Re: [Fed-Talk] Passware grabs Mac passwords over FireWire



OK, my brain must have been playing tricks on me. From http://support.apple.com/kb/HT4790

---
When you've completed the process of turning on FileVault, you will be prompted to restart your Mac. After restarting, you will notice the login screen appears very quickly, then an Apple logo with spinning gear appears after typing in your password. With FileVault 2 enabled, you are now logging in at EFI which unlocks the drive and begins the normal OS X Lion start up process.

The user account that unlocked the drive will be logged into their own account after start up completes, without needing to log in again.
---

I added the PolicyBanner, which is actually a requirement before I log on (different issue), and after removing it and replacing it, it only has me log in once. I know I logged in twice before but can't reproduce it. Maybe it only happened the first time.

What this means is that we need to have the PolicyBanner placed in the EFI boot sequence instead of after it because DOE sites are required to read and acknowledge the banner BEFORE logging in, not after. 



On Jul 26, 2011, at 2:47 PM, Trouton, Rich R wrote:

Peter,

Do you have FileVault 1 enabled as well as FileVault 2? With just FileVault 2, you should get just one login screen (the pre-boot login.)

Thanks,
Rich

On Jul 26, 2011, at 5:45 PM, Link, Peter R. wrote:

Alan,

I guess we're talking semantics here but when I have FV2 turned on and startup from a power off condition, I get two login screens, not one. The first one is a booting logon (unlocks encryption), the second is the normal user logon. Maybe they use the same credentials (external drives use different credentials) but I still have to enter my credentials twice. 

I have it running and can show you a photo I took of the first screen and a screendump from the second.


On Jul 26, 2011, at 2:35 PM, Danziger, Alan D. wrote:

@David – FV2 won't prevent this because the disk is unlocked as the computer boots up.  By default.  (I've done it differently, with two partitions, only one of which unlocks on boot).

@Peter – FV2 doesn't require a double-login, it caches the unencryption credentials and uses them to log you in automatically.

Also: If you turn the computer off, RAM is emptied.  If you have "Automatic Login" enabled, when 'an adversary' tries to boot it, the computer logs you in automatically & thus has the passwords & keychain back in memory…  "Automatic Login" basically stores your password somewhere the OS can get to it on boot-up…

It requires BOTH – disabling autologin, and actually shutting down (vs. sleep) - to protect against their process.

Regards,
-=Alan


From: "Link, Peter R." <email@hidden>
Date: Tue, 26 Jul 2011 16:02:58 -0400
To: David Whitley <email@hidden>
Cc: Apple Fed-Talk <email@hidden>
Subject: Re: [Fed-Talk] Passware grabs Mac passwords over FireWire

FV2 requires an initial unlocking before the regular logon screen (double login).

As far as this product, what does "The security risk is easy to overcome by simply turning off the computer instead of putting it to sleep, and disabling the "Automatic Login" setting. This way, passwords will not be present in memory and cannot be recovered." mean? Does it mean if you turn off automatic login, the password isn't stored in RAM? Their statement doesn't make a lot of sense since turning the computer off empties RAM anyway (I know, someone "proved" it is still there for a short period of time) so why worry about the Automatic Login setting? If they actually mean either of these works, then I don't know of any government computer that is allowed to use automatic login so this problem is moot.


On Jul 26, 2011, at 12:47 PM, David Whitley wrote:

The website says that FV2 will not prevent this, but I wonder if it can still do it if the computer is on, but you aren't logged in.  Isn't FV2's decryption done post-login?


David R. Whitley Jr. 




On Jul 26, 2011, at 3:34 PM, Rex Sanders wrote:

FireWire has long been known as a back door into Mac OS RAM.  Now Passware
has a kit for extracting system passwords from Mac OS X over FireWire:

http://www.prnewswire.com/news-releases/passware-proves-mac-os-lion-insecure-revealing-login-passwords-in-minutes-126166663.html

The security risk is easy to overcome by simply turning off the computer
instead of putting it to sleep, and disabling the "Automatic Login"
setting. This way, passwords will not be present in memory and cannot be
recovered.

Note that www.lostpassword.com, Passware's web site, is blocked by DOI Web
filters as Malware, so be careful out there.

I wonder if Thunderbolt presents the same issues?

-- Rex
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
email@hidden





---
Rich Trouton

JFRC Help Desk
phone: x4030
email: email@hidden

The best way to get in touch with me is through email.

