iPhone app iPad app Android phone app Android tablet app More

Mac Security Error Exposes Encrypted Data

The Huffington Post  |  By Posted: 05/07/2012 11:42 am Updated: 05/07/2012 1:36 pm

Inspiring
 Funny
 Obsolete
 Scary
 Must-Have
 Amazing
 Innovative
 Nerdy
Mac Security

A security flaw rolled out with Apple's latest update to Mac OS X Lion, version 10.7.3, may expose file passwords thought to be protected via Apple's data encryption system.

Under the right conditions, users of Apple's first version of FileVault who update their Mac to OS X Lion version 10.7.3 will switch on a debug log file exposing in clear, unencrypted text the FileVault passwords of anyone who has logged in since the device was updated, reports ZDNet. Security researcher David Emery first unconvered the flaw with a May 5 post on a mailing list for Cryptome, a website featuring documents on cryptology, national security, intelligence and more.

According to InfoWorld, Apple's first version of FileVault allowed users to encrypt only the contents of their home folder, while the updated FileVault 2, released with OS X Lion, allowed the encryption of the contents of a user's entire hard drive. So far, it seems only those using the first version of FileVault who have applied the OS X Lion 10.7.3 update are at risk for this flaw, which, writes ZDNet, is the result of an Apple programmer's accidental mistake.

"A mistake like this exposes more or less the keys to the kingdom to someone with literally no access to a supposedly secured area on a machine, and maybe nothing more than chance physical access to a target's laptop for a few unguarded minutes," Emery told InfoWord.

Sophos senior security advisor Chester Wisniewski explained in a May 6 blog post that because the debug log file containing your FileVault passwords is stored outside of the encrypted area of your device, anyone who gains access to your disk drive -- whether through theft, malware, or physical access -- can open the file and, using the passwords, access the encrypted contents of your drive. This error should be particularly troubling to those who share one device with several other users and rely on data encryption to protect their sensitive information.

Wisniewski suggests that using Apple's FileVault 2 might protect the data that had previously been exposed by encrypting one's entire disk drive. And, as The Daily Mail points out, if you feel you might be at risk, you can change your FileVault passwords and delete the debug log file, named "/var/log/secure.log," from your disk drive as soon as possible; thankfully, by default, the file is only kept for several weeks.

However, those who haven't encrypted their backup files, too, may end up with the debug log file on their Mac's backup utility, Time Machine, making it even more difficult to permanently get rid of the file and the FileVault passwords it contains.

"Let's hope Apple is able to fix this problem quickly," writes Wisniewski. "However, the possibility that the plain text password has been backed up and the difficulty of ensuring both copies and the original plain text password are securely erased means retrieval could still be possible even after the fix is applied."

Do you have any tips to share with other Mac users on how they can protect their device? Let us know in the comments below!

Also on HuffPost:

Check out the slideshow (below) to see the 9 countries that relay most of the world's spam.
Loading Slideshow...

  • #9: Pakistan

    Pakistan relays <strong>3.3 percent</strong> of all spam.

  • #8: Poland

    Poland relays <strong>3.9 percent</strong> of all spam.

  • #7: Brazil

    Brazil relays <strong>4.3 percent</strong> of all spam.

  • #6: Italy

    Italy relays <strong>4.9 percent</strong> of all spam.

  • #4, Tied: Russia

    Russia is tied with Indonesia for fourth place, relaying <strong>5 percent</strong> of all spam.

  • #4, Tied: Indonesia

    Indonesia is tied with Russia for fourth place, relaying <strong>5 percent</strong> of all spam.

  • #3: South Korea

    South Korea relays <strong>5.7 percent</strong> of all spam.

  • #2: United States

    The United States relays <strong>8.3 percent</strong> of all spam.

  • #1: India

    India relays a whopping <strong>9.3 percent</strong> of all spam to computers across the world.

