Macintosh Security Site -> iDisk under Mac OS X 10.1 is significantly less secure... By Open Door Networks

Site Information

	About this site
	Site Background
	Who runs the site
	Advertising
	Security Consulting
	Employment/Jobs
	Feedback Form

SecureMac Software

	MacScan
	PrivacyScan

Mac OS X Security

	Root Shell in 4 steps with setuid apps
	sudo buffer overflow exploit + fix
	Disable Single User Boot Mode
	Malevolence - Dumping Passwords
	nidump security
	Startup Security - Open Firmware Password Protection

Mac OS X Network Security

	OpenSSH for Mac OS X
	SAINT
	Secure FTP Wrapper
	Ettercap - sniffer interceptor logger
	Snort - Network Intrusion Detection System
	SSH Admin
	SSH Helper
	xnu - enable MAC Address spoofing

Mac OS X Virus

Virex for Mac OS X - Command Line Scanner

Mac OS X Firewalls

	BrickHouse Firewall Utility
	Firewalk Firewall Utility
	NetBarrier X

Mac OS X App Sec.

Timbuktu OS X Preview Security Advisory + Fix

Mac OS X Encryption

	LittleSecrets
	Crypt for Mac OS X
	GPGMail - PGP Functionality

Mac OS X DoS

Mac OS X CGI Flaw

SecureMac Library

	Data Loss Prevention & Recover
	Mac Cable Modem Security
	Mac Security Auditing
	Mac OS X Security Understanding
	Mac OS X Security Second Lessons
	Mac OS X Security Third Lesson
	Mac OS X Single User Mode Root Access
	Mac OS X Shareware Firewalls
	Mac OS X Secure Installation
	Cable & DSL Connections - Security Measures
	Better Safe than Sorry
	Apple.com Security Resources
	Marketing Macintosh Security Programs

Mac OS X iDisk Security Advisory
Discovered: Open Door Networks
(WebDAV protocol standards not followed leaving passwords in plaintext visible to any hacker.)

Fix: Use the Software Update feature in Mac OS X to resolve the issues with WebDAV security issues.

Security Advisory: Apple's Mac OS X iDisk WebDAV vulnerability

Open Door Networks recently discovered that Apple's iDisk under Mac OS X 10.1 wasn't properly written to WebDAV standards. They said in Mac OS X 10.1 your iDisk is usually accessed using the WebDAV protocol rather than the Apple Filing Protocol (AFP) used previously. Like AFP, WebDAV is supposed to not send your password over the Internet, so in that respect it should be as secure as AFP. However the implementation of WebDAV in Mac OS X 10.1, as used with iDisk, violates the WebDAV specification and sends your password in a way that makes it is easy for hackers to discover.

iDisk under Mac OS X 10.1 is significantly less secure than under previous versions of Mac OS X.

Apple not following the standard WebDAV protocol made it possible for any hacker who has access to sniff the network to see your password in plaintext. After the password has been sniffed the hacker has full access to read and write the files on your iDisk and the personal homepage and MAC.COM e-mail account.

If you select "iDisk" from the "Go" menu or click on the iDisk icon in the Finder, your iDisk will be vulnerable.

Open Door Network suggests to connect to iDisk the old (secure) way under Mac OS X 10.1, you should use "Connect to Server" under the "Go" menu and enter the address "afp://idisk.mac.com". Doing so is highly recommended until Apple comes out with a fix for this problem.

The book "Internet Security for Your Macintosh: A Guide for the Rest of Us" (written by two Open Door employees) provides additional technical details on how a hacker could look at your data and extract your password. See the chapter "Just Say No to FTP". The book also includes a full chapter specifically on Mac OS X Internet security. Well worth the read. Although I do not think it includes a link to SecureMac.com (;

FEEDBACK TIME!
If you have any alternative solutions for this problem please let us know.

Enter Email Address:

Enter your message:

Select Either of These Two Buttons

Special Thanks to Open Door Networks for Discovering and reporting this security issue

Security + OS

	AtEase
	DiskLock
	PowerBook Security Control Panel
	Empower Pro
	FileGuard
	FreeGuard
	FoolProof
	Deus Lock Master
	OnGuard
	Keys Off
	LockOut
	MacOS Algorithm
	Modem Security
	Password Key
	PGPuam
	PPF
	Shift Key Suite
	Stealth Signal
	SuperLock Lite
	SuperLock Pro
	Web-Confidential

Macintosh Viruses

	Agax 1.3
	Disinfectant
	Sophos Anti-Virus
	Norton AntiVirus Nav 7 Nav 6 Nav X
	Virex - Oct
	VirusBarrier - Netupdate
	vScan - Discontinued.

Mac Physical Security

SecurityWare

Macintosh Firewalls

	ContentBarrier
	DoorStop Firewall
	Firewall Q & A
	IPNetSentry
	NetBarrier
	Norton Personal Firewall

Mac Spyware & Privacy

	TypeRecorder
	Monitorer
	NetShred - Delete Files Safely

Network Security

	AppleTalk
	MacAnalysis
	Oyabun Tools
	WDTech RAE
	ToolDaemon

Application Security Issues

	America Online
	AIM - AOL Instant Messenger
	Back Orifice
	Eudora E-Mail Client
	Internet Configure
	IE 5.1, OE 5.1, Powerpoint, Excel Vulnerability
	MS Personal webServer
	NetBus
	Outlook Express 4.5 Password Flaw
	SubSeven
	Sub7ME Server

Resource Info

	ResEdit
	AppleShare Server Info

Mac OS Encryption

	Enigma
	EnScript
	FGP
	FileTwister
	ForgotIt?
	GenPass
	MacLockSmith
	My-Privacy
	My Secret
	PGPi
	PGPhone
	PGP Personal
	PGP Freeware
	PowerCrypt-dev
	Private File
	Quick Encrypt
	SubRosa Utilities
	Tresor

Deleting Files

	Burn 2.5
	Eraser Pro
	ShredIt

Backups

Tri-BACKUP

Apple Hardware

Apple LaserWriter

MacOS DoS

	GrouchySmurf
	Mac Attack