Thread started 19 Mar 2009 (Thursday) 11:27

Mac Security - Gone 10 Seconds.

 
MaxxuM
Goldmember
3,361 posts
Gallery: 3 photos
Likes: 22
Joined May 2007
Location: Rio Grande Valley
     
Mar 20, 2009 20:54 |  #16

Faolan wrote in post #7561258 (external link)
Apple spends a lot of time saying Microsoft Windows is insecure, you just have to look at the advertising they have done over the years such as Mac/PC adverts. This gives the user a false feeling of security in that their system is hack proof. In fact you can see some of this attitude from a few people in this fora.

I don't think the ads said anything about PCs being 'insecure' per se, just that there were 100,000+ known PC viruses & spyware. Parody or not, they cannot say anything outright inaccurate or libelous, but they can express opinions.

No one is saying that OS X is hardened as much as it could be - with ease of use comes security holes. Vista locked up their OS to the irritation of many :) Snow Leopard is going to fix many issues too, so this time next year should be interesting (Windows 7 vs Snow Leopard).




  
wlescall
Senior Member
512 posts
Joined Mar 2006
Location: Northern Panhandle, WV
     
Mar 20, 2009 21:07 |  #17

For Mac users that may be interested: Mac OSX Security Guides (external link)


Bill
EOS 5Dmkiii, Canon EF 50mm f/1.8 mkii, 580 EX II , Canon EF 24-105 mm f/4L, Canon EF 100-400mm f/4.5-5.6L IS
2 desktops & 2 laptops (PC & Mac each)
Chronon Photography (external link)

  
ibdb
TD's worst nightmare!
6,484 posts
Likes: 7
Joined Jan 2006
Location: Puyallup -- Don't worry. Nobody else can pronounce it either.
     
Mar 20, 2009 21:31 |  #18

"Physical Access" in this case just means that he was connected over a simulated internet. You don't run something like this over the actual net so that you can monitor all the traffic that goes across the network more closely. Yes, there are cables connecting the hacked machine to the server that put out the code that led to the hack, but it didn't take the attacker sitting at the keyboard himself to execute the code and take advantage of the vulnerability. There was no more or less physical access to the machine than happens anytime someone connects to the 'net.

And yes, I did used to work in security. ;)


-David
"David raises a good point. . ." -- CDS
"Once again, David Raises a good point! :lol:" The Wise and Powerful CDS
Gear List | Proof I Use The Gear In My Gear List (not necessarily proof I use it well) (external link)

  
ibdb
TD's worst nightmare!
6,484 posts
Likes: 7
Joined Jan 2006
Location: Puyallup -- Don't worry. Nobody else can pronounce it either.
     
Mar 20, 2009 21:41 |  #19

smcclelland wrote in post #7556803 (external link)
Also keep in mind they are configured via computer-to-computer and there is no additional task of breaching network protocols, external security etc. It's pretty much a walk in, raise hell and walk out scenario which isn't very common in today's day and age :)

Since the vulnerability was exploited via an http connection, it really is pretty similar to an "invite the bad guy in, let him have a look around and raise hell" situation.

The user initiated the connection to the exploit. The hacker didn't have to initiate the connection to the target. Once the http connection was established, it was game over.

The other security mechanisms that work to recognize and prevent these sorts of vulnerabilities are largely pattern and behavioral based, which makes them reactive, and not proactive. If they don't know something is supposed to be bad, they don't block it. That's why anti-virus packages and the like have constant updates. They can't react if they don't know they're supposed to react. With a "zero-day" exploit, none of those other mechanisms know there's something out there they should be watching out for.

Arguing that you're not going to give an attacker a cable and hook it up to your machine for them is missing the point. If you have ever browsed a website, you already have given the attacker a cable that's hooked up to your machine.


-David
"David raises a good point. . ." -- CDS
"Once again, David Raises a good point! :lol:" The Wise and Powerful CDS
Gear List | Proof I Use The Gear In My Gear List (not necessarily proof I use it well) (external link)

  
Bobster
Cream of the Crop
5,668 posts
Gallery: 7 photos
Likes: 3302
Joined May 2006
Location: Dorset, England
     
Mar 21, 2009 14:10 |  #20

got to laugh


Robert Whetton (external link) Dorset Portrait & Events Photographer | Photoshop Guru
Gear | Gram (external link) | Ultimate Lens MA FoCal 2 (external link)| Ultimate RAW Editor C1 (external link)

  
AlphaChicken
Knot Hank
3,569 posts
Joined Aug 2007
Location: Asheville, NC
     
Mar 22, 2009 00:31 |  #21

I have never been hacked. Ever.

