Professionals Hack a MacBook — and Make a Larger Point (UPDATED - Demo Was Rigged)
August 19 UPDATE (also posted as a separate August 19 entry): It turns out the “presumably good guy” label in the very first sentence of the original post that begins below was VERY incorrect (HT Techdirt):
Now it seems SecureWorks is backing away from its suggestion that MacBooks are just as vulnerable as other Wi-Fi-capable computers. The company has posted a disclaimer on its site to make it clear that the demonstration at Black Hat used a modified MacBook.
“This video presentation at Black Hat demonstrates vulnerabilities found in wireless device drivers,” the disclaimer says. “Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver–not the original wireless device driver that ships with the MacBook. As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available.”
This is truly sad, especially in light of the snide comments from Dave Maynor and Jon “Johnny Cache” Ellch about Apple’s alleged security arrogance. It’s a trick right out of the same playbook as the rigged Dateline exploding gas tank in 1993, and it’s sickening.
Since I don’t pull posts, what is below will remain, and I’m coining a new term for people like Maynor and Ellch: MDS, or Mac Derangement Syndrome. The advice at the end of the piece (keep your wireless card off when not using it) is still a good idea, just not do-or-die urgently good.
____________________________________________
(original post)
Last week, two (presumably good-guy) hackers demonstrated how to hack a MacBook in under 60 seconds and entirely hijack it through its wireless card. They are also telling us that it can be done to virtually any computer (bolds are mine):
The video shows Ellch and Maynor targeting a specific security flaw in the Macbook’s wireless “device driver,” the software that allows the internal wireless card to communicate with the underlying OS X operating system. While those device driver flaws are particular to the Macbook — and presently not publicly disclosed — Maynor said the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS. Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the “Mac user base aura of smugness on security.”
….. according to Maynor and Ellch, this attack can be carried out whether or not a vulnerable targeted laptop connects with a local wireless network. It is, they said, enough for a vulnerable machine to have its wireless card active for such an attack to be successful. That’s a trivial demand, given that most wireless devices embedded in laptops these days are switched on by default and are configured to continuously seek out available wireless networks.
Because the software that powers these wireless devices operates at such a fundamentally low level of the operating system, traditional system safeguards like firewalls and anti-virus software most likely will not stop the operating system from accepting a maliciously crafted network probe from an attacker seeking to exploit device driver-specific flaws. The result, said Maynor, is that a system using poorly designed device drivers is vulnerable to compromise just by doing what it was programmed to do.
But that explanation eclipses the larger point that Maynor and Ellch said they are trying to get across: Namely, that wireless device drivers are largely developed and written by an odd mix of hardware and software developers in an environment where time-to-market often trumps any thorough code review for potential security flaws.
(Aside: Okay guys, I get the point about Mac security smugness. To its credit, Apple resisted hyping that advantage for years. To its detriment, it decided to start hyping the advantage just as it converted its product line to Intel chips and started enabling easier use of Windows XP, meaning that successful virus attacks and hacks are more likely with Macs than they have ever been.)
To protect yourself while the computer makers play catch-up: if you’re not actively connected to a wireless network, turn the wireless card OFF.
________________________________
UPDATE: Information Week also has a story on the demo here.









