Apple may have built its most secure Mac operating system yet, but a prominent security consultancy is advising enterprise clients to steer clear of adopting large numbers of the machines. At a talk last week at the Black Hat security conference in Las Vegas, researchers from iSec Partners said large fleets of Macs are in many …
Oh my, so the non-existence of any security, like for example a proper package manager, might actually lead to insecurity? Oh my, that's a bold statement Captain Obvious.
..that all software registers with the package manager in the first place.
Guess what? Malware doesn't want to be found, noticed or recognised. So it won't.
And a package manager will stop the user from clicking "install software xxx using admin rights?" how, exactly?
What if no Mac Server?
Is the weakness specifically in Mac OS *Server?*
That is, will things be OK if you have hundreds, or thousands, of Macintosh machines but NO Macintosh servers?
It seems so.
It seems to be an OSX Server vulnerability specifically.
But I find it a bit of a swooping conclusion --- buying into a platform or not based on a specific vulnerability? Next week the same guy comes up with one of the many cross-site scripting windows vulnerabilities and suggests to avoid PCs?
XSS vulnerabilities are independent of the operating systems involved.
RE: What if no Mac Server?
"......That is, will things be OK if you have hundreds, or thousands, of Macintosh machines but NO Macintosh servers?" Well, you will have stopped this one vulnerability, but you will have left yourself with a massive admin task for updates. Most companies have standard builds for their desktops and servers, and tools to help them push out updates and additions (or removals) from those builds. Those tools usually provide significant savings over employing large numbers of PFYs to run around and manually update each machine. In the case you suggest, you would need to manually run around and update your hundreds or thousands of Macs.
But it's not anything to do with XSS, it's a problem in the DHX network authentication protocol.
FAIL yourself, idiot. RTFA.
You will note that my post is in reply to a previous post.
I was therefore addressing an issue with that commenter's post and not with the FA.
Maybe you should RTFC?
To say nothing of the fact that it's trivial ...
... to boot a Mac into single user mode, if you have access to the keyboard (no removable media or network access needed). Apple computers are NOT what I consider secure in an enterprise environment.
@ Jose Cardoso
Firmware passwords don't stop users from booting into single user.
Active Directory is an 'orrible, 'orrible, Redmondian kludge ...
For "keyboard" read "hardware". If I have physical access to your Apple computer, I can get into your porn stash. That isn't security.
Note: I am NOT trying to claim that Redmond is doing anything better than Cupertino ...
And you can't boot into Safe Mode on Windows?
Mucking Forons are not what I consider secure in any environment.
Just to clarify...
...the problem is in OS X server but corporations should avoid all OS X versions?
That is like saying "The problem is really in Windows XP but you should avoid all versions of Windows."
btw. Google didn't change their Windows servers to OS X servers, all Google is run on Linux servers.
that explains it
That explains then why they have 960,00 servers, see earlier article in the register. May God bless them with a million.
So are they saying that if authentication was kerberos only everything would be OK? Not a big fix surely.
From the 4th paragraph in:
"Stamos and fellow iSec researchers Paul Youn, Tom Daniels, Aaron Grattafiori, and William "BJ" Orvis found it was trivial to force OS X server to resort back to Apple's insecure protocol."
So setting the server to use Kerberos is irrelevant because you can 'sploit it back to donkey mode.
... if there was a fix to stop reversion all would be well in the cupertinoverse?
Better, not fixed
"... if there was a fix to stop reversion all would be well in the cupertinoverse?"
A setting to disallow downgrade is a necessary but not sufficient step to securing against network escalation attacks against OS X. Another important step would be to implement "channel binding", which uses a cryptographic key derived by the authentication handshake to protect the integrity of the subsequent conversation. Without this protection, a MITM attacker merely relays the initial handshake and then manipulates the actual data. In some cases (like LDAP or binaries on AFP) this would allow the attack to take over the client machine.
Our suggestion to Apple was to break compatibility in 10.8 Server with downlevel clients and to create a single wrapper protocol for all of the various services offered by OS X server. A good option would be TLS with SRP password auth, and TLS with Kerb Auth in OpenDirectory environments. These protocols (AFP, ARD, Server Admin) could then be easily tunneled over TLS as long as a reasonable multiplexing system was put in place. This would reduce the complexity of fixing these problems one by one on each protocol.
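The integrity protection and downgrade check described in the comment above, as an added sketch that is not part of the original thread and is not Apple's protocol or iSec's code. It assumes PBKDF2 as a stand-in for a real password handshake such as SRP; the mechanism labels `kerberos` and `legacy` and all function names are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Optional, Sequence


def session_key(password: bytes, c_nonce: bytes, s_nonce: bytes,
                offered: Sequence[str], chosen: str) -> bytes:
    """Integrity key bound to the password and to the negotiation transcript."""
    # Assumption: PBKDF2 stands in for a real password handshake such as SRP.
    secret = hashlib.pbkdf2_hmac("sha256", password, c_nonce + s_nonce, 10_000)
    transcript = ",".join(offered).encode() + b"|" + chosen.encode()
    return hmac.new(secret, b"integrity|" + transcript, hashlib.sha256).digest()


def _mac(key: bytes, seq: int, payload: bytes) -> bytes:
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Prefix the payload with a MAC over (sequence number, payload)."""
    return _mac(key, seq, payload) + payload


def verify(key: bytes, seq: int, frame: bytes) -> Optional[bytes]:
    """Return the payload if the MAC checks out, otherwise None."""
    tag, payload = frame[:32], frame[32:]
    return payload if hmac.compare_digest(tag, _mac(key, seq, payload)) else None


def run_scenarios() -> dict:
    password = b"constructed-demo-password"      # constructed sample value
    c_nonce, s_nonce = os.urandom(16), os.urandom(16)
    offered = ["kerberos", "legacy"]             # what the client really sent
    results = {}

    # 1. Honest session: both ends saw the same negotiation, so keys match.
    client = session_key(password, c_nonce, s_nonce, offered, "kerberos")
    server = session_key(password, c_nonce, s_nonce, offered, "kerberos")
    frame = protect(server, 0, b"update-manifest v1")
    results["honest"] = verify(client, 0, frame)

    # 2. A relay passes the handshake through, then alters the data in transit.
    results["tampered"] = verify(client, 0, frame[:32] + b"update-manifest v2")

    # 3. A valid frame presented again under a later sequence number.
    results["replayed"] = verify(client, 1, frame)

    # 4. The offer is stripped in transit, so the server only ever saw "legacy".
    client = session_key(password, c_nonce, s_nonce, offered, "legacy")
    server = session_key(password, c_nonce, s_nonce, ["legacy"], "legacy")
    results["downgraded"] = verify(client, 0, protect(server, 0, b"update-manifest v1"))
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Only the honest session yields a payload; the other three return `None` because the party in the middle never learns the password-derived key and the two ends disagree about the negotiation transcript.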
Yeah, because Windows has the whole "security" thing down pat.
Those Apples who do not learn from Microsoft's history are doomed to repeat it.
Windows suffered from numerous auth downgrade attacks similar to this about ten years ago - NTLM could be made to fall back to lanman, NTLMv2 could be made to fall back to NTLMv1- and IIRC MS eventually fixed them by implementing schannel which IIUC is pretty much the technique being recommended here by Stamos and iSec.
This is not the first time that Apple have recreated an old Windows security fail, and it is fascinating to watch the late-90s/early-2000s being replayed as if nothing had been learnt from them. In fact, much has; just not by Apple, which, now that Macs are receiving significant market share and enterprise usage for the first time, is stepping on every rake and walking face-first into every custard pie that previously hit MS.
It's very lulzy to see that Jobs has feet of mud every bit as much as Gates.
If you want to be secure...
... steer clear from computers altogether. And pens and paper. And don't talk to anyone.
I sound like my IT department, I'm surprised they didn't take keyboards away from us yet as many problems originate from some keystrokes.
Classic ROTM scenario
Historically, all security / malware cases have been traced back to human activity. Therefore the simplest solution is to eliminate all humans.
Initiating wetware cleanse in 5... 4... 3...
Remove all humans from workplaces
Sounds like the last 20 years of taxation and economic policy from DC
Mine's the one with Road to Serfdom in the pocket
The problem isn't malware, then.
It's social engineering. No platform is safe from that. People have been "hacking" other people since the dawn of time. Read Machiavelli's "The Prince" if you don't believe me. (Or your spouse.)
Ignorance, not operating systems, is by far the greatest security risk in any organisation.
OS X in the age of espionage malware
That makes Windows the most secure, safe and virus free option.
Black Hat is just scared because they know OS X could put them out of work if Apple continues to gain support.
iSec logic fart
"iSec's recommendation is premised on the assumption that a small percentage of employees in any large business or government organizations will be tricked into installing malicious software, no matter what platform they use"
What rules of logic make the underlying platform less secure merely because some employees don't know not to click on YES and enter the admin password?
even more dumb
their point doesn't make much sense to me as employees don't normally get admin rights on their computers anyway.
I'm not sure where the logical fallacy is, but the point here is that while we applaud Apple's efforts to increase the difficulty of exploiting client-side flaws to seed malware, our experience as well as the well-documented experience of many enterprises is that every large group has somebody that can be tricked into downloading a malicious .dmg/.msi and installing it without the need of an exploit. This is especially true in state-sponsored attacks that utilize human intelligence and professional operatives to improve their social engineering.
If you accept our premise, then it is critical that a corporate network be designed to reduce the methods by which an attacker can hop from machine to machine or escalate to an admin account. That is the basis for our analysis and recommendations.
For once a story about security that isn't pointing its finger at the atrocity called Windows which our employers keep foisting upon us!
...a bunch of guys in the greyest of grey suits writing off the US's credit rating, merely because they extended the overdraft a wee bit...
..I mean it's only $13tn dollars...
The claim that if a single mac is compromised, then it's easy to compromise them all is amusing... Not only does this require a particular configuration involving an OSX server configured to push updates to the clients... But it also seems to require exploitation of a specific bug, which I imagine Apple will be fixing in short order..
But it's also EXTREMELY easy to compromise a windows network in the same way, get onto one system and you can grab hashes, either of the local users (how many places build from images and all the local passwords are the same), or of logged in domain users... And then you can use these password hashes to access other machines without even having to crack them!
Get a semi competent pen test company to do an internal audit of your windows based network, give them an ethernet socket and nothing else... They will almost certainly have domain admin access before lunch.
While issues may exist in OSX, they look like fixable bugs whereas many of the holes in windows are serious design flaws that will break all manner of things if fixed.
Also another point, the assumption that at least one employee will fall victim to a social engineering attack and run a malicious binary... There is a simple solution to this, ensure that users don't have execute permissions for any device they can write to. Typical users have no business running anything that's not been preinstalled by the admin staff anyway.
And finally, even assuming that macs are just as insecure as windows, their presence still improves security because it creates diversity.. Sure, they may also have serious vulnerabilities but now the hackers need to have 2 sets of tools and 2 sets of skills instead of just 1.
"The claim that if a single mac is compromised, then its easy to compromise them all is amusing"
The process is: one mac server (with the vulnerability built in), steal credentials, get details of all the macs served by that server. So yes, if you "compromise" the server then all those others are game.
So what you're saying is, hacking OS X is simply done in three very easy steps:
Step 1: Find vulnerability in OS X Server.
Step 2: Compromise server.
Step 3: Get all client passwords.
Wow, that's easy indeed! I'd say it could be even easier. I bet I could even do it in one step:
Step 1: Hack server to get all passwords in system.
Oh god, you still didn't read.
1. Compromise one client Mac.
2. OSX Server pushes updates.
3. Compromised Mac steals credentials from stupid insecure update protocol.
4. Compromised Mac pushes compromised updates using stolen Server credentials.
5. All other Macs blithely accept this.
Just stop defending Apple no matter what. Everyone is wrong sometimes.
No-one is "defending Apple no matter what". What they are saying is that essentially iSec Partners' claims are spurious and bordering FUD. Whilst this is obviously a problem, it is probably a bug that would be trivial to render correct; however iSec Partners are suggesting that it is a trivial "hack", when it isn't.
Now that you've had a chance to read the slides, please let me know which of our conclusions are not accurate so that I can correct the "FUD".
This has nothing to do with centralized patching. I'm not sure where you got this idea.
"But it's also EXTREMELY easy to compromise a windows network in the same way, get onto one system and you can grab hashes, either of the local users (how many places build from images and all the local passwords are the same), or of logged in domain users... And then you can use these password hashes to access other machines without even having to crack them!"
This is a significant risk on Windows networks, however, the majority of methods to escalate privilege via these types of attacks on Active Directory have been mitigated by default or can be mitigated via centralized configuration settings on Windows 2008R2 and Windows 7. You can build a Windows network with GPO that makes these attacks hard (Kerb-Only, IPSec required, IPAuth, NoLMHash, smartcard Kerb pre-auth) but it is impossible to do so with OS X. That's of little benefit to enterprises struggling with downlevel Windows servers and backwards compatibility concerns, but if you were building a new network today and were concerned about APT-like attacks, I would recommend Windows over OS X.
OS X clients with no servers and no management would probably be the most secure configuration. Obviously that doesn't work for most enterprise IT departments.
"......Whilst this is obviously a problem, it is probably a bug that would be trivial to render correct; however iSec Partners are suggesting that it is a trivial "hack", when it isn't." Really? All you have to do is get one compromised client, and that wouldn't be too hard with a bit of social engineering ("You mean all I have to do is click here to guarantee myself the first iPhone5 when they are released?" - <click>). I have a friend that does security testing and he says he still finds many companies where the WiFi network is not separated from the Ethernet LAN, no internal firewalls, which means wardrivers in the carpark just have to crack access to the WiFi to be on the main corporate network. So this trick could even be done with a Mac laptop over WiFi without the need to actually get inside and plug into the target's LAN if you can get onto the target's WiFi network.
Bob and Sally?
Shouldn't that be Bob and Alice?
Quite a bit of denial and lalala going on here
The problem is that even if the server starts with a "secure" session, it can be forced down to insecure with relative ease.
Instead of pointing at other OS's and engaging in general whatabout'ery maybe you should acknowledge this is a major screw up?
We all know Windows can have problems if incorrectly configured, but this article is about OSX and its management in the enterprise.
It's because in most movies it is a mac that the bad guys manage to hack
..it's normally the other way round: Mac doing the hacking against non-descript PC box. Or in some films - against vastly technically superior aliens.
Give apple their due - they certainly know product placement; just about every ad/film has one in, even if it's just background scenery. Or maybe it's 'cos the designers love 'em?
Also see Nokia; very good at product placement too.
Sometimes they even hack the system using PC hardware running a Mac OS with a DOS prompt (aka Office space). Frequently even the Mac hardware doesn't appear to be running a Mac OS. The only thing I can think of for some of the "OS"s they display is some odd Linux GUI. I'm pretty sure in real life they just have an artist make up something to overlay onto the screen.
I had a tech guy ask me once about how cinematographers were able to take film of computer monitor screens without the moire pattern (slowly sweeping horizontal lines caused by the intersection between the projection device's scanning frequency and the recording device's scanning frequency). (This was before filters became available to do this.)
I replied that ... cinematographers did NOT shoot the monitor screens ... they shot the full frame, and then post-production filled in what ended up on the monitor using masking techniques, replacing whatever was on the screen with whatever the director/screenwriter needed.
He was incredulous. Simply could not believe that cinematographers were not shooting actual computer activity. So I asked him ... "Do you really think that Sandra Bullock was hacking The 'Net? Or that Hugh Jackman was actually breaking into DoD systems while cameras rolled?"
He still couldn't believe that those actors did NOT do the actual computing. Sheesh. I guess that explains the Republicans' success ...
Starts at the network, rather than the desktop. If someone walks into your organisation, plugs a computer into a wall socket and gets the same stuff everyone else does, your security is already broken, before we even ask what OS the box is running. You have properly segmented networks and you make damn sure that if an unauthorised computer pops up on your network it gets feck all access until it's somehow been validated. No update servers, no access to services, nothing. At best you get some sort of proxy which allows someone with network admin rights to validate the PC as being 'ok' from the PC and that's all.
Anyone letting unknown kit dance around on their network as much as they like is asking for trouble.
RE: Network security
You can turn off network ports so those vacant Ethernet sockets actually don't connect to anything, then a luser has to request a socket be activated and give a good reason why before a new system is connected. This is a major issue with company WiFi nets as they effectively give a "socket" to anyone unless you introduce MAC address access lists (and even the latter can be spoofed). But the article is not about a new device being added, it is about an existing Mac being first compromised by the luser by a bit of social engineering, then using that compromised system to mimic the server and compromise all the other Macs.
So a black hat organisation which depends upon OS insecurities in order to thrive suddenly tells us MacOS X's new security features are weak and we should all avoid Macs.
Hmmm... it couldn't be that the reason they are scared of orgs going Mac is precisely because it is now a lot more secure and the black arses can't hack it.
It is in their interests to push people away from the more secure platforms!