back to article Beware of Macs in enterprise, security consultants say

Apple may have built its most secure Mac operating system yet, but a prominent security consultancy is advising enterprise clients to steer clear of adopting large numbers of the machines. At a talk last week at the Black Hat security conference in Las Vegas, researchers from iSec Partners said large fleets of Macs are in many …

COMMENTS

This topic is closed for new posts.
  1. Eric O'Brien

    What if no Mac Server?

    Is the weakness specifically in Mac OS *Server?*

    That is, will things be OK if you have hundreds, or thousands, of Macintosh machines but NO Macintosh servers?

    1. Marvin the Martian
      Paris Hilton

      It seems so.

      It seems to be a OSX Server vulnerability specifically.

      But I find it a bit of a swooping conclusion --- buying into a platform or not based on a specific vulnerability? Next week the same guy comes up with one of the many cross-site scripting windows vulnerabilities and suggests to avoid PCs?

      1. Anonymous Coward
        FAIL

        XSS?

        XSS vulnerabilities are independent of the operating systems involved.

        1. Anonymous Coward
          FAIL

          But it's not anything to do with XSS, it's a problem in the DHX network authentication protocol.

          FAIL yourself, idiot. RTFA.

          1. Anonymous Coward
            Mushroom

            You will note that my post is in reply to a previous post.

            I was therefore addressing an issue with that commenter's post and not with the FA.

            Maybe you should RTFC?

    2. Matt Bryant Silver badge
      Boffin

      RE: What if no Mac Server?

      "......That is, will things be OK if you have hundreds, or thousands, of Macintosh machines but NO Macintosh servers?" Well, you will have stopped this one vulnerability, but you will have left yourself with a massive admin task for updates. Most companies have standard builds for their desktops and servers, and tools to help them push out updates and additions (or removals) from those builds. Those tools usually provide significant savings over employing large numbers of PFYs to run around and manually update each machine. In the case you suggest, you would need to manually run around and update your hundreds or thousands of Macs.

  2. Christian Berger
    Facepalm

    Macs insecure?

    Oh my, so the non-existence of any security, like for example a proper package manager, might actually lead to insecurity? Oh my, that's a bold statement Captain Obvious.

    1. Anonymous Coward
      Thumb Down

      That requires...

      ..that all software registers with the package manager in the first place.

      Guess what? Malware doesn't want to be found, noticed or recognised. So it won't.

      And a package manager will stop the user from clicking "install software xxx using admin rights?" how, exactly?

  3. Anonymous Coward
    Anonymous Coward

    Just to clarify...

    ...the problem i in OS X server but corporations should avoid all OS X versions ?

    That is like saying "The problem is really in Windows XP but you should avoid all versions of Windows."

    btw. Google didn't change their Windows servers to OS X servers, all Google is run on Linux servers.

    1. pan2008

      that explains it

      That explains then why they have 960,00 servers, see earlier article in the register. May God bless them with a million.

  4. jake Silver badge

    To say nothing of the fact that it's trivial ...

    ... to boot a Mac into single user mode, if you have access to the keyboard (no removable media or network access needed). Apple computers are NOT what I consider secure in an enterprise environment.

    1. This post has been deleted by its author

      1. jake Silver badge

        @ Jose Cardoso

        Firmware passwords don't stop users from booting into single user.

        Active Directory is an 'orrible, 'orrible, Redmondian kludge ...

        1. This post has been deleted by its author

          1. jake Silver badge

            @Jose Cardoso

            For "keyboard" read "hardware". If I have physical access to your Apple computer, I can get into your porn stash. That isn't security.

            Note: I am NOT trying to claim that Redmond is doing anything better than Cupertino ...

            1. This post has been deleted by its author

    2. moronatwork
      Facepalm

      And you can't boot into Safe Mode on Windows?

      Mucking Forons are not what I consider secure in any environment.

  5. Bilgepipe
    Windows

    Windows?

    Yeah, because Windows has the whole "security" thing down pat.

    1. Anonymous Coward
      Headmaster

      Those Apples who do not learn from Microsoft's history are doomed to repeat it.

