Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac OS X Security Competition Ends in 30 Minutes

Posted by ryuzaki0 on from the how-secure-is-secure dept.

ninja_assault_kitten writes "ZDnet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good security was on his new fully patched Mac Mini was. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest. According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'." It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.

8 of 388 comments (clear)

  1. Why keep SSH on? by tak+amalak · · Score: 4, Interesting

    That's one of the first things you turn off to protect the machine.

    --
    Don't lead me into temptation... I can find it myself.
    1. Re:Why keep SSH on? by bombadillo · · Score: 3, Interesting

      It doesn't really matter that SSH was left on. The thing that made this easy was that they were allowed a shell account. Getting shell access is the easiest way to compromise a system. Lets see how long it would take with out a shell.

  2. gwerdna? by Loconut1389 · · Score: 5, Interesting

    I wonder if the hacker's name is Andrew G. by any chance?

    What kind of hacker do you suppose he is? gwerdna is a pretty poor anagram of Andrew G.

    If that's not his name, it's fairly random.

    He's been using it since the end of 2004 at least. http://p212.ezboard.com/bnendowingsmirai.showUserP ublicProfile?gid=gwerdna

  3. Mac OS X Security Challenge by daveschroeder · · Score: 5, Interesting

    Mac OS X Security Challenge

    In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, I have decided to launch a Mac OS X Security Challenge.

    The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

    Almost all consumer Mac OS X machines will:

    - Not give any external entities access
    - Not even have any ports open

    The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu (128.104.16.150). The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the reqiurements.

    1. Re:Mac OS X Security Challenge by TClevenger · · Score: 3, Interesting

      What I'd be interested in is putting other operating systems on with the same rules as the submitter (fully patched system with free local accounts to any who ask) and see if Linux, Windows Server or any of the BSDs can stand up to the challenge.

    2. Re:Mac OS X Security Challenge by daveschroeder · · Score: 3, Interesting

      Yes. And I explain that on the site.

      But the original article makes it look like any Mac OS X machine out on the internet could just get "hacked", and was "easy pickings". Do you, or do you not, agree that the article should have made *some* reference, at least in passing, that people were allowed to have local accounts on the machine? I.e., a way that the vast, vast, vast majority of consumer Mac OS X machines will never be used (to say nothing that they'll probably never have any ports open, either)?

      So there's a local privilege escalation vulnerability that, according to the "hacker", hasn't been reported to Apple. So if it's "unpublished", and therefore hasn't (likely) been reported to Apple, what is Apple to do about it?

      The article is not fair because it doesn't tell a critical detail about the situation: that LOCAL ACCESS was allowed. If you don't think that's a *huge* omission in this context, I don't know what else to say. The majority of people who read that article will leave with the specific and distinct impression that a Mac OS X machine can be "hacked" just from being connected to the internet. That is patently untrue. I'm simply showing that.

  4. local account = assumed root access by acomj · · Score: 4, Interesting

    This was a while ago, but when you give a user a local account, its almost assumed that if they really wanted to they could get root. You should take care when giving out accounts.

    It like giving physical access to a machine. If you give physical access to any linux machine, its not hard to log onto it. (this is why you lock up the machines!)

  5. Astroturfing? by aphor · · Score: 4, Interesting

    The whole article seemed to culminate in the following information: some guy said if Macs were more popular they would have a worse record than "other operating systems." It seems to be comparing OS X to Linux, but it isn't entirely clear what the baseline is for their eval of Mac OS.X and it also doesn't clarify what exactly makes these OSs different. Also, the web site defacement isn't proof that the person with an unprivileged account acquired superuser privileges to do anything other than deface the web page. I don't doubt it could have happened, but maybe it did and maybe it didn't...

    "The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms.... If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems," said Archibald at the time.

    Also, giving people LDAP accounts on the machine is really cheating. Maybe some noobs get a boner when someone fuzzes the hell out of a box from a local account until they get some fuzz escalated **BORING**. If they really wanted to throw down the gauntlet, then we would see Mandatory Access Control implemented on OS X . The big difference is that the MAC policies would be enforceable at the Mach MK level (on Mach ports, tasks, processes...), and OS X would be the ONLY OS with a security policy interface that could come close to usable for average people.

    --
    --- Nothing clever here: move along now...