<<O>>  Difference Topic SecurityTeam (r1.11 - 24 Mar 2006 - ForrestEngland)
META TOPICPARENT CodingLikeYouMeanIt

Security Team

Line: 16 to 16

If someone gets their hands on your hashes (which they can't do unless they get root access somehow) they can try to figure out your password using a brute force method (trying every possible combination of letters, numbers, and symbols for a given number of charachters, encoding them, and comparing them to the hash), or a dictionary method (encoding huge word lists and comparing the hashes to yours). This takes forever, especially the brute force method. These passwords are pretty secure. The best way to ensure security is choosing a good password. Mac os x has a cool little utility to help you choose a good password built into the users and groups system preference.

Changed:
<
<		 Tools like john-the-ripper are used in these attacks. John cracked my password in about 9 hours, so I changed it. You need a patch to get it to try to crack salted SHA1 passwords.
>
>		 Tools like john-the-ripper are used in these attacks. John cracked my password in about 9 hours, so I changed it. It cracked cs0's password in less than a second. You need the patch below to get it to try to crack salted SHA1 passwords.

Why would someone want to get your password if they have root access somehow? so they can log in as you and you won't know it, cause your password hasn't changed.

 <<O>>  Difference Topic SecurityTeam (r1.10 - 24 Mar 2006 - ForrestEngland)
META TOPICPARENT CodingLikeYouMeanIt

Security Team

Line: 27 to 27
shell codes
Changed:
<
<		 A shellcode is some machine code stored in a C string which an attacker uses to take advantage of software vulnerabilities, smash the stack, and execute a shell with root priveledges.
>
>		 A shellcode is some machine code stored in a C string which an attacker uses to take advantage of software vulnerabilities such as buffer overruns, smash the stack, and execute a shell with root priveledges.

links
 <<O>>  Difference Topic SecurityTeam (r1.9 - 24 Mar 2006 - ForrestEngland)
META TOPICPARENT CodingLikeYouMeanIt

Security Team

Security under Mac OS X

Changed:
<
<
shadow passwords
>
>
shadow passwords

Changed:
<
<
  • passwords: shadow passwords using salted SHA1 1-way encoded hash function
>
>
  • passwords: Tiger uses shadow passwords using salted SHA1 1-way encoded hash function

  • stored in netinfo database (/private/var/db/shadow/hash/*)
  • (Debian GNU/Linux stores MD5 encoded shadow passwords in /etc/shadow)

They are 1 way encoded because once encoded, they can't be decoded. When you enter your password, it is put through the hash algorithm and compared to the hash stored on disk.

Changed:
<
<
password attacks
>
>
password attacks

If someone gets their hands on your hashes (which they can't do unless they get root access somehow) they can try to figure out your password using a brute force method (trying every possible combination of letters, numbers, and symbols for a given number of charachters, encoding them, and comparing them to the hash), or a dictionary method (encoding huge word lists and comparing the hashes to yours). This takes forever, especially the brute force method. These passwords are pretty secure. The best way to ensure security is choosing a good password. Mac os x has a cool little utility to help you choose a good password built into the users and groups system preference.

Line: 20 to 20

Why would someone want to get your password if they have root access somehow? so they can log in as you and you won't know it, cause your password hasn't changed.

Changed:
<
<
physical access
>
>
physical access

If they have physical access, being root on a mac is rediculously simple, just hold down command-s while it starts up. There are some ways of keeping people from getting into single user mode without a password.

Changed:
<
<
shell codes
>
>
shell codes

A shellcode is some machine code stored in a C string which an attacker uses to take advantage of software vulnerabilities, smash the stack, and execute a shell with root priveledges.

Changed:
<
<
links
>
>
links
mac hacking contests Joe was referring too

 <<O>>  Difference Topic SecurityTeam (r1.8 - 24 Mar 2006 - ForrestEngland)
META TOPICPARENT CodingLikeYouMeanIt

Security Team

Line: 34 to 34
Added:
>
>


META FILEATTACHMENT john-1.7-saltsha1.diff attr="" comment="" date="1143227466" path="john-1.7-saltsha1.diff" size="38029" user="ForrestEngland" version="1.1"
 <<O>>  Difference Topic SecurityTeam (r1.7 - 24 Mar 2006 - ForrestEngland)
META TOPICPARENT CodingLikeYouMeanIt

Security Team

Line: 34 to 34
Deleted:
<
<

META FILEATTACHMENT john-1.7-saltsha1.diff attr="" comment="" date="1143227466" path="john-1.7-saltsha1.diff" size="38029" user="ForrestEngland" version="1.1"
 <<O>>  Difference Topic SecurityTeam (r1.6 - 24 Mar 2006 - ForrestEngland)
META TOPICPARENT CodingLikeYouMeanIt

Security Team

Security under Mac OS X

shadow passwords
Changed:
<
<		 
passwords: shadow passwords using salted SHA1 1-way encoded hash function 
stored in netinfo database (/private/var/db/shadow/hash/*)
(Debian GNU/Linux stores MD5 encoded shadow passwords in /etc/shadow)
>
>

  • passwords: shadow passwords using salted SHA1 1-way encoded hash function
  • stored in netinfo database (/private/var/db/shadow/hash/*)
  • (Debian GNU/Linux stores MD5 encoded shadow passwords in /etc/shadow)

They are 1 way encoded because once encoded, they can't be decoded. When you enter your password, it is put through the hash algorithm and compared to the hash stored on disk.

password attacks
Line: 28 to 28

A shellcode is some machine code stored in a C string which an attacker uses to take advantage of software vulnerabilities, smash the stack, and execute a shell with root priveledges.

