Apple Mistake! You can log into macOS High Sierra as root with NO password


A simple-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password.

The security bug is triggered via the authentication dialog box in Apple’s operating system, which prompts you for an administrator’s username and password when you need to do stuff like configure privacy and network settings.

If you type in “root” as the username, leave the password box blank, hit “enter” and then click on unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen.

The vulnerability effectively allows someone with physical access to the machine to log in, cause extra mischief, install malware, and so on. You should not leave your vulnerable Mac unattended until you can fix the problem. And while obviously this situation is not the end of the world – it’s certainly far from a remote hole or a disk decryption technique – it’s just really, really sad to see megabucks Apple drop the ball like this.

Developer Lemi Orhan Ergan alerted the world to the flaw via Twitter in the past hour or so:

Dear @AppleSupport, we noticed a *HUGE* security issue in MacOS High Sierra. Anyone can log in as “root” with an empty password after clicking on the login button several times. Are you aware of it @Apple?

You can access it via System Preferences > Users & Groups > Click the lock to make changes. Then use “root” with no password. And try it several times. The result is unbelievable! pic.twitter.com/m11qrEvECs


It gets worse. You can use this programming blunder to disable FileVault…

But there is a workaround for now. If you have a root account enabled and a password for it set, the above blank password trick will not work. So, keep the account enabled and set a root password right now…
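The state the blank-password trick silently changes is the root record's AuthenticationAuthority attribute in the local directory. The following shell script is an added example (not from the article or from Apple) that classifies that attribute and maps each state to the workaround above; it assumes that an absent attribute (dscl reports "No such key") means root has never been given a password and that ";ShadowHash;" means one is stored.

```shell
#!/bin/sh
# Added example, not from the article. Classifies the macOS root account's
# password state from the AuthenticationAuthority attribute and prints the
# action the article recommends. Assumptions: a missing attribute ("No such
# key") means no root password has ever been set; ";ShadowHash;" means one is
# stored; ";DisabledUser;" marks an account disabled with dsenableroot -d.

# Takes the raw output of `dscl . -read /Users/root AuthenticationAuthority`
# (stdout and stderr) and prints NO_PASSWORD, PASSWORD_SET, DISABLED or UNKNOWN.
classify_root_auth() {
    auth="$1"
    case "$auth" in
        *DisabledUser*)      echo "DISABLED" ;;      # checked first: may also carry a hash
        *ShadowHash*)        echo "PASSWORD_SET" ;;
        *"No such key"*|"")  echo "NO_PASSWORD" ;;
        *)                   echo "UNKNOWN" ;;
    esac
}

# Maps a state to the article's workaround: keep root enabled with a real password.
advice_for() {
    case "$1" in
        NO_PASSWORD)  echo "root has no password: set one now (see the passwd step above)" ;;
        PASSWORD_SET) echo "root has a password set: the blank-password trick will not work" ;;
        DISABLED)     echo "root is disabled: the article advises enabling it and setting a password instead" ;;
        *)            echo "could not interpret AuthenticationAuthority: inspect it manually" ;;
    esac
}

# Live check, only where dscl exists (it is a macOS tool; elsewhere this is skipped).
if command -v dscl >/dev/null 2>&1; then
    raw="$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)"
    state="$(classify_root_auth "$raw")"
    echo "root state: $state"
    advice_for "$state"
fi
```

Run it as an admin user; it reads the local directory only and changes nothing, so re-run it after setting the root password to confirm the state is PASSWORD_SET.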

Everyone with a Mac needs to set a root password NOW.
As a user with admin access, type the following command from the Terminal.

sudo passwd -u root

Enter your password then a new password for the root user.
Anyone got a better fix? @SwiftOnSecurity @rotophonic @pwnallthethings

How to Take More Time Off

Why are we all so busy anyway?

I don’t know about you, but as a business owner I find it really hard to take time off. The whole “making my own schedule” thing doesn’t mean I don’t prioritize our clients’ businesses over my own freedom. The trick to solving this, of course, is to have the right systems and team in place to keep things running when I’m gone.

The funny thing is, even though I’ve got systems and teams now, I still noticed how anxious I get at the thought of going away.

So for the last few months, I’ve been considering what it is that I ACTUALLY think will go wrong if I disconnect for a couple of days or (gasp!) more. And I used what I learned to create a new checklist to thoroughly cover all the bases before I go.

Here’s an example:

You can see what I came up with below. Yours will vary depending on what you do and how you work, but anyone can use the same concept to create a little more space in their lives. And the anxious ones among us can have a little bit better time on their vacations 🙂

Scheduling & Logistics

  1. Follow the company’s time-off policies to request time off.
  2. Once approved, add to the staff time-off schedule wherever your company stores this info.

Communication and Auto-Responders

  1. Mark your entire days off as a “busy” calendar entry in Calendar.
    – This will mark you as busy for Calendar appointments, CRM scheduling, etc.
  2. Set your office phone number up to forward to whoever is covering for you (if people will actually get to your voicemail, rather than the cover person’s, change your greeting to a vacation message).
    – Clear your voicemail so it doesn’t fill up!
  3. Change the greeting on your personal cell phone so people know you are gone.
    – Clear your voicemail so it doesn’t fill up!
  4. Consider setting up an SMS auto-responder if you’re worried about texts lingering without reply.
  5. Set up an auto-responder in E-mail (see below for a sample you can use).

Ensure the Work Gets Done

  1. Is there someone your employees might need to get help from for complex problems that you usually solve? Certain job functions no one else in your company can do? If so, let your potential replacement for that task know when you’ll be gone, so they’re prepared to hear from your team.
  2. Before you go, sit with your team and talk through each client, active project and open sales opportunity so staff have context for decision-making. Discuss things like who to get support from, how things are configured, next steps for pending or active items, and pricing details for anything that needs to be quoted or sold.
  3. Advise bookkeeping and accounting staff of your travel so they can handle payroll, invoicing, A/R and A/P issues while you are away.


Extra: Sample Out-of-Office Auto Responder

Hi!

I’ll be out of the office, actually disconnecting, with limited or no access to E-Mail and Phone from [start date] to [end date].

If you have a pressing issue, please contact our xyzabc at 123.345.7890

or

If you are a client and need to get ahold of xyz to assist with abc, please use the following contact info to get help:

Thanks!!

add current signature block!!

How to Auto-Post your Blog Posts to your Social Media!

Tonight I was wondering how to get the posts from this blog to automatically post on my social media pages, since a pretty consistent theme for me is not remembering to do anything on Social Media that doesn’t happen on its own these days 🙂

Since this is a WordPress blog, I looked for WordPress auto-posting plugins and came back with a pretty obvious winner: SNAP Auto-Poster. This thing can log into Facebook, Twitter, Google+, Instagram, Tumblr, etc. and syndicate your content so it looks like YOU actually posted it. The plugin is free, but you have to pay $49/year to use certain sites (Google+ for one) and get additional flexibility in posting. Since Google+ is really important for search rankings, I think this is worth it.

This thing is really easy to set up! I’ll walk you through it below:

  1. Log into the admin panel of your WordPress blog.
  2. Click “Plugins” on the left-hand side menu -> Click “Add New”.
  3. Search for “Snap Auto-Poster” and install the plugin when you find it.
  4. Click “Plugins” on the left-hand side menu -> Click “Installed Plugins”.
  5. Click Activate under Snap Auto-Poster.
  6. Click Settings under Snap Auto-Poster.
  7. Now you’ll be using the “Add Account” button to add your various accounts.
    – Facebook: there are a number of steps that involve making a “Facebook App”. This means that your posts will look like your company legitimately posted them, rather than seeming to be syndicated by a re-posting app (this is a good thing). Follow the guide here.


Netflix and Chill?

New Netflix branded scam to be aware of:

You’ve got to be careful!

Heads-up! Bad guys are emailing you that your Netflix account has been suspended, and it looks just like the real thing. As usual, they are trying to get your login information and your credit card data.

Don’t fall for this scam! If you want to change the settings of any subscription service like this, never click on links in an email; instead, type the name of the site in your browser or use a bookmark that you set yourself.

Whatever email about Netflix you see in the coming weeks… Think before you Click!

To learn even more about how to keep your office safe, download our latest E-Book, Cybersecurity Tips for Employees.