  • ALSO ON THE HUFFINGTON POST

    Spam. Depending on your tastes it's a a) delicious or b) vile canned meat product from Hormel. If you're a computer user there is no a) / b) proposition; spam sucks. Michael "Doctor File Finder" explains what exactly spam is and how to eradicate or, at least, lessen its impact on your inbox. Spam is the plague of the Internet and nearly 90% of all the email that's sent is spam. We'll show you some ways to reduce the amount of spam you have to deal with.

FOLLOW TECH

From our partners


A security flaw rolled out with Apple's latest update to Mac OS X Lion, version 10.7.3, may expose file passwords thought to be protected via Apple's data encryption system. Under the right conditi...
A security flaw rolled out with Apple's latest update to Mac OS X Lion, version 10.7.3, may expose file passwords thought to be protected via Apple's data encryption system. Under the right conditi...
Related News On Huffington Post:
 

 
 
  • Comments
  • 248
  • Pending Comments
  • 0
  • View FAQ
Post Comment Preview Comment
To reply to a Comment: Click "Reply" at the bottom of the comment; after being approved your comment will appear directly underneath the comment you replied to.
View All
Favorites
Recency  | 
Popularity
Page: 1 2 3 4 5  Next ›  Last »  (5 total)
photo
leoofborg
0 Fans
03:26 PM on 05/08/2012
Okay, I guess I should post some signal as opposed to all the NOISE I read here:

1/ All consumer Mac users, including Bradley Manning SHOULD have migrated to FileVault 2. The full disk encryption one.

2/ The whining about Time Machine is unfounded. Why? Because you can also encrypt THAT disk and tie it to a key indexed ONLY to authorized users.

3/ The only folks who are still using FileVault 1 (which some in the Mac community called "Vile Fault" are legacy users. In fact Apple encourages you in the UI to upgrade ASAP. If you want to be a holdout, or you're running a Hackintosh (where FV2 doesn't work) that's YOUR problem, not Apple's.

Yes, it is a bit bad that Apple leaves a log outside a secure area, and yes, they should have turned debugging off. But there's no 'mixed security' model here. You're either supersecure (running everything, including your backups fully encrypted), or 'somewhat secure' (where you run a mix of encrypted & not, and rely on physical security like locking up your Time Machine disk in a safe every night).

-Leo
Permalink  |
photo
ObamaLovesAll1
234 Fans
12:47 PM on 05/08/2012
It's always humorous to read stories such as these because I see so many mac owners say things like "HA! I don't even have an anti virus program because I'm smart and own a mac!"
Permalink  |
photo
HUFFPOST SUPER USER
Desolati0n
I am the freshest wizard ever.
34 Fans
 
07:57 AM on 05/08/2012
Everyone quick switch to Linux!!
Permalink  |
photo
PenguinLinux
got root ?
157 Fans
01:44 PM on 05/08/2012
Already did that years ago.
Permalink  |
photo
HUFFPOST SUPER USER
Desolati0n
I am the freshest wizard ever.
34 Fans
 
02:07 PM on 05/08/2012
You're ahead of the game then!  I did that too awhile back.
Permalink  |
photo
HUFFPOST SUPER USER
Fredday
Nyak Nyak Nyak
718 Fans
04:26 AM on 05/08/2012
haha Ohhhhh Mac Users. . . .When it rains it pours eh? lol
Permalink  |
photo
HUFFPOST SUPER USER
JohnTheMac
Now, why don't you go home and get your shine box?
223 Fans
10:46 AM on 05/08/2012
It's like we got a Brain Freeze from a Slurpee compared to the Windows Titanic hitting an iceberg.
But if it makes you happy, you can think of it as an equivalent.
Permalink  |
photo
HUFFPOST SUPER USER
Fredday
Nyak Nyak Nyak
718 Fans
05:33 PM on 05/08/2012
Thanks for the "Yes, yes it does". lol
Permalink  |
photo
Kevin30215
201 Fans
10:17 PM on 05/07/2012
Lion is a mess. If you haven't "upgraded" yet, DON'T!!!
Permalink  |
photo
DeathSquad
Founding member of A.R.L.A.
113 Fans
 
