<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in A Little Challenge To Our Mac Advocate Friends</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Fri, 27 Apr 2007 14:34:06 -0000</lastBuildDate><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322358</link><description>Sorry to post on an old thread, but anybody know how this might work?&lt;br&gt;&lt;br&gt;&lt;a href="http://www.subrosasoft.com/OSXSoftware/index.php?main_page=product_info&amp;amp;cPath=200&amp;amp;products_id=195" rel="nofollow"&gt;http://www.subrosasoft.com/OSXSoftware/index.ph...&lt;/a&gt;&lt;br&gt;&lt;br&gt;They seem to think they've got a way to get access to all the keychain passwords and it doesn't look like they're hijacking the individual applications.  They also claim it's forensically sound, though that seems... well, patently false since the very fact of mounting the usb drive modifies the system, but I'll save that for the forensic experts to argue.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jordan Wiens</dc:creator><pubDate>Fri, 27 Apr 2007 14:34:06 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322357</link><description>JohnGruberIsARobot: At 23c3 there was a  talk about the security of file vault and that the key derivation didn't suck in an obvious way. However there were some very serious flaws mentioned but not focused on in that talk including: The low power behavior of OS X includes writing the encryption key to the disk without protection. &lt;br&gt;This means that the main goal for disk encryption, "protecting your data when your machine is stolen" is not achieved. 
I would consider this a fatal flaw - although not apropos to the rest of the discussion here.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jesse</dc:creator><pubDate>Tue, 24 Apr 2007 17:30:14 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322356</link><description>@Robert C:&lt;br&gt;&lt;br&gt;Overall, I think Bert gives some solid advice.  I am not sure I know everything that Bert is doing to protect the InputManagers directory, but it will probably provide some protection, specifically around automated attacks.&lt;br&gt;&lt;br&gt;The most solid recommendation is to make sure that your user account is not an administrative user.  I definitely recommend not running with a user in the admin group.  While it won't help you with your data, it will prevent someone from immediately running amok with your /Applications directory.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave G.</dc:creator><pubDate>Tue, 24 Apr 2007 12:22:09 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322355</link><description>Thomas, Rosyna, et al. Thanks for the discussion here. 
I learned something.&lt;br&gt;&lt;br&gt;BTW Thomas,&lt;br&gt;&lt;br&gt;$ id 501&lt;br&gt;id: 501: no such user&lt;br&gt;&lt;br&gt;;-)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Max</dc:creator><pubDate>Tue, 24 Apr 2007 04:10:33 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322354</link><description>I know I sound like I know what I'm talking about, and that serves me well when I'm poking holes in things, but I'm going to leave it to Dave G. to give actual recommendations on how to deal with this stuff.&lt;br&gt;&lt;br&gt;Like I said, I live dangerously, and I live by what Dave wrote about safety vs. security;&lt;br&gt;&lt;br&gt;&lt;a href="http://www.matasano.com/log/644/safety-vs-security-2/" rel="nofollow"&gt;http://www.matasano.com/log/644/safety-vs-secur...&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Mon, 23 Apr 2007 23:33:21 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322353</link><description>@Thomas: Your last comment is hilarious. :)&lt;br&gt;&lt;br&gt;What sorts of things should Mac users be doing? Does Bert have the right idea with that InputManager thing he's talking about?&lt;br&gt;&lt;br&gt;Or is the point simply that this kind of vulnerability is really going to hurt no matter what we do? Because I believe you. It will hurt. 
I'd just like to find out if there's anything I should do to mitigate my risk.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Robert C.</dc:creator><pubDate>Mon, 23 Apr 2007 23:08:53 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322352</link><description>dre: Hrm?  The only thing they showed at 23c3 is that filevault is cryptographically secure, but it can be brute forced quicker than extremely slow (read: somewhat slowly) in hardware.  And everyone already knew that anyway.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">JohnGruberIsARobot</dc:creator><pubDate>Mon, 23 Apr 2007 16:34:20 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322285</link><description>Rosyna: thanks for the info about the keychain and binary modifications, I learned something. When did they do that? OS X used to do a rebasing step that would change your binaries, and I always thought that was really stupid.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ryan Russell</dc:creator><pubDate>Mon, 23 Apr 2007 16:32:15 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322284</link><description>"At what risk factor"? I'm the attacker. Am I going to trip and fall over my exploit script?&lt;br&gt;&lt;br&gt;I guess if you just declare the whole discussion moot, it's easy to "win". You win! I mean no offense when I continue to respond to the rest of the comments in the thread as if you hadn't won. 
