Sécurité et contrôle de la cache!

Plusieurs attaques requièrent l’utilisation de la cache d’un fureteur. À sa plus simple expression, il est donc possible pour un malfaiteur d’accéder à ces données, si elles ne sont pas protégé correctement.

Pour adresser ce point de sécurité, il est donc critique de retirer toute forme de cache possible. Que celles-ci se trouvent dans votre fureteur ou par le fait même, dans votre serveur web et même vos autres outils de sécurité réseau.

Contrôler la cache dans sa solution avant tout

Depuis plusieurs années, je remarque dans les solutions observé l’utilisation de méta données dans les pages web, par exemple :

<meta http-equiv="cache-control" content="no-cache">

<meta http-equiv="expires" content="0">

<meta Http-Equiv="pragma" Content="no-cache">

À première vue ceci semble parfait, mais cette solution possède un grave manquement… Elle ne touche pas du tout vos équipements réseau!

Ceci veut donc dire que le fureteur pourra ultimement être rafraîchie, mais que des données pourront toujours se trouver dans vos gestionnaires de cache, balanceurs et autres équipement.

Aussi, il est fort possible que certaines de ces commandes ne fonctionne pas avec plusieurs fureteurs se trouvant dans le marché actuel.

Pour répondre à ces besoins, il faut donc descendre d’un niveau et adresser les fureteurs ainsi que les équipements.

Réduire la cache

Pour solutionner en profondeur, ma recommandation est simple; directement attaquer les entêtes HTTP.

L’utilisation d’entête garantie qu’au minimum, tous les équipements dans la chaîne répondant aux normes web devront suivre les clauses indiqué, par exemple celles-ci:

Cache-Control: no-cache, no-store, must-revalidate

Pragma: no-cache

Expires: 0

Mais comme nous adressons les entêtes elles-mêmes, il faut donc travailler au niveau du protocole. Il est certain que pour différents langages il existe différentes solutions, mais voici deux bons exemples pour vous. Ceci devrait vous permettent de facilement solutionner vos enjeux dans le code de votre choix. Mon but est simple, vous mettre la puce à l’oreille! Voici donc pour PHP et java.

header("Cache-Control: no-cache, no-store, must-revalidate");

header("Pragma: no-cache");

header("Expires: 0");

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");

response.setHeader("Pragma", "no-cache");

response.setHeader("Expires", "0");

Idéalement, si vous voulez aller plus loin et “doubler” la protection, il ne faut pas se gêner et introduire le contrôle directement dans votre serveur web comme ceci dans Apache (fichier .htaccess) :

<IfModule mod_headers.c>

    Header set Cache-Control "no-cache, no-store, must-revalidate"

    Header set Pragma "no-cache"

    Header set Expires 0

</IfModule>

Métadonnées vs entêtes HTTP

La puissance des entêtes est fort simple : celles-ci sont présentées dès la connexion http, avant l’apparition de la page HTML elle-même; et ce à travers chacun des équipements dans votre réseau et vos solutions.

Cette approche nous permet donc de limiter les dommages potentiels et surtout, ne pas se limiter au fureteur en question! Surtout si c’est celui d’un malfaiteur…

De plus, utiliser les entêtes éliminent les différences que chacun des fureteurs possèdent. Comme les utilisateurs utilisent des mobiles, des laptop et autres équipements pour se connecter, les entêtes sont indifférentes  et donc renforce le tout devant les fureteurs.

Suivant mon expérience, il ne faut donc jamais faire confiance <meta http-equiv> tags et toujours renforcer via notre code et directement au niveau du serveur web.

iPhone out of warranty? Don’t call Apple!

 

With more than 1 Billion iPhone sold in the last 10 years, out of warranty repairs are a frequent discussion. I think it’s time to give a bit of perspective on the subject.

In a nutshell, before calling Apple for repairs, contact an UNauthorized repair shop around you for quotes!

You’d be surprised at the money you can save and the quality of repairs you can get for the price!

Basic Warranty

iPhones are under warranty for 1 year standard (2 full years with AppleCare+) but even under warranty, destroyed devices are not fully covered. If the repair you need is important call a repair shop and asked them for a quote – you’ll thank me!

Unless you have AppleCare+, take the time and shop around. Even then, after 2 years you’ll be out of AppleCare.

Apple’s contention

Simply, Apple doesn’t want “external” companies fixing their products. Call it control or whatever you want, this is a fact. In some cases, repairs made @Apple are ok, but many times, I’ve seen exaggeration, and we need to cover this.

