Mac OS X Security Competition Ends in 30 Minutes
ninja_assault_kitten writes "ZDnet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good security was on his new fully patched Mac Mini. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest.
According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'." It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.
Why keep SSH on? (Score:4, Interesting)
gwerdna? (Score:5, Interesting)
What kind of hacker do you suppose he is? gwerdna is a pretty poor anagram of Andrew G.
If that's not his name, it's fairly random.
He's been using it since the end of 2004 at least. http://p212.ezboard.com/bnendowingsmirai.showUser
Mac OS X Security Challenge (Score:5, Interesting)
In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, I have decided to launch a Mac OS X Security Challenge.
The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.
Almost all consumer Mac OS X machines will:
- Not give any external entities access
- Not even have any ports open
The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu (128.104.16.150). The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the requirements.
Re:Why keep SSH on? (Score:4, Interesting)
Security in small numbers (Score:2, Interesting)
Since "hacking" and all the other activities that end in "-ing" and often start with a "ph" are no longer fun pastimes for geeks but actually became a hunting ground for very money-oriented, very well-organized criminal organisations, security is in small numbers: An attack has to hit as many targets as possible. Maximize your output. And, well, if there are potentially 100 Linux boxes out there with a blatant security hole or 10.000 boxes running Windows with an obscure and hard to exploit hole, the latter will be chosen.
Not (only) because the respective users usually also employ a very different attitude towards security and because they usually have very different levels of understanding concerning the abilities and liabilities of their machines. But simply because you can hit more targets with your attack.
Plain and simple as that.
You can run the most insecure, most open system you want, as long as you're the only one using it you're safe. Unless hacking you alone already warrants the cost associated with it.
Yes, hacking has become a matter of cost/benefit calculation.
If you want a secure computer... (Score:2, Interesting)
The only trend to security is that there isn't any financial motivation to hack small-potatoes.
local account = assumed root access (Score:5, Interesting)
It's like giving physical access to a machine. If you give physical access to any Linux machine, it's not hard to log onto it. (This is why you lock up the machines!)
Re:Doors unlocked, windows open (Score:1, Interesting)
As a side note, I am truly amazed by Apple's marketing abilities
Re:Mac OS X Security Challenge (Score:4, Interesting)
Re:Mac OS X Security Challenge (Score:1, Interesting)
Astroturfing? (Score:5, Interesting)
The whole article seemed to culminate in the following information: some guy said if Macs were more popular they would have a worse record than "other operating systems." It seems to be comparing OS X to Linux, but it isn't entirely clear what the baseline is for their eval of Mac OS X and it also doesn't clarify what exactly makes these OSs different. Also, the web site defacement isn't proof that the person with an unprivileged account acquired superuser privileges to do anything other than deface the web page. I don't doubt it could have happened, but maybe it did and maybe it didn't...
Also, giving people LDAP accounts on the machine is really cheating. Maybe some noobs get a boner when someone fuzzes the hell out of a box from a local account until they get some fuzz escalated **BORING**. If they really wanted to throw down the gauntlet, then we would see Mandatory Access Control [freebsd.org] implemented on OS X. The big difference is that the MAC policies would be enforceable at the Mach [stepwise.com] MK level (on Mach ports, tasks, processes...), and OS X would be the ONLY OS with a security policy interface that could come close to usable for average people.
multi-platform hack (Score:3, Interesting)
Re:Perhaps with a desktop Mac (Score:3, Interesting)
Hmm. Maybe we should ask Andrew G?
(Hint: backwards)
Re:gwerdna? (Score:3, Interesting)
Not related at all, but the other guy that wrote Wizardry, Robert Woodhead, was Trebor.
Re:Mac OS X Security Challenge (Score:4, Interesting)
But the original article makes it look like any Mac OS X machine out on the internet could just get "hacked", and was "easy pickings". Do you, or do you not, agree that the article should have made *some* reference, at least in passing, that people were allowed to have local accounts on the machine? I.e., a way that the vast, vast, vast majority of consumer Mac OS X machines will never be used (to say nothing that they'll probably never have any ports open, either)?
So there's a local privilege escalation vulnerability that, according to the "hacker", hasn't been reported to Apple. So if it's "unpublished", and therefore hasn't (likely) been reported to Apple, what is Apple to do about it?
The article is not fair because it doesn't tell a critical detail about the situation: that LOCAL ACCESS was allowed. If you don't think that's a *huge* omission in this context, I don't know what else to say. The majority of people who read that article will leave with the specific and distinct impression that a Mac OS X machine can be "hacked" just from being connected to the internet. That is patently untrue. I'm simply showing that.
Wrong! (Score:2, Interesting)
- URL
- There was a bug in the URL parsing code which permitted reading the data fork of any file provided you knew its path. This bug existed in MacHTTP 2.2 and was fixed in 2.2.1 when I notified MacHTTP's author.