      Windows suffered from numerous auth downgrade attacks similar to this about ten years ago - NTLM could be made to fall back to lanman, NTLMv2 could be made to fall back to NTLMv1- and IIRC MS eventually fixed them by implementing schannel which IIUC is pretty much the technique being recommended here by Stamos and iSec.

      This is not the first time that Apple have recreated an old Windows security fail, and it is fascinating to watch the late-90s/early-2000s being replayed as if nothing had been learnt from them. In fact, much has; just not by Apple, which, now that Macs are receiving significant market share and enterprise usage for the first time, is stepping on every rake and walking face-first into every custard pie that previously hit MS.

      It's very lulzy to see that Jobs has feet of mud every bit as much as Gates.

  6. Anonymous Coward
    Anonymous Coward

    If you want to be secure...

    ... steer clear from computers altogether. And pens and paper. And don't talk to anyone.

    I sound like my IT department, I'm surprised they didn't take keyboards away from us yet as many problems originate from some keystrokes.

    1. BorkedAgain
      Terminator

      Classic ROTM scenario

      Historically, all security / malware cases have been traced back to human activity. Therefore the simplest solution is to eliminate all humans.

      Initiating wetware cleanse in 5... 4... 3...

      1. Richard 102
        Coat

        Remove all humans from workplaces

        Sounds like the last 20 years of taxation and economic policy from DC

        Mine's the one with Road to Serfdom in the pocket

  7. Magnus_Pym

    kerberos

    So are they saying that if authentication was kerberos only everything would be OK? Not a big fix surely.

    1. Sir Sham Cad

      Not quite

      From the 4th paragraph in:

      "Stamos and fellow iSec researchers Paul Youn, Tom Daniels, Aaron Grattafiori, and William "BJ" Orvis found it was trivial to force OS X server to resort back to Apple's insecure protocol."

      So setting the server to use Kerberos is irrelevant because you can 'sploit it back to donkey mode.

      1. Magnus_Pym

        but...

        ... if there was a fix to stop reversion all would be well in the cupertinoverse?

        1. AlexStamos

          Better, not fixed

          "... if there was a fix to stop reversion all would be well in the cupertinoverse?"

          A setting to disallow downgrade is a necessary but not sufficient step to securing against network escalation attacks against OS X. Another important step would be to implement "channel binding", which uses a cryptographic key derived by the authentication handshake to protect the integrity of the subsequent conversation. Without this protection, a MITM attacker merely relays the initial handshake and then manipulates the actual data. In some cases (like LDAP or binaries on AFP) this would allow the attack to take over the client machine.

          Our suggestion to Apple was to break compatibility in 10.8 Server with downlevel clients and to create a single wrapper protocol for all of the various services offered by OS X server. A good option would be TLS with SRP password auth, and TLS with Kerb Auth in OpenDirectory environments. These protocols (AFP, ARD, Server Admin) could then be easily tunneled over TLS as long as a reasonable multiplexing system was put in place. This would reduce the complexity of fixing these problems one by one on each protocol.

  8. Sean Baggaley 1
    Mushroom

    The problem isn't malware, then.

    It's social engineering. No platform is safe from that. People have been "hacking" other people since the dawn of time. Read Macchiavelli's "The Prince" if you don't believe me. (Or your spouse.)

    Ignorance, not operating systems, is by far the greatest security risk in any organisation.

  9. Lord Zedd
    Thumb Down

    OS X in the age of espionage malware

    That makes Windows the most secure, safe and virus free option.

    Black Hat is just scared because they know OS X could put them out of work if Apple continues to gain support.

  10. Microphage

    iSec logic fart

    "iSec's recommendation is premised on the assumption that a small percentage of employees in any large business or government organizations will be tricked into installing malicious software, no matter what platform they use"

    What rules of logic make the underlying platform less secure merely because some employee don't know not to click on YES and enter the admin password.

    1. Dave 142

      even more dumb

      their point doesn't make much sense to me as employees don't normally get admin rights on their computers anyway.

