updated 10:50 pm EDT, Thu August 4, 2011
OS X Server weak on authentication, say experts
Security experts who have gathered in Las Vegas this week for the Black Hat conference admit that Macs can often be more resistant to the initial stages of wide-scale, sophisticated enterprise-level hacking attacks -- such as those seen with Operation Shady RAT -- than Windows machines. But the same experts point out that once a network has been compromised, Apple's server version of OS X offers little to stop further intrusion, according to a report from IT World.
The problem with Mac security lies primarily with Mac OS X Server, according to the analysts. Server protocols such as mDNS, Apple Remote Desktop and the Mac implementation of Kerberos use weak authentication models, even for the administrative password, the experts say. Although security has been improved in the recently released Lion version of OS X Server, more could be done, they point out. For example, once a network is compromised and a remote user has access to a fully shared home folder on a Mac, the administrative password can be learned with a simple (though time-consuming) brute-force attack.
The biggest issue with network security is that it is most often compromised -- often unintentionally -- from within the target corporation or institution, says iSec founder Alex Stamos. Stamos and his team specifically looked at the Advanced Persistent Threat (APT) type attacks such as the intrusion that compromised Google and other tech companies, and how Macs running OS X Server would fare in similar circumstances. While Macs are very resistant to remote hacking attacks, they say, the compromise of a network often begins with an attacker tricking one employee -- either through social media or psychological techniques -- into downloading malicious software or visiting a website compromised with attack code, and willingly installing it.
As the recent MacDefender scamware attack proved, it is easy to trick people into installing bad software, but difficult -- on a Mac -- for that software to go very far. On a mixed-platform network, however, malicious code is much easier to hide, and can use network resources to attack even Mac-based servers by guessing or working out administrative passwords, leaving the entire system wide open for the second stage of an APT attack, in which attackers move around the network and copy valuable documents.
Many companies remain completely unaware that their systems and data have been accessed remotely until sensitive data comes to light, and even then most institutions are extremely reluctant to admit or discuss how the attack was accomplished.
While admitting he has yet to see a Mac compromised during his investigations, Rob Lee of Mandiant says that Mac servers are no shield against data theft on mixed-platform networks, though they are not usually targeted since Mac penetration in enterprise networks is still very low. In fact, according to the report, Lee usually recommends to executives who have been victims of hacking attacks that they replace the compromised machine with a Mac in order to lower the chance of re-infection.
As Macs become more popular in the IT community, both Apple and system administrators will have to prepare more for APT-type attacks, the experts agree. This includes technological measures as well as better training of employees to guard against becoming unwitting agents for attackers. [via ITWorld]