Cracking OSX
A reader writes: "BusinessWeek is running an article about the new potential target for cracking - all those shiny new Mac OSXs, with their nice new Unix underbodies. Will crackers start to go after these machines too?" Well, to a certain extent, of course, yes. Anything that's easy - but will new tools be developed for these boxes? My only caveat is the use of the hack rather than crack - but that's a semantics thing.
pppsssssssssstttt: someone along the line forgot to tell you that the "worthy challenge" rating by nmap only means that guessing the packet sequence numbers is a worthy challenge, not that hacking the box is a worthy challenge :)
Never used C++, eh? STL's string class makes you try very hard indeed to create a buffer overrun.
What is it with idiots who know C and think that means they know C++ too?
There is an update checker which pops up to notify you of new patches from Apple when they are released, and you just click a button to install them. (I wonder what sort of authentication this has?) So when a major hole comes up it will be pretty easy to get a fix for it -- much easier than windows update on my NT box. I thought the article was a little harsh considering some of the major security flaws in products from Microsoft in the last few years.
A year ago I wrote what I still believe is the only widely-available documentation for buffer overflows on Mac OS X. I didn't think anyone cared, but after an Apple employee compared me to a locksmith helping thieves, I've been disseminating it widely, thus:
http://belgo.org/propeller/
-Chris
Thank you.
It gets damned annoying hearing people constantly whine about how people use the word hacker when they really mean cracker. Languages evolve and change. You can't put up a resistance. Make up a new freaking word for coders if this bothers you so much. Because after the media's tainted the word "hacker", there's no going back.
I've done a quick survey of posted messages, and I see quite a lot of FUD. I'm not a security expert by *any* stretch of the imagination, but I do read carefully what I can understand about security.
That said, let me outline what I believe are some salient points:
1) it's possible to install OSX *without* the BSD subsystem - no subsystem == no way to hack by command line.
2) Mac OS X has a firewall compiled in the kernel. While the firewall configuration hasn't been set (and realistically, how can Apple define the rules for everybody when they don't know how the machine is to be used?), you can use ipfw to configure, or there are GUI apps like BrickHouse (http://personalpages.tds.net/~brian_hill/brickhouse.html) that will help.
3) Mac OS X ships with the root account *disabled* by default. That's right. If you have to do superuser-related actions, you have to log in as a user with administrator privileges, and type in "sudo " at the terminal to do root-like things. This is only an extra step to 0wn the machine, true, but *everybody* knows the root's user name - not everybody knows which user also has admin privileges. This ain't a magic bullet, but it makes things that much harder for the cracker without making it harder for the legit user as well.
4) when I did a portscan of my own system using the built in tools, there were only 2 ports open, both of which are in the 700's somewhere - I don't know what they're for, but all the typically 'hackable' ports, like telnet, aren't open. No ports == harder to access.
So what's left? One poster mentioned that hacks would be done through either exploiting bugs in apps like IE5, or by getting people to use trojan-horse style apps that open up access to the box without the user's knowledge.
This, I think, is where the real threat to typical Mac OS X users is. As a Mac user first, and a newbie Unix user, I would like to ask this community to help Mac users gain a better understanding of security and trust.
If I messed up on any details, please correct, not flame!
Solaris (on sparc, at least) requires the root password to boot into single user mode. You can boot from the Solaris install CD without it, and overwrite everything on the boot disk, but it won't let you mount filesystems. This is secure and reasonable, protecting your data from any yahoo who can hit the reset switch on the powerstrip.
HP-UX and AIX don't provide you with the same security. Neither does any of the Linux variants I've dabbled in, or even the otherwise fort-knox-like OpenBSD.
I've heard the arguments, but I don't buy them. If you can't remember your root password and don't have your data and configuration backed up, give up on this unix stuff. It's too mentally challenging for you. End of story.
SoupIsGood Food
the intelligence of the people running OS X is going to be a big factor.
Of course, you've mischaracterized it as "intelligence", when what it really is, is the dedication, attention to detail, and desire to fiddle with the inner workings of what is essentially supposed to be just a tool. None of these are traits of your average Mac user. Lots of Mac users are very intelligent, even if they aren't kernel hackers, so you needn't go around characterizing them as "unintelligent".
That said, read the Mac message boards lately, and you'll see a HUGE gap between people who used to be comfortable with a userless system, that gave them the rights and capabilities to delete the System folder if they wanted to - to the present state, where root is not enabled on the machine by default because "the user is not to be trusted with such a powerful tool, lest they delete something they don't understand".