    2. AlexStamos

      Logic

      I'm not sure where the logical fallacy is, but the point here is that while we applaud Apple's efforts to increase the difficulty of exploiting client-side flaws to seed malware, our experience as well as the well-documented experience of many enterprises is that every large group has somebody that can be tricked into downloading a malicious .dmg/.msi and installing it without the need of an exploit. This is especially true in state-sponsored attacks that utilize human intelligence and professional operatives to improve their social engineering.

      If you accept our premise, then it is critical that a corporate network be designed to reduce the methods by which an attacker can hop from machine to machine or escalate to an admin account. That is the basis for our analysis and recommendations.

  11. Anonymous Coward
    Coat

    Amazing

    For once a story about security that isn't pointing it's finger at the atrocity called Windows which our employers keep foisting upon us!

  12. Anonymous Coward
    Anonymous Coward

    Bob and Sally?

    Shouldn't that be Bob and Alice?

  13. Anonymous Coward
    Joke

    Bit like...

    ...a bunch of guys in the greyest of grey suits writing off the US's credit rating, merely because they extended the overdraft a wee bit...

    ..I mean it's only $13tn dollars...

    oh wait.

  14. Joe Montana
    FAIL

    Ridiculous...

    The claim that if a single mac is compromised, then its easy to compromise them all is amusing... Not only does this require a particular configuration involving an OSX server configured to push updates to the clients... But it also seems to require exploitation of a specific bug, which i imagine Apple will be fixing in short order..

    But it's also EXTREMELY easy to compromise a windows network in the same way, get onto one system and you can grab hashes, either of the local users (how many places build from images and all the local passwords are the same), or of logged in domain users... And then you can use these password hashes to access other machines without even having to crack them!

    Get a semi competent pen test company to do an internal audit of your windows based network, give them an ethernet socket and nothing else... They will almost certainly have domain admin access before lunch.

    While issues may exist in OSX, they look like fixable bugs whereas many of the holes in windows are serious design flaws that will break all manner of things if fixed.

    Also another point, the assumption that at least one employee will fall victim to a social engineering attack and run a malicious binary... There is a simple solution to this, ensure that users don't have execute permissions for any device they can write to. Typical users have no business running anything that's not been preinstalled by the admin staff anyway.

    And finally, even assuming that macs are just as insecure as windows, their presence still improves security because it creates diversity.. Sure, they may also have serious vulnerabilities but now the hackers need to have 2 sets of tools and 2 sets of skills instead of just 1.

    1. Anonymous Coward
      FAIL

      RTFA

      "The claim that if a single mac is compromised, then its easy to compromise them all is amusing"

      The process is: one mac server (with the vulnerability built in), steal credentials, get details of all the macs served by that server. So yes, if you "compromise" the server then all those others are game.

      1. DZ-Jay

        Re: RTFA

        So what you're saying is, hacking OS X is simply done in three very easy steps:

        Step 1: Find vulnerability in OS X Server.

        Step 2: Compromise server.

        Step 3: Get all client passwords.

        Wow, that's easy indeed! I'd say it could be even easier. I bet I could even do it in one step:

        Step 1: Hack server to get all passwords in system.

        Done.

        -dZ.

        1. dogged
          FAIL

          Oh god, you still didn't read.

          No.

          1. Compromise one client Mac.

          2. OSX Server pushes updates.

          3. Compromised Mac steals credentials from stupid insecure update protocol.

          4. Compromised Mac pushes compromised updates using stolen Server credentials.

          5. All other Macs blithely accept this.

          Just stop defending Apple no matter what. Everyone is wrong sometimes.

          1. Anonymous Coward
            FAIL

            @dogged

            No-one is "defending Apple no matter what". What they are saying is that essentially iSec Partners claims are spurious and bordering FUD. Whilst this is obviously a problem, it is probably a bug that would be trivial to render correct; however iSec Partners are suggesting that it is a trivial "hack", when it isn't.

            1. AlexStamos

              Please elaborate

              Now that you've had a chance to read the slides, please let me know which of our conclusions are not accurate so that I can correct the "FUD".

