FBI Agent Talks Crime, Macs
hype7 writes "There's an article at SecurityFocus describing a visit by an FBI agent to Washington University. His visit was ostensibly about computer security and the general public's complete lack of any idea on computer security whatsoever: 'I have spent a considerable amount in the computer underground and have seen many ways in which clever individuals trick unsuspecting users. I don't think most people have a clue just how bad things are.' His talk ranged from some of the pranks he's seen played on unsuspecting users, to Eastern European extortion of big banks." WeakGeek added, "FBI security guys are using Macs because, 'those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box.' Another good quote: 'If you're a bad guy and you want to frustrate law enforcement, use a Mac.'"
"If you're a bad guy and you want to frustrate law enforcement, use a Mac."
Hmm. Not *precisely* the kind of publicity the Mac folks were probably looking for, but with their marketshare almost any publicity is good publicity. I just think it's cool that all the FBI Infosec guys are on OS X. Makes me feel good about my migration to the platform as well (as soon as Apple posts the much-awaited G5 price adjustment).
I don't quite understand how people are good at mining data off of *nix but not off of a Mac though -- that part didn't make too much sense. I find it hard to believe that the people they were referring to were on OS9, and if they were on OSX then the boxes basically *are* *nix machines...
dmiessler.com -- grep understanding knowledge
I am not really surprised that the FBI security guys use OS X boxes. Years ago I remember another government agency with a three letter acronym that used NeXT boxes, it seemed, almost exclusively, from the situation rooms right down to the secretaries (at least in Langley).
Visit Jonesblog and say hello.
It's always been my experience that the guys are hot on Windows, pretty good on *nix, but very very few know anything about Macs -- my guess because of their law enforcement background, where they used and were trained on PCs.
A predominant amount of their work seems to be recreating or capturing MS Outlook mailboxes (looking for the smoking guns). They aren't as cluey on Eudora (presumably because most corporate enterprises don't use it).
Small market share means that the majority of people focus on the system(s) that form the majority of OS/apps used -- a trait which appears to extend to law enforcement and makers of forensic programs. But the really good professionals are always interested in asking "so just how does this work on a mac" and discussing the similarities/differences...
Brainwashing... heh heh heh. Um, don't you have a Windows security patch to go download? Or possibly a trip to Symantec's web site to grab a copy of the MyDoom virus removal tool?
Music - www.richardmac.com
But how many of the holes weren't for services that come disabled by default? How many Mail.app exploits? How many required physical access to the computer to exploit?
One of the nice things about the Mac is that most of the services are shipped off by default - like SSHD. So even if a hole is discovered in a service, not EVERYONE is going to be vulnerable by default without taking specific action.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
... to that PC World bonehead who wrote an article about OS X being "just as insecure as Windows" because somebody discovered a remote exploit (where "remote" meant "on the same lan as your machine").
I don't recall his name, but I remember the sensationalist tone of his article, the minimal facts, and the gloating that Windows was no longer alone in being vulnerable. It's probably asking a bit much for him to read the article without his "I Love Windows Blindly" hat on, but maybe he (and others whose love of bashing the Mac seems to exceed anyone else's love of anything, including the so-called "Mac zealots") might begin to accept reality.
I'm a senior admin with a big company, specializing in Windows based systems. My day to day PC is a 15" Powerbook. I can use the Microsoft RDP client to log into any of the Win servers, SSH to log into the Unix stuff and can pretty much do my job with no hiccups or workarounds. The only exception is that Entourage has weak MS Exchange support, so I'm typically using webmail. With Fink installed I have basic tools like nmap and ethereal at my disposal. My only real gripe is that Apple and Broadcom don't open up access to the network hardware. Being able to put my NICs into promiscuous mode would be a big help. There's a workaround - I could get an Orinoco or Aironet PCMCIA card, but I'd prefer to use the integrated hardware.
As far as Linux distros go, Yellow Dog Linux runs very nicely on most older Macs, but as of yet there is no support for the Radeon 9600 in my book. Text is fine for most stuff but I'd love to run KDE or Gnome in Yellow Dog.
Anyway, I think Apple's got a real opportunity. The Virginia Tech cluster shows their potential and this article is good PR, despite the "frustrate law enforcement" comment. Seeing a room full of Powerbooks at NASA was pretty cool, too.
But you forget that when a file comes in as executable, every other OS recognises it as such, and in fact most mailers on other operating systems do NOT automatically execute code. In fact some CANNOT.
I have heard it said by MS lackeys that removing the ability for Outlook to execute a file when it's received is crippling the app. In an age when viruses worms and trojans are all too common, this is the equivalent of people all around the country receiving letterbombs in their mail weekly, and not putting in place some simple provision that would allow them to check if the letter was something they wanted, or a dangerous bomb, just because you want the convenience of opening a parcel willy nilly.
MOST EXECUTABLES SENT IN EMAIL ARE VIRUSES. That's just a fact. This week 40% of email traffic was a virus! Hundreds of millions of copies of MyDoom spread around. The simple fix is DON'T EXECUTE MAILED FILES!
Another MS problem is the backwards compatibility crap that MS leave in mailers. Did you know fonts are STILL exempt from security zones in mailers and browsers on Windows? Did you know Windows supports executable fonts as a legacy from Win 3.0? Several keylogger trojans have snuck into people's Windows machines by this method alone. The only conclusion is MS don't know what they're doing, by allowing a type of executable (executable fonts) exclusion from security.
Tsk MS, before you start talking security, switch your collective brain on.
I live in Canada. I'm surprised that the Mounties are any good at forensics for a simple reason: I would've liked to work for them, yet the only way of ever working in the IT field is to be a cop for like 10 years and hope you get a promotion. Yeah right, I'll waste 10 years of my life being a freaking highway cop. So most of them there were never that interested in IT in the beginning.
Back when I was a youngster and I did things that were in a legal "gray area", I almost always used a Mac. FWB's Hard Disk Toolkit included transparent HD encryption.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
Powerbooks start at $1599. iBooks start at $1099. Go to the Apple Store before you run your mouth off again.
Damn thing took 13 Critical Updates/Service Packs before it was done. (WinXP) Then she proceeded to check her email, which she had not checked for 4 days because she was on the road. Her email inbox had 126 copies of MyDoom.A in it.
She had only had the computer for less than 3 hours since purchase, not even finished setting the fucking thing up, and she had to update the OS 13 times and had 126 viruses in her email. And this without any doing on her part.
That's pretty fucking sad. I'm glad I got my G5. Everything's a bit more relaxed. :)
Hmm. Not *precisely* the kind of publicity the Mac folks were probably looking for, but with their marketshare almost any publicity is good publicity.
Years ago, British Leyland ran a full page ad in the Times, apologizing for the efficiency of the Land Rover, and how it was supposedly enabling poachers in Africa to stay one step ahead of the law. Rovers still rule, and Macs will continue as well.
Just remember, the best way to live outside the law is to stay within it.
First, I read this article when it came out and was noted on macintouch. It is obvious that the author has respect for the FBI agent. And if you read articles posted on securityfocus, this is not always the case when it comes to people in the government.
Macs are shipped with a relatively high level of security in that things (servers/daemons) are turned off by default.
The most significant security hole in OS X (IMHO) for a non-server perspective was the DHCP hijacking. This was a local subnet potential exploit that one should take very seriously, but not one to affect most people.
It is very likely that the FBI agent computers that run MacOS X are used for things like e-mail, web browsing, generating documents (Word and Acrobat), PowerPoint presentations, and other normal business applications. There is also the probability that they are used to run more specialized Windows and Unix based applications.
Duh, the agent said that MacOS X was used because they can run these types of programs. One computer, many applications. Side-note: I use OS X because I have to use MS Office, Acrobat, Illustrator, X11, Motif, OpenGL, write programs in C/C++ using X11, OpenGL, and X11, perl, Tkl, as well as others. I want one computer to use, not two or three.
Going back to security, the last significant Mac based problem was the Autostart worm that went around some years ago. This flaw was due to QuickTime automatically starting an application when a CD was inserted in one's computer. This is no longer a problem, AFAIK.
I work in a heterogeneous computer environment. Windows (95 to XP), UNIX (IRIX, Solaris, HP-UX), Mac (OS 9 to X), and VMS (sob). Except for VMS, the Mac OS based systems are the easiest to maintain with regard to network security.
Finally, the FBI needs to get more experience with HFS+ file systems. If they lack the requisite experience and knowledge, then that says to me that the FBI agents using OS X are using their systems to do more mundane things like generating documents, reading e-mail, etc... Then again, this might be a lesson that others should consider.
Well, to actually implement a semi-global keylogger in OS X is trivial. You simply put an appropriate .bundle in ~/Library/InputManagers . No root required. Every subsequent program opened will (attempt) to link and run this code. Since .bundles can be versioned, you can even make a platform-specific version.
:)
But then, it's not hard on Windows either.
The trick is in somehow getting the user to install it (usually by running a helper program). In this, OS X mail clients are extremely uncooperative. Pretty much every mail client (including Mail.app) is very clear about what you are getting (and doesn't hide extensions, that's a big one!). Further, when you try and take an attachment it gives you a clear warning of what you are about to do, and makes the default action to save.
So, you don't need root to do it, but fooling your users (especially without some kind of macro in the mail) is much harder on the mac side, because the users get more prompting on the proper response to untrusted email attachments.
It's amazing how far a dialog box will go, eh?
Slashdot. It's Not For Common Sense
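The two posts above argue the same point from opposite sides: mail clients should not run attached executables, and should not let a hidden extension disguise one. Here is an added example (not code from any poster) of how a mail gateway or client could flag such attachments, using Python's standard `email` package over a constructed sample message; the extension list and the fake PE payload are illustrative assumptions.

```python
"""Flag executable e-mail attachments, including ones hiding behind a double
extension.  Added example for this thread (not code from the original posts);
the sample message below is constructed for the demonstration."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click. With "hide extensions" on, the user
# sees only "invoice.pdf" for "invoice.pdf.exe". Illustrative, not exhaustive.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js"}

# First two bytes of a PE (Windows) executable image.
PE_MAGIC = b"MZ"


def classify_attachment(filename, payload):
    """Return the reasons an attachment looks executable (empty list = clean)."""
    reasons = []
    exts = filename.lower().split(".")[1:]  # every extension after the base name
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + exts[-1])
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("double extension hides real type (" + ".".join(exts[:-1]) + ")")
    if payload.startswith(PE_MAGIC):
        reasons.append("PE executable magic bytes regardless of name")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw message and map each flagged attachment name to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = classify_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample():
    """Constructed message: one benign text attachment, one disguised executable."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Your document"
    msg.set_content("See attached.")
    msg.add_attachment("just notes\n", filename="notes.txt")
    # Declared as a PDF and named to look like one when extensions are hidden,
    # but the bytes start with a (fake, constructed) PE header.
    msg.add_attachment(b"MZ\x90\x00fake-executable", maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample()).items():
        print(name, "->", "; ".join(why))
```

The magic-byte check is what catches a renamed executable that a bare extension filter would miss, which is the case a "save, don't run" default is meant to protect against.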
Same experience here, when the company I worked for got raided by the FBI they asked me to join a couple of times. I have found out I would work as a generic investigator for a few years - not in my field - then with some luck within 3-5yrs after joining I could be back in my field. I asked them what they expect of people being outside of their field for so long. I did not get a definite answer. Also it is worth mentioning I have never seen such a bunch of unprofessional, undertrained people, full of themselves. I have to confess, I did think about it a few times, but the idea of having to work with monkeys like them cooled me down. Sorry for the typos...
There is no evidence the MacOS is fundamentally significantly more secure than Windows. I understand that people will now post some anecdotal evidence about it coming from a BSD base, and so on and so forth, but it has been developed separately long enough that, without an audit, it doesn't matter much anymore. It also branched in the days of NeXT, at which time, security was not much of an issue yet. The early versions of Unix and BSD were horrendously insecure (remember all the ping-of-death type attacks in the Windows 95 era that came from the BSD-derived TCP/IP stack?). The only way to demonstrate security is to have a significant number of competent people try to break it and fail (which is what an audit consists of). That hasn't happened to MacOS-X, and until it does, we know nothing about its security (except for default settings, which while very important for normal end-users, if you're a security-conscious power user, you will reconfigure under Windows and GNU/Linux anyways).
:)
It is, however, more obscure, so less people look for and find security holes. Of the people who exploit holes, fewer target Macs, since it's a smaller market. Criminals generally go after the lowest-hanging fruit/easiest target, and if you run a Mac, you're not it.
Security through obscurity has been completely debunked from an academic perspective, but from a practical/risk-management perspective, it still often makes good sense. You don't want obscurity on encryption, but on software, it is not a bad way to go. If you run BeOS, or OS/2, VMS, or Plan9, the odds of anyone knowing how to attack you are minuscule. Better yet, if you use a variety of OSes, the odds of compromises being found in all of them simultaneously go down astronomically. If your goal is to not lose data (as opposed to maintaining privacy), a very heterogeneous computing environment is the way to go. Protecting privacy? Set up multiple firewalls, each running a different OS. Use custom software to communicate through the firewalls.
If you want to avoid data forensics, a combination of obscure OS and encryption is the way to go. Mainstream OSes have presumably been analyzed to death by forensics companies. They can pull your data out of the Linux swap partition or Windows swap file, if it sat around in memory decrypted, and wasn't wiped yet. BeOS swap file? You'd have to spend hundreds of thousands of dollars reverse-engineering something new.
Last time I posted a negative article (admittedly somewhat provocative/aggressive) on the Mac, I was not only marked troll, but someone went through my past articles, and modded one or two of those down. Gotta love the Mac community. Wonder what'll happen this time.
My question: If the Computer Security team at the FBI uses a lot of Macs, wouldn't you think they know them well enough to hack them?
Ernie Dambach
"It is no small thing to celebrate a simple life" -Tolkien
Ok, so looking at those links, almost everything (I won't say everything since I haven't read each and every one...and if nothing else the Safari cookie access bug was definitely not out-of-box secure, since I'll optimistically assume everyone uses Safari) was not remotely exploitable, was a problem with a service that was disabled by default (not much is turned on out of the box), was a problem with third party software over which Apple has little control, or in the case of the DHCP problem requires a rather unlikely scenario to be exploited (most people yawned when they heard this problem, but I will grant that it is theoretically possible to exploit in some circumstances).
Many of the problems were problems in standard UNIX applications, and any computer using those apps would have been at least as vulnerable as OS X, except that the services that might be used to exploit those problems are turned off by default on X (at least as far as I could see in a very quick glance through the list). Others, now fixed, would require a person's physical presence at the machine, and might still be rather difficult to take advantage of in practice -- but I really don't think there's too much I can do to prevent access if an FBI agent has physical possession of my computer.
If you know of a genuine remotely exploitable vulnerability in OS X's default configuration, I encourage you to let us know. I'm confident such holes exist, but I have no evidence that they've been identified.
OS X is not as out-of-box secure as OS 9, but it's still better than almost any other common consumer OS out there.
You sir are a troll, and yet somehow still get modded up to +4 insightful.
These issues have been covered to death here on slashdot and other places as they arose. In short:
The DHCP issue: DHCP is inherently insecure, it's just a convenience. Apple's auto-discovery of DHCP server is a convenience feature to allow new boxes to be added to a network with minimal configuration. To exploit this your network would already need to be compromised. Which means you've got bigger problems.
The other issues have been local exploits only, buffer overruns being used to elevate privileges on a machine you must already have access to. Useful techniques, but you've got to get in first.
The last real security flaw to worry about with Mac OS X that I know of was with SSH.
The only thing wrong with the original quote was the use of the word "secure" as an absolute. There is no such thing. The addition of a relative term and a reference is needed, such as "far more secure out of the box than Windows XP".
Don't blame me - this
Gee, I use Linux...Gentoo as a matter of fact. I can't remember the last time I screwed around with libraries or configs or stuff like that.
OSX is fine, but please, don't get bogged down in the "this is better than that" nonsense...that's so old and outdated. I'm tired of hearing it.
I install things all the time...play games/openGL etc etc...I STILL don't mess around with configuring the system. The only time I do anything like that is when I upgrade my kernel...like going from 2.6.0 to 2.6.1 took me all of 5 minutes INCLUDING rebooting.
No "under the hood" stuff for me...and I keep everything nice and up-to-date.
"emerge sync && emerge -Up world" is like a few minutes out of my life. No wasted time.
So, on an average day around 5 minutes (if that) of maintenance and then that leaves what? 23 hours, 55 minutes for "real work".
"Music is everybody's possession. It's only publishers who think that people own it." - John Lennon.
Theoretical security aside, the practical security of macs is obviously higher. There aren't as many people who know how to crack macintosh boxes and there aren't as many who write viruses for them. If the system itself is more secure is really an academic question - in practice, they are more secure.
It's better. However, it ain't there yet.
Case in point. I dual boot my laptop. I just added a wireless router to my network. I purchased a Wavebuddy PCMCIA card. It came with a CD with both Windows and Linux drivers. Booted into windows, installed the driver, rebooted, inserted the card and I'm browsing the 'net. Total time expended - 15 minutes.
Booted into Linux, and copied the driver to the laptop. It's source code. Run make and then make install. No errors but no card either. Spend two hours going through the readme and trying various things. No card. Get on the net. The Wavebuddy uses an Atmel chip. Find a different driver that's supposed to work. No dice. More research. The 2.6 kernel supports the Atmel chip directly! Well, been wanting to upgrade the kernel anyway. Download the kernel source. Go through the config script. Compile the kernel. Add the new kernel to LILO and reboot. Under the 2.4 kernel, the card does not work but the power light comes on, indicating the card is powered up. Under the 2.6 kernel, no power light. Must have missed a configuration there. Maybe the PCMCIA subsystem isn't loading? Will look into that when I get time to get back into it. So far, have invested about fifteen hours over three days and still have no wireless network under Linux.
The install of Linux has gotten much better, as has the hardware detection. System maintenance, however, is still woefully inadequate. And systems do need maintenance. They get updated, hardware gets changed, files get corrupted.
Linux is getting there. But it ain't there yet.
"The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.
"emerge sync && emerge -Up world" is like a few minutes out of my life. No wasted time.
I don't even do THAT anymore -- I just make a little shell script and put an icon on the desktop or stick it in a Cron job. EVERYTHING's automated now... such is the power of Linux. I have COMPLETE control. Proprietary OS users can *never* say that (although most don't care).
I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."
Odd... see I can run my software updates from the command line too on my OS X box... but then, by default, it will also check automagically for me every week. Of course, I can change that setting in the system update preferences. And I can do all sorts of things, make it update every time I log in, every day, every hour, every 20 minutes. I can even set it to never update unless I explicitly tell it to. All on my "proprietary OS".
T Money
World Domination with a plastic spoon since 1984
Bzzzzt! Wrong! Look at the computer that's used to control Morpheus' Nebuchadnezzar (in the first movie, anyway)--logo is taped over, but it's definitely a Powerbook.
"Science is a tribute to what we can know although we are fallible" -Jacob Bronowski