MacBook Air First To Be Compromised In Hacking Contest
Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.
Identical articles (Score:3, Insightful)
Ouch, that didn't take long. (Score:3, Insightful)
Re:Identical articles (Score:5, Insightful)
Re:I think this section is relevant (Score:5, Insightful)
Users == the problem (Score:4, Insightful)
Good to see that social engineering is still all it requires to compromise something.
Re:I think this section is relevant (Score:3, Insightful)
But as a mac user
Re:Keep the laptop (Score:5, Insightful)
Re:Identical articles (Score:1, Insightful)
You aren't totally correct on that. The article says "He was the first contestant to attempt an attack on any of the systems." (on the second day). None of the systems fell on the remote only side but when it came to test user interaction the Mac was the first one tested. I'm still waiting for the result on the other machines. It is what a lot of us suspected... because of Apple's rep., people would be eager to take on the Mac first. It is still not to say it isn't bad... oh, it is. But the contest isn't over yet.
Now if Vista and Ubuntu machines are tested by folks and hold up, then that news is more interesting to me.
My bet is on the Vista machine having an exploit but not Ubuntu.
Re:right (Score:5, Insightful)
And, in this case, the attacker deliberately chose (Score:3, Insightful)
But the issue is really not which is more vulnerable, it is that you can't run a secure browser and a convenient browser unless they are two separate browsers.
It's time to abandon the general purpose browser. It's also time to quit surfing as your log-in user. You need a browser for surfing that you run (sudo or something) as a strictly limited privilege user without log-in capabilities.
Re:Hack a Mac, Get More Publicity (Score:1, Insightful)
Re:Users == the problem (Score:5, Insightful)
Maybe it's major, or maybe no big deal (Score:5, Insightful)
So if the Mac was tagged by just loading a page that delivered the hack, that's bad. Quite bad. If he had to click and download something (and perhaps defeat the auto-quarantine they use), that's not so much a big deal, though still a hole that needs patching.
One of the things about vulnerabilities on all platforms is that a significant part of the magnitude depends on how difficult it is to exploit. Remote connections to a system that avoid/defeat a firewall are really dangerous. Attacks that require the user to do something stupid are inevitable, but far less dangerous.
Thus far most of the Mac vulnerabilities have been the second type. Luckily.
Contest rules... (Score:0, Insightful)
Re:Get the Facts is a better tag. (Score:2, Insightful)
Re:Identical articles (Score:4, Insightful)
Hold on - are you saying that Macs have a better reputation for security than linux?
Congratulations sir. Apple fanboys' capacity for self-delusion never ceases to amaze me.
Re:I wouldn't be surprised.. (Score:5, Insightful)
I say well done. (Score:5, Insightful)
I haven't RTFA but from the surface it sounds like a fair exploit test, and sure it only fell over with user interaction, but it still fell first. So good on them, they'll enjoy their prize of a macbook air and a sweet $10k.
Re:I think this section is relevant (Score:5, Insightful)
Wow, at +4 already for just quoting the summary and tossing in a vague and meaningless sentence.
So anyway, what exactly is it saying? The only thing I see there is that a completely passive attack (that is, absolutely no user interaction, like many well-known worms worked) failed. Once this part of the test was passed they allowed interactive attacks (where the user must assist the attacker in some way). Since this is how nearly all malware and malicious software spreads these days, I don't see anything wrong with this. Aside from just attaching hardware to the network, a web browser and email client are the two applications with the most Internet "surface area". As all major operating systems come bundled with a primary browser (IE, Safari, Firefox) a flaw in the browser essentially amounts to a flaw in the OS. It seems natural and obvious to put them to the test.
Re:Users == the problem (Score:3, Insightful)
I doubt it'll take much longer for all three to get taken over. There'll be some office bug, or a local service vulnerability that hasn't been patched yet, and it'll be game over, sooner rather than later.
There's a lot to be said for being exposed, it does give you the benefit of a lot more hindsight.
Re:right (Score:3, Insightful)
Re:And in other news..... (Score:4, Insightful)
Re:I wouldn't be surprised.. (Score:2, Insightful)
From what I've seen, (correct me if I'm wrong) the rules stated that no previously disclosed vulnerabilities could be used. So, if this guy kept quiet for a few weeks, he could have used exploit code he had already developed.
Good. (Score:5, Insightful)
I would rather have Apple "shamed" into providing me (and other OS X users) a more secure web browser/operating system than gain some pathetic "my system is more secure than yours" bragging rights.