            2. Matt Bryant Silver badge
              Boffin

              RE: @dogged

              "......Whilst this is obviously a problem, it is probably a bug that would be trivial to render correct; however iSec Partners are suggesting that it is a trivial "hack", when it isn't." Really? All you have to do is get one compromised client, and that wouldn't be too hard with a bit of social engineering ("You mean all I have to do is click here to guarantee myself the first iPhone5 when they are released?" - <click>). I have a friend that does security testing and he says he still finds many companies where the WiFi network is not seperated from the Ethernet LAN, no internal firewalls, which means wardrivers in the carpark just have to crack access to the WiFi to be on the main corporate netwok. So this trick could even be done with a Mac laptop over WiFi wihtout the need to actually get inside and plug into the target's LAN if you can get onto the targets WiFi network.

    2. AlexStamos

      No

      This has nothing to do with centralized patching. I'm not sure where you got this idea.

      "But it's also EXTREMELY easy to compromise a windows network in the same way, get onto one system and you can grab hashes, either of the local users (how many places build from images and all the local passwords are the same), or of logged in domain users... And then you can use these password hashes to access other machines without even having to crack them!"

      This is a significant risk on Windows networks, however, the majority of methods to escalate privilege via these types of attacks on Active Directory have been mitigated by default or can be mitigated via centralized configuration settings on Windows 2008R2 and Windows 7. You can build a Windows network with GPO that makes these attacks hard (Kerb-Only, IPSec required, IPAuth, NoLMHash, smartcard Kerb pre-auth) but it is impossible to do so with OS X. That's of little benefit to enterprises struggling with downlevel Windows servers and backwards compatibility concerns, but if you were building a new network today and were concerned about APT-like attacks, I would recommend Windows over OS X.

      OS X clients with no servers and no management would probably be the most secure configuration. Obviously that doesn't work for most enterprise IT departments.

  15. David Neil

    Quite a bit of denial and lalala going on here

    The problem is that even if the server starts with a "secure" session, it can be forced down to insecure with relative ease.

    Instead of pointing at other OS's and engaging in general whatabout'ery maybe you should acknowledge this is a major screw up?

    We all know Windows can have problems if incorrectly configured, but this article is about OSX and it's management in the enterprise.

  16. Sam Liddicott

    Hollywood

    It's because in most movies it is a mac that the bad guys manage to hack

    1. Anonymous Coward
      Anonymous Coward

      Not quite

      ..it's normally the other way round: Mac doing the hacking against non-descript PC box. Or in some films - against vasty technically superior aliens.

      Give apple their due - they certainly know product placement; just about every ad/film has one in, even if it's just background scenery. Or maybe it's 'cos the designers love 'em?

      Also see Nokia; very good at product placement too.

      1. Galidron

        Hollywood Computers

        Sometimes the even hack the system using PC hardware running a Mac OS with a DOS prompt (aka Office space). Frequently even the Mac hardware doesn't appear to be running a Mac OS. The only thing I can think of for some of the "OS"s they display is some odd Linux GUI. I'm pretty sure in real life they just have an artist make up something to overlay onto the screen.

        1. Stupidscript

          Hollywood Film

          I had a tech guy ask me once about how cinematographers were able to take film of computer monitor screens without the moire pattern (slowly sweeping horizontal lines caused by the intersection between the projection device's scanning frequency and the recording device's scanning frequency). (This was before filters became available to do this.)

          I replied that ... cinematographers did NOT shoot the monitor screens ... they shot the full frame, and then post-production filled in what ended up on the monitor using masking techniques, replacing whatever was on the screen with whatever the director/screenwriter needed.

          He was incredulous. Simply could not believe that cinematographers were not shooting actual computer activity. So I asked him ... "Do you really think that Sandra Bullock was hacking The 'Net? Or that Hugh Jackman was actually breaking into DoD systems while cameras rolled?"

          He still couldn't believe that those actors did NOT do the actual computing. Sheesh. I guess that explains the Republicans' success ...

  17. Jonathan White

    Network security

    Starts at the network, rather than the desktop. If someone walks into your organisation, plugs a computer into a wall socket and gets the same stuff everyone else does, your security is already broken, before we even ask what OS the box is running. You have properly segmented networks and you make damn sure that if an unauthorised computer pops up on your network it gets feck all access until it's somehow been validated. No update servers, no access to services, nothing. At best you get some sort of proxy which allows someone with network admin rights to validate the PC as being 'ok' from the PC and that's all.