The number one complaint you see is someone who gets into a situation where they have to use the terminal and sudo to get out of it. The implication is that these people messed with things that they didn't understand, but that's not the case. The vast majority of these people are just trying to install software, or move an application to a place they feel is more convenient for them to access. But without root privileges, the system won't let them, so they're being forced to learn these things they previously didn't need to know to use "the computer for the rest of us".
These are the people that will be in charge of tens of thousands of OS X Unix systems a year from now. Be afraid. Be very afraid.
They aren't necessarily less intelligent, but you're right when you say they don't have a clue about the first thing in security. They never needed to before.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Your Mac has been hacked! (OK)
Hmmm.. prefer that sound over Sosumi..
--
Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
In a sense, yes, but generally, not all that different.
It used to be that simple HyperCard stacks could contain trojan horses. The very first Mac virus was in fact a HyperCard stack.
Things moved on, and some started appearing as AppleScript applets or scripts. Nothing very serious, though, as AppleScript does a fairly good job at blocking potentially dangerous situations (eg, the Finder won't delete items when asked to, but simply move them to the trash).
Out of the box, Mac OS X is pretty safe, according to nmap, which gives it a "worthy challenge" rating.
Where things can get interesting, though, is when the user starts services without truly understanding what they are, like ftp and telnet. Most end-users have stupid passwords to begin with (a friend of mine's bank card code used to be "12345"...you get the idea).
Still, with a Unix underpinning or not, the most vulnerable spot for user's machines (on Mac anyway) is launching an application which may be a trojan. Most other means of delivery (CD-ROM autoplay in QuickTime and desktop DB viruses) are now obsolete because the system no longer uses them.
We're still vulnerable to WDEF (Window Definition code resource) and CDEF (Control Definition code resources), but that's more or less inevitable. It's also not as bad as it used to be, since at least, the machine and the OS are protected. It's just the user's directory and files which may be at risk. It's easier to recover this way.
Karma karma karma karma karmeleon: it comes and goes, it comes and goes.
Root login may be disabled, but that doesn't mean much. Getting root on a box involves subverting a process running under UID 0 into doing your bidding, often through buffer overflows, much more often than getting the root password on the box. Once you've gotten your own code to run under UID 0 you can install all kinds of backdoors without ever bothering to find out the root password.
No well administered UN*X box has had non-shadowed passwords for years anyway, and exploits don't commonly concentrate on getting the passwd file these days - that's sooo 20th century :)
--
Niklas Nordebo | niklas at nordebo.com
There is a good thread on this topic at http://www.macintouch.com/websecurity.html
http://windows.scares.us
Will there be a deluge of cracking and virus-writing directed at Mac OS X? I'd suspect not. MacOS on the desktop accounts for less than 5% of what's out there, and on the server, it's far less than that. OS X will probably up their internet-connected server population a bit, but I wouldn't hold my breath waiting for Apple's overall market share to reach 7% any time soon.
Virus authors overwhelmingly target big targets, namely Windows. WordPerfect and Lotus Notes get hit by far fewer viruses than Word and Outlook. This isn't because they're better-written applications with good security features. It's because few people care about hitting the minority.
Until Apple's comeback a couple of years ago, there was so little interest in writing Mac trojans and viruses that months would go by without even the smallest update to Mac virus pattern files. Even now, it's an almost negligible trickle. The biggest problem lately hasn't been caused by an uptick in people targeting Macs; rather it's that MS Office 2001 for the Mac is so compatible with Windows Office that an increasing number of macro viruses now suddenly work cross-platform. This will become more pronounced in a few more months when the first new version of Mac Outlook in 4 years ships. Even so, I've seen an installation of 40 Macs go over a year without so much as detecting a Mac virus, much less getting hit by one.
Hacks/cracks/exploits/whatever are another story. Since Macs in server roles will now be running Apache, sendmail, BIND and Unix-world FTP daemons, we should expect some Mac servers to be just as vulnerable to security holes that emerge in these services as their *BSD, Linux, Solaris and AIX cousins. Apple's auto-update functionality, similar to auto-updaters for Debian or things like AutoRPM and the Ximian updater should protect most, however, as long as Apple keeps its binaries up to date.
But targeting Mac OS X specifically? Who's going to bother?
