Mac OS X Security Competition Ends in 30 Minutes

ninja_assault_kitten writes "ZDnet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good security was on his new fully patched Mac Mini was. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest. According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'." It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.

Lord, save us from morons

[AKAImBatman]

What was this fool trying to prove? He allowed direct SSH access to the machine! Of course someone is going to hack it! Once you're inside the system, it becomes incredibly easy to find configuration mistakes, and exploit holes in priviledged programs. Remember, this system runs much of the same software as Linux and FreeBSD. Much of that software hasn't been properly audited and locked down. Why? Because this is a desktop machine.

Mac OS X security primarily stems from not doing anything stupid by default. Which means that there are no remote services enabled, the system tries to be intelligent about handling executable files (like most Unixes), and super-user functionality is handled by Sudo. But that's not a bullet-proof vest. There's nothing in the system that makes it automagically secure against all attacks. So if you want security, don't turn on those remote services, and don't give out SSH accounts!

Re:Lord, save us from morons

[AKAImBatman]

Like all systems, tradeoffs have to be made. I'm sitting next to a Sun Solaris system with JDS on it right now. To get the system running like I want it, I constantly have to resort to the root account to install the simplest of software. (Replace root access with sudo as you prefer.) I have to do this because it is a locked down machine intended to run software packages approved by management. Under this configuration, it's pretty hard to gain root access even with a local account.

This configuration absolutely sucks for a home user.

A home user can't install new software without providing a root (or sudo) password everytime they want to try a software package, they can't update the system configuration from the GUI, they can't start and stop their personal webserver, they can't look at the drive space remaining without having to decode a complex partitioning scheme, they can't do a lot of things that Mac OS X lets them do without interfereing. If Mac OS X *did* restrict these activities, users would balk at the user-unfriendliness and go back to Windows.

So it comes back to a matter of design. It's easy to say, "that should have been secure!", but the costs of making that secure would have been too high for the average home user. Mac OS X's security has been proven to date to be sufficient for what it was designed to do, and has been shown to be at least as secure (perhaps moreso) than your average FreeBSD or Linux desktop. Show me the beef of the problem (i.e. everyday machines being compromised on a scale similar to Windows) and I'll agree with you that Mac OS X is insecure for its intended purpose. Until then, however, I'm going to go with the fact that this guy wasn't thinking straight.

Plenty of people use them for servers as well

Which is why Apple produces OS X Sever Edition.

and apparently OS X isn't secure by default for them.

You show me a server situation that involves hundreds of anonymous, remote logins to a system without any lockdown of the services to move it from a home server to a full-blown webserver, and I'll agree with you. I, personally, can't think of such a situation. Some webhosts provide SSH access, but they certainly don't run a default Linux or FreeBSD installation unless that distribution has been preconfigured for the security they need.

Re:Mac OS X Security Challenge

[tpgp]

Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

Whilst I agree that this is not the same as a remote exploit, do not underestimate the seriousness of local privilege escalation.

For instance, an unpatched local privilege escalation, used in conjuction with the vulnerability discussed in this article could result in a rooted machine - simply from visiting a hostile website (or even a website you visit regularly, that runs IIS and has been hacked itself)

I don't believe (as some pundits seem to) that Mac OS is a Microsoft style security disaster only awaiting the attention of hackers to happen - but I do believe that Mac owners are going to have to start paying a little more attention to security matters then they currently are.

Re:Why keep SSH on?

[shotfeel]

Or in this case, the ability of the system administrator to open up the box...

SSH is off by default, the admin had to turn it on.

Hackers don't generally have shell accounts -the admin had to set them up.

So if you take steps to make the Mac Mini less secure, then advertise you've done so, it gets hacked. Expect all major tech outlets to cover this new and amazing Mac vulnerability (you think I'm joking?).

Re:Why keep SSH on?

[falkryn]

true, though a timeshare box on a college campus is somewhere you would easily see such a setup. remember though, this is (supposed to be) a *nix we're talking about. local user accounts should not be able to inflict such damage due to better seperation of priviliedges that exist in this world.

Re:Why keep SSH on?

[AKAImBatman]

remember though, this is (supposed to be) a *nix we're talking about. local user accounts should not be able to inflict such damage due to better seperation of priviliedges that exist in this world.

But you need to remember that OS X is not designed for remote, multi-user usage. The features are there, but mostly for adminstrative purposes. The machine is first and foremost a Desktop machine that is intended to keep good guys in and bad guys out.

Also keep in mind that it is incredibly difficult to properly configure a Unix system to be completely secure against users with shell accounts. Such security requires a complete system lockdown, complex partitioning, reassignment of services to non-root accounts, jailing of priviledged services (or equivalent), and several other procedures that I sincerely doubt that this guy performed. (In fact, the article confirmed that he could have locked the system down further, but didn't.)

By handing out shell accounts, he might as well have been handing out the root password to his system.

Local access IS important!

[Chemisor]

Excuse me, but if your OS can be rooted in 30 minutes from a local account, you have no business calling it secure. UNIX is supposed to have multiple local accounts and still be secure with them all running. If you close down every network port on a machine and say "come get me now", that's really not saying much. I, for one, would really like to know how he managed to get root from a local account, so I can verify I don't have the same problem on my server, which really does have ssh access to more than one person.

Re:Why keep SSH on?

[gowen]

But you need to remember that OS X is not designed for remote, multi-user usage

That excuse was bullshit when it was used to defend Windows boxes, and, amazingly, it remains bullshit when applied to fashionable platforms, too.

Re:Perhaps with a desktop Mac

[Kadin2048]

I believe that Mac OS X Server has sshd running by default -- if you think of how it's intended to be used, this is not just a feature, but possibly quite necessary. Setting up a rack of headless servers could be quite a PITA if they didn't have ssh running by default -- you'd have to connect to them over the serial port and turn it on for each machine (or create a custom HD image where it was enabled and load it to each machine).

I think there are probably some also remote-administration services running by default on Server, but don't quote me on that. I know for sure that ssh is not running on regular, consumer MacOS, however. (I just set up a new G5 a few days ago and I had to turn it on manually.)

I think it's also worth pointing out that based on my understanding of the article in question here (the second link in the summary doesn't point to what I think it originally did), ssh wasn't just running on the machine, attackers were allowed to log-in as a non-root user. So really what happened wasn't a cracking in the strict sense, but privilege escalation. Still bad -- and I'm rather annoyed that "gwerdna" or whatever his name was didn't tell us what this great "unpublished and unreported vulnerability" was that he used, but I don't think that it means that any box is compromisable simply by virtue of running sshd.

Re:Why keep SSH on?

[RetiredMidn]

I don't know what this guy was trying to prove, but his blind faith in Apple got him burned.

Considering that the picture of the machine posted on the web site (which now seems to be unavailable) showed it sitting on a shelf next to Windows programming books, I'm guessing that his "blind faith" is in something other than Apple, and his motiviation was to generate the misleading buzz that ZDNet and Cnet are facilitating.