Who the fu*ck cares...Seriously. Except the fanboys who must insist their "whatever" is better.

*racist, but sarcastic warning*
Well guess what? White females MUST be better. Cause they are not black and don't live in Africa. White female people MUST *rolls eyes* be better than black female people...fanboy FTW!

I mean seriously? That is how extremely redic it is to argue about stuff like this.

I feel no threat, cause I don't go around DLing stupid stuff that could compromise my computer and I'm one in billions that owns one. And seriously, you guys back up your files right? The chance that you are going to get hacked and your files messed up is about the chance your hard drive fails or lightning fries your compy. GTFO.


I am Henry. NOT Hank. And certainly not a length of rope tied in a knot. ;)
My family calls me Hen, but you can call me Chicken. See you out there!
|Deviant Art (external link)
|Facebook (external link)|Gear List

  
MaxxuM
Goldmember
3,361 posts
Gallery: 3 photos
Likes: 22
Joined May 2007
Location: Rio Grande Valley
     
Mar 22, 2009 00:41 |  #22

AlphaChicken wrote in post #7572168 (external link)
I have never been hacked. Ever.

Who the fu*ck cares...Seriously. Except the fanboys who must insist their "whatever" is better.

*racist, but sarcastic warning*
Well guess what? White females MUST be better. Cause they are not black and don't live in Africa. White female people MUST *rolls eyes* be better than black female people...fanboy FTW!

I mean seriously? That is how extremely redic it is to argue about stuff like this.

I feel no threat, cause I don't go around DLing stupid stuff that could compromise my computer and I'm one in billions that owns one. And seriously, you guys back up your files right? The chance that you are going to get hacked and your files messed up is about the chance your hard drive fails or lightning fries your compy. GTFO.

<MaxxuM> moves slowly away from AlphaChicken & toward door....;)

Alpha, I don't think anyone is going fanboy on anyone. It's just a talk about security is all.




  
AlphaChicken
Knot Hank
3,569 posts
Joined Aug 2007
Location: Asheville, NC
     
Mar 22, 2009 01:06 |  #23

Hah...yeah I go a little nuts when people argue over what company is better...as if it is as simple as one simply being better.

Seemed like fanboyism to me...arguing about who has better security to no reasonable end.


I am Henry. NOT Hank. And certainly not a length of rope tied in a knot. ;)
My family calls me Hen, but you can call me Chicken. See you out there!
|Deviant Art (external link)
|Facebook (external link)|Gear List

  
alt4852
Goldmember
3,419 posts
Likes: 1
Joined Oct 2007
Location: Northern Virginia
     
Mar 22, 2009 01:16 |  #24

Tony-S wrote in post #7557967 (external link)
Still today, no one has hacked into a Mac without having physical access to the computer.

Tony-S wrote in post #7558675 (external link)
No one has ever said Macs are infallible. So everything else you say is pretty meaningless.

based on your dismissive logic quoted above:

macs have been hacked without physical access to the computer. therefore, everything else you say is pretty meaningless.


5D4 | Z21 | 35L2 | 50L | 85L2 | 135L

  
Damian75
Goldmember
1,623 posts
Likes: 6
Joined Dec 2006
Location: PA
     
Mar 22, 2009 02:42 |  #25

I am sorry, but if it takes an action by the end user then it is not a solid hack. That is like saying that if I convince you to let me into your house I have successfully broken into your house. I have successfully gained access but I did not break in, just as if I trick you into downloading a file and installing it and that file then gives me access to your computer, I have not hacked your computer; all I have proved is that you have an id10T problem. This does not count as a hack on any platform.


Canon EOS 40D,30D, Canon 70-200 2.8L, 24-70 2.8L, 85 1.8, Canon extension tube, Elinchrom Lighting gear, 
Website (external link)

  
Moppie
Moderator
15,101 posts
Gallery: 22 photos
Best ofs: 1
Likes: 448
Joined Sep 2004
Location: Akarana, Aotearoa. (Kiwiland)
     
Mar 22, 2009 03:54 |  #26

Damian75 wrote in post #7572487 (external link)
I am sorry, but if it takes an action by the end user then it is not a solid hack .......


The problem is the vast majority of "hacks" into computers ARE the result of the user doing something stupid and clicking on something they shouldn't have.

It is exactly why MS put UAC in Vista.


The biggest threat to any system is not the system, but the operator, and it just so happens that a lot of naive and stupid people use computers, and are exploited.


I can guarantee you right now a hacker somewhere is doing a cost-benefit analysis on targeting Mac users.
Once the numbers add up they will be targeted just as much as Windows users, and operator error will cause them to become infected.


flickr (external link)

Have you Calibrated your Monkey lately?

