Post by: gunug on September 26, 2011, 08:36:15 AM
QUOTE
“So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user … or at least it should be,” wrote Dunstan in his post. “It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data.”
http://delimiter.com.au/2011/09/26/aussie-...lion-passwords/
http://delimiter.com.au/2011/09/26/aussie-...lion-passwords/
Post by: Xairbusdriver on September 26, 2011, 09:54:39 AM
As I understand "hashing," and I haven't even looked up anything about it, the text to be encrypted is run through a bit of code that 'simply' converts each character and/or groups of characters into another character and or/group. The code may use bits of code so that it knows how to reverse the process and that may be stored in a different place, which adds a bit more security.
So, IMHO, this specialist hasn't "broken" any passwords, he's merely found the file that contains the password hash data. Most importantly, he has found that Lion (and maybe earlier versions) are not protecting that file as well as possible. Now, if he finds the actual hashing algorithm, he'll be more likely to reverse engineer it to find out what the actual passwords might be. It is not clear to me, however, if the work he is doing requires direct physical access to the hardware or if it is actually a software-based 'attack.' Once someone has physical access, of course, the majority of the hard work has been done. It might be easier to simply run some diagnostic software tools and read an unencrypted hard drive, which might even be removed from the computer, and gather any and every thing on it—who care's if there is a password?
As has been pointed out many places, security has many parts. Physical access being one of the most easy parts...for a business or government. About all we have for our home computers is the lock on the front door. The second major aspect of security is on a network. Again, most businesses/governments know how to handle that. Home computers are not so well protected because many people don't even consider the Internet as just another network. So we are only as protected as the OS builders and our own knowledge and behaviors are. If we click on links wilt-nilly and allow anything downloaded permission to run on our hardware, we shouldn't be surprised at losing our security. As we used to say about car accidents, "The most dangerous thing in a vehicle is the nut behind the wheel!" The modern corollary might be, "The weakest link in personal computer (and more and more of our devices are actually computers) security is the animal in front of the monitor!"
Post by: Paddy on September 26, 2011, 10:46:19 AM
http://www.infosecurity-magazine.com/view/...swords-cracked/
QUOTE
Although Dunstan says that the current crop of Mac password crackers - from the darker side of the internet, Infosecurity notes – do not support the SHA512 plus four-byte salt password hash structures seen on OS X Lion, he has created his own simple script in python, which he is offering for download.
“Now, if the password is not found by the dictionary file you're out of luck, right? Well, no! Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user”, he says
“So, in order to change the password of the currently logged in user, simply use:
$ dscl localhost -passwd /Search/Users/bob
And voilà! You will be prompted to enter a new password without the need to authenticate.”
As a temporary measure to mitigate these attacks - before Apple releases a patch – Dunstan recommends users limit their standard access to the dscl utility using a `$ sudo chmod 100 /usr/bin/dscl' command.
“Now, if the password is not found by the dictionary file you're out of luck, right? Well, no! Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user”, he says
“So, in order to change the password of the currently logged in user, simply use:
$ dscl localhost -passwd /Search/Users/bob
And voilà! You will be prompted to enter a new password without the need to authenticate.”
As a temporary measure to mitigate these attacks - before Apple releases a patch – Dunstan recommends users limit their standard access to the dscl utility using a `$ sudo chmod 100 /usr/bin/dscl' command.
Again - requires physical access to the Mac in question, and one hopes Apple will fix this quickly!
Post by: Xairbusdriver on September 26, 2011, 12:16:47 PM
After looking into some hashing info, all of more concerned with it's use on web sites, I noted that most of these methods don't even store the actual password, just the hash. That's why the mention of 'dictionary' lookups. Basically, a hacker generates every possible but generally used password and can then compare that list with the hash file entries. "Salt" refers to another, usually computer generated and often random, word that is added to the password (often in different places rather than either end), before getting run through the 'hashing.' This further increases security, and the longer that 'salt' word, the better, of course.
I think Keychain stores the actual password along with any hash, however. That's one reason to use a different way of storing at least some passwords...if my suspicions are true.
Bottom line: Use strong passwords, as long as possible, including upper and lower-case letters, numbers and punctuation marks! Absolutely do not use 'dictionary' words, ever. Period!!