Forgot your password?
typodupeerror

Mac OS X Security Competition Ends in 30 Minutes 388

Posted by Hemos
from the how-secure-is-secure dept.
ninja_assault_kitten writes "ZDnet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good security was on his new fully patched Mac Mini was. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest. According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'." It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.
This discussion has been archived. No new comments can be posted.

Mac OS X Security Competition Ends in 30 Minutes

Comments Filter:
  • Why keep SSH on? (Score:4, Interesting)

    by tak amalak (55584) on Monday March 06, 2006 @11:56AM (#14858258)
    That's one of the first things you turn off to protect the machine.
    • by good soldier svejk (571730) on Monday March 06, 2006 @12:00PM (#14858298)
      Or at least restrict by host at the firewall. On OS X, remember to turn on ipfw's statefulness. [unimelb.edu.au]
    • Re:Why keep SSH on? (Score:5, Informative)

      by Daedala (819156) on Monday March 06, 2006 @12:02PM (#14858311)
      It's a Mac. You don't _keep_ SSH on. It's disabled by default. You have to turn it on deliberately.
      • Re:Why keep SSH on? (Score:2, Informative)

        by Frangible (881728)
        Excellent point, I'd mod you up if I had the points. I suppose it wasn't much of a true competition, then.
      • Re:Why keep SSH on? (Score:2, Informative)

        by BrokenHalo (565198)
        I turn SSH on on machines I routinely have to maintain. It's very useful. But I make damn sure I don't use an idiotic password crackable by any snotty-nosed little 11-year-old script-kiddie...
      • We have a Mac server here at work for testing, we set it up 100% default mainly because none of us are Mac people. A quick nmap (using just well known ports) reveals not only is SSH open, but several others. Also, non-open ports report closed, not filtered indicating no firewall, at least none with respect to it's local subnet.

        Not saying there's anything wrong with this, Solaris, FreeBSD, et al are the same, but while SSH may need enabling on a Mac desktop, it does not appear to on a Mac server.
        • by Johnny Mnemonic (176043) <mdinsmore.gmail@com> on Monday March 06, 2006 @01:04PM (#14858974) Homepage Journal

          Not saying there's anything wrong with this, Solaris, FreeBSD, et al are the same, but while SSH may need enabling on a Mac desktop, it does not appear to on a Mac server.

          Of course SSH is on by default on a Mac Server--it is designed to run, and be configured from first boot, headless. That would be pretty difficult to do if you had no services. Other default services are Apple Remote Desktop, for GUI control, and the Server Admin Suite; even the Apple Server Admin Tools can be port forwarded through SSH if you prefer.

          The assumption is that servers will be managed by those with a clue, whereas desktops will not usually be. Also, no Mac desktops are expected to be configured and maintained headless from first boot, whereas you have to specify a video card for an Xserver for it to be graphical at all. I don't think those are unreasonable assumptions to make.

        • Yes, OSX Server ships with some remote admin ports open. Apple assumes that anyone who shells out the extra cash for Server should at least poke around Server Admin.app (or Terminal if you prefer) for a few minutes. sshd and ipfw are easily controlled by either method.
    • Re:Why keep SSH on? (Score:4, Informative)

      by foniksonik (573572) on Monday March 06, 2006 @12:02PM (#14858312) Homepage Journal
      in fact with OS X you have to turn it on... it's a Sharing preference called Remote Login... hello, yes I'd like people to remotely login to my machine.. I'll just start this right up. OTH there should be a little more help info on what SSH is for those who think being able to remotely login is a good idea even though they really don't know how to do it.
    • by leonmergen (807379)

      That's one of the first things you turn off to protect the machine.

      Because the goal was to test the mac mini's security, not the ability of the system administrator to secure the box...

      • by shotfeel (235240) on Monday March 06, 2006 @12:13PM (#14858439)
        Or in this case, the ability of the system administrator to open up the box...

        SSH is off by default, the admin had to turn it on.

        Hackers don't generally have shell accounts -the admin had to set them up.

        So if you take steps to make the Mac Mini less secure, then advertise you've done so, it gets hacked. Expect all major tech outlets to cover this new and amazing Mac vulnerability (you think I'm joking?).
    • Re:Why keep SSH on? (Score:4, Interesting)

      by bombadillo (706765) on Monday March 06, 2006 @12:04PM (#14858336)
      It doesn't really matter that SSH was left on. The thing that made this easy was that they were allowed a shell account. Getting shell access is the easiest way to compromise a system. Lets see how long it would take with out a shell.
    • by falkryn (715775)
      it was setup as a typical server. without ssh, how exactly would you propose enabling access to it? telnet?? unless you actually like having to console in to 100+ servers via a serial cable...
      • Re:Why keep SSH on? (Score:5, Informative)

        by AKAImBatman (238306) * <akaimbatmanNO@SPAMgmail.com> on Monday March 06, 2006 @12:11PM (#14858406) Homepage Journal
        The problem wasn't even that he had SSH running. It was that he was giving out accounts [nyud.net]! I don't know what this guy was trying to prove, but his blind faith in Apple got him burned.

