Black Hat 2011 – The Myth of the Mac
August 2011 by Michael Hayes CTO of B-4-U Inc. / ROBOTS-4-U
The average Mac user clearly believes that they are safe from most malicious attacks, whether a virus, a Trojan or another form of attack. This is evidenced by only 20% of Mac users even implementing basic security or virus checkers on their Macs. Compared to Windows-based machines, Macs only represent 6 to 8% of the total market, and therefore are not as big a target for the writers of malicious code, simply due to the economics of Windows vs OS X. Having said that, the Mac is by no means immune to attack or to being owned by nefarious users.
Alex Stamos, Aaron Grattafiori, and Tom Daniels presented “Macs in the Age of APT”, highlighted some of the major examples of Macs being owned, and compared Mac OS X to Windows 7, along with their related vulnerabilities.
So first, what is APT? It is key that we understand that the bigger threat to corporations and governments is an APT attack. APT stands for:
Advanced – the attacker is not your average Joe; the attack may be government funded and use zero-day exploits
Persistent – initial access leads to success in a stealthy manner; the strategy is to stay and remain hidden
Threat – types or groups of attackers, typically information driven, and not necessarily money driven.
So how does a typical attack begin? The Aurora case study is an example of this APT approach.
Case Study: Aurora
Originally disclosed by Google in January 2011 as a hack they had been hit by, along with 20 or so other companies.
1- Started in an overseas office, which is common in these types of attacks; many times it is an office in China.
The attack usually starts with a spear phishing attack.
2- Social engineering is the primary approach to a Mac user.
The Mac has vulnerabilities, but the exploits are not in the wild the way Windows exploits are, due to commercial and scale issues. That is not to say that these exploits do not exist.
The spear phishing attack is usually against a well-researched individual. This individual is encouraged to install some sort of software, and the findings are that Mac users are more susceptible to this type of approach.
3- Once the software is installed, the next step is to escalate local privileges. This can be done through prompts, or via the program that was loaded, which over time increases the local user’s privileges under the radar, with the goal of discovering other nodes.
4- The next step, of course, is to set up higher network privileges. This allows the discovery and owning of other elements in the network, and allows for creating side or control channels to external networks. This gives the infiltrator access to more network facilities and nodes.
5- Once the network and the node(s) have been compromised, it becomes critical for the infiltrator to remain in control, and more importantly to ensure that this control is not discovered. The strategic goal is to remain undetected, even for years, for future use.
6- Since a number of elements or nodes on the network are now considered owned, these become the beachhead for further exploration of the network, its nodes and hosts, always trying to gain higher privileges, access to information, and control of more nodes.
7- Since the goal is to stay undetected for long periods of time, the infiltrator usually sets up a server inside the organization, so that tools like content-based security systems cannot detect the information collection process. Very little information leaves the network, so logging systems for data leaving the network are not triggered until the appropriate information has been gathered.
APT Summary (Advanced, Persistent, Threat)
1. Social Engineering
2. Initial Exploitation
3. Local Privilege Escalation
4. Network Privilege Escalation
5. Persistence
6. Exploration
7. Exfiltration
So what does all this have to do with the Mac and OS X, as well as a couple of known vulnerabilities?
Mac vulnerability fixes typically lag behind Windows (sometimes by years). Recent fixes include security improvements in Mac OS X to the:
– Stack
– Heap
– ASLR (Address Space Layout Randomization)
One of the areas of the Mac that needs improvement is inter-application communication and privilege escalation. This implies that once a Mac is owned, the chance of increasing privileges, both of the user and on the network, increases. This can include off-line brute-force cracking of credentials.
From a network perspective, once elevated privileges start to affect the network security that administrators depend on, Macs have pervasive authentication problems. This includes Apple Remote Desktop, which has no authentication of the other end node and can be used to spoof DNS.
Persistence
– Added to Start-up
– Events
– Network Layer
– Issue Certificates
– User-mode rootkits are easier
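The first two persistence mechanisms in the list above (start-up items and event-triggered jobs) are, on OS X, mostly launchd jobs described by property lists. The following is an added example, not code from the talk or from this article: it parses launchd plists of the kind found in ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons and flags the entries a defender would want to review. The three sample plists, their labels and paths are constructed for the example; the directory lists used as heuristics are the author's assumptions, not an official list.

```python
"""Audit launchd property lists for start-up and event persistence.

Added example (not from the Black Hat talk or this article). The sample
plists below are constructed; on a real host you would read the files
from the LaunchAgents/LaunchDaemons directories instead.
"""
import plistlib
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message); severity is "high" or "info"

# Assumption: directories where legitimate launchd jobs rarely keep binaries.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/",
                   "/private/var/tmp/", "/Users/Shared/")
# Assumption: where a job labelled com.apple.* is expected to run from.
APPLE_DIRS = ("/System/", "/usr/", "/Library/Apple/")

# Constructed sample plists (file name -> raw XML), not from a real host.
SAMPLE_PLISTS: Dict[str, bytes] = {
    # Benign-looking nightly backup job: informational findings only.
    "com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Backup.app/Contents/MacOS/backup</string></array>
  <key>StartCalendarInterval</key>
  <dict><key>Hour</key><integer>2</integer><key>Minute</key><integer>0</integer></dict>
</dict></plist>""",
    # Apple-style label pointing at a hidden binary in /tmp: high findings.
    "com.apple.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updater</string>
  <key>ProgramArguments</key>
  <array><string>/tmp/.hidden/update</string><string>-d</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    # User agent started at login from a hidden directory: high finding.
    "net.example.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>net.example.agent</string>
  <key>Program</key><string>/Users/alice/Library/Application Support/.cache/agent</string>
  <key>RunAtLoad</key><true/>
  <key>WatchPaths</key><array><string>/Users/alice/Documents</string></array>
</dict></plist>""",
}


def program_path(job: dict) -> str:
    """Return the executable a job runs (Program takes precedence over ProgramArguments)."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_plist(raw: bytes) -> List[Finding]:
    """Return (severity, message) findings for one launchd plist."""
    try:
        job = plistlib.loads(raw)
    except Exception as exc:  # malformed XML or a format plistlib cannot read
        return [("high", f"unparseable plist: {exc}")]

    findings: List[Finding] = []
    label = str(job.get("Label", ""))
    path = program_path(job)

    # "Added to start-up": jobs launchd runs automatically or keeps alive.
    if job.get("RunAtLoad") is True:
        findings.append(("info", "RunAtLoad: runs automatically at login/boot"))
    if job.get("KeepAlive"):
        findings.append(("info", "KeepAlive: relaunched by launchd if it exits"))
    # "Events": jobs triggered by file-system changes or timers.
    for key in ("WatchPaths", "QueueDirectories", "StartInterval", "StartCalendarInterval"):
        if key in job:
            findings.append(("info", f"{key}: event- or timer-triggered execution"))

    # Where the executable lives is the strongest signal for review.
    if not path:
        findings.append(("high", "no Program/ProgramArguments"))
    if path.startswith(SUSPICIOUS_DIRS):
        findings.append(("high", f"program in temp/shared directory: {path}"))
    if any(part.startswith(".") for part in path.split("/") if part):
        findings.append(("high", f"hidden path component: {path}"))
    if label.startswith("com.apple.") and not path.startswith(APPLE_DIRS):
        findings.append(("high", f"Apple-style label but program outside system dirs: {path}"))
    return findings


def flag_high(plists: Dict[str, bytes]) -> List[str]:
    """Sorted names of plists with at least one high-severity finding."""
    return sorted(name for name, raw in plists.items()
                  if any(sev == "high" for sev, _ in audit_plist(raw)))


if __name__ == "__main__":
    for name, raw in SAMPLE_PLISTS.items():
        print(name)
        for sev, msg in audit_plist(raw):
            print(f"  [{sev}] {msg}")
    print("review:", flag_high(SAMPLE_PLISTS))
```

Run as a script it prints each sample's findings and the two entries that deserve review; on a live host, replace `SAMPLE_PLISTS` with the files read from the launchd directories. The heuristics deliberately separate informational facts (a job starts at login, or on a timer) from the path-based signals that usually distinguish a user-mode implant from a legitimate agent.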
In summary, as recommended by the presenters, the Mac needs to be more secure with respect to password-based authentication. It is key that we allow for centralized disabling of mDNS and include SSL certificates. We recommend that Macs remain independent islands on the network, and that the rationale for replacing a Windows-based system with a Mac not be security, but the Mac’s own merits.