Macs More Vulnerable Than Windows For Enterprise

sl4shd0rk writes "At a Black Hat security conference in Las Vegas, researchers presented exploits on Apple's DHX authentication scheme which can compromise all connected Macs on the LAN within minutes. 'If we go into an enterprise with a Mac and run this tool we will have dozens or hundreds of passwords in minutes,' Stamos said. Macs are fine as long as you run them as little islands, but once you hook them up to each other, they become much less secure."

All computers are less secure

[improfane]

...when you hook them up.

I have no love for Apple but even this article smells like astroturfing.

Re:All computers are less secure

...when you hook them up.

I have no love for Apple but even this article smells like astroturfing.

Can we please stop this Slashdot trend of calling everything that don't immidiately fit into our worldview for astroturfing. The article is sensationalist (duh, it's The Register!) but these are security researches presenting at the Black Hat conference, check out other sources and the actual basis for their claim before immidiately jumping to the astroturfing cop-out.

I've seen people with posting histories long as a mile proving they are Linux users and supporters getting called M$ astroturfers because they tried to be nuanced about facts and opinions in a discussion.

Re:All computers are less secure

[DrgnDancer]

It's also worth pointing out that the "exploits" for Macs these guys found require an amazing amount of stupidity on the part of the system/network admins. We're supposed to worried about using Macs in "Enterprise" level exploits, but the configuration required for exploiting is distinctly amateur.

They claim DHX is vulnerable, Kerberos is not; but it's "trivial" to change the scheme. This is true if you have root on the server box, but getting there should not be "trivial" in the first place. Even with DHX, you need to get admin privileges on a workstation box to start sniffing passwords. Again, that shouldn't be trivial in the first place. Admin accounts should only belong to trained administrative users, whether your OS is Windows, MacOS, or Linux. Sure, if you make every Tom, Dick, and Sue an admin you're highly vulnerable to social engineering attacks. On any OS. OSX permits and encourages privilege separation like any other OS; if you chose not to use it, you're an idiot, not "Enterprise IT".

A competently administered Mac network, with proper encryption, privileged separation, threat training , etc should be no more vulnerable than any other if I'm reading this right (I read the slides form the presentation in addition to the almost useless article). The take home point shouldn't be "Don't use Macs", it should be "Treat Macs like every other client and server." They're not more vulnerable, they're just not full of magic hacker repelling pixie dust.

Re:All computers are less secure

[recoiledsnake]

Watch out, once they lose the forced and convoluted arguments to support Apple and discredit MS, this what they will degenerate to:

http://www.computerworld.com.au/article/188807/mac_worm_author_receives_death_threats/

After all ,it's a religion.

http://www.businessinsider.com/apple-is-a-religion-neuroscientists-find-it-triggers-the-same-reaction-in-your-brain-2011-5

And?

[Bert64]

Windows machines can be pretty secure on their own too, but once hooked up to an active directory domain they are only as secure as the weakest point...

Also, this seems to be a particular authentication scheme which is flawed, windows has similar flawed schemes (google: pass the hash).

Finally this just seems to be a stupid bug in a service used for pushing updates, and should therefore be relatively easy to fix.

Re:And?

[Bert64]

Under a typical/default configuration, a domain has full control over a local machine once it has been joined to the domain... Buy that's not the point, the fact that having compromised the *server* you can take control of the *clients* is a given in any distributed authentication scheme, be it nis, kerberos, ldap or whatever...

The problem discussed in the article is that having compromised a single *client* you can take control of the server or other clients. Windows has such problems too, for instance once a domain user is logged in their password hash is stored on the system where it can be retrieved and then used. Also since most machines are built from images, local admin passwords are often the same and thanks to hash passing vulnerabilities can be used immediately without having to crack them (and as such irrespective of how strong the password is).

Windows of today still has NTLM and NTLMv2 enabled by default... It also still supports LANMAN although that is disabled by default in the latest versions. It is also apparently possible to do hash passing attacks even with only kerberos enabled, although i'm not aware of tools for doing that being widely available yet.