        Somewhere inside of Apple, engineers are shaking their heads at this guy and the damage he's done to the Mac's reputation.
        • by falkryn (715775) on Monday March 06, 2006 @12:14PM (#14858451)
          true, though a timeshare box on a college campus is somewhere you would easily see such a setup. remember though, this is (supposed to be) a *nix we're talking about. local user accounts should not be able to inflict such damage due to better seperation of priviliedges that exist in this world.
          • by AKAImBatman (238306) * <akaimbatmanNO@SPAMgmail.com> on Monday March 06, 2006 @12:26PM (#14858563) Homepage Journal
            remember though, this is (supposed to be) a *nix we're talking about. local user accounts should not be able to inflict such damage due to better seperation of priviliedges that exist in this world.

            But you need to remember that OS X is not designed for remote, multi-user usage. The features are there, but mostly for adminstrative purposes. The machine is first and foremost a Desktop machine that is intended to keep good guys in and bad guys out.

            Also keep in mind that it is incredibly difficult to properly configure a Unix system to be completely secure against users with shell accounts. Such security requires a complete system lockdown, complex partitioning, reassignment of services to non-root accounts, jailing of priviledged services (or equivalent), and several other procedures that I sincerely doubt that this guy performed. (In fact, the article confirmed that he could have locked the system down further, but didn't.)

            By handing out shell accounts, he might as well have been handing out the root password to his system.
            • by gowen (141411) <gwowen@gmail.com> on Monday March 06, 2006 @12:46PM (#14858777) Homepage Journal
              But you need to remember that OS X is not designed for remote, multi-user usage
              That excuse was bullshit when it was used to defend Windows boxes, and, amazingly, it remains bullshit when applied to fashionable platforms, too.
              • by AKAImBatman (238306) *
                That excuse was bullshit when it was used to defend Windows boxes

                That excuse would work for Windows if Windows didn't ship with remote vulnerabilities built-in. Unfortunately, it does. Regularly. Without fail.

                When someone can prove that OS X has the same problems (which is pretty difficult with zero open ports, and 2 degrees of separation between attachments and executable code) then I'll jump on the "OS X isn't secure" bandwagon. But for now, it remains far more secure than Windows which can be so easily e
            • Re:Why keep SSH on? (Score:3, Informative)

              by soft_guy (534437)
              MacOS X Server is in fact meant for remote multi-user usage. And it has been around since MacOS X started shipping (i.e. day one.) Where are you getting this stuff?

              Is the standard desktop version of MacOS X configured for that purpose straight out of the box? No. That's why they sell MacOS X Server. OTOH, MacOS X (non-server) is properly configured for its intended purpose and does not ship with a bunch of things turned on that make the machine particularly vulnerable to outside attacks.
        • by Brunellus (875635) on Monday March 06, 2006 @12:15PM (#14858457) Homepage

          I have a feeling that the Reality Distortion Field has already cancelled whatever negative effect this has had

        • I agree its not much of a vulnerability, but it still may point to something Apple needs to fix in proofing the OS from local exploits.
        • Somewhere inside of Apple, engineers are shaking their heads at this guy and the damage he's done to the Mac's reputation.

          And somewhere in Redmond, someone is writing him a cheque.
        • The problem wasn't even that he had SSH running. It was that he was giving out accounts! I don't know what this guy was trying to prove, but his blind faith in Apple got him burned.

          Well, I do have shell access to the macs in my University's computer labs. Are you telling me that they're no better than Windows when it comes to privilege separation and preventing a low-privilege user account from taking control over the system? Seeing how many Macs are in multiuser University labs, this might strain the RDF a
          • Re:Why keep SSH on? (Score:5, Informative)

            by AKAImBatman (238306) * <akaimbatmanNO@SPAMgmail.com> on Monday March 06, 2006 @01:26PM (#14859216) Homepage Journal
            Are you telling me that they're no better than Windows when it comes to privilege separation and preventing a low-privilege user account from taking control over the system?

            Yes and no. If your admin locks the machines down tight, then it's quite possible that the Mac servers are more secure than the Windows servers. Left with default settings, they're both highly vulnerable to anyone who already has access to the machine and is determined to find a hole. (Whether it be a buffer overflow in a priviledged service, or a soft link that gave elevated permissions.)

