Beware of Macs in enterprise, security consultants say
OS X in the age of espionage malware
Black Hat Apple may have built its most secure Mac operating system yet, but a prominent security consultancy is advising enterprise clients to steer clear of adopting large numbers of the machines.
At a talk last week at the Black Hat security conference in Las Vegas, researchers from iSec Partners said large fleets of Macs are in many ways more vulnerable than recent versions of Windows to so-called APTs. Short for advanced persistent threats, APTs are usually the work of state-sponsored hackers who go to great lengths to infiltrate government and corporate networks with malware that steals classified information and proprietary data.
iSec's recommendation is premised on the assumption that a small percentage of employees in any large business or government organizations will be tricked into installing malicious software, no matter what platform they use. The problem with Macs stems from the OS X server that administrators use to push updates to large numbers of machines. The server's authentication routine is “inherently insecure,” making it trivial for a single infected OS X computer to compromise others, said iSec CTO Alex Stamos.
“With a large enterprise, you have to assume that people are going to get tricked into installing malware,” he told The Reg. “You can't assume that you'll never have malware somewhere in a network. You have to focus on parts where a bad guy goes from owning Bob the HR employee to become Sally the domain admin.”
At the heart of the Mac server's insecurity is a proprietary authentication scheme known as DHX that's trivial to override. While Mac servers can use the much more secure Kerberos algorithm for authenticating Macs on local networks, Stamos and fellow iSec researchers Paul Youn, Tom Daniels, Aaron Grattafiori, and William "BJ" Orvis found it was trivial to force OS X server to resort back to Apple's insecure protocol.
To demonstrate the threat, they developed a proof-of-concept that runs on a Mac connected to a local area network. It waits to be contacted by a machine running OS X server and then quickly copies all its authentication credentials. Next, it contacts other Macs on the network and pretends to be the administrator machine, and when they respond it is able to steal valuable data.
“If we go into an enterprise with a Mac and run this tool we will have dozens or hundreds of passwords in minutes,” Stamos said. He also faulted the OS X server for its lack of “channel binding” that ties an authentication handshake between two machines to the rest of the transaction that follows.
The iSec research comes 19 months after sophisticated hackers exploited a variety of security flaws in Windows machines to infiltrate the networks of Google and dozens of other companies. In response, the search engine reportedly phased out internal use of the Microsoft platform, mostly in favor of OS X.
Like many other researchers, Stamos praised a variety of advanced security protections built into Lion, the latest version of OS X. Among them is a design that isolates different application processes into their own sandbox that is separated from sensitive parts of the OS to minimize the damage that can be done by attackers. Apple engineers have made it simple for even small third-party developers to sandbox their applications. Windows sandboxing, by contrast, is so hard that it can usually be implemented only by large software manufacturers such as Adobe, Stamos said.
But Stamos said the defenses aren't enough to protect large organizations, even as they're looking for ways to resist against the types of attacks that ransacked Google or more recent APTs that afflicted at least 70 organizations for as long as 28 months.
“Our suggestion is for enterprises not to do that,” Stamos told The Reg. “Macs are fine as long as you run them as little islands, but once you hook them up to each other, they become much less secure.” ®
In the comments section to this article, Stamos has responded to what he says is “lot of misunderstanding of our research.” It also includes a link to the slides for the iSec talk.
Let's Clear Some Things Up
There is a lot of misunderstanding of our research here, which is understandable, since the article didn't link to our slides:
As you can see from the slides, we used our experience responding to advanced, state-sponsored attacks to divide the attack tree into seven different generic steps that need to succeed for the attackers to "win". We examined OS X and OS X Server to see how they would hold up to each of these stages, compared to a baseline of Win2008R2 and Win 7.
We found that Lion has caught up to Windows on anti-exploit technologies, and has included sandboxing features that make it much easier for ISVs to use privilege separation to protect their end-users. The largest problems with OS X in an enterprise context revolves around Apple's proprietary protocols, like AFP, Server Admin, Apple Remote Desktop, and especially Bounjour/mDNS. Apple offers many password-based authentication options, but in almost any circumstance you can downgrade to unsigned Diffie-Helman, which is trivially decoded by an active MITM. Even if you could force only the use of Kerberos, almost none of their protocols use channel binding to tie to subsequent communication to the initial handshake, opening OS X up to a variety of relay attacks equivalent to the NTLM relay attacks famously used by the state-hackers during Aurora.
The network escalation step is the most important one in this scenario, since it is unreasonable to expect a network of thousands of users to never be infected via malware. Social engineering based upon human intelligence is very difficult to prevent, so it's important for an Enterprise security team to focus on preventing "Bob the HR Guy" from becoming "Sally the Domain Admin".
We are not anti-Mac (this is being typed on a 13" MBA), but we strongly recommend that our enterprise clients not use any of Apple's server technologies at this point, especially if they believe they are playing at the same level as the Aurora and Shady RAT victims.
Let me know if you have any questions.
If you want to be secure...
... steer clear from computers altogether. And pens and paper. And don't talk to anyone.
I sound like my IT department, I'm surprised they didn't take keyboards away from us yet as many problems originate from some keystrokes.
Yeah, because Windows has the whole "security" thing down pat.