Apple Mac Security Takedown

And so it begins...

http://apple.slashdot.org/story/11/03/10/0319224/SafariMacBook-First-To-Fall-At-Pwn2Own-2011?from=headlines

The kiddies have decided to start embarrassing Apple for zero-day exploits in Safari. Apple responded, but it proves everything is vulnerable...

Interesting, but if Apple already had it patched and released about at the same time, I'm not too worried. Besides, I wouldn't call the Pwn2Own people "kiddies," they're damn good at what they do and they generally crack everything.
 
Reading the article, Apple patched 50 items with the recent Safari patch and it did not stop these guys. There's at least one remote root exploit in Safari still right now. The one he used. It has not been patched.
 
In reality, the "it can't happen to me" mentality is the most dangerous thing a user can have. As someone that has seen (and used) various operating systems (and had to hot flash DIP / PLCC BIOS chips in the old days) anything can be attacked. I don't care if it's VMS, *nix, Windows, or OS/2. Heck, any OS. Rule number one is simple:

There is an exploit that can nail you.

Only two things can perfectly protect you:

1) never allowing another person to use your machine, ever

And (not or)

2) never allowing your machine on any network, ever

Short of that, you can be targeted.

Oh and the French Team "owned" Safari after the updates? Their spokesman / leader stated that the recent patches broke some, but not all of the exploits.
 
Short of data warehousing, there's no avoiding the inevitable hack, unless you're really boring, and then, even if you get hacked, who cares?

I've been hacked on Linux (granted, I left the door WIDE open, but it still shows that someone out there had the desire).

Are virus scanners the answer? Not unless you are on Windows, where it is basic as a requirement. We should not let ourselves get to that point on the only two remaining good OSes. I think our societal move toward "WE GOTTA HAVE ANTIVIRUS!" is what has made Windows suck so bad lately. So much so that before I jumped away from Windows for good (except at work where I have no control), I was running a completely un-protected PC, and planning to reimage every 6 months or so.

I don't want to get to that point on OSX or Ubuntu. Let's hold them accountable and make sure they keep up with the security so that we don't need to run anti-virus on them. The day Apple comes out and says similar things to Microsoft about how AntiVirus is a must have for their computers is the day I move one more step toward Linux and drop my OSX machines too.
 
You'll notice the initial hole is via the open-source Webkit rendering engine (used in both Safari and Chrome). So much for open source being better. :tongue:
I did find it interesting they also bypassed some of the other protections built into OS X.
 
Only two things can perfectly protect you:

1) never allowing another person to use your machine, ever

And (not or)

2) never allowing your machine on any network, ever

Short of that, you can be targeted.

#3: Get rid of the dumb users.

I heard a story of a corporation hiring a security firm to test their hackability. They thought their systems were quite tough. Security firm went in through the social engineering route -- found out when the outdoor company picnic was, and scattered a few USB thumb drives throughout the grass the night before. People picked them up thinking that one of their co-workers must have dropped them. Plugged them into their PCs and found it contained "Pictures". Ah, I can just open those to see who's in the photos and determine which co-worker the USB drive belongs to...

...only the Pictures weren't pictures, they were exploits that got the security team into the corporate network.

Game, set, match.
 
Let the updates run while I slept. iPad feels a little snappier, browser-wise.

Only error so far is that iMovie refuses to install on the iPhone 4 with an "Unknown error" message. Will deal with that later.

About to go see if the WiFi hotspot works. And iTunes Home Sharing.
 
#3: Get rid of the dumb users.

I heard a story of a corporation...

...only the Pictures weren't pictures, they were exploits that got the security team into the corporate network.

Game, set, match.

I know of a major finance institution where their internal security team (with permission!) sent an e-mail from a Yahoo account that mimicked the look and feel of their internal IT department announcements which requested usernames and passwords of users.

1/3 of the company, including most execs or assistants to execs, replied.

That one e-mail triggered their use of two-factor authentication with key fobs for access to critical data. (Read: Customer's account information.)

How much do you trust your bank's IT Security department? ;)
 
You'll notice the initial hole is via the open-source Webkit rendering engine (used in both Safari and Chrome). So much for open source being better. :tongue:...
Well, that depends. What does Internet Explorer's track record look like?
-harry
 
I know of a major finance institution where their internal security team (with permission!) sent an e-mail from a Yahoo account that mimicked the look and feel of their internal IT department announcements which requested usernames and passwords of users.

1/3 of the company, including most execs or assistants to execs, replied.

That one e-mail triggered their use of two-factor authentication with key fobs for access to critical data. (Read: Customer's account information.)

How much do you trust your bank's IT Security department? ;)

I once ran a l0ftcrack (with permission) on a client's Domain Controller. They were a bit lax on password change policies. I found ~2/3 of users had the company name as their password.:hairraise:
 
Short of data warehousing, there's no avoiding the inevitable hack, unless you're really boring, and then, even if you get hacked, who cares?

LOL! One dose of reality, courtesy of Nick! Right on.

This "Mac was hacked" thing from Pwn2Own really isn't news - I think that they generally hack every machine they try there.

Remember hack.microsoft.com? A friend of mine was the main guy behind LinuxPPC back then, so he set up hack.linuxppc.org and offered to give the machine to anyone who could hack it (Hmmm, Pwn2Own style). hack.microsoft.com got taken down many times per day - hack.linuxppc.org lasted over a year, and finally got taken down by a hole that had already been patched. (No patches were ever added to the hack machine.) Jeff had a good laugh and sent the guy the machine.

I don't want to get to that point on OSX or Ubuntu. Let's hold them accountable and make sure they keep up with the security so that we don't need to run anti-virus on them. The day Apple comes out and says similar things to Microsoft about how AntiVirus is a must have for their computers is the day I move one more step toward Linux and drop my OSX machines too.

Apple recently provided the currently-being-worked-on version of OS X 10.7 to the security/hacker community so they could help find any holes in it, something that hasn't been done before. So, they certainly know that as they gain market share they're going to become an ever-larger target and that they'd better get some help WRT stepping up security as well.

#3: Get rid of the dumb users.

Good luck with that. :frown2:

My mom called last night and asked if she should install the Flash update - I asked if it had popped up when she loaded a web page, or otherwise? She'd seen the alert twice, both in Firefox, when viewing different web sites, so I figured it was legit. But yeah, an unsuspecting user is probably the easiest way to get into a machine, and no OS will ever be immune to that.

I once ran a l0ftcrack (with permission) on a client's Domain Controller. They were a bit lax on password change policies. I found ~2/3 of users had the company name as their password.:hairraise:

:hairraise::hairraise::hairraise:!!!!! I think they probably shouldn't have set people's accounts up with that password to begin with... Can't blame that solely on stupid users!
 