Now more than ever we need to be a community, working together and for each other, as photographers, as lovers of photography and as members of POTN.

  
AlphaChicken
Knot Hank
3,569 posts
Joined Aug 2007
Location: Asheville, NC
     
Mar 22, 2009 07:30 |  #27

Moppie wrote in post #7572628 (external link)
The problem is the vast majority of "hacks" into computers ARE the result of the user doing something stupid and clicking on something they shouldn't have.

It is exactly why MS put UAC in Vista.


The biggest threat to any system is not the system, but the operator, and it just so happens that a lot of naive and stupid people use computers, and are exploited.


I can guarantee you right now a hacker somewhere is doing a cost-benefit analysis on targeting Mac users.
Once the numbers add up they will be targeted just as much as Windows users, and operator error will cause them to become infected.

QFT. Everything you said is 100% accurate and I obviously agree 100% ;-)


I am Henry. NOT Hank. And certainly not a length of rope tied in a knot. ;)
My family calls me Hen, but you can call me Chicken. See you out there!
|Deviant Art (external link)
|Facebook (external link)|Gear List

  
ibdb
TD's worst nightmare!
6,484 posts
Likes: 7
Joined Jan 2006
Location: Puyallup -- Don't worry. Nobody else can pronounce it either.
     
Mar 22, 2009 20:56 |  #28

Damian75 wrote in post #7572487 (external link)
I am sorry, but if it takes an action by the end user then it is not a solid hack. That is like saying that if I convince you to let me into your house I have successfully broken into your house. I have successfully gained access but I did not break in, just as if I trick you into downloading a file and installing it and that file then gives me access to your computer, I have not hacked your computer; all I have proved is that you have an id10T problem. This does not count as a hack on any platform.

As I read the attack, the way that it worked is that a user goes to a webpage that they believe to be 100% legit. Hidden, inserted, injected, hacked into -- whatever you want to call it -- the legitimate webpage was malicious code. The malicious code then executed and gained access without any additional user intervention beyond browsing a website that they would ordinarily trust. The user did not have to directly execute the malicious code.

This sort of drive-by attack has been used successfully against Windows machines for some time starting with attackers inserting code into servers from all OSes. There have been attacks where hundreds of thousands of hosts serving up advertisements and the like have had evil code injected that, when browsed as part of an otherwise completely legitimate and believed to be safe site, executed malware. Photobucket was recently targeted with this very sort of attack (https://photography-on-the.net/forum/showthread.php?t=648519 was related to this very sort of attack.)

This was not a "click this EXE" or "download this file" sort of attack. This represents a very real, and very common way that attackers spread malware these days. Attack a database that serves up ads, get the database to serve up evil code instead of the legit ad, and when users go to their regular, everyday sites that happen to use ads ordinarily hosted by that server, they get the malware instead.

I don't take sides in this debate (I don't care). I just want people to be aware that this sort of attack is extremely common, and is the very same sort of passive attack that has been victimizing Windows users for a while.


-David
"David raises a good point. . ." -- CDS
"Once again, David Raises a good point! :lol:" The Wise and Powerful CDS
Gear List | Proof I Use The Gear In My Gear List (not necessarily proof I use it well) (external link)

  
MaxxuM
Goldmember
3,361 posts
Gallery: 3 photos
Likes: 22
Joined May 2007
Location: Rio Grande Valley
     
Mar 26, 2009 23:14 as a reply to  @ ibdb's post |  #29

Pwn2Own Contest winner: Macs are safer than Windows

Charlie Miller still recommends people get a Mac. Odd this isn't stated in the 'sensationalized' contest. Here is the link (external link).




  
alt4852
Goldmember
3,419 posts
Likes: 1
Joined Oct 2007
Location: Northern Virginia
     
Mar 27, 2009 00:59 |  #30

MaxxuM wrote in post #7607506 (external link)
Charlie Miller still recommends people get a Mac. Odd this isn't stated in the 'sensationalized' contest. Here is the link (external link).

probably because of all the disclaimers he gives right after that comment and the fact that a sensationalized article attracts more viewers. which catches your attention more?:

1. "MAC HACKED IN TEN SECONDS!"

2. "EXPERT HACKER RECOMMENDS MACS!"

3. "Miller states that Macs are less likely to be targeted by malicious programmers."


Two of those headlines are meant to grab attention, while one depicts a more accurate representation of what was actually quoted.


5D4 | Z21 | 35L2 | 50L | 85L2 | 135L

  

3,191 views & 0 likes for this thread, 14 members have posted to it.