Securing your Mac against passwordless login

Last night a critical flaw in the latest version of macOS High Sierra was announced on Twitter. The flaw lets anyone log in to the root (superuser) account on a Mac running High Sierra simply by entering "root" as the username with a blank password, sometimes after clicking Unlock or Log In more than once. It works in the System Preferences unlock dialog, in the login window and anywhere else the system asks for an administrator name and password.

This security flaw is genuinely devastating: anyone with physical access to your machine gets full administrative access to all of your files, any passwords saved for online services, everything. Physical access is not even strictly required, because the same blank root password is accepted by remote logins such as Screen Sharing or Remote Management if those are switched on.

So what can you do to protect yourself while Apple releases an emergency patch?

Here's a step-by-step guide to getting you secured that will walk you through:

  1. Enabling FileVault. This encrypts the contents of your startup disk, so that when your Mac is shut down nobody can read your data without one of the enabled users' passwords - if your laptop is stolen, for example. Note that this protects data at rest only; it does nothing against the root bug on a machine that is already booted and unlocked.
     
  2. Setting a password on the root account from the Terminal. A disabled root account with no password is what the bug exploits, so giving it a real password closes the hole on the machine itself, and combined with FileVault it puts you in a much safer position should someone gain physical access to your machine.

Turn on and set up FileVault:


(If you already have FileVault enabled then skip ahead to 'Set a Root password')

When FileVault is turned on, your Mac always requires that you log in with your account password. 

  1. Choose Apple menu > System Preferences, then click Security & Privacy.
  2. Click the FileVault tab.
  3. Click the Lock button, then enter an administrator name and password.
  4. Click Turn On FileVault.
  5. If other users have accounts on your Mac, you might see a message that each user must type in their password before they can unlock the disk.

For each user, click the Enable User button and enter the user's password. User accounts that you add after turning on FileVault are automatically enabled.

Choose how you want to be able to unlock your disk and reset your password, in case you ever forget your password:  

You can choose to store a FileVault recovery key with Apple by providing the questions and answers to three security questions. Choose answers that you're sure to remember.

You can choose to use your iCloud account to unlock your disk and reset your password.

If you don't want to use iCloud FileVault recovery, you can create a local recovery key. Keep the letters and numbers of the key somewhere safe—other than on your encrypted startup disk.

After your Mac starts up, encryption of your startup disk occurs in the background as you use your Mac. Encryption takes time, and it happens only while your Mac is awake and plugged in.

All done! Now we need to set a password on the root account to close the vulnerability itself.

Set a Root password:

1. In Finder, click "Applications" in the left-hand favourites pane.
2. Scroll down to the "Utilities" folder and double-click
3. Double click "Terminal."
4. A window with a flashing text cursor will appear. Type the following and press Enter:

sudo passwd root

5. You will be asked for your own login password (nothing is shown as you type it). Enter it, press Enter, and the following message will appear:

Changing password for root.
New password:

6. Enter a strong password that you will remember (again, nothing is echoed), press Enter, and type it again when prompted. Treat it like any other administrator password: root can now be logged into from the login window by anyone who knows it.

That's it! You have now turned on full-disk encryption to secure your data at rest against theft of the machine, and given the root account a real password so that the blank-password login no longer works. Two caveats: do not "test" the bug first by trying a blank root password, because on an unpatched machine that attempt is exactly what enables the empty-password root account; and install Apple's fix as soon as it appears. The fix disables the root account again, so if you genuinely need root afterwards you will have to re-enable it and set its password once more.
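As an added example (not code from the original post), here is a small shell audit for the two steps above: it reads the FileVault status and whether the root account is enabled, and prints a verdict. It assumes the macOS tools fdesetup and dscl, and the output wording noted in the comments, which you should verify on your own build; the sample outputs embedded in it are constructed so the parsing can be run on any machine.

```shell
#!/bin/sh
# Added example, not the original post's code: post-hardening audit for the
# FileVault and root-password steps. Assumes macOS `fdesetup` and `dscl` and
# the output formats noted beside each constructed sample (assumptions).

# Constructed sample of `fdesetup status` while encryption is still running.
SAMPLE_FDESETUP='FileVault is On.
Encryption in progress: Percent completed = 17'

# Constructed samples of `dscl . -read /Users/root AuthenticationAuthority 2>&1`.
# A disabled root account has no AuthenticationAuthority attribute (assumption:
# dscl then prints a "No such key" line); an enabled one carries a hash list.
SAMPLE_DSCL_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_DSCL_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# stdin: output of `fdesetup status` -> prints on / off / unknown
filevault_state() {
  case "$(head -n 1)" in
    'FileVault is On.'*)  echo on ;;
    'FileVault is Off.'*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# stdin: output of the dscl command above -> prints enabled / disabled
root_state() {
  if grep -q '^AuthenticationAuthority:'; then echo enabled; else echo disabled; fi
}

# One-line verdict. A disabled root on unpatched High Sierra is the vulnerable
# state. "enabled" means either you set the password (good) or something else
# already turned root on, so run `sudo passwd root` either way if unsure.
verdict() {  # $1 = filevault state, $2 = root state
  fv=$1; rt=$2
  if [ "$fv" = on ] && [ "$rt" = enabled ]; then
    echo "HARDENED: FileVault on, root account has a password set"
  elif [ "$rt" = disabled ]; then
    echo "ACTION: root is disabled; on an unpatched system run 'sudo passwd root' now"
  else
    echo "ACTION: root is enabled but FileVault is $fv; turn FileVault on"
  fi
}

# Run the real checks only when the tools exist (i.e. on a Mac). Never probe
# the bug by attempting a blank root password: that attempt is what enables it.
if command -v fdesetup >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
  fv=$(fdesetup status | filevault_state)
  rt=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 | root_state)
  verdict "$fv" "$rt"
fi
```

The parsing functions read from stdin, so you can also feed them saved output collected from other machines (for example from a fleet management tool) rather than running them locally.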

If you need help with this issue or would like to know more about how Cocidius Defence can help your organisation secure their systems, get in touch with us today, and we'll be more than happy to discuss your needs.

 

Skype "Baidu" attack

Users around the world have been reporting that either they themselves are receiving unwanted Baidu phishing links or are automatically sending out Baidu phishing links to all of their contacts. 

What makes this unusual is that the messages are being received from contacts that are not necessarily in the user's Skype contact list; they are coming from people in their phone's address book, or people in their Facebook friends list. This could indicate that this is more than just a cyber criminal using passwords from a hacked website's data dump, but something exploiting the link between these various online services (you can link your Skype account to your Facebook account).

We have seen reports from users that haven't had Skype installed on any of their devices for years, getting messages from their contacts saying that they have been bombarding them with links to phishing sites on Baidu.

So what can you do if you have been affected by the Skype "Baidu" attack? - here is what we recommend:

  • Firstly, check out HaveIBeenPwned and pop in your Skype username and/or email address to see if your details may have been collected by cyber criminals from another hacked website, then change your passwords on any affected sites (or anywhere else you have used the same password - naughty!).
  • Next, check out the Microsoft Account Activity page to see where your Skype account has been accessed from; this will show you whether anyone else has logged into your account and roughly where in the world they were.
  • Now head over to the Microsoft Security Settings page and enable two-step verification.

Ok, so now you have tidied up your account security, let's unlink your Facebook and Skype accounts:

Skype

  1. Access the Skype Home screen. If you have this turned off by default, you can open the View menu and click Skype Home.
  2. Click on the small cog to the far right-hand side and click Disconnect from Facebook.

Facebook

  1. Login to your Facebook account in a browser.
  2. Click the down arrow menu in the top right-hand corner of the Web site near your name and click Account Settings.
  3. In the menu on the left-hand side, click Apps. Then click the X next to Skype and confirm the removal of Skype in the pop-up window and you are all done.

Your Skype contact list will now only show contacts that have been directly added through Skype.

This should prevent any of these phishing messages being sent out from your account, but don't forget to share this post with your colleagues and contacts to help secure their accounts too!

Skype is a business tool used by millions of people around the world. What with the large-scale attack on DNS a couple of weeks ago, are we now moving into an age of CyberCrime 2.0, where cyber criminals have graduated from annoying 419 scams and phishing emails to launching complex global attacks on internet infrastructure?

Stay Safe
Ashley Adkins

Mac OS X FileVault Encryption

Top Tip:

If you have Apple's FileVault encryption turned on and your Mac goes into standby, the FileVault volume key is kept in memory so that the system can resume quickly without asking you to unlock the disk again. Convenient, but while the machine is in that state the key is sitting in RAM for anyone who can get at the memory, so you may want to stop this in order to get the most out of FileVault.

Stopping it is a power-management setting (pmset stores it in the system's power management preferences), not a change to the System Management Controller (SMC). Run the following command in the OS X Terminal program:

sudo pmset -a destroyfvkeyonstandby 1

Once you have run this, it will ask you for your password; pop it in and then reboot your machine, and the FileVault key will be thrown away whenever the system enters standby, so you will be prompted for your password to unlock the disk on wake. One caveat: the key is only destroyed when the Mac actually reaches standby or hibernation. With the default hibernatemode (3 on portables), ordinary sleep keeps the RAM powered, key included, until the standby delay expires, so if you want every sleep to count you also need hibernatemode 25, which writes memory to disk and powers the RAM off, at the cost of a slower wake.

If for some reason you need to undo this change, simply repeat the command but switch the 1 for a 0 instead.
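As an added example (not the original post's code), here is a small shell script that reads pmset's current settings, reports whether the FileVault key would actually be discarded on sleep, and can apply or revert the change. It assumes macOS's pmset and that `pmset -g` prints one "key value" line per setting; the sample output embedded in it is constructed in that shape so the checks can be run on any machine.

```shell
#!/bin/sh
# Added example, not from the original post: check whether the FileVault key
# will really be discarded when the Mac sleeps, and optionally apply the two
# pmset settings that make it so. Assumes `pmset -g` prints " key value"
# lines; SAMPLE_PMSET_G below is constructed in that shape.

SAMPLE_PMSET_G='System-wide power settings:
Currently in use:
 standby              1
 standbydelay         10800
 womp                 1
 hibernatemode        3
 sleep                10
 destroyfvkeyonstandby 0'

# stdin: `pmset -g` output, $1: setting name -> prints its value, or "unset"
pm_value() {
  awk -v k="$1" '$1 == k { print $2; found = 1 } END { if (!found) print "unset" }'
}

# stdin: `pmset -g` output -> one-line verdict. The key is only destroyed when
# the machine actually enters standby/hibernation; with the laptop default
# hibernatemode 3, ordinary sleep keeps RAM powered (and the key in it) until
# standbydelay expires, so hibernatemode 25 is needed for every sleep to count.
fv_standby_verdict() {
  out=$(cat)
  destroy=$(printf '%s\n' "$out" | pm_value destroyfvkeyonstandby)
  hib=$(printf '%s\n' "$out" | pm_value hibernatemode)
  if [ "$destroy" != 1 ]; then
    echo "WEAK: destroyfvkeyonstandby=$destroy, FileVault key is retained across standby"
  elif [ "$hib" != 25 ]; then
    echo "PARTIAL: key destroyed on standby, but hibernatemode=$hib keeps it in RAM during normal sleep"
  else
    echo "OK: key destroyed on every sleep (destroyfvkeyonstandby=1, hibernatemode=25)"
  fi
}

# Apply both settings (needs sudo; only ever called explicitly with --apply).
apply_fv_standby_hardening() {
  sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25
}

# Undo: key retained again; pass the hibernatemode you had before
# (3 is the portable default, 0 the desktop default).
revert_fv_standby_hardening() {
  sudo pmset -a destroyfvkeyonstandby 0 hibernatemode "${1:-3}"
}

# Only talk to the real pmset when it exists (i.e. on a Mac).
if command -v pmset >/dev/null 2>&1; then
  pmset -g | fv_standby_verdict
  [ "${1:-}" = --apply ] && apply_fv_standby_hardening
fi
```

Run it with no arguments to see the verdict for the current machine, or with --apply to set both flags; note the hibernatemode it reports beforehand so you can hand it back to revert_fv_standby_hardening later.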