Security expert at Black Hat: Whatever you do, keep Macs out of enterprise
Report describes clearly what malware attacks, what Macs defend and why networking is the weak link
The latest version of Mac OSX Lion is the most secure operating system Apple has ever shipped – far more resistant to malware, with fewer operational flaws or other characteristics easily exploited by hackers than five years ago, according to a report presented at last week's Black Hat conference by Alex Stamos of San Francisco-based security consultancy iSEC Partners.
That would make OSX Lion much more secure than any Macintosh product available five or more years ago, when threats to Macs were so rare many users thought they could do without antivirus.
Within large organizations – especially those like some government agencies, that do substantial amounts of work that has to be kept confidential – Macintoshes shouldn't even make the short list of products that might have access to sensitive data, or even the Internet, the iSEC Partners report concluded (PDF).
The problem is that, while individual Macs have been hardened against attack, Mac OSX Server has not. Because of its relative chattiness and trust of the client machines connected to the server or each other, it is alarmingly easy for a single malware-infected Mac to attack and take over the server through brute-force attack, according to a presentation of the report given at Black Hat by iSEC's Alex Stamos.
Individual Macs can be secured as tightly as PCs, but both are vulnerable to phishing and spear phishing attacks, among others, that virtually guarantees at least on client machine within any networked group will be infected with some form of malware.
No matter how well built the OS, security risk assessment requires assuming at least one client machine has been compromised.
What exactly do you mean that Macs are 'more vulnerable?'
Among networked Macs, the protocols – especially DHX User Authentication – don't offer much protection to the server. Raising a user's Administrator privileges two levels to the point a client machine can control the server's root is "two steps beyond trivial."
Windows client machines have far greater protections within the OS – especially within the heap and stack –structures within the OS applications use to assemble code, request the memory to execute it and set a priority for that function compared to others also waiting to run.
Malicious code can corrupt data in heaps or stacks specific ways to cause other security modules to choke, or overflow the buffer protecting the heap, allowing the virus to assign itself whatever memory and priority it wants and give it access to the lists of data or resources linked to the heap or stack for easy reference.
Versions of Windows from XP SP2 and above use a security cookie to identify chunks of code as safe.
They also include the ability to unlink tables pointing to other resources so that if the heap or stack are corrupted, the virus can be isolated there, rather than learning how to access other disks, more memory or other machines.
Mac 10.5 uses a checksum to verify the identity of the code that's about to execute within the heap.
The Login Keychain with the Mac OS is also vulnerable to brute-force cracking of the user's password, which a piece of malware can be designed to do after getting itself enough memory and privileges to run.
Login Keychains typically contain login data for more than one user, so once one password is cracked, the malware can give itself privileges of all the users in the chain, then use those to authenticate it to various segments of the OS through which it can then explore.
The Windows User Account Control is also vulnerable to spoofing, but not as simply as MacOS, Stamos said.
The Lion version of OSX includes a sandbox that can trap malware in an area with restricted access to memory, disk and network access and refuse to elevate its privileges far enough that it can get itself out of the trap.
What about the server?
Within the server itself – or at least on the way to the server – malware has a far easier time.
The default install of the Snow Leopard version of Mac OSX leaves 28 network ports open and includes so many authentication flaws it's not reasonable to trust it.
The host of available authentication mechanisms, for example, allows an attacker to degrade the authentication – request and receive a simpler signon process – that relying on the comparatively save Kerberos authentication gives server administrators a false sense of security.
A host of other mechanisms designed to make it simple for users to connect with and use the server do the same for malware as well, Stamos says.
The Apple Remote Desktop authenticates through a tight, 128-bit encrypted tunnel. Bonjour, the ad-hoc DNS service that helps find other Apple hardware in the networked area, requires no authentication, lets linked machines call dibs on a particular network name and pushes away a second machine trying to use the claimed name.
Malware that can listen to enough network chatter to identify names of machines linked through Bonjour can claim a network name for themselves and undercut the Remote Desktop's tighter authentication by pretending to be an account that has already authenticated.
Among other problems or weaknesses are:
- VPN credentials that remain present and available for hijacking after the original session is complete;
- Software tokens and issued certificates that can also be hijacked;
- The ability to create new users in an one of several available directory formats while spoofing a more secure ID;
- There is no central, required cryptography protocol.
Mac servers also lack functions such as memory forensics to check for malware that's already running, simple ways to check the integrity of the OS and securely signed binary and driver files, all of which are available for Windows.
So what's that add up to in practical terms?
Overall, a single Mac connected to the Internet but not to a Mac server is safer than a PC, primarily because Macs are still far less popular than PCs, so there are fewer viruses in circulation for them and no preconfigured Mac exploits built in to popular cracking toolkits.
However, Mac users are more vulnerable than Windows users, primarily because they assume they're safe. That makes them less wary of attacks based on social-engineering – such as the phishing and spear-phishing techniques that are the leading entry point for cyber-spies penetrating U.S. military networks.
In socially engineered attacks, all the hacker has to do is fool a user, not a secure operating system; much simpler. Users then install the malware themselves by going to maliciously salted web sites or opening tainted attachments.
All users are vulnerable to these types of attacks at one time or another, Stamos said. Mac users are more vulnerable because of their guards are lower.
So what's the conclusion about Macs in the enterprise?
Fine for individuals connecting to servers running Windows or other OSes on TCP/IP networks; death-in-waiting for anyone running Mac OSX servers on network segments linked to the Internet.
"Run your Macs as little islands on a hostile network," Stamos told attendees at his Black Hat presentation."Once you turn on the administrator stuff, once you install OS X Server, you are toast."
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.