macOS High Sierra Security Bug

A serious security vulnerability was discovered in macOS High Sierra that can potentially allow anybody to gain full administrative access without a password. Anyone running macOS High Sierra 10.13, 10.13.1, or 10.13.2 who has not previously enabled the root account or changed the root user account password on their Mac may be affected.

To determine which version of macOS you are using, choose ‘About This Mac’ from the Apple Menu and click on the Overview tab.

It is vital that Mac users take immediate steps to secure their systems and prevent unauthorized access.

Apple has released Security Update 2017-001 to address the issue.  The update should be available through the Updates tab in the Mac App Store.

For detailed installation instructions, visit: https://support.apple.com/en-us/HT201541

How to Prevent Root Login Without a Password in macOS High Sierra

If you cannot immediately patch your system, there are two other methods available to lock down the root account. One option is to use Directory Utility and the other is performed on the command line. Choose whichever you feel more comfortable with; they both accomplish the same task.

Please contact the IT Service Desk at 978 934 4357 should you need assistance with this.

Using Directory Utility to Lock Down Root:
1. Open Spotlight on the Mac by hitting Command+Spacebar (or clicking the Spotlight icon in the upper right corner of the menubar), type in “Directory Utility”, and hit return to launch the app

2. Click the little lock icon in the corner and authenticate with an admin account login (in most cases this is the same account you log into your Mac with).

3. Now pull down the “Edit” menu and choose “Change Root Password…” (see the note under step #5 if you don’t see “Change Root Password…” in the menu) ***

4. Enter a password for the root user account and confirm, then click “OK”

5. Close out of Directory Utility

*** If the root user account is not yet enabled, choose “Enable Root User” and then set a password instead.

Essentially all you are doing is assigning a password to the root account, meaning that logging in with root will then require a password as it should. Also, if the root account is disabled, it doesn’t mean it is secure. The root account must be enabled and have a set password.

Using the Command Line to Assign a Root Password:
Users who would prefer to use the command line in macOS can also set or assign a root password with sudo and the regular old passwd command.
1. Open the Terminal application, found in /Applications/Utilities/
2. Type the following syntax exactly into the terminal, then hit the return key:
    sudo passwd root
3. Enter your admin password to authenticate and hit return
4. At “New password”, enter a password you won’t forget, hit return, and confirm it

Be sure to set the root password to something you will remember, or perhaps even matching your admin password. UMass Lowell Information Security recommends a 16-character password for optimal security.
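
To check a Mac against the conditions described above, the following shell script (an added example, not part of the original notice or its source) classifies a host from its `sw_vers -productVersion` string and the output of `dscl . -read /Users/root Password`. It assumes dscl reports `Password: *` for a root account with no password assigned; the function names are illustrative, and the version list is the one given in this notice.

```shell
#!/bin/sh
# Added example: audit a Mac against the conditions in this notice.
# Function names are illustrative, not from any Apple tool.

# Succeeds if VERSION is one of the releases this notice lists as affected.
# "10.13.0" is accepted as another spelling of "10.13".
in_listed_range() {
    case "$1" in
        10.13|10.13.0|10.13.1|10.13.2) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the output of `dscl . -read /Users/root Password`.
# Assumption: dscl prints "Password: *" when root has no password assigned.
root_password_state() {
    marker=$(printf '%s\n' "$1" | sed -n 's/^Password:[[:space:]]*//p')
    case "$marker" in
        '*') echo unset ;;      # literal asterisk: no password assigned
        '')  echo unknown ;;    # attribute missing or unreadable
        *)   echo set ;;        # any other marker: a password record exists
    esac
}

# Combine both checks into one finding for the host.
assess() {
    if ! in_listed_range "$1"; then
        echo not-listed
        return 0
    fi
    case "$(root_password_state "$2")" in
        set)   echo listed-root-password-set ;;
        unset) echo listed-root-password-unset ;;
        *)     echo listed-root-state-unknown ;;
    esac
}

# On a Mac, report the live state; on other systems this step is skipped.
if command -v sw_vers >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    assess "$(sw_vers -productVersion)" \
           "$(dscl . -read /Users/root Password 2>/dev/null)"
fi
```

A result of listed-root-password-unset means the steps above still need to be done. The version string alone does not show whether Security Update 2017-001 has been installed, so confirm that separately in the Updates tab of the Mac App Store.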

Source: http://osxdaily.com/2017/11/28/macos-high-sierra-root-login-without-password-bug/

You’ve Received a Data Breach Letter — Now What?

It seems every week we hear about a data breach on the news at a major company or government institution.  Recent breaches at Equifax, Yahoo, IRS, Target, and OPM are a few good examples.  So what should you do when a data breach notification letter arrives in your mailbox, or you simply hear about it in the news cycle?   My short answer is — don’t panic and pay close attention.

Faced with a breach notice, most people either ignore it, panic, or start closing accounts. None of these is helpful, so we recommend these steps:

  1. Read the notice carefully to learn what information may have been exposed.  Keep this notice handy in case you need to prove your data was compromised through no fault of your own.
  2. If you are offered free credit monitoring, take it.
  3. Pay close attention to your bank accounts and credit card transactions — at least weekly.  Look for any unusual activity.
  4. Visit a reputable website that summarizes additional steps to take.  My recommendation is www.ftc.gov/idtheft
  5. Know how to place a credit freeze on your credit file:
    1. www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
    2. www.freeze.equifax.com
    3. www.experian.com/ncaconline/freeze
    4. freeze.transunion.com/sf/securityFreeze/landingPage.jsp
  6. Enroll in a paid service for identity theft protection. Each offers similar protection, but depending upon your financial situation, you may choose one over the other. My two recommendations are:
    1. Lifelock – more expensive
    2. Zander Insurance Group – less expensive; has a family plan
  7. If you are in the habit of storing credit card information on websites (e.g., Amazon), enroll in Multi-Factor Authentication if the website has it available.

So what should I do moving forward? Keep up good data-management habits by shredding sensitive documents before throwing them in the trash; use a locking mailbox; and take advantage of the Do Not Call registry.

Let’s face it, if you haven’t received a breach notification letter yet, you probably will in the future.  Not all breaches are created equal and some are worse than others.

If it involves your credit card or debit card, chances are your bank will issue you a new one if they think the risk is high (you can always request a new card if you’re concerned).  If your SSN, birth date, and address are compromised, they have a long shelf life and can be used by cyber-criminals next month, next year, or two years from now — you get the point.  For this reason, take the necessary precaution that’s proportional to your risk level.

 

 

Top 5 Multi-Factor Authentication Recommendations

  1. Use the Duo Mobile App to Accept “Push” Notifications
    Employees who have a smartphone should search for “Duo Mobile App” in their device’s application store (iTunes App Store, Google Play Store, Windows App Store), then download and install it. This is the most secure option and the most cost efficient for you and the University. If you need assistance, you can stop by any of the IT Service Desks at University Crossing, O’Leary Library or Lydon Library. Refer to www.uml.edu/mfa to manage your settings.
  2. Make Sure Your Mobile Device Number is Your Primary MFA Device
    You can change the order of your MFA devices by visiting www.uml.edu/mfa
  3. Take Advantage of the “Remember me for 30 days” Feature
    When this box is checked, you are not challenged for a secondary authentication again when you log in to that application from that device for 30 days. Refer to www.uml.edu/mfa to manage this setting.
  4. Register Multiple Devices
    We strongly recommend registering at least two devices for MFA, such as your smart phone/cell phone and your office/home phone. Why? You may forget your primary device at home and still need to get access to a protected application. Refer to uml.edu/mfa to manage your settings.
  5. Be Cautious
    Try not to blindly accept a “push” or request for a second authentication (SMS code, phone call). If you receive a request, and it wasn’t you who generated it, that means someone has your primary password to your account. Change your password immediately or contact the IT Service Desk (978-934-4357) for assistance.

As always, you can check out the Frequently Asked Questions document for more useful information by visiting www.uml.edu/mfa.

VPN / Pulse Secure Client upgrade feature

Starting Tuesday, October 11, the campus VPN will check whether you have the latest version of the Pulse Secure client software on your Mac or Windows system when you log into the VPN.

If you have a version older than the current one (5.2.5), you will be prompted to upgrade it. Once upgraded, you will need to connect to the VPN again.

For assistance, please contact the IT Service Desk at 978 934 4357.