Slashdot Mirror
U of Wisconsin's Mac OS X Security Challenge
digitalsurgeon writes "The University of Wisconsin [ed: Go Badgers] has launched a Mac OS X Security challenge, in response to a 'woefully misleading ZDnet article'. From the site: 'The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open.' Are you up to the task? Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less then 30 minutes? More information about the challenge is at http://test.doit.wisc.edu/ The challenge ends Fri 10 March 2006 10:00 AM CST." Update: 03/07 14:32 GMT by Z : Commentary on the contest and original claim is available at VNUNet
Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less then 30 minutes?
So guys, what do you say? Should we all mabye prove ZDNet wrong by not breaking into that computer?
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
This test is of the web server, and of remote cracking without local access. Also, the explanation page says that the original article did not mention that local access was given. Well, perhaps they've updated the article, but it certainly says so now:
As I said, I appreciate this test, but I am also concerned about the apparent ability of an ordinary local user to gain admin status.I wish someone running windows 2003 professional could start a competition like this.
Mabye logs could be published (in real-time) so that we all can see some of what possible challengers are up to. That would be interesting.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
I am sorry, but what exactly does this prove? That ZDNet is wrong? That Mac OS X is secure?
It proves neither: every operating system on the face of this earth has been hacked, cracked, and 0wned. Numerous times. Get over it.
Instead of inane, immature competitions such as this one, I'd rather have a nice manual (RTNM -- Read The Nice Manual) on how to improve/lock down an OS X machine. Even better, make that two manuals: one for the average joe, with nice color screenshots for every step that has to be taken, and another for people like me, who manage systems for a living. THAT would be a valuable contribution to the field of computer security, instead of this stupid challenge.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
With virus/spyware becoming a multimillion dollar business, do you really think that the real hackers (sorry for the use of the term) will stay away from this, due to the this very condition. Do you think that the dangerous exploits and cracks that are, for the moment, unknown by Apple, and are hence, very valuable. They will not be willingly sent to Apple for some minor publicity and no material, no, they will be auctioned off in some sleazy IRC channel in Russia.
"Sure there's porn and piracy on the Web but there's probably a downside too."
...if the little Mac Mini melts from a good /.'ing?
So far each article has been based on unique situations that lack credibility to begin with, give little detail, and take focus away from the fact that it's basically a machine running a collective of industry proven software (such as apache and openssh.)
Also of note is that Mac OSX currently has an a user base of over 10 million machines. So the argument that it's too small a target is ridiculous. In fact it's a bigger target as it's untouched territory with a bonus of headline making news.
I hacked in, and in 22 minutes changed one of the pixels from #FFFFFF to #F0F8FF, but it is very hard to tell.
In fact, nobody even noticed.
He who knows best knows how little he knows. - Thomas Jefferson
Yes, this is approved. But it's getting moved to its own /29 today...unfortunately, that didn't happen before slashdot got to it. ;-)
There is an identical clone of that Mac mini waiting to go on the new network, and our DNS TTL is currently set to 5 minutes, so when the cutover happens, it should be pretty transparent.
128.104.16.150
"Sure there's porn and piracy on the Web but there's probably a downside too."
One of the user names is "das".... as in http://test.doit.wisc.edu/~das/
So run that against a dictionary and see if you can get in....
SpyDock: Scientific Python in a Docker container
Corsaire - Securing Mac OS X Tiger
NSA - Mac OS X Security Configuration Guide (not yet updated for Mac OS X 10.4)
Apple - Common Criteria configuration guide
And for the "average joe"?
- Keep your machine patched
- Don't randomly open ports for services you don't use
- Have a personal firewall/router
- Don't run software you don't trust
And this doesn't "prove" anything, except that the initial ZDnet article was totally vague and sensationalistic, making it seem to an average person reading that article that a Mac OS X box could just be "hacked" by being on the internet. That is wrong, and I'm showing that. Simple. It's all explained on http://test.doit.wisc.edu/
The point of this is to see how secure the OS is w/o hardening, and in a more typical networked situation. For that matter they are softening it to attack compared to the stock configuration.
The ZDnet article simply was not reported correctly, and gave the wrong implications. Even with the added sentence, the article tries to make it sound like its vulnerable to remote exploits and you have to be worried about having your machine on the internet.
The process is pretty simple, "It's too expensive to compromise the Hardware, but the Humanware; That's cheap, and easy. First your dog/pet/loved is shoot, dead, in front of you. The next comes easier. The gun is pointed at you, and you are given 2 minutes to change the web page to some off topic theme. If you are given an extra 5 minutes, you'll learn Photoshop so that you can put an image of you doing it to a male Shetland pony in front of the members of the supreme court, all looking down on you and smiling in that knowing fashion." The D.O.D. Security Instructor that said this to me didn't even bat an eye; That's the chilling part.
The real problem is that tests like this are garbage in the first place.