            Systems are extremely hard to secure once untrustworthy individuals have access to them. That's why there's a market for products like Trusted Solaris and Trusted Linux. If you need high security against local users, you can't trust anyone. Not even root.
        • by RetiredMidn (441788) * on Monday March 06, 2006 @04:52PM (#14861467) Homepage
          I don't know what this guy was trying to prove, but his blind faith in Apple got him burned.

          Considering that the picture of the machine posted on the web site (which now seems to be unavailable) showed it sitting on a shelf next to Windows programming books, I'm guessing that his "blind faith" is in something other than Apple, and his motiviation was to generate the misleading buzz that ZDNet and Cnet are facilitating.

      • by jd142 (129673) on Monday March 06, 2006 @12:18PM (#14858485) Homepage
        without ssh, how exactly would you propose enabling access to it?

        Restrict the ip addresses of the computers that can access the ssh connection. Ah, you'll say, then all the attacker has to do is get access to the computer that is on the allowed ip address list. True, but let's say you are a company with the web server www.verigon.com. That's a nice public target running apache, mysql, php, etc. All the things a good lamp server should run. That's going to be the public target.

        If I want to ssh in, I first have to connect to a different box. The thing here is that this ssh box (I'll just call it that to save typing) doesn't have to run anything but the os and ssh, thus lowering the number of software packages that can open a vulnerability. Remember, every daemon you run, every piece of software you install, every service that's enabled is another potential whole. The second part to this is that the ssh box is not a big target. It's dns name may be something like comp-1.it.verigon.com or ideally its name isn't even registered in dns. Either way, the bullseye is going to be on www.verigon.com for the casual cracker. Only someone who is specifically interested in my company is going to try to find a way in. The script kiddies will just see that ssh doesn't respond and go on to the next webserver.
      • A mac mini is *NOT* a typical server, it's intended as a workstation.

        This would have made more sense if they'd installed the version of OSX which is designated as being for servers.
    • In other news, after giving burglers the first three of four numbers for your safe's combination, the fastest can open it in less than 30 minutes.
    • The article also failed to mention that the password to gain root access to the Mac was "password."
    • I think you are missing the really obvious point here - the fact that granting shell access over SSH leads to a non-administrative user gaining root access in 30 MINUTES makes the OS entirely unsuitable in a server environment.

      True, a Mac Mini isn't typically going to be used as a server, but if Apple decides to make some kind of Intel based server, this kind of thing is a HUGE problem.
      • Re:Why keep SSH on? (Score:5, Informative)

        by bombadillo (706765) on Monday March 06, 2006 @12:28PM (#14858585)
        True, a Mac Mini isn't typically going to be used as a server, but if Apple decides to make some kind of Intel based server, this kind of thing is a HUGE problem.

        Not necessarily. The mac mini is a desktop and has a lot of software installed on it that would be deemed a security risk in production environment. Ever hear of using a complier to shell out? That is why compilers are usually left off of servers for security reasons. Your average linux/bsd desktop box with all the goodies installed probably would not have lasted much longer.
    • by adolfojp (730818) on Monday March 06, 2006 @12:30PM (#14858604)
      The safest computer that you can get is one that is not connected to the wall. Then again, it will not be very usefull.

      Turning off functionality because of security is not acceptable. It the OS offers certain features, they should be secure, otherwise, they are flawed. Stop apologizing for Apple computer and its defects.

      Cheers,
      Adolfo
  • gwerdna? (Score:5, Interesting)

    by Loconut1389 (455297) on Monday March 06, 2006 @11:56AM (#14858259)
    I wonder if the hacker's name is Andrew G. by any chance?

    What kind of hacker do you suppose he is? gwerdna is a pretty poor anagram of Andrew G.

    If that's not his name, it's fairly random.

    He's been using it since the end of 2004 at least. http://p212.ezboard.com/bnendowingsmirai.showUserP ublicProfile?gid=gwerdna [ezboard.com]
    • Re:gwerdna? (Score:2, Informative)

      by maccalvin5 (455879)
      additionally

      gwendra [felinemenace.org]
    • Werdna was the name of the evil wizard nemesis in Wizardry -- anyone remember Wizardry? -- Apple ][ game with vector graphics for dungeon hallways?

      Aaah. Memories.

      • Re:gwerdna? (Score:3, Interesting)

        by Creepy (93888)
        yep - and incidentally, Werdna was Andrew Greenberg... - which could be gwerdna... odd coincidence?

        Not related at all, but the other guy that wrote Wizardry, Robert Woodhead, was Trebor.
  • by daveschroeder (516195) * on Monday March 06, 2006 @11:56AM (#14858262)
    Mac OS X Security Challenge [wisc.edu]

    In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, I have decided to launch a Mac OS X Security Challenge.