Changed:
<
<		 PowerPC / OS X (Darwin) Shellcode Assembly
>
>

links

META FILEATTACHMENT john-1.7-saltsha1.diff attr="" comment="" date="1143227466" path="john-1.7-saltsha1.diff" size="38029" user="ForrestEngland" version="1.1"
 <<O>>  Difference Topic SecurityTeam (r1.5 - 24 Mar 2006 - ForrestEngland)
META TOPICPARENT CodingLikeYouMeanIt

Security Team

Line: 12 to 12

 They are 1 way encoded because once encoded, they can't be decoded. When you enter your password, it is put through the hash algorithm and compared to the hash stored on disk.
Changed:
<
<
attacks
>
>
password attacks

If someone gets their hands on your hashes (which they can't do unless they get root access somehow) they can try to figure out your password using a brute force method (trying every possible combination of letters, numbers, and symbols for a given number of charachters, encoding them, and comparing them to the hash), or a dictionary method (encoding huge word lists and comparing the hashes to yours). This takes forever, especially the brute force method. These passwords are pretty secure. The best way to ensure security is choosing a good password. Mac os x has a cool little utility to help you choose a good password built into the users and groups system preference.

Changed:
<
<		 Tools like john-the-ripper are used in these attacks. John cracked my password in about 9 hours, so I changed it. You need a patch to get it to try to crack salted SHA1 passwords.
>
>		 Tools like john-the-ripper are used in these attacks. John cracked my password in about 9 hours, so I changed it. You need a patch to get it to try to crack salted SHA1 passwords.

Why would someone want to get your password if they have root access somehow? so they can log in as you and you won't know it, cause your password hasn't changed.

physical access

If they have physical access, being root on a mac is rediculously simple, just hold down command-s while it starts up. There are some ways of keeping people from getting into single user mode without a password.

shell codes

A shellcode is some machine code stored in a C string which an attacker uses to take advantage of software vulnerabilities, smash the stack, and execute a shell with root priveledges. PowerPC / OS X (Darwin) Shellcode Assembly


META FILEATTACHMENT john-1.7-saltsha1.diff attr="" comment="" date="1143227466" path="john-1.7-saltsha1.diff" size="38029" user="ForrestEngland" version="1.1"
 <<O>>  Difference Topic SecurityTeam (r1.4 - 24 Mar 2006 - ForrestEngland)
META TOPICPARENT CodingLikeYouMeanIt

Security Team

 <<O>>  Difference Topic SecurityTeam (r1.3 - 24 Mar 2006 - ForrestEngland)
META TOPICPARENT CodingLikeYouMeanIt

Security Team

Line: 18 to 18

Tools like john-the-ripper are used in these attacks. John cracked my password in about 9 hours, so I changed it. You need a patch to get it to try to crack salted SHA1 passwords.

Added:
>
>
META FILEATTACHMENT john-1.7-saltsha1.diff attr="" comment="" date="1143227466" path="john-1.7-saltsha1.diff" size="38029" user="ForrestEngland" version="1.1"
 <<O>>  Difference Topic SecurityTeam (r1.2 - 24 Mar 2006 - ForrestEngland)
META TOPICPARENT CodingLikeYouMeanIt

Security Team

Security under Mac OS X

Added:
>
>
shadow passwords 
passwords: shadow passwords using salted SHA1 1-way encoded hash function 
stored in netinfo database (/private/var/db/shadow/hash/*)
(Debian GNU/Linux stores MD5 encoded shadow passwords in /etc/shadow)
They are 1 way encoded because once encoded, they can't be decoded. When you enter your password, it is put through the hash algorithm and compared to the hash stored on disk.

attacks

If someone gets their hands on your hashes (which they can't do unless they get root access somehow) they can try to figure out your password using a brute force method (trying every possible combination of letters, numbers, and symbols for a given number of charachters, encoding them, and comparing them to the hash), or a dictionary method (encoding huge word lists and comparing the hashes to yours). This takes forever, especially the brute force method. These passwords are pretty secure. The best way to ensure security is choosing a good password. Mac os x has a cool little utility to help you choose a good password built into the users and groups system preference.

Tools like john-the-ripper are used in these attacks. John cracked my password in about 9 hours, so I changed it. You need a patch to get it to try to crack salted SHA1 passwords.


 <<O>>  Difference Topic SecurityTeam (r1.1 - 24 Mar 2006 - ForrestEngland)
Line: 1 to 1
Added:
>
>
META TOPICPARENT CodingLikeYouMeanIt

Security Team

Security under Mac OS X

View topic | Diffs | r1.11 | > | r1.10 | > | r1.9 | More
Revision r1.1 - 24 Mar 2006 - 13:29 - ForrestEngland
Revision r1.11 - 24 Mar 2006 - 18:41 - ForrestEngland