
Mac OS X Security Competition Ends in 30 Minutes

Hemos posted more than 8 years ago | from the how-secure-is-secure dept.

ninja_assault_kitten writes "ZDnet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good the security on his new, fully patched Mac Mini was. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest. According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'" It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.

388 comments

Why keep SSH on? (4, Interesting)

tak amalak (55584) | more than 8 years ago | (#14858258)

That's one of the first things you turn off to protect the machine.

Re:Why keep SSH on? (3, Insightful)

good soldier svejk (571730) | more than 8 years ago | (#14858298)

Or at least restrict by host at the firewall. On OS X, remember to turn on ipfw's statefulness. [unimelb.edu.au]

Re:Why keep SSH on? (5, Informative)

Daedala (819156) | more than 8 years ago | (#14858311)

It's a Mac. You don't _keep_ SSH on. It's disabled by default. You have to turn it on deliberately.

Re:Why keep SSH on? (2, Informative)

Frangible (881728) | more than 8 years ago | (#14858433)

Excellent point, I'd mod you up if I had the points. I suppose it wasn't much of a true competition, then.

Re:Why keep SSH on? (2, Informative)

BrokenHalo (565198) | more than 8 years ago | (#14858503)

I turn SSH on on machines I routinely have to maintain. It's very useful. But I make damn sure I don't use an idiotic password crackable by any snotty-nosed little 11-year-old script-kiddie...

Re:Why keep SSH on? (0)

Anonymous Coward | more than 8 years ago | (#14858583)

That is the easy part: use a 4k-bit RSA key for identification. Generate the key on your remote machines, and sneaker-net the public keys (one per machine you want to authorize) onto your host machine. Pretty much puts password-forcing out of reach until a fast factoring method is found which can break down a large key in reasonable time. It doesn't do jack for any buffer vulnerabilities in SSH, though.

Re:Why keep SSH on? (1, Redundant)

BrokenHalo (565198) | more than 8 years ago | (#14858641)

This is true, but you still have to have sshd running for that to be useful...

Perhaps with a desktop Mac (3, Informative)

Sycraft-fu (314770) | more than 8 years ago | (#14858616)

We have a Mac server here at work for testing; we set it up 100% default, mainly because none of us are Mac people. A quick nmap (using just well known ports) reveals not only is SSH open, but several others. Also, non-open ports report closed, not filtered, indicating no firewall, at least none with respect to its local subnet.

Not saying there's anything wrong with this, Solaris, FreeBSD, et al are the same, but while SSH may need enabling on a Mac desktop, it does not appear to on a Mac server.

Re:Why keep SSH on? (3, Informative)

foniksonik (573572) | more than 8 years ago | (#14858312)

in fact with OS X you have to turn it on... it's a Sharing preference called Remote Login... hello, yes I'd like people to remotely login to my machine.. I'll just start this right up. OTH there should be a little more help info on what SSH is for those who think being able to remotely login is a good idea even though they really don't know how to do it.

Re:Why keep SSH on? (2, Insightful)

leonmergen (807379) | more than 8 years ago | (#14858318)

That's one of the first things you turn off to protect the machine.

Because the goal was to test the mac mini's security, not the ability of the system administrator to secure the box...

Re:Why keep SSH on? (4, Insightful)

shotfeel (235240) | more than 8 years ago | (#14858439)

Or in this case, the ability of the system administrator to open up the box...

SSH is off by default, the admin had to turn it on.

Hackers don't generally have shell accounts - the admin had to set them up.

So if you take steps to make the Mac Mini less secure, then advertise you've done so, it gets hacked. Expect all major tech outlets to cover this new and amazing Mac vulnerability (you think I'm joking?).

Re:Why keep SSH on? (3, Insightful)

Golias (176380) | more than 8 years ago | (#14858478)

Why does the word "astroturf" slowly creep into my waking mind as I read more and more about this bogus contest?

Re:Why keep SSH on? (1)

LnxAddct (679316) | more than 8 years ago | (#14858529)

The guy who set up the server *enabled* the services like ssh, apache, etc... (they are off by default). The black hat who cracked it didn't specify whether the unknown vulnerability was for one of the services enabled (i.e. apache) or a local mac exploit, and there is a huge difference. If the server owner gave everyone some kind of guest account, then I can see this being an unpublished local exploit and a true problem for the mac. In any other case, the hacker probably used an unpublished vuln for one of the running services and the hacker is just making it seem like he knows an unpublished mac vuln to be "1337". The mac security by default is significantly better than the security on the box that was cracked. Regardless, I still prefer linux for my OS, I like the many security patches/options (exec-shield, SELinux, compiling with randomized memory mappings, virtualization -- not necessarily for security but can be, etc...); even if an attacker does find a way in, statistically it will give him no benefit in the majority of cases.
Regards,
Steve

Re:Why keep SSH on? (3, Interesting)

bombadillo (706765) | more than 8 years ago | (#14858336)

It doesn't really matter that SSH was left on. The thing that made this easy was that they were allowed a shell account. Getting shell access is the easiest way to compromise a system. Let's see how long it would take without a shell.

Re:Why keep SSH on? (2, Insightful)

falkryn (715775) | more than 8 years ago | (#14858346)

it was set up as a typical server. without ssh, how exactly would you propose enabling access to it? telnet?? unless you actually like having to console in to 100+ servers via a serial cable...

Re:Why keep SSH on? (5, Informative)

AKAImBatman (238306) | more than 8 years ago | (#14858406)

The problem wasn't even that he had SSH running. It was that he was giving out accounts [nyud.net] ! I don't know what this guy was trying to prove, but his blind faith in Apple got him burned.

Somewhere inside of Apple, engineers are shaking their heads at this guy and the damage he's done to the Mac's reputation.

Re:Why keep SSH on? (4, Insightful)

falkryn (715775) | more than 8 years ago | (#14858451)

true, though a timeshare box on a college campus is somewhere you would easily see such a setup. remember though, this is (supposed to be) a *nix we're talking about. local user accounts should not be able to inflict such damage due to the better separation of privileges that exists in this world.

Re:Why keep SSH on? (4, Insightful)

AKAImBatman (238306) | more than 8 years ago | (#14858563)

remember though, this is (supposed to be) a *nix we're talking about. local user accounts should not be able to inflict such damage due to the better separation of privileges that exists in this world.

But you need to remember that OS X is not designed for remote, multi-user usage. The features are there, but mostly for administrative purposes. The machine is first and foremost a Desktop machine that is intended to keep good guys in and bad guys out.

Also keep in mind that it is incredibly difficult to properly configure a Unix system to be completely secure against users with shell accounts. Such security requires a complete system lockdown, complex partitioning, reassignment of services to non-root accounts, jailing of privileged services (or equivalent), and several other procedures that I sincerely doubt that this guy performed. (In fact, the article confirmed that he could have locked the system down further, but didn't.)

By handing out shell accounts, he might as well have been handing out the root password to his system.

RDF defeats all (4, Funny)

Brunellus (875635) | more than 8 years ago | (#14858457)

I have a feeling that the Reality Distortion Field has already cancelled whatever negative effect this has had

Re:Why keep SSH on? (0)

Golias (176380) | more than 8 years ago | (#14858502)

I don't know what this guy was trying to prove

Perhaps he was one of those people trying to "prove" that Macs are "not so secure after all."

Just a thought.

Re:Why keep SSH on? (1)

shotfeel (235240) | more than 8 years ago | (#14858515)

I agree it's not much of a vulnerability, but it still may point to something Apple needs to fix in proofing the OS from local exploits.

Re:Why keep SSH on? (2, Funny)

Scrameustache (459504) | more than 8 years ago | (#14858573)

Somewhere inside of Apple, engineers are shaking their heads at this guy and the damage he's done to the Mac's reputation.

And somewhere in Redmond, someone is writing him a cheque.

Re:Why keep SSH on? (1)

ScriptedReplay (908196) | more than 8 years ago | (#14858588)

The problem wasn't even that he had SSH running. It was that he was giving out accounts! I don't know what this guy was trying to prove, but his blind faith in Apple got him burned.

Well, I do have shell access to the macs in my University's computer labs. Are you telling me that they're no better than Windows when it comes to privilege separation and preventing a low-privilege user account from taking control over the system? Seeing how many Macs are in multiuser University labs, this might strain the RDF a bit if exploits start circulating.

Re:Why keep SSH on? (3, Insightful)

jd142 (129673) | more than 8 years ago | (#14858485)

without ssh, how exactly would you propose enabling access to it?

Restrict the ip addresses of the computers that can access the ssh connection. Ah, you'll say, then all the attacker has to do is get access to the computer that is on the allowed ip address list. True, but let's say you are a company with the web server www.verigon.com. That's a nice public target running apache, mysql, php, etc. All the things a good lamp server should run. That's going to be the public target.

If I want to ssh in, I first have to connect to a different box. The thing here is that this ssh box (I'll just call it that to save typing) doesn't have to run anything but the OS and ssh, thus lowering the number of software packages that can open a vulnerability. Remember, every daemon you run, every piece of software you install, every service that's enabled is another potential hole. The second part to this is that the ssh box is not a big target. Its DNS name may be something like comp-1.it.verigon.com or ideally its name isn't even registered in DNS. Either way, the bullseye is going to be on www.verigon.com for the casual cracker. Only someone who is specifically interested in my company is going to try to find a way in. The script kiddies will just see that ssh doesn't respond and go on to the next webserver.
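Taking the two defensive suggestions in this branch of the thread together (key-only logins, and limiting which hosts may even attempt to reach sshd), here is an added audit script, not from the thread or from Apple, that parses an OpenSSH-style sshd_config and flags the exposures being discussed. The two sample configs are constructed for the example.

```python
"""Audit an OpenSSH sshd_config for the exposures the thread discusses: password
logins reachable from anywhere, direct root login, and no source restriction.
Added example; assumes OpenSSH sshd_config syntax and its documented defaults."""
from __future__ import annotations

import re

# Values sshd uses when a directive is absent.  Older OpenSSH releases defaulted
# PermitRootLogin to "yes", which is the pessimistic value assumed here.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text: str) -> tuple[dict[str, str], list[dict]]:
    """Split a config into global directives and Match blocks.

    Keys and values are lower-cased.  As in sshd, the first occurrence of a
    directive wins, and every line after "Match" belongs to that block until
    the next "Match" line.
    """
    global_directives: dict[str, str] = {}
    match_blocks: list[dict] = []
    current: dict | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "directives": {}}
            match_blocks.append(current)
            continue
        target = global_directives if current is None else current["directives"]
        target.setdefault(key, value)  # first occurrence wins
    return global_directives, match_blocks


def audit_sshd_config(text: str) -> list[tuple[str, str]]:
    """Return (code, explanation) findings; an empty list means nothing flagged."""
    glob, blocks = parse_sshd_config(text)

    def effective(key: str) -> str:
        return glob.get(key, DEFAULTS.get(key, ""))

    findings: list[tuple[str, str]] = []
    if effective("passwordauthentication") != "no":
        findings.append(("PASSWORD_AUTH",
                         "password logins accepted from any source; set "
                         "PasswordAuthentication no and use keys"))
    if effective("pubkeyauthentication") == "no":
        findings.append(("NO_PUBKEY", "public-key authentication is disabled"))
    if effective("permitrootlogin") == "yes":
        findings.append(("ROOT_LOGIN", "direct root login permitted; set PermitRootLogin no"))
    if effective("permitemptypasswords") == "yes":
        findings.append(("EMPTY_PASSWORDS", "empty passwords are accepted"))

    # Source restriction: AllowUsers/AllowGroups at top level (user@host or CIDR
    # patterns) or a "Match Address" block limits who may even attempt a login.
    restricted = ("allowusers" in glob or "allowgroups" in glob
                  or any(b["criteria"].startswith("address") for b in blocks))
    if not restricted:
        findings.append(("NO_SOURCE_RESTRICTION",
                         "no AllowUsers/AllowGroups or Match Address; any host may try"))

    # A Match block that re-enables passwords must itself be scoped by Address,
    # otherwise it quietly undoes a global "PasswordAuthentication no".
    for b in blocks:
        if (b["directives"].get("passwordauthentication") == "yes"
                and not b["criteria"].startswith("address")):
            findings.append(("PASSWORD_AUTH_MATCH",
                             f"Match {b['criteria']} re-enables passwords without an Address scope"))
    return findings


# Constructed sample configs (not taken from the contest machine).
WEAK_CONFIG = """
# sshd_config as it might look on a box handing out shell accounts
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers admin@10.0.0.0/8
# Only the management subnet may fall back to passwords
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, [code for code, _ in audit_sshd_config(cfg)])
```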

Re:Why keep SSH on? (1)

Bert64 (520050) | more than 8 years ago | (#14858599)

A mac mini is *NOT* a typical server, it's intended as a workstation.

This would have made more sense if they'd installed the version of OSX which is designated as being for servers.

Re:Why keep SSH on? (3, Funny)

shotfeel (235240) | more than 8 years ago | (#14858351)

In other news, after giving burglars the first three of four numbers for your safe's combination, the fastest can open it in less than 30 minutes.

Re:Why keep SSH on? (0)

Anonymous Coward | more than 8 years ago | (#14858374)

Please elaborate on this. Since when is running SSH insecure (assuming good passwords)?

fanboy (0)

Anonymous Coward | more than 8 years ago | (#14858377)

If it were windows, you'd not have seen this as an issue. Plus he was talking about default stuff. Windows is safe if you patch your system, leave the firewall on, and yeah and don't web browse ;).
Btw, Windows hasn't had a network based remote exploit since SP2 came out. That is, to get compromised you must either visit a malicious website or view an email that contains malicious code (Mac OS was vulnerable to this too until they patched it a couple weeks ago).

Parent is a troll. (1, Informative)

Anonymous Coward | more than 8 years ago | (#14858408)

SSH (secure shell) is one of the services that's relatively OK to keep on.

What's interesting in this case (and different from real world servers) is that they gave SSH login accounts to the people testing the system.

The idea was to test that even *if* someone had all the access that SSH allows, how easy it would be to get further.

(my guess is that the parent is a msft troll trying to suggest that windows terminal services is safer than ssh because ssh was enabled here)

Re:Why keep SSH on? (3, Funny)

BodhiCat (925309) | more than 8 years ago | (#14858450)

The article also failed to mention that the password to gain root access to the Mac was "password."

Re:Why keep SSH on? (3, Insightful)

Hrothgar The Great (36761) | more than 8 years ago | (#14858453)

I think you are missing the really obvious point here - the fact that granting shell access over SSH leads to a non-administrative user gaining root access in 30 MINUTES makes the OS entirely unsuitable in a server environment.

True, a Mac Mini isn't typically going to be used as a server, but if Apple decides to make some kind of Intel based server, this kind of thing is a HUGE problem.

Re:Why keep SSH on? (0)

Anonymous Coward | more than 8 years ago | (#14858518)

What does the hardware have to do with the security of the OS? It's the same OS on both chips.

Re:Why keep SSH on? (1)

Hrothgar The Great (36761) | more than 8 years ago | (#14858546)

True enough - my point was that at the moment, Apple doesn't seem to care about the server market. The announcement of an Intel-based server would indicate that they still want a piece of it.

Re:Why keep SSH on? (1)

jaywarrietto (720662) | more than 8 years ago | (#14858561)

I don't know what the differences are exactly, but there is a version of OS X that is for servers - OS X 10.4 Server.

Re:Why keep SSH on? (4, Informative)

bombadillo (706765) | more than 8 years ago | (#14858585)

True, a Mac Mini isn't typically going to be used as a server, but if Apple decides to make some kind of Intel based server, this kind of thing is a HUGE problem.

Not necessarily. The mac mini is a desktop and has a lot of software installed on it that would be deemed a security risk in a production environment. Ever hear of using a compiler to shell out? That is why compilers are usually left off of servers for security reasons. Your average linux/bsd desktop box with all the goodies installed probably would not have lasted much longer.

Re:Why keep SSH on? (3, Insightful)

adolfojp (730818) | more than 8 years ago | (#14858604)

The safest computer that you can get is one that is not connected to the wall. Then again, it will not be very useful.

Turning off functionality because of security is not acceptable. If the OS offers certain features, they should be secure; otherwise, they are flawed. Stop apologizing for Apple computer and its defects.

Cheers,
Adolfo

Re:Why keep SSH on? (0)

Anonymous Coward | more than 8 years ago | (#14858621)

It has nothing to do with SSH, it has everything to do with privilege escalation...

Email viruses are supposedly unlikely on a mac because you need the vital root privileges.

It is now proven that this protection can easily be removed.

Re:Why keep SSH on? (0)

Anonymous Coward | more than 8 years ago | (#14858652)

The point is not whether SSH is on or not. The point is that he was able to get admin privileges. Now imagine some well crafted URL/webpage that is sent to an honest user. He clicks it, he gets overflowed without knowing, and the overflow now has a chance to become root and install spyware/keyloggers/etc...

You should always worry about root exploits, even if you don't have servers running.

gwerdna? (5, Interesting)

Loconut1389 (455297) | more than 8 years ago | (#14858259)

I wonder if the hacker's name is Andrew G. by any chance?

What kind of hacker do you suppose he is? gwerdna is a pretty poor anagram of Andrew G.

If that's not his name, it's fairly random.

He's been using it since the end of 2004 at least. http://p212.ezboard.com/bnendowingsmirai.showUserPublicProfile?gid=gwerdna [ezboard.com]

Re:gwerdna? (0)

Anonymous Coward | more than 8 years ago | (#14858359)

It's not an anagram, it's andrewg backwards. Duh.

Re:gwerdna? (1)

Loconut1389 (455297) | more than 8 years ago | (#14858461)

really. I never noticed that.

Technically, it is an anagram, which is simply a rearrangement of letters. This particular rearrangement had some order to it. Perhaps he arrived at it by rotating through combinations of his name and stopped on gwerdna without realizing it. Either way, it remains an anagram- and like I said, a poor one at that (for protecting his identity at least).

from webster.com:
Main Entry: anagram
Pronunciation: 'a-n&-"gram
Function: noun
Etymology: probably from Middle French anagramme, from New Latin anagrammat-, anagramma, modification of Greek anagrammatismos, from anagrammatizein to transpose letters, from ana- + grammat-, gramma letter -- more at GRAM
1 : a word or phrase made by transposing the letters of another word or phrase
2 plural but singular in construction : a game in which words are formed by rearranging the letters of other words or by arranging letters taken (as from a stock of cards or blocks) at random

Re:gwerdna? (2, Informative)

maccalvin5 (455879) | more than 8 years ago | (#14858572)

additionally

gwendra [felinemenace.org]

Mac OS X Security Challenge (5, Interesting)

daveschroeder (516195) | more than 8 years ago | (#14858262)

Mac OS X Security Challenge [wisc.edu]

In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, I have decided to launch a Mac OS X Security Challenge.

The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

Almost all consumer Mac OS X machines will:

- Not give any external entities access
- Not even have any ports open

The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu (128.104.16.150). The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the requirements.

Re:Mac OS X Security Challenge (2, Funny)

byolinux (535260) | more than 8 years ago | (#14858319)

And when you're done there, connect to 127.0.0.1 and root me there. Be sure to delete any files you find.

Re:Mac OS X Security Challenge (0)

Anonymous Coward | more than 8 years ago | (#14858548)

Done! What do I get?

Re:Mac OS X Security Challenge (5, Funny)

Bromskloss (750445) | more than 8 years ago | (#14858326)

So, test.doit.wisc.edu is some guy you're having a war against, and now you want him to have an.. umm... unfortunate accident with his computer, right? With our help, sneaky. ;-) Maybe by the slashdotting alone. Welcome to the wild web.

Re:Mac OS X Security Challenge (2, Funny)

gasmonso (929871) | more than 8 years ago | (#14858332)

Does Slashdotting the site count ;)

gasmonso

Re:Mac OS X Security Challenge (0)

Anonymous Coward | more than 8 years ago | (#14858381)

Your port 110 is showing, zip up.

Re:Mac OS X Security Challenge (0)

Anonymous Coward | more than 8 years ago | (#14858537)

Your port [goatse.cx] is showing.

http://rm-my-mac.wideopenbsd.org (0)

Anonymous Coward | more than 8 years ago | (#14858384)

The contest mentioned in the article is available here http://rm-my-mac.wideopenbsd.org.nyud.net:8080/ [nyud.net]

Re:Mac OS X Security Challenge (5, Insightful)

tpgp (48001) | more than 8 years ago | (#14858389)

Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

Whilst I agree that this is not the same as a remote exploit, do not underestimate the seriousness of local privilege escalation.

For instance, an unpatched local privilege escalation, used in conjunction with the vulnerability discussed in this article [slashdot.org] could result in a rooted machine - simply from visiting a hostile website (or even a website you visit regularly, that runs IIS and has been hacked itself).

I don't believe (as some pundits seem to) that Mac OS is a Microsoft style security disaster only awaiting the attention of hackers to happen - but I do believe that Mac owners are going to have to start paying a little more attention to security matters than they currently are.

Re:Mac OS X Security Challenge (4, Informative)

squiggleslash (241428) | more than 8 years ago | (#14858466)

On the other hand, it tells you what's possible if a user downloads a trojan and runs it. Despite the common argument that such hacks are, supposedly, impossible because "Only root is able to change critical files" and/or "Only admin users are able to do critical things and Apple does everything they can to encourage users not to set up their default accounts as "admin", explaining what an admin account is and the consequences of using it in their comprehensive, well written and easily readable user manual, shipped with every copy of OS X" (*snort*), it appears that, in actual fact, a trojan can escalate itself to root pretty easily.

I've always thought OS X was more hackable than its supporters tend to say. The very fact that, until recently (like, early 2005), you could set something like this up:

1. Set up page to "redirect" to a .sit or .zip if Safari is the browser.

2. Have trojan in .zip or .sit associate itself with many common types of file, especially uncommon variants of popular files (MPEGs, for instance, seem to randomly pick whether they're Quicktime, VLC, MPlayer, or just not associated with anything, files in OS X)

3. Wait (giggling with insane glee)

Apple fixed the bug exploited in (2) above sometime in early 2005 by having the OS warn you if it was running an application for the first time. For those who are scratching their heads though: Safari, by default, opens "safe" files. This means that step one would have caused the .zip or .sit to be downloaded and extracted on the user's desktop without any user intervention. Once an application is present on a hard drive, it's already installed. In OS X (as with previous versions of Mac OS), applications include associated metadata that tells the OS "I'm an application, and I open files of types JPEG, WDOC, and CARP." If the user hasn't already associated a specific application with a specific file (because, for instance, you just downloaded it from the Internet), then opening a new file will generally cause the OS to search for applications that can open that type, pick one, and open it.

Why am I talking about an old bug? Well, this was present in Mac OS for years, and nobody did anything about it, nobody even considered it a bug until relatively recently. Despite all the crap that's leveled against Microsoft on the same subject, some justified, much not, Apple's attitude towards security is not much better.

If you can get a user to open an application, then you have some access to their machine. If root privileges are gainable from a regular account, then you have root access to their machine.

And all this time I thought you'd have to do the social engineering step of, perhaps, waiting for an application that causes the "Type in an administrator username and password" dialog to come up (perhaps Installer.app, or.. perhaps... Software Update...) and throw a dialog over it that looks identical. It's easier than I thought.

Re:Mac OS X Security Challenge (1)

Bert64 (520050) | more than 8 years ago | (#14858527)

Actually OSX has a number of UDP services open externally by default, but no TCP.

Re:Mac OS X Security Challenge (1)

noz (253073) | more than 8 years ago | (#14858552)

Be sure to deface the web server running on a system with no ports open. *grin*

Re: first thought... (0)

fshalor (133678) | more than 8 years ago | (#14858285)

"Let the flood of *I challenge you to hack me* ip posts begin...

You can start with this one: XX.XX.XXX.XXX.

(Man... I just didn't have the heart to post it. :( )

I challenge you to hack me! (2, Funny)

Demon-Xanth (100910) | more than 8 years ago | (#14858307)

My IP is 127.0.0.1. :)

Re:I challenge you to hack me! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14858385)

You sucker, that's my address!
Please ignore this address and let me live.

Re:I challenge you to hack me! (1)

byolinux (535260) | more than 8 years ago | (#14858432)

That's my IP you insensitive clod! I'm going DMCA on you.

Re: first thought... (1, Funny)

opwierde (639081) | more than 8 years ago | (#14858330)

OK, I'm game. This OS X has every port open, no firewall, so go ahead! 81.68.209.58 aka kilburn.nl

Here's one for you... (0, Offtopic)

meringuoid (568297) | more than 8 years ago | (#14858424)

127.5.240.96

Come and get it, kids...

considering (1)

minus_273 (174041) | more than 8 years ago | (#14858297)

how many local privilege elevation exploits exist, why am I not surprised. They should have mentioned it was NOT a remote exploit

you insensitiVe clod! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14858303)

Lord, save us from morons (4, Insightful)

AKAImBatman (238306) | more than 8 years ago | (#14858331)

What was this fool trying to prove? He allowed direct SSH access to the machine! Of course someone is going to hack it! Once you're inside the system, it becomes incredibly easy to find configuration mistakes and exploit holes in privileged programs. Remember, this system runs much of the same software as Linux and FreeBSD. Much of that software hasn't been properly audited and locked down. Why? Because this is a desktop machine.

Mac OS X security primarily stems from not doing anything stupid by default. Which means that there are no remote services enabled, the system tries to be intelligent about handling executable files (like most Unixes), and super-user functionality is handled by Sudo. But that's not a bullet-proof vest. There's nothing in the system that makes it automagically secure against all attacks. So if you want security, don't turn on those remote services, and don't give out SSH accounts!

Re:Lord, save us from morons (2, Informative)

AKAImBatman (238306) | more than 8 years ago | (#14858477)

BTW, in case I wasn't clear enough above, his automated webpage to create SSH accounts is here [nyud.net] . That will allow you to remotely login to his machine within minutes of entering your information. (Assuming he hasn't disabled it by now.)

The guy should feel thankful that the hacker (gwerdna) was nice enough to only deface his site rather than actually "rm -rf /" his box. (Which was what this guy was asking people to do, "if they can".) :-/

Re:Lord, save us from morons (3, Insightful)

Bogtha (906264) | more than 8 years ago | (#14858569)

Mac OS X security primarily stems from not doing anything stupid by default.

And, apparently, the assumption that you trust all of your local users. So what if most people use Macs for desktops? Plenty of people use them for servers as well, and apparently OS X isn't secure by default for them.

Even in the desktop case alone, you can't seriously consider denying local access to be enough as far as security is concerned. Decent security has multiple levels, and this is a case where one of those levels has failed in a very public way. Spinning it as "oh, but he shouldn't have done that" ignores that failure.

Local access IS important! (5, Insightful)

Chemisor (97276) | more than 8 years ago | (#14858598)

Excuse me, but if your OS can be rooted in 30 minutes from a local account, you have no business calling it secure. UNIX is supposed to have multiple local accounts and still be secure with them all running. If you close down every network port on a machine and say "come get me now", that's really not saying much. I, for one, would really like to know how he managed to get root from a local account, so I can verify I don't have the same problem on my server, which really does have ssh access to more than one person.

Re:Lord, save us from morons (1)

fireboy1919 (257783) | more than 8 years ago | (#14858622)

You seem to take it as self-evident that there should be ways to escalate privileges, and that this is to be expected. This is most of the problem that causes nightmares for Windows users, and it's not supposed to be a problem for OSX or any other form of Unix.

If I bought OSX, I'd do it so that I could have a server, and maybe give things out to other people. If all it takes is one remote exploit (such as, for instance, giving out ssh accounts) to allow any manner of local exploit, then it's not secure! Security has to happen at every level. The escalation of privileges is supposed to be one of the most highly protected things. There shouldn't be any programs running in privileged mode that haven't been audited, period.

Sure, it's going to hurt Apple's rep. But it looks like they deserve it, if separation of privileges is that bad.

Re:Lord, save us from morons (1)

prockcore (543967) | more than 8 years ago | (#14858664)

So if you want security, don't turn on those remote services, and don't give out SSH accounts!

Funny. Sourceforge gives out SSH accounts to anyone and their dog.

The whole *point* of unix permissions is to allow local users a shell account without worrying about your webtree etc.

OSX is not fit to be a server.. that's about the long and short of it.

Silly (1)

entrex (580367) | more than 8 years ago | (#14858333)

This contest would be much more relevant if the machine was remotely exploited. Few OSs in their default configuration would be able to stand up to an attacker with local access.

/ waits for *OMG NOT JOO NEWB

The only way.. (1, Funny)

PeterSomnium (954672) | more than 8 years ago | (#14858342)

To fully protect a Windows/Linux/BSD/OS X box, is to unplug the network cable.
But since that's not worth much, I suppose you can say a totally secure box isn't something from the near future.

Re:The only way.. (2, Insightful)

ArcherB (796902) | more than 8 years ago | (#14858438)

To fully protect a Windows/Linux/BSD/OS X box, is to plug out the network-cable

You forgot to lock the door and remove the keyboard, mouse and monitor.

Re:The only way.. (1)

PeterSomnium (954672) | more than 8 years ago | (#14858509)

You're totally right about that, and I also forgot to mention to switch off the power, and while you're at it, make yourself a cup of coffee!

Re:The only way.. (1)

Eccles (932) | more than 8 years ago | (#14858650)

You're missing the vital step of embedding it in cement and dumping it in an active volcano.

Security in small numbers (2, Interesting)

Opportunist (166417) | more than 8 years ago | (#14858344)

Don't feel lonely, Mac-geeks, you're in the very good company of Linux users. The benefit of your security: You're uninteresting.

Since "hacking" and all the other activities that end in "-ing" and often start with a "ph" are no longer fun pastimes for geeks but actually became a hunting ground for very money-oriented, very well-organized criminal organisations, security is in small numbers: An attack has to hit as many targets as possible. Maximize your output. And, well, if there are potentially 100 Linux boxes out there with a blatant security hole or 10.000 boxes running Windows with an obscure and hard to exploit hole, the latter will be chosen.

Not (only) because the respective users usually also employ a very different attitude towards security and because they usually have very different levels of understanding concerning the abilities and liabilities of their machines. But simply because you can hit more targets with your attack.

Plain and simple as that.

You can run the most insecure, most open system you want, as long as you're the only one using it you're safe. Unless hacking you alone already warrants the cost associated with it.

Yes, hacking has become a matter of cost/benefit calculation.

Re:Security in small numbers (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14858404)

Slashdot's editorial quality is rapidly fading. "Mac OS X Security Competition Ends in 30 Minutes" is one of the worst headlines I've seen on a site with this large a regular readership. This heading suggests the contest is still going on. I've seen numerous errors of the sort recently with unclear or irrelevant descriptions of articles, biased and bizarre pieces, and simply nonsensical headlines. The blurb even uses a clearer wording saying the competition ended "after" 30 minutes.

Will someone around here start paying attention and maintain a certain level of quality and rudimentary comprehensibility?

This is ridiculous.

Re:Security in small numbers (1)

falkryn (715775) | more than 8 years ago | (#14858405)

except for the fact that the really "interesting" boxes out there for crackers are (most?)often linux/solaris/*nix boxes. it ain't grandma jones' windows 95 compie that she plays solitaire on, it's that sunfire running oracle with the employee payroll database they'll be after.

Re:Security in small numbers (1)

lukewarmfusion (726141) | more than 8 years ago | (#14858434)

"...as long as you're the only one using it you're safe..."

Or if you have information that someone else wants. Or you've made enemies with someone who wants to cause you harm. Or if your system has common vulnerabilities that might be exploited by bots, viruses, or worms. Or...

Re:Security in small numbers (1)

Opportunist (166417) | more than 8 years ago | (#14858654)

Common vulnerabilities are exactly what you won't have if you don't have anything in common with other systems. :)

Re:Security in small numbers (1, Funny)

Anonymous Coward | more than 8 years ago | (#14858481)

Yeah, it's not like most of the Internet is running on Linux and Unix... oh wait...

Re:Security in small numbers (0)

Anonymous Coward | more than 8 years ago | (#14858538)

although this has been modded as troll, it has a very valid point, i just think the zealots are offended. linux and Macs are relatively few and far between. picture it in terms of bank robbing on a street full of banks...you have time to learn how to compromise one and then do your business on however many banks of that kind are on the street. now on this street there are 50 banks, 45 are all one kind, 5 are the bank of Mac, bank of Linux, bank of bsd, etc. now why would you even bother with the banks of Mac or Linux here, there is no profit, even if you are successful you have just wasted your time and lost. the people out to find exploits in linux and mac are mostly hobbyists, the majority of people out to do something bad are going to look at Windows because of its widespread acceptance.

that's, of course, not the only reason, but it is one of the main reasons.

people say windows is security through obscurity, but Mac has security through why bother.

disclaimer: i am a linux desktop user and i am looking forward to getting a Mac

Mac user ignorance (-1, Flamebait)

EraserMouseMan (847479) | more than 8 years ago | (#14858375)

That's the double-edged sword of user-friendliness. Stupid users can happily be productive. At the same time stupid users are still stupid. Linux users are very savvy. They'd know what security defaults to change to make their system more hacker-proof. Windows users are much less savvy. And Mac users are 99.9% blissfully ignorant.

Re:Mac user ignorance (2, Insightful)

shotfeel (235240) | more than 8 years ago | (#14858636)

Yep, cuz' we know stupid Mac users are always going around enabling SSH and giving shell accounts to total strangers.

Oh, wait, 99.9% of Mac users are blissfully ignorant of what security defaults to change to make their system more hacker-friendly.

Confused About Their Motives (3, Insightful)

RichDiesal (655968) | more than 8 years ago | (#14858383)

I'm not really sure why this competition happened in the first place. If you were a Mac OS X enthusiast wanting to show the "amazing" security of your OS, why would you leave the first major door wide open?

And who gains from this publicity? It would seem like sponsoring a hacking competition that took MORE than 30 minutes (seemingly the goal of such an event) would be good for Apple, but then why leave the system more vulnerable at the start of the contest? And if it was really sponsored by an anti-Apple group posing as a pro-Apple group, why have the hacker claim that Macs are essentially "small pickin's"?

It just doesn't make sense...

If you want a secure computer... (2, Interesting)

kidjan (844535) | more than 8 years ago | (#14858388)

...consider disconnecting your Internet connection. Duh.

The only trend to security is that there isn't any financial motivation to hack small-potatoes.

Re:If you want a secure computer... (1)

Yahweh Doesn't Exist (906833) | more than 8 years ago | (#14858494)

>...consider disconnecting your Internet connection. Duh.

you don't understand why the Mac got hacked. even disconnecting the internet does not help if you're giving people accounts on your machine, it just means only people in the same room as you can take part in the competition instead of anyone else on the internet.

if you want a secure computer without learning how to be a linux admin, then just buy a Mac and don't go out of your way to have it hacked.

local account = assumed root access (4, Interesting)

acomj (20611) | more than 8 years ago | (#14858403)

This was a while ago, but when you give a user a local account, it's almost assumed that if they really wanted to they could get root. You should take care when giving out accounts.

It's like giving physical access to a machine. If you give physical access to any linux machine, it's not hard to log onto it. (this is why you lock up the machines!)

local SSH is probably more common than we think (1)

fermion (181285) | more than 8 years ago | (#14858418)

much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.

Didn't we just have a discussion over how people leave their wireless AP open for anyone to use? I don't think the SSH agent is on by default, and I think that the firewall blocks it by default, but that doesn't mean this is always the case. Given the reality of modern setups, where cable modems and wireless give untrusted parties direct access to the computer, I hardly see this hack as having no practical implications.

Of course such contests are of no practical use. Either they end with the machine hacked, which is simply to be expected, or they end with the machine not hacked, which proves nothing.

Re:local SSH is probably more common than we think (1)

Helios1182 (629010) | more than 8 years ago | (#14858504)

Being on a cable modem puts your machine on the same network as others, but it does not give them an account on your machine. This hack would be no different than the person sitting down in front of the actual mini and logging in there. He already had some permissions on the machine and used a local exploit.

It would be like asking the Pentagon for a username on their server, because hey, it isn't root, you can't do any damage. No admin in their right mind would do it.

Stock Mac OS has never once had remote exploit! (2, Informative)

Anonymous Coward | more than 8 years ago | (#14858423)

This "30 min" contest was for people with an actual SSH account given to them for a LOCAL exploit, so it's not a remote exploit, it also is not the most secure version of the Mac OS, but for SERVERS, nothing is as secure as MacOS.

Despite many high profile web sites and servers using OS9 for many years, not one database entry in the large BugTraq database documents a remote exploit for standard Mac OS in the history of the internet, even with a common web server running on it.

Even the US Army used macs exclusively (mostly MacOS 9 until recently) after being rooted routinely using unix and MS Windows NT. For many many years www.army.mil has been run on macintoshes exclusively.

The same is true of many colleges that were rooted and defaced too often on Linux. They installed WebStar and OS 9 and never had to worry again.

http://uptime.netcraft.com/up/graph/?host=www.army.mil [netcraft.com]

http://www.google.com/search?q=army+webstar+ [google.com] "os-9"

Check it out yourself. This entire post is full of factual citations and 100% facts.

No mac in the history of the internet hosting a web server has ever been rooted or defaced remotely.

Why?

Because not one version of Mac OS has ever had a single exploitable hole ever discovered. (classic mac os now up to version 9.2.2 on currently sold g4 towers). OpenBSD has had no less than 5 holes (not one) in the default install in the last two years. Mac OS has had ZERO in over 8 years, even when paired up with its preferred web server app.

In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.

That is why the US Army gave up on MS IIS and got a Mac for a web server. Currently it is a honeypot for OSX testing, and the US Army uses regular Mac OS on other internal servers.

This post is not talking about the FreeBSD-derived MacOS X (which already has more than 50 exploits and potential exploits in the BugTraq database, and was in the news yesterday with Symantec claiming in March 2005 that OSX had remote exploits). I am talking about current Mac OS 9.x and earlier, which are highly sophisticated abstract-OS models.

Why is it hack proof? These reasons:

1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"

2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator. Additionally certain types of compilers can check range on assignments to prevent out of bounds. Furthermore many good programmers ensure that the bounds are not overwritten.

4> Macs running Webstar have the ability to only run CGI placed in the correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.

5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing, nor are there lame single 'x' executable bits! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by design of creating an executable file. The file type is not set to executable for the hacker's needs. In fact it's even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if they had them they would lack launch information. But the best part is that mac web programs and server tools do not create files with resource forks usually. TOTAL security.

6> Stack return address positioned in a safer location than some intel OSes. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run their exploit code instead. The Mac compilers usually place the return address in front or out of context of where the buffer would overrun. Much safer.

7> There are less macs, though there are huge cash prizes for cracking into a MacOS based WebStar server (typically over $10,000 US). Less macs means less hacker interest, but there are MILLIONS of macs sold, and some of the most skilled programmers are well versed in systems level mac engineering and know of the cash prizes, so it's a moot point, but perhaps macs are never kracked because there appear to be less of them. (many macs pretend they are unix and give false headers to requests to keep up the illusion, ftp http, finger, etc). But some huge high performance sites use load-balancing webstar. Regardless, no mac has ever been rooted in the history of the internet, except with a strange 3rd party tool in 1995.

8> MacOS source not available traditionally, except within apple, similar to Microsoft source only available to its summer interns and engineers, source is rare to MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reasons the MacOS has never been remotely broken into and exploited.

Sure a fool can install freeware and shareware server tools and unsecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is.

One 3rd party tool created the only known exploit backdoor in mac history and that was back in 1995 and is not, nor was, a widely used tool. I do not even know its name. From 1995 to 2005 not one macintosh web server on the internet has been broken into or defaced EVER. Other than that event ages ago in 1995, no mac web server has ever been rooted, defaced, owned, scanned, exploited, etc.

I think it's quite amusing that there are over 300 or 400 known vulnerabilities in RedHat over the years and not one MacOS 9.x or older remote exploit hack ever existed for even a moment. There are even 5 vulnerabilities in the past four years in the default install of OpenBSD! The OpenBSD marketing claim of only one hole in 9 years is not a reality. They forget about at least 2 OpenSSH server bugs, one OpenSSH client bug, and 2 DNS client bugs! And anyway nobody uses an OS in its default install, once you add apache forget it! Forget to apply the numerous OpenBSD patches and your system will be hacked; no remote exploit patches were ever needed for any version of classic (non-unix os x) mac OS ever in over 9 years.

Not one exploit. And that includes Webstar and other web servers on the Mac.

A rare set of documentation tutorials and exercises on rewriting all buffer LINUX exploits from INTEL to PowerPC was published less than a year ago. The priceless hacker tutorials were by a linux fanatic : Christopher A Shepherd, 3036 Foxhill Circle #102, Apopka, FL 32703 and he wrote the tutorials in a context against BSD-Mach Mac OSX. but all of his unix methods will find little to exploit on a traditional MacOS server.

BTW this is NOT an ad for Webstar. The recent versions of webstar sold over the last year are insecure and cannot run on Mac OS 9.x or 8.x, and only run on the repeatedly exploited MacOS X, including some webstar 5 exploits. I predict that MacOS X will have far more than the 150+ known weaknesses for exploits over the next year.

--- too bad the linux community is so stubborn that they refuse to understand that the Mac has always been the most secure OS for servers.

BugTraq concurs! As does the WWW consortium. Just use a Mac, as many colleges, military branches, and large media sites do, and many commercial airlines for their in-house security.

It's the only SECURE web server and SECURE os in internet history. It has never been broken into and this platform is one of 400 servers in use according to Netcraft, despite it costing about 400 dollars per copy.

No one should have to read 0-day exploit email lists every hour just to keep a server running. Nowadays "black hats" have goodies for 44 days to 6 months before large corporations respond with patches and reveal defects to the public.

A trusty install of Mac OS 9 never ever needs patching. BugTraq concurs.

Don't proof anything (1)

michelcultivo (524114) | more than 8 years ago | (#14858436)

This hacking contest doesn't prove anything about security; I saw that the user didn't apply the recommended guidelines to secure a system. This contest would be more fun if it were with an OpenBSD system installed by default.

RTFM guys... (2, Informative)

d3ac0n (715594) | more than 8 years ago | (#14858448)

Before the Mac-o-philes here start getting all bent out of shape, perhaps reading the article in question would be a good start...

Here's a salient quote:

"The rm-my-mac challenge was setup similar to how you would have a Mac acting as a server -- with various remote services running and local access to users... There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.

"There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches -- good examples for Linux are the PaX patch and the grsecurity patches. They provide numerous hardening options on the system, and implement non-executable memory, which prevent memory based corruption exploits," said gwerdna.

Bad anagram for a name or not, the guy sounds like he knows what he is talking about. There is a link to another article as well that talks about Apple's lack of diligence on security issues. Here's a link:
http://zdnet.com.au/news/security/soa/Ancient_flaws_leave_OS_X_vulnerable_/0,2000061744,39234678,00.htm [zdnet.com.au]

The point is that Security is everybody's business, and no company can afford to slack. Not even the lily-white Apple is immune.

Re:RTFM guys... (1)

Urza9814 (883915) | more than 8 years ago | (#14858581)

See...to me...he sounded like a script kiddie.
"Nothing they could've done would have stopped the 1337 xploits I used!!!1!1"

Doors unlocked, windows open (5, Funny)

Dekortage (697532) | more than 8 years ago | (#14858497)

So SSH was on and accessible? Dumb move. Like saying "I dare you to steal my jewelry from my bedroom -- oh, and my house is unlocked with the windows open."

But maybe people WANT something to be stolen. Many years ago, the garbagemen (sanitation workers) in NYC went on strike, and garbage was piling up in the streets. A relative of mine in Brooklyn still managed to get rid of his: he put it in big boxes, wrapped the boxes in gift paper with bows, and left them in his car with the doors unlocked. They always got stolen.

How this applies to the story, I dunno, but I still think it's funny.

This one time at band camp (1, Funny)

The evil non-flying (947059) | more than 8 years ago | (#14858510)

A lot of hoopla and it's over in a very short period of time. Kinda reminds me of the first time I had sex. Note: to most slashdot users, this sex thing I refer to is like compiling a kernel on Gentoo using -O3 and having it be stable.

andrewg = gwerdna (3, Informative)

numacra (805808) | more than 8 years ago | (#14858540)

Andrewg does know what he's talking about. andrewg has published papers (not on mac security) and is part of some wonderful communities pulltheplug.org [pulltheplug.org] and felinemenace.org [felinemenace.org] . I assure you that this machine would have been hacked... with SSH access or not. I think it shows the importance of having patches that minimize possible exposure (i.e grsec/pax etc) that would have decreased the chances of successful exploitation dramatically.... but then again nothing is bullet proof

Start your biased counters now... (2, Insightful)

JustASlashDotGuy (905444) | more than 8 years ago | (#14858592)


Want to have some fun? Count how many posts show up that try to make excuses
for the Mac. Man, if this were a windows box, I assure you that 99% of
the posts would be slamming MS w/o a second thought.

Although people want to point out that they shouldn't have allowed people to
have a SSH connection, you need to keep in mind that an SSH connection was
allowed because they thought the config was secure enough to handle it.

I do give them kudos for allowing the hack contest to take place. The best
way to test your software is to allow others to try and break it. Hopefully
they will fix the exploit and run the contest again.

Re:Start your biased counters now... (0)

Anonymous Coward | more than 8 years ago | (#14858665)

Agreed. Elevation exploits are nasty little critters and are as important to crush as external vulnerabilities, IMO. They are flaws in the security model which bypass the mechanisms the model uses to keep the system 'secure' in the first place. What this really means is, if I don't know you, then you don't get an account on my machine. And if you want remote access, you are gonna have to get an SSH client that can use /encrypted/ RSA keys to authorize yourself (so it is still a something-you-know + something-you-have system). Oh, and you will have to deliver the public key in person as well. USB flash drives work nicely for this.
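The policy the comment above describes (keys only, no passwords, root never logs in directly) is easy to state and easy to get wrong in `sshd_config`, where sshd honours the first occurrence of each keyword and silently defaults the ones you forgot. The shell functions below are an added example written for this thread, not code from any poster; they assume OpenSSH keyword names, a config file without `Match` blocks, and the constructed sample files the test writes. The check extends the comment's list slightly by also rejecting challenge-response logins, which would otherwise let a password be typed at the keyboard-interactive prompt.

```shell
# Added example, not from the thread: audit an sshd_config for key-only access.
# Assumes OpenSSH keyword names; Match blocks are not handled.

# sshd_option FILE KEYWORD DEFAULT: print the value of KEYWORD as sshd would
# see it (first non-comment occurrence wins, keyword is case-insensitive),
# or DEFAULT when the keyword is absent. Values are lower-cased for comparison.
sshd_option() {
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$3"
    fi
}

# check_sshd_config FILE: return 0 when the file enforces public-key-only,
# non-root logins; otherwise print each weak setting and return 1.
# The DEFAULT arguments are the values sshd uses when a keyword is missing,
# so an omitted line is treated as the insecure default it really is.
check_sshd_config() {
    f="$1"
    rc=0
    if [ "$(sshd_option "$f" PasswordAuthentication yes)" != "no" ]; then
        echo "PasswordAuthentication should be no"; rc=1
    fi
    if [ "$(sshd_option "$f" ChallengeResponseAuthentication yes)" != "no" ]; then
        echo "ChallengeResponseAuthentication should be no"; rc=1
    fi
    if [ "$(sshd_option "$f" PubkeyAuthentication yes)" != "yes" ]; then
        echo "PubkeyAuthentication should be yes"; rc=1
    fi
    if [ "$(sshd_option "$f" PermitRootLogin yes)" != "no" ]; then
        echo "PermitRootLogin should be no"; rc=1
    fi
    return $rc
}
```

Run `check_sshd_config /etc/sshd_config` (path varies by system) before enabling Remote Login; the client side of the same policy is a key generated with a passphrase, for example `ssh-keygen -t rsa -N 'your passphrase'`, so that the private key file alone is not enough to log in.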

This was of very little worth (2, Funny)

shatfield (199969) | more than 8 years ago | (#14858605)

The first thing that I'm going to do as a "normal user" is turn on SSH and Personal Web Sharing. Then I'm going to give anyone who wants access to my machine an SSH account.

This "test" was silly and unrealistic, at best.

Here's a "real" test:
1) Turn on brand new Mac Mini
2) Update to latest rev of OS
3) Try to hack it from the Internet, without knowing its IP address.

Good frackin' luck!

Why so many apologists? (2, Insightful)

Jack Johnson (836341) | more than 8 years ago | (#14858626)

This is hardly irrelevant.

I'm disturbed by the attitude that anything but a remote exploit against an ideally (not typically or justifiably) configured box is meaningless or misleading.

What good is a door if it's welded shut? Wouldn't a proper lock be more useful?

Security should be about maximizing functionality securely, not limiting it.
