Mac OS X Security Competition Ends in 30 Minutes

Posted by Hemos
from the how-secure-is-secure dept.
ninja_assault_kitten writes "ZDnet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good security on his new fully patched Mac Mini was. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest. According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'" It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.
  • Why keep SSH on? (Score:4, Interesting)

    by tak amalak (55584) on Monday March 06, 2006 @11:56AM (#14858258)
    That's one of the first things you turn off to protect the machine.
  • gwerdna? (Score:5, Interesting)

    by Loconut1389 (455297) on Monday March 06, 2006 @11:56AM (#14858259)
    I wonder if the hacker's name is Andrew G. by any chance?

    What kind of hacker do you suppose he is? gwerdna is a pretty poor anagram of Andrew G.

    If that's not his name, it's fairly random.

    He's been using it since the end of 2004 at least. http://p212.ezboard.com/bnendowingsmirai.showUserPublicProfile?gid=gwerdna [ezboard.com]
  • by daveschroeder (516195) * on Monday March 06, 2006 @11:56AM (#14858262)
    Mac OS X Security Challenge [wisc.edu]

    In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, I have decided to launch a Mac OS X Security Challenge.

    The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

    Almost all consumer Mac OS X machines will:

    - Not give any external entities access
    - Not even have any ports open

    The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu (128.104.16.150). The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the requirements.
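The challenge's win condition is "alter the web page", so the defender-side question is how the owner would notice that. The following is an added example, not code from the challenge site or from any poster here: it baselines a web root with SHA-256 digests and reports modified, added and removed files. The web root, its files and the simulated alteration are constructed inline for the demo.

```python
"""Baseline-and-verify integrity check for a web root, to detect defacement."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest.
    Symlinks are skipped so a link pointing outside the web root is not followed."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline: altered content, new files, missing files."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then alter index.html and drop a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0 }\n")
        baseline = snapshot(root)                      # taken when the site is known-good
        (root / "index.html").write_text("<h1>Page altered</h1>\n")  # simulated defacement
        (root / "extra.html").write_text("<p>new</p>\n")             # simulated dropped file
        return diff_manifests(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is stored off-box (an attacker with a local account on the web server can rewrite a manifest kept beside the content) and the comparison runs from a cron job or a separate monitoring host.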
  • Re:Why keep SSH on? (Score:4, Interesting)

    by bombadillo (706765) on Monday March 06, 2006 @12:04PM (#14858336)
    It doesn't really matter that SSH was left on. The thing that made this easy was that they were allowed a shell account. Getting shell access is the easiest way to compromise a system. Let's see how long it would take without a shell.
  • by Opportunist (166417) on Monday March 06, 2006 @12:05PM (#14858344)
    Don't feel lonely, Mac-geeks, you're in the very good company of Linux users. The benefit of your security: You're uninteresting.

    Since "hacking" and all the other activities that end in "-ing" and often start with a "ph" are no longer fun pastimes for geeks but actually became a hunting ground for very money oriented very well organized criminal organisations, security is in small numbers: An attack has to hit as many targets as possible. Maximize your output. And, well, if there are potentially 100 Linux boxes out there with a blatant security hole or 10.000 boxes running Windows with an obscure and hard to exploit hole, the latter will be chosen.

    Not (only) because the respective users usually also employ a very different attitude towards security and because they usually have very different levels of understanding concerning the abilities and liabilities of their machines. But simply because you can hit more targets with your attack.

    Plain and simple as that.

    You can run the most insecure, most open system you want, as long as you're the only one using it you're safe. Unless hacking you alone already warrants the cost associated with it.

    Yes, hacking has become a matter of cost/benefit calculation.
  • by kidjan (844535) on Monday March 06, 2006 @12:09PM (#14858388) Journal
    ...consider disconnecting your Internet connection. Duh.

    The only trend to security is that there isn't any financial motivation to hack small-potatoes.
  • by acomj (20611) on Monday March 06, 2006 @12:11PM (#14858403) Homepage
    This was a while ago, but when you give a user a local account, it's almost assumed that if they really wanted to they could get root. You should take care when giving out accounts.

    It's like giving physical access to a machine. If you give physical access to any linux machine, it's not hard to log onto it. (this is why you lock up the machines!)

  • by Anonymous Coward on Monday March 06, 2006 @12:57PM (#14858910)
    Here's a different analogy. You like to entertain guests in your home, and since you don't trust all your guests 100% (new friends, children, etc.) you keep your jewelry locked in your bedroom, which should keep it safe from any potential thieves ... it turns out that people were able to get into your bedroom by unlocking it with a paperclip. Upon notifying the lock manufacturer of this defect the manufacturer calls you 'dumb' for allowing guests into your home at all and advises you that the problem isn't the lock but that you stupidly allowed people into your home.

    As a side note, I am truly amazed by Apple's marketing abilities ... they sure do have 'loyal' consumers.
  • by TClevenger (252206) on Monday March 06, 2006 @01:04PM (#14858975)
    What I'd be interested in is putting other operating systems on with the same rules as the submitter (fully patched system with free local accounts to any who ask) and see if Linux, Windows Server or any of the BSDs can stand up to the challenge.
  • by Anonymous Coward on Monday March 06, 2006 @01:08PM (#14859008)
    Well, 'das' is one of the accounts on the machine. Asking for http://128.104.16.150/~das [128.104.16.150] returns the standard 'insert your web page here' web page.
  • Astroturfing? (Score:5, Interesting)

    by aphor (99965) on Monday March 06, 2006 @01:45PM (#14859408) Journal

    The whole article seemed to culminate in the following information: some guy said if Macs were more popular they would have a worse record than "other operating systems." It seems to be comparing OS X to Linux, but it isn't entirely clear what the baseline is for their eval of Mac OS X and it also doesn't clarify what exactly makes these OSs different. Also, the web site defacement isn't proof that the person with an unprivileged account acquired superuser privileges to do anything other than deface the web page. I don't doubt it could have happened, but maybe it did and maybe it didn't...

    "The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms.... If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems," said Archibald at the time.

    Also, giving people LDAP accounts on the machine is really cheating. Maybe some noobs get a boner when someone fuzzes the hell out of a box from a local account until they get some fuzz escalated **BORING**. If they really wanted to throw down the gauntlet, then we would see Mandatory Access Control [freebsd.org] implemented on OS X. The big difference is that the MAC policies would be enforceable at the Mach [stepwise.com] MK level (on Mach ports, tasks, processes...), and OS X would be the ONLY OS with a security policy interface that could come close to usable for average people.

  • multi-platform hack (Score:3, Interesting)

    by farble1670 (803356) on Monday March 06, 2006 @02:04PM (#14859619)
    what would be much more interesting is if some nice person set up multiple OS platforms, configured them with the same services, and waited to see how long it'd take to hack each of them. maybe lock them down a little more than the mac mini test, just to make it more of a challenge. maybe: windows XP, os x, solaris, and a couple of linux dists ... ?
  • by GlobalEcho (26240) on Monday March 06, 2006 @03:31PM (#14860531)
    I'm rather annoyed that "gwerdna" or whatever his name was didn't tell us

    Hmm. Maybe we should ask Andrew G?

    (Hint: backwards)
  • Re:gwerdna? (Score:3, Interesting)

    by Creepy (93888) on Monday March 06, 2006 @04:00PM (#14860888) Journal
    yep - and incidentally, Werdna was Andrew Greenberg... - which could be gwerdna... odd coincidence?

    Not related at all, but the other guy that wrote Wizardry, Robert Woodhead, was Trebor.
  • by daveschroeder (516195) * on Monday March 06, 2006 @04:59PM (#14861527)
    Yes. And I explain that on the site.

    But the original article makes it look like any Mac OS X machine out on the internet could just get "hacked", and was "easy pickings". Do you, or do you not, agree that the article should have made *some* reference, at least in passing, that people were allowed to have local accounts on the machine? I.e., a way that the vast, vast, vast majority of consumer Mac OS X machines will never be used (to say nothing that they'll probably never have any ports open, either)?

    So there's a local privilege escalation vulnerability that, according to the "hacker", hasn't been reported to Apple. So if it's "unpublished", and therefore hasn't (likely) been reported to Apple, what is Apple to do about it?

    The article is not fair because it doesn't tell a critical detail about the situation: that LOCAL ACCESS was allowed. If you don't think that's a *huge* omission in this context, I don't know what else to say. The majority of people who read that article will leave with the specific and distinct impression that a Mac OS X machine can be "hacked" just from being connected to the internet. That is patently untrue. I'm simply showing that.
  • Wrong! (Score:2, Interesting)

    by Ibu001 (959367) on Monday March 06, 2006 @08:08PM (#14863059)
    That's just wrong, sorry. There were at least two bugs in MacHTTP I discovered in 96, iirc:

    - URL /M_A_C_H_T_T_P_V_E_R_S_I_O_N gave statistics about the server and wasn't documented (i.e. it was a back door). There was a discussion on MacHTTP mailing list, many Mac fans estimating this was a feature and not a backdoor, and finally MacHTTP was changed to provide only a version string instead of statistics.

    - There was a bug in the URL parsing code which permitted reading the data fork of any file provided you knew its path. This bug existed in MacHTTP 2.2 and was fixed in 2.2.1 when I notified MacHTTP's author.