    The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

    Almost all consumer Mac OS X machines will:

    - Not give any external entities access
    - Not even have any ports open

    The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu (128.104.16.150). The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the reqiurements.
    • And when you're done there, connect to 127.0.0.1 and root me there. Be sure to delete any files you find.
    • So, test.doit.wisc.edu is some guy you're having a war against, and now you want him to have an.. umm... unfortunate accident with his computer, right? With our help, sneaky. ;-) Mabye by the slashdotting alone. Welcome to the wild web.
    • Does Slashdotting the site count ;)

      gasmonso
    • by tpgp (48001) on Monday March 06, 2006 @12:09PM (#14858389) Homepage
      Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

      Whilst I agree that this is not the same as a remote exploit, do not underestimate the seriousness of local privilege escalation.

      For instance, an unpatched local privilege escalation, used in conjuction with the vulnerability discussed in this article [slashdot.org] could result in a rooted machine - simply from visiting a hostile website (or even a website you visit regularly, that runs IIS and has been hacked itself)

      I don't believe (as some pundits seem to) that Mac OS is a Microsoft style security disaster only awaiting the attention of hackers to happen - but I do believe that Mac owners are going to have to start paying a little more attention to security matters then they currently are.
      • Yes, local security holes are an issue...
        But a much worse issue, would be simply running as a privileged user already (no privilege escalation necessary). So no matter how many local privilege escalation holes OSX has, it's still not as bad for an end user as default installs of windows are.
    • by squiggleslash (241428) on Monday March 06, 2006 @12:16PM (#14858466) Homepage Journal
      On the other hand, it tells you what's possible if a user downloads a trojan and runs it. Despite the common argument that such hacks are, supposedly, impossible because "Only root is able to change critical files" and/or "Only admin users are able to do critical things and Apple does everything they can to encourage users not to set up their default accounts as "admin", explaining what an admin account is and the consequences of using it in their comprehensive, well written and easily readable user manual, shipped with every copy of OS X" (*snort*), it appears that, in actual fact, a trojan can escalate itself to root pretty easily.

      I've always thought OS X was more hackable than its supporters tend to say. The very fact that, until recently (like, early 2005), you could set something like this up:

      1. Set up page to "redirect" to a .sit or .zip if Safari is the browser.

      2. Have trojan in .zip or .sit associate itself with many common types of file, especially uncommon variants of popular files (MPEGs, for instance, seem to randomly pick whether they're Quicktime, VLC, MPlayer, or just not associated with anything, files in OS X)

      3. Wait (giggling with insane glee)

      Apple fixed the bug exploited in (2) above sometime in early 2005 by having the OS warn you if it was running an application for the first time. For those who are scratching their heads though: Safari, by default, opens "safe" files. This means that step one would have caused the .zip or .sit to be downloaded and extracted on the user's desktop without any user intervention. Once an application is present on a hard drive, it's already installed. In OS X (as with previous versions of Mac OS), applications include associated metadata that tells the OS "I'm an application, and I open files of types JPEG, WDOC, and CARP." If the user hasn't already associated a specific application with a specific file (because, for instance, you just downloaded it from the Internet), then opening a new file will generally cause the OS to search for applications that can open that type, pick one, and open it.

      Why am I talking about an old bug? Well, this was present in Mac OS for years, and nobody did anything about it, nobody even considered it a bug until relatively recently. Despite all the crap that's leveled against Microsoft on the same subject, some justified, much not, Apple's attitude towards security is not much better.

      If you can get a user to open an application, then you have some access to their machine. If root privileges are gainable from a regular account, then you have root access to their machine.

      And all this time I thought you'd have to do the social engineering step of, perhaps, waiting for an application that causes the "Type in an administrator username and password" dialog to come up (perhaps Installer.app, or.. perhaps... Software Update...) and throw a dialog over it that looks identical. It's easier than I thought.

    • Actually OSX has a number of UDP services open externally by default, but no TCP.
    • Be sure to deface the web server running on a system with no ports open. *grin*
    • by TClevenger (252206) on Monday March 06, 2006 @01:04PM (#14858975)
      What I'd be interested in is putting other operating systems on with the same rules as the submitter (fully patched system with free local accounts to any who ask) and see if Linux, Windows Server or any of the BSDs can stand up to the challenge.
  • how many local privilege elevation exploits exist, why am I not surprised. They should have mentioned it was NOT a remote exploit
  • by AKAImBatman (238306) * <akaimbatmanNO@SPAMgmail.com> on Monday March 06, 2006 @12:04PM (#14858331) Homepage Journal
    What was this fool trying to prove? He allowed direct SSH access to the machine! Of course someone is going to hack it! Once you're inside the system, it becomes incredibly easy to find configuration mistakes, and exploit holes in priviledged programs. Remember, this system runs much of the same software as Linux and FreeBSD. Much of that software hasn't been properly audited and locked down. Why? Because this is a desktop machine.

