Archive for category: Security

Apple has pushed some changes to XProtect.  Rich Trouton has the details over on his blog.

As usual with all things FileVault related, Rich Trouton has the details on a new .app for setting up FileVault 2.  FileVault Setup.app is a standalone app that provides a pretty interface for end users to configure File Vault 2 with during first login.  This is a interesting way to [...]

Oracle has released a security patch for Java 7 on OS X which can be found here and Apple has released updates for Java 6 which can be found via Software Updates.  For more details on this release, check out Oracle’s security bulletin.

If you have decided to disable the automatic update function of XProtect, then you will need a method for deploying the configuration files yourself.  These configuration files tell XProtect what the minimum allowed version is for the given plugins.  If the version of the installed plugin is less than this [...]

Graham Gilbert has an official post declaring Crypt to be in beta status.  Crypt is a great alternative to many of the paid solutions for FileVaule 2 escrow.  Rich Trouton gave us an early look at Crypt when it was more alpha-ish and it was looking really good.  It has [...]

Rich Trouton has a writeup on how to re-enable the Java 6 plugin after the recent Software Update.  This update disables the Web Plug-in piece while leaving the actual Java 6 framework intact.  Many apps still require Java 6 (Crashplan for instance), so for many of us it may be [...]

FileVault 2 was a great advancement for encryption on Mac OS X.  It allowed for full disk encryption without the use of a third party product, as well as management using the system keychain or via a tool such as cauliflower vest. One might ask “So how exactly do you [...]

In order for an app to run on an iOS device, it needs to be code signed. This proves to iOS that the app has been approved to run on iOS devices. This is true of any apps in the App store, ad-hoc, or enterprise apps. The App store apps [...]

Introduction It comes as part of an amazing revolution that the devices we carry are increasingly smaller and lighter. For the first time in history, we have truly mobile devices, including laptops. This also means that they’re more likely to be misplaced or be carried with us in hostile environments, [...]

Go directly to step-by-step instructions. 

On July 10, 2011, DigiNotar.nl (a Netherlands CA) issued a fraudulent SSL certificate for the domain *.google.com, which would be valid for all google.com domains. DigiNotar has not been forthcoming about how the attackers were able to obtain the fraudulent certificate, releasing only a PR statement without any content. This means that more fraudulent certificates may have already been issued or may be issued in the future for *.google.com or other domains. While current indications are that it was used to snoop on G-Mail communications in Iran, no one knows what other places it might be used and for what other purposes. 

Furthermore, due to the nature of the certificates system, until the DigiNotar.nl registrar is completely secured and how the attack was conducted becomes publicly available, every SSL protected website and service in the world is vulnerable. 

Microsoft IE, Google Chrome, and Mozilla Firefox already have or have announced plans to very shortly blacklist all DigiNotar.nl certificates. If you are running IE (any version) on Vista, Windows 7, Server 2008, or Server 2008 R2; or an up to date version of Firefox or Chrome, you'll be OK in the near future. This is pretty much a death penalty for the DigiNotar CA. I would have been a bit more forgiving, perhaps, but the actions of the security teams at Microsoft, Google, and Mozilla have convinced me that revoking the trust of the DigiNotar CA is necessary. 

Apple has not yet updated Mac OS X and Safari as of this writing or made any announcements about its plans.  Until Apple releases a security update for this issue, you can protect yourself on an individual Mac computer by following the steps in this article, which includes steps for managing the process via MCX and shell scripting for mass deployment.  

NOTE: Unfortunately there is no equivalent process available for iOS at this point. You can add your own trusted CA certificates via the iPhone Config Utility and Configuration Profiles, but you cannot remove or modify the trust levels for pre-installed system certificates.