Macs More Vulnerable Than Windows For Enterprise
sl4shd0rk writes "At a Black Hat security conference in Las Vegas, researchers presented exploits on Apple's DHX authentication scheme which can compromise all connected Macs on the LAN within minutes. 'If we go into an enterprise with a Mac and run this tool we will have dozens or hundreds of passwords in minutes,' Stamos said. Macs are fine as long as you run them as little islands, but once you hook them up to each other, they become much less secure."
Easy fix, for lazy administrators (Score:5, Informative)
defaults write com.apple.AppleShareClient afp_cleartext_allow -bool NO
There, that wasn't so hard, was it? Oh, and their hack only works if the server is on the same subnet as the other machines, which is a really bad idea for secure networks to begin with.
To be sure, keeping Diffie-Hellman around in an era when sending plaintext passwords is anathema was pretty stupid, but you can bet that it'll be dead and gone in 10.7.1. This hack is not nearly as scary or as "persistent" as all that, and conveniently their paper isn't available for download and perusal. Looks like they just wanted their names in the news.
Next up, these same hackers break DES and show you how to infiltrate BSD 3! What will they think of next?
Re:All computers are less secure (Score:5, Informative)
You might want to go read the actual presentation.
It starts out with an exploit called Aurora, which compromises AD.
Whoops.
Re:All computers are less secure (Score:5, Informative)
And the Mac exploit STILL REQUIRES AN ADMIN PASSWORD. Which is not typically given to users in a corporate setting - at least by sane sysadmins.
Re:And? (Score:4, Informative)
But anyway, back to the topic at hand... uh, where the hell do you work? I work in a very Windows-heavy environment, and every time we add any Windows boxen to the domain, the domain admins get automatic admin rights. There's nothing we can do to stop it. This is a 10,000+ workstation university, though, so at least they're distant and maybe (only maybe) competent enough to not abuse it.
Re:All computers are less secure (Score:5, Informative)
This would be easier if the story linked to the real presentation [isecpartners.com].
Yes, Apple services generally support Kerberos as an authentication scheme. The problem is that it's almost always possible to downgrade from Kerberos to unsigned Diffie-Hellman and retrieve the plaintext password trivially. This requires an active MITM attack on the network. Traditional ways attackers have done this include ARP spoofing, DHCP spoofing and DNS poisoning attacks. Our talk also discussed a Mac-specific MITM which uses Bonjour to temporarily take over the identity of OS X servers and relay or downgrade authentication.
Even if OS X allowed itself to be limited to Kerberos auth (and it doesn't), most Apple protocols do not perform channel binding, meaning there is no cryptographic integrity protection tied to the initial handshake. This allows an attacker to relay the Kerberos handshake and then modify the resultant communication, which can be disastrous if the communication is security critical, such as LDAP or an AFP-mounted home directory.
A competently administered Mac network, with proper encryption, privileged separation, threat training, etc. should be no more vulnerable than any other
That is incorrect. Our research has shown that it is currently impossible to secure a network using OS X services. The only secure Mac network is one that runs the machines as separate "islands" without directory services, file sharing, or remote server administration. There are a lot of insecure Windows networks, due to the use of downlevel versions as well as configuration mistakes, but in theory you can build a new Windows 2008R2/7 Active Directory network that is hardened against network privilege escalation using GPO (KerbOnly, NoLMHash, RPC privacy/integrity, AD integrated IPSec, smartcard auth, etc...)
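The channel-binding point made in the comment above, as an added example that is not part of the original thread or the presenters' material: a simplified Python model (not Kerberos or AFP; every name in it is hypothetical) in which a proof of a shared session key is accepted by the server even when it crossed two separate connections, unless the proof also covers a hash of the connection's own key-exchange values.

```python
import hashlib
import hmac
import os

def channel_id(initiator_pub: bytes, responder_pub: bytes) -> bytes:
    """Hash of the key-exchange values one endpoint saw on its own connection."""
    return hashlib.sha256(initiator_pub + responder_pub).digest()

def make_proof(session_key: bytes, nonce: bytes, binding: bytes = b"") -> bytes:
    """Proof of holding the session key, optionally bound to a channel id."""
    return hmac.new(session_key, nonce + binding, hashlib.sha256).digest()

def server_accepts(relayed: bool, bind: bool) -> bool:
    """Model one login; return True if the server accepts the client's proof."""
    # Constructed sample values. The session key stands in for a secret that
    # client and server share through the authentication service (assumption).
    session_key = os.urandom(32)
    nonce = os.urandom(16)
    client_pub, server_pub, mid_a, mid_b = (os.urandom(32) for _ in range(4))

    if relayed:
        # Two separate connections: client<->middle and middle<->server,
        # so each endpoint saw different key-exchange values.
        client_view = channel_id(client_pub, mid_a)
        server_view = channel_id(mid_b, server_pub)
    else:
        # One end-to-end connection: both endpoints saw the same values.
        client_view = server_view = channel_id(client_pub, server_pub)

    proof = make_proof(session_key, nonce, client_view if bind else b"")
    expected = make_proof(session_key, nonce, server_view if bind else b"")
    return hmac.compare_digest(proof, expected)

if __name__ == "__main__":
    for relayed in (False, True):
        for bind in (False, True):
            result = server_accepts(relayed, bind)
            print(f"relayed={relayed} bind={bind} accepted={result}")
```

Only the relayed-and-bound case is rejected: without the binding, the server cannot tell a direct login from one that passed through a second connection.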