Apple’s current price list can be found on Apple’s website*. Of course, prices can and do change, but it still gives us a good idea about the basics at Apple.

But why? Because many Apple repairs are done as a bunch (think of your microwave for a second). Apple won’t try to fix individual components or what’s broken per se; they’ll go and just change the whole module or board in a shot.

At a high level, repairing an iPhone screen will run around 200 CAN dollars. A bit less for smaller screens and a bit more for bigger modes such as the iPhone Plus families.

If potential repairs are more significant, bills can rapidly run into the 400 to 500 CAN dollar range. As your device may not be the most up-to-date model, you may want to think about those prices for a minute or two.

*Reference is the Canadian Apple store, and can be found using the link below:
https://support.apple.com/en-ca/iphone/repair/service/pricing

Audio jacks, Batteries, Home buttons, power switches and more!

I’ve seen people paying for a new iPhone, when Apple told them they couldn’t fix the headphone jack! As a note, this port can easily be changed – INDIVIDUALLY – for tens of dollars – no need to spend 200 or 300 hundred bucks for a new board.

Power button, batteries and more can be individually changed and will not affect your iPhones performance or do anything negative to it… really.

Don’t believe me? You can even do it yourself if you like. Get the tools and parts and you’re on your way to making it yourself.

Check out iFixit for some details; been there done that!

UNauthorized repair shops – good friends!

It’s critical to mention that if the repair shop is “Apple Certified” it can’t repair you iPhone or any other device you have from Apple.

“Most don’t know this, but Apple Certified shops are obliged to send the device to Apple for repair!”

As for the others, most of the time, they CAN fix what’s broken with brand new components is available and usually at a fraction of the price. They may even have used parts that are more than fine for you. So…

“Before calling or going to Apple for a repair on your iPhone, make sure you call an UNauthorized repair shop first!”

Call a repair shop and asked them for a quote – you’ll thank me! On top of that, most UNauthorized repair shop can do the work much faster than Apple. You’ll most usually get your phone back the same day or the day after.

So why pay 4-5-600 bucks for a repair, when let’s say, just your audio port is busted – boom 40 bucks!

MacOS – TimeMachine est lent!

Time Machine est le service de sauvegarde automatisé de MacOS depuis des années. Avec cette maturité, comment est-il possible que celui-ci soit si lent?

Et bien j’ai une solution pour vous. Celle-ci est simple et n’affecte pas négativement votre Mac!

Pour vous donner une idée, je viens de compléter une pleine sauvegarde de mon Mac (environ 30 GB) en 5 minutes. En temps normal, ceci aurait pris 4 heures…

Cette commande permet donc de faire une sauvegarde de plusieurs gigaoctets (GB) en quelques minutes; plutôt qu’en quelques heures!

Sans trop entrer dans les détails, Time Machine est configuré pour rouler en arrière-plan sur votre Mac pour ne pas impacter votre travail. Sur ce, quand vous voulez accélérer les choses, une simple commande dans votre terminal sera en mesure d’accélérer les choses pour faire une sauvegarde rapide; très rapide.

Il s’agit de donner une priorité supérieur à Time Machine. Pour ramener les choses telles qu’elles étaient, il s’agit de simplement redémarrer votre Mac et le tour est joué.

Pour entrer la commande, démarrer votre terminal trouvé dans /Applications/Utilities/ ou dans le répertoire Utilités dans vos applications si vous avez un Mac en Français ou dans tout autre langues.

sudo sysctl debug.lowpri_throttle_enabled=0

Cette commande indique à votre Mac de prendre les processus d’arrière plan et leurs donner une priorité comme les autres. Vous ne devriez pas remarquer de différence dans vos autres apps, mais croyez-moi, Time Machine va rouler comme un champion.

Pour remettre le tout à la normale faire la commande suivante:

sudo sysctl debug.lowpri_throttle_enabled=1

Et voilà tout est revenu à la normale!

Sinon, il est toujours possible de redémarrer votre Mac et le tour est joué!

When all fails: MacOS Time Machine

Don’t like macOS migration assistant? Want to do things manually and have full control? Well this section is technical, but may yield key results for people having significant problems with Time Machine backups and the dreaded ACLs!

But the most importantly…

  • Don’t change Time Machine ACLs!
  • Just strip the ACLs of files you copied from it!
  • So find, copy locally, and then change permissions.

