“At the recent ShmooCon hacking conference, an unknown hacker took control of [a] researcher’s computer, disabling the firewall and starting up a file server. While such compromises have become common in the Windows world, this time the computer was an Apple PowerBook running the latest version of Mac OS X. The compromise underscores a number of trends that have already caused a shift in focus among flaw finders and could result in more attacks on Mac OS X. “This is almost certainly the year of the OS X exploit,” said Jay Beale, an expert in hardening Linux and Mac OS X systems. “The OS X platform may be based on a Unix platform, but Apple seems to be making mistakes that Unix made, and corrected, long ago.”
After reading the article, I could have made this claim and got away with it for publicity. It would be nice for them to explain the procedure used to gain access to this Powerbook, or even explain the flaw. Can anyone take this seriously?
I think the example was just that– an example. Whether or not it really happened (I’m not doubting that actually) is irrelevant. It was used as an illustrative introduction.
The rest of the article brought forward some pretty strong arguments as to why OSX might get attacked more often in the coming years. The fact that the article explained thoroughly to take the vuln. numbers with a grain of salt also speaks for it.
Edited 2006-02-08 18:53
“I think the example was just that– an example. Whether or not it really happened (I’m not doubting that actually) is irrelevant. It was used as an illustrative introduction.”
Whether or not it happened is quite relevant when the “hook” of this story is that it DID happen!
The only thing that makes this story different from a whole bunch of “it could happen” stories about OSX insecurity is that this one claims it DID happen. So it is entirely relevant.
The difference between reports and urban legends is names, dates, and documentation, you know, proof.
How was this done? What was the vulnerability and how was it exploited?
Without these details it cannot be taken seriously.
Keep It Simple, Stupid
I’m willing to bet that this guy’s Powerbook was owned not through some complex/unrevealed exploit, but rather probably quite simply. Hell, I had my Windows system owned by some friends at a LAN party, and I couldn’t figure out how they had done it — until I realized that I took a 30-second bathroom break at one point and didn’t bother locking the desktop.
All it takes is one minute and a seasoned OS X user with healthy UNIX experience to own an unlocked Mac, or prepare it for remote ownage.
Could you explain how one can own an OSX box with only normal user access? A locked down box doesn’t just let you disable the firewall.
System Preferences –> Sharing –> Firewall –> Stop
That’s how. I belong to the Admin group. This is the default on OS X for all accounts created during setup. Obviously the security researcher in question is the lone user of the Powerbook, and the safe assumption is that he’s running as an Admin.
(For the uneducated, OS X Admin != Windows Admin)
Easy: the box wasn’t actually locked down as well as the user thought. If he left his system settings unlocked, which is very easy to do, then it’s relatively simple.
I talked my brother through how to lock down his OS X box so that it required a password to do anything. But when I saw him at Christmas, the only setting I forgot to tell him about was to turn on the lock for system settings at the bottom. I couldn’t log into his machine, but once it was on I could change anything quickly. Yes, I told him how to fix that as well.
More than likely though this security researcher had SSH enabled, with a password that was either easily brute forced, or someone was looking over his shoulder one time while he typed it in. I have had both done to my linux boxes. They weren’t cracked through exploits but hacked through poor choice of passwords.
So the article was really another plug to say the same thing many other outfits are saying, ‘OS X might get attacked’? Nobody can draw anything from this. Bring some credibility to the table and actually break into an OS X box this way, then I’ll listen.
Really, what is the point of this? Now, I’m understanding a little more of why Apple declines to comment. Because, what would they comment on actually?
Thanks for posting the weekly Macs Are Actually Less Secure Than All Other Computers And They Will Meet Their Doom Soon article. Was anything said in this article that hasn’t been regurgitated a thousand times in the past year by every self-proclaimed security expert under the sun? The answer is no. It gave us the same old crap: Macs are getting more popular, and Macs are moving to x86. And it took two pages to say it!
If you’re going to claim Apple is making the same mistakes that UNIX made and corrected years ago, at least provide one (one!) example.
I’m with you. The quote that “Apple seems to be making mistakes that Unix made, and corrected, long ago.” is what drew me into the article, but there was nothing there! What mistakes? Not checking your code for buffer overflows? Something else? No, it was just drivel that Apple’s code isn’t perfect and someday, somebody’s going to write a virus/worm and then you’re all in trouble!
It’s so disappointing to read an article that promises so much but delivers nothing. What a waste.
The quote that “Apple seems to be making mistakes that Unix made, and corrected, long ago.” is what drew me into the article, but there was nothing there! What mistakes? Not checking your code for buffer overflows? Something else?
Read this article (“Ancient flaws leave OS X vulnerable”):
http://www.zdnet.com.au/news/security/soa/Ancient_flaws_leave_OS_X_…
Apple is patching security holes today that were fixed on other forms of UNIX a decade ago. Quite obviously, there are issues with its engineering practices. Get it?
The reason Thom is right, and the reason the article is right, is revealed in the chorus of disapproval. These people are not attacking Apple. But the reaction of the posters is one of complacent rage, if one can put it so paradoxically, at anything which can, however remotely, be construed as critical. And this is why it will happen.
Security is not just in the product, it’s in the culture. The product has a couple of big advantages, no administrative sign-on being the biggest. But the culture has a huge negative: complacency, and fury towards even well-wishers offering advice to be cautious.
I wasn’t sure till I read the responses, but I am now. It will happen. And it will happen because of the culture. It’s different from the Windows culture, but it’s equally disastrous from a security point of view.
And it’s quite unlike the Linux culture, which is why I don’t think it will happen to Linux.
I wouldn’t be so sure about Linux either.
Every OS camp has its fanboys that go into a rage when you attack it.
I don’t think you were being honest when you said that the OS X culture is unlike the Linux culture. Seriously now, friend, are you trying to tell me that Linux users don’t also have a smug attitude about the inherent security of their platform? How many forums must you visit in order to see “Well, I run Linux, so I don’t have to worry about viruses or worms”?
The answer is one. This is *no different* than the OS X culture.
Both are deeply flawed.
“How many forums must you visit in order to see “Well, I run Linux, so I don’t have to worry about viruses or worms”? ”
It’s a fair point. And maybe quite a few of us have, without really meaning to, led our users to feel that way.
It’s a fair point. And maybe quite a few of us have, without really meaning to, led our users to feel that way.
Exactly what I was saying in my column last Sunday– which got flamed into oblivion for stating this obvious fact.
Yeah, I was with you on that one too. 🙁 I didn’t bother saying anything, because there’s no getting through to some of the religious OS fanatics.
How many forums must you visit in order to see “Well, I run Linux, so I don’t have to worry about viruses or worms”?
But it’s true, though. Even though there is a theoretical risk of malware infection, in the real world there are NO Linux viruses in the wild. So while technically Linux isn’t immune to viruses, in reality someone can run Linux without having to worry about malware.
When the situation changes, perhaps you’ll have a point. Right now, in the real world, you don’t.
Well the same is true for OS X users, then. Obviously people situated in the real world know that OS X viruses/malware/exploits are coming sooner or later, so why can’t you see the same thing about Linux?
The same fallacious conclusion can be drawn about OS X:
“But it’s true, though. Even though there is a theoretical risk of malware infection, in the real world there are NO OS X viruses in the wild. So while technically OS X isn’t immune to viruses, in reality someone can run OS X without having to worry about malware.”
Do you not see that this attitude is *exactly* the attitude that these articles talk about? Cheaply defending Linux with poor logic isn’t going to work here, champ.
Do you not see that this attitude is *exactly* the attitude that these articles talk about? Cheaply defending Linux with poor logic isn’t going to work here, champ.
First, I’ve been around this site a lot longer than you.
Next, you obviously missed the point I was trying to make.
You’re saying that a theoretical risk exists. I agree with you, however I also point out the fact that, right now, there are no Linux viruses in the wild. None.
So while there is a theoretical threat, there is no actual threat. To make a real-world-events analogy, this is akin to saying that the US was right to invade Iraq because there possibly could have been a WMD threat, even though there wasn’t any actual threat (as was stated by the UN inspectors).
My attitude is not one of zealousness, but one of pragmatism. Malware may one day be a problem for Linux/OS X, but right now it isn’t. In other words, Linux/OS X is safer (with regards to malware) than Windows RIGHT NOW, and one is quite justified in saying that Linux and OS X are not at risk from malware right now.
Instead of calling this “poor logic”, why don’t you try to demonstrate how my argument is fallacious?
Your argument makes sense, and sounds reasonable at first glance. But at second glance, what you’re saying is akin to “I’ve never had a car accident, so in reality, I can drive a car and not worry about car accidents.”
That’s simply not true. The argument is presented in such a way that makes it seem like running Linux/OS X automatically prevents you from malware. Again, that’s just not true.
The whole point of these articles is to illustrate that blind faith/devotion in the “inherent security” of the two OSes is damningly incorrect, and will bite you in the ass. Yes, right now there is nothing to worry about (for the most part), but that has no impact on the future, nor does it have any impact on the actions of the user.
Your argument makes sense, and sounds reasonable at first glance.
That’s because it is.
But at second glance, what you’re saying is akin to “I’ve never had a car accident, so in reality, I can drive a car and not worry about car accidents.”
That’s not akin to what I’m saying at all. I’m saying that, until there are sightings of Linux malware “in the wild” that are credible enough to cause concern, then in fact there’s little reason to be concerned. As usual, it’s good practice to follow security bulletins (because, even though malware isn’t a problem for Linux, there are still software vulnerabilities to take care of).
Again, I’m not saying that running Linux/OS X prevents you from getting malware. What I’m saying is that there is no malware for Linux/OS X as of yet. Until there is, there’s no reason to worry. When (and if) there is, then we’ll take the appropriate steps to protect our boxen.
Note that I added “and if”, because the *nix security model is in fact better at preventing virus propagation, and thus will always make *nix viruses less “interesting” to write. To recap, the main elements of this model are:
1) no file becomes executable simply by giving it the appropriate extension
2) a more varied OS/App ecosystem (monoculture is BAD)
3) a strong normal user/root user separation
4) generally more computer-savvy users
How will the user know when malware finally starts propagating for his/her OS? Will a nice little box show up that says “WARNING! THERE IS NOW MALWARE FOR OS X/LINUX! PLEASE SMARTEN UP FROM NOW ON!”?
No.
You should be consciously aware of malware for *all* platforms *all* the time. Complacency is not security.
How will the user know when malware finally starts propagating for his/her OS? [Shouting deleted]
He’ll know about it pretty quickly, because such big news (i.e. a Linux virus epidemic) will be all over the computer security/anti-virus sites, as well as here, on Slashdot, on Digg, etc.
But the fact is that, even if the user did want to prepare in advance, if the virus has yet to be identified then no anti-virus would help against it anyway.
You should be consciously aware of malware for *all* platforms *all* the time.
How can you be aware of something that doesn’t exist yet?
Don’t worry, when a Linux/OS X virus starts spreading, we’ll hear about it. It’s not clear yet how such a virus could successfully spread, though.
Complacency is not security.
Neither is focusing on threats that don’t actually exist yet.
Edited 2006-02-09 01:44
Hehe, okay. You take your complacency, I’ll take my awareness.
Remember, awareness starts early. Teach users that they don’t have to worry, and they won’t — ever. Tell them that right now there are no threats, but that they should always be smart when using their computers, and everyone will be happier.
Complacency? I get security advisories delivered in my inbox daily. My systems are up-to-date and patched.
You’ve completely ignored my argument that, when Linux viruses start to appear, EVERYONE will hear about it one way or the other.
Teach users that they don’t have to worry, and they won’t — ever.
Yeah, because users are freakin’ robots, right?
Tell them that right now there are no threats, but that they should always be smart when using their computers, and everyone will be happier.
In other words, EXACTLY what I’ve been saying. You should have just agreed with me the first time I said it, we’d both have saved some time.
Now, if you’ll excuse me, I have to go repair a friend’s Windows PC whose performance has dramatically decreased, probably because of spyware, adware or other malware.
See, that’s the reality. There is a malware problem for Windows PCs. There isn’t for Linux/OS X PCs. The rest belongs to the realm of hypothesis and suppositions.
I give up, simply because I don’t know how else I can explain the idea.
Telling your users that they don’t need to worry is complacent. Since most users don’t read tech sites, well … it’s only a matter of time until the whole scheme comes toppling down.
Telling your users that they don’t need to worry is complacent. Since most users don’t read tech sites, well … it’s only a matter of time until the whole scheme comes toppling down.
Your logic is flawed. If I’m in communication with users, as you imply (i.e. “Telling your users…”), then of course I would warn them of Linux viruses when those would appear. If, on the other hand, I don’t, then I can’t really warn anyone, now, can I.
BTW, Linux users are very likely to consult tech sites once in a while, or at the very least go to community forums (like the Ubuntu forums). They would get their info there.
So, yeah, if the improbable Linux virus epidemic ever happens(and you have failed to provide a likely scenario for such an event), then users will learn about it. Until then, needlessly crying wolf over non-existent Linux viruses is likely to do more harm than good.
Excellent post, alcibiades. Totally agree. Assuming that Macs gain market share, attackers are going to take notice and exploit their users’ complacency. It’s staggering to me how people can completely disavow the possibility of being attacked.
“And its quite unlike the Linux culture, which is why I don’t think it will happen to Linux.”
It would seem many Linux users also suffer from the “it can’t happen here” syndrome, at least if you judge from recent threads here on osnews.
“And its quite unlike the Linux culture, which is why I don’t think it will happen to Linux.”
I don’t think so. A lot of Linux users think they are not vulnerable just because they run linux.
“Apple seems to be making mistakes that Unix made, and corrected, long ago.”
And you said they are not attacking Apple ….
A lot of Linux users think they are not vulnerable just because they run linux.
That would be the noobies who haven’t had the rites of passage yet. (rm -rf, faulty kernel-compiling, e.g. root filesystem as module and no initrd, shutting down the system and forcing it with -f).
There is one thing in the GNU/Linux community that is different from other OS communities. If you screw your computer up, you are the sole person to blame. It’s not the developers, it’s not the software, it’s your own stupid ignorance. Tough luck, get back on the horse and learn some more.
It’s elitist, but it keeps most from setting that Free-Charlize-Theron-Pr0n in the e-mail as executable.
Write security-focus/the author/or the sources and ask them your questions. I too would like to know what types of forensics were used, did the person dump out the kernel memory to check for rootkits? Also I would like to see more discussion on how Apple is lagging on security. What’s the average delay time between vuln discovery and a patch? Or is it just because Apple advertises security, but doesn’t educate their users? I hope security-focus publishes a follow-up article.
When something reaches security-focus it usually has some weight (judging from past articles), and is not another poorly reasoned editorial inferring that failure to use GPLv3 will result in the apocalypse.
I’ve always felt the comments that Macs are secure through obscurity is/was dogma. With their market share growing it only makes sense that they’ll become more of a target. This is true for any OS. Growing pains..
There is some truth that the relative obscurity of MacOS provided some degree of security, but not necessarily from secure coding.
Many other OS’s have been doing a lot more over the Internet (Win/BSD/Linux/Solaris/etc) for years and have gained and learned a lot more in this area from exploits and seemingly bad press. 100% security (perfection) is impossible. The way I hear many Mac fans talk, it is practically infallible. That is a huge security risk right there – complacency.
Edited 2006-02-08 20:27
100% security (perfection) is impossible. The way I hear many Mac fans talk, it is practically infallible. That is a huge security risk right there – complacency.
Good take. At the risk of being totally cliché here, there is a phrase that always comes to my mind when reading on this topic: “Pride before the fall.” Again, not saying the fall is inevitable, just that it doesn’t seem unlikely.
This reminds me very much of firefox a year or two ago. It was gaining popularity but still hadn’t really gained a large base and there were very few security holes known. A couple of security researchers recommended it as a secure alternative to IE and suddenly it became a marketing ploy. There was the whole firefox as a condom for the web thing and whatnot. The userbase continued to grow and as it did, lots of vulnerabilities started to pop up. Now it’s to the point that I don’t think that anyone believes that firefox will save you from all harm and while you can still argue about whether it’s much better than IE (due to its still-smaller userbase?) the point is: you’re not safe.
OS X has been seeing a similar rise in popularity, albeit stretched over a longer period of time. Most of the talk about how it’s so secure is driven firmly by apple’s own marketing tactics, but it’s pissed off enough security researchers and the platform has enough users (I’m a relatively recent convert myself) that it is now going to attract much more attention, decreasing the ‘obscurity’ factor, if you will. I think the recent rash of articles claiming that it’s a leaky sieve are proof of that trend.
Now it wouldn’t surprise me if the same thing happens to os x that happened to firefox: exploits will start appearing and people will realize that their beliefs were somewhat unfounded. In the end, you may still be better off with a mac than windows, but switching over won’t suddenly be the solution to all your security woes.
People in this thread have raised a decent point though: nothing has really been substantiated yet. It’s entirely possible that all this time, while nobody was watching them, apple wasn’t lazy about security. Maybe they’ve been doing extensive audits and analyses on their own and don’t have much to worry about. The wave of scrutiny is coming one way or another but maybe they’ll stand up to it. I personally really hope it turns out this way as it will set a good example for the industry in general.
I won’t put money on either outcome, but I find it hard to believe that any product could be as perfect as apple marketing makes os x out to be.
Is there an article like this from a reputable source? I refuse to click a link to the register, they’re just makin’ money off big false stories and I’m not going to add to their ad revenue.
Is there an article like this from a reputable source? I refuse to click a link to the register, they’re just makin’ money off big false stories and I’m not going to add to their ad revenue.
This article on El Reg is a reprint of the same article of SecurityFocus [1].
Does that help?
[1] http://www.securityfocus.com/news/11375
1/ Security researchers, especially unnamed, have a vested interest in highlighting security issues….
2/ OSX might be getting a market share big enough for them to start paying attention…
Whilst there are vulnerabilities with OSX like with any other OS, I’d rather read a security bulletin than read about an unexplained attack on an unnamed researcher’s laptop.
1/ by email : most *nix users know mostly people who use windows so the virus would have a hard time spreading geometrically or it would have to be a Windows virus. On a linux box, it has to find which email client you use, that could be thunderbird, kmail, evolution, mutt. Mac users are likely to be more predictable.
2/ by a web vulnerability : same thing, the thing would have to scour the web to find the 4% of users who run these systems. Or manage to replace a picture on an Apple related site exactly when a jpeg vulnerability is unpatched. Note that viruses don’t have a 100% infection rate, even on Windows. Some machines are patched, others will spam filter it, Linux machines in particular might not even have the same vulnerable binary installed to get execution privilege…. So in epidemiologic terms, they will have a hard job…
3/ on *nix types of systems, there is no way to make a file executable by just adding exe at the end. You have to chmod them. So newbies won’t even manage to start the most common and simple type of virus, the social engineering type. The other small group driven by curiosity will probably do : su – sandbox; before launching the thing…
4/ I have not read anywhere anything convincing on an effective way for *nix viruses to spread, except the supposed complacency of their users…. Say “firewall” in a Mac or Linux audience, and people are quite likely to know what you are talking about. These are people who took the decision not to use Windows.
Most of my Windows using acquaintances know the sound of the word and that it’s something on their computers but they don’t know what it is. Should I add that they are not entirely convinced about paying €60 per year for an anti virus whereas there is clearly a scope ?
It’ll be a long time before *nix viruses do even make sense.
Now, worms exploiting flaws in LAMP webapps have already had some success, but the demographic is a lot more favorable on the net and the outcome a lot more interesting …
my 2 cents.
Edited 2006-02-08 23:08
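Two posters above (the “main elements of this model” list and point 3/ of the comment just ending) make the same claim: on a Unix-like system a file does not become executable by being renamed to .exe, only by having its execute mode bit set with chmod. The script below is an added example written for this page, not code from any poster or from the article; it builds a throwaway script in a temporary directory (all file names are constructed) and reports the executable state after creation, after renaming to .exe, and after chmod u+x, along with the exit status of trying to run the file directly at each step.

```shell
#!/bin/sh
# Added example: the execute permission on Unix is a mode bit, not a
# property of the file-name extension. Everything here is constructed
# in a temporary directory and removed again.

# Prints "yes" if $1 is executable for the current user, else "no".
exec_state() {
    if [ -x "$1" ]; then echo yes; else echo no; fi
}

# Prints the exit status of running $1 directly. A file that exists
# but lacks execute permission yields status 126 (POSIX "found but not
# executable"); the "|| rc=$?" keeps a failing run from aborting the
# script when it is used under "set -e".
direct_run_status() {
    rc=0
    "$1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Creates the file, renames it to .exe, then sets u+x, and prints the
# exec_state at each step as one line: "<created> <renamed> <chmod>".
demo_exec_bit() {
    d=$(mktemp -d)
    f="$d/script"
    printf '#!/bin/sh\necho hello\n' > "$f"   # new file: no x bit from umask
    s1=$(exec_state "$f")
    mv "$f" "$f.exe"                         # renaming changes no mode bits
    s2=$(exec_state "$f.exe")
    chmod u+x "$f.exe"                       # the mode bit is what matters
    s3=$(exec_state "$f.exe")
    rm -rf "$d"
    echo "$s1 $s2 $s3"
}

# Same three steps, but prints the exit status of a direct run instead:
# "<created> <renamed> <chmod>"; the first two are 126, the last 0.
demo_direct_run() {
    d=$(mktemp -d)
    f="$d/script"
    printf '#!/bin/sh\necho hello\n' > "$f"
    r1=$(direct_run_status "$f")
    mv "$f" "$f.exe"
    r2=$(direct_run_status "$f.exe")
    chmod u+x "$f.exe"
    r3=$(direct_run_status "$f.exe")
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

demo_exec_bit      # prints: no no yes
demo_direct_run    # prints: 126 126 0
```

The exec_state line is the whole point of the posters’ argument: the name change in the middle step is invisible to the kernel’s permission check. The caveat a defender should keep in mind is that the x bit only gates direct execution; a user who passes the same file to an interpreter by hand (sh script.exe) runs it regardless, which is why the social-engineering path the comment describes is harder on Unix but not closed.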
If you are the 1337 h4x0r who r0073d this guy’s box, prove it! Post the exploit you gutless freak. Otherwise this is just more self-aggrandising FUD from so called “security experts” trying to make a name for themselves. More than likely this dumbass walked away from his Mac and some dork screwed with it. All it proves is that this “expert” is too stupid to use a Mac.
I actually “wrote” a program once that used two vulnerabilities in the linux kernel to spread and get root… about 80% of the code was copied and pasted from the original proof of concept exploits… my program itself was basically just a proof of concept, but if I released the code, it would have been trivial for someone to change it so that it would download and install a rootkit instead of just adding a comment to the end of /etc/passwd…
Those particular exploits were fixed within a few days of being discovered, but there are probably still some machines running vulnerable versions of linux on the web (especially embedded devices, which are usually never upgraded)…