Posted on 11/04/2014 7:32:21 PM PST by Swordmaker
A relatively long-standing vulnerability in OS X has been uncovered by a Swedish hacker, Emil Kvarnhammar, who has dubbed it rootpipe after the so-far undisclosed method by which it can be used to take control of your Mac. The flaw allows a hacker to gain administrative access to a system without supplying a password, and then to interact with your Mac as an administrator.
In an interview with MacWorld, Kvarnhammar describes this bug as having been present in OS X 10.8.5, but he was not able to replicate it in 10.9; however, Apple has shuffled around its code in OS X 10.10 so the bug again allows access.
In contacting Apple about the issue, Kvarnhammar did not get a response; however, Apple has agreed upon a date in January for full disclosure of the vulnerability's details, suggesting Apple has indirectly acknowledged the issue and is developing a fix to be out by then.
In the meantime, this and other privilege-escalation vulnerabilities can be managed by taking two important security steps with your Mac:
Use a standard user account
When you set up your Mac, the first user account created will be an administrative one so you can fully configure your system; however, Apple leaves you with this as your main account, instead of requiring you to create a separate user account with more limited privileges for daily use. By working in an admin account, you risk encountering vulnerabilities that could give access to your system at this account's privilege level; by limiting yourself to a standard account you can help stem such vulnerabilities.
The process for switching to a standard account for daily use is easy and painless:
[Image: Setting admin privileges in OS X]
When finished, you can log out and back into your main account, and be able to use it as if there is no difference. Now whenever you need to administer your system by installing programs or changing settings that require admin access, you will supply the username and password of your new admin account, instead of that for your current account. This is a trivial difference in function, but does allow your Mac to run with added security.
Use FileVault
In addition to running as a standard user, consider enabling FileVault on your Mac. This is another recommendation by Kvarnhammar for preventing the rootpipe vulnerability from being used. In general, it is also a good idea, especially for portable systems, to have the entire contents of the drive encrypted. This will prevent a system from being rebooted in alternative modes to bypass the operating system's security features and access data on the drive. Without the encryption password, the data on your Mac's drive will be completely inaccessible.
[Image: FileVault in OS X]
FileVault can be enabled by authenticating in the Security & Privacy system preferences, and then clicking Turn On FileVault in the FileVault tab. Follow the on-screen instructions for managing your encryption key and enabling specific user accounts for unlocking the drive; after the encryption finishes (it may take a few hours) your Mac's drive will be fully encrypted.
If you want on or off the Mac Ping List, Freepmail me.
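The two recommendations above (run as a standard user, keep FileVault on) can be verified from a Terminal. The script below is an added example, not part of the article or Kvarnhammar's research: it reads admin-group membership with `dscl . -read /Groups/admin GroupMembership` and the encryption state with `fdesetup status`, which are macOS's own tools. The parsing functions take the command output as text, so they are also exercised here against constructed sample output; the usernames `alice` and `bob` in that sample are made up.

```shell
#!/bin/sh
# Added example (not from the original article): check the two settings the
# article recommends. The parsers take command output as a string so they can
# be run against constructed sample text on any system.

# Return 0 if USER appears in the admin group's membership list.
# $1 = username
# $2 = the "GroupMembership: ..." line printed by
#      `dscl . -read /Groups/admin GroupMembership`
is_admin_member() {
  user="$1"
  members="$2"
  # Drop the "GroupMembership:" label and compare each remaining word.
  set -- $(printf '%s\n' "$members" | sed 's/^GroupMembership://')
  for m in "$@"; do
    [ "$m" = "$user" ] && return 0
  done
  return 1
}

# Return 0 if the `fdesetup status` output reports FileVault is on.
# $1 = the first line of `fdesetup status`
filevault_enabled() {
  printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Live check on a Mac. On other systems it reports that the tools are absent.
check_mac() {
  if ! command -v dscl >/dev/null 2>&1 || ! command -v fdesetup >/dev/null 2>&1; then
    echo "dscl/fdesetup not found; the live check only runs on macOS"
    return 2
  fi
  me=$(id -un)
  admins=$(dscl . -read /Groups/admin GroupMembership)
  if is_admin_member "$me" "$admins"; then
    echo "WARNING: $me is an administrator; use a standard account for daily work"
  else
    echo "OK: $me is a standard user"
  fi
  fv=$(fdesetup status | head -n 1)
  if filevault_enabled "$fv"; then
    echo "OK: FileVault is on"
  else
    echo "WARNING: FileVault is off; enable it in Security & Privacy"
  fi
}

# Constructed sample output (not captured from a real Mac) to show the parsers.
SAMPLE_ADMINS="GroupMembership: root alice"
SAMPLE_FV_ON="FileVault is On."
SAMPLE_FV_OFF="FileVault is Off."

is_admin_member alice "$SAMPLE_ADMINS" && echo "alice: admin (sample)"
is_admin_member bob "$SAMPLE_ADMINS" || echo "bob: standard user (sample)"
filevault_enabled "$SAMPLE_FV_ON" && echo "sample 1: FileVault on"
filevault_enabled "$SAMPLE_FV_OFF" || echo "sample 2: FileVault off"
```

Run `check_mac` from the script on a Mac to see the live result for the logged-in account; the admin check matches whole words, so a user named `al` is not mistaken for `alice`.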
Thanks, I’ll change it when I’m not so tired. I don’t want to change my admin name and pw but I guess I will have to.
Good advice, much of it general practice in IT where it can be done.
Make your admin password something easy to remember but hard to guess. Use a pass phrase with numbers and a symbol. Something like
15$Tw0m1dn1ght
Oh please lol. Not tonight. But you made me think of something. I'll just add stuff to my current one that will be mnemonic. Haven't seen that word for awhile.
Best way is to get Windows 10 when it arrives : )
Good, glad I greased the creative skids. As long as you can remember it and not say "Oh, now what did I make that password????" you'll do OK. Just write it down somewhere safe, as well. It helps to make the Admin user name something unusual as well. Name it after that great Aunt who nobody knows you have. . . that you really don't have. You know, the one that won't leave you billions in her non-existent will. LOL!
Also, those websites that want you to answer "security questions" such as "Where were you born?" and "What was your mother's maiden name?", there is no law in the world that says you have to answer them truthfully. That was how all those celebrities got their nude pictures stolen: they used truthful answers on their security questions which could be learned by someone researching their bios. All you have to do is remember HOW you answered them! For example, "Where were you born?" could be answered "heaven" or "in a cab" and "Your mother's maiden name?" could be answered "fred" or "1776" and no one will ever know, except you. Just don't forget what you answered. Again, write your answers down. The key is to enter them exactly the same way when they ask again. Make it a practice to always answer those in lower case letters, then you won't ask yourself whether it is capitalized or not.
bump
When I was setting up this computer, my son jumped in and started all that preliminary stuff, think he asked me what I wanted for a pw. Well, something came up I downloaded something and could not remember my user name or password and didn't know how to find it anywhere.
Anyway finally I remembered.
Yes, I have been using that trick about lying to the questions and it's almost as easy to remember them as when I gave real answers. I need to quit using my mom's maiden name because anybody could find it.
I'm going to knock it off for tonight. Thanks again for posting the article. It doesn't look too hard.
It isn't hard. Just follow the instructions and then log back into your usual account. Have a good night, Aliska.
I used to use difficult passwords
until I couldn't access something and spent weeks trying to figure out my own password! Use non-alphanumeric characters sparingly, especially "?" at the end - I kept forgetting to use the "?" at the end of a password, thinking I was just questioning whether the password was correct in my notes. (I never jot down the full password, just key characters to jog my memory.) A couple decades ago at a Microsoft course (I was a Windows admin) at a Microsoft facility, the instructor advised using no fewer than 28 characters of mixed characters in a password, and unique passwords for each need! Screw that. You can make it difficult with far fewer characters than 28.
Could you please add me to the ping list? Thanks! I’ve switched over to all Apple stuff and it has seriously de-stressed my life. :-)
Thanks!
Sword, are you using Safari or Firefox and why? Or other?
Your best passive defense against malware is always going to be running with the fewest privileges necessary.
. . . and thanks to your http://www.freerepublic.com/focus/f-chat/2716314/posts?page=11#11 I stopped running as admin in May, 2011. Thanks, SM! :-)
I notice that the article promotes file vault. But apparently you dont use it?
Bookmarked.
I believe I am the one who is responsible for Microsoft not using 1s, Is, lowercase Ls, Os, or 0s in their serial numbers. Many years ago when Windows 95 just came out, I was trying to install both Windows 95 and then Microsoft Word on three new computers for a client. The serial numbers that came with both software packages had numerous zeros, ones, lower case "L"s and upper case "O"s. . . and the font they had selected made it impossible to tell the difference. I was extremely frustrated.
I called Microsoft Tech support and they had to give me a new activation code for Windows, but I could not read the codes I had over the phone for them to validate. Finally, the guy on the phone had pity and went ahead and agreed we had indeed bought the product and gave us codes. After getting Windows installed and working, I then went on to the MS Word install and ran into the same damn thing. By this time I was really toasted. I called Microsoft Corporate headquarters and kept escalating my call until I was talking to someone with Senior VP after his name, who said he worked right under Bill Gates. . . and explained the problem.
He got a fresh Windows 95 package and looked at it and said, "Good Grief! You know, you're right. I can't tell the difference either! We hadn't caught that! We've had an extraordinary number of people having trouble entering activation codes. You've figured out why!"
They had not tweaked to a simple issue. Within a month all new Microsoft products came out without those characters in their serial numbers or activation codes. I think they also dropped 5s and "S"s, anything that could be mistaken for another character, as well.
Did they pay me anything for my discovery? HAH! No way. But I know it was me. hehehehehehe.
I use Safari. I prefer it to Firefox. The font handling is Apple native and I prefer the interface. I keep both around because there are a few websites that are not ACID 3 compliant that for some reason Safari cannot handle which FireFox can.
One of the strangest is the website that handles garnishees for child support payments for the State of California. One of my employees at the office I manage has to pay child support payments through a garnishee of his wages. . . so I have to log on and pay the withheld amount electronically to the State Disbursement Unit of the State of California. However, when I try to log on in Safari, clicking the continue button just brings me back to the login screen. It works fine in Firefox.
The tech support page for the website claims that to use the site one needs a "modern computer using either Windows with Internet Explorer, or an OS X Mac with Safari or Firefox". . . but they lie. I have attempted to lodge a complaint with the SDU web support, but their phone says complaints must be lodged with your county's Child Services Agency. . . and then disconnects. No email complaint form allowed. Calling the County Children's Service Agency results in them telling me I have to call the phone number on the web site for problems with the website. . . which tells me to call the County's . . . which tell me . . . you get the idea. I have complained to the Governor's office (you know, Governor Jerry "Moonbeam" Brown) every three months now for four years and have not gotten an answer. In California 30% of consumers who have to also use this website are Mac users. It is the ONLY state website that is not Mac compliant.
The one they had before some MSCE got his mitts on it looked like it was designed by an ex-kidnapper. Talk about RANSOM NOTE DESIGN. It did not align from top to bottom, had at least fifteen fonts, and action buttons were oddly named and randomly sprinkled all over the screen. You had to scroll around to find entry boxes, and action buttons were not related or located close to entries they were intended to effect. It was a mess. . . but it sort of worked. I had heard it was designed by a class of inmates at one of the prisons as a class project in HTML web design. LOL! The most you could say for it was it worked.
I don't, but I have some encrypted individual file folders.