News - Written by Renai LeMay on Monday, September 26, 2011 12:36 - 29 Comments
Aussie researcher cracks OS X Lion passwords
news An Australian security expert respected for his work testing the defences of Apple software has published a method which appears to allow an attacker to break through the password defences of Cupertino’s latest Mac OS X Lion operating system.
According to his LinkedIn profile, Patrick Dunstan is currently an information security specialist at the University of Adelaide, although he also works as a guest lecturer at the University of South Australia. Dunstan had previously attracted attention in late 2009 with a blog post explaining how a user who had already gained access to a Mac OS X system could extract a user’s password on that system.
In a new blog post this week — first reported by Secure Computing Magazine last week — Dunstan published an update to his technique. However, this time around he discovered a startling new fact with respect to Lion’s security protection — according to the researcher it leaves a crucial step out which could allow remote access to user passwords on the system.
In previous versions of Mac OS X, in order to access a user’s password, an attacker would need to break into what is referred to in Unix-based operating systems (such as Mac OS X) as a ‘shadow’ file — a file which stores critical data but can only be accessed by users with a high privilege — such as root access.
“So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user … or at least it should be,” wrote Dunstan in his post. “It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data.”
This means, according to the researcher, that it might be possible for an attacker to crack a user’s Lion password by attacking their system through a Java app hosted online. The attack vector would still require the owner of the computer running Mac OS X to allow the Java app to run — but it is possible.
Dunstan noted that due, no doubt, to Lion’s relatively short time being available for use, he could not find any major cracking software supporting the ability to crack encrypted passwords in the operating system — but he has published a simple script which allows users to do so. It is not yet clear whether Apple is aware of the issue, but a temporary workaround allows users to secure their system through setting different permissions on a certain file.
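The article describes the per-user shadow files (hash databases) as something only root should be able to read. The following shell script is an added example, not Dunstan’s script and not anything published by Apple: it audits a directory of hash-store files and reports any file that is not owned by the expected account or is readable by group or others. It assumes that the per-user hash store is a directory of root-owned property-list files (on Mac OS X 10.5 and later this is /var/db/dslocal/nodes/Default/users, which is an assumption on the part of this example, not something the article states). Note the caveat: this check only confirms the file-permission baseline the article describes for earlier releases. The Lion problem Dunstan reports is that hash data is exposed to non-root users through a different path even when those files are correctly locked down, so a clean result from this audit does not mean a Lion system is unaffected.

```sh
#!/bin/sh
# Audit that per-user password-hash store files are owner-only and owned by
# the expected account. Uses ls(1) rather than stat(1) so it runs unchanged
# on both Mac OS X and Linux.

# Print the nine-character permission string (e.g. rw-r--r--) for a file.
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Succeed (return 0) if group or others have the read bit set.
readable_by_non_owner() {
    p=$(perm_string "$1")
    case "$p" in
        ???r?????|??????r??) return 0 ;;   # group read bit or other read bit
        *) return 1 ;;
    esac
}

# audit_hash_store DIR OWNER
# Prints one line per problem found among the regular files in DIR and
# returns 1 if there was at least one problem, 0 if every file is clean.
audit_hash_store() {
    dir=$1
    expected_owner=$2
    problems=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" != "$expected_owner" ]; then
            echo "OWNER: $f is owned by $owner, expected $expected_owner"
            problems=$((problems + 1))
        fi
        if readable_by_non_owner "$f"; then
            echo "PERMS: $f is readable by group/others ($(perm_string "$f"))"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Usage on a Mac (assumed path; listing the directory itself requires root):
#   sudo sh -c '. ./audit.sh; audit_hash_store /var/db/dslocal/nodes/Default/users root'
```

Run it as root against the hash-store directory and treat any output line as a finding: an OWNER line means the file has changed hands, a PERMS line means a non-root local user can read the hash material directly, which is the exposure the article describes for pre-Lion systems.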
The news comes as Mac OS X continues to be subject to fewer security attacks than Microsoft Windows. Security researchers have stated in the past that there could be a number of reasons for the appearance of heightened security on the Apple platform, ranging from its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications, to the relative dominance of Windows in the desktop PC market.
However, researchers have also speculated that attacks on Mac OS X could increase in future, along with the platform’s growing popularity and use on mobile devices such as iPhone and iPads.
As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches out there, which would require no support from a user. However, what Dunstan’s blog post demonstrates is that Mac OS X is not inherently safe from security problems. They do exist on the Mac; and I’m sure we’ll see more of them as time goes on; especially aimed at devices such as iPads.
Image credit: Apple