Feedback & Followups
- More Details Emerge on the SolarWinds Attack
- As expected, the private sector was targeted too:
- A second hacking group has targeted SolarWinds systems — www.zdnet.com/…
- A second vulnerability has been found in SolarWinds Orion, so US CISA has ordered government agencies to update again before the end of the year or shut down their Orion systems — www.macobserver.com/…
Steve asked a question for Bart in our Slack podfeet.com/slack:
In your discussion of the SolarWinds attack in the latest Security Bits, you mentioned the attack only affected Windows domain networks, albeit that probably impacts a high percentage of businesses out there. I infer this means that the few organizations that are not using a Windows domain network are definitely not impacted by this attack, correct?
Bart answered:
Not quite; remember SolarWinds Orion is just one vector being used by this specific Advanced Persistent Threat (Fancy Bear), albeit the most prominent one. If you’re a valuable enough target to this APT you can’t assume all is grand just because you don’t run Orion/Windows. CISA would have told you what to look for in the Indicators of Compromise. Secondly, while SolarWinds can be tightly integrated into Windows, it doesn’t only manage Windows.
Bruce Wilson also answered in our Slack:
SolarWinds Orion often has high-level credentials, including Windows domain credentials, as well as ssh keys to log into privileged accounts on both Linux and network hardware. Orion runs on Windows but is used to monitor and manage servers (Windows and Linux), applications, and network gear. A lot depends on what accounts are given to Orion and what privileges are given to those accounts. Tailoring that access to give those accounts what’s needed and no more can be time-consuming. I’ve definitely seen people decide to just give the Orion accounts unrestricted sudo, rather than sort out exactly what commands it does need to run. And it matters a lot if someone is using Orion to just monitor or if they (were) using it to monitor and manage. So, the point here is that multiple adversaries compromised Orion and got the ability to run code as the Orion process, and (thereby) using any credential to which Orion had access.
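As an added illustration of Bruce’s point about tailoring what a monitoring account may run (example code added here, not from the Slack discussion, SolarWinds or any real sudoers file): a small POSIX shell script that flags sudoers rules granting an account every command, and emits a tailored Cmnd_Alias rule instead. The sudoers text, the account names (orion, nagios, backup) and the command list are constructed samples.

```shell
#!/bin/sh
# Constructed sudoers fragment. The "orion" and "backup" rules are the
# "just give it unrestricted sudo" shortcut; "nagios" is the tailored form.
SAMPLE_SUDOERS='# constructed sample, not a real /etc/sudoers.d file
Defaults env_reset
Cmnd_Alias MONITOR_CMDS = /usr/bin/df, /usr/bin/uptime, /usr/sbin/iostat
orion   ALL=(ALL) NOPASSWD: ALL
nagios  ALL=(root) NOPASSWD: MONITOR_CMDS
backup  ALL=(ALL) ALL'

# Read sudoers text on stdin; print one name per line for every rule that
# lets the account run ALL commands as ALL users (with or without NOPASSWD).
find_unrestricted() {
  grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
  awk '$2 ~ /^ALL=\(ALL(:ALL)?\)$/ && $NF ~ /(^|:)ALL$/ { print $1 }'
}

# Emit a least-privilege replacement: the account may run only the listed
# commands, as root, and nothing else.  Usage: tailored_rule USER CMD...
tailored_rule() {
  user=$1; shift
  alias_name="$(printf '%s' "$user" | tr '[:lower:]' '[:upper:]')_CMDS"
  cmds=$(printf '%s, ' "$@"); cmds=${cmds%, }
  printf 'Cmnd_Alias %s = %s\n%s ALL=(root) NOPASSWD: %s\n' \
    "$alias_name" "$cmds" "$user" "$alias_name"
}

# Report on the sample, then show what the orion rule could look like instead.
echo "Accounts with unrestricted sudo:"
printf '%s\n' "$SAMPLE_SUDOERS" | find_unrestricted
echo "Tailored replacement for orion:"
tailored_rule orion /usr/bin/df /usr/bin/uptime /usr/sbin/iostat
```

On a real host, `cat /etc/sudoers /etc/sudoers.d/* | find_unrestricted` gives the same report; the tailored rule only helps if the exact commands the monitoring product needs have been worked out, which is the time-consuming step Bruce describes.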
- Discussion of Kernel Extensions (KEXTs)
- Audio Capture Engine (ACE) from Rogue Amoeba is being treated like a KEXT (even though it is not a KEXT) so on macOS Big Sur we have to do the extreme dance where you boot into Recovery and reduce your security level to where you would have been in Catalina. But Paul Kafasis says you can put it back up after the installation.
- Is this true for other extensions?
- Can you delete KEXTs? Give Steve’s example: needing a driver for a DJI Phantom.
- Look at www.maketecheasier.com/… but note these instructions predate the new Big Sur security levels.
- Kernel extensions are in /System/Library/Extensions; look for .kext bundles.
- Might need to boot into Recovery and use the Terminal command:
kextunload [full path to the kext]
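An added example (not from the show, Rogue Amoeba or Apple) of the step that comes before unloading or deleting anything: find out which non-Apple kexts are actually loaded and where the bundles live. The `kextstat` output below is a constructed sample in the pre-Big Sur format, and com.rogueamoeba.ACE and com.example.DJIDriver are invented bundle identifiers. It assumes the macOS tools `kextstat`, `kextunload -b` and, on Big Sur, `kmutil showloaded` / `kmutil unload -b`; the third-party kext directory /Library/Extensions is the standard one alongside /System/Library/Extensions mentioned above.

```shell
#!/bin/sh
# Constructed sample of `kextstat` output (macOS 10.15 and earlier format);
# on Big Sur `kmutil showloaded` is the equivalent. Not captured from a real Mac.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  123 0xffffff7f81b0a000 0x9000     0x9000     com.apple.kpi.bsd (19.6.0) 00000000-0000-0000-0000-000000000001 <>
  150    0 0xffffff7f82d3c000 0x8000     0x8000     com.rogueamoeba.ACE (11.1.0) 00000000-0000-0000-0000-000000000002 <5 4 3 1>
  151    0 0xffffff7f82d44000 0x20000    0x20000    com.example.DJIDriver (1.0.0) 00000000-0000-0000-0000-000000000003 <5 4 3 1>'

# From kextstat output on stdin, print the bundle ids of loaded kexts that
# are not Apple's own: the candidates worth reviewing, unloading or deleting.
third_party_loaded() {
  awk 'NR > 1 && $6 !~ /^com\.apple\./ { print $6 }'
}

# For each third-party kext, print the unload command by bundle id.
# kextunload needs root and refuses while something still uses the kext;
# on Big Sur the equivalent is `sudo kmutil unload -b <bundle-id>`.
unload_commands() {
  third_party_loaded | while read -r id; do
    printf 'sudo kextunload -b %s\n' "$id"
  done
}

# Where the bundles live on disk (macOS only; prints nothing elsewhere):
# Apple's under /System/Library/Extensions, third-party under /Library/Extensions.
list_installed_kexts() {
  for dir in /Library/Extensions /System/Library/Extensions; do
    [ -d "$dir" ] || continue
    for k in "$dir"/*.kext; do
      [ -d "$k" ] && printf '%s\n' "$k"
    done
  done
}

echo "Third-party kexts loaded (sample data):"
printf '%s\n' "$SAMPLE_KEXTSTAT" | third_party_loaded
echo "Commands to unload them:"
printf '%s\n' "$SAMPLE_KEXTSTAT" | unload_commands
echo "Kext bundles installed on this machine:"
list_installed_kexts
```

On a real Mac, `kextstat | unload_commands` (or `kmutil showloaded` on Big Sur) produces the list for the running system. Note that when booted into Recovery no third-party kext is loaded at all, so there the task is removing the .kext bundle from the mounted volume rather than unloading it; `kextunload` applies when booted normally.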
Worthy Warnings
- Bill & Melinda Gates Foundation’s Charity GetSchooled Breaches 900k Children’s Details — welpmagazine.com/…
- Latest T-Mobile Data Breach Exposes Customer Data — www.macobserver.com/…
- From Listener Lynda: FBI Warns Smart Devices Are Being Hacked to Live-Stream ‘Swatting’ Incidents — www.msn.com/…
Notable News
- Apple Hearing Study unintentionally collected historical data from users — www.imore.com/…
- Corellium notches partial victory in Apple iOS copyright case — arstechnica.com/…
Top Tips
Palate Cleansers
- The physics of cameras and lenses like you’ve never seen it before — it’s a long read, but the article is peppered with interactive ‘diagrams’ that really help you see what’s going on — ciechanow.ski/…
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |