The latest Apple encryption blunder shows why digital data security is always risky, why it works despite the ever-present risk, and why you need to go with vetted products (which is why the centrally managed encryption from AlertBoot uses FIPS-validated Sophos SafeGuard).
Update 10.7.3 Turns On Debug Log — There’s Always Risk
According to zdnet.com, an Apple programmer accidentally left on a system-wide debug log file that records the login information of all who logged in since the installation of Max OSX update 10.7.3. Not surprisingly, the debut log stores all the information in plaintext, including the passwords.
However, it only affects “anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable.”
It has expressly been noted that users of FileVault2 are not affected. But then, FileVault2 is a true full disk encryption implementation and was designed with security in mind. It’s a weird thing to say, isn’t it? After all, encryption is encryption: FileVault (the first), one assumes, would also have been designed with security in mind.
But, Apple’s first foray that was FileVault included a litany of problems, including software applications that stopped working after turning on FileVault and sensitive data not being protected (because it lied outside of the encrypted image). It was, to say the least, not a particularly popular security feature. Hence the birth of FileVault 2.
As you can see, encryption is not a holy grail when it comes to security: sometimes, it just doesn’t work as expected.
But, It Still Works
That being said, the beauty of computer data security is that there are people who are constantly looking into the issue (i.e., attacking the encryption to see if it truly does what it claims it does). Take the Apple bug above:
The flaw was first reported by a security researcher David Emery, who posted his findings to the Cryptome mailing list. The bug has not been corrected by any subsequent updates.
In fact, as zdnet.com points out, a lot of people had been commenting on the bug since OSX 10.7.3 was released on February 1, 2012. So, there are people who are constantly poking and prodding to make sure encryption is working the way it’s supposed to.
This might feel like a bad thing, but in the end it works towards achieving an encryption product that stands up to attacks. (In a way, that’s what encryption vetting processes do — it attacks the submitted encryption product to see if there are any known vulnerabilities.)
Plus, keep in mind that this flaw affects a particular niche: it doesn’t affect FileVault prior to the 10.7.3 update, and it doesn’t affect FileVault2. Those two are still working as expected. (In fact, it’s enough to make one wonder why Apple hasn’t released an update or a patch since 10.7.3. I mean, one would assume that the fix to this issue is to “turn off” the system-wide debug log file.)
The point to the story: encryption works. Once in a while, you’ll see a vulnerability crop up that might affect one product or an entire encryption algorithm (for example, right now AES-128 is a tad bit more secure than AES-256). The occurrence and severity of such a vulnerability will depend on how well the encryption software is created. However, it will literally take the skills of a security researcher to figure it out.
What about the time lag in issuing a fix? Well, I can’t speak for Apple, but I can tell you that if an issue were affecting a product that was offered by a company focused on data security only, a fix would be offered ASAP.
Incidentally, this is why you should be using a data encryption product that has a stamp of approval (like FIPS validation) as opposed to any product that features “encryption” in its title. There are plenty of encryption tools out there that do encrypt data but don’t really provide much in terms of security, either because it has vulnerabilities like Apple’s last update to FileVault, because it uses weak encryption algorithms, or other reasons.
Related Articles and Sites: