual stream, then a VPN is a sort of straw or tube that keeps your stream separate from everyone else’s.
VPN services can also hide your browsing data from your Internet service provider, and they can give you some degree of protection from trackers used by websites and ad networks. (Again, like most measures, this is not a guaranteed way to achieve perfect security.) Subscribing to a VPN does cost money, but there are many options that will run $10 or less per month. Private Internet Access offers support for Windows, macOS, iOS, Android, and Linux; will let you use the service on up to five devices simultaneously; and costs a relatively inexpensive $6.95 a month or $39.95 a year (which breaks down to $3.33 a month).
If you use public wireless networks with any frequency at all, a VPN is a must-have and well worth the cost. VPNs aren't cure-alls, since some public networks are set up to keep them from working—sometimes on purpose so they can show you ads, sometimes by accident because they want to keep the networks from being used for anything other than basic Internet. Using a Mi-Fi hotspot or your phone's tethering features when you're in public can be expensive, but it can also provide some peace of mind when you're having trouble getting your VPN to work on a public network. E-mail security (is hard to do) E-mail security is difficult, and both of our security experts on staff have described it to me as a "lost cause" and "fundamentally broken." The primary problem is that even if you take precautions to protect your end of the conversation, you can do little to secure the servers and clients in between and on the receiving end.
Some services like Gmail offer enabled-by-default encryption between your computer and their servers, but sending a message from one server to another is still often unencrypted. Paid services like ProtonMail are promising—it promises enhanced security and privacy and they won't read your messages or scrape data from them so they can sell ads to you—but it hasn't been thoroughly audited, and it only really works as intended when sending mail between ProtonMail accounts. And longstanding e-mail encryption tools like PGP ("Pretty Good Privacy") are notoriously difficult to set up and use. You should definitely do what you can to secure your e-mail from casual snooping, and you should protect your account with the tools we've already mentioned—using an account from a major provider like Google, Microsoft, or Yahoo with a strong password and two-factor authentication enabled is a good way to start.
But for truly sensitive communications that you want to keep private, using Signal or WhatsApp or even Facebook Messenger's "Secret Conversations" feature is a better way to do it. Deleting old e-mails Another mitigating factor for the e-mail problem is message retention—someone with ten years' worth of data to dig through is naturally going to reveal more about themselves than someone who only has six months of messages. Even free e-mail providers often give you so much storage space that it can be tempting to be a digital packrat and just keep everything, both for nostalgic reasons and just in case you ever need it for something.
But the more communications you store, the more information that companies, law enforcement, and hackers have to track your wheelings and dealings. Consider how important or sensitive your communications are, and consider how often you actually need old e-mails.
Consider deleting e-mails at regular intervals—deleting things after one year or even six months can be a good way to start if this is something you’re worried about, and think about deleting unimportant messages even more frequently. Next steps If you’ve done all of these things and you’re looking to do more, the EFF’s Surveillance Self-Defense page is a good resource.
It has more in-depth technical explanations for many of the concepts discussed here, as well as further recommendations.
The EFF also offers Chrome and Firefox plugins like Privacy Badger and HTTPS Everywhere, which (respectively) attempt to keep ads from tracking you across multiple sties and load content over an encrypted HTTPS connection rather than a standard HTTP connection whenever HTTPS is available. You could also look into things like the Tor project, which goes to greater lengths to obstruct surveillance and ensure privacy.
It can redirect any unencrypted Internet traffic using only some code and a $5 Raspberry Pi Zero.
A sleeping Mac or PC, even if it's password protected, is no match for the Internet-hijacking PoisonTap.
Polish security blogger Samy Kamkar created the Raspberry Pi-based device, which hackers could theoretically plug into the USB port of a sleeping computer, intercept all unencrypted Web traffic, and send the data to his or her own server.
The technique relies on a browser loophole: even if your computer is asleep, Kamkar explains, any open browser window displaying a non-secure HTTP Web page will continue to send and receive data.
"As long as a Web browser is running the background, it is likely one of the open pages will perform an HTTP request in the background (for example to load a new ad, send data to an analytics platform, or simply continue to track your web movements)," Kamkar writes in a blog post.
A $5 Raspberry Pi Zero loaded with PoisonTap then tricks the computer into recognizing PoisonTap as a new Ethernet connection, allowing it to route all traffic to the hacker's server.
The major caveat, of course, is encryption. PoisonTap only works if the site isn't using HTTPS, the Internet's standard encryption protocol. Many mainstream commercial websites have adopted HTTPS.
