[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <200407231008.00531.adi@cg.tuwien.ac.at>
Date: Fri, 23 Jul 2004 10:08:00 +0200
From: Adi Kriegisch <adi@...tuwien.ac.at>
To: bugtraq@...urityfocus.com
Subject: Re: Mac OS X stores login/Keychain/FileVault passwords on disk
17.07.2004 23:00
There is one thing about this which makes more than just "lost notebook" or
"accessible data" out of this:
If you have the login password you have access to the "login keychain" -- the
keychain which is unlocked with the users pasword at login time.
[ For those who have no idea what keychain is:
(taken from http://www.apple.com/macosx/features/security/)
"A Secure Keychain
To make it easy to manage the daunting number of passwords and permissions
intrinsic to network computing, Mac OS X includes a Keychain. The Keychain
stores all your information to log onto file servers, ftp servers and Web
servers and to use encrypted disk images." (and so on)
]
You might create different keychains as well but the problem is your login
keychain contains -- at least for most users -- all your webform data,
passwords (online banking, ...), access credentials for file servers, your
encrypted disk images' passwords and even vpn-passwords if any is used for
accessing some private net.
I would not mind if anyone could get just some data; even enabling firmware
protection is of _NO_ use: just take the hard disk out of the
computer/notebook.
The problem here is that it is easy to get information which seems to be
protected within an encrypted file -- or as apple puts it: "a secure
keychain".
What I suggest as a temporary solution is to put no information into your
login keychain, create another keychain with different password and remove
all vital information from your login keychain. (please comment on this --
I'm not sure if I didn't forget anything)
Deleting or overwriting swapfiles is no feasible way because one can never be
sure if the password still is on disk somewhere. "Secure deleting" would only
be possible with overwriting a complete swap partition; MacOSX is dynamically
allocating disk space for swapping. So even if this bug is fixed you cannot be
sure that your password is not on disk any more after updating. Only solution
to this might be to completely fill the free space on root partition and
whipe it then... -- check with a grep for your password over the whole
partition to be really sure, or (simpler) choose a different password ;-)
Adding more ram is no solution to this problem as well because the login
application is started very early and then not used for quite some time and
MacOSX starts swapping it long before the end of ram is reached... (these are
at least my experiences)
ad apple: pls fix asap... btw: this was reported on June 21st by Matt Johnston
first and is a critical bug!
Adi
Powered by blists - more mailing lists