Fats
08-04-2006, 12:28 AM
MacBook Security Gone in 60 Seconds
Two security specialists have demonstrated how they could exploit a vulnerability in the code of a MacBook wireless device driver to gain control of the computer, causing a small uproar at the Black Hat security conference in Las Vegas.
Get your electronic copy of TechNewsWorld's Spotlight on Security here. Free download with registration.
At the Black Hat USA conference, two security researchers demonstrated how easily they could hack into a Mac computer -- in this case Apple's (Nasdaq: AAPL) MacBook -- over a wireless network.
Operating from a nearby laptop, David Maynor, a senior researcher with SecureWorks, and graduate student Jon Ellch took aim at the MacBook's wireless card and wireless device, compromising the computer in about 60 seconds.
The object lessons from this demonstration are manifold, starting with the simple fact that computer security must go beyond installing software to shield the operating system to include protection for wireless devices and cards. There is also this hard truth: It is becoming increasingly clear that Apple computers are not as safe as they were once perceived to be.
Targeting Mac
However, a caveat is necessary: Using a Mac is still far safer than using a Windows system.
"Out of the box, a Mac is more secure than Windows," Scott Carpenter, director of security labs at Secure Elements, told MacNewsWorld.
"The problem is, Apple has been fostering a campaign telling consumers they don't have to worry about security if they use a Mac. They are not any more or less secure about vulnerabilities in their code than Windows, but they like to pretend that they are," he observed.
Noting that Apple has some smart security people on its staff, Carpenter suggested there might be "a behind-the-scenes war between them and marketing about the image a Mac should project."
He voiced another big gripe about Apple's approach to security: "Microsoft will tell you the criticality of a certain patch. Apple refuses to tell you if a patch is critical or not. It won't even tell you if it is a fix to a vulnerability or whether it is just a problem in the code. Their attitude is, 'Just trust us.'"
Wireless Security
That said, the hack attack into the MacBook would have worked on any laptop that didn't have the highest wireless encryption available installed.
Even with such encryption, Carpenter said, no system is 100 percent fail-safe. "Wireless in particular is inherently insecure, because people tend to use the lowest level of security that there is."
However, Mac's wireless device uses an old version of encryption -- WEP, or Wired Equivalent Privacy -- which is very easy to hack, he pointed out.
"It is very easy to break that protocol," Carpenter said. "I've done it for a major metropolitan government. I sat outside their office on my Harley and sniffed and sniffed and sniffed until I broke into their network."
Source (http://www.technewsworld.com/rsstory/52208.html)
Two security specialists have demonstrated how they could exploit a vulnerability in the code of a MacBook wireless device driver to gain control of the computer, causing a small uproar at the Black Hat security conference in Las Vegas.
Get your electronic copy of TechNewsWorld's Spotlight on Security here. Free download with registration.
At the Black Hat USA conference, two security researchers demonstrated how easily they could hack into a Mac computer -- in this case Apple's (Nasdaq: AAPL) MacBook -- over a wireless network.
Operating from a nearby laptop, David Maynor, a senior researcher with SecureWorks, and graduate student Jon Ellch took aim at the MacBook's wireless card and wireless device, compromising the computer in about 60 seconds.
The object lessons from this demonstration are manifold, starting with the simple fact that computer security must go beyond installing software to shield the operating system to include protection for wireless devices and cards. There is also this hard truth: It is becoming increasingly clear that Apple computers are not as safe as they were once perceived to be.
Targeting Mac
However, a caveat is necessary: Using a Mac is still far safer than using a Windows system.
"Out of the box, a Mac is more secure than Windows," Scott Carpenter, director of security labs at Secure Elements, told MacNewsWorld.
"The problem is, Apple has been fostering a campaign telling consumers they don't have to worry about security if they use a Mac. They are not any more or less secure about vulnerabilities in their code than Windows, but they like to pretend that they are," he observed.
Noting that Apple has some smart security people on its staff, Carpenter suggested there might be "a behind-the-scenes war between them and marketing about the image a Mac should project."
He voiced another big gripe about Apple's approach to security: "Microsoft will tell you the criticality of a certain patch. Apple refuses to tell you if a patch is critical or not. It won't even tell you if it is a fix to a vulnerability or whether it is just a problem in the code. Their attitude is, 'Just trust us.'"
Wireless Security
That said, the hack attack into the MacBook would have worked on any laptop that didn't have the highest wireless encryption available installed.
Even with such encryption, Carpenter said, no system is 100 percent fail-safe. "Wireless in particular is inherently insecure, because people tend to use the lowest level of security that there is."
However, Mac's wireless device uses an old version of encryption -- WEP, or Wired Equivalent Privacy -- which is very easy to hack, he pointed out.
"It is very easy to break that protocol," Carpenter said. "I've done it for a major metropolitan government. I sat outside their office on my Harley and sniffed and sniffed and sniffed until I broke into their network."
Source (http://www.technewsworld.com/rsstory/52208.html)