U of Wisconsin's Mac OS X Security Challenge

Posted by Zonk on Tue Mar 07, 2006 10:10 AM
from the they-really-don't-have-anything-better-to-do-over-there dept.
digitalsurgeon writes "The University of Wisconsin [ed: Go Badgers] has launched a Mac OS X Security challenge, in response to a 'woefully misleading ZDnet article'. From the site: 'The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open.' Are you up to the task? Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less than 30 minutes? More information about the challenge is at http://test.doit.wisc.edu/. The challenge ends Fri 10 March 2006 10:00 AM CST." Update: 03/07 14:32 GMT by Z : Commentary on the contest and original claim is available at VNUNet.

Related Stories

Mac OS X Security Competition Ends in 30 Minutes (388 comments)
ninja_assault_kitten writes "ZDnet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good security was on his new fully patched Mac Mini. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest. According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'" It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.
IT: Call for Apple Security 'Czar' (254 comments)
conq writes "The second security non-incident to hit the Mac platform in as many weeks has been debunked. People are talking a lot about security on the Mac these days, and the result is that a great deal of FUD is being spread around. BusinessWeek's latest Byte of The Apple column suggests that it's time for Apple to appoint a security Czar to get out ahead of the FUD before it spreads much more." From the article: "Creating a CSO position may be viewed by some as an admission of weakness. Still, I say it would be a good way for Apple to inoculate itself against the perception -- warranted or not -- that Mac security may be eroding, and get ahead of the curve for any troubles that may be inevitable. That may not be the case, but in matters related to product marketing, it's the public perception, not the reality that really matters. And once you've lost a user's confidence, it's hard to get it back. Just ask Microsoft."
  • Prove it! (Score:5, Funny)

    by Bromskloss (750445) on Tuesday March 07 2006, @10:11AM (#14865906)
    Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less then 30 minutes?

    So guys, what do you say? Should we all maybe prove ZDNet wrong by not breaking into that computer?
    • by CheeseburgerBlue (553720) on Tuesday March 07 2006, @10:20AM (#14865964) Homepage Journal
      The poster then promptly disappeared in a puff of logic.
    • by Ford Prefect (8777) on Tuesday March 07 2006, @10:25AM (#14865997) Homepage
      I was appalled that someone might have hacked into this machine and thus given the impression that MacOS X was somehow ... insecure, so I hacked into it myself and patched it up with some new security features.

      So to anyone wanting to compete in this challenge: sorry. :-(
    • Easy, To Do (Score:5, Funny)

      by LifesABeach (234436) on Tuesday March 07 2006, @10:58AM (#14866233)
      The process is pretty simple, "It's too expensive to compromise the Hardware, but the Humanware; That's cheap, and easy. First your dog/pet/loved one is shot, dead, in front of you. The next comes easier. The gun is pointed at you, and you are given 2 minutes to change the web page to some off topic theme. If you are given an extra 5 minutes, you'll learn Photoshop so that you can put an image of you doing it to a male Shetland pony in front of the members of the supreme court, all looking down on you and smiling in that knowing fashion." The D.O.D. Security Instructor that said this to me didn't even bat an eye; That's the chilling part.
  • A Different Test (Score:5, Informative)

    by Paradise Pete (33184) <listcatcherNO@SPAMfastmail.fm> on Tuesday March 07 2006, @10:11AM (#14865907) Journal
    While I appreciate this test, and expect it to not be breached, it is simply not the same test. The original test was to see if a regular local user could elevate its privileges to admin. The fact that the "proof" was to be done by changing a web page is a red herring. The real story was that someone was (apparently) able to do that.

    This test is of the web server, and of remote cracking without local access. Also, the explanation page says that the original article did not mention that local access was given. Well, perhaps they've updated the article, but it certainly says so now:

    "Participants were given local client access to the target computer and invited to try their luck."
    As I said, I appreciate this test, but I am also concerned about the apparent ability of an ordinary local user to gain admin status.
    • by mekkab (133181) on Tuesday March 07 2006, @10:20AM (#14865963) Homepage Journal
      I think you can't "see the forest for the trees."

