Macs in Enterprise; "Steer clear" says Black Hat

[TheSideshow]

http://www.theregister.co.uk/2011/08/08/mac_security_risk/

Black Hat Apple may have built its most secure Mac operating system yet, but a prominent security consultancy is advising enterprise clients to steer clear of adopting large numbers of the machines.

At a talk last week at the Black Hat security conference in Las Vegas, researchers from iSec Partners said large fleets of Macs are in many ways more vulnerable than recent versions of Windows to so-called APTs. Short for advanced persistent threats, APTs are usually the work of state-sponsored hackers who go to great lengths to infiltrate government and corporate networks with malware that steals classified information and proprietary data.

iSec's recommendation is premised on the assumption that a small percentage of employees in any large business or government organizations will be tricked into installing malicious software, no matter what platform they use. The problem with Macs stems from the OS X server that administrators use to push updates to large numbers of machines. The server's authentication routine is “inherently insecure,” making it trivial for a single infected OS X computer to compromise others, said iSec CTO Alex Stamos.

“With a large enterprise, you have to assume that people are going to get tricked into installing malware,” he told The Reg. “You can't assume that you'll never have malware somewhere in a network. You have to focus on parts where a bad guy goes from owning Bob the HR employee to become Sally the domain admin.”

 

[*LTD*]

More details:

http://www.zdnet.com/blog/igeneration/black-hat-macs-in-the-enterprise-steer-clear/12075

http://www.theregister.co.uk/2011/08/08/mac_security_risk/

As per The Register’s report, iSec bases this on the assumption that a small percentage of users in any business, organisation or government department could be duped into installing malware — regardless of the operating system they use.

Macs running Apple’s flagship operating system, however, are more vulnerable due to Mac OS X Server that port updates to its machines. Authentication used by the server is “inherently insecure”, making the infection rate far more likely.

While Mac OS X Server uses Kerberos authentication, it uses a backup authentication method — which is easy to override. While Macs alone are good at defending themselves, “once you install OS X Server you’re toast”.

Remember Google and China?

Two years ago, while Windows machines were taken over by an exploitation unpatched at the time, in a massive hacking attack with an alleged China to be behind it, Macs may not have been a better defence.

The proof of concept run was able to collect and copy all the authentication credentials, which then contacts other Macs on the network pretending to be the stolen administrator account, to further collect valuable corporate or governmental data.

Now, granted this could be used against governments and major technology organisations, defence contractors and specialists working in their field.

But universities encompass all of the above — with academics working with government on policy, defence issues and sensitive matters of state.

 

[Moribund]

http://apple.slashdot.org/comments.pl?sid=2371366&cid=37033830

I am the researcher quoted in the article.

This would be easier if the story linked to the real presentation.

Yes, Apple services generally support Kerberos as an authentication scheme. The problem is that it's almost always possible to downgrade from Kerberos to unsigned Diffie-Hellman and retrieve the plaintext password trivially. This requires an active MITM attack on the network. Traditional ways attackers have done this include ARP spoofing, DHCP spoofing and DNS poisoning attacks. Our talk also discussed a Mac-specific MITM which uses Bonjour to temporarily take over the identity of OS X servers and relay or downgrade authentication.

Even if OS X allowed itself to be limited to Kerberos auth (and it doesn't) most Apple protocols do not perform channel binding, meaning there is no cryptographic integrity protection tied to the initial handshake. This allows an attacker to relay the Kerberos handshake and then modify the resultant communication, which can be disastrous if the communication is security critical, such as LDAP or an AFP mounted home directory.

A competently administered Mac network, with proper encryption, privileged separation, threat training , etc should be no more vulnerable than any other

That is incorrect. Our research has shown that it is currently impossible to secure a network using OS X services. The only secure Mac network is one that runs the machines as separate "islands" without directory services, file sharing, or remote server administration. There are a lot of insecure Windows networks, due to the use of downlevel versions as well as configuration mistakes, but in theory you can build a new Windows 2008R2/7 Active Directory network that is hardened against network privilege escalation using GPO (KerbOnly, NoLMHash, RPC privacy/integrity, AD integrated IPSec, smartcard auth, etc...)

 

[Bernard SG]

Good grief...
It's not like Apple ever presented OS X Server as a solution for huge and/or peculiarly sensitive organizations that would be subjected to the kind of risk that is described.

 

[maflynn]

Good grief...
It's not like Apple ever presented OS X Server as a solution for huge and/or peculiarly sensitive organizations that would be subjected to the kind of risk that is described.

The organization does not have to be "huge" or sensitive to have a risk. Clearly OSX's security is insufficient in this area and just saying its not needed for the type of customers OSX caters too is a bit foolish.

 

[Lennyvalentin]

Good grief...
It's not like Apple ever presented OS X Server as a solution for huge and/or peculiarly sensitive organizations

So what if they did or not?

Surely there's not a problem telling people there's security issues with OSX? Having information is never a bad thing you know.