    Anyone letting unknown kit dance around on their network as much as they like is asking for trouble.

    Jon

    1. Matt Bryant Silver badge
      Boffin

      RE: Network security

      You can turn off network ports so those vacant Ethernet sockets actually don't connect to anything, then a luser has to request a socket be activated and give a good reason why before a new system is connected. This is a major issue with company WiFi nets as they effectively give a "socket" to anyone unless you introduce MAC address access lists (and even the latter can be spoofed). But the article is not about a new device being added, it is about an existing Mac being first compromised by the luser by a bit of social engineering, then using that compromised system to mimic the server and compromise all the other Macs.

  18. Keith 21
    FAIL

    Not convinced

    So a black hat organisation which depends upon OS insecurities in order to thrive suddenly tells us MacOS X's new security features are weak and we should all avoid Macs.

    Hmmm... it couldn't be that the reason they are scared of orgs going Mac is precisely because it is now a lot more secure and the black arses can't hack it.

    It is in their interests to push people away from the more secure platforms!

    1. Anonymous Coward
      Thumb Down

      Sounds like a fanboi knee-jerk to me

      I rated this article 'pretty poor' because I thought the quality of the article was pretty poor, not because I balked at the mere suggestion that someone said something bad about macs.

  19. Anonymous Coward
    Facepalm

    What's that?

    You gave your (mac) users the admin password and where surprised when things went wrong?

  20. John Savard

    Just Fix It

    Although in general an individual Mac is more secure than an individual Windows PC, if a vulnerability that lets an attacker to revert the network from Kerberos to DHX turns multiple Macs into a house of cards, that is very serious. The thing to do is to both fix that vulnerability, and provide a tool with which to remove DHX completely from a Mac.

    It's not good enough for the Macintosh to have the potential to be a secure platform if even one flaw makes it less secure.

    However irrational this fear may be, though, some people wonder if Apple might not move someday to a closed App Store model with the Macintosh similar to that for the iPhone and its relatives. That, not security, is the greatest threat to the success of the Macintosh at the moment.

  21. SteveBalmer
    FAIL

    Fear not..

    Hardly anyone uses macs in the business world, as they are practically useless (unless your job just involves surfing the net all day).

  22. Juan Inamillion
    FAIL

    So

    "To demonstrate the threat, they developed a proof-of-concept that runs on a Mac connected to a local area network. "

    So you have to have a Mac equipped with this tool attached to the network. This is assuming the admin has been so lax as to allow users attach devices from which to copy the tool. Or. Allow someone to bring an unauthorised Mac in and connect it to the network without it showing up in the network admins screens.

    "It waits to be contacted by a machine running OS X server and then quickly copies all its authentication credentials."

    Huh? Since when do you wait for a server to contact your Mac? Or does it mean you need the credentials to log into the server first.?

    Several here have pointed out that it would be pretty lax admin to even get this far. And it assumes that the enterprise uses the now defunct OS X server to admin update. If a company uses, say, Casper, then it ain't gonna happen.

    Where I am there are 300 Macs (plus a few PC's) and these are locked down with regard to what they can and cannot run.

    More FUD from a 'security' company looking for work.

    1. Anonymous Coward
      Anonymous Coward

      Hmmm

      >More FUD from a 'security' company looking for work.

      iSec Partners is not a company that needs to look that hard for work......or given your description above, one which you could afford to hire in any case.

      >This is assuming the admin has been so lax as to allow users ....

      Dunno about this - is security your number one concern to the extent that you search your users bags and watch them all the time? The US Army did but Bradley Manning still happened.

      Personally I worry about any admin who claims their network is secure.

    2. Stupidscript

      Just Got Here, Did You?

      "Since when do you wait for a server to contact your Mac?"

      Surely you are aware of the concept of "push"? Whereby (as noted in the article and throughout history) a server "pushes" things to receptive clients? For instance, when OSX Server "pushes" updates out to the clients attached to its network?

