Mac OS X Security Competition Ends in 30 Minutes
ninja_assault_kitten writes "ZDnet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good security on his new fully patched Mac Mini was. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest.
According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'." It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.
That's one of the first things you turn off to protect the machine.
Don't lead me into temptation... I can find it myself.
I wonder if the hacker's name is Andrew G. by any chance?
What kind of hacker do you suppose he is? gwerdna is a pretty poor anagram of Andrew G.
If that's not his name, it's fairly random.
He's been using it since the end of 2004 at least. http://p212.ezboard.com/bnendowingsmirai.showUser
Mac OS X Security Challenge
In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, I have decided to launch a Mac OS X Security Challenge.
The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.
Almost all consumer Mac OS X machines will:
- Not give any external entities access
- Not even have any ports open
The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu (128.104.16.150). The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the requirements.
"Let the flood of *I challenge you to hack me* ip posts begin...
:( )
You can start with this one: XX.XX.XXX.XXX.
(Man... I just didn't have the heart to post it.)
-=fshalor
How many local privilege elevation exploits exist? Why am I not surprised. They should have mentioned it was NOT a remote exploit.
The war with islam is a war on the beast
The war on terror is a war for peace
My IP is 127.0.0.1. :)
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
Okay, I'm game. This OS X has every port open, no firewall, so go ahead! 81.68.209.58 aka kilburn.nl
What was this fool trying to prove? He allowed direct SSH access to the machine! Of course someone is going to hack it! Once you're inside the system, it becomes incredibly easy to find configuration mistakes and exploit holes in privileged programs. Remember, this system runs much of the same software as Linux and FreeBSD. Much of that software hasn't been properly audited and locked down. Why? Because this is a desktop machine.
Mac OS X security primarily stems from not doing anything stupid by default. Which means that there are no remote services enabled, the system tries to be intelligent about handling executable files (like most Unixes), and super-user functionality is handled by Sudo. But that's not a bullet-proof vest. There's nothing in the system that makes it automagically secure against all attacks. So if you want security, don't turn on those remote services, and don't give out SSH accounts!
Javascript + Nintendo DSi = DSiCade
This contest would be much more relevant if the machine was remotely exploited. Few OSs in their default configuration would be able to stand up to an attacker with local access.
/ waits for *OMG NOT JOO NEWB
To a nail, every person with a hammer looks like a problem.
To fully protect a Windows/Linux/BSD/OS X box, pull out the network cable.
But since that's not worth much, I suppose you can say a totally secure box isn't something from the near future.
I rm -rf
Don't feel lonely, Mac-geeks, you're in the very good company of Linux users. The benefit of your security: You're uninteresting.
Since "hacking" and all the other activities that end in "-ing" and often start with a "ph" are no longer fun pastimes for geeks but actually became a hunting ground for very money-oriented, very well organized criminal organisations, security is in small numbers: An attack has to hit as many targets as possible. Maximize your output. And, well, if there are potentially 100 Linux boxes out there with a blatant security hole or 10,000 boxes running Windows with an obscure and hard to exploit hole, the latter will be chosen.
Not (only) because the respective users usually also employ a very different attitude towards security and because they usually have very different levels of understanding concerning the abilities and liabilities of their machines. But simply because you can hit more targets with your attack.
Plain and simple as that.
You can run the most insecure, most open system you want, as long as you're the only one using it you're safe. Unless hacking you alone already warrants the cost associated with it.
Yes, hacking has become a matter of cost/benefit calculation.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If it were Windows, you'd not have seen this as an issue. Plus he was talking about default stuff. Windows is safe if you patch your system, leave the firewall on, and, yeah, don't web browse ;).
Btw, Windows hasn't had a network based remote exploit since SP2 came out. That is, to get compromised you must either visit a malicious website or view an email that contains malicious code (Mac OS was vulnerable to this too until they patched it a couple weeks ago).
I'm not really sure why this competition happened in the first place. If you were a Mac OS X enthusiast wanting to show the "amazing" security of your OS, why would you leave the first major door wide open?
And who gains from this publicity? It would seem like sponsoring a hacking competition that took MORE than 30 minutes (seemingly the goal of such an event) would be good for Apple, but then why leave the system more vulnerable at the start of the contest? And if it was really sponsored by an anti-Apple group posing as a pro-Apple group, why have the hacker claim that Macs are essentially "small pickin's"?
It just doesn't make sense...
The contest mentioned in the article is available here http://rm-my-mac.wideopenbsd.org.nyud.net:8080/
...consider disconnecting your Internet connection. Duh.
The only trend to security is that there isn't any financial motivation to hack small-potatoes.
This was a while ago, but when you give a user a local account, it's almost assumed that if they really wanted to they could get root. You should take care when giving out accounts.
It's like giving physical access to a machine. If you give physical access to any Linux machine, it's not hard to log onto it. (This is why you lock up the machines!)
What's interesting in this case (and different from real world servers) is that they gave SSH login accounts to the people testing the system.
The idea was to test that even *if* someone had all the access that SSH allows, how easy it would be to get further.
(my guess is that the parent is a msft troll trying to suggest that windows terminal services is safer than ssh because ssh was enabled here)
Didn't we just have a discussion over how people leave their wireless AP open for anyone to use? I don't think the SSH agent is on by default, and I think that the firewall blocks it by default, but that doesn't mean this is always the case. Given the reality of modern setups, where cable modems and wireless give untrusted parties direct access to the computer, I hardly see this hack as having no practical implications.
Of course such contests are of no practical use. Either they end with the machine hacked, which is simply to be expected, or they end with the machine not hacked, which proves nothing.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
This "30 min" contest was for people with an actual SSH account given to them for a LOCAL exploit, so it's not a remote exploit; it also is not the most secure version of the Mac OS, but for SERVERS, nothing is as secure as MacOS.
.mil
:
Despite many high profile web sites and servers using OS9 for many years, not one database entry in the large BugTraq database documents a remote exploit for standard Mac OS in the history of the internet, even with a common web server running on it.
Even the US Army used Macs exclusively (mostly MacOS 9 until recently) after being routinely rooted using Unix and MS Windows NT. For many, many years www.army.mil has been run on Macintoshes exclusively.
The same is true of many colleges that were rooted and defaced too often on Linux. They installed WebStar and OS 9 and never had to worry again.
http://uptime.netcraft.com/up/graph/?host=www.army
http://www.google.com/search?q=army+webstar+"os-9"
Check it out yourself. This entire post is full of factual citations and 100% facts.
No mac in the history of the internet hosting a web server has ever been rooted or defaced remotely.
Why?
Because not one version of Mac OS has ever had a single exploitable hole ever discovered (classic Mac OS now up to version 9.2.2 on currently sold G4 towers). OpenBSD has had no less than 5 holes (not one) in the default install in the last two years. Mac OS has had ZERO in over 8 years, even when paired up with its preferred web server app.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.
That is why the US Army gave up on MS IIS and got a Mac for a web server. Currently it is a honeypot for OSX testing, and the US Army uses regular Mac OS on other internal servers.
This post is not talking about FreeBSD-derived MacOS X (which already has more than 50 exploits and potential exploits in the BugTraq database, and was in the news yesterday with Symantec claiming in March 2005 that OSX has remote exploits). I am talking about current Mac OS 9.x and earlier, which are highly sophisticated abstract-OS models.
Why is it hack proof? These reasons:
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"
2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
3> Pascal strings. ANSI C strings are the number one way people exploit Linux and Wintel boxes. The Mac avoids C strings historically in most of its OS. In fact even its ROMs originally used Pascal strings. As you know Pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is fewer buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "Pascal string" is, it usually has no null byte terminator. Additionally certain types of compilers can check range on assignments to prevent out of bounds. Furthermore many good programmers ensure that the bounds are not overwritten.
4> Macs running WebStar have the ability to only run CGI placed in the correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward
Come and get it, kids...
Real Daleks don't climb stairs - they level the building.
This hacking contest doesn't prove anything about security; I saw that the user didn't apply the recommended guidelines to secure a system. This contest would be more fun if it were with an OpenBSD system installed by default.
http://www.michel.eti.br
Before the Mac-o-philes here start getting all bent out of shape, perhaps reading the article in question would be a good start...
Here's a salient quote:
"The rm-my-mac challenge was setup similar to how you would have a Mac acting as a server -- with various remote services running and local access to users... There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.
"There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches -- good examples for Linux are the PaX patch and the grsecurity patches. They provide numerous hardening options on the system, and implement non-executable memory, which prevent memory based corruption exploits," said gwerdna.
Bad anagram for a name or not, the guy sounds like he knows what he is talking about. There is a link to another article as well that talks about Apple's lack of diligence on security issues. Here's a link:
http://zdnet.com.au/news/security/soa/Ancient_fla
The point is that Security is everybody's business, and no company can afford to slack. Not even the lily-white Apple is immune.
Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
I have a feeling that the Reality Distortion Field has already cancelled whatever negative effect this has had
So SSH was on and accessible? Dumb move. Like saying "I dare you to steal my jewelry from my bedroom -- oh, and my house is unlocked with the windows open."
But maybe people WANT something to be stolen. Many years ago, the garbagemen (sanitation workers) in NYC went on strike, and garbage was piling up in the streets. A relative of mine in Brooklyn still managed to get rid of his: he put it in big boxes, wrapped the boxes in gift paper with bows, and left them in his car with the doors unlocked. They always got stolen.
How this applies to the story, I dunno, but I still think it's funny.
$nice = $webHosting + $domainNames + $sslCerts
A lot of hoopla and it's over in a very short period of time. Kinda reminds me of the first time I had sex. Note: to most slashdot users, this sex thing I refer to is like compiling a kernel on Gentoo using -O3 and having it be stable.
Andrewg does know what he's talking about. andrewg has published papers (not on Mac security) and is part of some wonderful communities, pulltheplug.org and felinemenace.org. I assure you that this machine would have been hacked... with SSH access or not. I think it shows the importance of having patches that minimize possible exposure (i.e. grsec/pax etc.) that would have decreased the chances of successful exploitation dramatically.... but then again nothing is bullet proof
Want to have some fun? Count how many posts show up that try to make excuses for the Mac. Man, if this were a Windows box, I assure you that 99% of the posts would be slamming MS w/o a second thought.
Although people want to point out that they shouldn't have allowed people to have an SSH connection, you need to keep in mind that an SSH connection was allowed because they thought the config was secure enough to handle it.
I do give them kodos for allowing the hack contest to take place. The best way to test your software is to allow others to try and break it. Hopefully they will fix the exploit and run the contest again.
Excuse me, but if your OS can be rooted in 30 minutes from a local account, you have no business calling it secure. UNIX is supposed to have multiple local accounts and still be secure with them all running. If you close down every network port on a machine and say "come get me now", that's really not saying much. I, for one, would really like to know how he managed to get root from a local account, so I can verify I don't have the same problem on my server, which really does have ssh access to more than one person.
The first thing that I'm going to do as a "normal user" is turn on SSH and Personal Web Sharing. Then I'm going to give anyone who wants access to my machine an SSH account.
This "test" was silly and unrealistic, at best.
Here's a "real" test:
1) Turn on brand new Mac Mini
2) Update to latest rev of OS
3) Try to hack it from the Internet, without knowing its IP address.
Good frackin' luck!
"To make a mistake is only human; to persist in a mistake is idiotic." Cicero
We have a Mac server here at work for testing; we set it up 100% default, mainly because none of us are Mac people. A quick nmap (using just well known ports) reveals not only is SSH open, but several others. Also, non-open ports report closed, not filtered, indicating no firewall, at least none with respect to its local subnet.
Not saying there's anything wrong with this, Solaris, FreeBSD, et al are the same, but while SSH may need enabling on a Mac desktop, it does not appear to on a Mac server.
I'm disturbed by the attitude that anything but a remote exploit against an ideally (not typically or justifiably) configured box is meaningless or misleading.
What good is a door if it's welded shut? Wouldn't a proper lock be more useful?
Security should be about maximizing functionality securely, not limiting it.
Yep, cuz' we know stupid Mac users are always going around enabling SSH and giving shell accounts to total strangers.
Oh, wait, 99.9% of Mac users are blissfully ignorant of what security defaults to change to make their system more hacker-friendly.
Kang might have something to say about that.
The CB App. What's your 20?
Try reading the article or at least the /. post. Limiting yourself to the slashdot headline won't quite do. This wasn't Apple holding a contest. It was a single "enthusiast" in Sweden.
(And the term is "kudos.")
"Fundamentalism" isn't about divine morality. It's about human authority.
It's clear what's going on here. Billions of dollars must be protected. The sheep must be kept on Windows. Excellent explanation here: Spate of recent Mac security stories signal that Microsoft, others getting nervous
It's because there are a huge number of more insecure targets. If the market share of the Macs was 50%, Windows would still get most of the exploits, simply because it is easier to hack. OTOH, if all the Windows machines disappeared, then you WOULD see a whole slew of Mac exploits. Without low-hanging fruit, the hackers would target the next tempting target, and some of them would get in, especially if the WinLusers switched to the Mac.
The title to this is completely inaccurate. If the person that submitted the article would have read it, they would have realized that it was hacked after several hours; however, the person that did it said it took only 30 minutes for the person to complete his work. Care to reword this please?
I can only please one person a day. Today is not your day, and tomorrow does not look good either.
"That's one of the first things you turn off to protect the machine." No, you don't have to turn it off. Just don't give out user accounts to other people. These guys who broke in were given accounts with passwords. SSH is very secure as long as you closely control what accounts may be accessed via ssh and verify that these accounts use strong passwords. But if your machine has an account with username "bob" and uses "bob" as the password, your system is wide open, or at least Bob's account is.
"The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack." That's like giving someone the keys to your house and seeing if they can steal something.
There are two lessons to learn here.
First, if you're running services from your Mini-Mac workstation connected directly to the internet, don't enable ssh without a strong upstream firewall.
Secondly, don't hand out local accounts to someone named 'gwerdna'.
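The two points above (control which accounts can log in over ssh and make sure they have strong credentials; don't expose ssh to the whole Internet) can be checked against an sshd_config. The script below is an added example, not from any post in this thread. The sample configs are constructed; the keywords (PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, AllowUsers, AllowGroups) are real OpenSSH sshd_config keywords, and the lookup follows sshd's documented rule that the first occurrence of a keyword wins. The hardened sample restricts logins to named accounts from named hosts with the user@host form of AllowUsers, which is sshd's own way of expressing the "strong upstream firewall" point at the daemon level.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the account controls in
# an sshd_config along the lines the posts above describe. Config texts here
# are constructed samples; the keywords are real OpenSSH sshd_config keywords.

# Effective value of a keyword in config text $1. sshd honours the FIRST
# occurrence of a keyword, so stop at the first non-comment match; keyword
# names are case-insensitive. Comment lines start with '#', so $1 never matches.
ssh_setting() {
    printf '%s\n' "$1" | awk -v key="$2" \
        'tolower($1) == tolower(key) { print $2; exit }'
}

# Print one finding per line for the config text in $1.
audit_sshd_config() {
    cfg="$1"

    # sshd of that era defaulted PermitRootLogin to yes, so "unset" is a finding too.
    v=$(ssh_setting "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset}': root is reachable over ssh, set it to no"

    # With password logins on, a weak password (bob/bob) on any allowed account is the perimeter.
    v=$(ssh_setting "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication is '${v:-unset}': each allowed account is only as strong as its password, prefer keys"

    v=$(ssh_setting "$cfg" PermitEmptyPasswords)
    [ "$v" != "yes" ] || echo "PermitEmptyPasswords yes: accounts without a password can log in"

    # Without AllowUsers/AllowGroups every local account, including ones handed out, gets an ssh login.
    users=$(ssh_setting "$cfg" AllowUsers)
    groups=$(ssh_setting "$cfg" AllowGroups)
    [ -n "$users$groups" ] || echo "no AllowUsers/AllowGroups: every local account can log in over ssh"
}

# Number of findings, printed as a plain number (awk always exits 0, even for zero lines).
count_findings() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

# Constructed sample: ssh switched on and left at defaults, accounts handed out.
sample_weak_config() {
    cat <<'EOF'
# constructed sample, not a real machine's config
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
EOF
}

# Constructed sample: same service, logins limited to named accounts from named hosts, keys only.
sample_hardened_config() {
    cat <<'EOF'
# constructed sample, not a real machine's config
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers dave@192.168.1.* operator@10.0.0.5
EOF
}

echo "== weak sample =="
audit_sshd_config "$(sample_weak_config)"
echo "== hardened sample =="
audit_sshd_config "$(sample_hardened_config)"
```

Run it as-is to see the three findings on the weak sample and none on the hardened one; to audit a real machine, replace the sample with `audit_sshd_config "$(cat /etc/sshd_config)"` (the path on OS X 10.4) and treat each finding as a decision to make deliberately, not a rule that must be followed blindly.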
The whole article seemed to culminate in the following information: some guy said if Macs were more popular they would have a worse record than "other operating systems." It seems to be comparing OS X to Linux, but it isn't entirely clear what the baseline is for their eval of Mac OS.X and it also doesn't clarify what exactly makes these OSs different. Also, the web site defacement isn't proof that the person with an unprivileged account acquired superuser privileges to do anything other than deface the web page. I don't doubt it could have happened, but maybe it did and maybe it didn't...
Also, giving people LDAP accounts on the machine is really cheating. Maybe some noobs get a boner when someone fuzzes the hell out of a box from a local account until they get some fuzz escalated **BORING**. If they really wanted to throw down the gauntlet, then we would see Mandatory Access Control implemented on OS X. The big difference is that the MAC policies would be enforceable at the Mach MK level (on Mach ports, tasks, processes...), and OS X would be the ONLY OS with a security policy interface that could come close to usable for average people.
--- Nothing clever here: move along now...
Try me
ip: 127.0.0.1
alter the web page and post here when done.
Then he should put his gpg public key at
http://test.doit.wisc.edu/ and sign and publish on slashdot an invitation to hack this machine to prove that he's the owner of this machine.
k2r
Nobody will probably see this post since the parent got modded into oblivion. But there's no question that an OS claims to be so simple anybody can use it must also be so secure and bug free that nobody could accidentally screw it up. There's a whole herd of Mac users that still believe the Mac is un-hackable and virus-proof. They'll click on any attachment they get. Those same people will feel free to screw with any setting on their Mac because there's no way they could ever get hacked.
It's those types that will end up with a machine that is completely hackable. Windows and Linux users are never under the false impression that their machines are 100% hacker and virus proof. So, in general, we are extra careful when we are changing settings, opening attachments, or surfing the web in general.
"Would HAVE", not "would OF".
what would be much more interesting is if some nice person set up multiple OS platforms, configured them with the same services, and waited to see how long it'd take to hack each of them. maybe lock them down a little more than the mac mini test, just to make it more of a challenge. maybe: windows XP, os x, solaris, and a couple of linux dists ... ?
"Let the flood of *I challenge you to hack me* ip posts begin...
You can start with this one: XX.XX.XXX.XXX.
I think this is quite amusing... If anyone with any OS is so sure about their OS's security that they are willing to come on Slashdot and make claims like OSX is not hackable, or OS (Generic) is safe from exploits and hackers...
Then they should also have the nerve to add their machines' IPs in their post to prove their point of how much they trust their OS.
Although OSX is not my OS of security choice, I don't believe any OS could hold to the claims I see Mac users throwing around in here. I understand the nature of OSes, and hacking from a security perspective.
Unless it is a closed system using redudndant biometrics authenication, it CAN be hacked, I don't care how much faith you have in Apple, Linux, BSD, Windows or any other OS on the market, period.
This is just something you 'accept' and design around, but I find it amazing people come on SlashDot with the ignorance and arrogance that their OS is better than the rest. This does not exist in consumer OSes, no matter how much you believe or how many times you click your heels together.
So I say, great idea, everyone that is running a perfect OS, be the first to start leaving their local and Server IPs in their signature, and maybe a line like, "My OS is the most secure in the world, I dare you."
Then when they are hacked in a few hours they at least won't be on the boards selling the religion of their 'perfect' OS.
BTW thanks for the sideline and laugh your post inspired, brilliant actually.
You are saying that providing web hosting means you should expect to be rooted all the time? People need to have unprivileged user accounts. That should never mean they can root the system. OSX is insecure, and cannot be used as a server because of this. It's nothing at all like physical access, which gives you the ability to bypass the OS altogether. This is just a case of the OS being broken, plain and simple.
The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.
No doubt.
Give me a break.
Nevertheless, I agree that privilege escalation exploits are very serious. And I suspect that this one will soon get fixed by Apple.
What a maroon.
The Admin and the Engineer
On Solaris, BSD, and Linux machines it is assumed that shell accounts can be freely given with minimal security risks. Local exploits are discovered but are treated seriously and fixed. Superuser privileges are only assumed if a user has physical access. None of the attackers had physical access in this case. The accounts should have been safe.
Don't apologise for Apple. Force them to fix the vulnerabilities.
I would like someone to have a real contest, but without doing stupid stuff like granting ssh access to everyone. Let the owner of the Mac take all the security steps he has to and run the contest. I am sure they will need more than 30 minutes, but it will get hacked in less than 48 hours as long as there is plenty of information about the contest and the reward is good enough.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Even if it is a closed system using redundant biometrics authentication, it CAN be hacked, I don't care how much faith you have in your closed-source redudndant (sic, with 'redudndant' "D"s) biometric-authenication (sic, and needed a 'redudndant' "T") OS on the market, period.
(Please note: These opinions are parent's, and I'm just throwing them back for humor.)
This flies in the face of science.
No, it's not like leaving your doors open. No, it's not like leaving your windows open. No, it's not like leaving both open. It's not a house, it is a computer. And they are not doors or windows; it is a daemon that is extremely popular. If you're going to use metaphors then at least come up with a better comparison. Such as, it's like letting someone walk into a bank and giving them a bank account. But, metaphors suck and people just use them to muddle the topic they're arguing so their side of the argument sounds better.
Mac fanboys are always screaming about how their OS is so much better. It used to be that their computers were easier to use, and then Apple tossed out their easy OS. It used to be that SCSI was better, and Apple threw that out. It used to be that G3s, then G4s, and then G5s were better than Intel equivalent, and Apple switched to Intel. And next we're going to find out what we already know, that their computers aren't much, if any, more secure.
And this guy proved that this OS was just as insecure as Windows, Linux, or any other network aware OS. And you can't say it wasn't a remote vulnerability, because it was accomplished through a network and the person was able to do what they shouldn't have been able to do, thus a remote vulnerability. It's an OS, written by imperfect people with imperfect tools. If this were a Windows box that was hacked through TS or RDP then you'd be all over calling Windows so easy to hack.
And yes, this wasn't an anonymous crack but that is no excuse. A password could be guessed through many means and you're saying if that someone guesses a user password then it doesn't matter that they can elevate tasks, and that's a bunch of crap. All computers are firewalled now out the box, but a server is only as good as the services it provides which means you need to open it up. This means that a computer is only as secure as it is when it's doing things.
"The optimist proclaims that we live in the best of all possible worlds, and the pessimist fears this is true." --James
If you can't connect to it you can't crack it. But really, user education, manufacturer patches, good passwords, and firewalls are a multi-layered approach to preventing crackers from breaking into your system.
Wow, that webpage loaded instantaneously. Way too fast for a Mac Mini. He must be on an Internet 2 connection (as am I) or that's one quick lil Mini...
EVERY SYSTEM IS HACKABLE!
I don't care what platform it is or how good you think you are at securing it, if you set up a box and tell the whole internet to "try and hack me" - guess what, YOU WILL GET HACKED.
Maybe more people should put their server security up to the public to break.
Rules should be something along the lines of a near default install, with all changes listed.
But there's no question that an OS claims to be so simple anybody can use it must also be so secure and bug free that nobody could accidentally screw it up.
Umm, your sentence does not completely make sense. The OS is pretty simple to use and pretty secure. Apple claims it is easy to use and occasionally remarks upon security, usually comparing it to Windows. What's the problem? Compared to Windows, OS X is Fort Knox.
There's a whole herd of Mac users that still believe the Mac is un-hackable and virus-proof. They'll click on any attachment they get. Those same people will feel free to screw with any setting on their Mac because there's no way they could ever get hacked.
I've heard this kind of comment before and I wonder what kind of Mac users these people know. Most people know Windows and some are vaguely aware there are other kinds of computers like macs and Linux systems. They've heard these systems are more secure than Windows and don't always get viruses and spyware. For the most part, this is true. Most users of any OS never "screw with any setting(s)" and for the most part most OS X users can click on any attachment they want and not have any problems. The only thing I've ever received in any of my mailboxes that would cause a problem if I double clicked on it was a single piece of malware that did not propagate and which I had to request a copy of from some security guys I know.
So maybe this is not the best practice, but for the most part people have not been burned by it. Maybe that will change and maybe people will become more cautious if it does.
I basically know three kinds of mac users: clueless people who don't change any settings, workers, who use it and may occasionally change settings, but only after asking someone, and experts who know the ramifications of their changes and would not dream of using OS X as a "secure" system. This correlates about the same as Linux users I know. Windows users I know mostly just expect to be hacked all the time and are resigned to periodically cleaning it up, or they are paranoid about it and try to insulate their Windows boxes from the internet as much as possible. Most of the former just open whatever and most of the latter don't use Windows for their e-mail.
"admin"
You misspelled fanboy.
How pathetic are you that you follow me from topic to topic and waste all your mod points at once modding me down?
Why would he need to do that, since if you go to http://test.doit.wisc.edu/, the machine itself presents a page explaining the competition?
The only function that signing the invitation here on Slashdot would do, is positively link the owner of the Slashdot account daveschroeder to the machine...but really, what does that matter? The owner of the machine, even if it's not daveschroeder (and I'm not implying that this is the case, but speaking hypothetically -- especially since his name is at the bottom of the page) is inviting people to hack it. I think that pretty much makes it valid, signature or not.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
The really useful local vulnerabilities are the variety that exploit buffer overflows in system calls to either set capability bits or the effective UID of a process running as a local user. The really clever ones set up a tasklet that spawns a root shell after a random delay so you can't pinpoint the creation of the shell process with a system call.
No DDOS, no generated logs of weird URLs, no audit trail generated...
Stealth, bitches!
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
69.109.215.105
30 mins? The Windows XP Security Competition ended in 30 seconds.
How to Hack A Mac in Five Minutes Flat
-or-
I take up your challenge- with some provisos.
"Hey, Dave... Time to test your machine. But first, I'll need you to make sure its a fair challenge. Go into System Preferences, Sharing, and then click on the box labeled 'Remote Login'. Make sure it says 'Remote Login On'."
"Okay... Now what?"
"Now, click on 'Show All', and then 'Accounts'."
"Okay... What do I do now?"
"Click the lock thingy if it's not already open, then click on the little plus sign just under 'Login Options' Then, fill in the name, 'Hackme', short name 'hackme' and set the password, 'hacker.' Oh, and make sure the checkmark labeled, 'Allow user to administer this computer' is on."
"Done. Now what?"
"Prepare for a world of funtimes!"
Pretty much any Unix is low security. Unixes make very large numbers of applications available to all users. A huge number of those applications:
1) Have privilege escalations to run
2) Are turing complete
Finally Unixes use permissions and not capability models of security.
High security OSes
1) Users can't do anything unless specifically given permission. Further the programs are generally quite limited in their functionality and configurability.
2) Most applications with privs come from the OS vendor so there is only really one or a handful of security configurations to test
That's why Unixes that offer shells to untrusted users do so in a chrooted environment running stuff like rsh. OSX is not VMS but then again neither is Linux, Solaris or AIX.
I don't know what the other guy is telling you, but I'll tell you absolutely. The computers in the lab are fully hackable. So what?
1) They can be re-imaged no problem.
2) Nothing valuable (read worth $200k + to an a thief) can be stolen off them.
3) Students who persistently attack the machines can be suspended or expelled
Anybody at the University who wants to start reading security news can crack almost any university machine. OK then what?
People's expectations have changed over time. Those were the old expectations. Of course any process that is uid root should be under heavy scrutiny. Apple should try to fix these problems.
One of the reasons Gopher went away and the web took off, was you could set up a server without having users login. Much more secure.
It would be more interesting to determine if the same problems exist in OS X Server.
Note that quite a few shared web services disable remote login unless they feel their admins are up to the task.
http://test.doit.wisc.edu/
For something as great as OS X the exploit shouldn't have worked anyway. But it's a fact that as far as security goes, Apple are up the creek without a paddle, and as far as running Unix goes, Apple aren't running it.
Any process at all - as low as the default admin and sometimes even lower - can get any arbitrary code to run as root at any time on OS X. Yes, it is that bad.
Read this and test it yourself.
Apple's 'Unix' Runs Arbitrary Code on Boot
http://rixstep.com/1/20060306,00.shtml
Download the POC referenced in the article here.
ftp://rixstep.com/pub/BootRooter.tar.bz2
There is no Unix around that will allow such a thing. Congratulations, Apple. And congratulations to all OS X users. Smell the bread burning? Time to disengage your iPod earplugs and run for the exits.
If I read the findings correctly, there were a number of questionable things done:
-giving shell access to anyone who asked for it.
-leaving ssh on and running.
But these weren't the most egregious things allowed:
Any machine, any operating system is vulnerable when PHYSICAL ACCESS TO THE BOX is allowed. If someone can just walk up to it you might as well kiss your security goodbye.
Working in a large Fortune 500 company, I often notice post-it notes with passwords stickied to monitors or the underside of keyboards - it's not that different in the real world either.
Again, any operating system can be defeated if you have an account with the right privileges and you have physical access to the box.
> Personally I would really like to see similar competitions against default-installs of some other OSes
This is absolutely irrelevant. A secure OS is secure regardless of how many insecure OSes there are. Security is an absolute measurement; can you hack the box or not? If you pass it, you are secure, if you don't then you are not.
Giving people nologin for a shell doesn't do anything. Any web host that lets you run CGI or PHP or anything dynamic at all is giving you all the same abilities that you get with a real shell. It's just less convenient. You can still exploit local holes to gain root priv all you want.
What asshat modded this guy Insightful? "Turning off functionality because of security is not acceptable." - WTF???? He obviously doesn't know what the hell he's talking about. There's a big diff between insight and head-in-the-clouds idealism.
While the implications of this "test" are debatable, what I would really like to know is how the hack was done. Is there some flaw in OS X that was exploited? Or did the admin do something else silly like make the root password something simple like "hello" and it was guessed/dictionary attacked. Is this a Mac OS X specific hack? Or did they use a vulnerability that is common to other UNIX flavors as well?
"This was a while ago, but when you give a user a local account, its almost assumed that if they really wanted to they could get root. You should take care when giving out accounts.
It's like giving physical access to a machine. If you give physical access to any linux machine, it's not hard to log onto it. (this is why you lock up the machines!)"
A local account is much different than physical access to a machine. If an OS is secure, local users shouldn't be able to get root access. The reason physical access nullifies security is that you can just reboot the machine with your own OS and mount the hard drive and modify to your heart's content.
Vote for Pedro
I mean, really. You have local root exploits on OS X. I'm not surprised, when you have companies like Adobe shipping apps containing setuid root shell scripts. Suppose you set them up with an Interix or Cygwin ssh login on Windows, how long would it take to deface IIS? Or would you even bother calling that an "exploit"?
If you need to give potentially hostile users shell, you want them in a FreeBSD jail at a minimum.
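As an added example, not code from the thread or from any vendor mentioned in it: a POSIX shell audit for the setuid-script problem the post above complains about. It walks a tree, lists every file with the setuid or setgid bit, and flags the ones that are interpreted scripts (they begin with "#!"). The sample tree with a setuid helper script inside a hypothetical app bundle is constructed inside the script so it runs offline; the bundle name and paths are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a directory tree for files
# carrying the setuid or setgid bit and flag the ones that are interpreted
# scripts. The sample tree built by make_sample_tree is constructed data.

# Print one line per setuid/setgid regular file under $1:
#   "<mode> <owner> <path> <kind>"   where kind is script or binary
audit_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
    while IFS= read -r f; do
        # Look only at the first two bytes; "#!" marks an interpreted script.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
        case $magic in
            '#!') kind=script ;;
            *)    kind=binary ;;
        esac
        mode_owner=$(ls -ld "$f" | awk '{ print $1, $3 }')
        printf '%s %s %s\n' "$mode_owner" "$f" "$kind"
    done
}

# Number of setuid/setgid files under $1 that are scripts (the red flags).
count_setuid_scripts() {
    audit_setuid "$1" | awk '$NF == "script"' | wc -l | tr -d ' '
}

# Build a constructed sample tree: a setuid shell script inside an
# invented app bundle, a setuid binary, and a plain non-setuid script.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/Applications/Example.app/Contents/MacOS" "$root/usr/bin"
    printf '#!/bin/sh\nexec /usr/bin/true\n' \
        > "$root/Applications/Example.app/Contents/MacOS/helper.sh"
    chmod 4755 "$root/Applications/Example.app/Contents/MacOS/helper.sh"
    printf 'ELFbinary' > "$root/usr/bin/passwd"
    chmod 4755 "$root/usr/bin/passwd"
    printf '#!/bin/sh\necho hi\n' > "$root/usr/bin/plain.sh"
    chmod 755 "$root/usr/bin/plain.sh"
    printf '%s\n' "$root"
}

# Usage against a real tree:  sh audit_setuid.sh /Applications
if [ $# -gt 0 ]; then
    audit_setuid "$1"
fi
```

The owner column matters as much as the bit: a setuid script owned by root is the case to chase down first, since whatever interpreter or wrapper runs it does so with root's effective UID. The example checks the mode bits regardless of owner because the constructed tree is created by an unprivileged user.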
If you set up a web server, you should also take into account that some PHP application, for example, can be hacked. phpBB, mambo.. should I name quite a few? When I set up a web server, I always consider that its user ("apache", "www") may run some code on the system - since everyone has access to the web server. I wouldn't like it if someone who's found a phpBB exploit would get root on the server 30 minutes after that.
In your example this would rather mean that your jewelry is not kept in a safe in a house which could be visited by guests at any time, but simply put on the table. Not exactly the best idea. And I don't think it's funny.
That's just wrong, sorry. There were at least two bugs in MacHTTP I discovered in '96, iirc:
/M_A_C_H_T_T_P_V_E_R_S_I_O_N gave statistics about the server and wasn't documented (i.e. it was a back door). There was a discussion on MacHTTP mailing list, many Mac fans estimating this was a feature and not a backdoor, and finally MacHTTP was changed to provide only a version string instead of statistics.
- URL
- There was a bug in the URL parsing code which allowed reading the data fork of any file provided you knew its path. This bug existed in MacHTTP 2.2 and was fixed in 2.2.1 when I notified MacHTTP's author.
Oh, and Ann Arbor is a whore.
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
Even if it is a closed system using redundant biometrics authentication, it CAN be hacked, I don't care how much faith you have in your closed-source redudndant (sic, with 'redudndant' "D"s) biometric-authenication (sic, and needed a 'redudndant' "T") OS on the market, period.
:)
Yes it can, I was using an illustrative concept we put together in the early 90s for the pentagon to set the bar for what is in the close to non-hackable range and how far that is from a consumer OS with barely even C2 level security.
Besides, we have all seen MacGyver do the sheetrock thing with a piece of paper to bypass the handprint scanners...
So now can we just go back to the subject, or you have another item you want to point out that the rest of us already realize?
One of the unusual things about the "hacked" machine was that Fink was installed. This most likely means that the Apple developer tools were installed (although Fink can install precompiled binaries), making it possible for the hacker to bring his own code and compile on the system. Although Apple ships the developer tools on the OS X client install DVD, it is not installed by default, nor is X11.
Fink lists a catalog of 6359 open source projects that can be installed, many of which are tools that could help a hacker exploit a machine or that are exploitable in themselves.
The future is in beta
Okay, ... ... therefore there are no secure OSes.
letting someone ssh in as an admin?
Surely you don't have sudo set up to allow non-admins to sudo root?
The default sudoers on Mac OS X does allow the initial (in other words, original admin) user to sudo, as I recall. No one else, however.
One thing Apple should do is something MS seems to be doing with recent XP (sometime since I wrote about it on my personal webserver which it seems no one but the search engines ever look at) --
Prompt the owner to set up a non-admin account in addition to the admin account. If the owner doesn't tell the setup routine otherwise, set it to auto-login to the non-admin account.
he has a neat script for giving people ssh accounts. I wonder if he thought to make them non-admin.
Oh, and he proved that Mac OS X is not SELinux. (Neither is FC4 for most users, but that's beside the point, I suppose.)
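As an added example, not code from the thread or from the challenge host's account-creation script: a POSIX shell audit that answers the question raised above, namely which local accounts would actually match a sudoers rule, directly or through a %group entry such as the stock `%admin ALL=(ALL) ALL` line. On Mac OS X 10.4 real group membership lives in NetInfo (queried with dscl), so the flat group file here is a constructed stand-in; the sudoers text is likewise constructed and the user names are invented.

```shell
#!/bin/sh
# Added example, not from the thread: given a flat group file and a sudoers
# file, report which accounts can sudo. Both files are constructed below.

# Groups that user $2 belongs to according to group file $1 (one per line).
user_groups() {
    awk -F: -v u="$2" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$1"
}

# Every sudoers line in $1 that applies to user $3, using group file $2.
# Matches "user ..." and "%group ..." entries; skips comments and Defaults.
sudo_rules_for() {
    gs=" $(user_groups "$2" "$3" | tr '\n' ' ')"
    awk -v u="$3" -v gs="$gs" '
        /^[[:space:]]*(#|$)/ { next }
        /^Defaults/          { next }
        {
            who = $1
            if (who == u) { print; next }
            if (substr(who, 1, 1) == "%" && index(gs, " " substr(who, 2) " ") > 0) print
        }
    ' "$1"
}

# True if user $3 has at least one sudoers rule under sudoers $1, groups $2.
can_sudo() {
    [ -n "$(sudo_rules_for "$1" "$2" "$3")" ]
}

# Every account named in group file $2 that can sudo under sudoers $1.
sudo_capable_users() {
    awk -F: '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2" |
    sort -u |
    while IFS= read -r u; do
        if can_sudo "$1" "$2" "$u"; then printf '%s\n' "$u"; fi
    done
}

# Constructed inputs: "dave" is an admin, "hackme" and "guest1" are the
# kind of hand-out accounts the challenge gave away, in staff only.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/group" <<'EOF'
wheel:*:0:root
admin:*:80:root,dave
staff:*:20:root,dave,hackme,guest1
EOF
    cat > "$dir/sudoers" <<'EOF'
# Constructed sudoers resembling the stock Mac OS X rules
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF
    printf '%s\n' "$dir"
}

# Usage against real files:  sh sudo_audit.sh /etc/sudoers /etc/group
if [ $# -ge 2 ]; then
    sudo_capable_users "$1" "$2"
fi
```

The check is deliberately simple: it does not parse aliases, host lists or command specs, only who a rule names. That is enough to catch the mistake under discussion, a hand-out ssh account that was created with the admin box ticked and so inherits the %admin rule.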
do you advocate putting SELinux on Grandma's computer?
Hmm. Actually, if Grandma is just going to be doing e-mail, that might not be a bad idea. Does SELinux run well on old 256 MHz class x86 CPUs? Gotta get an elderly aunt off that MSW98.
How about my dad, who would occasionally want to install software for the foreign language classes he taught part time after he retired?
the host's stupidity. I don't know about 'little known exploit'. Stupidity is rampant. Apple can't patch that, so they're SOL as is this fool. Stupidity can't be patched (too bad) and if they try to make an idiot proof OS, well, you know what happens.
Fighting over religion is like seeing whose imaginary friend is best.
You can start with this one: XX.XX.XXX.XXX.
Okay, done. Not much there. I just saw one application running called pr0nb0t. *shrug*
with your "wipe the hard drive"
Back in my day, we didn't have hard drives. We used our fingers! AND WE LIKED IT THAT WAY!
And if someone rooted your box, it meant they were groping your crotch.
It's not offtopic, dumbass. It's orthogonal.
Okay, so there aren't any "secure" OSes.
That was fun -- how about a conclusion we can actually use?
I'd like to see a competition between OSes, because as a user at some point I might want to choose between them, and even if none of them are truly secure (as long as they're plugged in), there's a certain value in knowing which one is more secure than the others, in various use cases.
There's a certain point where a system becomes 'secure enough' for a particular use. Depending on the use, you might be okay with a default install of Debian-stable, or you might want SELinux with all the hardening options. It's a matter of exposure the system will have and what the consequences of it getting compromised would be.
Sure, to get enough datapoints to be really valid, you'd have to run 'competitions' like this pretty much continuously, and even then I'd have serious questions about them and how they model real-world hacking scenarios, but that's not to say you wouldn't get interesting results. Certainly more interesting that TFA's "competition."
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
He didn't say that no Mac server admin knew what "headless" meant. He was talking about the majority that he knows. That said, I'd wager that the bulk of server admins out there don't know what headless means. The bulk of servers administered is likely a different story.
One server is a cakewalk. 100?
I'm not saying that MacOS X is a super secure system. But the truth is, despite all the fuss we have heard about Mac OS X lately, so far there IS NO VIRUS OR SPYWARE known for Mac. How's that compared to the gazillion for Windows?
:( And proof of concept viruses which no one has even bothered to re-use to build up something really nasty... Maybe the system is not Fort KNOX, but so far, Mac users do not have to run anti-virus or anti-spyware, and they're right to be ignorant there's NO SUCH THINGS. It does not exist.
There are a few exploits that necessitate either SSH or physical access to the machine. Bad
- Virus and spyware makers do not care about the 1% Mac marketshare. good
- They do not have the expertise
- Those who have usually like Macs, so don't develop such nasty things
- Apple breaks the backward compatibility very often (there used to be REAL viruses before on MacOS... but they can't work on current hardware/OS) Today it's the ppc->x86 change. Yesterday it was OS 9 -> OS X, or 68k -> ppc
- Components are usually not dependent on one another in silly ways (see IE): you don't browse your files with a web browser, you don't d/l your security updates with a web browser, there's no such thing as custom toolbars or ActiveX in your default browser..
- All crappy default stuff are disabled by default
- No one runs MacOS X in "root" mode, unless a geek (it's hard to activate, those who do it know what to do).. So it's hard for one user to fuck up another's users documents and stuff, or for a virus/spyware to trash the whole machine
so yeah. I feel pretty safe with a Mac in the hands of my mom who knows nothing about security. If she had a Wintel PC I'd have to install all that crappy anti-virus / anti-spyware software that eats CPU cycles and HD spins, and costs money, and even like that, I'm sure my mom's computer would go into such a nasty state I'd have to re-install it from scratch...
Mac OS X itself is far from being perfect. It is probably not that secure, but the risk for the genuine user is today "non-existent".
as for the servers, they do run the same software as their Linux/UNIX counterparts. So it's no more no less secure
Mangee: Father to Lliam
And enabling root is elementary for a user with sudo access. There's a few bits over on my blog post about it.
Uhhh, there were two recent viruses found for OS X: http://www.symantec.com/avcenter/venc/data/osx.leap.a.html
http://www.symantec.com/avcenter/venc/data/osx.inqtana.a.html
... but that's about 29 and a half minutes longer than a similarly configured Windows box.
I know these exploits/proof of concepts and mentioned them. As I said, there's NO TRULY HARMFUL VIRUS ON MAC. This is just propaganda from these security/anti virus companies that cannot justify the need for their products on Mac. As I said, it does not mean MacOS X is secure, but it's a mix of broken backward compatibility, small market share, few people able to program this and lack of interest. So we're safe for a long while my friends :)
:) Wooow.. am scared. I think I have never ever used Bluetooth on my laptop, and all my desktop Macs don't have it, and the bug is patched on all my machines thanks to security updates :)
:).... Then it hooks up on the user's InputManagers, if you're lucky and have Mac OS X 10.4 (will fail with all other versions) tries to infect 4 applications which are writable (by default /Applications needs root rights to be writable, so on a brand new Mac it fails). It's buggy, so it fails and prevents the application from launching in practice, but does not trash it (it's possible to restore normal behavior). The only successful way it has to propagate is to use iChat (I know no Mac user around me who uses it.. lolz.. but ok, it's pretty common I imagine being there by default). Your contact must accept, uncompress and launch the crap to be infected too (and have a Mac!!). And even then, it does not always work because of another bug, the receiver might get a corrupted version sometimes. And did I mention it only works on PPC machines and not the new iMacs, Mac mini and MacBook Pro which run on x86?
:) In addition, as long as it requires the user to nicely open it, it will probably fail to propagate because 99% of computers in this world run Windows
These two beasts you show are exploits/proof of concepts which are merely classified as worms by Symantec with LOW risk (= no risk)
- the second is a real joke. It's just an old exploit. Nothing harmful at all. You need BLUETOOTH activated, be in range, and have an old not up to date Mac OS X version (with Apple software update it's hard). It just replicates, that's all it'll ever do
- the first one is a proof of concept but buggy! which means it's slightly harmful but it was not designed to be. To be infected the user must nicely unpack an archive and launch the program. It's a bit like sending a "rm -Rf" script to a Linux friend and tell him he can see Monica Lewinsky naked in Ascii-Art if he starts this
it's interesting to see that the second stuff could be improved and customized to do very nasty stuff. But no one even tried to.
As I said, Macintosh users are ignorant of these things. So far there's been no threat. And these two exploits are unlikely to change anything. Install Mac OS X out of the box and let it run a few days, there's hardly a chance you got infected by anything... I remember not so long ago reading an article that says the average time until your Windows XP SP1 gets trashed: it is 20 mins.
http://www.theregister.co.uk/2004/08/19/infected_in20_minutes/
Sure, SP2 made a lot of progress (by simply disabling stuff no one used by default wowooo.. ). It was 2004. That same year I remember seeing an exploit which made root escalation on Mac. It was not promoted by virus software editors therefore no one talked about it even here on Slashdot. But I was pretty shocked to gain root access on a machine easily. I also remember in those days people talking about disguising an application with a document icon. I think there was even a proof of concept but unlike "oompa" it did not replicate. Truth is, that thing has been around for eons, but no-one really ever used it to produce some malware code, so it remained unpatched for a while.
And the day it becomes a problem?? Well Apple will make the Finder say something like "hey this application has never been launched before. You sure you wanna run this?". Duh it h
> Would be nice to see something like this for all platforms.
:P
Well, huh! Here's a challenge! I've got a Windows box which you can attack at IP 124.235.13... [silence]
PS: What's even funnier is I've actually got a W2K webserver/SSH/SFTP server running here but I dare not give the IP away at Slashdot - if OSX has 'an unpublished vulnerability' I wonder how many Windows does... Which is double funny again since supposedly OSX weaknesses haven't been exposed cause of small user base whereas my only defence against hordes of hackers here is to keep my website as unpopular as possible!
www.tribalnetworks.org - helping tribal people around the world to own their own means of high-tech communications