Slashdot Mirror
Cracking OSX
A reader writes: "BusinessWeek is running an article about the new potential target for cracking - all those shiny new Mac OSXs, with their nice new Unix underbodies. Will crackers start to go after these machines too?" Well, to a certain extent, of course, yes. Anything that's easy - but will new tools be developed for these box? My only caveat is the use of the hack rather then crack - but that's a semantics thing.
There is an update checker which pops up to notify you of new patches from Apple when they are released, and you just click a button to install them. (I wonder what sort of authentication this has?) So when a major hole comes up it will be pretty easy to get a fix for it -- much easier than windows update on my NT box. I thought the article was a little harsh considering some of the major security flaws in products from Microsoft in the last few years.
A year ago I wrote what I still believe is the only widely-available documentation for buffer overflows on Mac OS X. I didn't think anyone cared, but after an Apple employee compared me to a locksmith helping thieves, I've been disseminating it widely, thus:
http://belgo.org/propeller/
-Chris
Thank you.
It's gets damned annoying hearing people constantly whine about how people use the word hacker when they really mean cracker. Languages evolve and change. You can't put up a resistance. Make up a new freaking word for coders if this bothers you so much. Because after the media's tainted the word "hacker", there's no going back.
I've done a quick survey of posted messasges, and I see quite a lot of FUD. I'm not a security expert by *any* stretch of the imagination, but I do read carefully what I can understand about security.
u se.html) that will help.
That said, let me outline what I believe are some salient points:
1) its' possible to install OSX *without* the BSD subsystem - no subsystem == no way to hack by command line.
2) Mac OS X has a firewall compiled in the kernel. While the firewall configuration hasn't been set (and realistically, how can Apple define the rules for everybody when they don't know how the machine is to be used?), you can use ipfw to configure, or there are GUI apps like BrickHouse (http://personalpages.tds.net/~brian_hill/brickho
3) Mac OS X ships with the root account *disabled* by default. That's right. If you have to do superuser-related actions, you have to log in as a user with administrator priviledges, and type in "sudo " at the terminal to do root-like things. This is only an extra step to 0wn the machine, true, but *everybody* knows the root's user name - not everybody knows which user also has admin priviledges. This ain't a magic bullet, but it makes things that much harder for the cracker without making it harder for the legit user as well.
4) when I did a portscan of my own system using the built in tools, there were only 2 ports open, both of which are in the 700's somewhere - I don't know what they're for, but all the typically 'hackable' ports, like telnet, aren't open. No ports == harder to access.
So what's left? One poster mentioned that hacks would be done through either exploiting bugs in apps like IE5, or by getting people to use trojan-horse style apps that open up access to the box without the user's knowledge.
This, I think, is where the real threat to typical Mac OS X users is. As a Mac user first, and a newbie Unix user, I would like to ask this community to help Mac users gain a better understanding of security and trust.
If I messed up on any details, please correct, not flame!
Your Mac has been hacked! (OK)
Hmmm.. prefer that sound over Sosumi..
--
Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
In a sense, yes, but generally, not all that different.
it used to be that simple HyperCard stacks could contain trojan horses. The very first Mac virus was in fact a HyperCard stack.
Things moved on, and some started appearing as AppleScript applets or scripts. Nothing very serious, though, as AppleScript does a fairly good job at blocking potentially dangerous situations (eg, the Finder wont delete items when asked to, but simply move them to the trash).
Out of the box, Mac OS X is pretty safe, according nmap, which gives it a "worthy chalenge" rating.
Where things can get interesting, though, is when the user starts services without truly understanding what they are, like ftp and telnet. Most end-users have stupid passwords to begin with ( a friend of mine's bank card code used to be "12345"...you get the idea).
Still, with a Unix underpinning or not, the most vulnerable spot for user's machines (on Mac anyway) is launching an application which may be a trojan. Most other means of delivery (CD-ROM autoplay in QuickTime and desktop DB viruses) are now obsolete because the system no longer uses them.
We're still vulnerable to WDEF (Window Definition code resource) and CDEF (Control Definition code resources), but that's more or less ineviable. It's also not as bad as it used to be, since at least, the machine and the OS is protected. It's just the user's directory and files which may be at risk. It's easier to recover this way.
Karma karma karma karma karmeleon: it comes and goes, it comes and goes.
