News - Written by Renai LeMay on Monday, September 26, 2011 12:36 - 29 Comments
Aussie researcher cracks OS X Lion passwords
An Australian security expert respected for his work testing the defences of Apple software has published a method which appears to allow an attacker to break through the password defences of Cupertino’s latest Mac OS X Lion operating system.
According to his LinkedIn profile, Patrick Dunstan is currently an information security specialist at the University of Adelaide, although he also works as a guest lecturer at the University of South Australia. Dunstan had previously attracted attention in late 2009 with a blog post explaining how a user who had already gained access to a Mac OS X system could extract a user’s password on that system.
In a new blog post this week — first reported by Secure Computing Magazine last week — Dunstan published an update to his technique. However, this time around he discovered a startling new fact with respect to Lion’s security protection: according to the researcher, it omits a crucial step, which could allow remote access to user passwords on the system.
In previous versions of Mac OS X, in order to access a user’s password, an attacker would need to break into what is referred to in Unix-based operating systems (such as Mac OS X) as a ‘shadow’ file — a file which stores critical data but can only be accessed by users with a high privilege, such as root access.
“So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user … or at least it should be,” wrote Dunstan in his post. “It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data.”
This means, according to the researcher, that it might be possible for an attacker to crack a user’s Lion password by attacking their system through a Java app hosted online. The attack vector would still require the owner of the computer running Mac OS X to allow the Java app to run — but it is possible.
Dunstan noted that, no doubt because Lion has only been available for a relatively short time, he could not find any major cracking software supporting the ability to crack the operating system’s encrypted passwords — but he has published a simple script which allows users to do so. It is not yet clear whether Apple is aware of the issue, but a temporary workaround allows users to secure their system by setting different permissions on a certain file.
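The property Dunstan describes, that a shadow file (hash database) must be readable by root alone, can be checked and enforced on any file an administrator chooses to point it at. The following Python script is an added example written for this article; it is not Dunstan’s script, it does not know Lion’s actual shadow-file locations (the article does not name them, so the path is supplied by the caller), and its demonstration runs on a constructed temporary file rather than real hash data. In production the expected owner would be uid 0 (root); the demo passes the current user’s uid only so it can run unprivileged.

```python
import os
import stat
import tempfile


def audit_hash_store(path, required_owner_uid=0):
    """Return a list of findings for a file that is supposed to hold password
    hashes. An empty list means the file is readable by its (root) owner alone,
    which is the property the article says a shadow file must have."""
    st = os.lstat(path)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        # A symlink in place of the hash store can redirect reads; flag and stop.
        findings.append("is a symlink")
        return findings
    if st.st_uid != required_owner_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {required_owner_uid}")
    if st.st_mode & stat.S_IRGRP:
        findings.append("group-readable")
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings


def harden_hash_store(path):
    """Generic form of the permissions workaround: strip every group/other bit
    so only the owner can read or write the file. Returns the new mode bits."""
    st = os.stat(path)
    new_mode = stat.S_IMODE(st.st_mode) & 0o700  # keep owner bits only
    os.chmod(path, new_mode)
    return new_mode


def demo():
    """Constructed demonstration on a throwaway file (not a real hash store):
    start with a world-readable file, audit, harden, audit again."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".plist") as f:
        f.write("placeholder hash data (constructed, not a real hash)\n")
        path = f.name
    try:
        os.chmod(path, 0o644)  # the weak setting: rw-r--r--
        before = audit_hash_store(path, required_owner_uid=os.getuid())
        harden_hash_store(path)  # becomes rw-------
        after = audit_hash_store(path, required_owner_uid=os.getuid())
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after = demo()
    print("before hardening:", before)  # ['group-readable', 'world-readable']
    print("after hardening:", after)    # []
```

Run the audit periodically (for example from a configuration-management check) against each file that stores credential material, and alert on any non-empty finding list; the `harden_hash_store` step is what the article’s “temporary workaround” amounts to in the general case.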
The news comes as Mac OS X continues to be subject to fewer security attacks than Microsoft Windows. Security researchers have stated in the past that there could be a number of reasons for the appearance of heightened security on the Apple platform, ranging from its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications, to the relative dominance of Windows in the desktop PC market.
However, researchers have also speculated that attacks on Mac OS X could increase in future, along with the platform’s growing popularity and use on mobile devices such as iPhones and iPads.
As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches out there, which would require no support from a user. However, what Dunstan’s blog post demonstrates is that Mac OS X is not inherently safe from security problems. They do exist on the Mac, and I’m sure we’ll see more of them as time goes on, especially aimed at devices such as iPads.
Image credit: Apple