In fact, Bruce Schneier (a respected cryptographer, responsible for Blowfish) addressed the topic thoroughly almost 8 years ago in his column Crypto-Gram. Here's a relevant snippet:
You see them all the time: "Company X offers $1,000,000 to anyone who can break through their firewall/crack their algorithm/make a fraudulent transaction using their protocol/do whatever." These are cracking contests, and they're supposed to show how strong and secure the target of the contests are. The logic goes something like this: We offered a prize to break the target, and no one did. This means that the target is secure.
It doesn't.
Contests are a terrible way to demonstrate security. A product/system/protocol/algorithm that has survived a contest unbroken is not obviously more trustworthy than one that has not been the subject of a contest. The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be. Contests generally don't produce useful data. There are three basic reasons why this is so.
You can read the original here.
They've removed the biggest security hole in an OS X system: The Mac User. The Mac User will set "fluffy" as their password, and attempt to install any interesting-looking screensaver that gets e-mailed to them. Not that any other OS would do much better in the face of such adversity. But it's funny that they would use a test like this to "demonstrate the security" of a desktop OS.
include $sig;
1;
One of the unusual things about the "hacked" machine was that Fink was installed. This most likely means that the Apple developer tools were installed (although Fink can install precompiled binaries), making it possible for the hacker to bring his own code and compile on the system. Although Apple ships the developer tools on the OS X client install DVD, it is not installed by default, nor is X11.
Fink lists a catalog of 6359 open source projectsthat can be installed, many of which are tools that could help a hacker exploit a machine or that are exploitable in themselves. Fink is a Debian style package manager for Mac OS X.
The future is in beta
The server appears to be Apache 1.3.3.3, one version behind the current release. The 1.3.3.4 release has a fix for this item, which would be my favorite vector, but I doubt that this server has an application that uses chunked encoding (often used for file uploads).
*) SECURITY: core: If a request contains both Transfer-Encoding and
Content-Length headers, remove the Content-Length, mitigating some
HTTP Request Splitting/Spoofing attacks. This has no impact on
mod_proxy_http, yet affects any module which supports chunked
encoding yet fails to prefer T-E: chunked over the Content-Length
purported value. [Paul Querna, Joe Orton]
I don't think that analogy is quite apt. It's more like locking someone in your basement and they figure out how to gain access to your whole house.
Okay- I like that analogy better. I've got deep deadbolts on my outside doors; the door between my basement and house has a cheap handle lock that can be popped with a long, thin screw driver.
Not to get lost in the analogy details, but I think you'll find most security skews the same way.
When I run a third party program I am essentially letting them inside, but as a non-priviledged user I'm confining them to a specific area. But if this ability to elevate privileges turn out to be a fact, then any program I run can have full access.
I think this ability to elevate privs should be analyzed on a case by case basis for all programs; as such if you are concerned about what applications a user can and can't run, remove the ability to run those applications from the machine.
However with most desktop machines your biggest worry isn't normally* an attack from within; its usually from without.
*)people on slashdot aren't normal and typically have needs that extended beyond normal users. Feel free to contribute some examples that counter this assertion.
In the future, I would want to not be isolated from my friends in the Space Station.
While you're right on the "das", it's doubtful that a dictionary crack would fix it. Since "das" is also his U of Wisc NetID (ref. the e-mail address at the bottom of the page), it's more likely that the password is the same as his U of Wisc password.
So... Anyone up for breaking into the U of Wisc password database?
Actually, I think the original test was more interesting than this one. For years we've read countless +5 Insightful posts that OS X is more secure than Windows because normal users run in restricted accounts by default. That trojans can't do anything to the system unless you're "stupid enough to type in your password". If the original hack was indeed an exploit of an undisclosed buffer overflow, it means that this argument is pretty much moot. There have already been lots of posts in this and the previous article that amounted to saying "a local exploit is no big deal, everybody has them, if you have local (restricted) access you should be expected to be compromised anyway". Are these posters saying that the supposed advantages of restricted user accounts on OS X are very overrated? Are they saying it's no big deal if the next social engineering attack is combined with a buffer overflow exploit, meaning no popups asking for your password?
If the original hacker Gwerdna (Andrew G?) was right that there are many undisclosed priviledge escalation bugs, that is a case for concern, not something to be dismissed as a mere "local" vulnerability. BSD, Linux and even Windows already have patches for NX to contain buffer offerflows, where is Apple on this?
I think that, especially if you're an Apple user, it is very important to test the claim that the OS is rifle with local priviledge escalation issues. And that's why I think the first test was much better than this one. I don't expect this U of W box to be hacked anytime soon. But this proves very little. You can even setup a Windows SP2 ISS+Remote Desktop box like this, and I don't think it will be hacked anytime soon either. But if you redo something like the original box (give normal user ssh accounts to anyone) and get hacked very quickly again, it proofs a lot. Namely that the local security measures of OS X that many have come to thrust amount to very little.
No, my position is not funded or "rewarded" by Apple.
Also, I can't say I've *ever* gotten a "freebie" anything from Apple in 22 years other than a couple of T-shirts. Oh, and a nice pen once. I've also never heard of anyone in enterprise or education getting free flat panels and iPods from Apple (except for the free iPod promotions they've had when people buy certain laptops).