Re:And in other news..... (Score:4, Insightful)
Re:misleading (Score:3, Insightful)
Re:Owning Beauty (Score:4, Insightful)
Re:I think the relevant part is: (Score:5, Insightful)
Yes, that sounds logical, if your genitals are hooked up to a car battery.
The winner got to keep the unit AND 10,000. So OBVIOUSLY they should crack the easiest unit, flip it on ebay, and then buy whatever they actually want, while pocketing the remaining 8-9 grand...
So... the moral of this story? Never underestimate the ability of an Apple fan to rationalize how the Mac could be the first to fail, yet still be the finest computer in the competition. d(^_~) [Thumbs up!]
I
Re:right (Score:4, Insightful)
Re:Users == the problem (Score:4, Insightful)
That said, ubuntu (and linux in general) are heading that way too, just not quite with the same fevered pitch.
It's the same basic premise that windows was based on: The user is in control. OSX and linux both have fairly strong boundaries between admin and user, but things are slowly wearing down, in the name of convenience. The difference being that things started out far more secure, and there's a bit more separation at the display itself, whereas win9x was not designed with this security in mind, and while NT was, it also inherited parts from win9x's shell and there were compromises at the display, etc.
Microsoft gets this now though. SQL Server's a great example of that. Hundreds of thousands of man-hours have gone into making that thing far more secure than the slammer days, just compare critical vulnerability counts from SQL-server to Oracle. Microsoft's biggest curse is legacy code now, plus a fair amount of ongoing training, and they will only shrink with time. This is mainly shifting market pressure, of course, it costs money to have negative press regarding security nowadays. It didn't in the past, and it will only increasingly have negative press for the next couple of decades at least. It's surprising that Oracle is now doing what Microsoft used to do: treat security as a marketing buzz word (Unbreakable on linux took how long to break?)
But who knows how many holes were in the old X11R6. But you didn't run that on servers, for a good reason. Guess what, there are probably lots of applications that don't handle the Windows messaging system securely and buffer-over/underrun free either.
These days, things like IE operate in Limited user mode. This goes even further than ordinary users (far more than a "power" user, and lightyears away from Administrator or SYSTEM). It's restricted to \users\%USER%\AppData\LocalLow\ and one or two other locations, and that's it (Favorites spring to mind. It gets to be a pain if those accidentally wind up back with normal ACLs, as I mentioned here [mycronite.net].)
So you need to work harder to break out of internet explorer, and IIRC, it takes permission from a privileged application to do it. Outlook's probably a juicier target, but it's been subject to the fabled crucible for a long long time, so again, it's harder.
OSX hasn't been subject to it for long at all. Safari's new. *Really* new, and you know what, it wasn't even webkit that broke, but the url bar (if memory of the bugtraq post serves.) Where did webkit come from? Oooh. that's right. KDE.
We're all in for it if apple really do gain significant market share (we being administrators, not we being "the general populace"). It may or may not be as big a problem as windows has been, but I'm willing to bet that the effects will be as dire, and apple doesn't really have a fantastic track record here, as other articles have pointed out. The momentum of not having security as a primary goal is one that takes a *long* time to turn around.
Can't wait to find out what and how (Score:5, Insightful)
There is no way any system can be perfectly secure, but this is a significant hole. While they probably won't get me to click that stupid link, they might get my mom or any number of the other avg everyday users.
At least now we can get beyond the macs can't be hacked BS and move on to securing my favorite OS and keeping it that way.
Now let's see how long it takes for Apple to post a patch, that is really where the rubber meets the road.
Re:Owning Beauty (Score:5, Insightful)
Re:Get the Facts is a better tag. (Score:5, Insightful)
Re:right (Score:3, Insightful)
I don't get it (Score:5, Insightful)
Can't we admit that, for whatever reason, the Air/Safari was easier hacked than Vista/IE7? I know this is an unpopular bandwagon to be on, especially on Slashdot, but it seems there's no two ways about it. I refuse to believe that it was a conspiracy and that every hacker was actually just trying to hack the Air and make Ubuntu and Vista pass, that's stupid. If I were a hacker, I'd totally hack the EASIEST one simply to get the $10k and the laptop. And if there were known or open vulnerabilities, it should have fallen in what, 30 seconds?
Seriously, it's not a huge deal. If we, like good open source cronies, admit that there was a problem with *gasp* part of the Apple software/laptop combo (whether it was Safari or the OS or whatever), then maybe it will be fixed. Isn't that the main idea here? I thought the point of these things was to discover vulnerabilities so that they could be fixed, not to place bets on Microsoft falling and go up in arms if it doesn't.