UNIX Background

Added to UNIX file permissions such as user/group/everyone each having their own read/write/execute permissions, MacOS also uses ACLs (Access Control Lists). These ACLs allow much more granular file and folder permissions settings.

UNIX File ownership

File ownership provides a secure method for storing files. Every file in UNIX has these basic attributes.

  • Owner: controls actions the owner of the file can perform on the file.
  • Group: secures actions a user, who is a member of the group that a file belongs to, can perform on the file.
  • Other (world): what action all other users can perform on the file.

UNIX File Access Modes

The permissions of a file are the first line of defense in the security of a UNIX system.

  • Read: Grants the capability to read or view the contents of the file.
  • Write: Grants the capability to modify, or remove the content of the file.
  • Execute: User with execute permissions can run a file as a program.

UNIX Directory Access Modes

Directory access modes are listed and organized similarly as any other file.

  • Read: Access to a directory means that the user can read the contents. The user can look at the filenames inside the directory.
  • Write: Access means that the user can add or delete files to the contents of the directory.
  • Execute: Executing a directory doesn’t really make a lot of sense so think of this as traverse permission.

Note: more details available on www.tutorialspoint.com/unix/

Back to Time Machine

Once we understand the basic of UNIX file security, we can now appreciate the fact that by default, Time Machine adds the following ACL to all files:

group:everyone denyadd_file,delete,add_subdirectory,delete_child,writeattr,writeextattr,chown

This ACL simply means that all files and folders inside a Time Machine backup are locked for everyone (even the root user).

So if you restore your files manually from a Time Machine backup, all files and folders will keep those annoying Time Machine ACLs attached to them (good for security, but bad for portability).

Solving the problem

Once we understand the challenge, it is quite easy to remove the Time Machine ACLs. For all three options you need the Terminal which you will find in /Applications/Utilities.

Either way, the key is to access the Time Machine files directly from the Finder window, then copy the file or folder directly to the destination folder.

Option 1 – Swing the axe

If we know the files we want are in folder called “Documents”, let’s copy that folder on our local desktop. Once the copy is done, we can type the following into our Terminal window (make sure you follow the path of where you’re trying to run the command).

Note: If you don’t know the Terminal-way of specifying a path file or folder, simply drag and drop the file/folder you want onto the Terminal window and the Terminal will type the correct file/folder name for you.

chmod -R -N ~/Desktop/Documents/ Files

Option 2: Remove the first ACL entry

Same example as above. You have a folder called “Documents” on your Desktop. But in this case you have a few files with custom ACLs that you want to preserve. Type the following into the Terminal window:

chmod -R -a# 0 ~/Desktop/Documents/ Files

What makes the above solution “dangerous” is that it is not idempotent.

An idempotent operation is an operation that can be applied over and over without changing the result after it has been applied once. Kind of like multiplying a number by 1. You can keep doing it but the result is always the same.

Why does that matter? Well, let’s say that you have a file that already had an ACL before Time Machine prepended its own ACL entry.

If you run the above command twice then you will have removed both the Time Machine ACL as well as the ACL that you probably didn’t want to lose.

Plus the above solution is also not ideal for Time Machine files that are mixed in with other files. If any of these other (non-Time Machine) files have ACLs then the above command will remove those ACLs.

Option 3: Remove specific restrictions from an ACL

Aside from being able to specify which number entry of an ACL you want to remove you can also specify the specific restrictions you want to remove. So you could do this:

chmod -R -a "group:everyone deny add_file,delete,add_subdirectory,delete_child,writeattr,writeextattr,chown" ~

Note: “~” means “my home directory”, i.e. if your username is bob then “~” = “/Users/bob”)

The above command is also idempotent!

Finally

If we want to view the UNIX permissions as well as the ACLs of a particular file/folder you can pop open the Terminal and type

ls -led /path/to/file_or_folder

(again, just drag and drop the file/folder you want onto the Terminal window if you don’t know how to specify it the Terminal-way).

If you want to learn more about certain commands, you can start by typing them into the Terminal window and you’ll be on your way to becoming a deepgeek.

man ls
man chmod

(space bar to page forward, q to exit the man[ual] page)

 

Key sources:

http://galvanist.com/post/94558522941/strip-time-machine-acls

https://www.tutorialspoint.com/unix/unix-file-permission.htm

https://discussions.apple.com/

https://www.apple.com/

http://www.opengroup.org/unix