Dailydave mailing list archives
Re: PWN to OWN (was Re: How Apple orchestrated web attack on researchers)
From: "Adriel T. Desautels" <adriel () netragard com>
Date: Wed, 21 Mar 2007 14:13:35 -0400
Bob,

I'm sure that you remember the Month of Apple Bugs, there's one example of people tearing OSX apart. A lot of those vulnerabilities could have been used to break into affected systems, in particular if they were used as helper apps.

On the other hand, I did recently come across a network that had been compromised. The standard servers on that network were the Apple X servers. I can try to look up the details on how that happened if you'd like.

IMHO the only reason why you don't hear a lot about Macs being hacked is because people don't focus on them yet. Well, not enough anyway.

On 3/21/07 10:10 AM, "Bob Mahoney" <bob () zanshinsecurity com> wrote:
> On Mar 20, 2007, at 6:00 PM, Dragos Ruiu wrote:
>
> > This promises to be much more fun than capturing "flags." :-) And a quantitative experiment on the real security of OSX.
>
> I've tried a number of times to get details of actual OSX compromises in the wild, without success. I'd like to know details of a real computer being used by a real person, compromised by a real attacker.
>
> I've been told a number of times (even here) that examples exist. But I've never gotten real info. I am genuinely interested- while I use a Mac, nothing is invulnerable. It seems reasonable that such an example must exist. But I have never seen or been pointed to one.
>
> Given the sort of talent here, I'd be disappointed if no one here could beat a default install, if motivated to do so. But I'd also be disappointed if a Navy SEAL couldn't kill me with a paper clip. Serious expertise yields solid results, and I have appropriate fear and respect for true ninja skills. But ninjas aren't my threat model, so this isn't a very relevant test from my perspective.
>
> There are many detailed analyses of compromised Windows and Unix machines. Thousands and thousands. Example autopsies abound. What I'd like to see is an equally expert and detailed analysis of a real-world OSX compromise, where the attacker was not a security researcher.
>
> I keep my eyes open, and ask occasionally, but it's entirely possible I've missed the example I'm looking for. If someone can point me to one, I would be grateful and interested.
>
> There is a Secret Service presentation on Mac forensics scheduled for an upcoming HTCIA meeting in Boston. I'll be interested in hearing what sorts of numbers they have seen, and if any examples involved compromise instead of merely evidence gathering.
>
> -Bob
>
> PS: I also would like to see more OSX security presentations at conferences. But given the general orneriness of security people, is it really as simple as Apple lawyers scaring everyone off?
>
> (This is a tough crowd. I expect to be knifed in the parking lot. :-)
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
--
Regards,
Adriel T. Desautels
Chief Technology Officer - Netragard, LLC
Office: 617-934-0269 || Mobile : 857-636-8882
http://www.linkedin.com/pub/1/118/a45
http://www.netragard.com
-------------------------
"We make IT secure."