      Surely, then, you must be capable of understanding the idea that a Mac client on a LAN is ALWAYS "waiting" for the OSX Server that acts as Master Domain Controller on that particular network to reach out and "push" software updates onto it?

      If you (a) are not aware of this concept or (b) do not understand its implications, then, sir, you should refrain from posting such drivel. Here's hoping that your AWESOME 300 Mac environment is NOT suffering under your clueless administration ...

  23. Bill Gould
    FAIL

    To be fair...

    ...people are stupid. If there's any possible way for a user to fsck up their machine, no matter the OS, they will. That extends to malware, viruses, trojans, etc being installed.

  24. Giles Jones Gold badge

    Monoculture

    So if they don't recommend lots of Macs then they think the enterprise customers are better off on Windows?

    A monoculture of computers and software is what helps viruses take down an organisation's systems.

    If OSX was so poor Google wouldn't have dumped all their Windows machines for OSX.

    1. Anonymous Coward
      Anonymous Coward

      Also...

      The lack of any realistic enterprise class servers does kind of prevent anyone running OS X in enterprise anyway.

    2. Anonymous Coward
      Anonymous Coward

      Hmm...

      I strongly suspect that the removal of Windows form Google is a lot more to do with Google's competitor OS than it is with insecurity of Windows. If Windows were really that insecure why do banks run it on ATMs? Why do big pharma and big finance run Windows desktops?

  25. Anonymous Coward
    IT Angle

    Server Security

    Forgive me if I've missed the point, but this article seems to basically amount to: 'Protect OS X Servers because if they're compromised, connected clients can be compromised.' Isn't that true of any server?

    It's almost a truism that networking introduces more potential attack vectors. A non-networked Mac is more secure, just as a non-networked Windows, Linux or BSD system is less vulnerable than a networked one. But that's no reason not to use said systems or not to network them. It just means you have to be aware of the additional security risks in doing so and take appropriate measures.

    The only possible 'news' I can see in this story is that Macs are typically seen as 'virus-free' unlike Windows systems, so end-users may get a false sense of security using one. Bob in HR might think twice before double-clicking on a binary executable on a Windows system, but might not think twice about double-clicking on a .pkg on Mac OS X. But one would hope that the admins are smart enough to know it's not as simple as 'Macs don't get viruses' and to consider their OS X Servers just as vulnerable as their Windows or BSD boxes and take the time to secure them properly.

    1. Stupidscript

      Concept

      You have, indeed, missed the point.

      This particular exploit is made possible by the nature of one the security protocols Apple gear use to exchange credentials within a LAN.

      This protocol is only in use on Apple gear, and is proprietary to them.

      When any system within a Mac-oriented LAN is compromised, the next domain controller connection made using that protocol reveals EVERY credential associated with that controller/server, allowing the compromised machine to capture and relay all of those credentials, or simply to incorporate them into whatever malicious payload is waiting on the compromised machine.

      This doesn't happen with Windows-based LANs, or with Posix (absent OSX) LANs because none of them use that protocol. Only Apple gear is susceptible.

  26. AlexStamos
    Pirate

    Let's Clear Some Things Up

    There is a lot of misunderstanding of our research here, which is understandable, since the article didn't link to our slides:

    http://www.isecpartners.com/storage/docs/presentations/iSEC_BH2011_Mac_APT.pdf

    As you can see from the slides, we used our experience responding to advanced, state-sponsored attacks to divide the attack tree into seven different generic steps that need to succeed for the attackers to "win". We examined OS X and OS X Server to see how they would hold up to each of these stages, compared to a baseline of Win2008R2 and Win 7.

    We found that Lion has caught up to Windows on anti-exploit technologies, and has included sandboxing features that make it much easier for ISVs to use privilege separation to protect their end-users. The largest problems with OS X in an enterprise context revolves around Apple's proprietary protocols, like AFP, Server Admin, Apple Remote Desktop, and especially Bounjour/mDNS. Apple offers many password-based authentication options, but in almost any circumstance you can downgrade to unsigned Diffie-Helman, which is trivially decoded by an active MITM. Even if you could force only the use of Kerberos, almost none of their protocols use channel binding to tie to subsequent communication to the initial handshake, opening OS X up to a variety of relay attacks equivalent to the NTLM relay attacks famously used by the state-hackers during Aurora.