Ideally compromising a single client should get you nowhere (and many admins incorrectly assume this to be true)... But as some recent high profile attacks show, a serious attack can easily start from a single unimportant workstation, and there are many ways to compromise a single workstation (social engineering, browser exploit, malicious document exploiting whatever app they open it with etc)...

What is really needed, is a complete rethink of the old perimeter defence model... Although you can (and should) take steps to reduce the chances of the perimeter being breached in the above ways, if you don't pay attention to internal security then once a single small breach has happened its game over for you.

Re:And?

[sl4shd0rk]

...while Apple, for all its theoretical security, has very little experience dealing with actual security issues. Or maybe it's just a random bug, IDK.

Exactly. The bigger picture is concerning because Apple really *is* poised to become the Next Big Thing on the Desktop (Sorry Linux. Your awesome, but slaying the n00bs will never get you on the Desktop). Hopefully Apple will do a better job at fixing vulnerabilities than Microsoft did. The user's are (As usual) going to be key howerver because (FTFA - pdf link):

    * Apple users feel safe because they have no history of exploitation
    * Apple users tend to be just as ignorant as anyone else
          - Go ahead and run this unsigned binary
          - Who needs AV ?
    * 14% of all publicly disclosed OS exploits in 2008 affected OSX
    * 1,151 CVEs in past 3 years affected Apple (Windows was 1,325)
    * Mac users not paranoid like Win users so may be easier to socially engineer

       

Re:A virus? In my MAC?

[Samantha+Wright]

A Stuxnet? In my PLC?

It's more likely thank you think! Why would someone write a worm that is targeted at 0.00001% of the user base when they can target 90?

Unpatched vulnerabilities leave open doors for custom-tailored villainy. I would call it a pretty big deal.

Is DHX enterprise grade?

[Midnight+Thunder]

Reading the tech note (marked archived) it makes it appear that DHX is an optional install and it is not clear. Also, doesn't MacOS X also provide enterprise grade solutions for authentication? Kerberos is available out of the box if I understand, for example.

BTW With the description "The DHX (Diffie-Hellman Exchange) UAM provides a relatively secure way to transport cleartext passwords..." (emphasis mine),
I am not sure you would want to use this for anything serious.

Mac is not for the enterprise

[erroneus]

This should be no surprise to anyone. MacBook, MacBook Pro, iMac, Macmini, and Mac Pro are not enterprise machines. The service and support offered by Apple to Enterprise customers is below the needs of an enterprise environment. Mac OS X is increasingly more consumer oriented as well. And I think it is no secret that Apple has been pulling anything that resembles Enterprise -anything and focusing more on consumer-side things.

So... is this a surprise?

Re:Users with admin rights?

[NatasRevol]

Yeah, which is not the case most of the time.

Users with admin passwords can do admin things. Duh.

Meaning this 'exploit' isn't much of an exploit.

Re:Users with admin rights?

[CapuchinSeven]

No, you got it, this is a load of rubbish and is being presented as some sort of reason to bash Macs. If you're a Admin and you let your users have admin rights, you shouldn't be in your job. Interestingly, as I understand it, the same vulnerability used on Microsofts AD, doesn't need an admin password. So... how does that make any sense that Macs in enterprise are more vulnerable...?

So... practical linux attacks next?

[mark-t]

It's my understanding that Linux has even more widespread enterprise adoption than Mac does... so does that mean that we get to see a Linux exploit next?

And when someone does... any bets on how many hours it will take from actual publication of said exploit until a fix is available? My money's on it being fast enough that by the time most people who might want to exploit it have heard about it, that a fix will already be available, and attentive sysadmins will have already patched their servers.

Re:A virus? In my MAC?

[asdf7890]

Why would someone write a virus that is targeted at 10% of the user base when they can target 90?

I'm assuming you are implementing sarcasm there, but in case you are not...

How about because you've got as large a chunk on the 90% as you are going to get any time soon in your botnet already, and you are having to fight every other botnet going to keep them? A chunk of that 10% could make a useful difference.

Or if you are installing a key logger to try purloin credit card details or authentication credentials, why not target the more-affluent-on-average users of that 10% who might actually take less effort to infect as they are complacent?

Or how about "just to prove you can". I'm guessing that in lieu of actually making money simple bragging rights still count for something in the hacker/cracker world.