Unless, of course, we really aren't interested in open source software or good software at all, but are more about claiming a company name as our own.
Re:And, in this case, the attacker deliberately ch (Score:2, Insightful)
Many people in this thread keep praising privileges restriction (be it UNIX user management, IE7 sandboxing, virtual machines, or anything else) as the ultimate solution to desktop security.
While this can reduce the chance of being "totally r00ted", you can still get "pwned" pretty badly. As long as you use your sandboxed browser daily, and have any kind of permanent storage for bookmarks / cache / saved files / etc, you still risk becoming a botnet zombie, spam machine, DDOS node, pr0n/warez share, whatever. Who cares if that all works under restricted privileges.
So, by all means, manage your privileges, but beware the fake safety feeling that gives you.
Re:Get the Facts is a better tag. (Score:5, Insightful)
Re:A real hero (Score:3, Insightful)
So what if he did? As somebody who uses a Mac (and Linux, and Windows XP), I'm much happier with him having taken this route to gaining from the exploit than the one so many Windows hackers use of putting it up for auction to the highest bidder, or the Month Of Apple Bugs tactic of making exploits public before giving the people or companies whose code was at fault a chance to fix them. Nobody was directly harmed by his actions, and Apple get to close this particular hole before its details are published, so this is a net benefit to all Mac users except rabid Apple fans who are being forced to eat crow.
Modern OS distros are a vast web of complex interactions between modules, APIs, drivers, and applications, many of which were written by different people at different times who had widely differing goals. The best programmers in the world can and do make mistakes, so even if a design is flawless (and none of the currently available offerings can claim this), and every programmer is the very best example of his or her craft (the vast majority aren't), there will still be bugs, and some of those bugs will turn out to be exploitable by malicious people. Expecting things to be otherwise is even more naive than expecting those who've found an exploit to report it instead of using it for personal gain.
Maybe Apple will get serious about security now (Score:4, Insightful)
Just as long as they don't implement some Vista like "Allow or Deny?" crap... God that would drive me *nuts*!
Re:Owning Beauty (Score:4, Insightful)
Oh sweet jesus... Apple owners... spinning a truly piss-poor performance into a plus.
Reality will disappoint morons. (Score:3, Insightful)
CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security [roughlydrafted.com]
Ho-hum (Score:3, Insightful)
The perceived general level of security in a system can be directly correlated to the most recent compromise of that system. The fact that the Linux and Windows systems involved in this contest have not yet been compromised does not indicate that they are more or less secure in a general sense than the Mac. It does indicate that no one has found the vulnerability that inevitably lurks within the kernel or a piece of installed software on those systems. But rest assured, the exploits are there.
"FireFox is more secure than IE", you say on Monday. Then Slashdot posts "HUGE FRIGGING HOLE FOUND IN FIREFOX: DOOM!!!" on Tuesday. And suddenly the absolute statement you've made sounds silly.
If you don't believe this is true, try this: get hold of a system exactly like the ones currently considered "unhackable" in the contest and disable any automatic updates (and don't install any manually). Wait three months and then compare that system against one with the most recent updates. You're sure to find that your unhackable system is now full of known exploits and security holes.
The systems we rely on today are very complex and in a very real sense cannot be completely understood. There are techniques that can make them generally more secure and all of the OS developers are working to bring these features online every day. Some are better at this than others (or so it seems), but they all do it. Even Microsoft. But the thing about security is this: the bad guys only need one hole and the good guys have to cover all the bases.
The only real security in a system comes from user practices, not software. If you don't install updates on your system, it will be vulnerable. If you don't consider HOW and where you use your system, it will be vulnerable. In other words, the core component in a secure system is YOU.
It's probably true that there is a "most" secure OS and a "least" secure OS right at this moment. Take a guess which is which and you might even be correct. But there's no absolute answer that will be true tomorrow. We need to stop with the absolutes and "MY FLAVA ROCKS YER FLAVA" hyperbole and start to think more like real security experts do. The next big hack for your favorite OS is just around the corner. And there's no doubt about that.
Re:Owning Beauty (Score:3, Insightful)
To be completely fair, though, the Vista and Ubuntu machines are, according to all sources I've found, still up and still unhacked. If you can still win those (which I think you can?) even though there's no longer a cash prize there's at least incentive for someone to hack them. If it were a case of people coming prepared with vulnerabilities on all three machines you'd expect one of the other two would have been brought down by now.