    The network escalation step is the most important one in this scenario, since it is unreasonable to expect a network of thousands of users to never be infected via malware. Social engineering based upon human intelligence is very difficult to prevent, so it's important for an Enterprise security team to focus on preventing "Bob the HR Guy" from becoming "Sally the Domain Admin".

    We are not anti-Mac (this is being typed on a 13" MBA), but we strongly recommend that our enterprise clients not use any of Apple's server technologies at this point, especially if they believe they are playing at the same level as the Aurora and Shady RAT victims.

    Let me know if you have any questions.

    1. Anonymous Coward
      Thumb Up

      Wow. Haven't seen that for a while.

      A coherent, well thought-out piece of writing made of full sentences with punctuation I mean.

      You must be new to the intertubes.

    2. Anonymous Coward
      Thumb Down

      um

      "The largest problems with OS X in an enterprise context revolves around Apple's proprietary protocols, like AFP, Server Admin, Apple Remote Desktop, and especially Bounjour/mDNS"

      I believe Server Admin uses HTTP, Apple Remote Desktop uses VNC, and Bonjour/mDNS is an open standard that anyone can use. The protocol draft will have a very familiar name in it if you go to the IETF.

      Zeroconf/mDNS isn't remotely proprietary. Even Ubuntu uses it for service discovery. If you don't want it, you don't have to use it in any event. It's optional.

  27. JOKM
    Trollface

    YAWWWN

    MAC VS PC is sooo nineties. And the occasional 'I run my stuff on linux' squeak is almost as tired.

    Its about time people actually engaged each other productively and took all their 'great' ideas and created an OS that works.

    ....

    Oh you can't, because your all sys admins and couldn't write a kernel if your sorry little lives depended on it.

  28. CanadianISP

    Fanbois (of any OS) really need to step away from the keyboard

    Good article. I find (as usual) the fanbois - this time Mac ones, once again don't actually read the entire thing, but just see "my favourite toy is being dissed, must defend!!!" - This is typical of so many uneducated fanbois of ***all** platforms.

    Given there has yet to be a perfectly secure computer network, the very fact of a security article pointing out a flaw in a particular platform should not be met with derision or putdowns, but rather a scramble back to the readers' own networks to see if the vulnerabilities listed exist within their own demesnes.

    Of course, those who do exactly that tend not to post in response because, well, they're busy securing their networks thanks to the new information. The fanbois, of course, still have their leaky sieves on the 'net, vulnerable as always, but thinking they're still secure "just 'cuz".

    Brilliant.

  29. Gil Grissum
    Thumb Down

    Hmmmm....

    This "Avoid the Mac Platform" advice seems to hinge on use of a MacOSX server to provide OS updates for client Mac's? What if you aren't using an OSX Server and pushing out Mac OS updates from an OSX Server to your Mac user base? What if they are updating on their own from Apple Servers? That pretty much negates this entire argument and renders the author's point pretty mute, doesn't it? Who do you know who is still using an OSX Server? None are in use where I work and no malware has gotten through to any of the Macs on our network. This article is a BIG FAIL, probably written by a Microsoft Shill.

    1. AlexStamos

      No

      This has nothing to do with centralized patching.

  30. Anonymous Coward
    Holmes

    To Alex

    Quote

    Let me know if you have any questions.

    Unquote

    (If you are able to say or answer)

    Was the OS X server potential attack vector shared with Apple before going public?

    1. AlexStamos

      Yes

      All of this information was shared with Apple before going public. Per our responsible disclosure policy, we decided to not "wait for a patch" since the issue is architectural, unlikely to be fixed within the next 90 days, and can be mitigated via non-patching behaviors (such as not using AFP or OpenDirectory) if users are aware of the risk.

      We also decided not to release our attack tool, since it pretty trivially retrieves a large number of usernames and passwords on an Apple network and has no non-malicious use.

  31. Gil Grissum
    Pint

    If there is no OSX Server to connect to, what then?