Also, since Mac OS X is used *heavily* in education, particularly at large research universities, and diversity of computing platforms is important to avail faculty, staff, and students of the best resources to do their jobs, I'm sure many are interested in the general security of a typical Mac OS X machine with a couple of typical services running on the internet, especially in the wake of such misleading press coverage of the same. The only interests I represent are those of the University of Wisconsin - Madison.
And yes, this challenge is sanctioned. I'm glad that the University of Wisconsin supports the genuine interests of its faculty, staff, and students, and encourages individual thought, research, discovery, and exploration. That's why it's a great place to be!
It seems to me that tests like "remote break-in using ssh" are not as good of a fit to today's common home computing environment. For something like OS X, most home machines probably are not running any services, so it is rather pointless to try to break into them using standard ssh/http attacks.
I would prefer to see test break-in attempts set up like this:
an unprivileged "test account" is created on OS X and set up with email, web browser, and other common desktop programs
the "test account" is set up with several common methods of communicating with the outside world: email, IM, commonly-browsed web sites, webmail, banking sites, etc
the test account's email address and IM account are made public to the would-be attackers
someone regularly checks the test account's email and acts like a "gullible user" would, eg click on spam and phishing links, go to hostile web sites, follow dubious instructions received via IM from supposed friends
the challenge: attacker must be able to do something "bad": control box resources (think spyware), steal critical system information (think remote root), get bank account information (think phishing), whatever
A few years ago, this was trivial on Windows. I hear they've cleaned up their act to some extent. How well would OS X hold up? How about a standard desktop version of Linux?
Then IBM bought Data General and that was the last we heard of DG/UX B2 Secure. Pity really. They should have ditched AIX instead. But I digress...
OSX is pretty damn secure right out of the box, but Apple could do more to make it tighter by default. They've already managed the security versus usability balance far better than Microsoft has managed so far. I think Apple could push a little more over to the security side of the thing without noticably affecting usability. I also think that Apple users would accept slightly less user friendly systems in order to continue to walk around with that air of I-can't-get-spyware-or-virusses smugness that no Windows user will ever understand until they've seriously used an Apple machine for a few days. Apple's selling more than a machine. They're selling the ability to not have to live in fear every time you connect that machine to the Internet. They're selling the ability to not have to run so many third party security applications that the shiny new machine runs like a shiny new machine from 5 years ago. I think that is worth any percieved price premium.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
True, but this test still does not compare to what hosting companies are doing. Web hosting companies are (hopefully) run by professionals who secure the boxes. Web hosting companies run operating systems like RHEL that were designed for server use--Mac OS X on a Mac Mini was designed for home use.
Most importantly though, hosting companies are not giving ssh to any anonymous joe off the street, which is exactly what happened in this contest. At a minimum, web hosting companies have your credit card number before they offer you ssh. Some will demand additional information, such as a faxed copy of a driver's license. Of course a crook can get a drivers' license and a stolen credit card, but these are additional hoops to jump through that make the process of cracking the machine that much more trouble. Plus, if someone does crack the machine despite his lack of anonymity, the hosting company might be able to track him down.
This contest as reported on ZDNet was a joke. The guy gave ssh accounts to anyone who asked for them, without demanding any proof of identification. He ran it on an OS that was not designed to be run with untrusted users logged in. Furthermore, the crack was done by an anonymous person using an "undocumented" security hole, which to me calls the credibility of the whole episode into question. In what real-world situtation does anyone allow ssh login to any random, anonymous Joe?
Penny - plain text accounting
I love how the mac mini is surviving the slashdotting no probs. Sure its mostly text, but I've seen similar sites crumble in no time.
http://test.doit.wisc.edu/
Chris
"The slave who knows his master's will and does not get ready...will be be beaten with many blows."Luke 12:47-48
- Former Badger, glad I ordered one of those new MacBooks
EOT
The test is now closed and there were no sucsessful security breaches. This proves what most of us already knew about Mac OS X .This is take directly from the site http://test.doit.wisc.edu/
Mac OS X Security Test
Tue 7 March 2006 11:59 PM CST (8 March 2006 0559 GMT)
The testing period is now closed.
The response has been very strong, and the test has illustrated its point.
Traffic to the host spiked at over 30 Mbps.
Most of the traffic, aside from casual web visitors, was web exploit scripts, ssh dictionary attacks, and scanning tools such as Nessus.
The machine was under intermittent DoS attack. During the two brief periods of denial of service, the host remained up.
The test machine was a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, had two local accounts, and had ssh and http open with their default configurations.
There were no successful access attempts of any kind, including during the 38 hour duration of the test period, nor have their been any claims of success. The host is still the same host and configuration used for the test.
Some snippets from 7 March 2006:
The site received almost a half a million requests via the web.
There were over 4000 login attempts via ssh.
The ipfw log grew at 40MB/hour and contains 6 million events logged.
Several social engineering attempts were received, including one purporting to be from the government of Sweden, which apparently uses GMail. ;-)
More test results and information will be published here at a future date.