Free Republic
General/Chat

Stealthier Mac Attacks
Technology Review ^ | 02/18/2009 | By Erica Naone

Posted on 02/18/2009 6:49:42 PM PST by Swordmaker

A new technique lets hackers targeting Apple's OS X cover their tracks more effectively.

Fans of Apple computers often boast about superior security. But as Macs have gained in popularity over the past few years, this has brought much more attention from hackers. At a presentation scheduled to take place today at the Black Hat DC computer-security conference in Washington, DC, one security expert will reveal a technique for attacking the Mac operating system--OS X--without leaving a trace.

Similar techniques have targeted both Windows and Linux machines for several years. They allow an attacker to cover her tracks, eliminating vital evidence that an investigator might normally use to prove that a machine has been compromised and to piece together the details of the incident. Bringing the technique to the Mac, however, required a significantly more sophisticated approach.

Vincenzo Iozzo, a student at the Politecnico di Milano, in Italy, explains that the technique allows an attacker to break into a machine without leaving a trace in its permanent memory, which means that evidence of the attack will disappear as soon as the victim's computer is turned off. Such a technique could be used, for example, in combination with another software flaw to covertly replace a legitimate version of Apple's Safari Web browser with a malicious one that logs the user's keystrokes and sends them to the attacker.

Normally, when a user runs an application, the code runs in various parts of the computer's memory. In OS X, a file format called Mach-O is used to specify where in the computer's memory the application's processes should run. Iozzo studied the Mach-O file format in order to predict in advance where these processes could be found. The technique identifies an active process (such as that for Safari) and injects malicious code into the space in memory where it is running. When the system reads from the expected location, it executes the attacker's code instead of the legitimate program. Since the technique leaves no trace, Iozzo says that it can only be detected using software that watches for intrusions on a network.

Predicting where to inject the malicious code is made more difficult by a security feature in OS X that stores the variables needed to keep the attack untraceable in random locations within memory. However, Iozzo discovered a way to anticipate where the variables would be stored based on pieces of information that remain unchanged.

Dino Dai Zovi, an independent security researcher who specializes in Macs, says that Iozzo's work is "very interesting," particularly given the difficulties that he needed to overcome to make the stealthy technique work on OS X.

Dai Zovi says that, for now, there are few Mac attacks sophisticated enough to need protection of this kind. But he adds that the technique could prove an effective way to get past advanced antivirus software in the future.

Attackers haven't focused much on the Mac to date because its smaller audience means smaller potential gains. But Dai Zovi notes that this is starting to change, and he says that researching the system's vulnerabilities now should give defenders time to prepare for future malware.

Iozzo says that it may take time for Apple to respond to his technique because it exploits fundamental elements of the operating system's structure that can't be changed with a simple software patch. He says that it may require a larger upgrade, such as the introduction of the new version of OS X, called Snow Leopard, which is scheduled to ship in 2010.

In the meantime, Iozzo says that users can protect themselves by keeping their systems up to date with any security patches released for OS X. Since the technique relies on other flaws that an attacker might exploit, users should focus on reducing those other threats as much as possible, he says.

However, the technique could soon pose a threat to another kind of device. Iozzo says that he is currently working with another security researcher to extend his technique to the iPhone.


TOPICS: Business/Economy; Computers/Internet
There seem to be an awful lot of "ifs" and "coulds" and "mights" in this article. From the article:

"The technique that will be outlined at Black Hat DC allows an attacker to remove virtually all trace of an attack against OS X, after compromising the system using another exploit."

It looks as if this presentation is on how to cover the cracker's tracks AFTER another exploit, to be discovered later, gets the cracker into the Mac... apparently it does not address that issue at all. In fact, the presenter apparently states that very fact:

"In the meantime, Iozzo says that users can protect themselves by keeping their systems up to date with any security patches released for OS X. Since the technique relies on other flaws that an attacker might exploit, users should focus on reducing those other threats as much as possible, he says."

The article gives as an example replacing the standard Safari browser with a malicious version IN MEMORY that will phone home with keylogging information... but that is, by definition, leaving traces behind, a hacked version of Safari... so this is a "real time," retail (not wholesale plan incapable of attacking multiple Macs), technique to hide the fact of access to the Mac after some mythical method is found to gain access... one at a time. The cracker would have to gain access to the Mac for each intrusion and insertion of malicious code into the random memory locations, code which would be lost when the user logs off or the computer is shut down. In addition, attempts to modify the Application folder, Root directory of the boot hard drive, and the system libraries would be unsuccessful unless the hack somehow gained access to an administrator name and password since those directories are all protected from additions, erasures, or overwriting unless an administrator password is presented.

The article also states that Snow Leopard is "scheduled to ship in 2010". That is not true. Snow Leopard is not "scheduled" to ship at any time. It is expected to ship in June 2009.

I think the article is about a theoretical presentation, not a practical, useful technique for gaining access to a Mac. As such, it's FUD.

1 posted on 02/18/2009 6:49:42 PM PST by Swordmaker
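The article says the Mach-O format is what tells OS X where in memory an application's code should be placed. For readers who want to see what that actually looks like on disk, here is a small Mach-O header walker, added as an example and not taken from the article, the thread, or Iozzo's presentation. It reads the header and the LC_SEGMENT / LC_SEGMENT_64 load commands (constants as in Apple's mach-o/loader.h), lists each segment's requested virtual address and protections, and reports whether the MH_PIE flag is set, which is what lets the loader slide the image to a randomized base; without it the vmaddr values are the fixed addresses the loader will use. The sample bytes at the bottom are constructed for the example and are not a real binary; the parser assumes a thin little-endian image (fat binaries are rejected, not misread).

```python
"""Minimal Mach-O header walker: lists the segments a binary asks the
loader to map and whether the image is marked position-independent."""
import struct
from typing import Dict, List

# Constants from Apple's <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O
LC_SEGMENT = 0x1            # segment_command
LC_SEGMENT_64 = 0x19        # segment_command_64
MH_PIE = 0x200000           # header flag: loader may slide the image base

_HDR32 = "<IiiIIII"          # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
_HDR64 = "<IiiIIIII"         # ... plus reserved
_SEG32 = "<II16sIIIIiiII"    # cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
_SEG64 = "<II16sQQQQiiII"


def _prot(p: int) -> str:
    """Render a vm_prot_t bitmask as rwx."""
    return ("r" if p & 1 else "-") + ("w" if p & 2 else "-") + ("x" if p & 4 else "-")


def parse_macho(data: bytes) -> Dict:
    """Parse the header and segment load commands of a thin Mach-O image.

    Fat (universal) and big-endian images raise ValueError rather than being
    misread, as does a load-command table that runs past the end of the data.
    """
    if len(data) < 4:
        raise ValueError("too short for a Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        is_64, hdr_fmt, seg_cmd, seg_fmt = True, _HDR64, LC_SEGMENT_64, _SEG64
    elif magic == MH_MAGIC:
        is_64, hdr_fmt, seg_cmd, seg_fmt = False, _HDR32, LC_SEGMENT, _SEG32
    else:
        raise ValueError("not a thin little-endian Mach-O (magic 0x%08x)" % magic)
    if len(data) < struct.calcsize(hdr_fmt):
        raise ValueError("truncated Mach-O header")

    hdr = struct.unpack_from(hdr_fmt, data, 0)
    ncmds, sizeofcmds, flags = hdr[4], hdr[5], hdr[6]
    off = struct.calcsize(hdr_fmt)
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load-command table runs past end of file")

    segments: List[Dict] = []
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load-command table truncated")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        if cmd == seg_cmd and cmdsize >= struct.calcsize(seg_fmt):
            f = struct.unpack_from(seg_fmt, data, off)
            segments.append({
                "name": f[2].rstrip(b"\0").decode("ascii", "replace"),
                "vmaddr": f[3], "vmsize": f[4],
                "fileoff": f[5], "filesize": f[6],
                "maxprot": _prot(f[7]), "initprot": _prot(f[8]),
                "nsects": f[9],
            })
        off += cmdsize   # any section headers travel inside cmdsize and are skipped
    return {"is_64": is_64, "ncmds": ncmds, "pie": bool(flags & MH_PIE),
            "segments": segments}


def layout_report(data: bytes) -> List[str]:
    """One line per segment plus a verdict on whether the base can be slid."""
    info = parse_macho(data)
    lines = ["%s-bit image, %d load commands, PIE=%s" %
             ("64" if info["is_64"] else "32", info["ncmds"], info["pie"])]
    for s in info["segments"]:
        lines.append("%-8s vmaddr=0x%x vmsize=0x%x prot=%s/%s" %
                     (s["name"], s["vmaddr"], s["vmsize"], s["initprot"], s["maxprot"]))
    if not info["pie"]:
        lines.append("note: no MH_PIE flag, so the vmaddr values above are the fixed "
                     "addresses the loader will use")
    return lines


def _seg64(name: bytes, vmaddr: int, vmsize: int, fileoff: int, filesize: int,
           maxprot: int, initprot: int) -> bytes:
    """Build one LC_SEGMENT_64 command with no sections (helper for the sample)."""
    return struct.pack(_SEG64, LC_SEGMENT_64, struct.calcsize(_SEG64), name.ljust(16, b"\0"),
                       vmaddr, vmsize, fileoff, filesize, maxprot, initprot, 0, 0)


# Constructed sample: a 64-bit x86_64 MH_EXECUTE header with two segments and
# no MH_PIE flag. Not a real binary; just enough structure to exercise the parser.
_CMDS = (_seg64(b"__TEXT", 0x100000000, 0x1000, 0, 0x1000, 7, 5) +
         _seg64(b"__DATA", 0x100001000, 0x1000, 0x1000, 0x1000, 7, 3))
SAMPLE = struct.pack(_HDR64, MH_MAGIC_64, 0x01000007, 3, 2, 2, len(_CMDS), 0, 0) + _CMDS

if __name__ == "__main__":
    for line in layout_report(SAMPLE):
        print(line)
```

Run it against a real executable by replacing SAMPLE with the file's bytes; on a fat binary the first four bytes are not a thin magic and the parser says so instead of guessing. The report is meant for a defender's inventory: segments whose initial protection includes both w and x, and images without MH_PIE, are the ones whose in-memory layout a reviewer can predict from the file alone.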

To: 1234; 50mm; 6SJ7; Abundy; Action-America; acoulterfan; aristotleman; af_vet_rr; Aggie Mama; ...
It's iFUD time at the iMac Corral... PING!

This is about the CROOKS closing the barn door AFTER they've stolen the horses to hide the fact they've done it... FUD.


Mac OS X iFud Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 02/18/2009 6:53:45 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Swordmaker
The article also states that Snow Leopard is "scheduled to ship in 2010". That is not true. Snow Leopard is not "scheduled" to ship at any time. It is expected to ship in June 2009.
Thanks for that, as well as for your analysis of the FUD article. I was thinking that Snow Leopard was slated for midyear, not next year. I so look forward to applications exploiting the number crunch capabilities of the graphics processor. Particularly speech processing.

3 posted on 02/18/2009 7:10:42 PM PST by conservatism_IS_compassion (Change is what journalism is all about. NATURALLY journalists favor "change.")

To: conservatism_IS_compassion

I have already hacked a number of Macs in such a stealthy way that no one can tell they were hacked. Absolutely no evidence. None.

Really.


4 posted on 02/18/2009 7:20:00 PM PST by SlowBoat407 (Do not read this tagline.)

To: Swordmaker; Golden Eagle
> ... iFUD...

And it even drags out that old worn chestnut:

Attackers haven't focused much on the Mac to date because its smaller audience means smaller potential gains.
Bull-hockey (you know the riff, I needn't repeat it).

Anyway, I welcome the fact that researchers are working on this stuff. The very fact that they have to work this hard is a testament to the strength of OS-X, and more importantly, anything they discover will go into a fixed and stronger version.

One thing I'll add, from a conversation I had with Golden Eagle the other day:

Researchers who publish attack vectors and other vulnerabilities publicly, before the vendor is informed and has a chance to address them, are no better than the vile scum who write viruses for money.

So the fact that this is presently only some impotent research is good. But I sure hope if this researcher manages to actually produce a working exploit, even one that's limited to single machines at a time, that he keeps his trap shut publicly and tells Apple about it privately, and gives them a chance to respond and address it.

Otherwise, this guy is just a publicity-seeking egotistical a$$hole, and worthy not only of our scorn, but of going to jail, in a just world.

5 posted on 02/18/2009 7:23:36 PM PST by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: SlowBoat407
> I have already hacked a number of Macs in such a stealthy way that no one can tell they were hacked. Absolutely no evidence. None. Really.

I believe you. Truly, I do. No, really... in fact I think you must have hacked -my- Mac that way too, because it's showing exactly the same symptoms!

6 posted on 02/18/2009 7:28:40 PM PST by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: Swordmaker
Fans of Apple computers often boast about superior security.

The really ironic thing is that even if this is true x 10 we could still boast of superior security.

7 posted on 02/18/2009 7:30:19 PM PST by Tribune7 (Obama wants to put the same crowd that ran Fannie Mae in charge of health care)

To: Swordmaker
Hey Sword, I can save tech writers a lot of time. Here's a Mad-Libs style column. it can have a few simple words inserted and be rerun over and over.

Fans of Apple computers often boast about superior security. But as Macs have gained in popularity over the past few years, this has brought much more attention from hackers. At a presentation scheduled to take place (fill in date, time and location) one security expert will reveal a technique for attacking the Mac operating system--OS X--(include generic attack type here).

Similar techniques have targeted both Windows and Linux machines for several years.

(Include name of guy living in his mother's attic here. Add unrelated computer geek stuff qualifications, like he did a basic program to count to 100 when he was only 14) explains that the technique allows an attacker to break into a machine (insert theoretical attack specifics here. You may only invoke the tooth fairy twice). Such a technique could be used, for example, in combination with another software flaw to (Insert results of attack, must be more damaging than opening a web browser, but should not include activating Skynet).

(Original geek's name here) says that, for now, there are few Mac attacks sophisticated enough to need protection of this kind. But he adds that the technique could prove an effective way to get past advanced antivirus software in the future.

Attackers haven't focused much on the Mac to date because its smaller audience means smaller potential gains. (Geek's last name) notes that this is starting to change.

In the meantime,(Geek's last name) says that users can protect themselves by keeping their systems up to date with any security patches released for OS X.

I think this generic article should suffice for about five years, anyway. I think I'll do an AP and require payment whenever it's used.

8 posted on 02/18/2009 7:39:52 PM PST by Richard Kimball (We're all criminals. They just haven't figured out what some of us have done yet.)

To: Swordmaker; dayglored
Predicting where to inject the malicious code is made more difficult by a security feature in OS X that stores the variables needed to keep the attack untraceable in random locations within memory. However, Iozzo discovered a way to anticipate where the variables would be stored based on pieces of information that remain unchanged.

Further proof that no operating system is completely immune from potential attack; software is an imperfect product built by imperfect beings that is in constant need of improvement. Hopefully he's already shared his info with Apple before sharing it with all these hackers at this conference; this is the exact kind of info an adversarial government would love to have for their cyberwarfare units.

9 posted on 02/18/2009 8:54:48 PM PST by Golden Eagle (In God We Trust)

To: SlowBoat407
I have already hacked a number of Macs in such a stealthy way that no one can tell they were hacked. Absolutely no evidence. None.

Really.

I did it last week with my little hatchet... except it was a banana...

10 posted on 02/18/2009 9:26:25 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: SlowBoat407
I have already hacked a number of Macs in such a stealthy way that no one can tell they were hacked. Absolutely no evidence. None.

I can levitate birds................

11 posted on 02/19/2009 5:41:44 AM PST by cowboyway ("The beauty of the Second Amendment is you won't need it until they try to take it away"--Jefferson)

To: Golden Eagle
Further proof that no operating system is completely immune from potential attack, software is an imperfect product built by imperfect beings that is in constant need of improvement.

No proof of that is offered at all. This guy is talking about a technique to exploit a machine that has already been exploited, and in a non-permanent manner. There's still the chicken-and-egg problem of having to have an original exploit.

12 posted on 02/19/2009 7:04:55 AM PST by kevkrom ("The man who reads nothing at all is better educated than the man who reads nothing but newspapers.")

To: kevkrom
No proof of that is offered at all. This guy is talking about a technique to exploit a machine that has already been exploited, and in a non-permanent manner. There's still the chicken-and-egg problem of having to have an original exploit.

Right. This is akin to wiping down all the surfaces you may have touched leaving fingerprints, restoring everything to a pre-entry condition, and vacuuming the floor on your way out AFTER you've breached security, found the securely hidden safe, opened it, and photographed all the top secret documents.

13 posted on 02/19/2009 8:53:49 AM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Swordmaker
Dai Zovi says that, for now, there are few Mac attacks sophisticated enough to need protection of this kind

Ummm... if his definition of "few" is zero... then he is right.

14 posted on 02/19/2009 9:42:54 AM PST by TheBattman (Pray for our country....)

To: TheBattman

Re: Zero

In fairness, it should be noted that Dai Zovi was the guy who won the $10,000 and a MacBook at the CanSec conference two years ago by compromising the MacBook by reading a file on the MacBook by using a flaw in Safari and Java. At least he got the ten grand; the guy at the conference got to keep the MacBook.


15 posted on 02/19/2009 12:01:38 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: kevkrom; Swordmaker
This guy is talking about a technique to exploit a machine that has already been exploited

Even in your own choice of words, it's still a quote "technique to exploit a machine". It's a weakness, and all operating systems have them. Nothing is completely immune, just as I said, nor will anything ever be, though some may tempt you to believe otherwise.

16 posted on 02/19/2009 12:05:55 PM PST by Golden Eagle (In God We Trust)

To: Swordmaker

On the other hand, wasn’t that the “competition” that actually progressed by intentionally taking down layers of built-in security one at a time until someone broke in?


17 posted on 02/19/2009 12:24:52 PM PST by TheBattman (Pray for our country....)

To: TheBattman

Yup. Zovi did on the second day.


18 posted on 02/19/2009 12:49:43 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: TheBattman

While not quite as bad as these hackers giving exploit info away to black hats at these conferences, enticing them with bribes like that competition did gives people a monetary motive that they otherwise wouldn't have for LEGALLY creating hacks, meaning more people are looking for holes than otherwise might be. I think the best solution is to treat those who create exploits without reporting them to the vendor as equivalent to loading a gun and leaving it at a city park - unsafe use of a weapon if nothing comes of it, but accessory to the crime if something does. That way you discourage people from looking for hacks altogether, unless they plan on reporting to the vendor as they should, for the benefit of us all, not just themselves. Glorifying these punks is just making it worse.


19 posted on 02/19/2009 1:32:59 PM PST by Golden Eagle (In God We Trust)

To: cowboyway

“I can levitate birds................ “

But Obamed can telivate wurds...

(:>)


20 posted on 02/20/2009 1:15:34 AM PST by Yehuda (Land of the free, THANKS TO THE BRAVE!)

To: Swordmaker

"What did you do?"

21 posted on 02/20/2009 2:15:32 AM PST by Yehuda (Land of the free, THANKS TO THE BRAVE!)

To: Golden Eagle
Even in your own choice of words, it's still a quote "technique to exploit a machine". It's a weakness, and all operating sytems have them. Nothing is completely immune, just as I said, nor will anything ever be, though some may tempt you to believe otherwise.

You're using flawed logic. This is akin to saying, "if someone can get into the house, they can get into the living room." The fact that access to the living room is available, in the event the house is breached in no way makes the house itself less secure.

The fact is, successful attacks against "Macs" all boil down to actually being attacks against users -- the choice of OS is irrelevant if the user allows himself to be compromised into installing a trojan or otherwise granting access to a malicious party.

In other words, no amount of technology can protect a user from himself if he chooses to ignore proper security.

22 posted on 02/20/2009 4:42:37 AM PST by kevkrom ("The man who reads nothing at all is better educated than the man who reads nothing but newspapers.")

To: kevkrom
You're using flawed logic.

No it's not. The flaw is in the software, whether some are ever willing to actually admit it, or not.

23 posted on 02/20/2009 5:17:13 AM PST by Golden Eagle (In God We Trust)

To: Golden Eagle

I know you’re just anxious to make Macs look as bad as PCs, but perhaps you could use a refresher course in logic.

What we have here is a case of IF AND ONLY IF A THEN B — B is irrelevant if A is never true. In the specific case IF AND ONLY IF (MACHINE IS COMPROMISED) THEN (MACHINE CAN BE COMPROMISED).

The machine has to be compromised before it can be compromised, meaning said attack is merely theoretical, since the only effective attacks attack the user and not the system, and once a user grants access to malicious code, it's a given that the malicious code can do whatever it wants (at least, whatever the user has permissions to do) regardless of the OS security.

Should the theoretical vulnerability be patched? Yes. Does it “prove” that Macs aren’t secure? No, it doesn’t. If you can’t see the distinction, it’s only because you don’t want to.


24 posted on 02/20/2009 7:25:38 AM PST by kevkrom ("The man who reads nothing at all is better educated than the man who reads nothing but newspapers.")

To: Swordmaker
DARN those Macs


25 posted on 02/20/2009 7:27:38 AM PST by Just another Joe (Warning: FReeping can be addictive and helpful to your mental health)

To: kevkrom
I know you’re just anxious to make Macs look as bad as PC

Not at all, I'm typing this on a Mac, just smart enough to know that even it has security vulnerabilities, no matter what some may want you to believe. If anyone has an agenda, it would seem to be those who take an article describing a security vulnerability in Macs, and try to twist it into a positive for Macs somehow.

Should the theoretical vulnerability be patched? Yes.

Which is all I ever said, along with the fact that this is the exact type of info that adversarial governments would love to have for their cyberwarfare units. You're welcome to keep debating I'm wrong, but it's clearly a losing argument.

26 posted on 02/20/2009 4:02:43 PM PST by Golden Eagle (In God We Trust)

To: Golden Eagle
this is the exact type of info that adversarial governments would love to have for their cyberwarfare units

You've got to be kidding. An attack that only works against a compromised machine? It's an axiom of cybersecurity that once a machine is compromised, the attacker already can do anything to it.

So the fact that an attacker can do a particular "something" is irrelevant. If the machine is compromised, it's compromised. This is just some yahoo trying to get attention by pretending he found a serious flaw in OS X.

27 posted on 02/22/2009 10:50:12 AM PST by kevkrom ("The man who reads nothing at all is better educated than the man who reads nothing but newspapers.")

To: kevkrom
You've got to be kidding. An attack that only works against a compromised machine?

No, a process that would help cybercriminals, cyberwarfare units, etc, cover their tracks automatically, which this does. I'm certainly not kidding, but your lack of basic understanding of these subjects is pretty hilarious considering how frequently you like to comment.

This is just some yahoo trying to get attention by pretending he found a serious flaw in OS X.

Congratulations, you finally said something fairly accurate. While everyone would have been much better served had he given info of the flaw, which it clearly is, privately to Apple instead of releasing it at a black hat hacker conference, the reason it's getting so much coverage is the result of those who constantly try to infer OSX is infallible, which it isn't. And you're contributing to that problem right here yourself without even realizing it LOL.

28 posted on 02/22/2009 11:18:53 AM PST by Golden Eagle (In God We Trust)

To: Golden Eagle; All
The actual report on the presentation of the supposed "serious flaw" in OS X.
29 posted on 02/23/2009 6:53:04 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Swordmaker

Mighty kind, thank you very much.


30 posted on 02/23/2009 8:05:31 PM PST by Golden Eagle (In God We Trust)
