Free Republic
General/Chat

How to protect your Mac from the ‘Dark Jedi’ firmware hack
Mac Issues | June 2, 2015 | by Topher Kessler

Posted on 06/02/2015 9:34:18 PM PDT by Swordmaker

A new exploit dubbed ‘Dark Jedi’ exists for MacBook systems made before mid-2014: a hacker can use a malicious program to take over the system’s firmware simply by having the system put into sleep mode. Upon waking from sleep, the firmware on these older Macs is unlocked, which leaves it open to access and modification by applications running in OS X. This contrasts with the recent Thunderstrike firmware vulnerability, which also allowed hackers to take over the firmware but required physical access to the system. Since this current vulnerability is triggered by malicious software, systems can be attacked remotely through trojan horses and other social engineering approaches, but this also provides an avenue for protection.

If your Mac is an older one and you are concerned about this vulnerability, keep in mind that for now this is a proof-of-concept attack that is not known to be in use in any active hacking attempts. In addition, it has three key limitations:

  1. It requires root access
  2. It requires you download it
  3. It requires your system be put to sleep

These mean that to be compromised, you would have to specifically download the installer from a malicious site, purposefully open it, and then supply your administrative password when prompted. As such, there are several approaches for avoiding these requirements and keeping your system safe:

Only download software from developer sites or reputable software distributors

If you see a notice about a software update required for your system, consider closing it and going to an official and known source for obtaining the latest version of that software package. For instance, if you are notified about an Adobe Flash or Java update, go to the corresponding system preferences pane and use the update features there, or go to Adobe’s, Oracle’s, or any other relevant developer’s Web site to download standalone installers. For other software, use similar built-in software updaters and services like Apple’s Mac App Store for getting updates.

Judging potentially malicious sites can sometimes be difficult, but legitimate developers will usually channel you directly to the appropriate updater, whereas malicious sites often show many popups (some of which may download unwanted installers to your system), numerous ads, free deals and other offers, and redirect you to sites you did not intend to visit. If any of these occur when browsing the Web, close them and avoid interacting with them.

Be cautious about any package or installer you run on your Mac

Whenever you are asked for your password, the OS X system is attempting to escalate privileges to modify system resources. Therefore, if you see any notice on your Mac that asks you to enter your password, be wary of it.

By supplying your password only when you specifically need to modify a setting, or are running a software installer that you trust and whose source you know, you will almost guarantee that you avoid malware packages such as this one. If you even slightly suspect a package or installer, delete it from your system and re-download it from the developer’s site.

Don’t allow your Mac to go to sleep

Even though this aspect of the Dark Jedi hack requires that you have already installed the malicious software, this particular hack exploits the vulnerability in which the firmware is left unlocked after a sleep/wake cycle. This means that, for now, its mode of attack is when your Mac goes to sleep. While sleep mode is great for quickly and conveniently resuming your workflow, OS X also implements autosave and resume for picking up your workflow when your Mac boots. Therefore, in many cases you can similarly pick up where you left off by shutting your Mac down instead of sleeping it. To prevent system sleep, check the option to do so for each power profile in the Energy Saver system preferences pane.


TOPICS: Business/Economy; Computers/Internet

Note that requirement #1 is the most important protection for OS X Mac users.

Macs are by default, never in Root Access unless the Administrator User actually activates Root and gives it a Root Access password. 99.99% of all Macs do not run with Root Access activated!

This makes this Proof-of-Concept vulnerability almost impossible to exploit as it requires a double user privilege escalation from standard user (You ARE funning as a standard user, aren't you?), to Admin user to Root user before the Firmware can be modified.

1 posted on 06/02/2015 9:34:18 PM PDT by Swordmaker
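The article's last recommendation (stop the Mac from sleeping, per power profile) is a GUI checkbox. The script below is an added example, not part of the article or of this thread, that does the same check from the Terminal: it reads `pmset -g custom` and reports, for each power profile, whether idle sleep is set to never (0 minutes). It assumes the `pmset -g custom` output format of a "Profile:" header followed by indented " key value" lines; the sample output embedded in it is constructed, not captured from a real Mac, so the check can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the article): scripted version of the
# "prevent sleep on every power profile" check.
# Assumes `pmset -g custom` prints blocks such as:
#   Battery Power:
#    sleep                10
#   AC Power:
#    sleep                0
# where "sleep" is the idle sleep timer in minutes and 0 means never.

# sleep_status: reads `pmset -g custom` output on stdin and prints
# "<profile>: sleep=<minutes> <OK|SLEEPS>" for every profile found.
sleep_status() {
  awk '
    /^[A-Za-z].*:$/ { profile = substr($0, 1, length($0) - 1); next }
    $1 == "sleep" && profile != "" {
      state = ($2 == 0) ? "OK" : "SLEEPS"
      printf "%s: sleep=%s %s\n", profile, $2, state
    }
  '
}

# all_profiles_never_sleep: exit 0 only when no profile still has an idle
# sleep timer, i.e. the mitigation is applied on battery and on AC alike.
all_profiles_never_sleep() {
  ! sleep_status | grep -q SLEEPS
}

# Constructed sample of `pmset -g custom` output (not from a real machine):
# battery profile still sleeps after 10 minutes, AC profile never sleeps.
SAMPLE='Battery Power:
 lidwake              1
 autopoweroff         1
 standbydelay         4200
 sleep                10
 displaysleep         2
 disksleep            10
AC Power:
 lidwake              1
 sleep                0
 displaysleep         10
 disksleep            10'

if [ "$(uname -s)" = "Darwin" ]; then
  pmset -g custom | sleep_status
  # To apply the mitigation to every profile (asks for an admin password):
  #   sudo pmset -a sleep 0
else
  printf '%s\n' "$SAMPLE" | sleep_status
fi
```

`sudo pmset -a sleep 0` is the command-line counterpart of the Energy Saver checkbox for all profiles at once. Two caveats a practitioner should keep in mind: the setting only disables idle sleep, so closing a MacBook's lid still puts it to sleep, which is why the article's alternative of shutting down is the more reliable habit; and changing the setting itself requires an admin password, so do it deliberately rather than in response to a prompt you did not initiate.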

To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
The newly named "Dark Jedi" Firmware Hack, actually a vulnerability, is not as dangerous as some pundits might claim. 99.99% of all OS X Macs in the wild will not be at risk from this hack. It requires the Mac to have Root Access activated but OS X Macs are shipped without Root Access activated. For this vulnerability to be exploited, it requires the targeted Mac to experience two levels of privilege escalation from standard user to Admin user then to Root user, a very, very difficult thing to accomplish by a malicious application, in fact, something that has never been accomplished. Apple will most likely patch this vulnerability very quickly. It is already fixed in all Macs post mid 2014. — PING!


Apple Security Ping!

If you want on or off the Mac Ping List, Freepmail me.

I challenge the members of the Apple ping list to each donate at least $10 each to the latest Freepathon. I HAVE donated $100. Many members of the Apple Ping list are already rising to the challenge. Join them. Let's show the power of the Apple Ping list in supporting Freerepublic!

If you have ordered an Apple Watch,
MAKE A DONATION TO THE FREEPATHON!

2 posted on 06/02/2015 9:42:17 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker
Damn auto correct. . .

"You ARE funning as a standard user, aren't you?" = "You ARE running as a standard user, aren't you?"

3 posted on 06/02/2015 9:43:35 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

How do you know if you are running as root user or standard user?


4 posted on 06/02/2015 10:52:45 PM PDT by ProtectOurFreedom (For those who understand, no explanation is needed. For those who do not, no explanation is possible)

To: ProtectOurFreedom

> How do you know if you are running as root user or standard user?

Open System Preferences, then User Accounts, then find your user name in the list of accounts. It should tell you if your account is Admin or Standard. If it’s Standard then you are not root, and can’t be even if you try.

If it’s Admin, then you can become root if you request it. To tell if you are root, open Terminal (in Applications, Utilities) and type the command:

whoami

Then the Return key. It will print your username.


5 posted on 06/02/2015 11:58:33 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: dayglored

Thanks


6 posted on 06/03/2015 4:08:39 AM PDT by ProtectOurFreedom (For those who understand, no explanation is needed. For those who do not, no explanation is possible)

To: Swordmaker
exists for MacBook systems created before mid-2014
Does this mean that my old iMac, which my daughter commandeered but isn't using, would NOT be vulnerable (even if it were powered up and in use?).
Are we still waiting for Apple to patch something before we reactivate Java? I'm using Firefox to avoid Safari with/out java, and I'm not preferring it . . .

7 posted on 06/03/2015 5:42:51 AM PDT by conservatism_IS_compassion ('Liberalism' is a conspiracy against the public by wire-service journalism.)

To: ProtectOurFreedom
How do you know if you are running as root user or standard user?

No OS X Mac runs as a Root user. . . that has to be activated, and even then you don't run as root. From OS X, Root is a one-time command user that is used by the Terminal. If you are running your Mac by UNIX™ command line, you can be a permanent Root User, but that is so rare that only real Geeks might do it. . . and then they generally are not going to put their Macs to sleep.

Most Mac users are going to be either an Administrator user (the default out-of-the-box user) or a Standard user (for those who know how to be a safe computer user).

You should be running as a Standard user with a second user in reserve as the Administrator for installing software and doing system routines.

To find out what kind of user you are running as, go to the Black Apple Menu and select System Preferences. . . /Users and Groups and see if you are running as Standard or Admin.

If you are running as Admin, create a new user by following these steps:

  1. Unlock the Users and Groups pane by clicking on the pad lock at the bottom left of the window. It may ask for your password.
  2. Create the NEW user by clicking on the PLUS (+) button on the bottom of the user box.
  3. Make that new user an Admin user by providing a name for the account you will remember (Freedom Admin), give it a hard password that you will NOT forget using both upper and lower case letters, numbers, and at least one keyboard symbol.
  4. Depending on the version of OS X, it may allow you to establish a short name for the account. Don't call it "admin" or anything a hacker can figure out. Use something you will know but can't be figured out by knowing you.
  5. When you have successfully created the new administrator account, change YOUR account to a Standard user from Administrator by either unchecking the "Allow this user to administer this computer" or changing the drop down menu selector from Administrator to Standard, depending on the Version of OS X. (You can still do everything from your standard account including install software, but you will have to invoke the admin account by entering the administrator's name and password to do it.).
  6. Make sure you know your password in your account, if not, change IT to something you won't forget using the same criteria above.
  7. Click "Log in Options" at the bottom of the user list.
  8. Set automatic log in to off.
  9. Check the "Show Sleep, Restart, and Shut Down Buttons" Box.
  10. Check the "Show fast menu switching as:" Box.
  11. Set Fast Menu switching to: "Full name".
  12. Click the lock to re-lock the preference pane.
  13. Close the preference pane.
  14. Under the black Apple Menu, log out of your current standard user.
  15. Log onto the new Administrator account and provide your Apple ID and password to re-establish your computer's link to Apple. There is no need to import any data into this account. The less data here, the better.
  16. Log out of the Administrator Account.
  17. Log back into your personal, now standard account.

You will notice your user name is now on the menu bar just to the left of the Spotlight search icon and if you click on it, you can switch users rapidly to the Administrator Account (you'll have to enter the admin password) to do any housekeeping or install software. If you want to download or install software, the system will prompt you, as a standard user, to enter the admin's user name and password. You will not have to switch to the admin account to do it, but you will have to know the admin name and password to do it.

If you log onto your administrator account for any reason, ALWAYS log off when you are done. NEVER LEAVE IT RUNNING!

This is the safest way to use your Mac computer.

To activate Root, a user MUST be running as an Administrator and then open the Terminal and then deliberately activate Root and give it a Root user name and root user password.

8 posted on 06/03/2015 9:34:27 AM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: conservatism_IS_compassion
Are we still waiting for Apple to patch something before we reactivate Java? I'm using Firefox to avoid Safari with/out java, and I'm not preferring it . . .

Apple discontinued doing the updates for JAVA and instead lets Oracle handle the updates. You can turn JAVA back on if you have any need for it, but make sure you update it to the latest OS X version from Oracle. Most people don't really need Java and it merely opens them to several Trojans that they REALLY don't want.

JavaScript is entirely different. . . but I find I really don't need that either.

9 posted on 06/03/2015 9:38:23 AM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: conservatism_IS_compassion

The vulnerability is in the EFI firmware—which is exclusive to AMD64 computers—Intel-based Macs.

If the iMac is PowerPC-based, then you are safe (but a bit dated).


10 posted on 06/03/2015 2:29:16 PM PDT by __rvx86 (Ted Cruz: Proving that conservative populism is a winning strategy. GO CRUZ!)

To: __rvx86
Core2 duo, as I recall . . . I upgraded the RAM to the max of 4G a good while ago.

11 posted on 06/03/2015 4:05:47 PM PDT by conservatism_IS_compassion ('Liberalism' is a conspiracy against the public by wire-service journalism.)

To: conservatism_IS_compassion
Unless the hardware (motherboard) or firmware specifically restricts it, there should not be any reason as to why your iMac could not address more memory. The Intel Core 2, like all the other processors used in Intel-based Macs, supports the AMD64 extensions.

I think yours goes up to 64GB of total memory...also, since we're already at that point, I think you should check your security settings, as described in the article.

The 4GB limit is a relic of the original i386 micro-architecture; even modern 32-bit processors (since the Pentium Pro) could address more than 4GB of RAM using something called Physical Address Extension, to 36 bits.

12 posted on 06/03/2015 4:38:00 PM PDT by __rvx86 (Ted Cruz: Proving that conservative populism is a winning strategy. GO CRUZ!)

To: conservatism_IS_compassion

Whoops, I think the actual limit, for your particular iMac, is actually 32GB....if you look up your exact iMac model online, it should tell you—but it is definitely more than 4GB...


13 posted on 06/03/2015 4:52:57 PM PDT by __rvx86 (Ted Cruz: Proving that conservative populism is a winning strategy. GO CRUZ!)

To: Swordmaker

Thanks for info.


14 posted on 06/03/2015 8:29:28 PM PDT by johngrace ( I am a 1 John 4! Christian- declared at every Sunday Mass , Divine Mercy and Rosary prayers!)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson