• Enjoy the freedom to innovate and grow your business

    [ad] With Microsoft Azure you have hybrid cloud flexibility, allowing your platform to span your cloud and on premise data centre. Learn more at microsoftcloud.com.

  • IT Admin: No Time to Save Time?

    [ad] Do you spend too much time patching machines or cleaning up after virus attacks? With automation controlled from a central IT management console accessible anytime, anywhere – you can save time for bigger tasks. Try simple IT management from GFI Cloud and start saving time today!

  • Free Forrester analysis of CRM solutions

    [ad] In this 25 page report, independent analyst house Forrester evaluates 18 significant products in the customer relationship management space from a broad range of vendors, detailing its findings on how CRM suites measure up and plotting where they stand in relation to each other. Download it for free now.

  • Great articles on other sites
  • RSS Great articles on other sites

  • Reader giveaway: Google Nexus 5

    We’re big fans of Google’s Nexus line-up in general at Delimiter towers. Nexus 4, Nexus 7, Nexus 10 … we love pretty much anything Nexus. Because of this we've kicked off a new competition to give away one of Google’s new Nexus 5 smartphones to a lucky reader. Click here to enter.

  • News - Written by on Monday, September 26, 2011 12:36 - 29 Comments

    Aussie researcher cracks OS X Lion passwords

    news An Australian security expert respected for his work testing the defences of Apple software has published a method which appears to allow an attacker to break through the password defences of Cupertino’s latest Max OS X Lion operating system.

    According to his LinkedIn profile, Patrick Dunstan is currently an information security specialist at the University of Adelaide, although he also works as a guest lecturer at the University of South Australia. Dunstan had previously attracted attention in late 2009 with a blog post explaining how a user who had already gained access to a Mac OS X system could extract a user’s password on that system.

    In a new blog post this week — first reported by Secure Computing Magazine last week — Dunstan published an update to his technique. However, this time around he discovered a startling new fact with respect to Lion’s security protection — according to the researcher it leaves a crucial step out which could allow remote access to user passwords on the system.

    In previous versions of Mac OS X, in order to access a users’ password, an attacker would need to break into what is referred to in Unix-based operating systems (such as Mac OS X) as a ‘shadow’ file — a file which stores critical data but can only be accessed by users with a high privilege — such as root access.

    “So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user … or at least it should be,” wrote Dunstan in his post. “It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data.”

    This means, according to the researcher, that it might be possible for an attacker to crack a users’ Lion password by attacking their system through a Java app hosted online. The attack vector would still require the owner of the computer running Mac OS X to allow the Java app to run — but it is possible.

    Dunstan noted that due, no doubt, to Lion’s relatively short time being available for use, he could not find any major cracking software supporting the ability to crack encrypted passwords in the operating system — but he has published a simple script which allows users to do so. It is not yet clear whether Apple is aware of the issue, but a temporary workaround allows users to secure their system through setting different permissions on a certain file.

    The news comes as Mac OS X continues to be subject to fewer security attacks than Microsoft Windows. Security researchers have stated in the past that there could be a number of reasons for the appearance of heightened security on the Apple platform, ranging from its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications, to the relative dominance of Windows in the desktop PC market.

    However, researchers have also speculated that attacks on Mac OS X could increase in future, along with the platform’s growing popularity and use on mobile devices such as iPhone and iPads.

    As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches out there, which would require no support from a user. However, what Dunstan’s blog post demonstrates is that Mac OS X is not inherently safe from security problems. They do exist on the Mac; and I’m sure we’ll see more of them as time goes on; especially aimed at devices such as iPads.

    Image credit: Apple

    submit to reddit


    You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

    1. Posted 27/09/2011 at 12:01 am | Permalink |

      It seems they have more hipster user interface folks working at Apple than security folks because security is the core at most UNIX operating systems. Seems like the hipsters have gutted UNIX because they didn’t understand it and built a stinking dog pile mess then sold it as “Macs don’t get viruses” but ask Charlie Miller who pwns a Mac each time he gets his hands on it.

      • Posted 27/09/2011 at 12:10 am | Permalink |

        Anyone can break any system if they “get their hands on it.” Nice try, though.

        • Posted 27/09/2011 at 10:47 pm | Permalink |

          Yeah but not every product is marketed with billions of dollars of advertisements and false sense of security such as “Macs don’t get viruses”. $10 says you wrote that comment on an iPad but wait until the iPad 4 comes out with DUAL SCREENS!!!

      • Anonymous
        Posted 27/09/2011 at 12:41 pm | Permalink |

        Wow, you managed to use “hipster” twice when writing a post about Apple. I’m impressed!

        Can you manage to work it into something about Microsoft or AT&T for double points?

    2. Anonymous
      Posted 27/09/2011 at 12:17 am | Permalink |

      There are a lot of if’s before an attacker can actually get to your password. By the time it is actually cracked (I hope the article headline is fixed), Apple will have time to address the issue through a security fix. One thing for sure, this exploit is not obvious.

    3. Posted 27/09/2011 at 12:41 am | Permalink |

      Lots of FUD, very little substance. Finding the hash file isn’t the same as “cracking”.

      • Jon Do
        Posted 27/09/2011 at 1:09 am | Permalink |

        Nah, the guy reverses the hash system so that he can brute force it. It’s not cracking the passwords, but it enables it.

      • Posted 27/09/2011 at 3:08 am | Permalink |

        You need to find the hash file, in order to have something to crack. If you don’t know what you are talking about, maybe you should refrain from posting about FUD.

        • Posted 27/09/2011 at 5:43 am | Permalink |

          See, the problem is: the article says he cracked them. So until he does, and can reproduce it, its FUD. On my Lion box the permissions in question remain tight. Only root has access to the Default tree mentioned in the post.

          The only way I can duplicate the methods mentioned in the article are by assuming a root shell manually, or using sudo. So not only is the cracking thing misleading, but so is the methodology he’s depicting. The comments seem to show others having similar responses.

          So the point still stands. FUD, link-bait, however you want to describe it.

          • Posted 27/09/2011 at 5:48 am | Permalink |

            If you get the contents of the shadow file, cracking the password of that user is simply a matter of clock cycles.
            As I described here: http://www.appfail.com/read/55/WebCT-fails-at-password-hashing/ it is quite trivial to crack a password has once it is exposed. We saw this happen when Gawker’s database was compromised, with a database containing all of the users, email addresses and hashed passwords, the attackers were able to crack 1000s of passwords in a matter of days. This is a serious flaw, it just takes a bit of understanding. The research is valid, the reporting may be a little off, but that does not make this FUD at all. If you don’t understand hashing, read this: http://geekrt.com/read/91/What-is-a-Hash/

            • Posted 27/09/2011 at 5:53 am | Permalink |

              Except that nobody but him seems to be able to duplicate it. As I pointed out, I can’t. The permissions on my machine appear to be such that it is secure (or at least not suffering from the same vulnerability), insofar as I can test (i’m not foolish enough to say anything is for certain).

              I tend to take ANY of these kinds of announcements with a truckload of salt, simply because 9 times out of 10 they end up being attention grabs based on soft data or misinterpreted results. This is especially true when the announcements revolve around Macs, because of the collective dementia that is induced anytime Mac vs PC security is brought up.

              • PeterA
                Posted 27/09/2011 at 12:41 pm | Permalink |

                Many people on his blog reported they could reproduce it.
                Many others mis-understood his comment about changing passwords and couldn’t replicate it.

                What you can do: with a non-authenticated user you can get the password hash.
                (this is step 1 for cracking a password – ie the getting the thing to crack)

                What you can also do is change the password of the current user without knowing the current users password
                Many people misunderstood his statement to mean you could change ANY users password at ANY time.
                You cant, you can only change the *current* users password (WITHOUT sudo and WITHOUT their old password)

              • Posted 28/09/2011 at 1:40 am | Permalink |

                As PeterA is saying, when you are dealing with access to the password database, you always have two options. 1) take the hashed password, go away, crack it, and return with the known password and compromise the system. 2) overwrite the hash with a new one for a known password, and compromise the system. The disadvantage to the second option is that it becomes immediately obvious to the user that they have been compromised, because their old password no longer works. Of course, after you have gotten in to the system, you could add your self a separate user account, and return the original password to the compromised account.

              • Posted 28/09/2011 at 1:52 am | Permalink |

                The bottom line is that the article is misinterpreting and misrepresenting what has happened. The article implies that you can RETRIEVE a user’s password. Not just change it. If i change a user’s password on one system, great. I can now run amok on that system, and that’s bad. If I can REVERSE the salted hash, I can potentially get access to many more systems, if the user uses the same password in multiple locations.

                The former situation is bad for the Everyman. The latter is incredibly bad for network managers, system admins, etc.

                I don’t contest that what the BLOG POST reports is bad. But the RE-Reporting being done here is disingenuous link bait, plain and simple.

    4. Posted 27/09/2011 at 12:43 am | Permalink |

      He found a way to get the hash/salt data. The password then still needs to be cracked with brute force. Which is very hard. The title of this article is kinda misleading.