There is a good thread on this topic at http://www.macintouch.com/websecurity.html
http://windows.scares.us
Um, if i'm not mistaken, Linux and nearly every other unix based OS has single user mode as well. For most people, this is a GOOD option. The number of people who might lock themselves out of their machine is greater than the number of people who are likely to be hacked by someone with physical access to the machine. I'm sure those who see single user mode as a threat will find a way to turn it off.
Know what I like about atheists? I've yet to meet one that believes God is on their side.
Face it Hemos, cracker is a *stupid* word and therefore not likely to be adopted. And no, I don't see any problem with a double meaning for hacker.
After all, when a newspaper runs a headline "police seize drugs" you don't see drug store owners writing angry letters to the editor explaining that this sort of thing gives them a bad name and that the journalist should have used "substances of an illicit nature".
People are perfectly capable of determining the meaning of the word "drugs" from the context, and there's no reason why they can't do the same with "hacking". So stop moaning, please!
Pure FUD. /etc/passwd is ignored if NetInfo is running, which is pretty much always. I just checked two Macs, one running the retail OS X and one running the public beta, and neither has any passwords in /etc/passwd. Finally, in the retail OS X the root account is disabled by default; you have to either enable it or use sudo to become root.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
1. root access in Mac OS X is disabled by default. You can use sudo if you're an Administrator but that means knowing somebody's account/password, which is tougher, though certainly not impossible, to get if you have services turned off by default (which they are).
/etc/passwd is only accessed if the machine is booted into single-user mode (or if you futz with lookupd), and IIRC the password is shadowed in the release version of OS X.
2. There is an article up today on StepWise that describes how to update sudo to fix a potential buffer overflow (basically, you're just replacing the Apple-installed one with the current patched code).
3. EVERY copy of Mac OS X IMHO should come with a copy of BrickHouse, a kick-ass GUI for configuring the built-in firewalling capability in OS X. It's certainly more attractive to most Mac users than using ipf.
4.
5. Not trying to be combative, just pointing out some issues that slashdot readers might not be aware of if they haven't played much with OS X. Yes, we need to be more concerned over security than we were with OS 9, but to me, the benefits of the system -- like being able to fix/update it yourself instead of waiting for Apple to release patches -- far outweigh the increased need for vigilance.
--
I use Macs for work, Linux for education, and Windows for cardplaying.
I'm not saying that consumer mentality is wrong, per se. Not everyone has the time or the inclination to learn all this stuff. However, the way the current network is built is not compatable with that mentality. There are things ISPs could do to make the network more tolerant of their users' mistakes but I don't see any ISPs taking those steps. Part of the problem on that front is that hiring people who are able to set that up would seriously affect the profit line and the margins are already razor thin in that industry.
Even if the ISPs did their part, there's still the issue of fraud on the net. People have this distrubing tendency to believe what you tell them (Do you believe that?) even if you're a complete stranger. Fraud on the net pays because it's easy to perpetrate, hard to catch and rarely punished severely enough to make it unprofitable. A healthy dose of skepticism would benefit most Americans, on and off the net.
The problems here are not limited to the Mac world.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
So quick you didn't bother to read any of them? The most recent is over 6 months old and has been fixed for some time. Most of them are also LOCAL exploits and as anyone who knows anything about security will tell you, If you have physical access to the box it CAN be cracked. Also a grand total of 9 since 1998 doesn't look too bad to me.
Here's another BIG problem in your logic. The Classic environment in OSX reqires 9.1 whaich already has patches for what has been patched (or is patchable)
MSRP - Tax, Title & Licence Extra Your Milage May Vary
Security fixes are easier for os X.
Mac users have the Software Update tool, which can be run manually, or automatically scheduled to run.
Unlike the windows update, there's no website involved, and it hits up apple's servers and mirrors. (Maybe this is more like the ximian updater or mandrake update tools.)
As long as Apple's software update server isn't cracked, the Mac user has a brainless way to automate software updates which can include security fixes.
Many Mac users are quick to jump and get the latest update, so propagating security fixes isn't a problem. The only problem is the unclear channel for reporting them.
A host is a host from coast to coast, but no one uses a host that's close
Evidence indicates the same is true of Red Hat Linux and Windows 2000 users, as well. But why should this matter?
