Slashdot Mirror


Macs More Vulnerable Than Windows For Enterprise

sl4shd0rk writes "At a Black Hat security conference in Las Vegas, researchers presented exploits on Apple's DHX authentication scheme which can compromise all connected Macs on the LAN within minutes. 'If we go into an enterprise with a Mac and run this tool we will have dozens or hundreds of passwords in minutes,' Stamos said. Macs are fine as long as you run them as little islands, but once you hook them up to each other, they become much less secure."

281 comments

  1. NNNGGGHYAAA!!!! by Anonymous Coward · · Score: 5, Funny

    Macs Good! Microsoft BAD! MACDOR THE BARBARIAN SMASH THE HEATHENS!!!!

    --
    Filter error: Don't use so many caps. It's like YELLING.
    (really? you'd almost think that was the intent)

    1. Re:NNNGGGHYAAA!!!! by obergfellja · · Score: 1

      nyan cat's cousin... the mac cat

    2. Re:NNNGGGHYAAA!!!! by sacridias · · Score: 2

      Mac is an evil pathetic dogmatic corporation. Mac BAD, Microsoft BAD. I also hate mate because they bastardized the greatest OS ever, FreeBSD. Mac needs to stop child labor and labor camps associated with their company, and stop suing people because they are jealous of their success. They are a bunch of cry babies that need to be put down.

    3. Re:NNNGGGHYAAA!!!! by icebraining · · Score: 1

      I think you mean Apple, not Mac...

    4. Re:NNNGGGHYAAA!!!! by d.the.duck · · Score: 1

      Winner winner, chicken dinner. This is my favorite comment ever on /.

      --
      Where does the signature go?
    5. Re:NNNGGGHYAAA!!!! by oh_my_080980980 · · Score: 0

      From the article:

      "iSec's recommendation is premised on the assumption that a small percentage of employees in any large business or government organizations will be tricked into installing malicious software, no matter what platform they use"

      Case closed. You can't protect from stupid.

    6. Re:NNNGGGHYAAA!!!! by Anonymous Coward · · Score: 1

      Yeah, funny how Mac users get a free pass on this, yet if it was a Windows box they were sitting in front of, it wouldn't matter that social engineering was used. You would just harp about how shitty Windows security is and then spout off about how Macs are magically more safe.

    7. Re:NNNGGGHYAAA!!!! by E+IS+mC(Square) · · Score: 0

      But Steve Jesus Job said mac is the best. Remember those Mac vs PC ads? If Apple says, it has to be true!

      It's an indication of a capitalistic country when a salesman (however good he might be, it's still a salesman) is elevated to God status while real technology geniuses are pushed to the background. Or a salesman is elevated to God status while those ideological bearded geeks are constantly made fun of. By none other than the geeks themselves. Here on /. . All the time.

    8. Re:NNNGGGHYAAA!!!! by Anonymous Coward · · Score: 0

      Case closed. You can't protect from stupid.

      Considering the fraction that "stupid" takes up amongst simpleton users of certain flashy products with limited functionality, this appears to be a valid concern.

    9. Re:NNNGGGHYAAA!!!! by Tarlus · · Score: 1

      * Whoo-to-the-ooosh! *

      --
      /* No Comment */
    10. Re:NNNGGGHYAAA!!!! by mastermind7373 · · Score: 1

      Case closed. You can't protect from stupid.

      Considering the fraction that "stupid" takes up amongst simpleton users of certain flashy products with limited functionality, this appears to be a valid concern.

      This, this made my day.

    11. Re:NNNGGGHYAAA!!!! by The+Dawn+Of+Time · · Score: 2

      I don't know anyone who elevated Steve Jobs to god status. I guess it's indicative of someone who's drastically out of touch when they get upset about something that doesn't really exist outside of their own head - while clearly dreaming of how wonderful everything would be if only he were worshipped.

      I guess what I'm saying is that your comment says a lot more about you and your dreams than it does about the actual, real society we live in.

    12. Re:NNNGGGHYAAA!!!! by onefineline · · Score: 1

      Hmm.... yeah..... if you can't even get the company's name right, I'm not really sure if you're gonna get any other information right.

    13. Re:NNNGGGHYAAA!!!! by E+IS+mC(Square) · · Score: 0

      >> I don't know anyone who elevated Steve Jobs to god status

      No? Really? Way to miss the point.

  2. A virus? In my MAC? by TheyTookOurJobs · · Score: 0

    It's more likely than you think! Why would someone write a virus that is targeted at 10% of the user base when they can target 90?

    1. Re:A virus? In my MAC? by Samantha+Wright · · Score: 3, Insightful

      A Stuxnet? In my PLC?

      It's more likely than you think! Why would someone write a worm that is targeted at 0.00001% of the user base when they can target 90?

      Unpatched vulnerabilities leave open doors for custom-tailored villainy. I would call it a pretty big deal.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    2. Re:A virus? In my MAC? by TheyTookOurJobs · · Score: 0

      Now now, stux was extremely specific and with purpose. Most douchenozzles write virii for kicks. This is all from statistics I made up for the purpose of this post. Please ignore me, nothing to see here.

    3. Re:A virus? In my MAC? by u-235-sentinel · · Score: 1

      It's more likely than you think!

      Why would someone write a virus that is targeted at 10% of the user base when they can target 90?

      Actually they are targeting the other 89.1%. I'm running linux :-)

      --
      Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
    4. Re:A virus? In my MAC? by gatkinso · · Score: 2

      >> Why would someone write a virus that is targeted at 10% of the user base when they can target 90?

      Because they are an asshole?

      --
      I am very small, utmostly microscopic.
    5. Re:A virus? In my MAC? by mark-t · · Score: 1

      If it is so abnormal to find a virus for a minority platform, why would you propose that it is more common than people might expect for that platform?

    6. Re:A virus? In my MAC? by asdf7890 · · Score: 4, Insightful

      Why would someone write a virus that is targeted at 10% of the user base when they can target 90?

      I'm assuming you are implementing sarcasm there, but in case you are not...

      How about because you've got as large a chunk on the 90% as you are going to get any time soon in your botnet already, and you are having to fight every other botnet going to keep them? A chunk of that 10% could make a useful difference.

      Or if you are installing a key logger to try to purloin credit card details or authentication credentials, why not target the more-affluent-on-average users of that 10% who might actually take less effort to infect as they are complacent?

      Or how about "just to prove you can". I'm guessing that in lieu of actually making money simple bragging rights still count for something in the hacker/cracker world.

    7. Re:A virus? In my MAC? by jellomizer · · Score: 0

      Most likely because they want to wipe off the smug smile that the Mac users have. And 10% is a good number to target... Assuming that most viruses for windows are targeted to hit particular patches of Windows. So they may be targeting around the same percentage perhaps more or less.

      So far OS X has had few targets that have gone wild, However they are the first that hacker conferences love to show they can break into.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    8. Re:A virus? In my MAC? by silanea · · Score: 2

      Think applications for OS X: Why would someone write software that is targeted at 10% of the user base when they can target 90? Because those 10% are highly profitable and support issues are lower due to the limited amount of different hardware and software configurations. Looking around me I would argue that the more affluent a person, the higher the chance they own a Mac, and I do not know anyone in person who still is on a PowerPC Mac.

      --
      Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
    9. Re:A virus? In my MAC? by BrokenHalo · · Score: 4, Funny

      Most douchenozzles write virii for kicks.

      And much worse, only a total and utter douchebag uses "virii" as a plural form of "virus".

    10. Re:A virus? In my MAC? by Anonymous Coward · · Score: 2, Interesting

      Also, one can lodge malicious code in a Mac that would require physical replacement of components, such as the flash ROM of the keyboard, or even the battery of a Macbook.

      This isn't new to Macs either. Back in the System 6 days, where the OS would read from the SCSI drive code to execute a hard disk driver, it would be trivial to hide a malicious payload there, and because it ran before anything else, there would be no way to stop it. Had a virus that did that been combined with WDEF (which infected machines the second a floppy disk was inserted), it would have caused extreme pain for a lot of users. Think bad MBR code is an issue with PCs, this was a glaring hole. Thankfully, nobody exploited it.

      Thankfully Apple's pants are shown down only at the cons. However it won't be long until stuff that lodges in a keyboard HID ROM or other places hard to dislodge goes to the wild.

    11. Re:A virus? In my MAC? by v1 · · Score: 1

      Why would someone write software that is targeted at 10% of the user base when they can target 90?

      My favorite analogy to that is to say that if you set a sack of $2,000 and a sack of $200 in cash beside each other on the street, that only the $2,000 sack will get stolen, even if the $200 sack isn't chained down and the $2,000 sack is.

      Thieves will take everything that's not nailed down. Risk and effort matter more than payout when selecting targets. Most thieves prefer low risk easy marks over large payouts.

      --
      I work for the Department of Redundancy Department.
    12. Re:A virus? In my MAC? by toadlife · · Score: 1

      Most douchenozzles write virii for kicks.

      This was true well into the 90's, but today the vast majority of malware is written for monetary gain.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    13. Re:A virus? In my MAC? by wiedzmin · · Score: 1

      This was true well into the 90's, but today the vast majority of malware is written for monetary gain.

      +1

      --
      Bow before me, for I am root.
    14. Re:A virus? In my MAC? by HazE_nMe · · Score: 1

      So we are still saying virii?

    15. Re:A virus? In my MAC? by couchslug · · Score: 1

      Because they dislike that user base and would find it lulzworthy?

      Never underestimate the combination of skill, malice, and boredom!

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    16. Re:A virus? In my MAC? by danomac · · Score: 1

      I'd say it's because of the people that use that 10% think they're unaffected by vulnerabilities. Eventually the tipping point will be reached where it's easier to distribute malware on other platforms than Windows. Perhaps it's starting now.

    17. Re:A virus? In my MAC? by JamesP · · Score: 0

      +1BTC would be more appropriate

      --
      how long until /. fixes commenting on Chrome?
    18. Re:A virus? In my MAC? by WindBourne · · Score: 1

      Which is why you pick the EASY one. There is plenty of money to be had on Windows, Mac and Linux. In fact, considering that Linux is used on bigger badder servers for handling money, you should pursue them if you want the large score. But, when you want to get the money, you go for the EASY SURE bet. That is anything from MS. At least for today.

      It will be interesting to see what happens if MS ever hires decent coders and locks down their systems. Thank god that so far that is not the case. But if they ever become more secure, then I will be curious to see what systems the black hats pursue. My guess is Linux.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    19. Re:A virus? In my MAC? by danbuter · · Score: 1

      10% is still millions of users, many who have no antivirus of any kind because Apple has told them they don't need it.

    20. Re:A virus? In my MAC? by treeves · · Score: 1

      No, we are not.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    21. Re:A virus? In my MAC? by sqrt(2) · · Score: 1

      All those hacker conferences, I'm thinking of Pwn2Own, are exploits that: require user interaction such as visiting a hacked web page, require using the default and unchanged Safari browser. Running Firefox with noscript or even just a different browser would put an end to their "hacks". I'd be more impressed if they managed to root a machine without actually physically touching it, I'm not aware of that having happened yet--not to say it can't, but I don't think it has yet. I remember WinXP that could become infected simply by being connected to the internet and powered on. Is there anything even close to that for Linux/Mac?

      Until I see a fully automated spreading worm, or viruses that can propagate through e-mail (bonus points if the user doesn't have to install anything, but requiring typing in your root pw is game over, I'd know something was up at that point) then I am going to remain convinced that the Unix security model is fundamentally superior to Windows, even if it has problems too.

      --
      If you build it, nerds will come. Soylentnews.org
    22. Re:A virus? In my MAC? by woolpert · · Score: 1

      This was true well into the 90's, but today the vast majority of malware is written for monetary gain.

      +1

      +1BTC would be more appropriate

      +5 BTC at current exchange rates, amIright?

    23. Re:A virus? In my MAC? by oldmac31310 · · Score: 1

      Well obviously you don't know me in person but I run several PPC Macs. Yes, you guessed it, I am not affluent!

      --
      http://www.acetonestudio.com
    24. Re:A virus? In my MAC? by jackspenn · · Score: 1

      >> Why would someone write a virus that is targeted at 10% of the user base when they can target 90?

      Because they are an asshole?

      By they I assume you mean the elitist 10% using Apple.

      --
      Respect the Constitution
    25. Re:A virus? In my MAC? by said213 · · Score: 0

      Forward your email address, please?

      --
      help me fix this "Terrible" karma, please!
    26. Re:A virus? In my MAC? by wiedzmin · · Score: 1

      It's arguable, which one is EASY(er) at this point. Yes, historically Microsoft systems have been targeted more often, but they have also developed more protection over the years as a result. WSUS, SCCM, MBSA, UAC, myriads of antivirus solutions and hardening guides, ActiveSync, BES, IPS signatures - all of these have been developed to further secure Windows platforms out of necessity. Borderline next to nothing has been developed for Mac OS security at this point, and with Apple gaining market share and entering enterprise environment, the race of exploits versus protection, which has been going on for decades for Microsoft, is about to begin for Apple. It remains to be seen, how Apple will come out of this, and the myth they have perpetuated for years, that there is no malware for Apple, is going to haunt them through all the sales and executive staff blindly believing that they're safe, while clicking on the Mac Defender packages and spear-phishing email links and ordering more and more shiny new Apple computers for their staff.

      --
      Bow before me, for I am root.
    27. Re:A virus? In my MAC? by Creepy · · Score: 1

      Actually, if you read through the slideshow at the end of TFA it points out that security is getting much better on Macs in the past couple of releases. The main vulnerability, and where Windows is significantly better, seems to be network exploits from within the LAN, since Kerberos can be bypassed in several ways to fall back to the default security and there are exploits to that. It should allow forcing Kerberos only with no fallback, and if it did that would match it with Windows. Kerberos is a very good protocol and has been beaten on for many years (it is the required security model for IPv6 support because it is used by IPsec).

      I like the bonjour hack best - Apple's "nice network" vulnerability exploit (if hostnames conflict, one will change itself allowing the other to spoof).

        Some of the exploits I have noticed from version 10.0 - like how easy it would be to spoof the credentials page (which they say is harder on Windows, but I think in some ways it is easier since all you need to do is get them to click a button).
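The fallback problem Creepy describes above, as an added example that is not part of the original thread, of the Black Hat presentation, or of Apple's code: a toy mechanism negotiation in which a client that is willing to fall back from Kerberos to a weaker mechanism can be downgraded by anyone on the LAN who can rewrite the server's advertised mechanism list, while a client configured as "Kerberos only, no fallback" refuses the connection instead. The mechanism names are taken from the thread; the message shapes, the `allow_fallback` policy knob and the attacker model are assumptions made for the example, not a description of the real DHX or Kerberos exchange.

```python
"""Added example (not Apple's code, not the researchers' tool): a toy
authentication-mechanism negotiation that shows why silent fallback from
a strong mechanism to a weaker one is a downgrade hazard, and why a
'strong mechanism only' policy closes it."""

from dataclasses import dataclass, field
from typing import List

STRONG = "Kerberos"   # mechanism the policy wants (name from the thread)
WEAK = "DHX"          # weaker fallback named in the thread (details assumed)


@dataclass
class Server:
    """Honest server: advertises every mechanism it supports."""
    offered: List[str] = field(default_factory=lambda: [STRONG, WEAK])

    def advertise(self) -> List[str]:
        return list(self.offered)


class StrippingMitm:
    """Constructed LAN attacker: relays the server's mechanism list with the
    strong mechanism removed, so the client believes only WEAK is available."""

    def __init__(self, server: Server) -> None:
        self.server = server

    def advertise(self) -> List[str]:
        return [m for m in self.server.advertise() if m != STRONG]


class DowngradeRefused(Exception):
    """Raised when policy forbids falling back and STRONG was not offered."""


def negotiate(peer, allow_fallback: bool) -> str:
    """Select a mechanism from what the peer advertises.

    allow_fallback=True  reproduces the legacy behaviour: if STRONG is
    missing, accept WEAK.  allow_fallback=False is the 'Kerberos only'
    policy: refuse rather than downgrade.  Assumed policy knob."""
    offered = peer.advertise()
    if STRONG in offered:
        return STRONG
    if allow_fallback and WEAK in offered:
        return WEAK
    raise DowngradeRefused(f"peer offered {offered}; {STRONG} required")


def run_scenarios() -> dict:
    """Run the four combinations (direct vs. MITM, fallback vs. strict) and
    report which mechanism each client ended up using."""
    server = Server()
    mitm = StrippingMitm(server)
    results = {
        "direct_fallback": negotiate(server, allow_fallback=True),
        "direct_strict": negotiate(server, allow_fallback=False),
        # Attacker present: the permissive client is quietly downgraded.
        "mitm_fallback": negotiate(mitm, allow_fallback=True),
    }
    try:
        results["mitm_strict"] = negotiate(mitm, allow_fallback=False)
    except DowngradeRefused:
        results["mitm_strict"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16s} -> {outcome}")
```

The point the scenarios make is that the weak mechanism is only dangerous because the client is allowed to choose it: with `allow_fallback=False` the attacker can still strip the strong mechanism from the advertisement, but the only thing that achieves is a failed login that an administrator can notice, not a sniffable credential.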

    28. Re:A virus? In my MAC? by Anonymous Coward · · Score: 0

      Why would someone write a worm that is targeted at 0.00001% of the user base when they can target 90?

      Because that 0.00001% of the computing market is 100% of what the attack was intended for, against the rest of the market it wouldn't achieve its goal...derrrrr!

    29. Re:A virus? In my MAC? by exomondo · · Score: 1

      only the $2,000 sack will get stolen, even if the $200 sack isn't chained down and the $2,000 sack is.

      Thieves will take everything that's not nailed down.

      ay? so the $2000 sack will get stolen even though it's chained down but the $200 sack won't get stolen yet isn't chained down but thieves will take everything that isn't nailed down. Is there some key difference between being chained down and nailed down? if the $2000 sack was nailed down it wouldn't get stolen? but because it's chained down but not nailed down it will get stolen? if the $200 sack isn't chained down then why wouldn't the thieves steal it if they steal everything that isn't nailed down? or is it nailed down but not chained down?

    30. Re:A virus? In my MAC? by v1 · · Score: 1

      What it means is everything eventually gets stolen. But what's not chained down properly gets stolen first, regardless of its value.

      So if there's a $2000 sack sitting next to the $200 sack, and the $2000 sack gets stolen immediately (and perhaps the $200 sack remains there for quite some time, or even never gets taken) you must assume the former has much poorer security. It's foolish to try to blame the disparity on the value of the contents. (if they had the same security, they'd both disappear at about the same time)

      --
      I work for the Department of Redundancy Department.
    31. Re:A virus? In my MAC? by ynp7 · · Score: 1

      Did we ever? Pretty sure that was always reserved for douchebags and morons.

    32. Re:A virus? In my MAC? by exomondo · · Score: 1

      What it means is everything eventually gets stolen. But what's not chained down properly gets stolen first, regardless of its value.

      Huh? But you said only the one of larger value gets stolen even if it is chained down:
      My favorite analogy to that is to say that if you set a sack of $2,000 and a sack of $200 in cash beside each other on the street, that only the $2,000 sack will get stolen, even if the $200 sack isn't chained down and the $2,000 sack is.

      So if there's a $2000 sack sitting next to the $200 sack, and the $2000 sack gets stolen immediately (and perhaps the $200 sack remains there for quite some time, or even never gets taken) you must assume the former has much poorer security. It's foolish to try to blame the disparity on the value of the contents.

      Why? If the security to profit ratio is better on the $2000 than the $200 then regardless of the actual security you'd go for the bigger score.

    33. Re:A virus? In my MAC? by Anonymous Coward · · Score: 0

      Market share has NOTHING to do with what platforms virus writers will target. That was already shown above. If nothing else, go meet some writers. You write to what is easiest. The fact is, that you can get much more money by targeting *nix Servers. Fewer of them, but far far more money. Why not go after them? Less chance of breaking into them. You go after Windows because it is easiest.

    34. Re:A virus? In my MAC? by toadlife · · Score: 1

      Would you care to point out the architectural differences between Windows and Unix-type OS's that, in your opinion, make the latter so much more secure?

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    35. Re:A virus? In my MAC? by toadlife · · Score: 1

      Market share has NOTHING to do with what platforms virus writers will target. That was already shown above.

      Where was that shown above?

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  3. All computers are less secure by improfane · · Score: 3, Insightful

    ...when you hook them up.

    I have no love for Apple but even this article smells like astroturfing.

    --
    Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
    1. Re:All computers are less secure by gcnaddict · · Score: 1

      Have you seen any recent networked exploits on Windows which compromise an entire bank of passwords?

      No? That's what I thought.

      --
      Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    2. Re:All computers are less secure by ByOhTek · · Score: 1

      More a reply to your sig, in particular, the last book... You like alien pornos?

      You may be the one who referenced him last week or the week before, but if not, I'd recommend Alastair Reynolds, since your other books suggest you can live with sci-fi lacking porn.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    3. Re:All computers are less secure by WrongSizeGlass · · Score: 2

      All computers are less secure ... when you hook them up.

      If that were true then hooking my computer up to the internet could end in disaster! It's a good thing I'm using a Siemen's SCADA firewall.

    4. Re:All computers are less secure by ThisIsSaei · · Score: 1, Flamebait

      I'd say it's sensationalist, but my bigger issue is that Apple doesn't make a secure OS, even with stand-alone setups.

    5. Re:All computers are less secure by improfane · · Score: 1

      Oh I should have read the article. It's a genuine exploit for Apple computers. It's also the Black Hat conference and not a media release. Apologies Slashdot crowd.

      Just goes to show that all software has bugs and it is highly likely that those bugs include security bugs. Nobody is immune from making mistakes.

      One thing I find amusing is that Apple deploys malware detection called XProtect based on string matching. It is irresponsible to say that Macs are completely immune from malware. Security on Macs can only go downhill as it becomes less obscure.

      --
      Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
    6. Re:All computers are less secure by TWX · · Score: 1

      I have no love for Apple but even this article smells like astroturfing.

      To me it sounds like there's two flaws that compound a problem. I don't know much about Apple's auth scheme, but I wouldn't be surprised if either the machines share credential information to such an extent that one infected machine ends up with a bunch of tasty data, or if there's a remote vulnerability that is normally not accessible when an Apple is behind a firewall and not on a direct network segment with another Apple. It's quite plausible that minimal firewalling like most cheap home broadband routers do is enough to block such a worm, but with a bunch of Apples on a LAN or overly generously routing WAN that there's nothing to stop such a spread.

      --
      Do not look into laser with remaining eye.
    7. Re:All computers are less secure by improfane · · Score: 1

      Uhhh...well. I cannot say I am massively into alien pornos, I don't really know for sure since I have not tried them. I don't mind romance or naughty bits in science fiction but as long as it does not distract from the science or depiction of the future.

      Wait a minute, you tricked me!

      --
      Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
    8. Re:All computers are less secure by somersault · · Score: 1, Funny

      Isn't that just because it isn't news when it happens on Windows?

      --
      which is totally what she said
    9. Re:All computers are less secure by Anonymous Coward · · Score: 3, Insightful

      ...when you hook them up.

      I have no love for Apple but even this article smells like astroturfing.

      Can we please stop this Slashdot trend of calling everything that doesn't immediately fit into our worldview astroturfing. The article is sensationalist (duh, it's The Register!) but these are security researchers presenting at the Black Hat conference, check out other sources and the actual basis for their claim before immediately jumping to the astroturfing cop-out.

      I've seen people with posting histories long as a mile proving they are Linux users and supporters getting called M$ astroturfers because they tried to be nuanced about facts and opinions in a discussion.

    10. Re:All computers are less secure by NatasRevol · · Score: 5, Informative

      You might want to go read the actual presentation.

      It starts out with an exploit called Aurora, which compromises AD.

      Whoops.

      --
      There are two types of people in the world: Those who crave closure
    11. Re:All computers are less secure by Anonymous Coward · · Score: 1

      Can we please stop this Slashdot trend of calling everything that doesn't immediately fit into our worldview astroturfing.

      Of course, YOU'D say that. You're astroturfing.

    12. Re:All computers are less secure by NatasRevol · · Score: 5, Informative

      And the Mac exploit STILL REQUIRES AN ADMIN PASSWORD. Which is not typically given to users in a corporate setting - at least by sane sysadmins.

      --
      There are two types of people in the world: Those who crave closure
    13. Re:All computers are less secure by Anonymous Coward · · Score: 0

      Sure, whatever you say, Mr. M$ Employee.

      :)

      Seriously though, Slashdot discussions generally have all the thought and reasoning of a barroom brawl. It's been that way as long as I've been hanging around here (about 10 years or so).

    14. Re:All computers are less secure by Dishevel · · Score: 1

      But that is what astroturfing is!
      The ability to instantly discount something you do not agree with by calling it names.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    15. Re:All computers are less secure by Anonymous Coward · · Score: 0

      Human beings also tend to get viruses when you hook them up...

    16. Re:All computers are less secure by hansraj · · Score: 2

      The whole point of TFA is that if even one computer gets infected on the network then it can be used to infect other machines without requiring the admin password on the remote machine. All it would take is one malicious person with physical access to one Mac, or one careless click from someone who does have admin access to their own Mac in the building.

    17. Re:All computers are less secure by NatasRevol · · Score: 1

      Yeah. And how is that not having the admin password?

      Tell you what, give me the admin password to an active directory forest. See if I can fuck things up a bit. Want to bet I can?

      --
      There are two types of people in the world: Those who crave closure
    18. Re:All computers are less secure by Anonymous Coward · · Score: 1

      Yeah. And how is that not having the admin password?

      Tell you what, give me the admin password to an active directory forest. See if I can fuck things up a bit. Want to bet I can?

      I believe the GP is referring to the fact that a single *local* admin password on a networked Mac can lead to a compromise of all Macs on the network through this exploit, which is not quite the same as having an AD administrator password.

    19. Re:All computers are less secure by NatasRevol · · Score: 1

      That's not the case though. Otherwise, it can't authenticate to another network Mac. Unless all the local admin passwords are the same, in which case they're effectively the network admin password.

      It's always going to need the network admin password. Now lazy sysadmins often make them the same as the local admin passwords, but they're not actually the same thing.

      --
      There are two types of people in the world: Those who crave closure
    20. Re:All computers are less secure by DrgnDancer · · Score: 5, Insightful

      It's also worth pointing out that the "exploits" for Macs these guys found require an amazing amount of stupidity on the part of the system/network admins. We're supposed to be worried about using Macs in "Enterprise" level exploits, but the configuration required for exploiting is distinctly amateur.

      They claim DHX is vulnerable, Kerberos is not; but it's "trivial" to change the scheme. This is true if you have root on the server box, but getting there should not be "trivial" in the first place. Even with DHX, you need to get admin privileges on a workstation box to start sniffing passwords. Again, that shouldn't be trivial in the first place. Admin accounts should only belong to trained administrative users, whether your OS is Windows, MacOS, or Linux. Sure, if you make every Tom, Dick, and Sue an admin you're highly vulnerable to social engineering attacks. On any OS. OSX permits and encourages privilege separation like any other OS; if you choose not to use it, you're an idiot, not "Enterprise IT".

      A competently administered Mac network, with proper encryption, privilege separation, threat training, etc. should be no more vulnerable than any other if I'm reading this right (I read the slides from the presentation in addition to the almost useless article). The take home point shouldn't be "Don't use Macs", it should be "Treat Macs like every other client and server." They're not more vulnerable, they're just not full of magic hacker repelling pixie dust.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    21. Re:All computers are less secure by DesScorp · · Score: 1

      You might want to go read the actual presentation.

      It starts out with an exploit called Aurora, which compromises AD.

      Whoops.

      So the question is, if it's AD, are Macs using AD somehow more vulnerable than Windows boxes? Or is the threat equal and the article misrepresenting things?

      Either way, is AD the real problem?

      --
      Life is hard, and the world is cruel
    22. Re:All computers are less secure by Anonymous Coward · · Score: 0

      "Siemen's"? Wow.

    23. Re:All computers are less secure by Anonymous Coward · · Score: 0

      It's also worth pointing out that the "exploits" for Macs these guys found require an amazing amount of stupidity on the part of the system/network admins.

      As are the majority of all network type exploits, Apple or non Apple. What's your point?

    24. Re:All computers are less secure by MacGyver2210 · · Score: 1

      If you configure Windows or *nix right, it requires an admin password as well...

      --
      If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
    25. Re:All computers are less secure by MacGyver2210 · · Score: 1

      It's no more 'amateur' than the way these sites that keep getting hacked are setup, and they're supposedly enterprise-level business as well.

      --
      If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
    26. Re:All computers are less secure by DrgnDancer · · Score: 2

      That kinda is my point. If you do a bad job of building your network, it's going to be vulnerable, regardless of OS. If you do a good job (and MacOS has the tools to do a good job, the presentation points them out indirectly), you will be less vulnerable, regardless of OS. These guys are focusing on: "Don't use Macs in the enterprise" rather than the more obvious lesson: "Treat Macs in the enterprise with the same degree of care as any other machine with any other OS".

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    27. Re:All computers are less secure by NeutronCowboy · · Score: 2

      Maybe. But I've heard too often that "Macs are more secure than Windows, so we don't need safety stuff." Mind you, this came from the guy who wanted to install an AV on all their Powerbooks, but handed out the same Powerbooks without proper passwords, no password policy, no automatic lockdown and admin accounts to everyone.

      I think these stories are valuable because you can show them to the twits in power who think that Macs are magically more secure, and drop every security practice there is.

      --
      Those who can, do. Those who can't, sue.
    28. Re:All computers are less secure by thoromyr · · Score: 1

      Yeah, the whole thing is kinda... stupid. Admittedly I only skimmed the "article", but: so... if you can put arbitrary code on the update server you can infect every mac that gets updates from it? Really? Color me shocked and surprised, news at 11

      Some good quotes, like "With a large enterprise, you have to assume that people are going to get tricked into installing malware." which is another way of saying "if you can get someone to run arbitrary code then you can do arbitrary things on their computer". Duh. And applies equally to Windows.

      Though I will note that, at least for Windows, a software key logger does *not* require special privileges (it is all in the approach). And even ignoring that there are usually multiple local privilege escalation attacks on Windows so the drive-by malware can get system privileges and then start stealing credentials. Hope desktop support/infrastructure don't do anything that causes an interactive login against the machine... I guess, with all of those problems, Windows just isn't ready for the enterprise...

    29. Re:All computers are less secure by sl4shd0rk · · Score: 1

      It starts out with an exploit called Aurora, which compromises AD.

      Whoops.

      Actually, on page 6 (and 20) of the pdf, the exploit starts by tricking the user into clicking a malicious link in Safari; but yeah, the Windows Domain Controller gets the second bullet.

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    30. Re:All computers are less secure by DrgnDancer · · Score: 1

      Admittedly there is one semi-serious problem. DHX is apparently vulnerable to false credential attacks, and I believe that it is the default way that Mac servers handle AD type user management. It *shouldn't* be a problem: default user accounts shouldn't be able to escalate privileges to allow the attack, and admins should set up the more secure Kerberos ticketing scheme anyway. That said, Apple should fix it. Even offering an option this vulnerable, even if other, better, alternatives exist is a bad idea. Let alone making it the default. It's nowhere near as serious as the article indicates though, because a good admin shouldn't be allowing the things they exploit.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    31. Re:All computers are less secure by Anonymous Coward · · Score: 0

      Obviously, it DOESN'T need the network password. That is why it is an EXPLOIT!!!!

    32. Re:All computers are less secure by NatasRevol · · Score: 1

      No, the AD hack doesn't rely on Safari. It just says click on malicious link - no browser mentioned.

      Safari is mentioned as a route for compromise on the Mac side though. One that still requires you to type in an admin password to get admin privs.

      --
      There are two types of people in the world: Those who crave closure
    33. Re:All computers are less secure by Stalks · · Score: 1

      Did you read the article? Obviously not. Only local admin access is required.

      From the conference, regarding Windows vs Mac network exploitations...
          - "Conclusion: OS X networks are significantly more vulnerable to network privilege escalation. Almost every OS X Server service offers weak or broken authentication methods."

    34. Re:All computers are less secure by NatasRevol · · Score: 2

      You might want to go actually read the presentation. It does need an admin password in order to get privilege escalation. See pages 32-34 in the presentation.

      There is no exploit here on getting the local admin or network admin password. It requires an admin password to ... wait for it ... do admin type things on the network.

      --
      There are two types of people in the world: Those who crave closure
    35. Re:All computers are less secure by Anomalyst · · Score: 1

      A competently administered Mac network

      A rare and exotic animal. Turtleneck computers weasel their way into school districts and the IT savvy of network admins in your average school district is woefully inadequate, even if they have the savvy the teachers unions will force them to allow trivial passwords and universal access to all resources (by hardcoded IP address of course, because neither side of the IT gap really grasps the enterprise utility of DNS or DHCP and rarely have the skills to administrate it) which includes admin passwords. Welcome to the real world of supporting Cyberdiots.

      --
      There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
    36. Re:All computers are less secure by NatasRevol · · Score: 1

      From page 32:

      Privileged credentials in the keychain can be used to spread and explore

      ie network admin login credentials.

      Or all the local admin logins are the same - which is essentially a network admin password. Often, computers are set up with the same local admin account across all/most machines - Mac or PC.

      --
      There are two types of people in the world: Those who crave closure
    37. Re:All computers are less secure by recoiledsnake · · Score: 2

      Erm. It's ALWAYS big news on Slashdot when the news is anything anti-MS, regardless of it being true or not.

      Remember this story (and countless others)? http://tech.slashdot.org/article.pl?sid=09/02/16/2259257

      --
      This space for rent.
    38. Re:All computers are less secure by Anonymous Coward · · Score: 0

      Very few corporations set up the dedicated OS X servers needed to maintain Admin/User separation in OSX, assuming that even works, which it doesn't. Apple has chosen to randomly break authentication in OS X server so doing what you suggest basically means you're randomly locking users out of their systems, assuming you actually secured them and disallowed local login. And OS X Server has been discontinued, which means that there is no central management of OS X systems at all anymore (unless you use Active Directory).

      As a practical matter you can't do much on a Mac without the Admin password, and most Macs are laptops, which might need maintenance in the field, and that means the users probably need admin access.

      I've only seen a handful of companies (and no university) where users did not have Admin rights to OS X systems.

    39. Re:All computers are less secure by Zemplar · · Score: 1

      ... you're an idiot, not "Enterprise IT".

      You obviously don't work for my company.

    40. Re:All computers are less secure by Stalks · · Score: 1

      Out of context quote?

      "" - User password can be used to decrypt "Login Keychain"
        - Privileged credentials *in the keychain* can be used to spread and explore ""

    41. Re:All computers are less secure by NatasRevol · · Score: 1

      Two things.

      1. *How* to decrypt the keychain would be an important detail
      2. Still doesn't mean that it's not using network/admin passwords.

      --
      There are two types of people in the world: Those who crave closure
    42. Re:All computers are less secure by CalTrumpet · · Score: 5, Informative

      I am the researcher quoted in the article.

      This would be easier if the story linked to the real presentation.

      Yes, Apple services generally support Kerberos as an authentication scheme. The problem is that it's almost always possible to downgrade from Kerberos to unsigned Diffie-Hellman and retrieve the plaintext password trivially. This requires an active MITM attack on the network. Traditional ways attackers have done this include ARP spoofing, DHCP spoofing and DNS poisoning attacks. Our talk also discussed a Mac-specific MITM which uses Bonjour to temporarily take over the identity of OS X servers and relay or downgrade authentication.

      Even if OS X allowed itself to be limited to Kerberos auth (and it doesn't) most Apple protocols do not perform channel binding, meaning there is no cryptographic integrity protection tied to the initial handshake. This allows an attacker to relay the Kerberos handshake and then modify the resultant communication, which can be disastrous if the communication is security critical, such as LDAP or an AFP mounted home directory.

      A competently administered Mac network, with proper encryption, privilege separation, threat training, etc. should be no more vulnerable than any other

      That is incorrect. Our research has shown that it is currently impossible to secure a network using OS X services. The only secure Mac network is one that runs the machines as separate "islands" without directory services, file sharing, or remote server administration. There are a lot of insecure Windows networks, due to the use of downlevel versions as well as configuration mistakes, but in theory you can build a new Windows 2008R2/7 Active Directory network that is hardened against network privilege escalation using GPO (KerbOnly, NoLMHash, RPC privacy/integrity, AD integrated IPSec, smartcard auth, etc...)

    43. Re:All computers are less secure by Anonymous Coward · · Score: 1

      Sooooo many levels of wrong here, it's unbelievable.

      1. "dedicated OS X servers needed to maintain Admin/User separation in OSX" - what the fuck are you talking about?
      2. "Apple has chosen to randomly break authentication in OS X server" - what the fuck are you talking about?
      3. "And OS X Server has been discontinued" - clearly showing that you have NO clue about OS X Server.
      4. "As a practical matter you can't do much on a Mac without the Admin password" - clearly showing that you have NO clue about OS X.
      5. "I've only seen a handful of companies (and no university) where users did not have Admin rights to OS X systems." - because of lazy sysadmins.

      It's like you've read Gizmodo for all your in-depth knowledge of Apple & Mac OS X.

    44. Re:All computers are less secure by Anonymous Coward · · Score: 0

      Oh snap.

      fsck -fy
      mount -uw /
      launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
      dscl . -passwd /Users/ newpassword

    45. Re:All computers are less secure by NatasRevol · · Score: 1

      Yeah, that's not really a remote exploit now is it?

      And you don't need the fsck at all, showing that you don't really understand it but just copy & pasted.

      It's not any different than booting from a linux cd that can crack the passwords on a Windows machine.

      --
      There are two types of people in the world: Those who crave closure
    46. Re:All computers are less secure by Anonymous Coward · · Score: 0

      If you configure Windows or *nix right, it requires an admin password as well...

      By default, the Root account password is locked in Ubuntu
      https://help.ubuntu.com/community/RootSudo

    47. Re:All computers are less secure by CalTrumpet · · Score: 1

      Admins can't fix this. There is no way to restrict OS X clients (and it's the clients we care about in auth downgrade attacks) from using DH.
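      The downgrade described in post 42 (an on-path attacker strips Kerberos from the offer and the client falls back to unsigned DH) and the point in post 47 (the client cannot be pinned to Kerberos) can be shown with a small model. This is an added illustration, not code from the talk or from Apple; the mechanism ranking, the channel identifiers and the message layout are constructed stand-ins for the real AFP/Kerberos exchange, and the second half shows the channel-binding check post 42 says Apple's protocols lack.

```python
"""Toy model of the Kerberos-to-DHX downgrade and of channel binding.

Added illustration, not code from the talk or from Apple; message formats
and channel identifiers are constructed stand-ins, not real wire data.
"""
import hashlib
import hmac
import secrets

# Constructed relative ranking of the mechanisms named in the thread.
MECH_STRENGTH = {"Kerberos": 3, "DHX2": 2, "DHX": 1}

# What post 42 says OS X clients do: accept whatever the server still offers.
PERMISSIVE_CLIENT = {"Kerberos", "DHX2", "DHX"}
# The policy an admin would want and, per post 47, cannot set on OS X clients.
KERBEROS_ONLY_CLIENT = {"Kerberos"}


def choose_mechanism(offered, client_policy):
    """Pick the strongest mechanism both sides accept; refuse if there is none."""
    usable = [m for m in offered if m in client_policy]
    if not usable:
        raise PermissionError("no mutually acceptable authentication mechanism")
    return max(usable, key=lambda m: MECH_STRENGTH[m])


def negotiate(server_offer, client_policy, on_path_attacker):
    """Run the negotiation. An on-path attacker cannot forge Kerberos tickets,
    but deleting Kerberos from the server's offer is all a downgrade needs."""
    offer = list(server_offer)
    if on_path_attacker:
        offer = [m for m in offer if m != "Kerberos"]
    return choose_mechanism(offer, client_policy)


def negotiation_refused(server_offer, client_policy, on_path_attacker):
    """True when the client policy leaves nothing acceptable after a downgrade."""
    try:
        negotiate(server_offer, client_policy, on_path_attacker)
    except PermissionError:
        return True
    return False


def authenticator(session_key, channel_id, channel_binding):
    """Proof of possession of the Kerberos session key. With channel binding the
    proof also covers the transport channel the client believes it is using."""
    msg = b"client-authenticator" + (channel_id if channel_binding else b"")
    return hmac.new(session_key, msg, hashlib.sha256).digest()


def server_accepts(session_key, server_channel_id, received, channel_binding):
    """Server recomputes the proof over the channel it actually sees."""
    expected = authenticator(session_key, server_channel_id, channel_binding)
    return hmac.compare_digest(expected, received)


def relayed_handshake_accepted(channel_binding):
    """Model post 42's relay: the attacker forwards the Kerberos exchange
    verbatim, so client and server share a session key the attacker never
    learns, but the client's transport channel ends at the attacker."""
    session_key = secrets.token_bytes(32)
    client_channel = hashlib.sha256(b"endpoint: client<->attacker").digest()
    server_channel = hashlib.sha256(b"endpoint: attacker<->server").digest()
    proof = authenticator(session_key, client_channel, channel_binding)
    return server_accepts(session_key, server_channel, proof, channel_binding)


if __name__ == "__main__":
    offer = ["Kerberos", "DHX2", "DHX"]
    print("no attacker, permissive client:", negotiate(offer, PERMISSIVE_CLIENT, False))
    print("attacker, permissive client:   ", negotiate(offer, PERMISSIVE_CLIENT, True))
    print("attacker, Kerberos-only client refused:",
          negotiation_refused(offer, KERBEROS_ONLY_CLIENT, True))
    print("relay accepted without channel binding:", relayed_handshake_accepted(False))
    print("relay accepted with channel binding:   ", relayed_handshake_accepted(True))
```

The model shows the two separate fixes the posts ask for: a client-side mechanism policy stops the downgrade, and channel binding makes a verbatim relay fail even when the attacker never learns the session key.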

    48. Re:All computers are less secure by E+IS+mC(Square) · · Score: 0

      Then where were you when apple fanbois continue to blabber "windoze is insecure, linux is insecure"? Why not apply the same rules while criticizing others? Oh I see. When it comes to Apple discussion, wisdom such as yours (All computers are less secure... when you hook them up.) suddenly becomes clear?

    49. Re:All computers are less secure by recoiledsnake · · Score: 1, Insightful

      Watch out, once they lose the forced and convoluted arguments to support Apple and discredit MS, this is what they will degenerate to:

      http://www.computerworld.com.au/article/188807/mac_worm_author_receives_death_threats/

      After all, it's a religion.

      http://www.businessinsider.com/apple-is-a-religion-neuroscientists-find-it-triggers-the-same-reaction-in-your-brain-2011-5

      --
      This space for rent.
    50. Re:All computers are less secure by Anonymous Coward · · Score: 0

      PASSWORD

    51. Re:All computers are less secure by rgviza · · Score: 1

      the "exploits" for Macs these guys found require an amazing amount of stupidity
      ---
      Out in the real world, there's an amazing amount of stupidity.

      --
      Don't kid yourself. It's the size of the regexp AND how you use it that counts.
    52. Re:All computers are less secure by Anonymous Coward · · Score: 0

      This would be an example of EMC fail not Apple fail, but it's a known issue: if your Celerra is running 5.6.45-5 code, connecting to an SMB share from 10.7 will panic the data mover.

      This was pretty fun to watch one admin with a Mac connect to share and take out all the Vmware servers INSTANTLY.

    53. Re:All computers are less secure by DrgnDancer · · Score: 1

      Excellent of you to comment. I did in fact find and read your slides before commenting, but I did not see where you pointed out that clients could force a downgrade of the auth protocols. That is indeed far more concerning. Typically when I've used any significant number of Macs on a network I link just them into the infrastructure I use for my Linux clients (usually OpenLDAP over TLS) so I've not really ever tried to use the Apple services. I still stand by my assertion that a well configured Mac network should never have allowed a normal user to install the exploit software in the first place though.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    54. Re:All computers are less secure by Anonymous Coward · · Score: 0

      Hey guys! I just discovered a super sekret exploit I can use to take control of a Linux box in seconds, not minutes! All I need is the root password. The exploit is called "passwd."

    55. Re:All computers are less secure by Anonymous Coward · · Score: 0

      I thought Diffie-Hellman established a secure communications channel without revealing a password.

    56. Re:All computers are less secure by DrgnDancer · · Score: 1

      Or maybe I'll thank him for replying and admit the correction. Nice troll though. I'm neither an Apple lover nor a hater (I used their products, but mainly work with Linux and have Windows on my desktop system), but I really find that the anti-Apple zealots are far more trollish than the Apple zealots.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    57. Re:All computers are less secure by Bengie · · Score: 1

      "That's not the case though. Otherwise, it can't authenticate to another network Mac"

      If you RTFA, you would see that the infected Mac sits on the network and waits for the administrator account to connect. When the Admin account tries to authenticate, the infected machine "steals" a copy of the admin authentication. It can then use the credentials to connect as Admin to the entire network.

      So yes, a local admin account can take over the network admin account.

    58. Re:All computers are less secure by JamesP · · Score: 1

      Well,

      1 - break into Windows Server XX with LM hash support
      2 - get the hashes and bruteforce them (with LM hash this is trivial and fast today)
      3 - enjoy your list of passwords

      --
      how long until /. fixes commenting on Chrome?
    59. Re:All computers are less secure by CalTrumpet · · Score: 1

      The details of the network attacks aren't clear in our slides without the associated commentary. One day that will be available online, but only after BlackHat makes its killing off of DVD sales.

      I still stand by my assertion that a well configured Mac network should never have allowed a normal user to install the exploit software in the first place though.

      This would be our hope, and it is important to build in technical and procedural controls to reduce the chance that attackers get a foothold on your network. However, our experience dealing with state-sponsored attackers has demonstrated that it's impractical to make local execution your first and last line of defense. These folks are backed up by human intelligence and experienced humint operatives, and their social engineering attacks are quite effective, especially against remote, non-native-English employees. When our clients ask for advice on preventing APT, we do give them tips on preventing the initial infection, but a lot of our recommendations are around preventing and detecting control channels, exfiltration and network privilege escalation.

    60. Re:All computers are less secure by DarkOx · · Score: 1

      Right, it's all about defense in depth. Ideally you should not be able to root a client on my network. If you can root a client on my network then I want to make that have as little utility as possible, when it comes to rooting my servers.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    61. Re:All computers are less secure by Anonymous Coward · · Score: 0

      Then where were you when apple fanbois continue to blabber "windoze is insecure, linux is insecure"? Why not apply the same rules while criticizing others? Oh I see. When it comes to Apple discussion, wisdom such as yours (All computers are less secure... when you hook them up.) suddenly becomes clear?

      Your Apple hate is overflowing.

      It is very true, all computers are less secure when you give out the Administrator/root password which is required for this "attack".

      Give me your Admin passwords, and I bet no matter what OS you run, I can login and get root!

    62. Re:All computers are less secure by Miseph · · Score: 1

      Apparently you've been hiding under a rock since time immemorial, but that's the way everything is done. Try to have a nuanced political view? Nope, you're clearly a freedom-hating fascist with no moral fiber according to anyone with whom you disagree even slightly. Try to keep an open mind about art or entertainment? Nope, you have shitty taste and clearly know nothing. Hell, you can't even root for a sports team based on anything other than blind nativism and geography without being a "fairweather fan."

      Basically any opinion which can't be summed up in five words or less is stupid and wrong, and just makes you some kind of elitist snob or "flip-flopper." Intellectualism is out, chest-beating tribalism is in. Welcome to the party.

      --
      Try not to take me more seriously than I take myself.
    63. Re:All computers are less secure by santiagoanders · · Score: 1

      You have much vitriol for someone with so little reading comprehension.

      --
      "There can be little doubt that union activities lead to continuous and progressive inflation." F. A. Hayek
    64. Re:All computers are less secure by Anonymous Coward · · Score: 0

      Somehow telling the truth is now trolling.

    65. Re:All computers are less secure by Anonymous Coward · · Score: 0

      On the other hand, from someone who actually uses OS X, it's pretty trivial to get around the lack of admin privileges on OS X if you've got physical access to the machine. All you need to do is boot up in either single user mode or target disk mode and remove one file that makes OS X believe it hasn't run the initial user creation dialog. Then the next time you reboot, OS X happily creates an admin user for you. Adding an EFI password can prevent booting into single user or target disk mode, but there are ways of getting past that as well... one online source claims that booting the computer with the RAM removed will do it and another claims there's a local utility you can run when logged in to a non-admin account that will recover the firmware password. I've never had to get past a firmware password, but I've known people who've done it successfully based on what they've found online.

      So for your number 5...no matter how un-lazy the admins are, a properly motivated user can have admin access if he or she wants it.

    66. Re:All computers are less secure by NatasRevol · · Score: 1

      If you've got physical access to the machine, all bets are off. I can read /etc/shadow, I can read /windows/Windows/System32/config.

      So how is that any different than any other system?

      --
      There are two types of people in the world: Those who crave closure
    67. Re:All computers are less secure by NatasRevol · · Score: 1

      Same on OS X.

      --
      There are two types of people in the world: Those who crave closure
    68. Re:All computers are less secure by Anonymous Coward · · Score: 0

      I'd like you to explain to everyone how a server (that is, in any secure environment, on a separate subnet) is supposed to be compromised by bonjour (a broadcast protocol).

      This is the anatomy of your attack:

      1) infect user computer (by the way, your supposed mac-specific exploit here is utter crap. No enterprise concerned with security allows running trusted files)
      2) get admin credentials from that user (which for some reason you assume they have?)
      3) do a bunch of things with admin credentials, one of which is

      and step A (because it has nothing to do with the rest of the presentation) is
      A) use bonjour to trick the infected system into sending information against your fake server to gain yet more credentials they wouldn't have

      Now, aside from the fact that 2,3, and A are all impossible since *users don't have admin credentials* we'll continue anyways:
      You're presuming a lot of access to the infected system, admin access specifically (in order to setup all the different bits to your exploit). With admin access I can edit the hosts file (hell, I don't even need it on many windows systems) and *do exactly what you've done with bonjour*

      I can also get admin access to a system if I ask the admin for his password and he's dumb enough to give it to me... that isn't a security exploit that's incompetence and has no place at a security conference.

      If you could trick the servers into giving up vital info via bonjour, then we'd be talking. But by the very nature of bonjour it is confined to the subnet unless specifically bridged. If you have user machines on your server subnet you've already lost the security war; if a server is compromised then you've already lost the security war.

      Basically your entire presentation boils down to "bonjour is insecure". DUH.

    69. Re:All computers are less secure by NatasRevol · · Score: 1

      To be clear, in your outlined attack, is there a password crack here or is it only a social attack to get hopefully access to a local admin account, and from there a network admin account?

      ie how do you decrypt admin privileges in the Login Keychain if the user isn't an admin?

      --
      There are two types of people in the world: Those who crave closure
    70. Re:All computers are less secure by Gilmoure · · Score: 1

      MS kicked my dog and stole my girlfriend!

      --
      I drank what? -- Socrates
    71. Re:All computers are less secure by CalTrumpet · · Score: 2

      There are a couple of different issues here. Escalating locally (even from inside the sandbox) can be done via impersonating an escalation prompt or by an offline brute-force of the keychain. Our criticism of the keychain is that it provides a decryption oracle that can be moved off of the machine and cracked at the leisure of the attackers. Even though it's relatively strong (1000 round MD5) state-sponsored attackers will definitely recover poor passwords.

      There are also often local privilege escalation bugs that are regularly patched, but we didn't discuss these since we were most interested in the architectural issues that are difficult to correct.

      On the network there is no cracking necessary. Via a downgrade a user's network password can be recovered with trivial computation resources.

    72. Re:All computers are less secure by Anonymous Coward · · Score: 0

      "STILL REQUIRES AN ADMIN PASSWORD"

      Which is usually, "administration" , or "admin", or "sysadmin".

    73. Re:All computers are less secure by NatasRevol · · Score: 1

      impersonating an escalation prompt

      This assumes the user has admin login info. So how is this different from any other OS? sudoer is sudoer.

      the keychain ... provides a decryption oracle that can be moved off of the machine and cracked at the leisure of the attackers

      How is this any different than any other hash storage mechanism - /etc/shadow, /windows/Windows/System32/config

      I'm not trying to criticize, just trying to understand if this is really a unique attack or a variant of typical attacks on other platforms.

      --
      There are two types of people in the world: Those who crave closure
    74. Re:All computers are less secure by catmistake · · Score: 1

      Our research has shown that it is currently impossible to secure a network using OS X services.

      I think you mean to say that it is impossible to secure a Mac network using Active-Directory services.

      but in theory you can build a new Windows ... Active Directory...

      Yes, but in practice, you are contradicting yourself. You're saying Macs can't be secured through AD services because of AD exploits... but Windows can be regardless of AD exploits? Show me this secure Windows network and I'll show you a unicorn that shits glitter.

    75. Re:All computers are less secure by Anonymous Coward · · Score: 0

      The problem is that it's almost always possible to downgrade from Kerberos to unsigned Diffie-Hellman and retrieve the plaintext password trivially.

      The problem is that it's almost always possible to downgrade from Kerberos to NTLM and retrieve the plaintext password trivially.

    76. Re:All computers are less secure by CalTrumpet · · Score: 2

      So how is this different from any other OS? sudoer is sudoer.

      The escalation prompt impersonation is in no way unique to OS X. We never said it was, although it's a bit easier on OS X than on Windows.

      There seems to be some misunderstanding on Slashdot of the purpose of this research. Our goal was to apply our experience with advanced attacks against corporate Windows networks against equivalent Apple technologies so that the defenders could stay one step ahead. We have a lot of clients that are now 40, 50, even 80% Macs on desktops, and it's important that we understand what these networks look like to somebody who has been given a year and a staff to penetrate and completely own the enterprise. Not everything we mention in the slides should be a criticism of OS X, in fact the majority of steps in this attack tree are pretty much identical on either platform. Understanding the details of each of those steps is important when designing countermeasures to prevent or detect each part of the attack tree.

      How is this any different than any other hash storage mechanism - /etc/shadow, /windows/Windows/System32/config

      These password stores are not accessible to a non-root/admin user. The section of the talk you are referencing is about local privilege escalation. We were trying to come up with ways we could escape after exploiting something like the low-rights Quicktime rendering process, and offline brute-forcing the Keychain is one option. BTW, those password stores aren't really equivalent to the Keychain, a better example would be Windows DPAPI, which provides a key that also mixes in a per-machine secret to prevent this type of attack.
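      The contrast drawn in post 71 (a keychain blob that can be moved off the machine and tested against guesses at leisure, with a 1000-round MD5 derivation) and post 76 (DPAPI mixing a per-machine secret into the key) can be shown side by side. This is an added illustration, not Apple's or Microsoft's code; the key-check layout, the salt, the machine secret and the passwords are constructed values, and the 1000-round figure is the one the post cites.

```python
"""Why a password-only keychain derivation is a portable offline oracle, and
how mixing in a per-machine secret (the DPAPI comparison) removes that property.

Added illustration, not Apple's or Microsoft's code; all values are constructed.
"""
import hashlib
import hmac

KEYCHAIN_ROUNDS = 1000  # the post cites 1000-round MD5 for the login keychain

# Constructed sample values (not taken from any real system).
SALT = bytes.fromhex("7f3a9c0d11e2b4c6")
MACHINE_SECRET = bytes.fromhex("0b5e2a9f4d7c1e8833a6f0c2b1d94e57")


def keychain_key(password, salt):
    """Password-only derivation: every input needed to test a guess is in the blob."""
    return hashlib.pbkdf2_hmac("md5", password.encode(), salt,
                               KEYCHAIN_ROUNDS, dklen=24)


def machine_bound_key(password, salt, machine_secret):
    """DPAPI-style derivation: a secret that never leaves the host is mixed in,
    so a copied blob cannot be tested for the right password anywhere else."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               machine_secret + salt, KEYCHAIN_ROUNDS, dklen=32)


def key_check(key):
    """Verifier stored beside the ciphertext so unlock() can tell a good key from a bad one."""
    return hmac.new(key, b"keychain-key-check", hashlib.sha256).digest()


def export_blob(password, salt, machine_secret=None):
    """Build the at-rest blob that an attacker could copy off the machine."""
    if machine_secret is None:
        key = keychain_key(password, salt)
    else:
        key = machine_bound_key(password, salt, machine_secret)
    return {"salt": salt, "kcv": key_check(key), "bound": machine_secret is not None}


def unlock(blob, password, machine_secret=None):
    """True when the password (and, for a bound blob, the machine secret) is right."""
    if blob["bound"]:
        if machine_secret is None:
            return False  # without the host secret there is nothing to test against
        key = machine_bound_key(password, blob["salt"], machine_secret)
    else:
        key = keychain_key(password, blob["salt"])
    return hmac.compare_digest(key_check(key), blob["kcv"])


def offline_oracle(blob, candidates):
    """The situation post 71 describes: holding only the copied blob, test guesses
    at leisure. Returns the matching candidate, or None if the blob cannot answer."""
    for cand in candidates:
        if unlock(blob, cand):  # no machine secret is available off the host
            return cand
    return None


if __name__ == "__main__":
    guesses = ["password", "letmein", "Summer2011", "correct horse"]
    plain = export_blob("Summer2011", SALT)
    bound = export_blob("Summer2011", SALT, MACHINE_SECRET)
    print("password-only blob, off-host:", offline_oracle(plain, guesses))
    print("machine-bound blob, off-host:", offline_oracle(bound, guesses))
    print("machine-bound blob, on-host: ", unlock(bound, "Summer2011", MACHINE_SECRET))
```

With the password-only blob the copied file answers the guess by itself; with the machine-bound blob the same guess list yields nothing off the host, and only the host holding the secret can unlock it.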

    77. Re:All computers are less secure by hansraj · · Score: 1

      Do you have a link to the presentation? The linked article doesn't really get into any technical details and the language made me think that what you said was the case.

    78. Re:All computers are less secure by CalTrumpet · · Score: 1

      I think you mean to say that it is impossible to secure a Mac network using Active-Directory services.

      No, we mean using the Apple services that are equivalent to the Windows services in most enterprises. Specifically OpenDirectory, AFP, mDNS, Server Admin and Remote Desktop.

      Show me this secure Windows network and I'll show you a unicorn that shits glitter.

      Windows 2008R2 x64 with all Windows 7 x64 member workstations. 2008R2 functional level. GPO: KerbOnly, NoLMHash, Require RPC Privacy and Integrity, Require SMB signing (Server and Client), Require LDAP signing (Server and Client), Require AD-enabled IPSec with IPAuth on Windows subnet, use smartcards for Kerb Pre-Auth.

      As perfect and magical as your fantastical horned equus that defecates metal flakes? No, but much harder and noisier to penetrate than the best you can do with 10.7 Client and Server.

    79. Re:All computers are less secure by Anonymous Coward · · Score: 0

      That's not tongue-in-cheek sarcastic bitterness, not at all.

    80. Re:All computers are less secure by arkane1234 · · Score: 1

      Nope, just slackjawed "truth".

      --
      -- This space for lease, low setup fee, inquire within!
    81. Re:All computers are less secure by said213 · · Score: 0

      well, satan lover; you missed the part where the admin account credential is pilfered by the exploit... wait for it... making your rant misplaced.
      react to this trolling post instead... you'll be right; i am trolling!

      --
      help me fix this "Terrible" karma, please!
    82. Re:All computers are less secure by Anonymous Coward · · Score: 0

      The fact that I don't have the admin password for my desktop at work is the reason that most of my real work gets done on my laptop. When I need to get something done, and need some program or library to do it, I apt-get a couple of likely candidates and try them until one of them works. The packages are coming from the Debian servers: they're not a security risk. But if I used my desktop for it, there'd be a turn-around time of hours to days for IT to respond to a request to install a new package, rather than seconds.

    83. Re:All computers are less secure by catmistake · · Score: 1

      No, but much harder and noisier to penetrate than the best you can do with 10.7 Client and Server.

      Ah, so... according to your research, if you already have the admin pw and physical access, infiltrating the Mac network would be easier than infiltrating the dream Windows system you envision without having the admin pw or physical access. Truly outstanding and brilliant work.

    84. Re:All computers are less secure by exomondo · · Score: 1

      So how is that any different than any other system?

      It isn't, but the exploit is being able to extract the admin credentials from the server when it connects to the compromised system and use those credentials to connect to other macs on the network.

    85. Re:All computers are less secure by Thing+1 · · Score: 1

      Basically any opinion which can't be summed up in five words or less is stupid and wrong, and just makes you some kind of elitist snob or "flip-flopper." Intellectualism is out, chest-beating tribalism is in. Welcome to the party.

      Thankfully, I heard on NPR today that will.i.am disagrees: his quote was that "genius is recession-proof." (He was telling kids to stay in school.)

      --
      I feel fantastic, and I'm still alive.
    86. Re:All computers are less secure by CalTrumpet · · Score: 1

      That is incorrect.

      1) On Windows 2008R2/7 it is possible to prevent downgrade to NTLM using GPO. This is a significant improvement and one we would like to see Apple replicate.
      2) Even if you downgrade, it requires an extensive offline attack to recover a strong password from an NTLM handshake. NTLMv2 also has the benefit of being impervious to pre-computed dictionary attacks and contains better protections against relay attacks. DHX2 can be decoded in real-time on a laptop.

      NTLM attacks are the bread-n-butter of APT attackers so it's important to limit their usefulness via appropriate GPO.

    87. Re:All computers are less secure by CalTrumpet · · Score: 2

      Ah, so... according to your research, if you already have the admin pw and physical access, infiltrating the Mac network would be easier than infiltrating the dream Windows system you envision without having the admin pw or physical access. Truly outstanding and brilliant work.

      I have no idea what you are talking about.

      The point was that Apple has done a good job preventing initial exploitation and trying to contain exploitation to a low-rights process. If the attacker is able to defeat those protections, which is plausible on both platforms at the skill level we are discussing, then the next step is using network exploits to become other users, possibly administrators. It is this step that is much easier on managed OS X networks.

    88. Re:All computers are less secure by Anonymous Coward · · Score: 0

      Have they tried this on a network of OSX Lion machines that don't use any "downlevel" OS support... I mean when you say the solution is only use Windows 2008R2/7 you might as well compare that to something fair like a Snow Leopard only or Lion only solution, right? Obviously the weakness is caused because Apple has to reverse engineer the Microsoft compatibility, so they can't use ALL the same security settings a "current patch level only" windows setup can use.

    89. Re:All computers are less secure by smash · · Score: 1

      Lion with its move towards full sandboxing is certainly a step in the right direction.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    90. Re:All computers are less secure by Anonymous Coward · · Score: 0

      Full disclosure please. It looks like your company does a fair amount of work for Microsoft and none for Apple.

    91. Re:All computers are less secure by ThisIsSaei · · Score: 1

      Also finally getting ASLR... somewhat working. That was a huge step. So yes, Lion is good work from Apple.

    92. Re:All computers are less secure by thoromyr · · Score: 1

      Apple should of course fix vulnerabilities. But according to the *article* DHX is *disabled* by *default* and it is secure using Kerberos. AD uses kerberos, I don't know why you think that OSX would use DHX for that. DHX is *legacy* for outdated Apple stuff.

  4. And? by Bert64 · · Score: 3, Insightful

    Windows machines can be pretty secure on their own too, but once hooked up to an active directory domain they are only as secure as the weakest point...

    Also, this seems to be a particular authentication scheme which is flawed, windows has similar flawed schemes (google: pass the hash).

    Finally this just seems to be a stupid bug in a service used for pushing updates, and should therefore be relatively easy to fix.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:And? by Baloroth · · Score: 2, Interesting

      Read TFA. It is possible (trivially, supposedly) to force Macs to use DHX (the insecure protocol). So, essentially, even if you use the secure system, it doesn't matter. That is a bit troubling for OS X enterprise users, to say the least.

      I suppose the lesson here is that after 15 years of being the #1 target, M$ might finally be starting to get its shit in a respectable state, while Apple, for all its theoretical security, has very little experience dealing with actual security issues. Or maybe it's just a random bug, IDK.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    2. Re:And? by WaffleMonster · · Score: 1

      Windows machines can be pretty secure on their own too, but once hooked up to an active directory domain they are only as secure as the weakest point...

      Just because a windows computer has joined a domain does not mean the domain now has root or for that matter *any* access to the local computer. It is still determined by local policy.

      Also, this seems to be a particular authentication scheme which is flawed, windows has similar flawed schemes (google: pass the hash).

      Windows of today uses kerberos.

    3. Re:And? by NatasRevol · · Score: 3, Funny

      It's not a bug, it's a design difference. On Mac Server, it does fall back to simpler protocols because that's how it was often set up - no real sysadmins means no consistent use of strong authentication.

      However, it would all go away if Apple required and ONLY allowed kerberos for authentication of any service from OS X Server. In other words, just like AD.

      Having said that, this exploit still requires an admin password to escalate privileges - which isn't typically given in a corporate setting. In other words, admin passwords can do admin things.

      --
      There are two types of people in the world: Those who crave closure
    4. Re:And? by Anonymous Coward · · Score: 0

      actually the default behavior when you join a domain is to place the domain admin group in the local administrators group, thereby giving domain admins local admin privileges by default. Also, by being in the domain, the domain can automatically enforce computer policy which can basically do anything to a windows PC.

    5. Re:And? by Bert64 · · Score: 1

      But it doesn't *require* DHX, therefore it should be a relatively easy patch to make it possible to force DHX off at all times.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:And? by Bert64 · · Score: 2

      AD doesn't require and exclusively make use of kerberos, it can (and by default does, although which ones depend on the version) use weaker authentication schemes (ntlm, ntlmv2, lanman)... Apparently the hash passing vulnerabilities also exist when using kerberos only, it's just that tools to exploit this are not publicly available to do this yet.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    7. Re:And? by Revotron · · Score: 3, Informative

      I do have modpoints, but unfortunately there is no "-1, Wrong" rating. And unlike other people, I will not substitute Troll, Overrated or Flamebait.

      But anyway, back to the topic at hand... uh, where the hell do you work? I work in a very Windows-heavy environment, and every time we add any Windows boxen to the domain, the domain admins get automatic admin rights. There's nothing we can do to stop it. This is a 10,000+ workstation university, though, so at least they're distant and maybe (only maybe) competent enough to not abuse it.

    8. Re:And? by Bert64 · · Score: 4, Insightful

      Under a typical/default configuration, a domain has full control over a local machine once it has been joined to the domain... But that's not the point, the fact that having compromised the *server* you can take control of the *clients* is a given in any distributed authentication scheme, be it nis, kerberos, ldap or whatever...

      The problem discussed in the article is that having compromised a single *client* you can take control of the server or other clients. Windows has such problems too, for instance once a domain user is logged in their password hash is stored on the system where it can be retrieved and then used. Also since most machines are built from images, local admin passwords are often the same and thanks to hash passing vulnerabilities can be used immediately without having to crack them (and as such irrespective of how strong the password is).

      Windows of today still has NTLM and NTLMv2 enabled by default... It also still supports LANMAN although that is disabled by default in the latest versions. It is also apparently possible to do hash passing attacks even with only kerberos enabled, although I'm not aware of tools for doing that being widely available yet.

      Ideally compromising a single client should get you nowhere (and many admins incorrectly assume this to be true)... But as some recent high profile attacks show, a serious attack can easily start from a single unimportant workstation, and there are many ways to compromise a single workstation (social engineering, browser exploit, malicious document exploiting whatever app they open it with etc)...

      What is really needed is a complete rethink of the old perimeter defence model... Although you can (and should) take steps to reduce the chances of the perimeter being breached in the above ways, if you don't pay attention to internal security then once a single small breach has happened it's game over for you.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    9. Re:And? by Anonymous Coward · · Score: 0

      The bigger issue is why the hell is ANYONE using a full domain administrator account and why does anyone except for maybe two people and a locked safe have the password? The problem is not the MS implementation, it is your administrators.

      Oh, and you can block domain administrator rights (or anyones rights) from propagating to places you don't want them. We do this on purpose for many reasons in our AD structure.

    10. Re:And? by sl4shd0rk · · Score: 2, Insightful

      ...while Apple, for all its theoretical security, has very little experience dealing with actual security issues. Or maybe it's just a random bug, IDK.

      Exactly. The bigger picture is concerning because Apple really *is* poised to become the Next Big Thing on the Desktop (Sorry Linux. You're awesome, but slaying the n00bs will never get you on the Desktop). Hopefully Apple will do a better job at fixing vulnerabilities than Microsoft did. The users are (as usual) going to be key however because (FTFA - pdf link):

          * Apple users feel safe because they have no history of exploitation
          * Apple users tend to be just as ignorant as anyone else
                - Go ahead and run this unsigned binary
                - Who needs AV ?
          * 14% of all publicly disclosed OS exploits in 2008 affected OSX
          * 1,151 CVEs in past 3 years affected Apple (Windows was 1,325)
          * Mac users not paranoid like Win users so may be easier to socially engineer


      --
      Join the Slashcott! Feb 10 thru Feb 17!
    11. Re:And? by Mister+Whirly · · Score: 1

      And if any sysadmin doesn't turn all those weak protocols off as one of the very first things in setting up the server, he needs to turn in his pocket protector. Our AD policies turn those protocols off on the client machines before joining to AD. Using Kerberos is a requirement to join.

      --
      "But this one goes to 11!"
    12. Re:And? by rgviza · · Score: 1

      Having said that, this exploit still requires an admin password to escalate privileges
      --
      Or a privilege escalation exploit...

      --
      Don't kid yourself. It's the size of the regexp AND how you use it that counts.
    13. Re:And? by rgviza · · Score: 1

      Exactly. The bigger picture is concerning because Apple really *is* poised to become the Next Big Thing on the Desktop

      --
      not at those prices...

      --
      Don't kid yourself. It's the size of the regexp AND how you use it that counts.
    14. Re:And? by necrogram · · Score: 1

      Domain admins having admin on windows client isn't that big of a deal. A domain admin wielding GPO or Configuration Manager can do more harm than with local box admin privs. Plus, those guys own the directory service; there's a lot of power just with that.

    15. Re:And? by LordLimecat · · Score: 1

      Windows machines can be pretty secure on their own too, but once hooked up to an active directory domain they are only as secure as the weakest point...

      More accurately, they are only as secure as the Group Policies that force them to the same standard that is set on the server.

      You don't have weak workstations on an AD network, just weak policies.

    16. Re:And? by LordLimecat · · Score: 1

      That is a bit troubling for OS X enterprise users

      Which is why that term is a misnomer, and the only "OSX enterprise users" are the ones who have forced their subordinates to hook an OSX system into the rest of the system (at least in my experience, apologies if you've actually built a secure and productive "enterprise" on macs).

    17. Re:And? by Anonymous Coward · · Score: 0

      Do you know how much POS software has to have LANMAN style used to function? (Lots!) It's the only reason we still use WINS

    18. Re:And? by Anonymous Coward · · Score: 0

      Probably lucky you don't have mod points as you would be INCORRECTLY modding him down. Domain admins do NOT need to be a member of the local admin group; that is simply the default and the most desirable setting in an AD environment, as you usually want your domain admins to have easy control of member machines, but it is certainly not unstoppable nor required.

    19. Re:And? by Anonymous Coward · · Score: 0

      Anything you said is automatically disregarded as you used boxen. Seriously? What the fuck are you thinking trying to get yourself taken well when you use that?

  5. One morning by AHuxley · · Score: 1

    I found 10.7 with Airport turned on and little snitch (software outgoing firewall for Mac OS X) needing to be reinstalled....
    Could it be?

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:One morning by catmistake · · Score: 1

      Try paying for software. If you want to rob developers, just break into their houses like honest thieves.

  6. Lalalalalalala by JustAnotherIdiot · · Score: 0

    I'm not listening! My Mac is perfect in every shape, form, and fashion, Steve Jobs said so! Clearly you hackers are lying, and put windows in those machines!

    --
    What do I know, I'm just an idiot, right?
    1. Re:Lalalalalalala by whiteboy86 · · Score: 0

      Happy times! Macs are perfect, protected by the genius design of OSX and blessed by SJ himself. Windows nerds are just spreading lies and fearmongering. I've never got any virus or got hac

    2. Re:Lalalalalalala by Anonymous Coward · · Score: 0

      Clearly, these users are using Their(tm) Macs wrong! Of course you're not supposed to place these precious, precious creatures — each of them one of Steve's own creations, no less — in such a hostile, Jobs-less environment! How could anyone be so cruel?

  7. Mac's lacking Enterprise tools that windows has by Joe_Dragon · · Score: 1

    Macs are lacking Enterprise tools that Windows has.

    At least apple should let you run mac os X server on ANY VM on any hardware.

    1. Re:Mac's lacking Enterprise tools that windows has by Anonymous Coward · · Score: 0

      I find it really hard to call Apple a hardware company with respect to their Mac offerings, when 99% of their hardware is off the shelf parts.

    2. Re:Mac's lacking Enterprise tools that windows has by futuresheep · · Score: 2
      With Lion and VMWare ESX 5.0 you'll be able to do this. The license terms were changed in Lion to allow you to run in a VM, and ESX 5.0 will come with UEFI as a boot option.

      http://www.ntpro.nl/blog/archives/1786-vSphere-5-Video-EFI-the-Extensible-Firmware-Interface.html

    3. Re:Mac's lacking Enterprise tools that windows has by mikael_j · · Score: 1

      Apple isn't a hardware company, they're a systems company. An easy mistake to make these days though since there really aren't a lot of those left. Apple's thing is integration, to make sure everything fits together nicely (not saying it's ever 100% but it sure tends to beat the average Wintel OEM box).

      --
      Greylisting is to SMTP as NAT is to IPv4
    4. Re:Mac's lacking Enterprise tools that windows has by Anomalyst · · Score: 1

      Unfortunately there are no affordable/commodity hardware platforms that will allow you to use more than 4GB of memory in your host to support multiple IOS Guest VM.

      --
      There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
    5. Re:Mac's lacking Enterprise tools that windows has by Bill_the_Engineer · · Score: 1

      At least apple should let you run mac os X server on ANY VM on any hardware.

      Nice cut-n-paste job. If it's a genuine comment then I apologize for the error of mistaking a word-for-word comment used in what seems every damn Apple in the enterprise article submitted on slashdot.

      The problem with the "any hardware" theory is that (1) Apple would not allow a stupid thing like that to occur again because they are a hardware company and the clone experiment didn't work out and (2) it's not even close to being required for enterprise. Get a Mac Pro and run a VM and do all your configuration tests in a virtual machine as supported by the new EULA included with OS X Lion. Can't afford a Mac Pro or even a Mac Mini? Well maybe you don't actually work for an enterprise.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    6. Re:Mac's lacking Enterprise tools that windows has by Anonymous Coward · · Score: 0

      Mac mini Lion server supports 8 GB. I just bought one configured that way.

    7. Re:Mac's lacking Enterprise tools that windows has by Anonymous Coward · · Score: 0

      With Lion and VMWare ESX 5.0 you'll be able to do this. The license terms were changed in Lion to allow you to run in a VM hosted on Apple hardware [...]

      FTFY. The Lion license terms still do not allow what the OP wants, which is an OS X Server VM hosted on any hardware. Apple is truly a hardware company which uses its software as one of the tools for selling its hardware, so they're being very reluctant to open a VM backdoor in their OS licensing.

    8. Re:Mac's lacking Enterprise tools that windows has by toddestan · · Score: 1

      If Apple expects people to take OS X server seriously, they need some serious server hardware to run it on. If Apple doesn't want to build that hardware, that's fine, but disallowing OS X server to be installed on anything else makes it a bit of a joke.

  8. Is DHX enterprise grade? by Midnight+Thunder · · Score: 4, Insightful

    Reading the tech note (marked archived) it makes it appear that DHX is an optional install and it is not clear. Also, doesn't MacOS X also provide enterprise grade solutions for authentication? Kerberos is available out of the box if I understand, for example.

    BTW With the description "The DHX (Diffie-Hellman Exchange) UAM provides a relatively secure way to transport cleartext passwords..." (emphasis mine),
    I am not sure you would want to use this for anything serious.

    --
    Jumpstart the tartan drive.
    1. Re:Is DHX enterprise grade? by Anonymous Coward · · Score: 0

      Any problems would be in the implementation rather than the actual Diffie–Hellman key exchange method as it's used in so many cryptographically secure protocols it's a joke.

    2. Re:Is DHX enterprise grade? by Anonymous Coward · · Score: 0

      It's not like Diffie-Hellman is the foundation of public key cryptography or anything. Their implementation is what it says on the tin. Why don't you go read about cryptography; then you can actually make informed comments about their algorithms instead of fearmongering.

    3. Re:Is DHX enterprise grade? by Anonymous Coward · · Score: 1

      To demonstrate the threat, they developed a proof-of-concept that runs on a Mac connected to a local area network. It waits to be contacted by a machine running OS X server and then quickly copies all its authentication credentials. Next, it contacts other Macs on the network and pretends to be the administrator machine, and when they respond it is able to steal valuable data.

      There's nothing wrong with the Diffie-Hellman Key Exchange as long as you know what it's meant for, and it's not meant for authentication it's used for sharing a secret over an insecure channel. It's vulnerable to man-in-the-middle attacks and this is exactly what is happening here. It's a problem with their protocol not the cryptography.

    4. Re:Is DHX enterprise grade? by Midnight+Thunder · · Score: 1

      I'll admit I don't have much experience in the realm of crypto, but on the tin it did have it labelled "relatively secure" as opposed to "secure". Sure, I may be misreading the label and it may be Apple's way of saying "it is secure, but we won't guarantee it legally"?

      Also, if the tech note is marked "archived", what is the current status of DHX in Lion?

      --
      Jumpstart the tartan drive.
    5. Re:Is DHX enterprise grade? by MachineShedFred · · Score: 1

      The DHX UAM was introduced to Mac OS X 10.0. That should tell you something about how secure (or not) it is. It's over 10 years old, and deals in clear text.

      Apple really should give you a way to disable this, and have it disabled by default; allowing a sysadmin to turn it on only if absolutely necessary.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    6. Re:Is DHX enterprise grade? by Tomato42 · · Score: 1

      I learned that DH key exchange is insecure unless you know the attacker can't MITM you in school! During my first year at university. Any cryptographer that thought that bare DH is a good idea isn't worth the paper his resume was written on. They could at least use a pre-shared secret to authenticate parties in the key exchange if they couldn't be bothered with a full-blown PKI.
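
      A worked illustration of the point made in the two posts above (an unauthenticated Diffie-Hellman exchange gives the receiving side nothing to check, so a substituted public value goes unnoticed; a tag keyed with a pre-shared secret makes the substitution fail verification). This is added here for readers and is not Apple's DHX code, nor code from iSec or any poster; the group parameters and the pre-shared key are constructed toy values.

```python
"""Unauthenticated vs. PSK-authenticated Diffie-Hellman, as discussed above.

Added illustration, not Apple's DHX implementation. The group is a
constructed toy (127-bit Mersenne prime, generator 2); a real deployment
uses a vetted group of 2048 bits or more, or an elliptic curve."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # constructed toy modulus
G = 2


def dh_keypair():
    """Random private exponent in [2, P-2] and the matching public value."""
    priv = 2 + secrets.randbelow(P - 3)
    return priv, pow(G, priv, P)


def derive_key(priv, peer_pub):
    """Session key: hash of the shared secret g^(ab) mod p."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def authenticator(psk, role, pub):
    """Keyed MAC over (role, public value). Only a holder of psk can
    produce it, so a substituted public value cannot carry a valid tag."""
    return hmac.new(psk, role + pub.to_bytes(16, "big"), hashlib.sha256).digest()


def make_message(role, pub, psk):
    msg = {"role": role, "pub": pub}
    if psk is not None:
        msg["tag"] = authenticator(psk, role, pub)
    return msg


def accept(msg, psk):
    """Receiver's check. With no psk there is nothing to verify, so any
    public value is accepted (the bare-DH situation); with a psk, a
    missing or non-matching tag rejects the message."""
    if psk is None:
        return True
    tag = msg.get("tag")
    return tag is not None and hmac.compare_digest(
        tag, authenticator(psk, msg["role"], msg["pub"]))


class Interposer:
    """A party on the wire that swaps its own public value into each
    message. It does not hold psk, so it can only pass tags through."""

    def __init__(self):
        self.priv, self.pub = dh_keypair()

    def rewrite(self, msg):
        out = dict(msg)
        out["pub"] = self.pub       # any tag still covers the original value
        return out


def exchange(psk=None, interposer=None):
    """Two-message exchange, client -> server then server -> client.
    Returns ("ok", keys_match) if both sides accept their peer's message,
    ("aborted", None) if an authenticator check fails. With no psk and an
    interposer present, both sides accept yet end up with different keys,
    and nothing in the protocol tells them so."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()

    to_server = make_message(b"client", c_pub, psk)
    if interposer is not None:
        to_server = interposer.rewrite(to_server)
    if not accept(to_server, psk):
        return ("aborted", None)

    to_client = make_message(b"server", s_pub, psk)
    if interposer is not None:
        to_client = interposer.rewrite(to_client)
    if not accept(to_client, psk):
        return ("aborted", None)

    k_client = derive_key(c_priv, to_client["pub"])
    k_server = derive_key(s_priv, to_server["pub"])
    return ("ok", k_client == k_server)


if __name__ == "__main__":
    psk = secrets.token_bytes(32)          # constructed pre-shared key
    print("bare DH, clean wire:          ", exchange())
    print("bare DH, interposed:          ", exchange(interposer=Interposer()))
    print("PSK-authenticated, clean wire:", exchange(psk=psk))
    print("PSK-authenticated, interposed:", exchange(psk=psk, interposer=Interposer()))
```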

  9. Easy fix, for lazy administrators by schmidt349 · · Score: 5, Informative

    defaults write com.apple.AppleShareClient afp_cleartext_allow -bool NO

    There, that wasn't so hard, was it? Oh, and their hack only works if the server is on the same subnet as the other machines, which is a really bad idea for secure networks to begin with.

    To be sure, keeping Diffie-Hellman around in an era when sending plaintext passwords is anathema was pretty stupid, but you can bet that it'll be dead and gone in 10.7.1. This hack is not nearly as scary or as "persistent" as all that, and conveniently their paper isn't available for download and perusal. Looks like they just wanted their names in the news.

    Next up, these same hackers break DES and show you how to infiltrate BSD 3! What will they think of next?

    1. Re:Easy fix, for lazy administrators by CalTrumpet · · Score: 2

      You can turn off plaintext auth, but you cannot disable unsigned DH.

      Even if you could restrict to kerberos, there is no channel binding protecting the contents of these protocols, so auth relay attacks are pretty easy to pull off.

      The mDNS MITM attack can be carried out across Layer-3 routing in some circumstances. In situations where this does not work, an attack against clients on the same broadcast domain is just as effective.

      I would love for these issues to be fixed in 10.7.1, but that is extremely unlikely as truly hardening OS X against network privilege escalation would require significant architectural and cryptographic changes that would break backwards compatibility. These are equivalent issues to those faced by NT4 networks, although I have faith that if Apple was interested in correcting these issues they could do so much more quickly than Microsoft took to go from NT4->2008R2.

      The slides are available here. Please let me know if you have any substantive feedback.

    2. Re:Easy fix, for lazy administrators by schmidt349 · · Score: 1

      Thanks so much for linking the slides! Just some initial thoughts:

      On Slide 17, the CVE percentages are meaningless without some breakdown of installed base. If "Mac OS Server" includes everything from Rhapsody DR2 on up, then the numbers are flawed. If not, Apple might have some security issues.

      Slide 28 -- I'm not particularly clear on why you would want ASLR or DEP to be configurable -- that just opens another avenue of attack. It should be always on every process all the time to be meaningfully effective.

      Slide 34 -- UAC can be and frequently is turned off by stupid people, even some software vendors demand that it be disabled due to "incompatibilities". Escalation dialogs in Mac OS can't be.

      Slide 38 -- you keep calling the attack on the Keychain credential store a "brute force," but it isn't -- it's a simple social engineering attack to get a password. Unfortunately the Keychain keeps (encrypted) passwords in the clear rather than hashes only, but this is so users don't forget their passwords.

      Slide 53 -- "Modify existing binaries and services, which breaks signing but is generally not noticed" -- maybe in your shop, pal, not mine.

      Slide 76 -- "Run your computers as little islands on a hostile network" -- FTFY

      The Bonjoof hack is very clever, and demonstrates a real hole in the way Bonjour handles computer identification. In a well-managed enterprise situation I would expect it to be turned off though. I don't precisely know what it means by a "centralized" way to turn it off. That would be done in the imaging phase of deployment.

      On balance the presentation seems to be just an "Apple is vulnerable too" talk, given the countless comparisons with Windows. All the clever people already knew that. The presentation seems to have been excellent in terms of breadth and thoroughness, though, and I would call it a must-read for network ITs in Mac-friendly environments.

      Moral of the story? Every one of your attacks here can be mitigated structurally. In a secure environment, don't let your end users be sudoers, filter Bonjour traffic across layers, and always keep your server on a different subnet. We've been doing all that for years; combined with administrator vigilance, people should still be OK.

    3. Re:Easy fix, for lazy administrators by greed · · Score: 1

      The keychain has to keep recoverable plaintexts for passwords: it works by supplying the password to an arbitrary authentication mechanism.

      If it stored hashes instead, those would simply become equivalent to plaintext; you'd need only that hash to authenticate. You couldn't, for example, store a hash from a challenge-response system--you have to compute the response for each challenge.

      If you really need that kind of protection, Kerberos 5 very quickly seems to be the "done already" answer. (And yes, I know what it takes to run a krb5 server group; though only enough to get OpenAFS happy.)

    4. Re:Easy fix, for lazy administrators by schmidt349 · · Score: 1

      Oops! Brain fart. Yeah, of course hashing means nothing to a credential store. Of course, my solution to all this malarkey would be to hire a million monkeys on keyboards to try all the different Kerberos configurations, so we're in agreement there!

    5. Re:Easy fix, for lazy administrators by CalTrumpet · · Score: 2

      Slide 28 -- I'm not particularly clear on why you would want ASLR or DEP to be configurable -- that just opens another avenue of attack. It should be always on every process all the time to be meaningfully effective.

      It's unlikely that any consumer OS will ship with these protections on all of the time. By default, both OS X and Windows 7 apply ASLR and NX protections to binaries that "opt-in". The difference is that on Windows you can force these protections on binaries from legacy compilers and linkers. This will often result in the process crashing, but in an enterprise environment you might prefer to crash old programs than to allow somebody to run Firefox 2, for example. This would be a simple fix for OS X and I wouldn't be shocked if they slipped it into a future patch quietly as a sysctl.

      Slide 38 -- you keep calling the attack on the Keychain credential store a "brute force," but it isn't -- it's a simple social engineering attack to get a password. Unfortunately the Keychain keeps (encrypted) passwords in the clear rather than hashes only, but this is so users don't forget their passwords.

      There are a couple of issues getting mixed together here. One way that you might escalate your privilege from a sandboxed, low-rights process would be a social engineering attack using an escalation prompt, as we showed. The keychain offers another option, because the encryption key used to protect it is solely derived from the user's password. The keychain file is available from the sandbox, so an attacker could pull the keychain file and send it off-site for a brute-force attack. The algorithm is definitely non-trivial to brute-force (1000 rounds of seeded MD5) but is not out of bounds for state-sponsored attackers, especially if the user is using a weak password. So the keychain isn't only useful to us as a repository of network passwords, but as a decryption oracle that can be cracked off-site (like in a basement in Beijing, cough...).

      Our recommendation to Apple was to provide the user keying material that is partially derived from the user as well as from a machine-specific key stored somewhere only available to root. This would at least prevent low-rights and sandboxed processes from using the keychain as an oracle, although it would likely impact compatibility with downlevel versions of migration assistant.

      Slide 53 -- "Modify existing binaries and services, which breaks signing but is generally not noticed" -- maybe in your shop, pal, not mine.

      How do you regularly check for system binaries being modified? Do you use Tripwire? There seems to be no equivalent technology built into OS X, so we pointed out that one way to persist malware would be to modify parts of the system that are already running. This is, in no way, an OS X specific issue, although the lack of kernel extension signing makes it a bit more problematic than on Windows. (That being said, state hackers have already demonstrated a propensity for stealing Authenticode certificates from hardware makers, so driver signing isn't super helpful on Windows).

      Slide 76 -- "Run your computers as little islands on a hostile network" -- FTFY

      I disagree with this correction and your summary of our work. Our conclusion is that Apple has evened the score with Windows on anti-exploit technologies and has made it much easier for their ISVs to use the OS's sandboxing capabilities. We also concluded that it is possible to build a secure, managed Windows network that uses integrated authentication mechanisms to provide access to network services, although most organizations will not be ready to take the back-compat hit it takes to do so correctly. We concluded that it is currently impossible to build a secure network using OS X and OS X Server, and that any use of Apple-proprietary protocols makes credential stealing and network escalation attacks easier than it should be.

      The TL;DR is that Apple machines are more secure alone, and Windows machines are more secure when connected and managed.
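      The keychain point above (a key derived solely from the user's password can be cracked off-site once the file is exfiltrated, versus iSEC's recommendation to mix in a root-only machine key) can be illustrated with a small script. This is an added example, not code from the poster or from Apple: the "1000 rounds of seeded MD5" construction is a simplified stand-in for the real keychain format, and the salt, machine key, password and wordlist are all constructed values.

      ```python
      import hashlib
      import hmac

      # Iteration count taken from the post; the derivation below is a simplified
      # illustration, NOT Apple's actual keychain algorithm.
      ROUNDS = 1000


      def derive_key_password_only(password: str, salt: bytes) -> bytes:
          """Toy KDF: 1000 iterations of MD5 over salt||password.

          Every input except the password sits in the keychain file itself, so an
          attacker who copies the file can recompute candidate keys offline."""
          digest = salt + password.encode()
          for _ in range(ROUNDS):
              digest = hashlib.md5(digest).digest()
          return digest


      def derive_key_with_machine_secret(password: str, salt: bytes, machine_key: bytes) -> bytes:
          """Mix a root-only machine key into the password-derived key via HMAC.

          Without machine_key the output cannot be recomputed, so the exfiltrated
          file alone no longer works as a decryption oracle for low-rights code."""
          pw_key = derive_key_password_only(password, salt)
          return hmac.new(machine_key, pw_key, hashlib.sha256).digest()


      def offline_guess(target_key: bytes, salt: bytes, candidates) -> str | None:
          """Simulate the off-site attack from the post: recompute the password-only
          derivation for each wordlist entry and compare against the stolen key.
          Returns the matching password, or None if the list is exhausted."""
          for pw in candidates:
              if hmac.compare_digest(derive_key_password_only(pw, salt), target_key):
                  return pw
          return None


      def demo() -> tuple[str | None, str | None]:
          salt = b"\x01\x02\x03\x04\x05\x06\x07\x08"          # constructed
          machine_key = bytes(range(32))                      # constructed; root-only on the host
          user_password = "summer2011"                        # constructed weak password
          wordlist = ["password", "letmein", "summer2011", "qwerty"]  # constructed

          stolen_file_key = derive_key_password_only(user_password, salt)
          hardened_key = derive_key_with_machine_secret(user_password, salt, machine_key)

          cracked = offline_guess(stolen_file_key, salt, wordlist)   # weak password falls
          not_cracked = offline_guess(hardened_key, salt, wordlist)  # no machine key, no oracle
          return cracked, not_cracked


      if __name__ == "__main__":
          print(demo())
      ```

      The first call recovers the constructed weak password from the wordlist because nothing outside the file is needed; the second returns nothing because the attacker cannot reproduce the HMAC step without the machine key, which is the property the recommendation to Apple is after (at the compatibility cost with older Migration Assistant versions noted above).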

    6. Re:Easy fix, for lazy administrators by gad_zuki! · · Score: 1

      >Slide 34 -- UAC can be and frequently is turned off by stupid people, even some software vendors demand that it be disabled due to "incompatibilities". Escalation dialogs in Mac OS can't be.

      Frequent? The only time I've seen it off or recommended it off is with the computer "enthusiast" crowd who hate anything different or security related and tell each other they're better off without it, circa the release of Vista.

      Jane User has no idea how to shut it off and Jane WorkerBee doesn't have admin rights to shut it off anyway.

  10. No Way... by Anonymous Coward · · Score: 0

    This "exploit" only works when users do stupid things. OSX isn't perfect or secure by any stretch of the imagination, but it's no more vulnerable than any other OS when users install malware.

  11. Thanks by Anonymous Coward · · Score: 0

    Hey Doodz! You 1337 hax0r5. I appreciate the heads up. Now I expect Apple to improve their encryption and secure this protocol in the next update. Suddenly, Macs will be more secure than Windows, again.

    Frankly, this reminds me of the weak sauce that is LANMAN which still haunts us to this day.

  12. wtf? by mark-t · · Score: 1

    FTA:

    To demonstrate the threat, they developed a proof-of-concept that runs on a Mac connected to a local area network. It waits to be contacted by a machine running OS X server and then quickly copies all its authentication credentials. Next, it contacts other Macs on the network and pretends to be the administrator machine, and when they respond it is able to steal valuable data.

    Why is the server transmitting any authentication credentials to a machine that it hasn't actually confirmed is supposed to be receiving them in the first place?

    I understand the point of DHX... it's ideal for secure communication on an otherwise open channel, but it's just plain stupid to use it to talk between strangers... you have to use another protocol along side it to really verify the identity of the listener and sender.

    1. Re:wtf? by Chuckstar · · Score: 1

      The article got it wrong. There's a PowerPoint linked at the bottom that explains it better. The infected machine spoofs the server. A client looking for the OS X server instead authenticates to the infected machine. The infected machine now has one user's credentials, so can do whatever that user can (including, I guess, act as man-in-the-middle passing legitimate requests to/from the server so that the user perceives no problem with the network).

      In the PowerPoint, they show the infected machine getting admin credentials through this transaction, but that might just be the worst-case scenario. Or, they could mean that a clever hacker might program the infected machine to wait until it received admin credentials before doing anything (else) out of the ordinary. In the PowerPoint, the infected machine uses the admin credentials to fix the original spoof, at which point it has free rein of the network without having to keep up its man-in-the-middle role.

      Because of the way Apple's server protocols work, spoofing is very easy, it's fixing the spoof that's hard. A well-behaved Bonjour machine will give up its name if another computer claims it. So all the infected machine has to do is claim it already has the server's name (maybe "OS X Server", as an example). Then the server will dutifully change its name to "OS X Server-2". Now any computer looking for "OS X Server" finds the infected machine instead of the real server. When the infected machine wants out of its man-in-the-middle position (maybe fearing discovery if too much network activity is routed through it), it uses its newly acquired admin credentials to ask the server to change its name back from "OS X Server-2" to "OS X Server". If it doesn't change the name back, it could still stop announcing itself as "OS X Server", but the real server would then be unavailable and that might cause network admins to start poking around.

      Which raises a potential issue: what if the infected computer never receives admin credentials? At what point does it become noticeable that all the Mac network traffic that should be going to "OS X Server" is instead going to this random workstation? And if that workstation periodically stops spoofing the server (for fear of the traffic being noticed), without the ability to force the server to change its name back, would anyone become suspicious that "OS X Server" occasionally (and seemingly spontaneously) changes its name to "OS X Server-2"?

      But at that point, even if it has never been able to get admin credentials, the infected machine may have had access to all kinds of data/services on the network.
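      The comment above raises exactly the question a defender would ask: when does a service name moving to a random workstation, or the real server reappearing as "OS X Server-2", become noticeable? One way to make it noticeable is to watch the Bonjour announcements on the LAN. The following is an added example, not code from the commenter or from iSEC: it runs a simple collision detector over a constructed list of (time, service name, host) announcements; the service name, hosts and timestamps are all made up.

      ```python
      import re

      # Constructed sample of observed Bonjour/mDNS service announcements:
      # (timestamp, advertised service instance name, advertising host).
      SAMPLE_ANNOUNCEMENTS = [
          ("09:00:01", "OS X Server._afpovertcp._tcp.local.", "10.0.0.5"),
          ("09:00:02", "OS X Server._afpovertcp._tcp.local.", "10.0.0.5"),
          ("09:05:10", "OS X Server._afpovertcp._tcp.local.", "10.0.0.77"),   # another host claims the name
          ("09:05:11", "OS X Server-2._afpovertcp._tcp.local.", "10.0.0.5"),  # original host renamed itself
      ]

      # Matches the "<name>-<N>.<type>.<tcp|udp>.local." form Bonjour uses when
      # a host backs off from a name conflict.
      RENAME_SUFFIX = re.compile(
          r"^(?P<base>.+?)-(?P<n>\d+)(?P<rest>\._[^.]+\._(?:tcp|udp)\.local\.)$"
      )


      def detect_name_collisions(announcements):
          """Return alerts for two conditions worth a look on a Mac network:

          1. a service instance name is now advertised by a different host than
             the one first seen advertising it;
          2. the host first seen with a base name reappears under "name-N",
             which is what conflict resolution does to the loser of a name claim.
          """
          first_owner = {}  # service instance name -> host first seen advertising it
          alerts = []
          for ts, name, host in announcements:
              prev = first_owner.get(name)
              if prev is None:
                  first_owner[name] = host
              elif prev != host:
                  alerts.append((ts, f"service {name!r} moved from {prev} to {host}"))

              m = RENAME_SUFFIX.match(name)
              if m:
                  base = m.group("base") + m.group("rest")
                  if first_owner.get(base) == host:
                      alerts.append((ts, f"host {host} was renamed from {base!r} to {name!r}; "
                                         "possible name conflict"))
          return alerts


      if __name__ == "__main__":
          for ts, msg in detect_name_collisions(SAMPLE_ANNOUNCEMENTS):
              print(ts, msg)
      ```

      On the constructed sample this produces two alerts, one for the name moving to 10.0.0.77 and one for 10.0.0.5 turning into "OS X Server-2". The detector deliberately keeps the first-seen owner rather than updating it on a move, so the rename of the legitimate host is still recognisable after the name has been claimed.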

    2. Re:wtf? by mark-t · · Score: 1

      MitM has always been a well known vulnerability of DHX... the point of DHX is for secure communication on an open channel... such as radio, or even broadcast LAN packets, not point to point or relayed communication.

  13. Sounds Like Windows95 by Anonymous Coward · · Score: 1

    We're not moving backwards here, are we?

    1. Re:Sounds Like Windows95 by Anonymous Coward · · Score: 0

      How about you STFU while the grown-ups talk, OK?

    2. Re:Sounds Like Windows95 by JustAnotherIdiot · · Score: 1

      Because clearly the adult thing to do is to tell a child to shut the fuck up, real good adult right here.

      --
      What do I know, I'm just an idiot, right?
    3. Re:Sounds Like Windows95 by arkane1234 · · Score: 1

      You're new here, aren't you?

      --
      -- This space for lease, low setup fee, inquire within!
  14. Users with admin rights? by Udo+Schmitz · · Score: 2

    Do I understand their presentation correctly? Users in said Enterprise have admin privileges?

    1. Re:Users with admin rights? by Anonymous Coward · · Score: 0

      "Users in said Enterprise have admin privileges?"

      Lt Cdr Data
      Lt Cdr LaForge
      Lt Worf
      Cdr Riker
      Capt Jean Luc Picard

      I don't think that Ens Wesley Crusher should have admin privileges, but he's probably hacked the system anyway

    2. Re:Users with admin rights? by NatasRevol · · Score: 3, Insightful

      Yeah, which is not the case most of the time.

      Users with admin passwords can do admin things. Duh.

      Meaning this 'exploit' isn't much of an exploit.

      --
      There are two types of people in the world: Those who crave closure
    3. Re:Users with admin rights? by BradleyUffner · · Score: 1

      Do I understand their presentation correctly? Users in said Enterprise have admin privileges?

      Yes, and typically the admin of the system has admin privileges. It may not be good practice to run a normal account with admin rights, but every company I've worked for has done it. Typically more than just that user have admin rights too, other tech support people, and even some of the higher level programmers seem to get admin rights to the domain (not just the local system).

    4. Re:Users with admin rights? by CapuchinSeven · · Score: 4, Insightful

      No, you got it, this is a load of rubbish and is being presented as some sort of reason to bash Macs. If you're an Admin and you let your users have admin rights, you shouldn't be in your job. Interestingly, as I understand it, the same vulnerability used on Microsoft's AD doesn't need an admin password. So... how does that make any sense that Macs in enterprise are more vulnerable...?

    5. Re:Users with admin rights? by Anonymous Coward · · Score: 0

      the same vulnerability used on Microsoft's AD doesn't need an admin password

      Citation needed

    6. Re:Users with admin rights? by NatasRevol · · Score: 1

      I didn't see the actual presentation, but the exploit at the beginning of the presentation shows an AD hack, and doesn't mention needing passwords - just clicking on a malicious link.

      --
      There are two types of people in the world: Those who crave closure
    7. Re:Users with admin rights? by Anonymous Coward · · Score: 0

      Are there any actual software administration type systems that call for multiple admins to enter credentials for sensitive processes (ie blowing up the ship)?

    8. Re:Users with admin rights? by Anonymous Coward · · Score: 0

      Nope. Captain == root

    9. Re:Users with admin rights? by snemarch · · Score: 1

      Admin passwords or admin privileges?

      Taking local privilege escalation exploits into consideration, there's a damn big difference between the two.

      --
      Coffee-driven development.
    10. Re:Users with admin rights? by Anonymous Coward · · Score: 1

      There is only one account in my entire Open Directory structure that has admin privileges: the directory administrator account. Nope, I don't even have admin privileges on my own account. If I need to administer a computer, I log in as admin. Ya, there's still the local admin account, but I don't use it and I don't give the password to any users. Same with the Windows machines.

      Even with the software that's designed to only run with admin privileges, you can make it do without. Just give user rights to its registry keys and its program folder. There's been only one program that I've ever seen that this does not work with, and that was the one that had the stupidity to check for write privileges to the C:\system32 directory (even though the program didn't have anything to do with that folder) and refuse to run if it didn't have it. That vendor got a massive tongue-lashing from me through email, and we moved on to a different vendor.

      So no, this isn't a real exploit, and it isn't news. "Hey, you can get hacked if you don't configure your network properly!!!!!" Wow, no kidding?! The Windows fanbois are trying soooooo hard to make it look like OSX is just as vulnerable as their pet OS. I almost feel sorry for them. Almost. :)

      Seriously, though, you know what Microsoft could do that would help Windows security more than anything else? Make it so that Office refuses to run as admin. Then all of the CEOs and CFOs out there that demand admin privileges would be forced to run without ("Sorry, boss, it just won't work. It really IS Microsoft's fault this time!"). Plus, all of the vendors would be forced to design their software properly instead of demanding admin privileges for their app ("But now I have to relog just to use your software! I'm buying something else.") Okay, maybe it's not a perfect solution, but it's worth thinking about. The admin user gap is the biggest gap in Windows security. I think the difference is that MacOS makes it easy to run without, and makes it quite a lot harder to circumvent. Any secondary user on OSX is automatically given limited privileges, and software works just fine without it. No registry-hacking or permission-juggling required. Same with Linux, so no, it's not that OSX is so great, it's just that Windows is so bad.

      With non-exploits like this being "reported" all the time, it just blows the "bigger target" theory out of the water. Yes, they ARE trying to hack OSX and Linux - just as much as they're trying to hack Windows. Look at the numbers, and you'll see where they're more successful.

    11. Re:Users with admin rights? by benjymouse · · Score: 1

      Do I understand their presentation correctly? Users in said Enterprise have admin privileges?

      No. The point is that *any* device which gets access to a network with OS X server can:

      1) Wait to be contacted by OS X server. The server will stupidly identify itself with network-wide credentials (can be used for other hosts)
      2) Device under attacker's control turns around and starts contacting *other* machines using the credentials it has just learned from the server.
      3) Other OSX machines will stupidly answer the request and will provide their *own* credentials since you are "obviously" a trusted server.
      4) Harvest the acquired credentials
      5) Profit.

      The "any device" may be a compromised client or a prepared device (notebook?) hooked on to the network through physical or WiFi breach. How is not the point of TFA, it is the potential consequences. A single client/device under an attacker's control allows him to harvest the password set.

      Indeed this is a braindead design flaw.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    12. Re:Users with admin rights? by NatasRevol · · Score: 1

      Well, per the presentation, they need to get the admin passwords to use the 'exploit'.

      --
      There are two types of people in the world: Those who crave closure
  15. Mac is not for the enterprise by erroneus · · Score: 1, Insightful

    This should be no surprise to anyone. MacBook, MacBook Pro, iMac, Mac mini, and Mac Pro are not enterprise machines. The service and support offered by Apple to Enterprise customers is below the needs of an enterprise environment. Mac OS X is increasingly more consumer oriented as well. And I think it is no secret that Apple has been pulling anything that resembles Enterprise-anything and focusing more on consumer-side things.

    So... is this a surprise?

    1. Re:Mac is not for the enterprise by CapuchinSeven · · Score: 1

      As I said above, there is no surprise, but not for the reasons you've suggested. To make this work, a user is required to enter an admin password. If you're an Admin and you let your users have admin rights, you shouldn't be in your job, and as I understand it, the same vulnerability used on Microsoft's AD doesn't need an admin password. So, how does that make any sense that Macs in enterprise are more vulnerable?

    2. Re:Mac is not for the enterprise by jedidiah · · Score: 0

      Having a smart attacker anywhere inside your network is a problem. In a corporate environment, your weakest link is the person sitting in the chair and the biggest problem is social engineering. This is more of an internal threat posed by a determined and dedicated attacker rather than the usual sorts of browse by infections you get from visiting the wrong web site.

      Whether or not MacOS is "sturdy" under these conditions seems to be the least important aspect of the entire situation.

      The version of Windows you are running already gave away the corporate family jewels remotely already.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    3. Re:Mac is not for the enterprise by Anonymous Coward · · Score: 0

      If Macs, being UNIX machines, aren't enterprise then neither are Linux and Windoze machines.

    4. Re:Mac is not for the enterprise by Caste11an · · Score: 2

      I couldn't agree more. I've been using a MacBook Pro in my enterprise DBA job for the last year. In that time, the Enterprise-grade AD has suffered numerous outages and fallen to two viruses. During that time, my consumer-grade laptop has powered through the darkest hours, providing me with quick access to our data centers and generally outperforming the Windows-based machine on my desk. Furthermore, our corporate wi-fi has been nearly unusable for the past two years, and because our overlords are cheapskates, our meeting rooms have four-port Ethernet hubs at best. I walk into a meeting room and set up a wireless hub via my laptop in seconds and everyone in our group is connected and working quickly. I can't even imagine the corporate nirvana that would exist if we did away with much of our Enterprise setup and instead replaced all 10000+ employees' machines with Macs. Long live the Mac's non-Enterprisiness!!!

    5. Re:Mac is not for the enterprise by Anonymous Coward · · Score: 0

      The problem is that enterprises use iPhone, iPad and sometimes Mac on their network... If those machines are insecure at any point they could carry virus malware for Windows machines too ... so even if your Windows machine is more secure than your Macs, you give access to virus malware via Apple machines ...

    6. Re:Mac is not for the enterprise by Osgeld · · Score: 1

      Yeah, but it's like a neutered Unix that's been beaten for years now.

    7. Re:Mac is not for the enterprise by Anonymous Coward · · Score: 0

      It's funny that the second largest company in the world runs on Macs, yet people will say the platform is not suitable for enterprise use.

      What's even more amazing is said company doesn't have an IT department per se. True, there is a department that maintains the IS/IT infrastructure so far as servers, routers, corporate accounting, purchasing, information, etc. But individual desktop machines? Nope. Whether the highest VP or the lowliest admin, every single Mac user at this company sets up their own machine. They install their own software. They hook up their own backup software. They get updates automatically pushed to them via the regular Mac Software Updater. Nary an IT professional in sight.

      Why? Because the traditional corporate IT structure is not needed. Traditional IT corporate structure is a parasitic conglomeration of middle-management muddle necessitated by Windows and legacy IT systems. It's in the IT sector's best interests to point at Mac and say "not enterprise ready" because should there be more widespread use of the platform, there would be far less need for a widespread IT department. No enterprise support? Very little is needed.

      Sure, there's a help line that is useful for things like build servers not being up. Or a password needs reset. And there is an onsite service center to which employees may take their machines when the hardware cooks.

      So what is this gigantic company that manages to run almost exclusively with Macs on its desktops?

      It's Apple.

    8. Re:Mac is not for the enterprise by CompMD · · Score: 2

      Oh I don't know about that. I'm an engineer for a large, multinational aerospace and electronics company. For what I do, I need several computers running different operating systems. Out of the 8 machines I have, two are macs, an imac and a 2011 macbook pro. The macbook pro is seriously the best machine I've ever used for work. I really despise Steve Jobs, but I cannot fault a good product, I really like my macbook pro for work.

    9. Re:Mac is not for the enterprise by erroneus · · Score: 1

      Yes and they don't have the problem of "enterprise level support" as they are their own enterprise support. As I indicated, Apple does not offer any enterprise level support for Apple products. If you want it fixed, you either fix it yourself or you take it to an Apple store at their convenience. Warranty and replacement is also not up to enterprise levels as there are no "sorry, we don't have those parts any more, so we will upgrade you to the current version of the hardware" offers and there is no accidental damage coverage for computers either.

      So, using Apple as an example of a successful company using Mac in the enterprise is probably not a good one. They are probably the ONLY one of any size. Sure, there are publishing shops and the like which are Mac exclusive, but when something goes wrong, that's when you know what is and isn't "enterprise ready" because when it is, things get handled well.

    10. Re:Mac is not for the enterprise by erroneus · · Score: 1

      I think you're not getting it at all.

      All you have shown is that a heterogeneous environment has its advantages and most IT people will agree with you. We already know what happens when Christian missionaries visit pygmy villages -- "god's judgement" kills them all with the common cold. Same is true for heterogeneous environments.

      But you know, instead of talking about software -- you know, MacOSX can be made to run on any PC after all, let's talk about the thing that actually differentiates the two -- the thing I care about -- hardware support. Software can be loaded and reloaded all day long without the need for another company to support them in that effort. Hardware, on the other hand, is another matter.

      So let's compare your MacBook Pro with a garden variety Dell Latitude suffering a similar hardware problem.

      Dell Latitude is often purchased with next-business-day, on-site, accidental damage coverage. Apple doesn't offer ANY of that and only warrant manufacturing defects.

      So let's say a machine is dropped to the ground... say, at a TSA checkpoint where the carefulness of the owner is irrelevant -- you can't touch your stuff until it is screened. If it was an Apple MacBook Pro, my experience on the matter is that you would be SOL. You would have to pay for the repairs needed in both parts and labor and it would be at Apple's convenience with no guarantees about parts on hand or estimated time of completion.

      And so I ask you, under that circumstance, can you still hold that Apple is "better than Enterprise ready"? And if so, I would really like to know why.

      Because in the end, yes, you can file a claim with the TSA who was responsible for the damage, but "enterprise ready" recognizes that it is the BUSINESS continuity which is "the thing" and not the tools themselves.

    11. Re:Mac is not for the enterprise by Anonymous Coward · · Score: 0

      Kind of like how Ubuntu is a neutered Linux machine.

    12. Re:Mac is not for the enterprise by Anonymous Coward · · Score: 0

      My thoughts exactly.

      But also, I'm not even really sure what kind of Mac setup they are talking about here. They talk about Mac Servers. So if I'm running an Apache web server on my Mac PowerBook and hook it up to my Corporate LAN (just plug in the Ethernet cable), is that a Mac server? WTF? No, I think they are talking about some other configuration (maybe file sharing or something from a central server, but not a web server or not just a regular MacBook plugged into Ethernet).

      Maybe someone can explain in more detail what this is all about, cause nothing in the article or the comments so far is getting at the roots of it.

      Obviously I'm no network guy. But I do use my MacBook Pro at work, even though the rest of the company is largely PC based. Is that a security risk???

    13. Re:Mac is not for the enterprise by arkane1234 · · Score: 1

      Someone hasn't used it beyond the GUI in the last 5 years, apparently.

      --
      -- This space for lease, low setup fee, inquire within!
    14. Re:Mac is not for the enterprise by arkane1234 · · Score: 1

      Funny, every enterprise I've worked in (like 8+) has just replaced the laptop if it broke.
      The I.T. department takes care of the issuance/replacement/repairs/etc.

      So that pretty much nullifies the worry about a Dell Latitude next-business-day on-site accidental damage coverage.

      now small businesses on the other hand, that's a different story.

      --
      -- This space for lease, low setup fee, inquire within!
    15. Re:Mac is not for the enterprise by arkane1234 · · Score: 1

      Most enterprises have certificates, and only systems that they have issued as clear are allowed onto their networks.
      Most enterprises have a guest network for the rest.

      --
      -- This space for lease, low setup fee, inquire within!
    16. Re:Mac is not for the enterprise by Osgeld · · Score: 1

      I have better things to do than wait for apple to catch up to the world

  16. Easy bug to fix by Anonymous Coward · · Score: 0

    DHX is an obsolete authentication system that has been replaced by Kerberos. It is virtually unused these days - especially not in an Enterprise setting. I'm surprised to find that it's still installed.

    There are several trivial fixes for the problem that Apple can implement. Heck, simply disabling DHX would fix the problem - only ancient networks would be affected.

    It seems to be a total over-reaction to recommend not installing Mac because someone found an easily fixable bug. If that was the case with other systems, nothing would ever be installed.

    1. Re:Easy bug to fix by Vokkyt · · Score: 1

      I agree that while it's a simple fix, it's not something to call an over-reaction. The results of the methodology used here are pretty heavy, and definitely something to be aware of. Is it going to affect many people? Probably not, but you don't just ignore it.

      I will say that the article is a bit dramatic, something which the exploit developer even commented on.

    2. Re:Easy bug to fix by MachineShedFred · · Score: 1

      Here's your fix:

      Server Admin > AFP > Settings > Access

      Authentication: Change from "Any Method" to "Kerberos"

      That was hard.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  17. So... practical linux attacks next? by mark-t · · Score: 4, Insightful

    It's my understanding that Linux has even more widespread enterprise adoption than Mac does... so does that mean that we get to see a Linux exploit next?

    And when someone does... any bets on how many hours it will take from actual publication of said exploit until a fix is available? My money's on it being fast enough that by the time most people who might want to exploit it have heard about it, that a fix will already be available, and attentive sysadmins will have already patched their servers.

    1. Re:So... practical linux attacks next? by Registered+Coward+v2 · · Score: 1

      It's my understanding that Linux has even more widespread enterprise adoption than Mac does... so does that mean that we get to see a Linux exploit next?

      While Linux has a strong following in several critical areas of the enterprise, such as servers, this really wasn't about server exploits. Sure, it needed a server to work, but it really was about individual desktops and laptops being used to compromise others from a non-server machine. Since Linux has very low desktop / laptop adoption compared to even Macs I'd say it's doubtful anyone would even try to exploit it. Even if they did, someone would have to be actively looking to detect it - I doubt they'd simply submit a kernel patch to spread the exploit.

      How many people are actively looking at ways to exploit Linux on the desktop? Very few I'd guess because it simply isn't a worthwhile target yet.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    2. Re:So... practical linux attacks next? by Anonymous Coward · · Score: 0

      And when someone does... any bets on how many hours it will take from actual publication of said exploit until a fix is available? My money's on it being fast enough that by the time most people who might want to exploit it have heard about it, that a fix will already be available, and attentive sysadmins will have already patched their servers.

      Attentive admins? Patching things in hours? In the "enterprise"? Hahaha... The *vast* majority of "enterprise" IT departments are overflowing with incompetents. We conduct penetration tests in large companies and routinely are able to find and exploit vulnerabilities that were publicly documented years ago. We spend days or weeks on reports, conference calls, emails, meetings getting them to understand the vulnerabilities let alone fix them, if they do so at all.

    3. Re:So... practical linux attacks next? by Rich0 · · Score: 1

      Depends - if the exploit works on android phones then I'd expect the patch to be deployed in anywhere from six months to never...

    4. Re:So... practical linux attacks next? by rgviza · · Score: 1

      The major area of linux penetration in the enterprise is server OS. There are few "enterprise" networks running linux on the desktop. Apple has distanced itself from the enterprise server market. So it could be said that the linux and Apple markets are complementary and they don't really compete. As well, at least in my world, users aren't permitted on the servers and admins typically use key authentication (either managed or not) which isn't vulnerable to AD exploits.

      Of course, like any machine, you can easily root the box with physical access, I don't care if it's windows, linux or mac. From there all sorts of nasty stuff becomes possible, like root access. All you need is a set of install disks and a recovery console.

      Then there's another issue of people depending on packages from the distro maintainer for critical services. You can't patch until the distro releases the packages in this case, or you uninstall the packages and build it from source. When the last SSL worm happened (September, 2002 OpenSSL 0.9.6d), distros and vendors were ugly slow to release patched packages. It took months, and during that time, everyone was vulnerable. From then on any sane admin started compiling their LAMP setups from source so they can patch as soon as possible. The OpenSSL folks released a patch the _next day_ after the advisory (kudos!). Calls to our "Secure" apache vendor were met with "we're working on it" for weeks on end. We weren't authorized to use any other vendor or distro (it was at a bank).

      I was issued an ultimatum by our CISO, patch it by 5PM tomorrow or we are shutting down your server farm. I had no choice but to build from source. Luckily I had extensive experience building from source (I am a developer) so was able to cope and get the job done (30 servers, that was a very long day). At the time our administrator had been fired and I was filling in for him.

      So while you are right, OSS projects patch fast, distros don't release patched binaries with any speed resembling fast, and actually _getting_ the patch can take weeks unless you compile the service from source or use a distro like Gentoo (most enterprises use package distros like SuSE, Ubuntu, Debian, Red Hat etc). All is not as rosy as people claim it is... unless your game is upped to the point where you are self sufficient and not dependent on packages. If you call yourself an administrator it goes without saying that you need to be here. If you run exposed services on binaries from distro packages you are playing professional Russian roulette. You should at least familiarize yourself with compiling from source in case you need to compile a service in an emergency.

      It could save your servers and live data and help you avoid having a really bad week. It can mean the difference between pulling the plug or continued operation.

      --
      Don't kid yourself. It's the size of the regexp AND how you use it that counts.
    5. Re:So... practical linux attacks next? by davros74 · · Score: 1

      If you consider corporations that employ hundreds or thousands of engineers (hardware, software, ASIC, etc), it is quite conceivable that the engineer's primary desktop is a workstation running Linux (what used to be running HPUX or Solaris a decade ago). This would classify as 1,000s of Linux clients in an Enterprise environment, and such is the case at my company. We also have Windows PCs, but I have never seen a Mac here, ever.

    6. Re:So... practical linux attacks next? by Tomato42 · · Score: 1

      Linux doesn't need any local ports open to be able to authenticate to LDAP; the only service that (partially) does is CUPS, and it can be configured by a one-liner to contact the server directly and not listen to broadcasts.

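      The one-liner referred to above, as an added illustration (not the commenter's own configuration): pointing the CUPS client at a fixed print server in client.conf means it never has to rely on printers advertised on the LAN, and switching browsing off on the server side stops that host from advertising. The hostname is a placeholder; the exact browse-related directives vary between CUPS versions, so check the cupsd.conf reference for the version actually installed.

      ```conf
      # /etc/cups/client.conf (client side): always talk to this server,
      # never to whatever announces itself on the local network.
      # Hostname is a placeholder for the site's real print server.
      ServerName printserver.example.internal

      # /etc/cups/cupsd.conf (server side, optional): stop this host from
      # broadcasting its own printers to the LAN.
      Browsing Off
      ```

      With ServerName set, lpstat and the print dialogs query the named server directly, so a rogue host on the same segment that advertises a fake queue is simply never consulted.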
    7. Re:So... practical linux attacks next? by owlstead · · Score: 1

      There certainly isn't too much reason why Linux would not be vulnerable to various kinds of attacks. Currently applications get loads upon loads of permissions. I always find it funny when people talk about the root password on linux systems. Just think of what you can do *without* that password. Access all of the data of the user, create network connections, use any amount of CPU, memory, disk etc. etc. etc. We need much tighter control over those resources. There are some inroads on this (SELinux and other application specific access controls) but much more is still needed. And of course it needs to be integrated and used at a much bigger level. I'm not fooled for a second when people think that Linux is inherently safer than the latest Windows versions. Windows is even ahead on some parts (e.g. use of managed code) - but of course still pretty behind on others.

    8. Re:So... practical linux attacks next? by Anonymous Coward · · Score: 0

      Of course, like any machine, you can easily root the box with physical access, I don't care if it's windows, linux or mac. From there all sorts of nasty stuff becomes possible, like root access. All you need is a set of install disks and a recovery console.

      And a way to brute force the keys to the filesystem encryption.... good luck.

    9. Re:So... practical linux attacks next? by mark-t · · Score: 1

      How many people are actively looking at ways to exploit Linux on the desktop? Very few I'd guess because it simply isn't a worthwhile target yet.

      And yet here people are looking to attack Macs in the enterprise market, which is an even smaller target than Linux is in that sector. It just strikes me as odd, that if the only real protection that Linux has enjoyed is obscurity, then why is something that is even *MORE* obscure (enterprise Macintosh installations) targeted?

    10. Re:So... practical linux attacks next? by Registered+Coward+v2 · · Score: 1

      How many people are actively looking at ways to exploit Linux on the desktop? Very few I'd guess because it simply isn't a worthwhile target yet.

      And yet here people are looking to attack Macs in the enterprise market, which is an even smaller target than Linux is in that sector. It just strikes me as odd, that if the only real protection that Linux has enjoyed is obscurity, then why is something that is even *MORE* obscure (enterprise Macintosh installations) targeted?

      First, since the Mac has more name recognition than Linux it makes sense for a security researcher to focus on it rather than Linux in order to make the mainstream press.

      Second, numbers put Apple's enterprise market share at around 5%, Windows at around 94%, leaving about 1% for Linux (and others). While Linux is strong in server markets, outside of specialty workstation areas it's still not a very popular desktop OS, which is what the exploit targeted.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    11. Re:So... practical linux attacks next? by mark-t · · Score: 1

      Actually, the exploit targets *enterprise* Mac installations... it said it was generally ineffective in home installations.

    12. Re:So... practical linux attacks next? by Anonymous Coward · · Score: 0

      Monocultures make all attacks easier. Learn from ecology: mixed cultures of systems may make sysadmins' lives a bit more difficult in support, but they fundamentally improve security overall.
      There can be no completely secure system; exploits will be found if the rewards are sufficient, so don't have a single target.

  18. Not surprised by Anonymous Coward · · Score: 0

    Windows has been more secure than Mac.

    WE ARE PC.

  19. Oh Uncle Jesse... by ahow628 · · Score: 1

    Have mercy!

  20. Always need more info by joshhibschman · · Score: 1

    Does this hack still work if people have all remote access disabled on their machines? Is there / will there be a response from Apple on the issue?

  21. Client/Server by Anonymous Coward · · Score: 0

    It's my understanding that Linux has even more widespread enterprise adoption than Mac does.

    Linux has vastly more enterprise adoption in the server room.
    Mac OS has more enterprise adoption on the desktop.

    This was a desktop/workgroup attack.

  22. propostureous by Anonymous Coward · · Score: 0

    Steve Jobs is always right

  23. Physical Access by Anonymous Coward · · Score: 0

    They have to have physical access. All bets are off with physical access, as quite simply, you can even install a new OS, (if they know what they are doing, the data and OS will be on separate drives). All bets are off if they have physical access to the machine.

  24. Apple's ignoring it by Anonymous Coward · · Score: 0

    This vulnerability was discussed on a call with our Apple representatives today, and their response to me was that "Apple does not respond to or comment on articles from small websites such as this."

    I guess ostrich syndrome is alive and well in Cupertino.

  25. This just in by Anonymous Coward · · Score: 1

    The consumer toy maker's computers are not good in serious situations

    NO FUCKING DUH, if Apple didn't suck in the enterprise, don't you think they would have moved in over the last 40 years? Outside of the art department, the only time you see Mac "servers" is when some noob gets a budget and is too stupid to install Linux on a real box

    1. Re:This just in by wzinc · · Score: 1

      They're not toys, but you can have fun using them.

  26. Why Macs are hacked less than PCs by rclandrum · · Score: 0

    Macs are hacked less than PCs because Mac owners can afford the lawyers and researchers to come after your ass, while the trailer trash that use PCs can barely scrape up enough money to pay for their porn downloads.

    1. Re:Why Macs are hacked less than PCs by recoiledsnake · · Score: 1

      Not just that... if you offend the Mac faithful, this is what you get! http://apple.slashdot.org/story/07/07/19/1231216/Mac-Worm-Author-Gets-Death-Threats

      --
      This space for rent.
    2. Re:Why Macs are hacked less than PCs by Osgeld · · Score: 1

      I find this funny: PC users know there is free porn out there, and the Mac users are instantly willing to pay extra for it. Says a lot about which world each lives in.

  27. PEBKAC by Code+Yanker · · Score: 1

    The greatest problems in security exist between the keyboard and the chair. If your sysadmin thinks "lol we're secure we bought Macs" then sure you are in for a world of hurt. Windows has a big sign across it saying "Beware: People Will Try To Hack This." Ironically, that is the kind of environment that leads to more security on the side of both the developers of the OS and the end users.

  28. NOT MACS! by d.the.duck · · Score: 1

    But Macs are so pretty! And so counter-culture! All the cool people have iPods, iPhones, iLives and iCars. You will be iAssimilated!!!!!! The smugness of Mac people drives me crazy.

    --
    Where does the signature go?
  29. oh no by Andrewkov · · Score: 1

    My turtleneck is feeling a bit uncomfortable today.

    1. Re:oh no by arkane1234 · · Score: 1

      It's probably your chain... it's too thin and getting between the fibers.

      --
      -- This space for lease, low setup fee, inquire within!
  30. DHX not supported on Lion by Anonymous Coward · · Score: 0

    DHX has been replaced by DHX2 in Lion. So is the story about Mac OS X.6?

  31. DHX already deprecated in 10.7 by vijayiyer · · Score: 1

    DHX is already deprecated in Lion, and people have been bitching about that. Typical Apple hater bait story.

    1. Re:DHX already deprecated in 10.7 by CalTrumpet · · Score: 2

      Slide 41 of the presentation shows the hierarchy of available authentication protocols and the best known attack against each. DHX has technically been deprecated, but it was replaced by DHX2 which has the exact same problem. The MITM tool we demonstrated works just fine on 10.7.

    2. Re:DHX already deprecated in 10.7 by recoiledsnake · · Score: 1

      Even if it was fully deprecated, I don't see how it makes the news invalid or a typical Apple hater bait story. After all, there are a lot of Macs that haven't been upgraded to Lion. And we see stories about exploits in XP and Vista.

      --
      This space for rent.
    3. Re:DHX already deprecated in 10.7 by Anonymous Coward · · Score: 0

      Even if it was fully deprecated, I don't see how it makes the news invalid or a typical Apple hater bait story. After all, there are a lot of Macs that haven't been upgraded to Lion. And we see stories about exploits in XP and Vista.

      Every criticism against anything Apple is immediately labeled as Apple hate by those inside of the RDF. That way things are in order again and nobody has to deal with it.

  32. DHX was replaced by DHX2 with Lion by magbottle · · Score: 0

    because it was less secure.

    Just sayin.....

  33. Sane Admins.... by Anonymous Coward · · Score: 0

    No sane admin would allow an OS on their system that allows recovery of any user's password...even with an admin password.

  34. AppleShare (afpd) by bussdriver · · Score: 1

    DHX is used in AppleShare; if you don't use file sharing then that service is not open.
    SMB is a mess... NFS is not secure... it's no wonder AppleShare would be preferred... The ports are not open for clients, just servers. The network browser doesn't use DHX; it's not likely the problem...

    Getting the user's file server password by spoofing the fileserver is a DNS poisoning style attack; the ad-hoc nature is what is causing the problem. If you don't use file sharing, no problem. If you use a DIFFERENT password to connect to the fileserver your mac is not compromised; your data on the fileserver is.

    Sounds like ServerAdmin has a similar design-- get into server admin and if they use other management servers you could get into the whole group! (not just the fileserver) If you run a REAL server with afpd on freebsd for example, the ability to do harm will be reduced to shared files. A fancy network setup could prevent peer to peer connections over afpd. This would prevent spoofing and adhoc discovery of this 1 service. ServerAdmin features would be more difficult to protect using the network hardware.

    Any adhoc network is going to pose similar problems -- this means Bonjour discovered services from MANY apps (servers) are at risk of similar attacks as those services are designed with authentication security in mind but are not thinking about identity security. An open wifi could spoof DNS and other services causing similar issues; identity is a big problem gone unnoticed a lot of the time.

    Bonjour ad-hoc is a wonderful thing; it's surprising somebody didn't think about how poisoning it would be a problem.... It's highly likely this was known from the beginning but the issues not made clear to the people who were coding network services, who didn't think about identity issues outside of basic authentication; identity is often only thought of in terms of authentication and nothing deeper than that.

    This likely means a solution will be SSH style logging of servers -- but passive as they are detected, and notifications when a connection involves a mismatched identity -- and bitching again because of Apple devices recording every service they discover over wifi... Just like SSH, this will pose a risk when somebody connects the 1st time and that happens to be the spoof and not the real server (I don't know if a spoofed SSHD can compromise your password... it must be a risk if they put in the server signature system; sure, if you use keys instead of a password it's a moot point, but that is a mess to set up account keys for everybody.)

    This revisits the identity issues with SSL online which is similar; trusting 1 3rd party business to identify/verify websites because SSL encryption is not enough if you are talking to a spoof. (hopefully apple doesn't address this the same way because they'd make themselves a 'free' monopoly signer.)
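    The "SSH style" identity pinning proposed above, written out as an added example (not bussdriver's, Apple's or iSEC's code): a known_hosts-like store that pins the public-key fingerprint of each discovered service on first contact, confirms it on later contacts, and refuses to hand over credentials when the fingerprint changes. The service records, hostnames and key bytes are constructed; the scenario also reproduces the first-contact caveat the comment raises, where a spoof that is seen first gets pinned as if it were the real server.

    ```python
    """Trust-on-first-use (TOFU) identity pinning for ad-hoc discovered
    services, modelled on SSH's known_hosts.  Added illustration with
    constructed data; not code from Apple, iSEC or the commenter."""
    import hashlib
    import json
    from dataclasses import dataclass, field


    def fingerprint(public_key: bytes) -> str:
        """Hex SHA-256 fingerprint of a server's public key bytes."""
        return hashlib.sha256(public_key).hexdigest()


    @dataclass
    class KnownServices:
        """Map of 'service@host' -> pinned fingerprint, plus an audit log."""
        pins: dict = field(default_factory=dict)
        events: list = field(default_factory=list)

        def observe(self, service: str, host: str, public_key: bytes) -> str:
            """Record or verify a discovered service identity.

            Returns "new" (first sighting, fingerprint pinned), "match"
            (fingerprint equals the pin) or "mismatch" (changed key: the
            client must not send a password to this peer).
            """
            key = f"{service}@{host}"
            fp = fingerprint(public_key)
            if key not in self.pins:
                self.pins[key] = fp
                verdict = "new"
            elif self.pins[key] == fp:
                verdict = "match"
            else:
                verdict = "mismatch"
            # Passive log of every sighting, as the comment suggests.
            self.events.append((key, fp[:16], verdict))
            return verdict

        def dumps(self) -> str:
            """Serialise the pins the way a known_hosts file would be saved."""
            return json.dumps(self.pins, indent=2, sort_keys=True)


    def should_send_credentials(verdict: str, strict: bool = False) -> bool:
        """Policy hook: strict mode only trusts already-pinned identities,
        TOFU mode also trusts the very first sighting."""
        if strict:
            return verdict == "match"
        return verdict in ("new", "match")


    def run_scenario() -> dict:
        """Two constructed discovery sequences for one AFP service name.

        'honest_first': the real server is seen twice, then a rogue host
        announces the same name with a different key -> mismatch.
        'spoof_first': the rogue host is the first thing ever seen, so
        TOFU pins it and the real server later looks like the impostor.
        """
        real_key = b"constructed-real-fileserver-public-key"
        spoof_key = b"constructed-rogue-host-public-key"
        svc, host = "_afpovertcp._tcp", "fileserver.local"  # placeholders

        honest = KnownServices()
        honest_first = [
            honest.observe(svc, host, real_key),
            honest.observe(svc, host, real_key),
            honest.observe(svc, host, spoof_key),
        ]

        spoofed = KnownServices()
        spoof_first = [
            spoofed.observe(svc, host, spoof_key),
            spoofed.observe(svc, host, real_key),
        ]
        return {"honest_first": honest_first, "spoof_first": spoof_first}


    if __name__ == "__main__":
        for name, verdicts in run_scenario().items():
            print(name, verdicts)
    ```

    In the honest sequence the third sighting comes back as "mismatch" and should_send_credentials() returns False, so the password never reaches the rogue host. In the spoof-first sequence the rogue key is what gets pinned, which is exactly the first-contact window the comment describes; the only way to close it is to seed the store out of band (a pre-populated known_hosts file, or a signed directory of expected service keys) rather than trusting whatever the LAN announces first.
    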

  35. Nazis! by Anonymous Coward · · Score: 0

    Has anyone said Nazi's yet?!!!

    What's the hold up?

  36. Good story, used for evil by pbjones · · Score: 1

    A good story, the detail was reasonable, and there was careful choice of wording. As was pointed out in other comments, it may apply to 10.6 or older, which may still be running in larger numbers, but as there are estimates that just under half of the Windows machines are still running security-poor XP, I'll remain smug, but cautious.

    --
    There was an unknown error in the submission.
  37. and the mac's lack dual psu and hot swap HDD's by Joe_Dragon · · Score: 1

    and the Macs lack dual PSUs and hot-swap HDDs

    1. Re:and the mac's lack dual psu and hot swap HDD's by Bill_the_Engineer · · Score: 1

      I can get hot-swap HDDs for the Mac Pro, and Thunderbolt allows for a PCIe x4 external chassis on the rest of the models (there are hints of a product being available in the near future). Dual PSU is an issue, but I have Linux servers for that stuff anyway (i.e. stuff that needs maximum availability). I have yet to lose a PSU on a Mac Pro and it's 24/7 number crunching (Mac Pro beats my Linux servers in number crunching) and the scientists like working with it more.

      You do realize that Macs in the enterprise mentioned in the article is referring to desktop computers and not servers right?

      As someone who has been working with Macs in the workplace for a very long time, I can assure you that Macs do have a place in the enterprise. I prefer administering OSX and Linux more than Windows. Though my colleague insists that Windows is more secure due to all the anti-malware and security programs on the market to counter the OS' weaknesses.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  38. first good mac vs. pc post! by hesaigo999ca · · Score: 1

    first time, got to mark my calendar!

  39. Old news? by nurbles · · Score: 1

    I thought this theory had been explored and exploited quite well when the moral of "Independence Day" http://www.imdb.com/title/tt0116629/ was:

    Connect a Mac to any network (even advanced alien invaders) and it WILL crash.