Skip to content

Posts tagged ‘encryption’

24
Feb

My Definitive List of Must-have Free Mac Applications and Best Paid-for Counterparts

These are the apps that I will install first on pretty much any new Mac that I get. I’m a huge fan of free and open source software, and no other platform has free software of the same quality and caliber as Mac OS X. Most of these are Mac-only apps (a couple are cross-platform). I’m listing free applications wherever possible, but if there is a paid-for app that I consider best-of-breed, I mention those too. Hopefully this list will help all of the techie switchers get the apps they need quickly. This list is a work-in-progress, so I’ll be adding to this it over time.

If you’re only interested in my recommended security apps, they’re at the bottom! Feel free to post in the comments if you have any you think are worth mentioning.

Last updated: 27/10/2012

Read moreRead more

24
Jul

OS X Lion Released, Brings Improved Security

As you will know by now, Apple has release Lion (OSX 10.7) to the orgasmic jubilation of Mac fans everywhere. Ok, perhaps I exaggerate, but Lion was probably the most anticipated release of OSX since Leopard. Critics will argue that the number of major new features are limited, but in my opinion it’s the refinements that make Lion a great update. And for what it’s worth, the Mac App Store update process went perfectly smoothly on my iMac.

Most importantly, however, are the security improvements that Apple have made to the OS. Leopard and Snow Leopard already had some of these features, but they were not fully developed. In Lion, it seems, many of those issues have been fixed. In fact Lion has been said by several security researchers to now offer superior security over competing operating systems. I’ve said for a while that Apple will wait until OSX is really stable before properly addressing security. It appears Lion is the start.

I’ll start off with the most user-visible security features:

  1. FileVault 2: Whereas FileVault on Snow Leopard only encrypted users’ home folders (using disk images), leaving the System and Applications vulnerable to attack, Lion now has true block-level Full Disk Encryption (XTS-AES 128 algorithm). FileVault 2 also supports full disk encryption of external USB and FireWire drives. One key new feature is Lion’s “Instant Wipe”, which will allow you to wipe the hard-drive should your computer fall into the wrong hands. Similar to iOS devices, this may tie in to the new Find My Mac functionality.
  2. Privacy Controls: Apple has sprinkled around some additional privacy controls, giving the user more say in how their data is stored or used. There’s now full control of which applications can make use of the Location Services features of OSX.
  3. Apple ID Authentication: This is an interesting feature that makes it easier for users to share content with others. Normally actions like Screen Sharing and File Sharing require the connecting user to have an account on the system. Now, you can simply add their Apple ID as an authorised account to give them selective access. It will be interesting to test how this actually works in practice.
  4. Application Sandboxing: Lion’s sandboxing capability has been greatly improved. Safari, for example, has been updated to include sandboxing, meaning that website content loads in a separate process with limited functionality. This help prevent malicious websites from gaining access to the underlying system. Apple is encouraging third party software developers to start sandboxing their applications.
  5. Full ASLR: This is a big one. Address Space Layout Randomization is a technique to make exploitation of vulnerabilities more difficult by not using fixed memory addresses for key data areas. In Snow Leopard, ASLR was half-baked and essentially broken. In Lion, it appears that Apple have finally implemented full ASLR (covering 32 and 64-bit application), although how well is yet to be fully determined. Either way this will present an additional barrier to exploits.
All in all, some significant improvements over Snow Leopard. The security push isn’t over yet, however, and I’m sure we’ll be seeing a bit more from Apple as OSX develops. This doesn’t mean vulnerabilities won’t be found in OSX, but it will make it that much harder for workable exploits to be developed. I anticipate we’ll start seeing a lot more vulndev attention being committed to OSX this year.
21
Jan

GPGTools Release Unified Installer for MacGPG/GPGMail

The guys at GPGTools have taken control of the MacGPG2, GPGMail, GPG Keychain Access and GPG Services projects, and have released a single unified installer that installs all of these apps. They are maintaining these tools, which are all 64-bit and Snow Leopard compatible. The package also include Enigmail, a GPG-compatible plugin for Thunderbird (Mozilla’s free email client).

GPG is an open source alternative to PGP’s suite of public key encryption software (PGP Desktop), which allows you to encrypt/decrypt files and emails and create/validate digital signatures.

For more information, check out my tutorial on using GPGMail to send encrypted emails on Mac OS X.

1
Dec

Creating a Secure Mac/PC Portable USB Drive

Ever since the release of the IronKey I’ve been drooling over the device (good thing it’s waterproof I guess). Due to not wanting to pay so much for a USB key, I decided to make my own. I grabbed myself a 32GB USB key, and got to work on making it as close to the IronKey as possible.

In this article I’m going to illustrate some of the things you can do to secure the information on your portable thumb drive, increase your privacy, and even install Mac OS X or Linux.
30
Nov

Using GPGMail to Encrypt Email

This post forms part of the series on Securing Leopard, and covers GPGMail, Mail.app plugin that allows you to digitally sign, encrypt and decrypt emails using PGP/GPG.

