Cowboys and Maccies
Uncle Steve would grin from ear to ear.
There have been considerable reports about OS X boxes being compromised. They're not alone - most of the compromises in this new attack wave happen on Windows, but OS X being compromised is not good news.
OS X is Unix and it's difficult to compromise Unix, as opposed to Windows where it's difficult to not succeed at a compromise - but give any fool enough freedom with configuration etc and anything is bound to happen.
The compromises - across platform - are done basically with attacks on port 22, the SSH port used for remote login.
A caveat on the Unix side is that if the box accessed has the root account enabled, remote login by root can also be possible.
Which is just nuts - but more: OS X boxes come - for a very good reason - with the root account disabled. No OS X user needs the root account - and certainly not the way these people are using it.
A member of the 'admin' group can at any time escalate to root and even establish a root shell. There is no reason to use an enabled root account ever.
Network administrators are of course another matter entirely, but a network where everyone plays network administrator is a network administrator's nightmare.
Consider a specific IP range that has been combed for possible holes. Consider further that a hacker has attacked machines in this range with brute force engines on port 22, attempting remote login as root.
The account name is already known; given enough time, and with assistance from a weak password system, the attacker will gain entry - as root.
Consider then what this intruder will find out about the network and the machines behind the IPs surrounding the '0WNed' machine.
Consider further that once the attacker is inside, measures will be taken to ensure that future access remains possible no matter how much security is heightened afterwards.
Consider further that network administrators attempting to find the source of the attacks will most likely come up empty-handed: with root access the attackers can remove or obfuscate all the logs so no trace of their ever being there remains.
Consider further that rootkits can be installed so network administrators will not even see that particular boxes have been compromised.
And all this because someone with less than an ounce of brains was given the go-ahead to allow remote root access.
Consider further that the attacker begins to sense that security is extremely weak in the range and tries other IPs and finds them easy to crack as well.
Will the attacker return?
You only get one guess, so make it good.
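The scenario above is what a log-based check should catch before the logs are wiped: a run of failed root logins from one address on port 22, followed by a success. The following is an added example, not code from the original post or from any Rixstep tool; it parses constructed sshd log lines in the OpenSSH "Failed/Accepted password for ... from ..." format (the host names, addresses and timestamps are made up for the example) and flags both the brute-force sources and any login that succeeds after repeated failures.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from any real system): a brute-force
# run against root from 203.0.113.7 that eventually succeeds, plus ordinary
# activity from another address for contrast.
SAMPLE_LOG = """\
Mar  3 02:14:01 mac01 sshd[4123]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 02:14:03 mac01 sshd[4123]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  3 02:14:05 mac01 sshd[4123]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 02:14:07 mac01 sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51237 ssh2
Mar  3 02:14:09 mac01 sshd[4123]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 02:14:11 mac01 sshd[4123]: Accepted password for root from 203.0.113.7 port 51239 ssh2
Mar  3 02:20:44 mac01 sshd[4201]: Failed password for alice from 198.51.100.12 port 40001 ssh2
Mar  3 02:21:02 mac01 sshd[4202]: Accepted publickey for alice from 198.51.100.12 port 40002 ssh2
"""

# Matches the OpenSSH authentication result lines; "invalid user" appears when
# the account does not exist on the box, so it is skipped to get the bare name.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text):
    """Turn raw sshd lines into dicts with result, method, user and ip."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def root_bruteforce_sources(events, threshold=3):
    """Return {ip: failed_root_attempts} for every address at or above threshold."""
    fails = Counter(
        e["ip"] for e in events if e["result"] == "Failed" and e["user"] == "root"
    )
    return {ip: n for ip, n in fails.items() if n >= threshold}


def successes_after_failures(events, min_fails=3):
    """Return (ip, user, method) for logins accepted after repeated failures
    for the same ip/user pair: the signature of a guess that finally worked."""
    fails = Counter()
    flagged = []
    for e in events:
        key = (e["ip"], e["user"])
        if e["result"] == "Failed":
            fails[key] += 1
        elif fails[key] >= min_fails:
            flagged.append((e["ip"], e["user"], e["method"]))
    return flagged


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("brute-force sources:", root_bruteforce_sources(evts))
    print("suspicious successes:", successes_after_failures(evts))
```

Run against a live system the same functions would read /var/log/secure.log (OS X of that era) or the equivalent auth log; the point of keeping the parse step separate is that the log can also be shipped to another host first, so the check still has something to read after an intruder has cleaned up locally.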
Now while you're choking on all that, know that the Cooperites at CNET are at it again. With over 100,000 Windows viruses in the wild, and no known viruses for OS X, they're again beating the drum and saying Apple Unix is a pushover, and this is because little JJ in Oslo 'broke' the FairPlay DRM in one day.
No matter that stripping DRM from iTunes downloads is only possible if you actually have the files and that starting now you have to pay for them to get them, CNET know the score.
Of course it's all traditional Microsoft-sponsored FUD, but that's the point: CNET are already out campaigning with little or nothing to go on; imagine what they would do if they got ahold of this remote root story.
Uncle Steve would grin from ear to ear.
Weak passwords are an Internet security weakness only if remote login is allowed; otherwise they're irrelevant. As Kurtz, McClure, and Scambray put it, you can't break in if no one's listening.
If an attacker cannot gain access to a machine over the Internet, the password paradigms don't matter one single iota - not from across the net at any rate. (How things work locally is another matter entirely: weak password systems are not to be tolerated anywhere at any time for any reason - period.)
Trying to figure out just what is so important that people not only think they need root accounts enabled but also need remote root access is a futile exercise: it's a waste of time and perhaps the single greatest security risk there is.
In the case of OS X it's the only one to speak of and is further proof that if you were to open Fort Knox to the public, trade in gold bullion would rise immediately.
As long as the brute force attack is allowed to continue, it will sooner or later succeed. It's just a matter of time.
OS X is secure 'right out of the box'. It takes quite a lot of foolish creativity to open OS X up to the bad guys. Do that, and the game of Cowboys and Maccies will begin.
If you're running a network with OS X boxes, make sure no one has their root account enabled and establish communication channels so that all connected boxes remain invisible behind their firewall - no exceptions. Get people to understand the seriousness of the situation with passwords - get them to adopt pass phrases rather than passwords; make sure those phrases are long.
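On the sshd side, "no remote root" comes down to the PermitRootLogin directive in sshd_config, and the pass-phrase advice is only enforceable on the network edge if password authentication is not the thing being brute-forced in the first place. The following is an added example, not code from the original post; it audits a constructed sshd_config fragment against the settings the post's advice implies (root login off, password authentication off, public keys on) and writes out the hardened version. The config text is made up for the example; the directive names are standard OpenSSH ones.

```python
# Constructed sshd_config fragment with the weak settings the post warns about.
WEAK_CONFIG = """\
# constructed example, not a real host's configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# Values the audit insists on being set explicitly (sshd defaults have changed
# across releases, so relying on the default is itself a finding).
REQUIRED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
}


def parse_sshd_config(text):
    """Return the effective directive values as {lowercase_keyword: value}.

    sshd honours the first occurrence of a keyword and ignores later ones, and
    keywords are case-insensitive, so the parser does the same. Match blocks
    are not modelled; everything is treated as the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key not in settings:
            settings[key] = parts[1].strip()
    return settings


def audit(text):
    """List (directive, found, required) for every directive that deviates.
    A directive that is missing or commented out is reported as '<default>'."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        found = settings.get(key.lower(), "<default>")
        if found.lower() != want:
            findings.append((key, found, want))
    return findings


def harden(text):
    """Rewrite the config so every REQUIRED directive is set explicitly.

    Comments and unrelated directives are preserved; the first occurrence of a
    required keyword is replaced in place, later duplicates are dropped, and
    anything still missing is appended at the end."""
    out, seen = [], set()
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        parts = stripped.split(None, 1)
        key = parts[0].lower() if parts else None
        match = next((k for k in REQUIRED if k.lower() == key), None)
        if match is None:
            out.append(raw)
        elif match not in seen:
            out.append(f"{match} {REQUIRED[match]}")
            seen.add(match)
    for k in REQUIRED:
        if k not in seen:
            out.append(f"{k} {REQUIRED[k]}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for directive, found, want in audit(WEAK_CONFIG):
        print(f"{directive}: found {found!r}, required {want!r}")
    print(harden(WEAK_CONFIG))
```

The audit deliberately treats an absent directive as a finding rather than guessing the daemon's default: a box that inherits "yes" from an old default is exactly the box in the story. Disabling the root account itself (the dsenableroot / Directory Services side of the advice) is separate from this file; the sshd setting just makes sure that even a re-enabled root account is not reachable over port 22.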
If you're a kitchen table user, turn that root account off and do it now. Escalate to root if you need to but learn the dos and don'ts: never do it while connected to the Internet or any other network; never run GUI apps as root; and exit your root shell as soon as you can.
NEVER give your pass phrase to anyone except Apple; NEVER let anyone get the upper hand unless you're at least 101% sure you know what's going on.