      The original test was equivalent to saying "I'll let a thief into my house. Let's see if he can steal anything!" Most houses don't have everything bolted down to the floor.

      But how often do you allow someone into your machine? For a desktop, not often, perhaps never.

      The biggest risk to most computers is a network based attack; this is the real meat and potatoes and a better test of the security of a machine.
      • by Paradise Pete (33184) <listcatcherNO@SPAMfastmail.fm> on Tuesday March 07 2006, @10:31AM (#14866043) Journal
        The original test was equivalent to saying "I'll let a thief into my house. Let's see if he can steal anything!"

        I don't think that analogy is quite apt. It's more like locking someone in your basement and they figure out how to gain access to your whole house.

        When I run a third party program I am essentially letting them inside, but as a non-privileged user I'm confining them to a specific area. But if this ability to elevate privileges turns out to be a fact, then any program I run can have full access.

        Right now we have only this one supposed demonstration of it. What I'd really appreciate seeing is that *original* test repeated. If we can look at this as if it were an experiment, then when someone publishes a result others try to repeat it under the same conditions. They don't conduct a different test with different conditions in order to disprove the original.

        • by Stalyn (662) on Tuesday March 07 2006, @11:17AM (#14866362) Homepage Journal
          If we can look at this as if it were an experiment, then when someone publishes a result others try to repeat it under the same conditions. They don't conduct a different test with different conditions in order to disprove the original.

          Science never enters the picture here, this is a religious debate.

        • Much better analogy! (Score:5, Interesting)

          by mekkab (133181) on Tuesday March 07 2006, @11:20AM (#14866398) Homepage Journal
          I don't think that analogy is quite apt. It's more like locking someone in your basement and they figure out how to gain access to your whole house.

          Okay - I like that analogy better. I've got deep deadbolts on my outside doors; the door between my basement and house has a cheap handle lock that can be popped with a long, thin screwdriver.

          Not to get lost in the analogy details, but I think you'll find most security skews the same way.


          When I run a third party program I am essentially letting them inside, but as a non-privileged user I'm confining them to a specific area. But if this ability to elevate privileges turns out to be a fact, then any program I run can have full access.


          I think this ability to elevate privs should be analyzed on a case by case basis for all programs; as such if you are concerned about what applications a user can and can't run, remove the ability to run those applications from the machine.

          However with most desktop machines your biggest worry isn't normally* an attack from within; it's usually from without.

          *) People on slashdot aren't normal and typically have needs that extend beyond normal users. Feel free to contribute some examples that counter this assertion.
    • Re:A Different Test (Score:5, Informative)

      by daveschroeder (516195) * <`ude.csiw.tiod' `ta' `sad'> on Tuesday March 07 2006, @10:23AM (#14865980) Homepage
      Yes, they updated the article.

      And the whole point isn't that the test "isn't the same". This is how most Mac OS X machines will appear to outside entities on the internet. The original article - and definitely before it was updated - left people with the impression that a Mac OS X machine could be owned in 30 minutes just by being connected to the internet, without the user "doing" anything, and the subsequent coverage of this in most press proves it. None speak to the fact that a local account was given, or even explore the implications. What could have been a useful article was useless, vague sensationalism. I updated the bottom of the page this morning:

      Update

      The ZDnet article has been updated to include the sentence, "Participants were given local client access to the target computer and invited to try their luck." But might it not have been interesting to explore:

      - What are the implications of local account access, and under what conditions might a computer be used in that way?

      - How can such access normally be obtained? Do home users behind firewalls and with no ports open need to worry?

      - How can a vendor fix the claimed local privilege escalation vulnerabilities when they are not informed of the issue?

      - What are the moral and ethical implications of knowing about allegedly severe vulnerabilities in products, like the "hacker" they interviewed, and actively choosing to NOT give the vendor an opportunity to fix the problem(s)?

      - How might a Linux or BSD distribution, other commercial UNIXes, or Windows stand up to a similar challenge, where anyone who wishes is given local account access?

      - A discussion about how, since much of OS X is closed, this might make it more difficult for the community to discover - and report and fix - potential vulnerabilities in the closed pieces.

