Silicon Shecky

Infosec Practitioner

Net Neutrality Neutered?

December 15, 2017 By Michael Kavka

So the big deal this week is the FCC repealing the 2-year-old Net Neutrality rules. There are things to be wary of, and things to not be wary of from this move. First though, let’s ask a question: what has/has not happened in the last 2 years under the Title II move? Truth be told, I haven’t seen much difference between pre-2015 and the last 2 years. That does not mean there is not a difference, just that I personally have not seen any.

Now what has bothered me is a lot of memes and bullcrap surrounding this. I am talking about things like this on Ars which talks about a change in Comcast’s Net Neutrality promise. Quick look you see 5 lines in the first screenshot and 3 in the second. Now take a moment to read, and I mean really read and understand the first line in the second screenshot. It encompasses the first 3 lines. The big difference is a change in wording to present tense compared to future. Outside of that, not a big deal, in fact most of it is the same basic premise, worded differently.

The real answer to it all is legislation that will prevent throttling and keep the net open. There is always a need for traffic shaping and control, if for no other reason than security issues (say blocking known Command and Control sites). Also, how does this affect companies that have to deal with GDPR and other regulations outside of the country?

I will finish this like so. A few years ago we were all pissed off about the demise of unlimited data plans on the mobile networks. Forward to now, and you see most networks have some sort of unlimited data plan again. Net Neutrality is important; the question is how can we guarantee it without using a heavy-handed, over-regulated approach.

Filed Under: Rants Tagged With: Net Neutrality

Contradictions

December 5, 2017 By Michael Kavka

It really does amaze me how we hurt ourselves. Think about it, we want people to use Multi-Factor Authentication, but do not use SMS. Oh, use Google Authenticator or Duo’s product. Better yet use a Yubikey or some other hardware MFA solution. All good ideas, but let us get realistic.

With MFA you need to know what the site and login system will accept. Can you use a Yubikey or an authenticator app? Is SMS the only option available? Now think about this, is an app that much better? How easy is it to use? I know I use Google for some apps, and I have to go into the authenticator app, which is an extra step as it is. With sites that only give me SMS as an option, it pops on my lock screen or smart watch. Easy to see and quickly type in the code.

Duo’s App will show on a lock screen, but I still find I have to unlock my phone to actually get the app to work from the notification. Still an extra step, but not as awkward as Google’s authenticator where I have to flip between screens if I am using the phone for the site. Duo allows you to just say, yes allow, not always a code per se. Definitely a better solution in my book, but I do not see it used as much on public sites I go to.

Phone-based solutions also have one other drawback. Your phone gets stolen, you have potentially lost control of the accounts. They now have your e-mail to reset passwords and the authenticator to confirm with.

Now Yubikey I only know of, and have not used, but there is one thing I hear people worry about with this hardware MFA solution. What happens if you lose the stick? I also have not seen how something like a Yubikey works with tablets or phones, where you do not have a USB port to plug it in. If you use some special dongle, then you can have an awkward physical situation with holding both the phone and the Yubikey while trying to work on the tablet/phone.

Yes, SMS has issues, but it is better than nothing, and it is easy for the everyday person to use without any real training. Yet we bash it in front of them. What does that do? Simple, it turns them away from even using any sort of MFA system. Now we have made them less secure.

There are other areas where we do this same sort of contradiction, and I plan on doing some more posts about them in the future. Right now though, I will let you all stew over this example.

Filed Under: Rants, Security, Tablet/E-readers Tagged With: Contradiction, Duo, MFA, MultiFactor Authentication, Yubikey

Another bug disclosed

November 30, 2017 By Michael Kavka

By now we all know about the bug for MacOS that has been so cleverly referred to as #IamRoot on Twitter. So there are some thoughts I had about it.

First and foremost, this did not affect just root. If you actually read a breakdown of the bug like this one, you will see why. It all has to do with whether an account is disabled or not. Disabled accounts do not have ‘shadowhash’ data. So when you type in root to log in, initially it looks for it, and the programming that does the checks winds up enabling the root account and setting a password, in these cases a password of blank because of mashing the enter key. You could actually type in a password, and it will enable and set the root password to whatever you want it to be. Once that has been set, the next time round it logs you in. Simple, right? Think about it though, what other accounts are disabled? Service accounts? What other accounts have system level access, or near to it? All it would take is an account that has sudo rights that is disabled to allow a blackhat to access the system with sudo privileges and thereby root the box. All this from what is considered a good practice, disabling accounts that do not need to be enabled.

Now Apple has a patch out there (seems they knew about the bug before it was disclosed, and we will touch on that shortly), and that is the ultimate fix. I have heard that this bug has been around forever and was a way to get into a locked-out Mac as far back as OSX 10.4 but have not been able to confirm that. Is this a case of a “feature” being a bug? It very well could be, and would bring us into the idea of backdoors. I do not understand how they could change the logic in the OS code to all of a sudden allow this in High Sierra and it not already being in place for prior versions, unless Apple had done a complete redesign of login and disabled accounts. There were ways of mitigating the problem before the patch, the best known being to enable root and give it a password (the patch from Apple undoes this). Another potential way would be to set a low lockout threshold on the account (basically enable the root account, but have it set to lockout at the first attempt). The issue with the second method is how would that affect the system. Just thinking out loud here. The bigger concern was that everyone focused on root, and not on checking what disabled accounts there are on the system. As I said, this bypass technique could be used for ANY disabled account. Imagine having to enable all of them and set passwords on all of them. Now put that into an enterprise situation. That could amount to a ton of work.
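An added example, not from the original post or from Apple: a small Python audit that takes the text output of `dscl . -list /Users Password` and `dscl . -read /Groups/admin GroupMembership` and lists the accounts without shadow hash data, with root and admin-group members first. The sample output is constructed, and the script assumes the `Password` attribute shows `********` only for accounts that have a shadow hash.

```python
"""Audit helper: find local macOS accounts that carry no shadow hash."""

# Constructed sample of `dscl . -list /Users Password` output (name, marker).
SAMPLE_USERS = """\
_www            *
daemon          *
root            *
alice           ********
svc_backup      *
"""

# Constructed sample of `dscl . -read /Groups/admin GroupMembership` output.
SAMPLE_ADMIN = "GroupMembership: root alice svc_backup\n"

HAS_HASH = "********"  # assumption: marker shown when shadow hash data exists


def parse_password_markers(text):
    """Return {account: marker} from the two-column dscl listing."""
    markers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            markers[parts[0]] = parts[1]
        elif len(parts) == 1:
            markers[parts[0]] = ""  # attribute missing for this account
    return markers


def parse_group_members(text):
    """Return the set of short names on the GroupMembership line."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "GroupMembership":
            return set(value.split())
    return set()


def audit(users_text, admin_text):
    """List (account, priority) for every account without a shadow hash."""
    admins = parse_group_members(admin_text)
    findings = []
    for name, marker in parse_password_markers(users_text).items():
        if marker == HAS_HASH:
            continue  # account has a real password hash, not in scope
        priority = "high" if name == "root" or name in admins else "review"
        findings.append((name, priority))
    # High-priority accounts first, then alphabetical within each group.
    findings.sort(key=lambda f: (f[1] != "high", f[0]))
    return findings
```

Calling `audit(SAMPLE_USERS, SAMPLE_ADMIN)` on the constructed sample puts `root` and `svc_backup` at the top as high priority; on a fleet, the same function can be run over output collected from each host.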

Now let’s look at the fix/disclosure situation. It took Apple less than 24 hours to release an out-of-band patch for this problem. Seems they had a fix in the latest beta roll up, and just pulled it out of there. That is all good and dandy, but why wait? With how big a problem this was, why not be ahead of the game? Again it leads me to go down the backdoor thought on this bug, and that it was a feature. They knew about it, so the disclosure was cool, right? That is debatable. First, we do not know if the person who tweeted Apple Support had reported the bug privately. Either way, using Twitter to tell a company about the bug is odd, and sets a bad example of responsible bug disclosure. I would think they would go through getting a CVE for the bug before announcing it. At least that would be the responsible way in my mind. Also, why not mention in the tweet that you had found this say 30/60/90 days ago and have not heard back, showing that you gave Apple a chance to fix the problem? The fact that there was a patch basically waiting to be pushed out is not the point, and in fact may have been a lucky coincidence.

So there you have it. Apple screwed up. The disclosure seems a bit irresponsible, and now everything is fine as long as you apply the patch. It does scare me that we are seeing more of these “features” that are exploitable being found (look at Microsoft recently). It scares me even more when a company either has an immediate patch available or says that they will not patch said “feature”.

Filed Under: Security Tagged With: Apple, Disclosure, IamRoot, MacOS
