8/4/2011
06:23 PM
Apple OS X Vulnerability: Advanced Persistent Attacks

Macs are even easier to exploit than Windows via advanced persistent threats, warn security researchers.

Many people see Apple OS X as being free from the security challenges facing Windows PCs. But researchers speaking on Wednesday at Black Hat, a UBM TechWeb event, in Las Vegas, said Macs are quite susceptible to advanced persistent threat (APT) attacks, which favor espionage over outright data exploitation.

"A number of our clients have made the decision to switch to Macs based on the fact that these APT technologies don't target them," said Alex Stamos, co-founder and CTO of iSEC Partners. But in fact, he said, while the specific types of attacks may differ, Macs are arguably even more vulnerable to APTs than Windows PCs, since many Mac-specific technologies are quite easy to exploit.

Are attackers actually gunning for Macs? Thankfully, aside from fake AV, such as Mac Defender, the answer is largely no. "There are no crime packs that are popular that target Mac OS X," said Paul Youn, a senior security consultant at iSEC Partners. That's likely because Apple's market share is only about 6%, meaning that if attackers want to compromise a large number of computers at once, they typically target Windows.

Even so, Stamos recommends treating Macs with care, since they're relatively easy to exploit. Notably, he said, there are "pervasive authentication issues" in OS X, and it's easy to exploit "two of the most widely used protocols for managing Macs": AFP (the Apple Filing Protocol) and Bonjour, a service delivery protocol Macs use to connect to servers. In particular, it's relatively easy to substitute a malicious server for a legitimate one and then force users to connect to it. These vulnerabilities could serve as a foundation for launching APTs against Macs.

Terminology-wise, of course, the APT is a somewhat fuzzy concept. Generally, security experts define an APT as a threat involving attackers who can launch multiple exploits, advancing the underlying functionality along the way, all in support of espionage efforts. "The advanced part doesn't mean that every attack is advanced, but rather that attackers are willing to upgrade their attack capabilities," said Stamos. "It just means people have the ability to turn the knob up on the advanced scale."

By definition, after gaining a foothold in an organization's network, APTs also persist. On Apple OS X, ways to persist include modifying startup items or the underlying operating system code. In addition, said BJ Orvis, a security researcher and consultant at iSEC Partners, "you could theoretically write a malicious script just using AppleScript, which is fun." Regardless of the technique used, persistence enables attackers to surreptitiously monitor the network and expand the attack over time. For example, they may compromise directory servers to steal and crack large numbers of passwords offline.

What can companies do to mitigate APTs? Regardless of operating system, "I would strongly suggest you log all of your DNS requests across the enterprise," said Stamos. Next, maintain a top 10 list of all dynamic DNS requests. "If you see 40 different machines doing hundreds and hundreds of identical dynamic DNS requests," he said, and it's to an unknown host, then suspect that they're communicating with a botnet command and control network.
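As an added defender-side example (not code from the article or from iSEC Partners), the following Python sketch implements the DNS monitoring Stamos describes: it tallies dynamic-DNS lookups from constructed log lines, keeps a top-10 list, and flags names that many distinct hosts resolve repeatedly. The dynamic-DNS suffixes, the known-host allowlist and the log line format are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Dynamic-DNS zones to watch: an assumed, illustrative list, not an exhaustive one.
DYNDNS_SUFFIXES = (".dyndns.example", ".no-ip.example", ".ddns.example")
# Dynamic-DNS names the organisation already knows and expects to see.
KNOWN_HOSTS = {"vpn.dyndns.example"}


def is_dynamic_dns(name):
    return name.lower().endswith(DYNDNS_SUFFIXES)


def parse_dns_log(lines):
    """Assumed constructed format per line: '<epoch> <client-ip> <qname> <qtype>'."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        yield parts[1], parts[2].rstrip(".")


def top_dynamic_dns(lines, n=10):
    """Top-N dynamic-DNS names by query volume: (name, queries, distinct clients)."""
    queries, clients = Counter(), defaultdict(set)
    for client, qname in parse_dns_log(lines):
        if is_dynamic_dns(qname):
            queries[qname] += 1
            clients[qname].add(client)
    return [(name, count, len(clients[name])) for name, count in queries.most_common(n)]


def suspected_c2(lines, min_hosts=40, min_queries=100):
    """Unknown dynamic-DNS names that many distinct hosts query many times: the
    '40 machines doing hundreds of identical requests' pattern from the article."""
    return [name for name, count, hosts in top_dynamic_dns(lines)
            if name not in KNOWN_HOSTS and hosts >= min_hosts and count >= min_queries]


def sample_log():
    """Constructed log: 45 hosts beaconing to one unknown dynamic-DNS name,
    5 hosts polling a known VPN name heavily, and one ordinary lookup."""
    lines = []
    for i in range(45):
        for j in range(3):
            lines.append(f"{1312400000 + j * 300} 10.0.1.{i + 1} beacon.ddns.example A")
    for i in range(5):
        for j in range(30):
            lines.append(f"{1312400000 + j * 60} 10.0.2.{i + 1} vpn.dyndns.example A")
    lines.append("1312400000 10.0.1.1 www.example.com A")
    return lines


if __name__ == "__main__":
    print("top dynamic DNS:", top_dynamic_dns(sample_log()))
    print("suspected C2:", suspected_c2(sample_log()))
```

The known VPN name has the highest raw volume but is not flagged, because the alert keys on distinct client count against an unknown name, not on volume alone.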

Also put policies in place to automatically block unusual, large-scale data egress. That's because attackers, after infiltrating a network, may then wait to copy a large amount of data from the network. One favored technique is doing this after hours or during holidays, when personnel may not be present to manually block the data transfer. Accordingly, he said, organizations should "coordinate egress restrictions in all offices."

For organizations that want to specifically protect Macs against APTs, however, expect challenges. Notably, while there are well-known disk forensic products--including Guidance EnCase and BlackLight--"the problem is the disk forensics isn't how you fight APT anymore," said Stamos. "If you say that this machine is doing funny DNS requests, I'm going to pull it off the network and do disk forensics, well that's an 18-hour process, that's not a fast enough process to deal with these types of attacks." In fact, attackers may notice the missing machine, or even read stolen emails about the hiring of a forensics expert, and change their approach accordingly.

Instead, what's required is memory-based forensics, as offered by such products as Mandiant Memoryze, HBGary Active Defense, and Responder Pro. Except, those tools only work on Windows; none yet exist for Macs. Help could be on the way: Stamos said new Mac tools are in the works, and, as with the recently publicized ability to pull Mac passwords from memory via FireWire, Thunderbolt connection technology should also give investigators useful forensic capabilities. But there's nothing available today.

With all of the above in mind, Stamos recommends using Macs with caution, and only giving them access to some network resources. "We use Macs on our network," he said. "We treat them as I recommend you treat them--as little islands in a hostile network." Accordingly, his company also installs a 64-bit Windows 7 partition to give Mac users access to certain functionality, such as SharePoint.

Furthermore, security-conscious organizations should avoid using Mac OS X Server altogether, he said. Notably, a default installation of Snow Leopard Server (10.6) exposes 28 open network ports, along with a number of other security vulnerabilities. "Once you install OS X server, you're toast," he said.