      • Posted 27/09/2011 at 3:06 am | Permalink |

        It really isn’t that hard. and with GPU powered password cracking, it is remarkably fast. I happen to own a cluster of GPUs that I use for bitcoin mining, but I could easily redirect that error to cracking billions of password combinations per second.

        • jtc
          Posted 28/09/2011 at 12:17 am | Permalink |

          And how will you copy the shadow file off of any (OS X Lion) computer you desire to your fancy GPU cluster for cracking, pray tell?

          Any issue here is a “local” weakness. Your fancy GPU the other side of the world is nuetered.

          So you need Physical Access (e.g. get on a plane to go and physically interactive with your chosen OS X Lion machine), or allegedly trick the user to download and run an application of some sort that apparently allows it to see the shadow file by default (note: Java is not installed by default in Lion; another hurdle to to a Java based app).

          How is this different from any other local vulnerability? And *basically* having to revert to social engineering to do *anything* useful as an exploit.

          This article is pure link bait, esp. given the title.

          (p.s. Not coming here again and I life in Oz.)

          • Posted 28/09/2011 at 12:26 am | Permalink |

            As I wrote in the article, I’m aware of the exploit;s limitations:

            “As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches out there, which would require no support from a user.”

            However, the permission change in Lion which Dunstan demonstrated was worth reporting, and it does open up the possibility of more automated attacks on Mac OS X. In addition, any attack on a users’ password — as opposed to just getting access to a machine in general — is broadly interesting.

            I also thought the exploit was worth reporting because it was a Mac OS X/Unix exploit. It seems clear that Windows has been the subject of vastly greater attacks than Unix, and certainly Mac OS X, in the past. So even “less dangerous” attacks on Mac OS X are of interest.

            I hope I can convince you to come back to Delimiter by writing better articles in future — let me know what sort of articles you’re interested in! :) I take requests.

          • Posted 28/09/2011 at 1:36 am | Permalink |

            Each of the last 5 Adobe Flash vulnerabilities (all if which applied to Mac and Linux as well), allowed for this type of exploit, so it is not as impossible as you seem to imply.

            But the real master.passwd or shadow file on a Unix or Linux machine is protected such that no one with user access can view or modify the file. To compromise the file on linux, would require physical access and rebooting in to single user mode, or removing the hard drive for inspection. Some configuration beyond the default would close this loop hole by requiring the root password to access single user mode as well. Mac OS X has broken this traditional model by using separate shadow files per user, and not adequately protecting them.

    5. Rashkae
      Posted 27/09/2011 at 1:17 am | Permalink |

      People have been cracking Unix Hash passwords for decades.. It’s not hard at all, unless all the passwords are “secure”. Letting non-root users read the password hash cmpletely breaks the Unix password security model.

    6. Posted 27/09/2011 at 1:58 am | Permalink |

      Hi everyone, I’ve deleted a couple of abusive comments from this article; please keep things polite as per our site comments policy:


      Otherwise your comment will be deleted.


      Delimiter Editor

    7. Laughingskeptic
      Posted 27/09/2011 at 3:13 am | Permalink |

      This statement erroneously implies that Unix OS level permissions are more fine grained than Windows permissions. This is not true. The Windows OS provides for much more fine grained control of permissions. “ranging from its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications”.

      • Doctor Velvetear
        Posted 27/09/2011 at 4:03 am | Permalink |

        Yes and Apple use an ACL system as well as posix if you use ls -lae
        on a mac you will see the extended access levels.

        • Posted 28/09/2011 at 12:28 am | Permalink |

          “This statement erroneously implies that Unix OS level permissions are more fine grained than Windows permissions.”

          Interesting; you’re perhaps right technically, but as a user I’ve never actually had to tinker with my Windows permissions; while I tinker with Linux permissions all the time. It seems to me that the Unix permission structure is much more baked into everyday use of the operating system than it is in Windows (certainly in Windows XP and below etc).

    8. Anonymous
      Posted 27/09/2011 at 9:00 am | Permalink |

      “its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications”

      As already stated, the Windows permissions model is much much “finer-grained” than *nix, this has nothing to do with it. Windows uses Access Control lists, which are groups of ACE’s(access control entries).Even linux and Mac zealots agree with this.

      Windows is still a bigger and more profitable target for Malware.
      Windows attracts more security un-aware users, the majority of whom are members of the Administrator group (IMO the biggest blunder of all)
      There are always and always will be flaws in all Operating Systems.
      The user is the biggest risk.

      • Posted 28/09/2011 at 12:28 am | Permalink |

        Hmm see my comments above about Windows permissions.

    9. Posted 27/09/2011 at 11:42 am | Permalink |

      “As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches”

      As we all know, end users are one of the biggest security holes. Just ask the RSA accounts department about Excel files that have been quarantined.