Um, if I'm not mistaken, Linux and nearly every other unix based OS has single user mode as well. For most people, this is a GOOD option. The number of people who might lock themselves out of their machine is greater than the number of people who are likely to be hacked by someone with physical access to the machine. I'm sure those who see single user mode as a threat will find a way to turn it off.
Know what I like about atheists? I've yet to meet one that believes God is on their side.
The article was pretty uninformed but some of the points were valid. You CAN definitely (mis-) configure your OS X box to be as open as a two-dollar whore.
The point is that it doesn't ship that way and you don't know that unless you buy one and install it yourself. I am not sure that author had.
Without root, ssh, anonymous FTP, sendmail or the Developers toolkit (no compiler,) the box is as safe as you can get without pulling the plug.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Isn't OSX based on *BSD and isn't *BSD supposed to be more secure out of the box? If cracks are found quickly, will that serve as a wakeup call to all admins of "out-of-the-box" Distros, be it RedHat, Mandrake, SuSE, Debian, BeOS, QNX, *BSD, WinNT, Win9x, etc.? Maybe managers and hiring personnel will finally realize that all admins are not created equal.
I Don't Work Here
"a warning about a flaw in the Free BSD software kernel that was used to develop the operating system. ..". The FreeBSD kernel was not used for OSX, only the userworld. OSX uses a Mach kernel.
-- unix is for people without a social life - Patrick van Eijk
Face it Hemos, cracker is a *stupid* word and therefore not likely to be adopted. And no, I don't see any problem with a double meaning for hacker.
After all, when a newspaper runs a headline "police seize drugs" you don't see drug store owners writing angry letters to the editor explaining that this sort of thing gives them a bad name and that the journalist should have used "substances of an illicit nature".
People are perfectly capable of determining the meaning of the word "drugs" from the context, and there's no reason why they can't do the same with "hacking". So stop moaning, please!
Just FYI, OS X does not support AppleTalk (networking protocol) for anything but printing. It does not support LocalTalk (network topology) at all.
File Sharing and other network services are all based on TCP/IP.
Well, you have to know the name of an administrator's account or its UID to do anything with it. UID 0, or root, is well known on most systems. However, the administrator of a random Mac OS X machine on the internet could be anything, and there's no easy way to find it without already being on the system.
Without going through NetInfo services or using a root account, you can't mess with a lot of things on the system. It's a good idea. Many security tips I've read suggest replacing the root account on your system with another superuser account. You should then delete the root account or set it up as a tripwire for people breaking into your system.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Pure FUD. /etc/passwd is ignored if NetInfo is running, which is pretty much always. I just checked two Macs, one running the retail OS X and one running the public beta, and neither has any passwords in /etc/passwd. Finally, in the retail OS X the root account is disabled by default; you have to either enable it or use sudo to become root.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
1. root access in Mac OS X is disabled by default. You can use sudo if you're an Administrator but that means knowing somebody's account/password, which is tougher, though certainly not impossible, to get if you have services turned off by default (which they are).
/etc/passwd is only accessed if the machine is booted into single-user mode (or if you futz with lookupd), and IIRC the password is shadowed in the release version of OS X.
2. There is an article up today on StepWise that describes how to update sudo to fix a potential buffer overflow (basically, you're just replacing the Apple-installed one with the current patched code).
3. EVERY copy of Mac OS X IMHO should come with a copy of BrickHouse, a kick-ass GUI for configuring the built-in firewalling capability in OS X. It's certainly more attractive to most Mac users than using ipf.
4.
5. Not trying to be combative, just pointing out some issues that slashdot readers might not be aware of if they haven't played much with OS X. Yes, we need to be more concerned over security than we were with OS 9, but to me, the benefits of the system -- like being able to fix/update it yourself instead of waiting for Apple to release patches -- far outweigh the increased need for vigilance.
--
I use Macs for work, Linux for education, and Windows for cardplaying.
Apple pushes their products' ease of use, but good security practices on a *NIX OS are not easy sometimes. Well, they might be if you're a *NIX guru, but they certainly won't be if you're the average Apple user. I wonder how Apple is going to address these (potential, if not real at the moment) security issues with their customers and not scare them away from OSX. That would be unfortunate because OSX really is a nice piece of work, but, I feel, having the ease of use of a classic Mac and the power of UNIX are two goals that run counter to each other. Maybe Apple will make an effort to educate its customers...