    And again I ask, what if no Mac OSX Server is in use on the network? But let's go one better. Let's say that you have Macbooks that are ONLY connected to the Internet via WiFi access points but aren't logging into any domain, NOR any Mac OSX server and are therefore NOT getting updates from any Mac OSX Server? What can your tool do under those circumstances? This is a situation under which I've worked previously. The Windows PC's logged into the Domain. The Macbooks did not. Since these Macbooks weren't connected to a Domain or Mac OSX Server, it's not possible to infect or control an OSX Server and hack the network, is it?

    Seems the solution to this problem is simply to NOT have an OSX Server anywhere on your network, isn't it? It's not rocket science.

    1. AlexStamos

      That is optimal

      If you read the slides you will see that this is our recommended optimal configuration and how we personally use Macs, as "islands" on the network. No OpenDirectory, no Windows domain integration, no AFP, no screen sharing, all services off in the "Sharing" pref pane, Deny All Incoming set on the Firewall pref pane.

      It should be noted, however, that you don't need OS X Server to run afoul of authentication downgrade issues. The AFP and "Share Screen" functions in OS X client use the same protocols and can be used to retrieve credentials. If you HAVE to use network file mounts, I would recommend an SMB share on a NAS that uses different credentials than your real user. This will prevent OS X from automatically attempting to authenticate using your user credentials, and NTLMv2* is harder to crack than DHX. If you want to remotely manage machines, use SSH with RSA keys.

      Running completely disconnected, I would judge OS 10.7 slightly safer to use than Windows 7 x64.

      1. dr2chase

        Which is to say, to increase security, do the following:

        Apple logo -> System preferences -> Sharing

        By default, uncheck all but "Remote login".

        ALWAYS, uncheck "File Sharing" and "Screen sharing".

        Do I have that right?

        1. AlexStamos

          That's a good plan.........................................

          Yes.

          Make sure to set up an authorized_keys file and disable password authentication in the SSH configuration.

  32. Gil Grissum
    Pint

    Understood

    Then we are thinking along the same lines, Mr. Stamos.

    And to the offer, I retract my statement in the thinking that you could be a "Microsoft Shill". I'm quite satisfied based on our e-mail conversation, that you are not a "Microsoft Shill". My statement was not meant to be a personal attack of any kind, however we often find articles for or against both Microsoft and Apple technologies that may give the appearance that a Shill is at work. In your case, I stand corrected and since I made a public statement that has been proven inaccurate, I retract that statement (You're not a Microsoft Shill).

    I trust said retraction meets with your approve, mate?

    1. AlexStamos

      I do approve

      I have a feeling we have elevated the conversation well above the normal level here. Perhaps next we can attempt a serious conversation on 4chan?

  33. ronabop

    BEWARE OF BAD HEADLINES, SECURITY CONSULTANTS SAY

    Kind of sad that said consultants had to correct the article headline, and content.

  34. Anonymous Coward
    Joke

    Does not compute.

    I am disgusted to find that this thread has descended into a sensible and grown-up discussion. This is not the behaviour I expect on El Reg and demand something be done or I shall be written to the Daily Mail!

  35. Anonymous Coward
    Paris Hilton

    Polite applause

    Polite applause

  36. RHoltslander
    Meh

    I'm not surprised

    Not too surprising. Mac is an incredibly unpopular enterprise computer so they haven't had to deal with it too much. I'm sure if they become a popular enterprise machine they'll do something about it.

  37. Anonymous Coward
    Thumb Down

    propriewhaaaaa

    "The largest problems with OS X in an enterprise context revolves around Apple's proprietary protocols, like AFP, Server Admin, Apple Remote Desktop, and especially Bounjour/mDNS"

    I believe Server Admin uses HTTP, Apple Remote Desktop uses SSH and VNC, and Bonjour/mDNS is an open standard that anyone can use. The protocol draft will have a very familiar name in it if you go to the IETF.

    Zeroconf/mDNS isn't remotely proprietary. Even Ubuntu uses it for service discovery. If you don't want it, you don't have to use it in any event. It's optional.

This topic is closed for new posts.

Other stories you might like