For, indeed, you have won.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Mon, 23 Apr 2007 16:05:52 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322351</link><description>Thomas you can have what you want, in fact if you fancy doing some retouching on the images i currently need to send to client, hell, have those as well&lt;br&gt;&lt;br&gt;Again this is one area where security researchers sometimes forget about applying risk. Yes you can root a box, but at what risk factor? &lt;br&gt;&lt;br&gt;seriously you lot take this too seriously, maybe it's because i've been doing it since 94, but damn... IT ONLY A FUCKING OS!!!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Daniel</dc:creator><pubDate>Mon, 23 Apr 2007 15:02:44 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322350</link><description>wideload:~ xistence$ id&lt;br&gt;uid=1001(xistence) gid=1001(xistence) groups=1001(xistence)&lt;br&gt;&lt;br&gt;(NFS on my FreeBSD has that uid for that account, so had to be the same on my Mac to be able to read/write, took me a while to figure out how to change it)&lt;br&gt;&lt;br&gt;If you got my UID 501 account, i'd be up shit creek without a paddle since it has admin privs. &lt;br&gt;&lt;br&gt;wideload:~ xistence$ id 501&lt;br&gt;uid=501(administrator) gid=501(administrator) groups=501(administrator), 81(appserveradm), 79(appserverusr), 80(admin)&lt;br&gt;&lt;br&gt;I almost never use that account. The only time I use it is when I get a stubborn installer that does some shell script ninjutzu, and needs to do it as root. 
I look at you KisMac.&lt;br&gt;&lt;br&gt;Now as for my current user account, you'd get a whole lot of data about me. Keychain however is under a different password, and I am very suspicious when an app needs access to it. I keep my mail password in it for example, and if it is locked, it will ask me for access.&lt;br&gt;&lt;br&gt;InputManager? The folder is set to chmod 000. No read or write access, also, just in case something is put in there, AppleScript will pop up letting me know something was dumped there (can only be done as root on a chmod 000).&lt;br&gt;&lt;br&gt;Thing that would suck the most, is if my SSH keys were stolen. Access to too many machines, and no real fast way to remove them from each of the machines it has access to.&lt;br&gt;&lt;br&gt;What I would worry about the most is just general information about me, stuff that could probably be found on the Internet, but would take a lot of time. I don't think that what I do have is interesting. A few PDF's, a shitload of TV Shows, Movies, projects for school, and just some open source projects I am working on.&lt;br&gt;&lt;br&gt;Rosyna: Only way I have found that a keylogger would work under Mac OS X is if it was a kernel module. But that is a general problem with all operating systems, not just Mac OS X.&lt;br&gt;&lt;br&gt;Thomas: The assumption that everyone that is reading your blog would run under UID 501 is a really bad one. The only reason someone would be reading your blog is if they were interested in security, and those people would be smarter than your average grandma or grandpa. 
That being said, my dad is a Mac OS X user and I set him up with split accounts, just so that he would do everything under his own UID and only when installing apps use Administrator.&lt;br&gt;&lt;br&gt;Cheerio!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Bert JW Regeer</dc:creator><pubDate>Mon, 23 Apr 2007 12:44:04 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322349</link><description>Well, if you assume that I'm the only user of my computer, then the answer is indeed, there is nothing important you don't have with my UID.&lt;br&gt;&lt;br&gt;But in fact, they're not single-user machines.  With my UID, on my computer, you win (given that you can get my password sooner or later and then have UID 0).&lt;br&gt;&lt;br&gt;But with my UID on my wife's computer, you have not so much of interest.  Some audio projects, but nothing of major value.  
With my UID on my mom's computer, you have practically nothing - I check webmail when I go back home, and that's about it.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">dragonfrog</dc:creator><pubDate>Mon, 23 Apr 2007 12:27:20 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322348</link><description>i thought filevault (and therefore keychain) had serious implementation problems as talked about at &lt;a href="http://events.ccc.de/congress/2006/Fahrplan/events/1642.en.html" rel="nofollow"&gt;23C3&lt;/a&gt;?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">dre</dc:creator><pubDate>Mon, 23 Apr 2007 12:19:39 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322347</link><description>Not sure you read the whole comment thread, but, uh, the challenge still stands? 
I can inject code into iTunes (or any Cocoa app) from a Safari exploit.&lt;br&gt;&lt;br&gt;So, not close to "STFU" yet.&lt;br&gt;&lt;br&gt;What can't I get to on YOUR MacBook from UID 501?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Mon, 23 Apr 2007 10:36:24 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322346</link><description>ps..&lt;br&gt;&lt;br&gt;Thomas we love you anyway, but it's good to be humbled every now and then, it makes us better people ;0)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Daniel</dc:creator><pubDate>Mon, 23 Apr 2007 10:33:16 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322345</link><description>1: Thinking yer the shnizzle for all things anti-mac $100&lt;br&gt;2: Posting a little challenge to prove the point $25 &lt;br&gt;3: Telling people "You’re not following..." 
