Apple Macs have gaping root hole – heres a superquick way to check and fix it

Share on Twitter
Share on Google+
Share on LinkedIn
Share on Reddit
What’s the maddest, baddest, craziest, can-you-believe-it, how-did-that-happen security blunder of recent memory?
Companies contending for the top three spots in the past three months surely include:
Uber. Suffered a breach, paid the hackers off, pretended it never happened, got found out anyway.
Equifax. Permitted crooks to carry off personal data, including social security numbers, for about half of US adults .
Apple. Let you read off the actual password of an encrypted device simply by clicking [Show password hint].
Well, Apple just did it again, and this one is even zanier that before – so Cupertino may well be back in first place.
Sophos Home
Free home computer security software for all the family
Learn More
The default root login password is…
In High Sierra, the latest version of MacOS (currently at 10.13.1), you can easily guess the password for root, the all-powerful system administration account.

The average number of guesses you need is…
…ONE.
In fact, strictly speaking you need ZERO guesses, because you almost certainly KNOW the password already.
Just login as root with the password “”, by which we mean no password at all – just hit [Enter].
We’re guessing that Apple didn’t bother to set a password for root because you don’t usually login or authenticate as root.
Instead, you specify that one or more regular accounts have Administrator powers, and can perform root-like activities one-at-a-time, as needed, by putting in their own passwords.
In theory, this is good for security because: you aren’t logged in as an administratoer all the time; you don’t need to share a single root password amongst multiple administrators; and there’s accountability because admin activities are tied back to the user who initiated them.
In practice, of course, you need to have a password on the root account if it’s active, and ideally it should be randomly set when you configure the system, so no one knows it. (It’s much easier to stop someone using a password by mistake, or against policy, if they don’t have that password in the first place.)
If you have no login password on the root account, you need to configure the account so it can’t be used to login, no matter how many different sneaky ways an attacker finds to get at a login prompt.
This is an epic fail by Apple, and all the world knows about it now, because it was disclosed publicly on Twitter rather than privately to Apple.
What to do?
信息安全及保密知识在线
You can easily set a strong root password of your own, so no one else knows it or can guess it.
The good news is that there’s an easy and safe way to check and fix this problem.
Open a Terminal window and enter the command passwd root, which is how you set the root password in the first place.
西方投资者质疑我们上市公司的财报,我们的组织应该在公司治理的框架下聘请独立审计人员,并且成立业务安全委员会,通过业务影响分析、风险评估,风险应对等等步骤和措施来建立长久的业务持续性计划。
Don’t worry – you can’t set a new password this way unless you already know the old one, so just hit [Enter] three times:
$ passwd root
Old Password: [just hit enter to assume that it’s blank]
New Password: [hit enter again to leave it blank if it already is]
Retype New Password: [hit enter a third time]
Note that if the old password isn’t blank, you don’t get an error message until the end, so if you see an error like this…
passwd: authentication token failure
…then you don’t have a blank root password and you may stand down from high alert.
However, if you don’t see any message at all, then your password was, and still is, blank, so you need to change it.
Run the same command again, but this time put in [Enter] as the old password and choose a proper password for root:
$ passwd root
Old Password: [just hit enter]
New Password:
Retype New Password:
$
Job done.
Technically, you don’t even need to keep a record of the password you typed in (though you can’t just type random garbage because you need to put the same password in twice).
You’ll still administer your Mac with your regular Administrator-enabled account by typing in your regular password when needed, just like before.
Check your Mac, and fix this now!
Note. We think that the default setup of macOS prevents you using this trick remotely. You must have physical access to the computer. Also, if FileVault (full disk encyrption) is turned on and the Mac is shut down rather than logged off or locked, you have to enter the disk password before you can get at a login prompt at all.
加密标准的安全漏洞不断被发现,不过通常不伤大雅,破解者可以利用新漏洞获得更快的解密速度,不过照一般的计算能力,想成功破解,还是需要相当长的时间。尽管如此我们还是要选择强健的算法和复杂的密钥。

猜您喜欢

海康威视与思科开展网络信息安全合作:项目取得阶段性成果
信息安全意识试题
网络安全法宣传视频系列001《网络安全法》背景知识
曲高和寡?起价13万以上的热销小型SUV
NADYANA REVERENDKNOW-IT-ALL
云计算和移动应用给IT安全人员带来的职业发展启示