If you have a MacBook with an infrared receiver, did you know your Mac could be open to other people controlling your computer? By default, Mac OS will recognize the signal of any Apple Remote. Although the effect is relatively harmless (they will probably be able to randomly play some tracks on iTunes), it can range from being annoying if you were studying in the library and your friend happened to prank you, to embarrassing if you happened to be doing a presentation.
Most people do not need to allow any Apple Remote to control their computer. Why would you want other people’s Apple Remotes to control your computer? Here is a tutorial for securing your infrared port so that only your own Apple Remote can control your computer.
If you have an Apple Remote…
You can pair your remote with your computer by pressing and holding the Menu and Next (right) buttons for several seconds, while pointing the remote to the infrared receiver (on the MacBook Pro unibody models, the port is beside the power/sleep light on the front edge of the computer). The pairing logo will show up in the middle of your screen when the pairing is complete.
If you don’t have an Apple Remote…
You can disable the infrared port so that nobody with a random Remote can control your computer.
Open System Preferences → Security & Privacy.
If the preferences are locked, you will need to click on the lock at the bottom left and enter your password.
Click the Advanced… button at the bottom right.
Check “Disable remote control infrared receiver.”
Hopefully this tutorial will help you avoid annoying or embarrassing situations when people try to prank you with their own Apple Remote.
The Heartbleed vulnerability has been all over the news this past week. As usual, the media sometimes twists the facts, sometimes intentionally, other times inadvertently. For example, I’ve heard Heartbleed being called a virus, or being framed as something that was deliberately created to be malicious. Also, from reading people’s comments on the online news articles and blog posts, it seems that many people don’t really understand what Heartbleed is or does. From my point of view as a software developer, I would like to provide some information and resources that I believe are true and report the facts (but as I’m not an expert in the field of encryption/security, you may also want to take these with a grain of salt).
What Heartbleed is simply a software bug. Sure, there are bugs in nearly all, if not all, software out there (obviously we developers try not to introduce bugs, but we humans are unfortunately imperfect 🙁 ), but what makes this particular bug newsworthy?
This particular bug is a vulnerability, which allows a malicious attacker to gain information that should not be accessible.
The bug is in a library (called OpenSSL) that is used in a number of programs that in turn are run on a large number of computers worldwide.
The vulnerability has been out in the wild for two years.
There’s no trace left behind by a malicious attacker exploiting this vulnerability.
I came across this XKCD comic last night. I think it’s a pretty simple way to understand what the Heartbleed vulnerability allows a malicious attacker to do.
The comic illustrates the case where the victim is the “server” and the malicious attacker is the “client.” This is the case that most people are concerned with, as it is likely that servers running the exploitable software are easier to find and will probably have more “interesting” data in the memory. The data could potentially be usernames and passwords, credit card information, or encryption keys, but on the other hand it could also be just bogus data that happened to also be in memory. The data that the attacker could gain really depends on what happens to be in adjacent memory at that time.
However, the vulnerability exists both ways (if the software on the “client” is using a vulnerable version of OpenSSL). You could be owning a device or running a program on your computer that might allow a “server”, which has been maliciously programmed, to read memory off of your device using the same exploit. For example, Android 4.1.1 devices are susceptible to Heartbleed.
Although web servers are the most common targets being mentioned, there are other services that could possibly be affected by Heartbleed including FTP servers and mail servers.
If you are interested in the nitty gritty details behind how the exploit works, CloudFlare has an article on the low-level details (just disregard the fact that they say that private keys aren’t accessible because they were disproved on that point). For higher level information on Heartbleed, the heartbleed.com site has very clear information and a nice FAQ. Troy Hunt also has an informative FAQ about Heartbleed.
What to do about it
For end users
Since there is no trace when an attacker exploits Heartbleed compounded by the fact that Heartbleed has been vulnerable for over two years, it’s not possible to determine exactly what data has been compromised. In addition, if encryption keys were gleaned from Heartbleed, it is possible for even more data to be compromised by decrypting historic logs (if they exist in the hands of the attacker).
So for end users, the precautionary recommendation is to change your passwords after the services that were affected have been patched. Mashable has a running list of the status of popular web services that you can use to determine whether to change your password. In case you use a service that isn’t listed there, you can check it yourself on Filippo Valsorda’s test site. However, keep in mind that not only web services are affected. There are recommendations not to login to services that are still known to be vulnerable because when you login there is a chance that your credentials will be placed in memory, which is susceptible to be read. In addition, ensure that all the software and operating systems you are running are up to date.
For system administrators, developers and service providers
Obviously, ensuring that OpenSSL is up to date or patched is top priority. Troy Hunt provides some additional advice in his blog post.
Heartbleed and the goto fail and GnuTLS bugs
Heartbleed isn’t related to the Apple goto fail or the GnuTLS bug we’ve seen in the past couple months. The goto fail and GnuTLS bugs are susceptible to man-in-the-middle attacks where a malicious intruder can pretend to be the trusted service you’re communicating with and intercept messages between you and the service. Heartbleed on the other hand allows attackers to read parts of the computer’s memory that they should not have access to.
OpenSSL and open source projects
OpenSSL is an open-source project with eleven volunteer developers, maintaining one of if not the most used SSL/TLS libraries, probably on their own time. I think they should be respected for taking on the heavy responsibilities of this project.
Open-source projects allow external developers to read the source code and even submit improvements and contributions. Depending on the project, there are different procedures to getting contributions accepted, usually including a code review process where the core maintainers ensure that the contributions work as intended and meet the standards of the project (kind of like how a newspaper editor goes over the articles of his writers before they get published). Since humans aren’t 100% perfect, bugs and mistakes unfortunately happen, as much as we try not to allow them.
While it is possible to order security audits of software, for open-source projects that usually don’t generate any profit, it is difficult to come up with the money. I remember when we got a security audit for MyBB, it was in the order of thousands of dollars.
There is a lot of information about the Heartbleed vulnerability on the news and media, and from reading the comments on many of the blog posts and news articles I have read, many people don’t really understand what Heartbleed is and its implications. I hope that this article sheds a little bit of light on that, and provides more resources for those who want to dig a little deeper in understanding it.
This is an anecdote from when I was in elementary school and takes place around 1999-2000. Windows computers were just being installed in the classrooms. The mechanism that locked down the computers initially was system policies. You could screw around with a limited number of settings and applications on the system, but a lot of stuff was restricted.
However, one day in the school library, a new computer didn’t have such restrictions in place. Our 7th grade teacher (resident IT technician) had just finished setting up DeepFreeze on it, and challenged my friends and I to try to break it. We tried everything, like deleting all we could in C:\Windows, but it all came back magically after the reboot. I must admit DeepFreeze worked very well.
That was my first encounter with DeepFreeze, but that was definitely not the last. The computers in my high school had DeepFreeze installed. The public computers in the Vancouver Public Library are also locked down with DeepFreeze.
DeepFreeze works by redirecting all changes to the contents of a hard drive to another location, which is wiped upon a reboot. Obviously I didn’t fully understand how this worked back in 6th grade. But in any case, it’s very effective and very difficult to bypass!
These are just my thoughts about MyBB security updates. I’m not a security expert of any sort, but I just offer my opinion based on the knowledge I have. Over the last few weeks there have been two releases to MyBB to patch potential security vulnerabilities that have been discovered by various parties. I have seen some people who have found these seemingly miniscule updates too trivial to apply to their own boards, despite the fact that I and various other members of the MyBB staff have recommended these updates.
These people seem to believe that just because no harm has been done by people attempting to exploit the vulnerability, or just because no harm has been done when they try the exploit script by themselves, that the upgrade is not required. Personally I find this absurd.
First of all, I’d like to point out that not all proof-of-concept scripts are harmful; as their name suggests, these scripts prove the concept, but may not actually compromise the system. Wikipedia says: “In both computer security and encryption, proof of concept refers to a demonstration that in principle shows how a system may be protected or compromized, without the necessity of building a complete working vehicle for that purpose.”
Just because a board administrator cannot find a way to exploit the vulnerability, doesn’t mean that another malacious user won’t find a way. Just because nothing has been “done” to the board when an attempt has been made, doesn’t mean that eventually someone else won’t find a way to compromise the board. For example, the 1.1.3 release patched a serious security vulnerability where a malacious user could execute arbitrary PHP code at their own heart’s content (with a malaciously-formed username). As an administrator, you may not even detect any problems on the surface if you tried the proof-of-concept script, or seen usernames that have registered on your board, but nothing harmful has happened. In fact, much more serious and critical information may have been available to the hands of malacious users, if they indeed have compromised the board in this manner, and the patch released was not applied.
As well, once the security vulnerability has been patched, anyone with a malacious intent would be able to figure out how to exploit it, and may be able to compromise boards which have not patched the vulnerability.
Okay, so I may not be a security expert, however, I do use my common sense (and I do hope that you use yours). When a security vulnerability has been found, and has been identified to affect the particular version of MyBB (or any other software), we do not just release these patches to annoy our users with little upgrades every few weeks. No, we actually do want to improve our software by patching these holes and keeping our users safe. If a vulnerability has been reported, it is most likely that something harmful can be done to your board, and if a board administrator wishes to take that risk and not upgrade, it is his or her decision, and I cannot force anyone to apply the patch. Obviously it is possible that sometimes the malacious users will compromise boards before we can find the vulnerability and release the patch, but I assure you that security is at the highest priority with the MyBB Group, and we strive to keep our customers safe from these exploits in as a timely manner as possible.
However, once we have released a patch, it is up to each and every individual board administrator to update their board to keep them and their board safe from the exploit. Each security patch, no matter how small, should be considered as significant. I hope that you all take this into mind the next time you ponder whether or not to update your board.
After writing all this about security, I hope I won’t get hit on my behind by something that I have just fervently preached. 🙂
Sometime today a person found the WordPress install file that I accidentally left on the server and reinstalled WordPress for me without my permission. Fortunately nothing valuable was lost, and as you can see, the blog is back up and running as before. To whoever it was, thank you for reminding me to remove my WordPress install file.