      ...and things of that nature, instead of leaving people with the impression that any Mac OS X machine connected to the Internet can be taken over in 30 minutes?

      • by jav1231 (539129) on Tuesday March 07 2006, @10:35AM (#14866066)
        Exactly. If you wanted to truly compare OS X to Windows in this scenario, put a PC on the Net with TS opened and give out the user account information.
        • Re:A Different Test (Score:5, Interesting)

          by daveschroeder (516195) * <`ude.csiw.tiod' `ta' `sad'> on Tuesday March 07 2006, @11:16AM (#14866359) Homepage
          I say that on the actual site itself:

          Mac OS X is not invulnerable. It, like any other operating system, has security deficiencies in various aspects of the software. Some are technical in nature, and others lend themselves to social engineering trickery. However, the general architecture and design philosophy of Mac OS X, in addition to usage of open source components for most network-accessible services that receive intense peer scrutiny from the community, make Mac OS X a very secure operating system. There have been serious vulnerabilities in Mac OS X that could be taken advantage of; however, most Mac OS X "vulnerabilities" to date have relied on typical trojan social engineering tactics, not genuine vulnerabilities. The recent Safari vulnerability was promptly addressed by Apple, as are any exploits reported to Apple. Apple does a fairly good job with regard to security, and has greatly improved its reporting processes after pressure from institutional Mac OS X users: Apple is responsive to security concerns with Mac OS X, which is one of the most important pieces of the security picture.

          The "Mac OS X hacked under 30 minutes" story doesn't mention that local access was granted to the system. While local privilege escalation exploits can certainly be dangerous - and used in conjunction with things like the above Safari exploit - this isn't very informative with regard to the general security of a Mac OS X machine sitting on the Internet.


          Of course, I'd have no problem with this if the original article had actually talked about it meaningfully in the context of a local privilege escalation and explored the implications; instead, they just made it sound like you could throw a patched OS X box onto the internet and it'd get owned. The average reader would leave with that *distinct* impression, and most of the subsequent coverage of it talked about it exactly in that fashion.

          Mac OS X has had several local privilege escalation vulnerabilities, just as other OSes have had. Apple fixes them when they become known. (Also, and this is another discussion, but what can Apple do if the "hacker's" claims are correct, i.e., that the vulnerability is unknown to Apple? It doesn't prove that Mac OS X is "insecure"; all it "proves" is that open scrutiny is difficult with closed source pieces, and that some people intentionally and knowingly refuse to give vendors a chance to fix problems.)
    • by Fahrvergnuugen (700293) on Tuesday March 07 2006, @10:28AM (#14866020) Homepage

      The problem is that the media presents the original test as though Mac OSX is insecure out of the box. It's very misleading.

      An acquaintance of mine runs a small web hosting company. His original service plan offered SSH accounts to every hosting account. Despite his best efforts to secure the box, it was still rooted by a script kiddie.

      His customer's PC was compromised and the ssh password for his account on the linux server was found by the script kiddie. The shell account had access to GCC. The script kiddie logged in as the non privileged user and used gcc to compile a rootkit. The rest was a walk in the park.

      The OS was Slackware Linux. All of the accounts were jailed, and all of the "best practice" measures were taken to harden the box (I can't comment on every detail as I am not a Linux system admin).

      My point is that when a malicious user gains shell access to any *nix system, you're in deep trouble.

      My friend has since stopped offering SSH access to his customers.
      • by xiphoris (839465) on Tuesday March 07 2006, @11:02AM (#14866254) Homepage
        The real problem is that tests like this are garbage in the first place.

        In fact, Bruce Schneier [schneier.com] (a respected cryptographer, responsible for Blowfish) addressed the topic thoroughly almost 8 years ago in his column Crypto-Gram. Here's a relevant snippet:

        You see them all the time: "Company X offers $1,000,000 to anyone who can break through their firewall/crack their algorithm/make a fraudulent transaction using their protocol/do whatever." These are cracking contests, and they're supposed to show how strong and secure the target of the contests are. The logic goes something like this: We offered a prize to break the target, and no one did. This means that the target is secure.

        It doesn't.