whilst huffing and puffing and strutting your stuff $10 &lt;br&gt;4: Getting smacked in the face and told to STFU and listen for once $priceless</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Daniel</dc:creator><pubDate>Mon, 23 Apr 2007 10:12:17 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322344</link><description>Thomas,&lt;br&gt;&lt;br&gt;I can see how it's game over for me if you can run code as my UID, but (forgive my ignorance) do you have any more details as to how/why the "single user machine" is more hostile for the tightening up you just mentioned?&lt;br&gt;&lt;br&gt;I was under the impression that the saving grace was "on a multi user machine, you'd have only 'lost' one user not everybody", but your last comment makes me think I'm still not getting the whole picture...&lt;br&gt;&lt;br&gt;Also, if I did split off, say, all "my financial stuff" into a completely separate account, would it actually be any safer despite the inconveniences? Sure it's toast if you get root, but would my other account topple anyway? Say, if I normally fast user switch from the now compromised user account?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">DG</dc:creator><pubDate>Mon, 23 Apr 2007 09:32:38 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322343</link><description>MAC is great and all, but let's not lose sight of the real issue. You can, with a bit of userland C code, tighten up Mac permissions so that it is really hard to transition from "owning Safari" (and thus the auth cookie for your bank account) to "owning iTunes". It's not that MacOS X lacks the features to pull this off. 
&lt;br&gt;&lt;br&gt;The problem is, "single user machine" is a really hostile setting for deploying those features.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Sun, 22 Apr 2007 15:43:48 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322342</link><description>*Sigh* Rosyna. *sigh* You're arguing that people don't care if you slurp their entire home folder (and everything else they have read permission to on the computer) up to a web/ftp site. That is not an argument you can win. The password B*llsh*t is meaningless. People in general are not happy when they lose every bit of data they have due to a system crash, but they would be even LESS happy if everything on their computer was posted to usenet. To demonstrate this point, allow me to give you the simple test I use on bureaucrats who like to use my SSN on documents where it's public. Post YOUR (SSN) home folder on the internet for everyone to see, and then tell me you don't care.&lt;br&gt;&lt;br&gt;I saw a great talk by Marc Stiegler of HP research back in Feb where he showed their capabilities-based system which stops applications from fscking you over except, of course, in the presence of social engineering attacks. But even social engineering attacks are limited because the applications ask for their capabilities the first time they load or you can just set them based on profiles (like "web-browser", which is something which needs to read your bookmarks and cache files, but DOESN'T need to read or write files anywhere else on the system...). 
There were lots of caveats to the talk (like the fact that everything has to be written in an OO language like java, and excluding things like C++ which have those evil pointers), but the message is clear, and has been repeated in other contexts over the years: even user-level applications need to be heavily sandboxed and partitioned, and given "least privilege" (fo' real...not just given lip service) because otherwise, as the example he used repeatedly, we are left with a world where solitaire can send your turbotax pdf printout to my good friends over at 1.1dy.us and citi-bank.ru (don't go there ;)).&lt;br&gt;&lt;br&gt;For those of you who may have missed it, 10.5 is supposed to have Mandatory Access Control based on the TrustedBSD code base. I am cautiously optimistic that the sandboxing therein when combined with ability that darwin already has to spawn mini-vms for applications, will help stop my applications from being able to access everything everywhere in my user account.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">tiresome</dc:creator><pubDate>Sun, 22 Apr 2007 14:09:41 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322341</link><description>RobertC: &lt;br&gt;Not running as admin certainly helps reduce (but doesn't prevent) the chances of people taking over your machine, but the question remains, what data can be mined?&lt;br&gt;&lt;br&gt;As Thomas says, how do you decrypt that image. 
Couldn't someone just install an input manager to watch you do it?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Robert Moir</dc:creator><pubDate>Sun, 22 Apr 2007 11:56:55 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322340</link><description>Robert: how do you decrypt the disk image? The disk image helper program runs with your user creds.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Sun, 22 Apr 2007 11:37:49 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322339</link><description>It's not a trick question. The point is, non-admin user code execution is game-over, even if you don't have root.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Sun, 22 Apr 2007 11:36:58 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322338</link><description>I think I have some assets you can't get. I don't run as admin normally, so that might keep you away from Applications (?). I keep important / sensitive financial &amp;amp; other documents in an encrypted disk image. &lt;br&gt;&lt;br&gt;Questions: Would those things be safe? 
Does it help me that I don't run as admin?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Robert C.</dc:creator><pubDate>Sun, 22 Apr 2007 10:52:53 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322337</link><description>Is there any platform on the planet that has a secure enough kernel code base to negate the fact that the ability to execute arbitrary code as a non-privileged account is essentially already Game Over for local root (Hi Argus!!)?  Let alone Mac OS X?&lt;br&gt;&lt;br&gt;I call shenanigans on Tom for posing a trick question.  You all fell for the bait too :)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jon Bowie</dc:creator><pubDate>Sun, 22 Apr 2007 08:46:49 -0000</pubDate></item><item><title>Re: A Little Challenge To Our Mac Advocate Friends</title><link>http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/#comment-2322336</link><description>"Robert, the point of my exercise was to use an exploit without any kind of social engineering."&lt;br&gt;&lt;br&gt;Fair enough.&lt;br&gt;&lt;br&gt;In which case I'll go with malicious input manager copied to ~/libraries/inputmanagers. Quite possible from what Thomas says, and while I wouldn't own your machine I'd own your data. The data might be worth more.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Robert Moir</dc:creator><pubDate>Sun, 22 Apr 2007 08:17:35 -0000</pubDate></item></channel></rss>