When Snow Leopard came around, it completely broke support for GPGMail, and there were no other solutions that enabled similar functionality. This caused a significant issue for Snow Leopard users needing GPG functionality. The original developer of GPGMail unfortunately did not have the time to update the plugin and restore support for Snow Leopard.

Since then the GPGMail project has been handed over to a new team of developers who have been working on restoring the full functionality of the plugin under 10.6. This tutorial shows you how to easily install GPGMail and start sending and receiving encrypted emails!

[Updated 21/01/2011] The team at GPGTools have now created a unified installer which consolidates MacGPG2, GPG Keychain Access, GPGMail and GPG Service. Their all-in-one installer simplifies the install process, and installs everything you need for encrypting/signing files and emails.

If you’ve used the GPGTools package, please post your experiences in the comments!

Read moreRead more

13
May

Apple Launches MobileMe Beta (adds persistent SSL)

After logging into my MobileMe account today I was greeted with a small banner in the left-hand menu announcing an upcoming Mail Beta. Although I haven’t yet been upgraded to the Beta, it appears that Apple have been hard at work on turning MobileMe Mail into a full blown web email client… it’s about time.

Additions include proper formatting capability, improved layout and display, e-mail rules, and persistent SSL. With regards to that last one, although MobileMe supports SSL at the login screen to protect your credentials, all subsequent information (read: all your emails are belong to us) is sent in cleartext – an issue I posted about a long time ago. Google enabled the option to use persistent SSL for its Gmail service back in mid-2008 (although it is an option you have to specifically set in your Gmail preferences).

From my initial impressions of the beta, it definitely looks much better to begin with. The ability to view your inbox in the three (classic, compact, widescreen) views will probably be quite popular. The search field also works better. They finally allow you to scroll fluidly through your mailbox folders, however it only loads a certain number of message at a time. Now, this wouldn’t be too bad except that in this case it takes a bit too long for that loading to happen. Apart from that the persistent SSL also works nicely, so once they fix any small bugs and improve performance, I’ll consider myself happy.

Oh… and there’s rumors that MobileMe might become free. THAT would make me happy too!

28
Feb

Compromising Disk Encryption Through Cold-boot Key Recovery

Note: This is a 2008 post I managed to recover from my archive of Securethoughts.net

A team of researchers at Princeton University have devised a way to compromise disk encryption mechanisms, and even other disk image encryption mechanisms, by recovering latent data such as encryption keys, that remain in RAM after a computer has been rebooted/turned off. They’ve tested their attacks against encryption mechanisms such as Microsoft’s BitLocker, TrueCrypt, Linux’s dm-crypt and Apple’s FileVault.

This technique is ingeniously simple, and they’ve written a tool from which they can boot a computer, and do a memory-dump of the latent memory data, which they then run through another utility which searches the memory dump for encryption keys, which can then be used to decrypt the encrypted drive/images.

With regards to Mac OS X 10.4 and 10.5, the group discovered that the system stores multiple copies of users’ login passwords in active memory, making them vulnerable to such imaging attacks. Those passwords are often used to protect the keychain, which stores many of users’ other passwords, including the FileVault password, and potentially other encrypted disk images. This is potentially something Apple should address, and they don’t really want to be storing passwords and keys in memory, if they don’t have to. Keeping as little sensitive data in active memory as possible would greatly reduce the chances of it being compromised in imaging attacks such as these.

Check out their great video below, and read more about it after the jump!

This research was performed by J. Alex Halderman , Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. A combined team from Princeton, the Electronic Frontier Foundation (EFF), and Wind River Systems (specialists in decide software optimisation).

Although their paper focuses on recovering encryption keys, naturally this technique can be applied to any other sensitive information that may be stored in RAM at the time. They’ve also used data reconstructions algorithms to recover data that has already decayed from RAM. According to their paper, keys with 10% of bits decayed can be reconstructed to nearly any 128-bit AES key within a few seconds. On average, they found that memory was legible for up to 20 seconds on some hardware, but this number could extend into several minutes. By drastically reducing the temperature of the memory modules, they were able to reliably recover data up to 10 minutes after removing the RAM chip. Particularly interesting is their research with ECC memory, where they found that machines that support ECC memory tended to wipe RAM upon boot, which is done to avoid errors in the case of uninitialised reads of the memory. Unfortunately this is a characteristic of ECC-enabled machines, and not the memory modules themselves, meaning that ECC memory inserted into non-ECC hardware was still recoverable.

The software developed by the team, presumably with the particular help of Wind River Systems, allowed them to recover the memory dumps in several ways including: over a PXE network boot, which would send the data in UDP packets over the network; using a USB drive to run a small memory-dumping program; or using an EFI bootloader, such as those used on Intel Macs, which also allowed data transfer over netboot.

I highly recommend their paper, particularly the first and last thirds of it, as they are quite legibly written (the middle is mainly about recovering different encryption algorithm keys). It will be interesting to see what kind of innovation will come about in attempts to defend against such attacks. No doubt we will be seeing some papers on that subject soon.

css.php
WordPress Blog
WordPress Themes