        Contests are a terrible way to demonstrate security. A product/system/protocol/algorithm that has survived a contest unbroken is not obviously more trustworthy than one that has not been the subject of a contest. The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be. Contests generally don't produce useful data. There are three basic reasons why this is so.


        You can read the original here [schneier.com].
      • Re:A Different Test (Score:5, Informative)

        by Tim C (15259) on Tuesday March 07 2006, @10:27AM (#14866019)
        Lots of hosting companies offer ssh access, not to mention that if an account exists on the machine with ssh access, it may be only a matter of time before someone manages to gain access to it.
  • Logs (Score:5, Insightful)

    by Bromskloss (750445) on Tuesday March 07 2006, @10:13AM (#14865918)
    Maybe logs could be published (in real-time) so that we all can see some of what possible challengers are up to. That would be interesting.
  • * yawn * (Score:5, Insightful)

    by Noryungi (70322) on Tuesday March 07 2006, @10:17AM (#14865942) Homepage Journal
    I am sorry, but what exactly does this prove? That ZDNet is wrong? That Mac OS X is secure?

    It proves neither: every operating system on the face of this earth has been hacked, cracked, and 0wned. Numerous times. Get over it.

    Instead of inane, immature competitions such as this one, I'd rather have a nice manual (RTNM -- Read The Nice Manual) on how to improve/lock down an OS X machine. Even better, make that two manuals: one for the average joe, with nice color screenshots for every step that has to be taken, and another for people like me, who manage systems for a living. THAT would be a valuable contribution to the field of computer security, instead of this stupid challenge.

  • Possible Danger (Score:5, Insightful)

    by zaguar (881743) on Tuesday March 07 2006, @10:19AM (#14865955)
    Email das@doit.wisc.edu if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s).

    With virus/spyware becoming a multimillion dollar business, do you really think that the real hackers (sorry for the use of the term) will stay away from this, due to this very condition? Do you think that the dangerous exploits and cracks that are, for the moment, unknown to Apple, and are hence very valuable, will be willingly sent to Apple for some minor publicity and nothing material? No, they will be auctioned off in some sleazy IRC channel in Russia.

  • by catwh0re (540371) on Tuesday March 07 2006, @10:24AM (#14865991)
    I've noticed a significant rise in anti-macosx articles recently. To the point where I'm beginning to believe that it is staged. Each article usually has 3 points to make: Mac OSX is not *nix, Mac OSX is insecure and "easy" to hack (and not a target due to small install base), and that Apple are slow with patches to security faults.

    So far each article has been based on unique situations that lack credibility to begin with, give little detail, and take focus away from the fact that it's basically a machine running a collective of industry proven software (such as apache and openssh.)

    Also of note is that Mac OSX currently has a user base of over 10 million machines. So the argument that it's too small a target is ridiculous. In fact it's a bigger target as it's untouched territory with a bonus of headline making news.

  • Hint (Score:5, Informative)

    by spike2131 (468840) on Tuesday March 07 2006, @10:31AM (#14866045) Homepage
    One of the user names is "das".... as in http://test.doit.wisc.edu/~das/ [wisc.edu]

    So run that against a dictionary and see if you can get in....
  • One of the unusual things about the "hacked" machine was that Fink was installed. This most likely means that the Apple developer tools were installed (although Fink can install precompiled binaries), making it possible for the hacker to bring his own code and compile on the system. Although Apple ships the developer tools on the OS X client install DVD, it is not installed by default, nor is X11.

    Fink lists a catalog of 6359 open source projects [finkproject.org] that can be installed, many of which are tools that could help a hacker exploit a machine or that are exploitable in themselves. Fink is a Debian style package manager for Mac OS X.

    • by emerrill (110518) on Tuesday March 07 2006, @10:56AM (#14866226)
      The point of this is to see how secure the OS is w/o hardening, and in a more typical networked situation. For that matter they are softening it to attack compared to the stock configuration.

      The ZDnet article simply was not reported correctly, and gave the wrong implications. Even with the added sentence, the article tries to make it sound like it's vulnerable to remote exploits and you have to be worried about having your machine on the internet.