
Macs More Vulnerable Than Windows For Enterprise

CmdrTaco posted more than 2 years ago | from the commencing-holy-war dept.

Security 281

sl4shd0rk writes "At a Black Hat security conference in Las Vegas, researchers presented exploits on Apple's DHX authentication scheme which can compromise all connected Macs on the LAN within minutes. 'If we go into an enterprise with a Mac and run this tool we will have dozens or hundreds of passwords in minutes,' Stamos said. Macs are fine as long as you run them as little islands, but once you hook them up to each other, they become much less secure."


281 comments

NNNGGGHYAAA!!!! (5, Funny)

Anonymous Coward | more than 2 years ago | (#37031996)

Macs Good! Microsoft BAD! MACDOR THE BARBARIAN SMASH THE HEATHENS!!!!

--
Filter error: Don't use so many caps. It's like YELLING.
(really? you'd almost think that was the intent

Re:NNNGGGHYAAA!!!! (2)

sacridias (2322944) | more than 2 years ago | (#37032816)

Mac is an evil pathetic dogmatic corporation. Mac BAD, Microsoft BAD. I also hate mate because they bastardized the greatest OS ever, FreeBSD. Mac needs to stop child labor and labor camps associated with their company, and stop suing people because they are jealous of their success. They are a bunch of cry babies that need to be put down.

A virus? In my MAC? (1)

TheyTookOurJobs (1930780) | more than 2 years ago | (#37031998)

It's more likely than you think! Why would someone write a virus that is targeted at 10% of the user base when they can target 90?

Re:A virus? In my MAC? (3, Insightful)

Samantha Wright (1324923) | more than 2 years ago | (#37032054)

A Stuxnet? In my PLC?

It's more likely than you think! Why would someone write a worm that is targeted at 0.00001% of the user base when they can target 90?

Unpatched vulnerabilities leave open doors for custom-tailored villainy. I would call it a pretty big deal.

Re:A virus? In my MAC? (1)

TheyTookOurJobs (1930780) | more than 2 years ago | (#37032194)

Now now, stux was extremely specific and with purpose. Most douchenozzles write virii for kicks. This is all from statistics I made up for the purpose of this post. Please ignore me, nothing to see here.

Re:A virus? In my MAC? (4, Funny)

BrokenHalo (565198) | more than 2 years ago | (#37032720)

Most douchenozzles write virii for kicks.

And much worse, only a total and utter douchebag uses "virii" as a plural form of "virus".

Re:A virus? In my MAC? (1)

u-235-sentinel (594077) | more than 2 years ago | (#37032236)

It's more likely than you think!

Why would someone write a virus that is targeted at 10% of the user base when they can target 90?

Actually they are targeting the other 89.1%. I'm running linux :-)

Re:A virus? In my MAC? (2)

gatkinso (15975) | more than 2 years ago | (#37032258)

>> Why would someone write a virus that is targeted at 10% of the user base when they can target 90?

Because they are an asshole?

Re:A virus? In my MAC? (1)

mark-t (151149) | more than 2 years ago | (#37032342)

If it is so abnormal to find a virus for a minority platform, why would you propose that it is more common than people might expect for that platform?

Re:A virus? In my MAC? (4, Insightful)

asdf7890 (1518587) | more than 2 years ago | (#37032512)

Why would someone write a virus that is targeted at 10% of the user base when they can target 90?

I'm assuming you are implementing sarcasm there, but in case you are not...

How about because you've got as large a chunk on the 90% as you are going to get any time soon in your botnet already, and you are having to fight every other botnet going to keep them? A chunk of that 10% could make a useful difference.

Or if you are installing a key logger to try to purloin credit card details or authentication credentials, why not target the more-affluent-on-average users of that 10% who might actually take less effort to infect as they are complacent?

Or how about "just to prove you can". I'm guessing that in lieu of actually making money simple bragging rights still count for something in the hacker/cracker world.

Re:A virus? In my MAC? (2, Interesting)

Anonymous Coward | more than 2 years ago | (#37032796)

Also, one can lodge malicious code in a Mac that would require physical replacement of components, such as the flash ROM of the keyboard, or even the battery of a Macbook.

This isn't new to Macs either. Back in the System 6 days, where the OS would read from the SCSI drive code to execute a hard disk driver, it would be trivial to hide a malicious payload there, and because it ran before anything else, there would be no way to stop it. Had a virus that did that been combined with WDEF (which infected machines the second a floppy disk was inserted), it would have caused extreme pain for a lot of users. Think bad MBR code is an issue with PCs, this was a glaring hole. Thankfully, nobody exploited it.

Thankfully Apple's pants are shown down only at the cons. However it won't be long until stuff that lodges in a keyboard HID ROM or other places hard to dislodge goes to the wild.

Re:A virus? In my MAC? (0)

jellomizer (103300) | more than 2 years ago | (#37032588)

Most likely because they want to wipe off the smug smile that the Mac users have. And 10% is a good number to target... Assuming that most viruses for windows are targeted to hit particular patches of Windows. So they may be targeting around the same percentage perhaps more or less.

So far OS X has had few targets that have gone wild, However they are the first that hacker conferences love to show they can break into.

Re:A virus? In my MAC? (2)

silanea (1241518) | more than 2 years ago | (#37032646)

Think applications for OS X: Why would someone write software that is targeted at 10% of the user base when they can target 90? Because those 10% are highly profitable and support issues are lower due to the limited amount of different hardware and software configurations. Looking around me I would argue that the more affluent a person, the higher the chance they own a Mac, and I do not know anyone in person who still is on a PowerPC Mac.

Re:A virus? In my MAC? (1)

v1 (525388) | more than 2 years ago | (#37033042)

Why would someone write software that is targeted at 10% of the user base when they can target 90?

My favorite analogy to that is to say that if you set a sack of $2,000 and a sack of $200 in cash beside each other on the street, that only the $2,000 sack will get stolen, even if the $200 sack isn't chained down and the $2,000 sack is.

Thieves will take everything that's not nailed down. Risk and effort matter more than payout when selecting targets. Most thieves prefer low risk easy marks over large payouts.

All computers are less secure (3, Insightful)

improfane (855034) | more than 2 years ago | (#37032004)

...when you hook them up.

I have no love for Apple but even this article smells like astroturfing.

Re:All computers are less secure (1)

gcnaddict (841664) | more than 2 years ago | (#37032034)

Have you seen any recent networked exploits on Windows which compromise an entire bank of passwords?

No? That's what I thought.

Re:All computers are less secure (5, Informative)

NatasRevol (731260) | more than 2 years ago | (#37032216)

You might want to go read the actual presentation.

It starts out with an exploit called Aurora, which compromises AD.

Whoops.

Re:All computers are less secure (5, Informative)

NatasRevol (731260) | more than 2 years ago | (#37032254)

And the Mac exploit STILL REQUIRES AN ADMIN PASSWORD. Which is not typically given to users in a corporate setting - at least by sane sysadmins.

Re:All computers are less secure (2)

hansraj (458504) | more than 2 years ago | (#37032382)

The whole point of TFA is that if even one computer gets infected on the network then it can be used to infect other machines without requiring the admin password on the remote machine. All it would take is one malicious person with physical access to one mac, or one careless click from someone who does have admin access to their own mac in the building.

Re:All computers are less secure (1)

NatasRevol (731260) | more than 2 years ago | (#37032406)

Yeah. And how is that not having the admin password?

Tell you what, give me the admin password to an active directory forest. See if I can fuck things up a bit. Want to bet I can?

Re:All computers are less secure (1)

Anonymous Coward | more than 2 years ago | (#37032492)

Yeah. And how is that not having the admin password?

Tell you what, give me the admin password to an active directory forest. See if I can fuck things up a bit. Want to bet I can?

I believe the GP is referring to the fact that a single *local* admin password on a networked Mac can lead to a compromise of all Macs on the network through this exploit, which is not quite the same as having an AD administrator password.

Re:All computers are less secure (1)

NatasRevol (731260) | more than 2 years ago | (#37032550)

That's not the case though. Otherwise, it can't authenticate to another network Mac. Unless all the local admin passwords are the same, in which case they're effectively the network admin password.

It's always going to need the network admin password. Now lazy sysadmins often make them the same as the local admin passwords, but they're not actually the same thing.

Re:All computers are less secure (5, Insightful)

DrgnDancer (137700) | more than 2 years ago | (#37032630)

It's also worth pointing out that the "exploits" for Macs these guys found require an amazing amount of stupidity on the part of the system/network admins. We're supposed to be worried about using Macs in "Enterprise" level exploits, but the configuration required for exploiting is distinctly amateur.

They claim DHX is vulnerable, Kerberos is not; but it's "trivial" to change the scheme. This is true if you have root on the server box, but getting there should not be "trivial" in the first place. Even with DHX, you need to get admin privileges on a workstation box to start sniffing passwords. Again, that shouldn't be trivial in the first place. Admin accounts should only belong to trained administrative users, whether your OS is Windows, MacOS, or Linux. Sure, if you make every Tom, Dick, and Sue an admin you're highly vulnerable to social engineering attacks. On any OS. OSX permits and encourages privilege separation like any other OS; if you choose not to use it, you're an idiot, not "Enterprise IT".

A competently administered Mac network, with proper encryption, privilege separation, threat training, etc. should be no more vulnerable than any other if I'm reading this right (I read the slides from the presentation in addition to the almost useless article). The take home point shouldn't be "Don't use Macs", it should be "Treat Macs like every other client and server." They're not more vulnerable, they're just not full of magic hacker repelling pixie dust.

Re:All computers are less secure (0)

Anonymous Coward | more than 2 years ago | (#37032902)

It's also worth pointing out that the "exploits" for Macs these guys found require an amazing amount of stupidity on the part of the system/network admins.

As are the majority of all network type exploits, Apple or non Apple. What's your point?

Re:All computers are less secure (2)

DrgnDancer (137700) | more than 2 years ago | (#37032976)

That kinda is my point. If you do a bad job of building your network, it's going to be vulnerable, regardless of OS. If you do a good job (and MacOS has the tools to do a good job, the presentation points them out indirectly), you will be less vulnerable, regardless of OS. These guys are focusing on: "Don't use Macs in the enterprise" rather than the more obvious lesson: "Treat Macs in the enterprise with the same degree of care as any other machine with any other OS"

Re:All computers are less secure (1)

MacGyver2210 (1053110) | more than 2 years ago | (#37032952)

It's no more 'amateur' than the way these sites that keep getting hacked are setup, and they're supposedly enterprise-level business as well.

Re:All computers are less secure (2)

NeutronCowboy (896098) | more than 2 years ago | (#37033120)

Maybe. But I've heard too often that "Macs are more secure than Windows, so we don't need safety stuff." Mind you, this came from the guy who wanted to install an AV on all their Powerbooks, but handed out same Powerbooks without proper passwords, no password policy, no automatic lockdown and admin accounts to everyone.

I think these stories are valuable because you can show them to the twits in power who think that Macs are magically more secure, and drop every security practice there is.

Re:All computers are less secure (1)

DesScorp (410532) | more than 2 years ago | (#37032698)

You might want to go read the actual presentation.

It starts out with an exploit called Aurora, which compromises AD.

Whoops.

So the question is, if it's AD, are Macs using AD somehow more vulnerable than Windows boxes? Or is the threat equal and the article misrepresenting things?

Either way, is AD the real problem?

Re:All computers are less secure (1)

ByOhTek (1181381) | more than 2 years ago | (#37032040)

More a reply to your sig, in particular, the last book... You like alien pornos?

You may be the one who referenced him last week or the week before, but if not, I'd recommend Alistair Reynolds, since your other books suggest you can live with sci-fi lacking porn.

Re:All computers are less secure (1)

improfane (855034) | more than 2 years ago | (#37032116)

Uhhh...well. I cannot say I am massively into alien pornos, I don't really know for sure since I have not tried them. I don't mind romance or naughty bits in science fiction but as long as it does not distract from the science or depiction of the future.

Wait a minute, you tricked me!

Re:All computers are less secure (2)

WrongSizeGlass (838941) | more than 2 years ago | (#37032050)

All computers are less secure ... when you hook them up.

If that were true then hooking my computer up to the internet could end in disaster! It's a good thing I'm using a Siemen's SCADA firewall.

Re:All computers are less secure (0)

Anonymous Coward | more than 2 years ago | (#37032370)

Human beings also tend to get viruses when you hook them up...

Re:All computers are less secure (0)

Anonymous Coward | more than 2 years ago | (#37032786)

"Siemen's"? Wow.

Re:All computers are less secure (1, Flamebait)

ThisIsSaei (2397758) | more than 2 years ago | (#37032068)

I'd say it's sensationalist, but my bigger issue is that Apple doesn't make a secure OS, even with stand-alone setups.

Re:All computers are less secure (1)

improfane (855034) | more than 2 years ago | (#37032084)

Oh I should have read the article. It's a genuine exploit for Apple computers. It's also the Black Hat conference and not a media release. Apologies Slashdot crowd.

Just goes to show that all software has bugs and it is highly likely that those bugs include security bugs. Nobody is immune from making mistakes.

One thing I find amusing is that Apple deploys malware detection called XProtect based on string matching [avast.com] . It is irresponsible to say that Macs are completely immune from malware. Security on Macs can only go downhill as it becomes less obscure.

Re:All computers are less secure (1)

TWX (665546) | more than 2 years ago | (#37032088)

I have no love for Apple but even this article smells like astroturfing.

To me it sounds like there's two flaws that compound a problem. I don't know much about Apple's auth scheme, but I wouldn't be surprised if either the machines share credential information to such an extent that one infected machine ends up with a bunch of tasty data, or if there's a remote vulnerability that is normally not accessible when an Apple is behind a firewall and not on a direct network segment with another Apple. It's quite plausible that minimal firewalling like most cheap home broadband routers do is enough to block such a worm, but with a bunch of Apples on a LAN or overly generously routing WAN that there's nothing to stop such a spread.

Re:All computers are less secure (3, Insightful)

Anonymous Coward | more than 2 years ago | (#37032198)

...when you hook them up.

I have no love for Apple but even this article smells like astroturfing.

Can we please stop this Slashdot trend of calling everything that doesn't immediately fit into our worldview astroturfing. The article is sensationalist (duh, it's The Register!) but these are security researchers presenting at the Black Hat conference, check out other sources and the actual basis for their claim before immediately jumping to the astroturfing cop-out.

I've seen people with posting histories long as a mile proving they are Linux users and supporters getting called M$ astroturfers because they tried to be nuanced about facts and opinions in a discussion.

Re:All computers are less secure (1)

Anonymous Coward | more than 2 years ago | (#37032248)

Can we please stop this Slashdot trend of calling everything that doesn't immediately fit into our worldview astroturfing.

Of course, YOU'D say that. You're astroturfing.

Re:All computers are less secure (0)

Anonymous Coward | more than 2 years ago | (#37032344)

Sure, whatever you say, Mr. M$ Employee.

:)

Seriously though, Slashdot discussions generally have all the thought and reasoning of a barroom brawl. It's been that way as long as I've been hanging around here (about 10 years or so).

Re:All computers are less secure (1)

Dishevel (1105119) | more than 2 years ago | (#37032356)

But that is what astroturfing is!
The ability to instantly discount something you do not agree with by calling it names.

And? (3, Insightful)

Bert64 (520050) | more than 2 years ago | (#37032018)

Windows machines can be pretty secure on their own too, but once hooked up to an active directory domain they are only as secure as the weakest point...

Also, this seems to be a particular authentication scheme which is flawed, windows has similar flawed schemes (google: pass the hash).

Finally this just seems to be a stupid bug in a service used for pushing updates, and should therefore be relatively easy to fix.

Re:And? (2, Interesting)

Baloroth (2370816) | more than 2 years ago | (#37032176)

Read TFA. It is possible (trivially, supposedly) to force Macs to use DHX (the insecure protocol). So, essentially, even if you use the secure system, it doesn't matter. That is a bit troubling for OS X enterprise users, to say the least.

I suppose the lesson here is that after 15 years of being the #1 target, M$ might finally be starting to get its shit in a respectable state, while Apple, for all its theoretical security, has very little experience dealing with actual security issues. Or maybe it's just a random bug, IDK.

Re:And? (3, Funny)

NatasRevol (731260) | more than 2 years ago | (#37032360)

It's not a bug, it's a design difference. On Mac Server, it does fall back to simpler protocols because that's how it was often set up - no real sysadmins means no consistent use of strong authentication.

However, it would all go away if Apple required and ONLY allowed kerberos for authentication of any service from OS X Server. In other words, just like AD.

Having said that, this exploit still requires an admin password to escalate privileges - which isn't typically given in a corporate setting. In other words, admin passwords can do admin things.

Re:And? (2)

Bert64 (520050) | more than 2 years ago | (#37032634)

AD doesn't require and exclusively make use of kerberos, it can (and by default does, although which ones depend on the version) use weaker authentication schemes (ntlm, ntlmv2, lanman)... Apparently the hash passing vulnerabilities also exist when using kerberos only, it's just that tools to exploit this are not publicly available to do this yet.

Re:And? (1)

Bert64 (520050) | more than 2 years ago | (#37032604)

But it doesn't *require* DHX, therefore it should be a relatively easy patch to make it possible to force DHX off at all times.

Re:And? (2, Insightful)

sl4shd0rk (755837) | more than 2 years ago | (#37033084)

...while Apple, for all its theoretical security, has very little experience dealing with actual security issues. Or maybe it's just a random bug, IDK.

Exactly. The bigger picture is concerning because Apple really *is* poised to become the Next Big Thing on the Desktop (Sorry Linux. You're awesome, but slaying the n00bs will never get you on the Desktop). Hopefully Apple will do a better job at fixing vulnerabilities than Microsoft did. The users are (as usual) going to be key however because (FTFA - pdf link):

    * Apple users feel safe because they have no history of exploitation
    * Apple users tend to be just as ignorant as anyone else
          - Go ahead and run this unsigned binary
          - Who needs AV ?
    * 14% of all publicly disclosed OS exploits in 2008 affected OSX
    * 1,151 CVEs in past 3 years affected Apple (Windows was 1,325)
    * Mac users not paranoid like Win users so may be easier to socially engineer


Re:And? (1)

WaffleMonster (969671) | more than 2 years ago | (#37032354)

Windows machines can be pretty secure on their own too, but once hooked up to an active directory domain they are only as secure as the weakest point...

Just because a windows computer has joined a domain does not mean the domain now has root or for that matter *any* access to the local computer. It is still determined by local policy.

Also, this seems to be a particular authentication scheme which is flawed, windows has similar flawed schemes (google: pass the hash).

Windows of today uses kerberos.

Re:And? (0)

Anonymous Coward | more than 2 years ago | (#37032532)

actually the default behavior when you join a domain is to place the domain admin group in the local administrators group, thereby giving domain admins local admin privileges by default. Also, by being in the domain, the domain can automatically enforce computer policy which can basically do anything to a windows PC.

Re:And? (3, Informative)

Revotron (1115029) | more than 2 years ago | (#37032758)

I do have modpoints, but unfortunately there is no "-1, Wrong" rating. And unlike other people, I will not substitute Troll, Overrated or Flamebait.

But anyway, back to the topic at hand... uh, where the hell do you work? I work in a very Windows-heavy environment, and every time we add any Windows boxen to the domain, the domain admins get automatic admin rights. There's nothing we can do to stop it. This is a 10,000+ workstation university, though, so at least they're distant and maybe (only maybe) competent enough to not abuse it.

Re:And? (0)

Anonymous Coward | more than 2 years ago | (#37033000)

The bigger issue is why the hell is ANYONE using a full domain administrator account and why does anyone except for maybe two people and a locked safe have the password? The problem is not the MS implementation, it is your administrators.

Oh, and you can block domain administrator rights (or anyones rights) from propagating to places you don't want them. We do this on purpose for many reasons in our AD structure.

Re:And? (4, Insightful)

Bert64 (520050) | more than 2 years ago | (#37032764)

Under a typical/default configuration, a domain has full control over a local machine once it has been joined to the domain... But that's not the point, the fact that having compromised the *server* you can take control of the *clients* is a given in any distributed authentication scheme, be it nis, kerberos, ldap or whatever...

The problem discussed in the article is that having compromised a single *client* you can take control of the server or other clients. Windows has such problems too, for instance once a domain user is logged in their password hash is stored on the system where it can be retrieved and then used. Also since most machines are built from images, local admin passwords are often the same and thanks to hash passing vulnerabilities can be used immediately without having to crack them (and as such irrespective of how strong the password is).

Windows of today still has NTLM and NTLMv2 enabled by default... It also still supports LANMAN although that is disabled by default in the latest versions. It is also apparently possible to do hash passing attacks even with only kerberos enabled, although I'm not aware of tools for doing that being widely available yet.

Ideally compromising a single client should get you nowhere (and many admins incorrectly assume this to be true)... But as some recent high profile attacks show, a serious attack can easily start from a single unimportant workstation, and there are many ways to compromise a single workstation (social engineering, browser exploit, malicious document exploiting whatever app they open it with etc)...

What is really needed, is a complete rethink of the old perimeter defence model... Although you can (and should) take steps to reduce the chances of the perimeter being breached in the above ways, if you don't pay attention to internal security then once a single small breach has happened it's game over for you.

One morning (1)

AHuxley (892839) | more than 2 years ago | (#37032104)

I found 10.7 with Airport turned on and little snitch (software outgoing firewall for Mac OS X) needing to be reinstalled....
Could it be?

ANARCHY IN THE UK !! SAYS THE ANTI-CHRIST !! (-1)

Anonymous Coward | more than 2 years ago | (#37032126)

Right !! now !!
ha ha ha ha ha (Cause it's true !!)

I am the anti-christ
I am an anarchist
Don't know what I want
But I know how to get it
I wanna destroy passer-by

Cause I wanna be anarchy
No douchebaggy

Anarchy for the UK
It's coming sometime and maybe
I give a wrong time stop at traffic line
Your future dream is a sharpie's scheme

Cause I wanna be anarchy
In the city

How many ways to get what you want
I use the best
I use the rest
I use the N-M-E
I use anarchy

Cause I wanna be anarchy
It's the only way to be

Is this the M-P-L-A or
Is this the U-D-A or
Is this the I-R-A
I thought it was the UK
Or just another country
Another council tenancy

I wanna be anarchy
And I wanna be anarchy
Oh what a name
And I wanna be an-anarchist
I get pissed, destroy, Will Robinson, mofos !!

Lalalalalalala (0)

JustAnotherIdiot (1980292) | more than 2 years ago | (#37032130)

I'm not listening! My Mac is perfect in every shape, form, and fashion, Steve Jobs said so! Clearly you hackers are lying, and put windows in those machines!

Re:Lalalalalalala (0)

whiteboy86 (1930018) | more than 2 years ago | (#37032334)

Happy times! Macs are perfect, protected by the genius design of OSX and blessed by SJ himself. Windows nerds are just spreading lies and fearmongering. I've never got any virus or got hac

Re:Lalalalalalala (0)

Anonymous Coward | more than 2 years ago | (#37033136)

Clearly, these users are using Their(tm) Macs wrong! Of course you're not supposed to place these precious, precious creatures — each of them one of Steve's own creations, no less — in such a hostile, Jobs-less environment! How could anyone be so cruel?

Mac's lacking Enterprise tools that windows has (1)

Joe_Dragon (2206452) | more than 2 years ago | (#37032142)

Macs are lacking Enterprise tools that windows has.

At least apple should let you run mac os X server on ANY VM on any hardware.

Re:Mac's lacking Enterprise tools that windows has (-1)

Anonymous Coward | more than 2 years ago | (#37032302)

Why would Apple want to let you do that? Apple is a hardware company. It's one thing to argue they should let you run OSX on any VM on any Mac hardware, but why should they let you run OSX on any VM on any Dell or IBM or HP?

Re:Mac's lacking Enterprise tools that windows has (0)

Anonymous Coward | more than 2 years ago | (#37032924)

I find it really hard to call Apple a hardware company with respect to their Mac offerings, when 99% of their hardware is off the shelf parts.

Is DHX enterprise grade? (4, Insightful)

Midnight Thunder (17205) | more than 2 years ago | (#37032146)

Reading the tech note (marked archived) it makes it appear that DHX is an optional install and it is not clear. Also, doesn't MacOS X also provide enterprise grade solutions for authentication? Kerberos is available out of the box if I understand, for example.

BTW With the description "The DHX (Diffie-Hellman Exchange) UAM provides a relatively secure way to transport cleartext passwords..." (emphasis mine),
I am not sure you would want to use this for anything serious.

Re:Is DHX enterprise grade? (0)

Anonymous Coward | more than 2 years ago | (#37032534)

Any problems would be in the implementation rather than the actual Diffie–Hellman key exchange method [wikipedia.org] as it's used in so many cryptographically secure protocols it's a joke.

Re:Is DHX enterprise grade? (0)

Anonymous Coward | more than 2 years ago | (#37032568)

It's not like Diffie-Hellman is the foundation of public key cryptography or anything. Their implementation is what it says on the tin. Why don't you go read about cryptography; then you can actually make informed comments about their algorithms instead of fearmongering.

Re:Is DHX enterprise grade? (1)

Midnight Thunder (17205) | more than 2 years ago | (#37032794)

I'll admit I don't have much experience in the realm of crypto, but on the tin it did have labelled "relatively secure" as opposed to "secure". Sure, I may be misreading the label and it may be Apple's way of saying "it is secure, but we won't guarantee it legally"?

Also, if the tech note is marked "archived", what is the current status of DHX in Lion?

Re:Is DHX enterprise grade? (1)

Anonymous Coward | more than 2 years ago | (#37032772)

To demonstrate the threat, they developed a proof-of-concept that runs on a Mac connected to a local area network. It waits to be contacted by a machine running OS X server and then quickly copies all its authentication credentials. Next, it contacts other Macs on the network and pretends to be the administrator machine, and when they respond it is able to steal valuable data.

There's nothing wrong with the Diffie-Hellman Key Exchange as long as you know what it's meant for, and it's not meant for authentication it's used for sharing a secret over an insecure channel. It's vulnerable to man-in-the-middle attacks and this is exactly what is happening here. It's a problem with their protocol not the cryptography.

Easy fix, for lazy administrators (5, Informative)

schmidt349 (690948) | more than 2 years ago | (#37032150)

defaults write com.Apple.AppleShareClient afp_cleartext_allow -bool NO

There, that wasn't so hard, was it? Oh, and their hack only works if the server is on the same subnet as the other machines, which is a really bad idea for secure networks to begin with.

To be sure, keeping Diffie-Hellman around in an era when sending plaintext passwords is anathema was pretty stupid, but you can bet that it'll be dead and gone in 10.7.1. This hack is not nearly as scary or as "persistent" as all that, and conveniently their paper isn't available for download and perusal. Looks like they just wanted their names in the news.

Next up, these same hackers break DES and show you how to infiltrate BSD 3! What will they think of next?

No Way... (0)

Anonymous Coward | more than 2 years ago | (#37032154)

This "exploit" only works when users do stupid things. OSX isn't perfect or secure by any stretch of the imagination, but it's no more vulnerable than any other OS when users install malware.

Thanks (0)

Anonymous Coward | more than 2 years ago | (#37032162)

Hey Doodz! You 1337 hax0r5. I appreciate the heads up. Now I expect Apple to improve their encryption and secure this protocol in the next update. Suddenly, Macs will be more secure than Windows, again.

Frankly, this reminds me of the weak sauce that is LANMAN which still haunts us to this day.

wtf? (1)

mark-t (151149) | more than 2 years ago | (#37032164)

FTA:

To demonstrate the threat, they developed a proof-of-concept that runs on a Mac connected to a local area network. It waits to be contacted by a machine running OS X server and then quickly copies all its authentication credentials. Next, it contacts other Macs on the network and pretends to be the administrator machine, and when they respond it is able to steal valuable data.

Why is the server transmitting any authentication credentials to a machine that it hasn't actually confirmed is supposed to be receiving them in the first place?

I understand the point of DHX... it's ideal for secure communication on an otherwise open channel, but it's just plain stupid to use it to talk between strangers... you have to use another protocol along side it to really verify the identity of the listener and sender.
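The point the two comments above make (an unauthenticated Diffie-Hellman exchange gives both ends a key but tells neither of them who holds the other end, so identity has to be verified by something alongside it) can be shown in a few lines. The following is an added illustration, not code from the thread or from Apple's DHX: it runs a toy DH exchange over a "path" that either forwards values honestly or replaces them with its own, first with bare DH and then with each public value bound to a pre-shared long-term key by an HMAC. The group parameters, the pre-shared key and the role names are constructed for the example.

```python
# Added example (not from the Slashdot thread): why an unauthenticated
# Diffie-Hellman exchange cannot, by itself, tell an endpoint whom it is
# talking to, and how binding each public value to a long-term secret
# lets the endpoint reject a substituted value instead of silently
# deriving a key with the wrong party.
import hashlib
import hmac
import secrets
from typing import Callable, Optional, Tuple

# Constructed toy group: p is the Mersenne prime 2^127 - 1, far too small
# for real use, chosen only so the arithmetic is fast and readable.
P = (1 << 127) - 1
G = 2


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(peer_pub: int, priv: int) -> bytes:
    # Derive a fixed-size key from the shared group element.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


class Endpoint:
    """One party: an ephemeral DH private value plus, optionally, a long-term
    pre-shared key (psk) used to authenticate its public value."""

    def __init__(self, role: str, psk: Optional[bytes] = None):
        self.role = role
        self.psk = psk
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = dh_public(self.priv)

    def _tag(self, role: str, pub: int) -> bytes:
        msg = role.encode() + pub.to_bytes(16, "big")
        return hmac.new(self.psk, msg, hashlib.sha256).digest()

    def offer(self) -> Tuple[int, bytes]:
        # Bare DH sends only the public value; authenticated DH adds a tag
        # that only a holder of the psk can produce.
        return self.pub, (self._tag(self.role, self.pub) if self.psk is not None else b"")

    def accept(self, peer_role: str, peer_pub: int, tag: bytes) -> Optional[bytes]:
        if self.psk is not None and not hmac.compare_digest(self._tag(peer_role, peer_pub), tag):
            return None  # value not vouched for by the psk holder: reject
        return dh_shared(peer_pub, self.priv)


Path = Callable[[str, int, bytes], Tuple[int, bytes]]


def honest_path(role: str, pub: int, tag: bytes) -> Tuple[int, bytes]:
    return pub, tag


def substituting_path() -> Path:
    # Models an in-path party that replaces every public value with its own
    # (it cannot forge a tag, so it forwards the original one unchanged).
    inpath = Endpoint("in-path")
    return lambda role, pub, tag: (inpath.pub, tag)


def run_exchange(client: Endpoint, server: Endpoint, path: Path) -> str:
    c_pub, c_tag = path("client", *client.offer())
    s_pub, s_tag = path("server", *server.offer())
    k_client = client.accept("server", s_pub, s_tag)
    k_server = server.accept("client", c_pub, c_tag)
    if k_client is None or k_server is None:
        return "rejected"
    # Bare DH completes either way; only the authenticated form notices.
    return "agreed" if k_client == k_server else "silently mismatched"


def demo() -> dict:
    psk = secrets.token_bytes(32)  # constructed long-term secret shared out of band
    return {
        "plain/honest": run_exchange(Endpoint("client"), Endpoint("server"), honest_path),
        "plain/substituted": run_exchange(Endpoint("client"), Endpoint("server"), substituting_path()),
        "authenticated/honest": run_exchange(Endpoint("client", psk), Endpoint("server", psk), honest_path),
        "authenticated/substituted": run_exchange(Endpoint("client", psk), Endpoint("server", psk), substituting_path()),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} {outcome}")
```

The "silently mismatched" outcome is the one that matters: with bare DH both endpoints finish the handshake and hold a key, but each key is shared with the in-path party rather than with each other, and nothing in the protocol flags it. The HMAC binding is the simplest stand-in for "another protocol alongside it"; a signature over the transcript with a long-term public key, or Kerberos as mentioned elsewhere in the thread, plays the same role.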

mormormonic boys choir to release 2nd organic cd (-1)

Anonymous Coward | more than 2 years ago | (#37032170)

tones never heard before hormonic alteration. on CDs made of recycled hymens. nature wins again?

babylon has fallen, again. the whore remains safe with council members. on to mebotuh, is the chant of the continuously submerged southern hillarians.

still showing up here there & everywhere

should it not be considered that the domestic threats to all of us/our
freedoms be intervened on/removed, so we wouldn't be compelled to hide our
sentiments, &/or the truth, about ANYTHING, including the origins of the
hymenology council, & their sacred mission? with nothing left to hide,
there'd be room for so much more genuine quantifiable progress?

you call this 'weather'? much of our land masses/planet are going under
water, or burning up, as we fail to consider anything at all that really
matters, as we've been instructed that we must maintain our silence (our
last valid right?), to continue our 'safety' from... mounting terror.

meanwhile, back at the raunch; there are exceptions? the unmentionable
sociopath weapons peddlers are thriving in these times of worldwide
sufferance? the royals? our self appointed murderous neogod rulers? all
better than ok, thank..... us. their stipends/egos/disguises are secure,
so we'll all be ok/not killed by mistaken changes in the MANufactured
'weather', or being one of the unchosen 'too many' of us, etc...?

truth telling & disarming are the only mathematically & spiritually
correct options. read the teepeeleaks etchings. see you there?

diaperleaks group worldwide.

Sounds Like Windows95 (1)

Anonymous Coward | more than 2 years ago | (#37032192)

We're not moving backwards here, are we?

Re:Sounds Like Windows95 (0)

Anonymous Coward | more than 2 years ago | (#37032266)

How about you STFU while the grown-ups talk, OK?

Re:Sounds Like Windows95 (-1)

Anonymous Coward | more than 2 years ago | (#37032328)

You tell the boy, slut. We grlz need to stick together like lezzies in a field of dreamz.

Users with admin rights? (2)

Udo Schmitz (738216) | more than 2 years ago | (#37032234)

Do I understand their presentation correctly? Users in said Enterprise have admin privileges?

Re:Users with admin rights? (0)

Anonymous Coward | more than 2 years ago | (#37032350)

"Users in said Enterprise have admin privileges?"

Lt Cdr Data
Lt Cdr LaForge
Lt Worf
Cdr Riker
Capt Jean Luc Picard

I don't think that Ens Wesley Crusher should have admin privileges, but he's probably hacked the system anyway

Re:Users with admin rights? (0)

Anonymous Coward | more than 2 years ago | (#37032814)

Are there any actual software administration type systems that call for multiple admins to enter credentials for sensitive processes (ie blowing up the ship)?

Re:Users with admin rights? (3, Insightful)

NatasRevol (731260) | more than 2 years ago | (#37032376)

Yeah, which is not the case most of the time.

Users with admin passwords can do admin things. Duh.

Meaning this 'exploit' isn't much of an exploit.

Re:Users with admin rights? (1)

BradleyUffner (103496) | more than 2 years ago | (#37032384)

Do I understand their presentation correctly? Users in said Enterprise have admin privileges?

Yes, and typically the admin of the system has admin privileges. It may not be good practice to run a normal account with admin rights, but every company I've worked for has done it. Typically more than just that user has admin rights too: other tech support people, and even some of the higher level programmers, seem to get admin rights to the domain (not just the local system).

Re:Users with admin rights? (4, Insightful)

CapuchinSeven (2266542) | more than 2 years ago | (#37032400)

No, you got it, this is a load of rubbish and is being presented as some sort of reason to bash Macs. If you're an Admin and you let your users have admin rights, you shouldn't be in your job. Interestingly, as I understand it, the same vulnerability used on Microsoft's AD doesn't need an admin password. So... how does that make any sense that Macs in enterprise are more vulnerable...?

Re:Users with admin rights? (0)

Anonymous Coward | more than 2 years ago | (#37032528)

the same vulnerability used on Microsoft's AD doesn't need an admin password

Citation needed

Re:Users with admin rights? (1)

NatasRevol (731260) | more than 2 years ago | (#37032572)

I didn't see the actual presentation, but the exploit at the beginning of the presentation shows an AD hack, and doesn't mention needing passwords - just clicking on a malicious link.

Mac is not for the enterprise (1, Insightful)

erroneus (253617) | more than 2 years ago | (#37032320)

This should be no surprise to anyone. MacBook, MacBook Pro, iMac, Macmini, and Mac Pro are not enterprise machines. The service and support offered by Apple to Enterprise customers is below the needs of an enterprise environment. Mac OS X is increasingly more consumer oriented as well. And I think it is no secret that Apple has been pulling anything that resembles Enterprise -anything and focusing more on consumer-side things.

So... is this a surprise?

Re:Mac is not for the enterprise (1)

CapuchinSeven (2266542) | more than 2 years ago | (#37032412)

As I said above, there is no surprise, but not for the reasons you've suggested. To make this work, a user is required to enter an admin password. If you're an Admin and you let your users have admin rights, you shouldn't be in your job, and as I understand it, the same vulnerability used on Microsoft's AD doesn't need an admin password. So, how does that make any sense that Macs in enterprise are more vulnerable?

Re:Mac is not for the enterprise (0)

jedidiah (1196) | more than 2 years ago | (#37032590)

Having a smart attacker anywhere inside your network is a problem. In a corporate environment, your weakest link is the person sitting in the chair and the biggest problem is social engineering. This is more of an internal threat posed by a determined and dedicated attacker rather than the usual sorts of browse by infections you get from visiting the wrong web site.

Whether or not MacOS is "sturdy" under these conditions seems to be the least important aspect of the entire situation.

The version of Windows you are running already gave away the corporate family jewels remotely already.

Easy bug to fix (0)

Anonymous Coward | more than 2 years ago | (#37032396)

DHX is an obsolete authentication system that has been replaced by Kerberos. It is virtually unused these days - especially not in an Enterprise setting. I'm surprised to find that it's still installed.

There are several trivial fixes for the problem that Apple can implement. Heck, simply disabling DHX would fix the problem - only ancient networks would be affected.

It seems to be a total over-reaction to recommend not installing Mac because someone found an easily fixable bug. If that was the case with other systems, nothing would ever be installed.

So... practical linux attacks next? (4, Insightful)

mark-t (151149) | more than 2 years ago | (#37032404)

It's my understanding that Linux has even more widespread enterprise adoption than Mac does... so does that mean that we get to see a Linux exploit next?

And when someone does... any bets on how many hours it will take from actual publication of said exploit until a fix is available? My money's on it being fast enough that by the time most people who might want to exploit it have heard about it, that a fix will already be available, and attentive sysadmins will have already patched their servers.

Client/Server (0)

Anonymous Coward | more than 2 years ago | (#37032730)

It's my understanding that Linux has even more widespread enterprise adoption than Mac does.

Linux has vastly more enterprise adoption in the server room.
Mac OS has more enterprise adoption on the desktop.

This was a desktop/workgroup attack.

Re:So... practical linux attacks next? (1)

Registered Coward v2 (447531) | more than 2 years ago | (#37032734)

It's my understanding that Linux has even more widespread enterprise adoption than Mac does... so does that mean that we get to see a Linux exploit next?

While Linux has a strong following in several critical areas of the enterprise, such as servers, this really wasn't about server exploits. Sure, it needed a server to work, but it really was about individual desktops and laptops being used to compromise others from a non-server machine. Since Linux has very low desktop / laptop adoption compared to even Macs, I'd say it's doubtful anyone would even try to exploit it. Even if they did, someone would have to be actively looking to detect it - I doubt they'd simply submit a kernel patch to spread the exploit.

How many people are actively looking at ways to exploit Linux on the desktop? Very few I'd guess because it simply isn't a worthwhile target yet.

Not surprised (0)

Anonymous Coward | more than 2 years ago | (#37032408)

Windows has been more secure than Mac.

WE ARE PC.

Always need more info (1)

joshhibschman (2051312) | more than 2 years ago | (#37032558)

Does this hack still work if people have all remote access disabled on their machines? Is there / will there be a response from Apple on the issue?

propostureous (0)

Anonymous Coward | more than 2 years ago | (#37032792)

Steve Jobs is always right

Physical Access (0)

Anonymous Coward | more than 2 years ago | (#37033072)

They have to have physical access. All bets are off with physical access, as quite simply, you can even install a new OS (if they know what they are doing, the data and OS will be on separate drives). All bets are off if they have physical access to the machine.

Apple's ignoring it (0)

Anonymous Coward | more than 2 years ago | (#37033154)

This vulnerability was discussed on a call with our Apple representatives today, and their response to me was that "Apple does not respond to or comment on articles from small websites such as this."

I guess ostrich syndrome is alive and well in Cupertino.