  • News - Written by on Monday, September 26, 2011 12:36 - 29 Comments

    Aussie researcher cracks OS X Lion passwords

news An Australian security expert respected for his work testing the defences of Apple software has published a method which appears to allow an attacker to break through the password defences of Cupertino’s latest Mac OS X Lion operating system.

    According to his LinkedIn profile, Patrick Dunstan is currently an information security specialist at the University of Adelaide, although he also works as a guest lecturer at the University of South Australia. Dunstan had previously attracted attention in late 2009 with a blog post explaining how a user who had already gained access to a Mac OS X system could extract a user’s password on that system.

    In a new blog post this week — first reported by Secure Computing Magazine last week — Dunstan published an update to his technique. However, this time around he discovered a startling new fact with respect to Lion’s security protection — according to the researcher it leaves a crucial step out which could allow remote access to user passwords on the system.

In previous versions of Mac OS X, in order to access a user’s password, an attacker would need to break into what is referred to in Unix-based operating systems (such as Mac OS X) as a ‘shadow’ file — a file which stores critical data but can only be accessed by users with a high privilege — such as root access.

    “So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user … or at least it should be,” wrote Dunstan in his post. “It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data.”

This means, according to the researcher, that it might be possible for an attacker to crack a user’s Lion password by attacking their system through a Java app hosted online. The attack vector would still require the owner of the computer running Mac OS X to allow the Java app to run — but it is possible.

    Dunstan noted that due, no doubt, to Lion’s relatively short time being available for use, he could not find any major cracking software supporting the ability to crack encrypted passwords in the operating system — but he has published a simple script which allows users to do so. It is not yet clear whether Apple is aware of the issue, but a temporary workaround allows users to secure their system through setting different permissions on a certain file.
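The article does not name the file whose permissions the workaround tightens, but the underlying check is the same one a defender would script: is any file in the per-user hash store readable by users other than root? The POSIX shell function below is an added example, not code from the article or from Dunstan’s post; it takes the store directory as an argument (assumed) and flags any regular file with group- or world-read bits set. The sample store it builds when run without arguments is constructed and contains no real hash data.

```shell
#!/bin/sh
# Added example (not from the article or Dunstan's post): audit a directory of
# per-user password-hash files and flag any that a non-root user could read.
# The page does not name Lion's hash store, so the directory to check is
# passed in as $1 (assumed); the ownership check (! -user root) is left out
# so the example can run unprivileged.

# Print every regular file under $1 whose group or world read bit is set.
# Returns 0 when the store is tight, 1 when at least one file is exposed,
# 2 when the directory does not exist (a missing store is not "secure").
audit_hash_store() {
    store="$1"
    [ -d "$store" ] || { echo "no such directory: $store" >&2; return 2; }
    exposed=$(find "$store" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null | sort)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed"
        return 1
    fi
    return 0
}

# Number of exposed files in a store, for use in alerting or cron checks.
count_exposed() {
    audit_hash_store "$1" | wc -l | tr -d ' '
}

# Build a constructed sample store (no real hash data): one file locked to
# its owner and one left world-readable. Prints the directory path.
make_sample_store() {
    dir=$(mktemp -d)
    printf 'constructed sample, not a real hash\n' > "$dir/alice.plist"
    printf 'constructed sample, not a real hash\n' > "$dir/bob.plist"
    chmod 0644 "$dir/alice.plist"   # exposed: any local user can read it
    chmod 0600 "$dir/bob.plist"     # correct: owner only
    printf '%s\n' "$dir"
}

if [ $# -ge 1 ]; then
    audit_hash_store "$1" && echo "no hash files readable by non-root users"
else
    sample=$(make_sample_store)
    echo "auditing constructed sample store at $sample"
    audit_hash_store "$sample" || \
        echo "remediation: chmod 0600 the files above and make sure root owns them"
    rm -rf "$sample"
fi
```

Run it with the real store path to audit a machine, or with no arguments to see it catch the deliberately exposed sample file; a non-zero exit status makes it usable from a cron job or configuration-management check.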

    The news comes as Mac OS X continues to be subject to fewer security attacks than Microsoft Windows. Security researchers have stated in the past that there could be a number of reasons for the appearance of heightened security on the Apple platform, ranging from its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications, to the relative dominance of Windows in the desktop PC market.

    However, researchers have also speculated that attacks on Mac OS X could increase in future, along with the platform’s growing popularity and use on mobile devices such as iPhone and iPads.

    opinion/analysis
    As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches out there, which would require no support from a user. However, what Dunstan’s blog post demonstrates is that Mac OS X is not inherently safe from security problems. They do exist on the Mac; and I’m sure we’ll see more of them as time goes on; especially aimed at devices such as iPads.

    Image credit: Apple

    29 Comments

    1. Posted 27/09/2011 at 12:01 am | Permalink | Reply

      It seems they have more hipster user interface folks working at Apple than security folks because security is the core at most UNIX operating systems. Seems like the hipsters have gutted UNIX because they didn’t understand it and built a stinking dog pile mess then sold it as “Macs don’t get viruses” but ask Charlie Miller who pwns a Mac each time he gets his hands on it.

      • Posted 27/09/2011 at 12:10 am | Permalink | Reply

        Anyone can break any system if they “get their hands on it.” Nice try, though.

        • Posted 27/09/2011 at 10:47 pm | Permalink | Reply

          Yeah but not every product is marketed with billions of dollars of advertisements and false sense of security such as “Macs don’t get viruses”. $10 says you wrote that comment on an iPad but wait until the iPad 4 comes out with DUAL SCREENS!!!

      • Anonymous
        Posted 27/09/2011 at 12:41 pm | Permalink | Reply

        Wow, you managed to use “hipster” twice when writing a post about Apple. I’m impressed!

        Can you manage to work it into something about Microsoft or AT&T for double points?

    2. Anonymous
      Posted 27/09/2011 at 12:17 am | Permalink | Reply

      There are a lot of if’s before an attacker can actually get to your password. By the time it is actually cracked (I hope the article headline is fixed), Apple will have time to address the issue through a security fix. One thing for sure, this exploit is not obvious.

    3. Posted 27/09/2011 at 12:41 am | Permalink | Reply

      Lots of FUD, very little substance. Finding the hash file isn’t the same as “cracking”.

      • Jon Do
        Posted 27/09/2011 at 1:09 am | Permalink | Reply

        Nah, the guy reverses the hash system so that he can brute force it. It’s not cracking the passwords, but it enables it.

      • Posted 27/09/2011 at 3:08 am | Permalink | Reply

        You need to find the hash file, in order to have something to crack. If you don’t know what you are talking about, maybe you should refrain from posting about FUD.

        • Posted 27/09/2011 at 5:43 am | Permalink | Reply

See, the problem is: the article says he cracked them. So until he does, and can reproduce it, it’s FUD. On my Lion box the permissions in question remain tight. Only root has access to the Default tree mentioned in the post.

          The only way I can duplicate the methods mentioned in the article are by assuming a root shell manually, or using sudo. So not only is the cracking thing misleading, but so is the methodology he’s depicting. The comments seem to show others having similar responses.

          So the point still stands. FUD, link-bait, however you want to describe it.

          • Posted 27/09/2011 at 5:48 am | Permalink | Reply

            If you get the contents of the shadow file, cracking the password of that user is simply a matter of clock cycles.
As I described here: http://www.appfail.com/read/55/WebCT-fails-at-password-hashing/ it is quite trivial to crack a password hash once it is exposed. We saw this happen when Gawker’s database was compromised: with a database containing all of the users, email addresses and hashed passwords, the attackers were able to crack 1000s of passwords in a matter of days. This is a serious flaw, it just takes a bit of understanding. The research is valid, the reporting may be a little off, but that does not make this FUD at all. If you don’t understand hashing, read this: http://geekrt.com/read/91/What-is-a-Hash/

            • Posted 27/09/2011 at 5:53 am | Permalink | Reply

Except that nobody but him seems to be able to duplicate it. As I pointed out, I can’t. The permissions on my machine appear to be such that it is secure (or at least not suffering from the same vulnerability), insofar as I can test (I’m not foolish enough to say anything is for certain).

              I tend to take ANY of these kinds of announcements with a truckload of salt, simply because 9 times out of 10 they end up being attention grabs based on soft data or misinterpreted results. This is especially true when the announcements revolve around Macs, because of the collective dementia that is induced anytime Mac vs PC security is brought up.

              • PeterA
                Posted 27/09/2011 at 12:41 pm | Permalink | Reply

Many people on his blog reported they could reproduce it.
Many others misunderstood his comment about changing passwords and couldn’t replicate it.

What you can do: with a non-authenticated user you can get the password hash.
(this is step 1 for cracking a password – ie getting the thing to crack)

What you can also do is change the password of the current user without knowing the current user’s password.
Many people misunderstood his statement to mean you could change ANY user’s password at ANY time.
You can’t; you can only change the *current* user’s password (WITHOUT sudo and WITHOUT their old password).

              • Posted 28/09/2011 at 1:40 am | Permalink | Reply

As PeterA is saying, when you are dealing with access to the password database, you always have two options. 1) take the hashed password, go away, crack it, and return with the known password and compromise the system. 2) overwrite the hash with a new one for a known password, and compromise the system. The disadvantage to the second option is that it becomes immediately obvious to the user that they have been compromised, because their old password no longer works. Of course, after you have gotten into the system, you could add yourself a separate user account, and return the original password to the compromised account.

              • Posted 28/09/2011 at 1:52 am | Permalink | Reply

The bottom line is that the article is misinterpreting and misrepresenting what has happened. The article implies that you can RETRIEVE a user’s password. Not just change it. If I change a user’s password on one system, great. I can now run amok on that system, and that’s bad. If I can REVERSE the salted hash, I can potentially get access to many more systems, if the user uses the same password in multiple locations.

                The former situation is bad for the Everyman. The latter is incredibly bad for network managers, system admins, etc.

                I don’t contest that what the BLOG POST reports is bad. But the RE-Reporting being done here is disingenuous link bait, plain and simple.

    4. Posted 27/09/2011 at 12:43 am | Permalink | Reply

      He found a way to get the hash/salt data. The password then still needs to be cracked with brute force. Which is very hard. The title of this article is kinda misleading.

      • Posted 27/09/2011 at 3:06 am | Permalink | Reply

It really isn’t that hard, and with GPU powered password cracking, it is remarkably fast. I happen to own a cluster of GPUs that I use for bitcoin mining, but I could easily redirect that effort to cracking billions of password combinations per second.

        • jtc
          Posted 28/09/2011 at 12:17 am | Permalink | Reply

          And how will you copy the shadow file off of any (OS X Lion) computer you desire to your fancy GPU cluster for cracking, pray tell?

Any issue here is a “local” weakness. Your fancy GPU the other side of the world is neutered.

So you need Physical Access (e.g. get on a plane to go and physically interact with your chosen OS X Lion machine), or allegedly trick the user to download and run an application of some sort that apparently allows it to see the shadow file by default (note: Java is not installed by default in Lion; another hurdle to a Java based app).

          How is this different from any other local vulnerability? And *basically* having to revert to social engineering to do *anything* useful as an exploit.

          This article is pure link bait, esp. given the title.

(p.s. Not coming here again and I live in Oz.)

          • Posted 28/09/2011 at 12:26 am | Permalink | Reply

As I wrote in the article, I’m aware of the exploit’s limitations:

            “As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches out there, which would require no support from a user.”

However, the permission change in Lion which Dunstan demonstrated was worth reporting, and it does open up the possibility of more automated attacks on Mac OS X. In addition, any attack on a user’s password — as opposed to just getting access to a machine in general — is broadly interesting.

            I also thought the exploit was worth reporting because it was a Mac OS X/Unix exploit. It seems clear that Windows has been the subject of vastly greater attacks than Unix, and certainly Mac OS X, in the past. So even “less dangerous” attacks on Mac OS X are of interest.

            I hope I can convince you to come back to Delimiter by writing better articles in future — let me know what sort of articles you’re interested in! :) I take requests.

          • Posted 28/09/2011 at 1:36 am | Permalink | Reply

Each of the last 5 Adobe Flash vulnerabilities (all of which applied to Mac and Linux as well), allowed for this type of exploit, so it is not as impossible as you seem to imply.

But the real master.passwd or shadow file on a Unix or Linux machine is protected such that no one with user access can view or modify the file. To compromise the file on Linux would require physical access and rebooting into single user mode, or removing the hard drive for inspection. Some configuration beyond the default would close this loophole by requiring the root password to access single user mode as well. Mac OS X has broken this traditional model by using separate shadow files per user, and not adequately protecting them.

    5. Rashkae
      Posted 27/09/2011 at 1:17 am | Permalink | Reply

People have been cracking Unix hash passwords for decades. It’s not hard at all, unless all the passwords are “secure”. Letting non-root users read the password hash completely breaks the Unix password security model.

    6. Posted 27/09/2011 at 1:58 am | Permalink | Reply

      Hi everyone, I’ve deleted a couple of abusive comments from this article; please keep things polite as per our site comments policy:

      http://delimiter.com.au/comments-policy/

      Otherwise your comment will be deleted.

      Cheers,

      Renai
      Delimiter Editor

    7. Laughingskeptic
      Posted 27/09/2011 at 3:13 am | Permalink | Reply

      This statement erroneously implies that Unix OS level permissions are more fine grained than Windows permissions. This is not true. The Windows OS provides for much more fine grained control of permissions. “ranging from its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications”.

      • Doctor Velvetear
        Posted 27/09/2011 at 4:03 am | Permalink | Reply

Yes, and Apple use an ACL system as well as POSIX permissions; if you use ls -lae on a Mac you will see the extended access levels.

        • Posted 28/09/2011 at 12:28 am | Permalink | Reply

          “This statement erroneously implies that Unix OS level permissions are more fine grained than Windows permissions.”

          Interesting; you’re perhaps right technically, but as a user I’ve never actually had to tinker with my Windows permissions; while I tinker with Linux permissions all the time. It seems to me that the Unix permission structure is much more baked into everyday use of the operating system than it is in Windows (certainly in Windows XP and below etc).

    8. Anonymous
      Posted 27/09/2011 at 9:00 am | Permalink | Reply

      “its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications”

As already stated, the Windows permissions model is much much “finer-grained” than *nix; this has nothing to do with it. Windows uses Access Control Lists, which are groups of ACEs (access control entries). Even Linux and Mac zealots agree with this.

      Windows is still a bigger and more profitable target for Malware.
Windows attracts more security unaware users, the majority of whom are members of the Administrator group (IMO the biggest blunder of all)
      There are always and always will be flaws in all Operating Systems.
      The user is the biggest risk.

    9. Posted 27/09/2011 at 11:42 am | Permalink | Reply

      “As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches”

      As we all know, end users are one of the biggest security holes. Just ask the RSA accounts department about Excel files that have been quarantined.

Now Mac OS X Lion users, think first before opening that fish-in-a-blender Java app that your friend emailed you. :)

    10. MJ
      Posted 27/09/2011 at 12:29 pm | Permalink | Reply

      This hardly sounds serious. Yes it needs to be fixed but I won’t be losing any sleep over it. It’s pretty hard to secure a system with users who are silly enough to run unsafe programs from untrusted sources.

      -MJ