    Mac OS X security primarily stems from not doing anything stupid by default. Which means that there are no remote services enabled, the system tries to be intelligent about handling executable files (like most Unixes), and super-user functionality is handled by Sudo. But that's not a bullet-proof vest. There's nothing in the system that makes it automagically secure against all attacks. So if you want security, don't turn on those remote services, and don't give out SSH accounts!
    • BTW, in case I wasn't clear enough above, his automated webpage to create SSH accounts is here [nyud.net]. That will allow you to remotely login to his machine within minutes of entering your information. (Assuming he hasn't disabled it by now.)

      The guy should feel thankful that the hacker (gwerdna) was nice enough to only deface his site rather than actually "rm -rf /" his box. (Which was what this guy was asking people to do, "if they can".) :-/
    • Mac OS X security primarily stems from not doing anything stupid by default.

      And, apparently, the assumption that you trust all of your local users. So what if most people use Macs for desktops? Plenty of people use them for servers as well, and apparently OS X isn't secure by default for them.

      Even in the desktop case alone, you can't seriously consider denying local access to be enough as far as security is concerned. Decent security has multiple levels, and this is a case where one of those lev

      • by AKAImBatman (238306) * <akaimbatmanNO@SPAMgmail.com> on Monday March 06, 2006 @12:46PM (#14858776) Homepage Journal
        Like all systems, tradeoffs have to be made. I'm sitting next to a Sun Solaris system with JDS on it right now. To get the system running like I want it, I constantly have to resort to the root account to install the simplest of software. (Replace root access with sudo as you prefer.) I have to do this because it is a locked down machine intended to run software packages approved by management. Under this configuration, it's pretty hard to gain root access even with a local account.

        This configuration absolutely sucks for a home user.

        A home user can't install new software without providing a root (or sudo) password everytime they want to try a software package, they can't update the system configuration from the GUI, they can't start and stop their personal webserver, they can't look at the drive space remaining without having to decode a complex partitioning scheme, they can't do a lot of things that Mac OS X lets them do without interfereing. If Mac OS X *did* restrict these activities, users would balk at the user-unfriendliness and go back to Windows.

        So it comes back to a matter of design. It's easy to say, "that should have been secure!", but the costs of making that secure would have been too high for the average home user. Mac OS X's security has been proven to date to be sufficient for what it was designed to do, and has been shown to be at least as secure (perhaps moreso) than your average FreeBSD or Linux desktop. Show me the beef of the problem (i.e. everyday machines being compromised on a scale similar to Windows) and I'll agree with you that Mac OS X is insecure for its intended purpose. Until then, however, I'm going to go with the fact that this guy wasn't thinking straight.

        Plenty of people use them for servers as well

        Which is why Apple produces OS X Sever Edition.

        and apparently OS X isn't secure by default for them.

        You show me a server situation that involves hundreds of anonymous, remote logins to a system without any lockdown of the services to move it from a home server to a full-blown webserver, and I'll agree with you. I, personally, can't think of such a situation. Some webhosts provide SSH access, but they certainly don't run a default Linux or FreeBSD installation unless that distribution has been preconfigured for the security they need.
    • by Chemisor (97276) on Monday March 06, 2006 @12:29PM (#14858598)
      Excuse me, but if your OS can be rooted in 30 minutes from a local account, you have no business calling it secure. UNIX is supposed to have multiple local accounts and still be secure with them all running. If you close down every network port on a machine and say "come get me now", that's really not saying much. I, for one, would really like to know how he managed to get root from a local account, so I can verify I don't have the same problem on my server, which really does have ssh access to more than one person.
      • It was six hours, thirty minutes, not thirty minutes absolute. The linked article is full of vague claims and a few outright mistakes, that being one of them.

        I would like to know the guy's methods also, but apparently he's not revealing how he accomplished the escalation (although he does make some rather ridiculous-seeming claims that it would still work against a locked-down machine, which implies remote root-ability).

        I agree that local priv escalation exploits are a problem, but they're a different sort
    • You seem to take it as self-evident that there should be ways to escalate privileges, and that this is to be expected. This is most of the problem that causes nightmares for Windows users, and its not supposed to be a problem for OSX or any other form of Unix.

      If I bought OSX, I'd do it so that I could have a server, and maybe give things out to other people. If all it takes is one remote exploit (such as, for instance, giving out ssh accounts) to allow any manner of local exploit, then its not secure! Se
    • So if you want security, don't turn on those remote services, and don't give out SSH accounts!

