Mac Hacks - some analysis of CanSecWest

[Paddy]

http://www.roughlydrafted.com/2008/03/28/c...f-mac-security/

This is a great article, though rather long-winded - and should be required reading for any Mac owner thrown into a tizzy by the likes of CanSecWest and sensationalist reports in the press. (meanwhile, there are rumors afloat that major Mac-hater George Ou at CNet has been laid off...)

Note: you may want to skip most of the comments at the end, as they devolve rather quickly into political sniping!
 
By the way - missing from most of the early stories I read is any emphasis that this appears to have been a Safari exploit, not an OS X hack. Also, the machines were in their default-out-of-the box configurations - and that means the Mac's firewall was OFF. (why Apple persists in leaving it this way in Leopard is a mystery to me - the explanations they provide are also rather lame) Vista's firewall is ON by default. Nobody managed to hack any of the OS' on the first day - apparently nobody even tried. Further, it was a hack that required social engineering - getting the user to go to the web site that (apparently) contained malware that Miller had previously set up and had been working on for over a year. Which is not to deny that there is something that needs fixing - there clearly is. Nor can we deny that as of an hour ago on Day 3, the other two machines (Vista and Ubuntu) were still standing.

Anyway, it's certainly brought out the trolls again.

And no, we shouldn't be smug - there is no such thing as a 100% secure system, but the ridiculous hysteria that develops and bitter arguments that break out whenever there is the slightest whiff of a Mac exploit/hack/virus gets very old, very quickly. The fact that there are no viruses in the wild for OS X after 7 years says a lot. It would be nice if the myth of security via obscurity was overturned once and for all...

[Paddy]

End of Day 3 and the Vista machine fell to a Flash exploit:

http://dvlabs.tippingpoint.com/blog/2008/0...day-and-wrap-up

Looks like Adobe has more than one problem to fix in Flash:

http://www.macworld.com/article/132749/2008/03/flashbug.html

[krissel]

What I found interesting is the comment that they didn't try the Apple "exploit" on any of the other two machines.

More reading:

http://www.channelregister.co.uk/2008/03/28/mac_hack/

http://dvlabs.tippingpoint.com/blog/2008/0...er-with-picture

[Paddy]

The Register article was the most detailed description of the hack that I've read yet:

QUOTE

Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing.

Interesting - since I'd commented that the default setting for Leopard's firewall is "OFF"! What would be interesting to know is if, when it is enabled, this hack could still be performed and under what conditions. Will the Mac allow that port to be opened under any conditions or if Safari is one of the applications with incoming connections allowed? There is no way to use the security settings to block ports - you need to do it in the Terminal and it's not something the average user will feel comfortable doing.

http://www.macworld.com/article/132558/200...onnect2504.html

At any rate - this does raise the question as to whether this is actually simply a Safari exploit or whether there is something that needs to be done to the OS X firewall. It certainly would have been interesting to see if this hack worked in Safari on the Vista machine as well - I'd be surprised if Charlie Miller doesn't give it a try.

[Xairbusdriver]

QUOTE

The exploit involved getting an end user to click on a link, which...

I still fail to see how this is a "Mac" or "Safari" 'exploit!' Surely almost anything can be done if you can get the user to do something for you.

QUOTE

"Please open your Firewall and turn it OFF so we can hose your System for you. Once cleaned, you can turn the Firewall back ON. Thank you for your gullibility."

There are always going to be enough fools to counter any 'fool proof' setup.

[Paddy]

I think the problem here is that Safari/OS X allowed the port to be opened. That shouldn't happen, but my question is, would it happen on a machine with the firewall turned on, because as I noted, the machines were all still in their default, out-of-the-box states on Thursday, and with Leopard, that means the firewall is OFF. And if it doesn't happen if the firewall is ON, under what conditions? If I put Safari in my list of programs allowing incoming connections, then does it allow ANY incoming connections on ANY port? From what I've read, the stateful-packet-inspection firewall, called ipfw, is set to allow all traffic through, so it's no help.

Also, from what I've read, the hack only involved clicking on the link - it didn't involve having to install anything (like a Trojan) so I don't think claiming that it's simply user stupidity, which therefore nullifies the seriousness of the security hole. Sure, lots of us run behind routers and this sort of thing wouldn't happen, but not everyone does, and with the way legitimate web sites are getting hacked these days, how can you be sure that the link you click on is safe if something like this is a possibility?

Anyway, I'm not concerned that this is a real-live-in-the-wild issue now - but Apple needs to fix it, and from all reports, are working on doing just that.

[Xairbusdriver]

I'm probably just showing my ignorance (first time for everything, I guess! ) but I wonder if the 'user' of the machine was also operating with Root privileges? It would seem that then linking to a site with a know (Unix) script could easily open any ports desired without any further input from said user.

But a user running as Root and leaving the Firewall OFF seems to be daring anyone to attack his machine, no matter what OS is in use.

Obviously, I need to learn more about what and how the Firewall from Apple works...

[Paddy]

Jim, the hackers had no physical access to the machines being hacked - Miller simply directed the contest organizer who was acting as the user to go to the web site he'd set up and from there was able to open a port on the Mac and take control of the machine. The hacked Mac was an out-of-the-box default set up - not running under Root. And as I noted, the default setup is with the firewall set to off.

[Xairbusdriver]

OK. Still need to understand the 'settings' that are available in "Security." Seems like pretty much allow everything or allow only "Essential" stuff with or without specific apps. Which apps? Anything that uses the Internet, I would assume but that could include any app that does automatic checks for updates, right? And who knows how many of the System functions use various ports?

Seems like one should be able to specify what ports can be used rather than what apps/services since most would simply use the normal http (can't remember that one) or email port (25?). All the other ones should be reported to the user if needed right after the first OS install or an update. That's probably just way over-simplified and impractical...