Categories
Security

Kernel Panic after applying OS X 10.10.5

Last night before going to sleep, I kicked off the update process on my family of Macs (and iOS devices).

Several security issues were addressed yesterday by Apple across multiple platforms (OS X Server, OS X, and iOS). While normally this is good news, the hangover that follows is cause for concern. I’m not clear on exactly what’s causing the problem, but 2 of the 3 Macs I applied the new 10.10.5 update to woke up to this today…

[Image: YourComputerRestarted ("Your computer restarted because of a problem" dialog)]

Woke up grumpy:

  • 27″ 5K iMac (Late 2014)
  • 13″ MBP Retina (Late 2013)

Bright-eyed and bushy-tailed:

  • 15″ MBP (Mid 2012)
  • iPhone 6 Plus
  • iPad Air

If any other problems pop up, I’ll update. Have one more MacBook Pro to update so I’ll report how that does as well.

Anybody else seeing this?

UPDATE 12:29CDT: No problems after updating the other 15″ MacBook, and the update for the iMac had actually failed to apply… so after applying it, no ill effects so far.

Categories
Leadership Security

Oracle, your disdain is showing.

.oracle showing its true colors

In case you missed it, Oracle CSO Mary Ann Davidson provided those of us in the InfoSec world yet another reminder that Security is not a priority – not even for the person to whom it should matter above all else. That evidence was provided by way of a meandering, condescending, and frankly (as an Oracle customer) disturbing rant published on Oracle’s corporate blog. It has since been removed. At least somebody there is thinking.

The text of her rant goes from her apparently lamenting her career choice (interestingly, writing appears to be her passion) to expressing her disdain for security researchers (and chastising them for violating the End User License Agreement), to a mock-FAQ expressing her endless frustration with those pesky customers, to a bizarre discussion about her bookshelf complete with not-at-all-witty stabs at innuendo.

I mean, she actually refers to people who report security flaws (which Oracle determines couldn’t have been found through means other than reverse engineering) as sinners. Seriously?

.let he who is without sin cast the first stone

Anyone who writes in a public forum understands that not everything you write is taken in the way it is intended. And I am not one of those people who calls for someone to be fired when they make a mistake, but this is not about a mistake. It’s about a Chief Security Officer who has provided ample evidence that she has no business being any kind of “Security” anything.

.greener pastures

Hopefully Oracle sees this, and Davidson will be able to pursue writing novels full-time; today’s environment has no room for a security officer who leans on EULAs as a security measure and treats people who work to research (driving improvements in security) with utter disgust.

I won’t say too much about this situation. There’s a fantastic breakdown over at ZDNet. If you’re interested — in a train wreck kind of way — the text of the rant has been preserved on scribd. (Because the internet is forever, kids.)

Categories
Hacks Security

Dancing Pandas & China Hacks Pretty Much Everything

.not quite as cute as it sounds

A dancing panda sounds delightful. It doesn’t sound dangerous. Maybe that has something to do with why the codename was later changed to Legion Amethyst, which personally, I think sounds far more nefarious.

According to an NBC report, Dancing Panda/Legion Amethyst were codenames for a coordinated email attack campaign by China. It was initially discovered in 2010. According to the report, it’s still going on.

The scope of the campaign is staggering.

The senior official says the private emails of “all top national security and trade officials” were targeted.

The Chinese also harvested the email address books of targeted officials, according to the document, reconstructing and then “exploiting the(ir) social networks” by sending malware to their friends and colleagues.

And if you’re wondering, yes, it coincided with the timeframe in which a certain presidential candidate, now in hot water over it, was using a personal account for official government business.

.at least it’s just email, right?

No. Another gem available at the link above is a report that claims that China has been hacking into pretty much everything. Ok, maybe not everything, but a lot. Apparently, China has engaged in hundreds of attacks across (at least) dozens of different industries. They’ve been looking to steal details around aerospace engineering, defense, autos (for hybrid car specifications), pharmaceutical companies (formulae for successful drugs), and (this really bothers me) details around civilian and military air traffic control systems. They have apparently been targeting power and telecom as well.

.so what’s the worst that could happen?

I mean… why would anyone worry about this? I only know of maybe one instance where a ragtag group of ‘rebels’ found the technical design specifications of a battle station and they were able to somehow target it with a well-placed hit that caused a massive chain-reaction leading to the destruction of the battle station. But the odds of that had to be 1:1000000. Seriously, what could China possibly do with information about our aerospace, defense, manufacturing, transportation, power, and telecom?

.set attitude.sarcasm = off

Seriously though. People in the security world have known for some time that there are massive attacks originating there. Protecting against these types of attacks is near impossible as long as people are careless. And people, generally, are careless.

Categories
Hacks Security

Facebook Security Hole Allows Bulk Discovery of Personal Information

There’s a nasty little security hole (not a vulnerability according to Facebook – in case you were wondering exactly how important your privacy is) that was discovered recently. The original work seems to belong to Salt Agency, an SEO agency.

.about the hack

The flaw allows an attacker to essentially grab all of the public data about users who share their cellphone number if the attacker knows/guesses that number. Now this might not seem like a big deal on the surface, but as described in the post linked above, it allows a hacker to create a list of all possible phone numbers, and then get lots of data about the owners of those phone numbers.

By using a script, an entire country’s (I tested with the US, the UK and Canada) possible number combinations can be run through these URLs, and if a number is associated with a Facebook account, it can then be associated with a name and further details (images, and so on).

.fixing the hack

To fix, select Settings from the padlock menu

[Screenshot: FBFind_by_phone_Settings]

Then click Privacy on the menu on the left.

The screenshot below shows the default setting:

[Screenshot: FBFind_by_phone_default]

This default is why the flaw allows an attacker to get your personal information. By limiting the audience here, you change who can look you up by phone number and see your data. Allowing only Friends to look you up by phone number is kind of silly, but with the Friends of Friends setting you still get the benefit of letting people you are likely to know find you.

[Screenshot: FBFind_by_phone_preferred]

.warning

Note that if you share your phone number, Friends is the most restrictive setting available.