Even Netflix, which accounts for more than 30 percent of all North American Internet traffic, figured out a way to encrypt its video streams without affecting their quality.
So Kamkar's PoisonTap is simply the latest reason why the entire Internet should be encrypted—indeed, Google's Chrome browser will soon display warnings when you visit any site that isn't. Kamkar notes that turning on whole-disk encryption, such as Apple's FileVault, can also thwart PoisonTap.
"Going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues as your browser will no longer make requests, even if woken up," he writes.
The defendant can remain locked up until a judge lifts the contempt order. The government said Monday he should remain jailed indefinitely until he complies.
The authorities also said that it's not a violation of the man's Fifth Amendment right against compelled self incrimination because it's a "foregone conclusion" that illegal porn is on the drives, and that he is only being asked to unlock the drives, not divulge their passcodes. "This is not a fishing expedition on the part of the government," federal prosecutors told the 3rd US Circuit Court of Appeals of Philadelphia. The suspect has not been charged with any child-porn related crimes. Yet he is imprisoned in Philadelphia's Federal Detention Center for refusing to decrypt two drives encrypted with Apple's FileVault software in a case that highlights the federal government's war on encryption.
A federal magistrate has ordered him imprisoned "until such time that he fully complies" with the decryption order.
The man's attorney, Federal Public Defender Keith Donoghue, is demanding that the appeals court immediately release his client from prison because he is being "held without charges." (PDF) Investigators say they know child porn is on the drives. His sister saw some of it and the suspect is said to have shown his family an illicit video, too. The drives, the government said, (PDF) were connected to a Mac Pro. A subsequent forensic exam of his Mac Pro computer revealed that Doe had installed a virtual machine (software that emulates a separate computer within his computer). Within the virtual machine the examiner found one image of what appeared to be a 14-year-old child wearing a bathing suit and posed in a sexually suggestive position.
There were also log files that indicated that Doe had visited groups titled: “toddler_cp,” “lolicam,” “hussy,” “child models – girls,” “pedomom,” “tor- childporn,” and “pthc,” terms that are commonly used in child exploitation. The exam also found that Freenet, the peer-to-peer file sharing program used by Doe to obtain child pornography from other users, had been installed within the virtual machine.
The exam showed that Doe accessed or attempted to access more than 20,000 files with file names consistent with obvious child pornography...and that he used the external hard drives seized by Delaware County detectives to access and store the images. The defendant, who is referred to as "John Doe" in court papers, claims he forgot the passwords.
The suspect's identity is Francis Rawls, according to trial court papers. The government, however, countered. In fact, Doe had multiple layers of password protection on his devices, and he always entered his passcodes for all of his devices from memory.
Doe never had any trouble remembering his passcodes (other than when compelled to do so by the federal court), never hesitated when entering the passcodes, and never failed to gain entry on his first attempt. In winning the contempt-of-court order, the authorities cited a 1789 law known as the All Writs Act to compel (PDF) the suspect to decrypt.
The All Writs Act was the same law the Justice Department asserted in its legal battle with Apple, in which a magistrate ordered Apple to produce code to enable the FBI decrypt the an iPhone used by one of two shooters who killed 14 people at a San Bernardino County government building in December.
The case was dropped when the authorities paid a reported $1 million for a hack. The Supreme Court has never addressed the compelled decryption issue. However, in 2012, a federal appeals court ruled that a financial fraud suspect must decrypt her laptop.
The ruling wasn't enforced as the authorities got the password from a co-defendant. A child-porn investigation centered on Rawls in 2015 when Pennsylvania prosecutors were monitoring the online network Freenet, got a search warrant, and executed it at Rawls home, the authorities said. The court may rule on Rawls' plight at any time, or schedule oral arguments in a process that could take months or more.
He added that the big question for many will be about where a given cloud is hosted.
The NSA could potentially get a court order to view material hosted by a U.S. cloud provider. What Sprague sees happening is individual enterprises and large corporations running their own managed encryption services. It's a model for which Wave Systems is also prepared. "Our service already supports the concept that an enterprise can get started quickly in the cloud and then can migrate to an on-premises enterprise solution," Sprague said. That said, while there are some concerns about government snooping, Sprague argued that's not the primary driver for encryption overall. "For the vast majority of users, it's not about encryption for the purposes of protecting data from a nation-state," Sprague said. "It's about being able to prove that a device was encrypted when lost." Sprague added, "So when a machine is lost, you can assert that all the records that were on the device were actually encrypted." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.