Black Hat researchers say Macs are insecure in the enterprise
August 8, 2011
A high-profile security presentation is telling enterprise clients not to deploy Macs in large networked fleets, because of weaknesses discovered in the way the operating system's server component authenticates machines.
Last week at the Black Hat security conference in Las Vegas, researchers from iSec Partners said large fleets of Macs are in many ways more vulnerable to advanced persistent threats (APTs) than networks built on recent versions of Windows. APTs are usually the work of state-sponsored hackers who go to great lengths to infiltrate government and corporate networks with malware that steals classified information and proprietary data.
iSec's recommendation rests on the assumption that a small percentage of employees in any large business or government organization will be tricked into installing malicious software, no matter what platform they use.
The problem with Macs stems from OS X Server, which administrators use to push updates and manage large numbers of machines. The server's authentication routine is inherently insecure, making it trivial for a single infected OS X computer to compromise others, said iSec CTO Alex Stamos.
“With a large enterprise base, you have to assume that people are going to get tricked into installing malware. It's not if, but when. You can't assume that you'll never have malware somewhere in a network. You have to focus on parts where a bad guy goes from owning Bob the HR employee to become Sally the domain admin,” added Stamos.
At the heart of the Mac server's insecurity is a proprietary authentication scheme known as DHX that is trivial to subvert. While Mac servers can use the much more secure Kerberos protocol for authenticating Macs on local networks, Stamos and fellow iSec researchers Paul Youn, Tom Daniels, Aaron Grattafiori, and William Orvis found it was trivial to force OS X Server to fall back to Apple's insecure protocol.
To demonstrate the threat, they developed a proof-of-concept that runs on a Mac connected to a local area network. It waits to be contacted by a machine running OS X Server and then quickly copies all of that machine's authentication credentials.
Next, it contacts other Macs on the network and pretends to be the administrator machine; when they respond, it is able to steal valuable information from them.
“If we go into an enterprise with a Mac and run this tool we will have dozens or hundreds of passwords in just a couple of minutes,” Stamos said. He also faulted OS X Server for its lack of channel binding, the mechanism that ties an authentication handshake between two machines to the rest of the transaction that follows, so that a handshake captured on one connection cannot be reused on another.
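The two weaknesses described above, fallback to a weaker mechanism and a handshake that is not bound to the negotiation that produced it, are generic protocol-design problems. The following toy model, added here as an illustration and not code from iSec or Apple, shows how an on-path attacker who can rewrite a client's list of offered mechanisms forces the weak one, how binding the negotiation transcript under the authenticated session key detects that rewrite, and why a client-side policy of refusing the weak mechanism is the more robust fix. The mechanism names, the strength ordering, the session key and the wire format are all assumptions; nothing here models DHX or Kerberos as actually implemented.

```python
"""Toy model of an authentication-mechanism downgrade and two defences:
transcript binding (detects an attacker who rewrote the negotiation) and a
client-side minimum-strength policy (refuses the weak mechanism outright).
Constructed example; it does not model Apple's DHX or Kerberos wire formats."""
import hashlib
import hmac

# Relative strength of the mechanisms in the toy (assumed ordering, not a measurement).
STRENGTH = {"KERBEROS": 2, "DHX": 1}


def pick_mechanism(offer, server_supports):
    """Server side: choose the strongest mechanism both sides support."""
    common = [m for m in offer if m in server_supports]
    if not common:
        raise ValueError("no common mechanism")
    return max(common, key=STRENGTH.__getitem__)


def transcript_tag(key, offer, chosen):
    """MAC over the negotiation as one party saw it: the offered list plus the result."""
    msg = ("|".join(offer) + "->" + chosen).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def strip_strong(offer):
    """An on-path attacker's rewrite: leave only the weakest offered mechanism."""
    weakest = min(offer, key=STRENGTH.__getitem__)
    return [weakest]


def negotiate(client_offer, server_supports, session_key, tamper=None,
              bind_transcript=True, min_strength=1):
    """Run one negotiation.

    tamper          -- optional function the attacker applies to the offer on the wire
    bind_transcript -- both sides MAC the negotiation under the authenticated session key
    min_strength    -- client policy: refuse any mechanism weaker than this
    Returns (chosen_mechanism, accepted).
    """
    wire_offer = tamper(list(client_offer)) if tamper else list(client_offer)
    chosen = pick_mechanism(wire_offer, server_supports)

    # Policy check: the most robust defence is to never accept the weak mechanism.
    if STRENGTH[chosen] < min_strength:
        return chosen, False

    if not bind_transcript:
        return chosen, True  # nothing ties the handshake to what the client really sent

    # Each side MACs the negotiation *it* observed. The session key is assumed to come
    # out of the authentication itself and to be unknown to the on-path attacker.
    server_tag = transcript_tag(session_key, wire_offer, chosen)
    client_tag = transcript_tag(session_key, client_offer, chosen)
    return chosen, hmac.compare_digest(server_tag, client_tag)


def run_scenarios():
    """Constructed inputs: a client that offers both mechanisms, a server that accepts both."""
    key = b"session-key-derived-from-authentication"  # assumed shared secret for the toy
    offer = ["KERBEROS", "DHX"]
    supports = ["KERBEROS", "DHX"]
    return {
        "honest": negotiate(offer, supports, key),
        "downgrade_unbound": negotiate(offer, supports, key, tamper=strip_strong,
                                       bind_transcript=False),
        "downgrade_bound": negotiate(offer, supports, key, tamper=strip_strong),
        "downgrade_policy": negotiate(offer, supports, key, tamper=strip_strong,
                                      min_strength=2),
    }


if __name__ == "__main__":
    for name, (mech, ok) in run_scenarios().items():
        print(f"{name:18s} mechanism={mech:8s} accepted={ok}")
```

The transcript check only helps while the attacker does not hold the session key. If the weak mechanism itself leaks that key, which is what the researchers claim about DHX, the attacker can forge the tag as well, so the `min_strength` policy (disabling the fallback entirely) is the defence that actually holds.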
The iSec research comes less than two years after sophisticated hackers exploited a variety of security holes in Windows computers and servers to infiltrate the networks of Google and dozens of other companies. In response, the search engine company reportedly phased out internal use of the Microsoft platform, mostly in favor of OS X. If the iSec findings hold, Google may now face security issues comparable to those it had when it was using Windows machines.
Like many other researchers, Stamos praised a variety of advanced security protections built into Lion, the latest version of OS X. Among them is a design that isolates different application processes into their own sandbox that is separated from sensitive parts of the OS to minimize the damage that can be done by attackers.
Apple OS engineers have made it simple for even small third-party developers to sandbox their specific applications. Windows sandboxing, by contrast, is so hard that it can usually be implemented only by large software manufacturers such as Adobe, and even then the results are still unpredictable, Stamos said.
But Stamos was quick to point out that these defenses aren't enough to protect large organizations, even as those organizations look for ways to resist the types of attacks that ransacked Google, or the more recent APT campaign that afflicted at least 70 large organizations for as long as two and a half years.
“Our suggestion is for enterprises not to do that. Macs are fine as long as you run them as little islands, but once you hook them up to each other, they become much less secure,” added Stamos.
In other internet security news
According to a U.S. grand jury indictment, a resident of Las Vegas, Nevada is accused of sending more than 27 million spam e-mail messages to Facebook users, and the man now faces federal fraud and computer tampering charges that could send him to federal prison for more than 40 years.
Self-proclaimed "Spam King" Sanford Wallace pleaded not guilty during an initial court appearance on August 4 after being indicted on July 6 on six counts of electronic mail fraud, three counts of intentional damage to a protected computer and two counts of criminal contempt.
The indictment filed in San Jose federal court said Wallace compromised about 500,000 Facebook accounts between November 2008 and March 2009 by sending massive amounts of spam through the company's servers on three separate occasions.
Wallace would collect Facebook user account information by sending "phishing" messages that tricked users of the social networking site into providing their passwords, the indictment said.
He would then use that information to log into their accounts and post spam messages on their friends' Facebook walls, the indictment said.
Those who clicked on the link, thinking it came from their friend, were redirected to websites that paid Wallace for the Internet traffic.
In 2009, Palo Alto-based Facebook sued Wallace under federal anti-spam laws known as CAN-SPAM, prompting a judge to issue a temporary restraining order banning him from using the website. The indictment alleges he violated that order within a month, prompting the criminal contempt charges.
The judge in the lawsuit ultimately issued a default judgment against Wallace for $711 million, one of the largest-ever anti-spam awards, and referred him for possible criminal prosecution.
The indictment came after a two-year investigation of Wallace by the FBI, prosecutors said.
"We will continue to pursue and support both civil and criminal consequences for spammers or others who attempt to harm Facebook or the people who use our service," Chris Sonderby, Facebook's lead security and investigations counsel, said in a statement.
Wallace was released after posting $100,000 bond Thursday, and he's due back in court on Aug. 22.
"Mr. Wallace looks forward to defending himself," his lawyer, K.C. Maxwell, said Friday, declining further comment.
Wallace, 43, earned the monikers "Spam King" and "Spam Ford" as head of a company named Cyber Promotions that sent as many as 30 million junk emails per day in the 1990s.
In May 2008, social networking site MySpace won a $230 million judgment over junk messages sent to its members when a Los Angeles federal judge ruled against Wallace and his partner, Walter Rines, in another case brought under the same anti-spam laws cited in the Facebook lawsuit.
In 2006, Wallace was fined $4 million after the Federal Trade Commission accused him of running an operation that infected computers with software that caused flurries of pop-up ads, known as spyware.
If convicted on all counts in the latest criminal case, Wallace could face more than 40 years in federal prison and a $2.5 million fine.
In other internet security news
Scotland Yard officers investigating phone-hacking and police corruption claims at News Corp arrested a man on Tuesday on suspicion of being involved in the crimes.
"At 10:50 AM on Tuesday, Aug. 2nd, officers from Operation Weeting together with officers from Operation Elveden arrested a 71-year-old man on suspicion of conspiring to intercept communications, contrary to Section (1) of the Criminal Law Act of 1977 and on suspicion of corruption allegations contrary to Section 1 of the Prevention of Corruption Act 1906," said Scotland Yard in a statement.
The man was arrested by appointment and is currently in custody at a North London police station. The Metropolitan Police reopened its investigation into phone-tapping allegations at News International's now-defunct tabloid News of the World in January 2011, ordering a fresh probe called Operation Weeting.
Source: The Black Hat Security Conference.