U of Wisconsin's Mac OS X Security Challenge
digitalsurgeon writes "The University of Wisconsin [ed: Go Badgers] has launched a Mac OS X Security challenge, in response to a 'woefully misleading ZDnet article'. From the site: 'The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open.' Are you up to the task? Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less than 30 minutes? More information about the challenge is at http://test.doit.wisc.edu/ The challenge ends Fri 10 March 2006 10:00 AM CST." Update: 03/07 14:32 GMT by Z : Commentary on the contest and original claim is available at VNUNet
Maybe logs could be published (in real-time) so that we all can see some of what possible challengers are up to. That would be interesting.
I am sorry, but what exactly does this prove? That ZDNet is wrong? That Mac OS X is secure?
It proves neither: every operating system on the face of this earth has been hacked, cracked, and 0wned. Numerous times. Get over it.
Instead of inane, immature competitions such as this one, I'd rather have a nice manual (RTNM -- Read The Nice Manual) on how to improve/lock down an OS X machine. Even better, make that two manuals: one for the average joe, with nice color screenshots for every step that has to be taken, and another for people like me, who manage systems for a living. THAT would be a valuable contribution to the field of computer security, instead of this stupid challenge.
With virus/spyware becoming a multimillion dollar business, do you really think that the real hackers (sorry for the use of the term) will stay away from this, due to this very condition? Do you think that the dangerous exploits and cracks that are, for the moment, unknown to Apple, and are hence very valuable, will be willingly sent to Apple for some minor publicity and no material gain? No, they will be auctioned off in some sleazy IRC channel in Russia.
I think you can't "see the forest for the trees."
The original test was equivalent to saying "I'll let a thief into my house. Let's see if he can steal anything!" Most houses don't have everything bolted down to the floor.
But how often do you allow someone into your machine? For a desktop, not often, perhaps never.
The biggest risk to most computers is a network based attack; this is the real meat and potatoes and a better test of the security of a machine.
The problem is that the media presents the original test as though Mac OSX is insecure out of the box. It's very misleading.
An acquaintance of mine runs a small web hosting company. His original service plan offered SSH accounts to every hosting account. Despite his best efforts to secure the box, it was still rooted by a script kiddie.
His customer's PC was compromised and the ssh password for his account on the Linux server was found by the script kiddie. The shell account had access to GCC. The script kiddie logged in as the non-privileged user and used gcc to compile a rootkit. The rest was a walk in the park.
The OS was Slackware Linux. All of the accounts were jailed, and all of the "best practice" measures were taken to harden the box (I can't comment on every detail as I am not a Linux system admin).
My point is that when a malicious user gains shell access to any *nix system, you're in deep trouble.
My friend has since stopped offering SSH access to his customers.
I don't think that analogy is quite apt. It's more like locking someone in your basement and they figure out how to gain access to your whole house.
When I run a third party program I am essentially letting them inside, but as a non-privileged user I'm confining them to a specific area. But if this ability to elevate privileges turns out to be a fact, then any program I run can have full access.
Right now we have only this one supposed demonstration of it. What I'd really appreciate seeing is that *original* test repeated. If we can look at this as if it were an experiment, then when someone publishes a result others try to repeat it under the same conditions. They don't conduct a different test with different conditions in order to disprove the original.
Exactly. If you wanted to truly compare OS X to Windows in this scenario, put a PC on the Net with TS opened and give out the user account information.
The point of this is to see how secure the OS is w/o hardening, and in a more typical networked situation. For that matter they are softening it to attack compared to the stock configuration.
The ZDnet article simply was not reported correctly, and gave the wrong implications. Even with the added sentence, the article tries to make it sound like it's vulnerable to remote exploits and you have to be worried about having your machine on the internet.
One of the unusual things about the "hacked" machine was that Fink was installed. This most likely means that the Apple developer tools were installed (although Fink can install precompiled binaries), making it possible for the hacker to bring his own code and compile on the system. Although Apple ships the developer tools on the OS X client install DVD, it is not installed by default, nor is X11.
Fink lists a catalog of 6359 open source projects that can be installed, many of which are tools that could help a hacker exploit a machine or that are exploitable in themselves. Fink is a Debian style package manager for Mac OS X.
True, but this test still does not compare to what hosting companies are doing. Web hosting companies are (hopefully) run by professionals who secure the boxes. Web hosting companies run operating systems like RHEL that were designed for server use--Mac OS X on a Mac Mini was designed for home use.
Most importantly though, hosting companies are not giving ssh to any anonymous joe off the street, which is exactly what happened in this contest. At a minimum, web hosting companies have your credit card number before they offer you ssh. Some will demand additional information, such as a faxed copy of a driver's license. Of course a crook can get a driver's license and a stolen credit card, but these are additional hoops to jump through that make the process of cracking the machine that much more trouble. Plus, if someone does crack the machine despite his lack of anonymity, the hosting company might be able to track him down.
This contest as reported on ZDNet was a joke. The guy gave ssh accounts to anyone who asked for them, without demanding any proof of identification. He ran it on an OS that was not designed to be run with untrusted users logged in. Furthermore, the crack was done by an anonymous person using an "undocumented" security hole, which to me calls the credibility of the whole episode into question. In what real-world situation does anyone allow ssh login to any random, anonymous Joe?