      Funny. Sourceforge gives out SSH accounts to anyone and their dog.

      The whole *point* of unix permissions is to allow local users a shell account without worrying about your webtree etc.

      OSX is not fit to be a server.. that's about the long and short of it.
      • by AKAImBatman (238306) * <akaimbatmanNO@SPAMgmail.com> on Monday March 06, 2006 @01:41PM (#14859367) Homepage Journal
        Funny. Sourceforge gives out SSH accounts to anyone and their dog.

        Indeed. And every once in a while, Sourceforge gets hacked [sourceforge.net]. And they have a trained staff of admins who attempt to very carefully lock down the systems and separate the user logins from the systems that run web services and code repositories. (Which is why you can't blow away your own code tree. You have to ask SF to do it.)

        The only thing that's funny here (which isn't even funny) is that an inexperienced admin made his box 100% public without taking the standard precautions that every admin worth his salt would take. He blindly trusted that his Mac would be configured to do something it wasn't designed for, and he got burned. Well, DUH. I had a friend who's RedHat Linux box was remotely rooted several times without the attacker being given a shell account. Does that mean that Linux sucks at security?
  • Don't feel lonely, Mac-geeks, you're in the very good company of Linux users. The benefit of your security: You're uninteresting.

    Since "hacking" and all the other activities that end in "-ing" and often start with a "ph" are no longer fun pastimes for geeks but actually became a hunting ground for very money oriented very well organized criminal organisations, security is in small numbers: An attack has to hit as many targets as possible. Maximize your output. And, well, if there are potentially 100 Linux b
    • except for the fact that the really "interesting" boxes out there for crackers are (most?)often linux/solaris/*nix boxes. it ain't grandma jones' windows 95 compie that she plays solitaire on, it's that sunfire running oracle with the employee payroll database they'll be after.
    • "...as long as you're the only one using it you're safe..."

      Or if you have information that someone else wants. Or you've made enemies with someone who wants to cause you harm. Or if your system has common vulnerabilities that might be exploited by bots, viruses, or worms. Or...
  • by RichDiesal (655968) on Monday March 06, 2006 @12:09PM (#14858383)
    I'm not really sure why this competition happened in the first place. If you were a Mac OS X enthusiast wanting to show the "amazing" security of your OS, why would you leave the first major door wide open?

    And who gains from this publicity? It would seem like sponsoring a hacking competition that took MORE than 30 minutes (seemingly the goal of such an event) would be good for Apple, but then why leave the system more vulnerable at the start of the contest? And if it was really sponsored by an anti-Apple group posing as an pro-Apple group, why have the hacker claim that Macs are essentially "small pickin's"?

    It just doesn't make sense...
  • ...consider disconnecting your Internet connection. Duh.

    The only trend to security is that there isn't any financial motivation to hack small-potatoes.
    • >...consider disconnecting your Internet connection. Duh.

      you don't understand why the Mac got hacked. even disconnecting the internet does not help if you're giving people accounts on your machine, it just means only people in the same room as you can take part in the competition instead of anyone else on the internet.

      if you want a secure computer without learning how to be a linux admin, then just buy a Mac and don't go out of your way to have it hacked.
  • by acomj (20611) on Monday March 06, 2006 @12:11PM (#14858403) Homepage
    This was a while ago, but when you give a user a local account, its almost assumed that if they really wanted to they could get root. You should take care when giving out accounts.

    It like giving physical access to a machine. If you give physical access to any linux machine, its not hard to log onto it. (this is why you lock up the machines!)

  • much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.

    Didn't we just have a discussion over how people leave their wireless AP open for anyone to use? I don't think the SSH agent is on by default, and I think that the firewall blocks it by default, but that doesn't mean this is always the case. Given the reality of modern setups, where cable modems and wireless gives untrusted parties direct acess to the

    • Being on a cable modem puts your machine on the same network as others, but it does not give them an account on your machine. This hack would be no different than the person sitting down in front of the actual mini and logging in there. He already had some permissions on the machine and used a local exploit.

      It would be like asking the Pentagon for a username on their server, because hey, it isn't root, you can't do any damage. No admin in their right mind would do it.

  • by Anonymous Coward
    This "30 min" contest was for people with an actual SSH account given to them for a LOCAL exploit, so its not a remote exploit, it also is not the most secure version of the Mac OS, but for SERVERS, nothing is as secure as MacOS.

    Despite many high profile web sites and servers using OS9 for many years, not one database entry in the large BugTraq database documents a remote exploit for standard Mac OS in the history of the internet, even whith a common web server running on it.

    Even the US Army used macs exclu
    • So?

