Researchers find several critical security problems: passwords stored in memory
|
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status:
Offline
|
Moderator
Join Date: May 2001
Location: Hilbert space
Status:
Offline
|
|
I've changed the title to reflect that it's not just FileVault, but similar disk encryption systems are susceptible to this attack, too. The problem is actually not FileVault's mechanism, but rather that the cryptographic key remains in memory and that they've succeeded in extracting the contents of DRAM even after the computer has been shut off.
|
I don't suffer from insanity, I enjoy every minute of it.
|
Senior User
Join Date: Dec 2005
Location: Minnesota
Status:
Offline
|
|
|
2010 Mac Mini, 32GB iPod Touch, 2 Apple TV (1)
Home built 12 core 2.93 Westmere PC (almost half the cost of MP) Win7 64.
|
Mac Enthusiast
Join Date: Sep 2005
Location: Canada... be nice, eh?
Status:
Offline
|
|
Looks pretty bad to me. I probably won't be the first here to say that if someone has physical access to your computer, the game is up...Hey, I am the first one
I just hope my encrypted sparse images are safe...
|
Professional Poster
Join Date: Mar 2000
Location: New York, NY, USA
Status:
Offline
|
|
Physical access always compromises 99% of security measures.
|
The era of anthropomorphizing hardware is over.
|
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status:
Offline
|
|
Since most Mac users have auto-login enabled, this is moot really. However, as Don points out, if you can touch the machine, it's compromised no matter what. Not a big deal really, but a nice way to get sensational headlines.
|
Glenn -----OTR/L, MOT, Tx
|
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status:
Offline
|
|
The big deal is that this decrypts the keychain and circumvents FileVault. Both should not be possible, even with physical access. Laptops get stolen.
|
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status:
Offline
|
|
By refusing to get a fix out quickly, Apple doesn't seem to have taken a very responsible position in response to this exploit.
|
"The natural progress of things is for liberty to yield and government to gain ground." TJ
|
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status:
Offline
|
|
Originally Posted by Big Mac
By refusing to get a fix out quickly, Apple doesn't seem to have taken a very responsible position in response to this exploit.
I'd rather Apple take the time necessary to properly test the fix to make sure it doesn't break anything.
Originally Posted by From the original article
Appelbaum reported the problem to Apple on February 5, but Apple didn't fix it in the security update released on February 11.
Um, 6 days is NOT enough time to develop a fix and properly test it before releasing it. This will probably be fixed in the next Security Update, whenever that is.
It hasn't even been a month since Apple was notified. Give them time. If it's not fixed within 6 weeks of being reported to them, THEN your complaint is valid. (IMO)
|
Moderator
Join Date: May 2001
Location: Hilbert space
Status:
Offline
|
|
This was covered a week ago and first posted by TETENAL. Please use his thread for discussion.
It wasn't a security issue just for OS X, but in the demo video, they've actually cracked a Vista laptop.
|
I don't suffer from insanity, I enjoy every minute of it.
|
Moderator
Join Date: May 2001
Location: Hilbert space
Status:
Offline
|
|
The same group of researchers found another, OS X-specific flaw that allows passwords to be extracted from memory in the same manner. I've decided to merge the threads as the idea behind the attack is exactly the same in both cases.
I should add that while the group and the method are the same, the flaw that bearcaprt has pointed out is a different one that is indeed OS X-specific. I didn't realize that at first, because both the method and the group were the same.
|
I don't suffer from insanity, I enjoy every minute of it.
|
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status:
Offline
|
|
Originally Posted by ghporter
Since most Mac users have auto-login enabled, this is moot really. However, as Don points out, if you can touch the machine, it's compromised no matter what. Not a big deal really, but a nice way to get sensational headlines.
I don't. I feel special
-t
|
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status:
Offline
|
|
Originally Posted by TETENAL
The big deal is that this decrypts the keychain and circumvents FileVault. Both should not be possible, even with physical access. Laptops get stolen.
...and FileVault is dicey at best-it may keep YOU from your data for no apparent reason. If you depend on FileVault for protecting your sensitive data, then IMO you're living pretty close to the edge anyway.
It is relatively easy to attack encrypted files if you have the drive-which is of course what the intruder would have if he got his hands on your computer to begin with-so if he knows about the keychain vulnerability he simply gets his access sooner rather than later. Yes, this vulnerability is sort of like forcing you to keep the key to your house under the doormat in exactly the same place, but if you have a locked gate outside your door to keep the baddies away from your doormat, then it's not as big a problem.
Also, how many laptop thieves go for the data on the drive? It's my understanding that such thefts are done by non-technical people who sell the computers quickly for a quick buck. It is not "trivial" to take advantage of this vulnerability (though not as difficult as trying to break an encrypted storage system without it), so odds are IF your computer is stolen and IF it's stolen by or given to someone who wants the data on it, then IF that person knows about the vulnerability and IF he can take advantage of it then you have a problem. Better to keep your sensitive data on portable media that you keep on your person, especially if you travel with your laptop.
It's an excellent idea to do this for a lot of reasons. ALL of my written assignments are on a USB drive that goes with me everywhere. This not only makes it easy for me to work on my assignments either on my MBP at school or on my iMac at home, it means that a crash, a robbery, or any other catastrophic problem won't impact my school work.
|
Glenn -----OTR/L, MOT, Tx
|
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status:
Offline
|
|
Originally Posted by ghporter
Also, how many laptop thieves go for the data on the drive?
Governmental laptops have already been stolen for the apparent reason to get to the data. I guess in the corporate environment this happens as well (without the media attention). FileVault is the best Apple offers to protect against this. It's in Apple's interest to make this as safe as possible.
|
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status:
Offline
|
|
Originally Posted by ghporter
ALL of my written assignments are on a USB drive that goes with me everywhere. This not only makes it easy for me to work on my assignments either on my MBP at school or on my iMac at home, it means that a crash, a robbery, or any other catastrophic problem won't impact my school work.
I disagree that this is more secure.
A missing USB stick might not be noticed missing for a while, unlike a WHOLE missing computer.
Plus, a USB stick by itself is worth almost nothing. So immediately, a thief would go for what MIGHT be worth a buck: the data.
-t
|
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status:
Offline
|
|
My process with the USB stick makes it VERY unlikely that I'd not notice it missing-if it isn't in the computer it's tethered in my pack; there are no other states. But on the whole, you make a good point: NOTHING is foolproof (fools are so inventive) and any method you use to secure your data needs to be well thought out and practiced to the point of reflex. Otherwise, as turtle says, you'd be putting yourself in a position to definitely lose your data to someone who would know that's what he had.
|
Glenn -----OTR/L, MOT, Tx
|
Professional Poster
Join Date: Jan 2002
Location: London, UK
Status:
Offline
|
|
Would I be right in thinking that the Secure virtual memory option in the Security preferences is not going to be any help here - does it only encrypt memory once it is written to disk as swapfiles, or does it do it on the fly in RAM as well?
|
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status:
Offline
|
|
There would be some pros and cons either way in respect to whether the data in RAM is encrypted-it could speed the actual writing of caches, but it would slow the whole process down immensely, while waiting until it's time to write the cache would slow that down but allow normal RAM access to be at full hardware speed. My money would be on the latter strategy.
I'm also interested in this issue: Does Secure Virtual Memory use a standard keychain-entry key?
|
Glenn -----OTR/L, MOT, Tx
|