Macs More Vulnerable Than Windows For Enterprise
sl4shd0rk writes "At a Black Hat security conference in Las Vegas, researchers presented exploits on Apple's DHX authentication scheme which can compromise all connected Macs on the LAN within minutes. 'If we go into an enterprise with a Mac and run this tool we will have dozens or hundreds of passwords in minutes,' Stamos said. Macs are fine as long as you run them as little islands, but once you hook them up to each other, they become much less secure."
Macs Good! Microsoft BAD! MACDOR THE BARBARIAN SMASH THE HEATHENS!!!!
--
Filter error: Don't use so many caps. It's like YELLING.
(really? you'd almost think that was the intent)
...when you hook them up.
I have no love for Apple but even this article smells like astroturfing.
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
Windows machines can be pretty secure on their own too, but once hooked up to an active directory domain they are only as secure as the weakest point...
Also, this seems to be a particular authentication scheme which is flawed, windows has similar flawed schemes (google: pass the hash).
Finally this just seems to be a stupid bug in a service used for pushing updates, and should therefore be relatively easy to fix.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
A Stuxnet? In my PLC?
It's more likely than you think! Why would someone write a worm that is targeted at 0.00001% of the user base when they can target 90?
Unpatched vulnerabilities leave open doors for custom-tailored villainy. I would call it a pretty big deal.
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
I found 10.7 with Airport turned on and little snitch (software outgoing firewall for Mac OS X) needing to be reinstalled....
Could it be?
Domestic spying is now "Benign Information Gathering"
Macs are lacking the enterprise tools that Windows has.
At least Apple should let you run Mac OS X Server on ANY VM on any hardware.
Reading the tech note (marked archived) it makes it appear that DHX is an optional install and it is not clear. Also, doesn't MacOS X also provide enterprise grade solutions for authentication? Kerberos is available out of the box if I understand, for example.
BTW With the description "The DHX (Diffie-Hellman Exchange) UAM provides a relatively secure way to transport cleartext passwords..." (emphasis mine),
I am not sure you would want to use this for anything serious.
Jumpstart the tartan drive.
defaults write com.apple.AppleShareClient afp_cleartext_allow -bool NO
There, that wasn't so hard, was it? Oh, and their hack only works if the server is on the same subnet as the other machines, which is a really bad idea for secure networks to begin with.
To be sure, keeping Diffie-Hellman around in an era when sending plaintext passwords is anathema was pretty stupid, but you can bet that it'll be dead and gone in 10.7.1. This hack is not nearly as scary or as "persistent" as all that, and conveniently their paper isn't available for download and perusal. Looks like they just wanted their names in the news.
Next up, these same hackers break DES and show you how to infiltrate BSD 3! What will they think of next?
FTA:
Why is the server transmitting any authentication credentials to a machine that it hasn't actually confirmed is supposed to be receiving them in the first place?
I understand the point of DHX... it's ideal for secure communication on an otherwise open channel, but it's just plain stupid to use it to talk between strangers... you have to use another protocol along side it to really verify the identity of the listener and sender.
File under 'M' for 'Manic ranting'
We're not moving backwards here, are we?
Do I understand their presentation correctly? Users in said Enterprise have admin privileges?
It's more likely than you think!
Why would someone write a virus that is targeted at 10% of the user base when they can target 90?
Actually they are targeting the other 89.1%. I'm running linux :-)
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
>> Why would someone write a virus that is targeted at 10% of the user base when they can target 90?
Because they are an asshole?
I am very small, utmostly microscopic.
This should be no surprise to anyone. MacBook, MacBook Pro, iMac, Mac mini, and Mac Pro are not enterprise machines. The service and support offered by Apple to Enterprise customers is below the needs of an enterprise environment. Mac OS X is increasingly more consumer oriented as well. And I think it is no secret that Apple has been pulling anything that resembles Enterprise-anything and focusing more on consumer-side things.
So... is this a surprise?
If it is so abnormal to find a virus for a minority platform, why would you propose that it is more common than people might expect for that platform?
File under 'M' for 'Manic ranting'
It's my understanding that Linux has even more widespread enterprise adoption than Mac does... so does that mean that we get to see a Linux exploit next?
And when someone does... any bets on how many hours it will take from actual publication of said exploit until a fix is available? My money's on it being fast enough that by the time most people who might want to exploit it have heard about it, that a fix will already be available, and attentive sysadmins will have already patched their servers.
File under 'M' for 'Manic ranting'
Have mercy!
Why would someone write a virus that is targeted at 10% of the user base when they can target 90?
I'm assuming you are implementing sarcasm there, but in case you are not...
How about because you've got as large a chunk on the 90% as you are going to get any time soon in your botnet already, and you are having to fight every other botnet going to keep them? A chunk of that 10% could make a useful difference.
Or if you are installing a key logger to try purloin credit card details or authentication credentials, why not target the more-affluent-on-average users of that 10% who might actually take less effort to infect as they are complacent?
Or how about "just to prove you can". I'm guessing that in lieu of actually making money simple bragging rights still count for something in the hacker/cracker world.
Does this hack still work if people have all remote access disabled on their machines? Is there / will there be a response from Apple on the issue?
Think applications for OS X: Why would someone write software that is targeted at 10% of the user base when they can target 90? Because those 10% are highly profitable and support issues are lower due to the limited amount of different hardware and software configurations. Looking around me I would argue that the more affluent a person, the higher the chance they own a Mac, and I do not know anyone in person who still is on a PowerPC Mac.
Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
Most douchenozzles write virii for kicks.
And much worse, only a total and utter douchebag uses "virii" as a plural form of "virus".
Also, one can lodge malicious code in a Mac that would require physical replacement of components, such as the flash ROM of the keyboard, or even the battery of a Macbook.
This isn't new to Macs either. Back in the System 6 days, where the OS would read from the SCSI drive code to execute a hard disk driver, it would be trivial to hide a malicious payload there, and because it ran before anything else, there would be no way to stop it. Had a virus that did that been combined with WDEF (which infected machines the second a floppy disk was inserted), it would have caused extreme pain for a lot of users. Think bad MBR code is an issue with PCs, this was a glaring hole. Thankfully, nobody exploited it.
Thankfully Apple's pants are shown down only at the cons. However it won't be long until stuff that lodges in a keyboard HID ROM or other places hard to dislodge goes to the wild.
My favorite analogy to that is to say that if you set a sack of $2,000 and a sack of $200 in cash beside each other on the street, that only the $2,000 sack will get stolen, even if the $200 sack isn't chained down and the $2,000 sack is.
Thieves will take everything that's not nailed down. Risk and effort matter more than payout when selecting targets. Most thieves prefer low risk easy marks over large payouts.
I work for the Department of Redundancy Department.
I agree that while it's a simple fix, it's not something to call an over-reaction. The results of the methodology used here are pretty heavy, and definitely something to be aware of. Is it going to affect many people? Probably not, but you don't just ignore it.
I will say that the article is a bit dramatic, something which the exploit developer even commented on.
The consumer toy maker's computers are not good in serious situations
NO FUCKING DUH, if apple didn't suck in the enterprise, don't you think they would have moved in over the last 40 years? Outside of the art department the time you see mac "servers" is when some noob gets a budget and is too stupid to install linux on a real box
Most douchenozzles write virii for kicks.
This was true well into the 90's, but today the vast majority of malware is written for monetary gain.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
The greatest problems in security exist between the keyboard and the chair. If your sysadmin thinks "lol we're secure we bought Macs" then sure you are in for a world of hurt. Windows has a big sign across it saying "Beware: People Will Try To Hack This." Ironically, that is the kind of environment that leads to more security on the side of both the developers of the OS and the end users.
But Macs are so pretty! And so counter-culture! All the cool people have iPods, iPhones, iLives and iCars. You will be iAssimilated!!!!!! The smugness of Mac people drives me crazy.
Where does the signature go?
Not just that... if you offend the Mac faithful, this is what you get! http://apple.slashdot.org/story/07/07/19/1231216/Mac-Worm-Author-Gets-Death-Threats
This space for rent.
I find this funny: PC users know there is free porn out there, and the Mac users are instantly willing to pay extra for it. Says a lot about which world each lives in.
My turtleneck is feeling a bit uncomfortable today.
This was true well into the 90's, but today the vast majority of malware is written for monetary gain.
+1
Bow before me, for I am root.
DHX is already deprecated in Lion, and people have been bitching about that. Typical Apple hater bait story.
So we are still saying virii?
Here's your fix:
Server Admin > AFP > Settings > Access
Authentication: Change from "Any Method" to "Kerberos"
That was hard.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
Because they dislike that user base and would find it lulzworthy?
Never underestimate the combination of skill, malice, and boredom!
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
I'd say it's because of the people that use that 10% think they're unaffected by vulnerabilities. Eventually the tipping point will be reached where it's easier to distribute malware on other platforms than Windows. Perhaps it's starting now.
Which is why you pick the EASY one. There is plenty of money to be had on Windows, Mac and Linux. In fact, considering that Linux is used on bigger badder servers for handling money, you should pursue them if you want the large score. But, when you want to get the money, you go for the EASY SURE bet. That is anything from MS. At least for today.
It will be interesting to see what happens if MS ever hires decent coders and locks down their systems. Thank god that so far that is not the case. But if they ever become more secure, then I will be curious to see what systems the black hats pursue. My guess is Linux.
I prefer the "u" in honour as it seems to be missing these days.
10% is still millions of users, many who have no antivirus of any kind because Apple has told them they don't need it.
No, we are not.
...the future crusty old bastards are already drinking the Kool-Aid.
All those hacker conferences, I'm thinking of Pwn2Own, are exploits that: require user interaction such as visiting a hacked web page, require using the default and unchanged Safari browser. Running Firefox with noscript or even just a different browser would put an end to their "hacks". I'd be more impressed if they managed to root a machine without actually physically touching it, I'm not aware of that having happened yet--not to say it can't, but I don't think it has yet. I remember WinXP that could become infected simply by being connected to the internet and powered on. Is there anything even close to that for Linux/Mac?
Until I see a fully automated spreading worm, or viruses that can propagate through e-mail (bonus points if the user doesn't have to install anything, but requiring typing in your root pw is game over, I'd know something was up at that point) then I am going to remain convinced that the Unix security model is fundamentally superior to Windows, even if it has problems too.
If you build it, nerds will come. Soylentnews.org
DHX is used in AppleShare; if you don't use file sharing, then that service is not open.
SMB is a mess... NFS is not secure... it's no wonder AppleShare would be preferred... The ports are not open for clients, just servers. The network browser doesn't use DHX, so it's not likely the problem...
Getting the user's file server password by spoofing the fileserver is a DNS poisoning style attack; the ad-hoc nature is what is causing the problem. If you don't use file sharing, no problem. If you use a DIFFERENT password to connect to the fileserver your mac is not compromised; your data on the fileserver is.
Sounds like ServerAdmin has a similar design-- get into server admin and if they use other management servers you could get into the whole group! (not just the fileserver) If you run a REAL server with afpd on freebsd for example, the ability to do harm will be reduced to shared files. A fancy network setup could prevent peer to peer connections over afpd. This would prevent spoofing and adhoc discovery of this 1 service. ServerAdmin features would be more difficult to protect using the network hardware.
Any adhoc network is going to pose similar problems -- this means Bonjour discovered services from MANY apps (servers) are at risk of similar attacks as those services are designed with authentication security in mind but are not thinking about identity security. An open wifi could spoof DNS and other services causing similar issues; identity is a big problem gone unnoticed a lot of the time.
Bonjour ad-hoc is a wonderful thing; it's surprising somebody didn't think about how poisoning it would be a problem.... It's highly likely this was known from the beginning but the issues not made clear to the people who were coding network services, who didn't think about identity issues outside of basic authentication; identity is often only thought of in terms of authentication and nothing deeper than that.
This likely means a solution will be SSH style logging of servers -- but passive as they are detected, and notifications when a connection involves a mismatched identity -- and bitching again because of Apple devices recording every service they discover over wifi... Just like SSH, this will pose a risk when somebody connects the 1st time and that happens to be the spoof and not the real server (I don't know if a spoofed SSHD can compromise your password... it must be a risk if they put in the server signature system; sure, if you use keys instead of a password it's a moot point, but that is a mess to set up account keys for everybody.)
This revisits the identity issues with SSL online which is similar; trusting 1 3rd party business to identify/verify websites because SSL encryption is not enough if you are talking to a spoof. (hopefully apple doesn't address this the same way because they'd make themselves a 'free' monopoly signer.)
Democracy Now! - uncensored, anti-establishment news
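One way to implement the SSH-style passive recording of discovered service identities that this post proposes (and the separate identity check that an earlier comment says DHX needs alongside it), as an added Python example that is not from the thread or from Apple. The service name, addresses and key bytes are constructed, and the JSON store format is an assumption.

```python
import hashlib
import json
from pathlib import Path
from typing import Dict, Optional, Tuple

NEW, MATCH, MISMATCH = "new (unverified)", "match", "MISMATCH"


def fingerprint(key_material: bytes) -> str:
    """Short SHA-256 fingerprint of whatever the service presented (DH public key, cert, ...)."""
    return hashlib.sha256(key_material).hexdigest()[:32]


class KnownServices:
    """known_hosts-style store, keyed by the advertised service name (hypothetical helper)."""

    def __init__(self, store_path: Optional[Path] = None):
        self.store_path = store_path
        self.db: Dict[str, dict] = {}
        if store_path is not None and store_path.exists():
            self.db = json.loads(store_path.read_text())

    def _save(self) -> None:
        if self.store_path is not None:
            self.store_path.write_text(json.dumps(self.db, indent=1))

    def check(self, service: str, address: str, key_material: bytes) -> Tuple[str, str]:
        """Return (verdict, message). Identity is bound to the name users click on,
        not to the address, because addresses change legitimately under DHCP/Bonjour."""
        fp = fingerprint(key_material)
        rec = self.db.get(service)
        if rec is None:
            # Trust-on-first-use: record it, but say so. If the first host seen
            # is the spoof, this is exactly the window the post warns about.
            self.db[service] = {"fp": fp, "first_seen_at": address, "seen": 1}
            self._save()
            return NEW, f"{service}: first contact at {address}, fingerprint {fp} recorded unverified"
        if rec["fp"] == fp:
            rec["seen"] += 1
            self._save()
            return MATCH, f"{service}: identity matches ({rec['seen']} sightings)"
        # Same advertised name, different key: a reinstall, or a second host answering
        # to the name. Never overwrite the record automatically; surface it to the user.
        return MISMATCH, (f"{service}: expected {rec['fp']} (first seen at {rec['first_seen_at']}), "
                          f"got {fp} from {address}; do not send credentials")


def demo() -> list:
    """Constructed sample: the real server, then a second host answering to the same name."""
    ks = KnownServices()  # in-memory only for the demo
    real_key = b"constructed DH public key of the real fileserver"
    other_key = b"constructed DH public key of a different host"
    name = "fileserver._afpovertcp._tcp.local"
    return [
        ks.check(name, "192.0.2.10", real_key)[0],   # first contact: recorded, unverified
        ks.check(name, "192.0.2.11", real_key)[0],   # new address, same identity: fine
        ks.check(name, "192.0.2.99", other_key)[0],  # same name, different identity: alert
    ]
```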
+5 BTC at current exchange rates, amIright?
Well obviously you don't know me in person but I run several PPC Macs. Yes, you guessed it, I am not affluent!
http://www.acetonestudio.com
>> Why would someone write a virus that is targeted at 10% of the user base when they can target 90?
Because they are an asshole?
By they I assume you mean the elitist 10% using Apple.
Respect the Constitution
It's arguable, which one is EASY(er) at this point. Yes, historically Microsoft systems have been targeted more often, but they have also developed more protection over the years as a result. WSUS, SCCM, MBSA, UAC, myriads of antivirus solutions and hardening guides, ActiveSync, BES, IPS signatures - all of these have been developed to further secure Windows platforms out of necessity. Borderline next to nothing has been developed for Mac OS security at this point, and with Apple gaining market share and entering enterprise environment, the race of exploits versus protection, which has been going on for decades for Microsoft, is about to begin for Apple. It remains to be seen, how Apple will come out of this, and the myth they have perpetuated for years, that there is no malware for Apple, is going to haunt them through all the sales and executive staff blindly believing that they're safe, while clicking on the Mac Defender packages and spear-phishing email links and ordering more and more shiny new Apple computers for their staff.
Bow before me, for I am root.
A good story, the detail was reasonable, and there was careful choice of wording. As was pointed out in other comments, it may apply to 10.6 or older, which may still be running in larger numbers, but as there are estimates that just under half of the window machines are still running security poor XP, I'll remain smug, but cautious.
Actually, if you read through the slideshow at the end of TFA it points out that security is getting much better on macs in the past couple of releases. The main vulnerability, and where Windows is significantly better, seems to be network exploits from within the LAN, since kerberos can be bypassed in several ways to fall back to the default security and there are exploits to that. It should allow forcing kerberos only with no fallback, and if it did that would match it with Windows. Kerberos is a very good protocol and has been beaten on for many years (it is the required security model for IPv6 support because it is used by IPsec).
I like the bonjour hack best - Apple's "nice network" vulnerability exploit (if hostnames conflict, one will change itself allowing the other to spoof).
Some of the exploits I have noticed from version 10.0 - like how easy it would be to spoof the credentials page (which they say is harder on Windows, but I think in some ways it is easier since all you need to do is get them to click a button).
only the $2,000 sack will get stolen, even if the $200 sack isn't chained down and the $2,000 sack is.
Thieves will take everything that's not nailed down.
ay? so the $2000 sack will get stolen even though it's chained down but the $200 sack won't get stolen yet isn't chained down but thieves will take everything that isn't nailed down. Is there some key difference between being chained down and nailed down? if the $2000 sack was nailed down it wouldn't get stolen? but because it's chained down but not nailed down it will get stolen? if the $200 sack isn't chained down then why wouldn't the thieves steal it if they steal everything that isn't nailed down? or is it nailed down but not chained down?
and the Macs lack dual PSUs and hot-swap HDDs
What it means is everything eventually gets stolen. But what's not chained down properly gets stolen first, regardless of its value.
So if there's a $2000 sack sitting next to the $200 sack, and the $2000 sack gets stolen immediately (and perhaps the $200 sack remains there for quite some time, or even never gets taken) you must assume the former has much poorer security. It's foolish to try to blame the disparity on the value of the contents. (if they had the same security, they'd both disappear at about the same time)
I work for the Department of Redundancy Department.
Did we ever? Pretty sure that was always reserved for douchebags and morons.
What it means is everything eventually gets stolen. But what's not chained down properly gets stolen first, regardless of its value.
Huh? But you said only the one of larger value gets stolen even if it is chained down:
My favorite analogy to that is to say that if you set a sack of $2,000 and a sack of $200 in cash beside each other on the street, that only the $2,000 sack will get stolen, even if the $200 sack isn't chained down and the $2,000 sack is.
So if there's a $2000 sack sitting next to the $200 sack, and the $2000 sack gets stolen immediately (and perhaps the $200 sack remains there for quite some time, or even never gets taken) you must assume the former has much poorer security. It's foolish to try to blame the disparity on the value of the contents.
Why? If the security to profit ratio is better on the $2000 than the $200 then regardless of the actual security you'd go for the bigger score.
first time, got to mark my calendar!
I thought this theory had been explored and exploited quite well when the moral of "Independence Day" http://www.imdb.com/title/tt0116629/ was:
Connect a Mac to any network (even advanced alien invaders) and it WILL crash.
Would you care to point out the architectural differences between Windows and Unix-type OS's that, in your opinion, make the latter so much more secure?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Market share has NOTHING to do with what platforms virus writers will target. That was already shown above.
Where was that shown above?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.