      You're describing an OS that hasn't been sold in 4-5 years, will not run on any currently-produced hardware, and because it is closed-source and nonstandard, cannot be easily used with the vast majority of modern server applications, languages, and tools being used these days.

      I have faithfully used the mac for 15 years and I agree there were some strong security benefits to the classic OS. At the same time, when I am working as an admin and/or developer these days I want recent versions of MySQL and PH
  • RTFM guys... (Score:2, Informative)

    by d3ac0n (715594)
    Before the Mac-o-philes here start getting all bent out of shape, perhaps reading the article in question would be a good start...

    Here's a salient quote:

    "The rm-my-mac challenge was setup similar to how you would have a Mac acting as a server -- with various remote services running and local access to users... There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.

    "There are only limited
    • Re:RTFM guys... (Score:3, Insightful)

      by MBCook (132727)
      The rm-my-mac challenge was setup similar to how you would have a Mac acting as a server[...]

      Wrong. He was using OS X, not OS X Server. Running a little website behind a firewall is probably safe with OS X. Handing out shell accounts on a desktop os?

      From his site: It runs a default install of Mac OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP. Software Update recently updated it to Mac OS X 10.4.5 and fixed some security issues.

      Default install of Mac OS X Tiger.

      Apple has a serv

  • by Dekortage (697532) on Monday March 06, 2006 @12:19PM (#14858497) Homepage

    So SSH was on and accessible? Dumb move. Like saying "I dare you to steal my jewelry from my bedroom -- oh, and my house is unlocked with the windows open."

    But maybe people WANT something to be stolen. Many years ago, the garbagemen (sanitation workers) in NYC went on strike, and garbage was piling up in the streets. A relative of mine in Brooklyn still managed to get rid of his: he put it in big boxes, wrapped the boxes in gift paper with bows, and left them in his car with the doors unlocked. They always got stolen.

    How this applies to the story, I dunno, but I still think it's funny.

    • by Phanatic1a (413374) on Monday March 06, 2006 @12:40PM (#14858703)
      So SSH was on and accessible?

      My ISP, Panix, will gladly sell you a shell account. You can SSH into it, or telnet, if you don't care. And yet, they're not rooted every 30 minutes. Or, ever.

      If giving someone SSH access is 30 minutes away from giving them root, that's not secure.
    • by Coryoth (254751) on Monday March 06, 2006 @02:24PM (#14859797) Homepage Journal
      So SSH was on and accessible? Dumb move. Like saying "I dare you to steal my jewelry from my bedroom -- oh, and my house is unlocked with the windows open."

      There have been SELinux security competitions that gave out SSH access as root and the boxes remained quite safe. There do exist standards of security which make your standards look remarkable poor and forgiving. Good security does exist, and pretending that it doesn't does not make you any more secure.

      Jediiah.
  • andrewg = gwerdna (Score:3, Informative)

    by numacra (805808) on Monday March 06, 2006 @12:23PM (#14858540) Homepage
    Andrewg does know what he talking about. andrewg has published papers (not on mac security) and is part of some wonderful communities pulltheplug.org [pulltheplug.org] and felinemenace.org [felinemenace.org] . I assure you that this machine would of been hacked... with SSH access or not. I think it shows the importance of having patches that minimize possible exposure (i.e grsec/pax etc) that would of decreased the chances of successful exploitation dramatically.... but then again nothing is bullet proof

  • What to have some fun? Count how many post show up that try to make excuses
    for the Mac. Man, if this were a windows box, I assure you that 99% of the
    the post would be slamming MS w/o a second thought.

    Although people want to point out that they shouldn't have allowed people to
    have a SSH connection, you need to keep in mind that an SSH connection was
    allowed because they thought the config was secure enough to handle it.

    I do give them kodos for allowing the hack contest to take place. The best
    way t
  • The first thing that I'm going to do as a "normal user" is turn on SSH and Personal Web Sharing. Then I'm going give anyone who wants access to my machine an SSH account.

    This "test" was silly and unrealistic, at best.

    Here's a "real" test:
    1) Turn on brand new Mac Mini
    2) Update to latest rev of OS
    3) Try to hack it from the Internet, without knowing its IP address.

    Good frackin' luck!
  • This is hardly irrelevant.

    I'm disturbed by the attitude that anything but a remote exploit against an ideally (not typically or justifiably) configured box is meaningless or misleading.

    What good is a door if it's welded shut? Wouldn't a proper lock be more useful?

    Security should be about maximizing functionality securely, not limiting it.

    • by 99BottlesOfBeerInMyF (813746) on Monday March 06, 2006 @02:08PM (#14859653)

      What good is a door if it's welded shut? Wouldn't a proper lock be more useful? Security should be about maximizing functionality securely, not limiting it.