After all, most people aren't going to be using the server features of OSX any more than they do the server features of Windows 95. Those who do will probably have a wealth of firewall and security programs at their disposal soon enough (Symantec already has 'em for Mac OS 9).
Most crackers still won't bother with OS X, though, for the simple reason that it's such a small target. A few will attack it because they can, but most will stick to Red Hat and Windows because they're more common and more likely to provide useful data.
It does come with Apache, telnetd and sshd all disabled. Probably the biggest risk for these is that they can be enabled with the click of a button, so the average user might not think of it as a big deal. Another security issue is that the root account is disabled by default. This is harder to enable though, so I would suspect that most users wouldn't know how to enable it and if they do, they probably are thinking about security.
"Let your heart soar as high as it will. Refuse to be average." - A. W. Tozer
This is a little like asking if a brand new model of car is likely to be stolen.
Of course it will.
Why?
Why do mountain climbers insist on climbing the highest mountains? Simply because they're there.
It will be cracked at some point because it's a new target. Apple will then (hopefully) do the little dance that all OS makers do... patch it up and make it better.
If the crack exploits some flaw in Darwin, at least we can go look through the code to figure it out... a much greater luxury than what is allowed by most other OS manufacturers.
--
All opinions presented here aren't mine.
This isn't any different than just about every other system. If I can physically get at it, I can break into it.
If all else fails, I'll just take the damn thing with me.
--
All opinions presented here aren't mine.
Before anyone else posts a FUD message about OS X, please go to: Apple's Web Site
You might learn something. Unless, of course, you're afraid to learn new things.
Let's face it .. anything that is connected to the net is a potential target .. if only for DOS attacks.
.. "0wn3d by t045tM45t3r" whitegoods.attrition.org =) ?
In a year or so people will find their toaster cracked and toasts defaced by crackers
--
Jon - TheSpork
As with any OS, it'll often be the apps that run on the machine that get cracked, not always just the OS itself. Now that apache, mysql, etc. run on OSX, the same vulnerabilities exist as for any other *nix running the same services. And lets not even get into the intelligence of who will be adminning the machine... almost all NT cracks are from extremely poor setups of the OS, ACLs, and services... OSX can suffer from bad adminning just like anything else.
That the majority of the Mac world is clueless about security can also be extended to the majority of the Windows, Linux and any other operating systems world.
Chris Kuivenhoven is a thief, beware
You know, a lot of this thread really exposes a lot of the ignorance about Mac OS X. Have many of you who post comments actually bothered to install and play with this?
Whether MacOS X users choose to take advantage of the vast library of server code that they now, finally, have access to is for them to decide. If they don't, their machines will remain pretty much as secure as with earlier versions of MacOS.
Of course, given the strong support for Java that MacOS X supposedly has and the widespread availability of Java-based servers (web, ftp, smb, etc.), they may also choose to go with mostly Java-based services. Those aren't necessarily perfect either, but they avoid known UNIX bugs and they are intrinsically more robust against common problems like buffer overruns.
Altogether, I would expect the MacOS X security situation to be pretty good. What the article mostly shows is that there isn't much technical understanding at BusinessWeek. Reasoning that goes like "MacOS X is UNIX-like, therefore MacOS X will be susceptible to UNIX-like security problems" is simply not very informed.
You are thinking of one specific fork of BSD (OpenBSD), where it's maintainers place a great emphasis on no out-of-the-box security flaws. No OS is more secure than the person setting up and maintaining makes it.
I'm not sure why cracks found in MacOS 10 will serve as a wakeup call to people using or administering any other Operating System.
If you look at it the right way Apple is at least headed in the right direction. In the days of voice activation and gesture diven computing they are going back to the basics. They are offering an OS with a little freedom for someone who wants to play. Try doing anything on earlier macOS versions and you will see that any form of *nix is better than what they had. IMHO this should be looked at as a chance for macOS to move ahead, however "crackable" it may seem. They will learn and develop as they go. I like to see them headed in the direction to offer users more control via the OS.
DocWatson
MessEdUp
#/var/www/v
I don't know for sure, but I doubt that OSX is shipping with Apache, Sendmail, etc, etc, installed and running by default, unlike some other operating systems I could mention. As far as vulnerabilites in the OS itself, there are generally fewer of those. As long as the default setup is reasonably sane, I can't see this ushering in a new era of l33t M4x0r h4x0rz.