Chris
I'm not saying that consumer mentality is wrong, per se. Not everyone has the time or the inclination to learn all this stuff. However, the way the current network is built is not compatible with that mentality. There are things ISPs could do to make the network more tolerant of their users' mistakes but I don't see any ISPs taking those steps. Part of the problem on that front is that hiring people who are able to set that up would seriously affect the profit line and the margins are already razor thin in that industry.
Even if the ISPs did their part, there's still the issue of fraud on the net. People have this disturbing tendency to believe what you tell them (Do you believe that?) even if you're a complete stranger. Fraud on the net pays because it's easy to perpetrate, hard to catch and rarely punished severely enough to make it unprofitable. A healthy dose of skepticism would benefit most Americans, on and off the net.
The problems here are not limited to the Mac world.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Just because the media has decided to pervert a term that's been around since at least the fifties to their own use does not make it right. In fact most real publications with clued in writers will make the distinction. Also it's not Slashdot vs. the World. It's real hackers and people who are aware of the subculture vs joe sixpack.
I'm the big fish in the big pond bitch.
There was a long span of time between HyperCard and AppleScript.
During that time, the Mac world was afflicted with about (under) 40 different viruses. A free program Disinfectant was developed by Northwestern University.
Disinfectant was wonderful. It solved all four problems: (1) Detection [after infection] (2) Repair [after infection] (3) Prevention [hook system traps, alert when virus tries to insert itself] (4) Education [its detailed documentation was absolutely first rate]
And it was freeware. You could expect an updated Disinfectant to appear online within 24-48 hours after an entirely new Mac virus was discovered. (And this is all prior to the WWW, and even Gopher. Back in the days when Mac users used dial up CompuServe/AOL, and AOL was a Mac-Only service.)
As a result of Disinfectant, after about 30-some-odd viruses were developed for Mac, no more appeared. It just wasn't any fun. Limited market share platform, and your virus can't spread very far with Disinfectant around and widely installed.
There were Word Macro viruses -- but these were cross-platform, not unique to Mac. An AppleScript virus, but wasn't this years later? Didn't AppleScript not appear until about 1992 ish -- years after the original Mac virus wars?
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
you don't see drug store owners writing angry letters to the editor explaining that this sort of thing gives them a bad name and that the journalist should have used "substances of an illicit nature".
If journalists call such substances "illegal drugs," why can't they call cracking "illegal hacking"?
Will I retire or break 10K?
So quick you didn't bother to read any of them? The most recent is over 6 months old and has been fixed for some time. Most of them are also LOCAL exploits and as anyone who knows anything about security will tell you, If you have physical access to the box it CAN be cracked. Also a grand total of 9 since 1998 doesn't look too bad to me.
Here's another BIG problem in your logic. The Classic environment in OSX requires 9.1 which already has patches for what has been patched (or is patchable)
MSRP - Tax, Title & Licence Extra Your Milage May Vary
Security fixes are easier for os X.
Mac users have the Software Update tool, which can be run manually, or automatically scheduled to run.
Unlike the windows update, there's no website involved, and it hits up apple's servers and mirrors. (Maybe this is more like the ximian updater or mandrake update tools.)
As long as Apple's software update server isn't cracked, the Mac user has a brainless way to automate software updates which can include security fixes.
Many Mac users are quick to jump and get the latest update, so propagating security fixes isn't a problem. The only problem is the unclear channel for reporting them.
A host is a host from coast to coast, but no one uses a host that's close
Sounds like a business plan to me.
Check out the Vinny the Vampire comic strip
"It is a greater offense to steal men's labor, than their clothes"
Good thing is that OSX is still compatible with OS 9 so all the old exploits still work.
Best thing is that with good multithreading the user will never notice that the box is hacked. Even if it is slow that will be nothing new to the user.
Evidence indicates the same is true of Red Hat Linux and Windows 2000 users, as well. But why should this matter?
After all, most people aren't going to be using the server features of OSX any more than they do the server features of Windows 95. Those who do will probably have a wealth of firewall and security programs at their disposal soon enough (Symantec already has 'em for Mac OS 9).
Most crackers still won't bother with OS X, though, for the simple reason that it's such a small target. A few will attack it because they can, but most will stick to Red Hat and Windows because they're more common and more likely to provide useful data.
It does come with Apache, telnetd and sshd all disabled. Probably the biggest risk for these is that they can be enabled with the click of a button, so the average user might not think of it as a big deal. Another security issue is that the root account is disabled by default. This is harder to enable though, so I would suspect that most users wouldn't know how to enable it and if they do, they probably are thinking about security.
