Alongside the second beta of iOS 8, Apple has provided an update to the OS X Yosemite Developer Preview. Yosemite brings many new features to the Mac, including a new design, Continuity features, and enhanced applications. We’ll update this post with new discoveries in the new preview as they are found. You can let us know what you find at firstname.lastname@example.org.
FileVault Stories June 17, 2014
FileVault Stories May 7, 2012
Bug in Mac OS X 10.7.3 exposes passwords in plain text
Security researcher David Emery (via ZDNET) claimed to have discovered a bug in Mac OS X 10.7.3 that stores login passwords in plain text. In a recent newsletter, he claimed someone—we are guessing an Apple programmer— mistakenly “turned on a debug switch (DEBUGLOG)” that stores the passwords in a system-wide debug log file. Emery explained folders encrypted with Apple’s “legacy” Filevault prior to upgrading to Lion are at risk:
…anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012… This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.
It would also allow them to access any content those usernames and passwords are meant to protect. Fortunately, the file with stored passwords is only kept for “several weeks” by default. However, it extends to Time Machine backups, because the log file is also backed-up in plain text. Emery said the best method to protect yourself until Apple fixes the issue is to simply use FileVault 2:
FileVault Stories February 1, 2012
FileVault has been included in Macs by Apple since the release of Panther many years ago. In Apple’s most recent release, OS X Lion, the company included FileVault that brought new ways of encryption. FileVault lets you encrypt your entire drive with a master password to protect key-chain passwords, files, and more. FileVault 2 uses a separate partition to store the FileVault login information.
Cnet pointed us to a new report from password recovery company PassWare, who claimed it can decrypt Apple’s FileVault 2 in under 40 minutes. Obviously, this is a big concern because FileVault contains so much of users’ information.
PassWare decrypts FileVault by going in through the system’s firewire connection and using live-memory analysis to extract the encryption key from the FileVault partition (so the machine must assumedly be running?). From there, a user can uncover keychain files and login passwords that can be used to unlock the whole HDD/SSD.
PassWare conveniently makes PassWare 11.3 available to do this, but you will have to throw down a lofty $995 to get the software. PassWare makes this software primarily available for law enforcement.