      Ideally, any user should be restricted to the behaviors intended by the administrator and there should be no local privilege escalations. Realistically, however, this does not really happen except in a few special cases of extremely security oriented OS's. The first line of defense is how many services you have, think of them as gates in a castle. The second is the firewall, how many gates are open for business. The third is the username/password, do the guards know you and will they let you in. These guard against most threats except for someone who can impersonate someone else or insider threats who have access but want more access. In this case the "hackers" was given legitimate access to come in through the open gate. (A gate the admin specifically had to open and using the username and password the admin gave them.)

      Once inside there is still security, but it is much, much less. On the average Windows machine at this point there is no security at all and even on a well secured Windows machine there are thousands of unpatched privilege escalation exploits. At this point on either a Mac OS X desktop or the average Linux machine a knowledgeable security person will be able to gain admin access. That is a sad fact, but it is the case for the vast majority of systems. Exceptions might be a locked down OpenBSD box running jails, an SELinux box, or some other specialized ultra-secure OS running virtual machines. Very few people run those machines as desktops and those that due generally don't have the best experience because they sacrifice a lot of usability to gain that level of security.

      This "test" was no surprise to anyone with a clue. That is exactly what would be expected to happen. Also, some of the better security guys out there can definitely gain remote access to machines using unpublished vulnerabilities. If they really want in they will get into the average OS X or Linux box. So what are we talking about here? Well obviously this is still much better than Windows, but not impregnable. What it does is make you pretty safe from automated worms and your average script kiddie, which far outnumber the knowledgeable crackers out there.

      Ideally, all desktop OS's would be locked down more tightly. They would do more security auditing and they would implement ACLs, VMs, or jails for all remote access and all applications. Some day perhaps they will. But for right now it is not a big concern, simply because market does not call for it. Not many people really have data that needs to be kept secure against experts and those that do have specialized OS's to use. Of course they can't run photoshop or World of Warcraft and the users would not trust their internet connection to talk to WoW servers anyway using all closed source. That is a task better allocated to a regular desktop, not a locked down, ultra-secure server. And that is what this "test" has shown. OS X is a desktop and if you bypass all the primary security on it, it will not stand up to a cracker from the inside like OpenBSD might. Of course anyone who really cares already knew that.

  • by ChrisA90278 (905188) on Monday March 06, 2006 @01:17PM (#14859106)
    That's one of the first things you turn off to protect the machine. No, you don't have to turn it off. Just don't give out user accounts to other people. These guys who broke in where gien accounts with passwords. SSH is very secure as long as you closely control what accounts may be accessed via ssh and varify that these accounts use strong passwords. But if you machine has an account with username "bob" and uses "bob" as the password your sytem is wide open, or at least Bob's account is.
  • Astroturfing? (Score:5, Interesting)

    by aphor (99965) on Monday March 06, 2006 @01:45PM (#14859408) Journal

    The whole article seemed to culminate in the following information: some guy said if Macs were more popular they would have a worse record than "other operating systems." It seems to be comparing OS X to Linux, but it isn't entirely clear what the baseline is for their eval of Mac OS.X and it also doesn't clarify what exactly makes these OSs different. Also, the web site defacement isn't proof that the person with an unprivileged account acquired superuser privileges to do anything other than deface the web page. I don't doubt it could have happened, but maybe it did and maybe it didn't...

    "The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms.... If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems," said Archibald at the time.

    Also, giving people LDAP accounts on the machine is really cheating. Maybe some noobs get a boner when someone fuzzes the hell out of a box from a local account until they get some fuzz escalated **BORING**. If they really wanted to throw down the gauntlet, then we would see Mandatory Access Control [freebsd.org] implemented on OS X . The big difference is that the MAC policies would be enforceable at the Mach [stepwise.com] MK level (on Mach ports, tasks, processes...), and OS X would be the ONLY OS with a security policy interface that could come close to usable for average people.

  • multi-platform hack (Score:3, Interesting)

    by farble1670 (803356) on Monday March 06, 2006 @02:04PM (#14859619)
    what would be much more interesting is if some nice person set up multiple OS platforms, configured them with the same services, and waited to see how long it'd take to hack each of them. maybe lock them down a little more than the mac mini test, just to make it more of a challenge. maybe: windows XP, os x, solaris, and a couple of linux dists ... ?
  • I mean, really. You have local root exploits on OS X. I'm not surprised, when you have companies like Adobe shipping apps containing setuid root shell scripts. Suppose you set them up with an Interix or Cygwin ssh login on Windows, how long would it take to deface IIS? Or would you even bother calling that an "exploit"?

    If you need to give potentially hostile users shell, you want them in a FreeBSD jail at a minimum.

I have not yet begun to byte!

Working...