"Let your heart soar as high as it will. Refuse to be average." - A. W. Tozer
This is a little like asking if a brand new model of car is likely to be stolen.
Of course it will.
Why?
Why do mountain climbers insist on climbing the highest mountains? Simply because they're there.
It will be cracked at some point because it's a new target. Apple will then (hopefully) do the little dance that all OS makers do... patch it up and make it better.
If the crack exploits some flaw in Darwin, at least we can go look through the code to figure it out... a much greater luxury than what is allowed by most other OS manufacturers.
--
All opinions presented here aren't mine.
This isn't any different than just about every other system. If I can physically get at it, I can break into it.
If all else fails, I'll just take the damn thing with me.
--
All opinions presented here aren't mine.
It boots you into single user mode where root privileges are yours for the taking.
I suspect that this was implemented by Apple (tech support) as an emergency way to get into the system. But in the process it sure does make it a lot less secure.
Blue skies... Barthie burgers... girls.
Before anyone else posts a FUD message about OS X, please go to: Apple's Web Site
You might learn something. Unless, of course, you're afraid to learn new things.
There's something to be said for running a 20 year old unix with thousands of patches and fixes.
I'd hope most of the things learned in those 20 years went into the development of MacOS X, but we shall soon see.
--
--Got Lists? | Top 95 Star Wars Line
Let's face it .. anything that is connected to the net is a potential target .. if only for DOS attacks.
.. "0wn3d by t045tM45t3r" whitegoods.attrition.org =) ?
In a year or so people will find their toaster cracked and toasts defaced by crackers
--
Jon - TheSpork
Will crackers start to go after these machines too?
An OS that a substantial percent of the population will be using and that ISPs will want to support! Of course these machines will be a target.
-... ---
As with any OS, it'll often be the apps that run on the machine that get cracked, not always just the OS itself. Now that apache, mysql, etc. run on OSX, the same vulnerabilities exist as for any other *nix running the same services. And let's not even get into the intelligence of who will be adminning the machine... almost all NT cracks are from extremely poor setups of the OS, ACLs, and services... OSX can suffer from bad adminning just like anything else.
That the majority of the Mac world is clueless about security can also be extended to the majority of the Windows, Linux and any other operating systems world.
Chris Kuivenhoven is a thief, beware
Whether MacOS X users choose to take advantage of the vast library of server code that they now, finally, have access to is for them to decide. If they don't, their machines will remain pretty much as secure as with earlier versions of MacOS.
Of course, given the strong support for Java that MacOS X supposedly has and the widespread availability of Java-based servers (web, ftp, smb, etc.), they may also choose to go with mostly Java-based services. Those aren't necessarily perfect either, but they avoid known UNIX bugs and they are intrinsically more robust against common problems like buffer overruns.
Altogether, I would expect the MacOS X security situation to be pretty good. What the article mostly shows is that there isn't much technical understanding at BusinessWeek. Reasoning that goes like "MacOS X is UNIX-like, therefore MacOS X will be susceptible to UNIX-like security problems" is simply not very informed.
I see a few possible reactions to this from the big Fruit. A: Release a firmware update that doesn't allow the system to run with altered files. So as soon as you actually install anything it stops running. B: Releases new 'Granny Smith' kernel that leads to loss of memory and performance.
TODO: Something witty here...
If you look at it the right way Apple is at least headed in the right direction. In the days of voice activation and gesture driven computing they are going back to the basics. They are offering an OS with a little freedom for someone who wants to play. Try doing anything on earlier macOS versions and you will see that any form of *nix is better than what they had. IMHO this should be looked at as a chance for macOS to move ahead, however "crackable" it may seem. They will learn and develop as they go. I like to see them headed in the direction to offer users more control via the OS.
DocWatson
MessEdUp
#/var/www/v
I don't know for sure, but I doubt that OSX is shipping with Apache, Sendmail, etc, etc, installed and running by default, unlike some other operating systems I could mention. As far as vulnerabilities in the OS itself, there are generally fewer of those. As long as the default setup is reasonably sane, I can't see this ushering in a new era of l33t M4x0r h4x0rz.
People managing Mac OS Servers would be used to not giving security a second thought.
This is because no one would bother trying to break into Macs. I mean why? So you gain access to 1% of the web servers in the world.
Hmm "Security by rarity?"
Of course the problem with Mac OS X is anything that cracks UNIX would probably work against Mac OS X.