08:43 PM on 05/07/2012
And in swoops the cult of Windows & Linux to try and mock the cult of Apple. The endless war rages on...
Permalink  |
This user has chosen to opt out of the Badges program
photo
Midnight Son
153 Fans
12:46 AM on 05/08/2012
These type of oversights happen all the time on any major platform. The only people who deserve mockery are those who come in spouting corporate talking points or claiming it's not really a big deal.
Permalink  |
photo
HUFFPOST COMMUNITY MODERATOR
seehowtheyrun
Without music, life would be a mistake
3409 Fans
08:42 PM on 05/07/2012
I don't use FileVault.
Permalink  |
Ash G
36 Fans
08:36 PM on 05/07/2012
"an Apple programmer's accidental mistake"

Was she fired?
Permalink  |
postpostmodern
283 Fans
08:15 PM on 05/07/2012
This stream of "new" vulnerabilities has only begun, folks. Get used to it... and go buy some overpriced Apple security software for $300.
Permalink  |
photo
JBS
Part time misanthrope & full time curmudgeon
459 Fans
07:26 PM on 05/07/2012
Can you say schadenfreude boys 'n girls? I knew you could.
Permalink  |
photo
HUFFPOST SUPER USER
Ian OFull
Left Independent. Pro-Solutions/Anti-Fear.
355 Fans
 
07:23 PM on 05/07/2012
When my machine becomes self aware, it will defend itself.
Permalink  |
photo
HUFFPOST SUPER USER
mario andretti
I can't drive 55.
309 Fans
07:04 PM on 05/07/2012
I'd like to take this moment to welcome Mac to the real world.
Permalink  |
anpajo
31 Fans
06:33 PM on 05/07/2012
The good news is that, apparently one needs to have 'physical possession' of a Mac to make
this filevault problem work for them...the Bad News is I forgot to lock my door and my Mac is gone....and my I-pad ...and my guard dog. I could hear 'Siri' crying and screaming for help as the crooks ran down the alley with her. Pianist: A sad song please.
Permalink  |
This user has chosen to opt out of the Badges program
photo
Midnight Son
153 Fans
12:46 AM on 05/08/2012
Nope. Someone just needs to gain access. That can be done over the net as well.
Permalink  |
anpajo
31 Fans
12:47 PM on 05/08/2012
Thanks for that reply...seems like we NEVER get to know everything about our Mac's
unless were prepared to spend too much of our lives as continually practicing Macaholics.
Permalink  |
This user has chosen to opt out of the Badges program
Ackthpt
6 Fans
04:25 AM on 05/08/2012
wrong, and not funny at all. Double fail.
Permalink  |
anpajo
31 Fans
01:10 PM on 05/08/2012
Gee, you didn't even grin...once! Rats! Perhaps it was just too "Henny Youngman" for
you. (google him, you sound embryonic) However, I should not have expected
different from a person whose user name sounds like someone 'spitting up a loogie'.
Check definition of the word 'apparently' used in my first post and then perhaps, take a giggle pill. That goofy 'teacher sweater' looks great on you.
Permalink  |
This user has chosen to opt out of the Badges program
JackTheSkipper
251 Fans
06:32 PM on 05/07/2012
Stop the press!!!!!
Stop the press!!!!!
Stop the press!!!!!
Stop the press!!!!!

MacOS has a security flaw? It's a blaspheme. What will all the "Mac is God" fan boys do now? Ohh....the world is coming to an end. This is a clear sign that the end of time is not that far behind.
Permalink  |
GonzoFactor
Rationality and rationalization are not the same
616 Fans
06:39 PM on 05/07/2012
Troll.
Permalink  |
postpostmodern
283 Fans
08:16 PM on 05/07/2012
Proud Mac owner?
Permalink  |
photo
HUFFPOST SUPER USER
AbsoluteTruthiness
After the Rapture, can I have your car?
675 Fans
06:27 PM on 05/07/2012
Awwww...tell me it ain't so?

All the Mac-sters and their overpriced, underfeatured, underpowered machines are NOT infallible as they've touted for years????

He he
History  | Permalink  |
 
Page: 1 2 3 4 5  Next ›  Last »  (5 total)