      Now Mac OS X Lion users, think first before opening that fish in a blender Java app that your friend email you. :)

    10. MJ
      Posted 27/09/2011 at 12:29 pm | Permalink |

      This hardly sounds serious. Yes it needs to be fixed but I won’t be losing any sleep over it. It’s pretty hard to secure a system with users who are silly enough to run unsafe programs from untrusted sources.


    Get our 'Best of the Week' newsletter on Fridays

    Just the most important stories, one email a week.

    Email address:

  • Most Popular Content

  • Six smart secrets for nurturing customer relationships
    [ad] Today, we are experiencing a world where behind every app, every device, and every connection, is a customer. Your customers will demand you to be where they and managing customer relationship is the key to your business’s growth. The question is where do you start? Click here to download six free whitepapers to help you connect with your customers in a whole new way.
  • Enterprise IT stories

    • NetSuite in whole of business TurboSmart deal turbosmart

      Business-focused software as a service giant NetSuite has unveiled yet another win with a mid-sized Australian company, revealing a deal with automotive performance products manufacturer Turbosmart that has seen the company deploy a comprehensive suite of NetSuite products across its business.

    • WA Health told: Hire a goddamn CIO already doctor

      A state parliamentary committee has told Western Australia’s Department of Health to end four years of acting appointments and hire a permanent CIO, in the wake of news that the lack of such an executive role in the department contributed directly to the fiasco at the state’s new Fiona Stanley Hospital, much of which has revolved around poorly delivered IT systems.

    • Former whole of Qld Govt CIO Grant resigns petergrant

      High-flying IT executive Peter Grant has left his senior position in the Queensland State Government, a year after the state demoted him from the whole of government chief information officer role he had held for the second time.

    • Hills dumped $18m ERP/CRM rollout for Salesforce.com hills

      According to a blog post published by Salesforce.com today, one of Ted Pretty’s first moves upon taking up managing director role at iconic Australian brand Hills in 2012 was to halt an expensive traditional business software project and call Salesforce.com instead.

    • Dropbox opens Sydney office koalabox

      Cloud computing storage player Dropbox has announced it is opening an office in Sydney, as competition in the local enterprise cloud storage market accelerates.

    • Heartbleed, internal outages: CBA’s horror 24 hours commbankatm

      The Commonwealth Bank’s IT division has suffered something of a nightmare 24 hours, with a catastrophic internal IT outage taking down multiple systems and resulting in physical branches being offline, and the bank separately suffering public opprobrium stemming from contradictory statements it made with respect to potential vulnerabilities stemming from the Heartbleed OpenSSL bug.

    • Android in the enterprise: Three Aussie examples from Samsung androidapple

      Forget iOS and Windows. Today we present three decently sized deployments of Android in the Australian market on Samsung’s hardware, which the Korean vendor has dug up from its archives over the past several years for us after a little prompting :)

    • Businesslink cancelled Office 365 rollout cancelled

      Microsoft has been on a bit of a tear recently in Australia with its cloud-based Office 365 platform, signing up major customers such as the Queensland Government, Qantas, V8 Supercars and rental chain Mr Rental. And it’s not hard to see why, with the platform’s hybrid cloud/traditional deployment model giving customers substantial options. However, as iTNews reported last week, it hasn’t been all plain sailing for Redmond in this arena.

    • Qld Govt inks $26.5m deal for Office 365 walker

      The Queensland State Government yesterday announced it had signed a $26.5 million deal with Microsoft which will gain the state access to Microsoft’s Office 365 software and services platform. However, with the deal not covering operating system licences and not being mandatory for departments and agencies, it remains unclear what its impact will be.

    • Hospital IT booking system ‘putting lives at risk’ doctor

      A new IT booking platform at the Austin Hospital and Olivia Newton-John Cancer and Wellness Centre in Melbourne is reportedly placing the welfare of patients with serious conditions at risk.

  • Enterprise IT, News - Apr 17, 2014 16:39 - 0 Comments

    NetSuite in whole of business TurboSmart deal

    More In Enterprise IT

    News, Telecommunications - Apr 17, 2014 11:01 - 134 Comments

    Turnbull lies on NBN to Triple J listeners

    More In Telecommunications

    Featured, Industry, News - Apr 17, 2014 9:28 - 1 Comment

    Campaign Monitor takes US$250m from US VC

    More In Industry

    Digital Rights, News - Apr 17, 2014 12:41 - 14 Comments

    Anti-piracy lobbyist enjoys cozy email chats with AGD Secretary

    More In Digital Rights