I do agree, though. The bottom line is that no OS is completely secure and this is essentially just a race to use a vulnerability. I've not found a good source on whether the other two machines are still uncompromised, though, which I think is the most interesting part of this.
Re:Owning Beauty (Score:4, Insightful)
"apt-get update; apt-get upgrade;" on a Debian Stable works like a charm (because they push ONLY security and major bugfixes). I manage a farm of 30 servers for about 2 years and Debian update ALWAYS worked without any problem.
Re:Alternate headline: Mac last hacked IRL (Score:3, Insightful)
Re:A real hero (Score:3, Insightful)
(Giving up my spent mod points to reply to this)
I agree, in principle.
From a practical POV though, who's to say this guy would even bother finding obscure (one hopes) security holes anyway, without the financial and other incentives offered by this contest?
Black hats are often funded by criminals. May as well offer a carrot to the White/gray hats so they don't get tempted by the dark side.
Re:Alternate headline: Mac last hacked IRL (Score:3, Insightful)
"I have no idea why some of my boxes fall prey to security holes, so I am just going to blindly assume that X operating system is more secure than Y operating system."
There is no such thing as a "secure OS". Security is a process that is ongoing and the principles of securing a system apply to ALL operating systems. If you want a real explanation as to why your Windows machines are attacked more often than your Macs or Linux machines, try the concept of "marketshare" out. Remember a few years ago when Mac only owned a percent or two of the desktop marketshare, and there were almost no exploits being written for them? Now fast forward to triple that market share and suddenly we are seeing Mac exploits. If you think this is merely a coincidence, you need to re-think your entire security strategy. Macs aren't magical, they are just computers. A poorly configured Mac or Linux box is more vulnerable than a properly configured Windows box, and vice-versa.
And to prove that an anecdote is not the best thing to judge by, I have 2 Windows boxes at home that have been connected to the internet continuously for over 3 years. They are running XP and the built-in Windows firewall. Never been compromised, never had a virus or a rootkit. And I do occasionally surf some questionable web sites and such, but have my browsers locked down pretty good as well.
Re:A real hero (Score:3, Insightful)
The government should have no part in regulating software. The government is utterly incompetent when it comes to tech issues, and they can't even fund their patent system with sufficiently technical people to reject frivolous patents. A specific software audit agency would do no better.
Nor should the government task a third party with such a task--who is going to vet *them*, make sure they're not taking bribes?
Then we get into the "whose fault is it, really?" with hundreds of interacting components--is it the hardware's fault, the OS's fault, or the third party software's fault? I've read about the fun people had trying to get tech support for Windows PCs, where they keep passing the buck on for more obscure problems.
No, I think government regulation for software should remain restricted to critical, life-or-death systems like airplanes, nuclear power plant systems, hospital systems, etc; anything directly affecting the principles of government (e.g. voting systems); and of course any project directly initiated by government (but any organization should do this with outsourced work anyway).
Governments should be able to impose fines on, or make it easier for injured parties to sue, large commercial entities with shoddy quality. This would take care of those who developed the banking system you mentioned. Smaller outfits and non-commercial software should be immune, or have liability limited on some sliding scale, based on how many declared projects use it, how many actual users of the derived project use it, etc.
(Incidentally, if I'm not mistaken this would work out great for GPL projects--if a commercial project is not a registered, declared "user" of a GPL project, it reduces the GPL project's liability. If they then try suing for damages, they admit to using code without providing source as mandated by GPL.)
Even then there are practical and jurisdiction issues--e.g. if it's coded and hosted in a European country, how's the US government going to prevent its use in software other than their own? And at what point in a project is it considered "auditable?" Make it version 1, and it'll remain in beta forever.
Subjecting small organizations to the same rigour as large ones only prevents innovative startups from happening, and ensures that only the lumbering megacorps will survive. They're the ones who could afford all the lawyers, "quality" coders, and necessary kickbacks. The last thing we need is for the software world to be turned into the fiasco that is the telecom industry; software patents are already making the software field a landmine.
The most audited, vetted software in the world is probably that which runs the space shuttle. Overall it's probably cost tens or hundreds of millions to program/audit, uses hardware components over ten years old (all of which underwent their own audits), and all told is probably small enough to fit on a 16 MB thumb drive.
There is no need to hold most software to the same degree of reliability. Does losing an hour's work because PowerPoint crashed suck? Yes. Is it life-and-death? No (under normal circumstances). Is it worth having more government pork to audit Microsoft for security issues? No. And I despise Microsoft with a raging passion.