Comments: ThreatWatch - the Mac gets hacked

At 19:49 +0000 7/3/06, iang@iang.org wrote:


>>More substantial evidence that Mac OS X has a real problem with
>>security has surfaced. In the interests of fairness and seeing my own
>>predictions bite the dust, here's the news:
>>
>>http://www.zdnet.com.au/news/security/soa/Mac_OS_X_hacked_under_30_minutes/0,2000061744,39241748,00.htm


This was not a remote hack - it was from a local account, set up by the
'cracker' on an open access machine using LDAP for authentication at the
owner's behest. i.e. the owner lets anyone set up an account on the system
themselves so it is hardly yer regular Mac out of a box.

A couple of comments from another mailing list in UK Academia

--

A guy at the University of Wisconsin is describing that ZDnet article as
'woefully misleading' and has set up his own hack challenge at
http://test.doit.wisc.edu/

From the site:
The ZDnet article, and almost all of the coverage of it, failed to
mention a very critical point: anyone who wished it was given a local
account on the machine (which could be accessed via ssh). Yes, there are
local privilege escalation vulnerabilities; likely some that are
"unpublished". But this machine was not hacked from the outside just by
being on the Internet. It was hacked from within, by someone who was
allowed to have a local account on the box. That is a huge distinction.

--

MacFixit goes even further...

Mac OS X hacked in under 30 minutes? Think again.

A highly questionable article on ZDNet claims that "Mac OS X was
hacked in under 30 minutes," in a Swedish contest. The article fails
to mention, however, that the Mac OS X system that was "hacked" had
an LDAP server setup which was linked to the Mac's naming and
authentication services, to let people add their own account on the
machine. So the contest allowed the user to create their own account
and local SSH access -- a precarious set-up to say the least.

--

and a couple of articles elsewhere:

http://www.macfixit.com/article.php?story=20060307084711743
url will require registration when it moves to Archived status in a couple
of days

Mac security challenges

SecurityFocus notes a flawed contest we reported on
yesterday (where a Mac OS X system was allegedly hacked in thirty minutes)
which became the focus of controversy because it originally neglected to
mention that every attacker had been given an account on the system, making
the contest much easier than originally portrayed, critics maintained, and
reports on a new contest: "Later Monday, David Schroeder, senior Apple
systems engineer for the University of Wisconsin's IT Department, set up
his own contest inviting security researchers and hackers to attempt to
breach a Mac with open SSH and HTML ports and two user accounts. A critic
of the original contest, Schroeder stressed that his challenge is more
fair, but that most users will not likely even have those ports open." More.

&

http://www.securityfocus.com/brief/158
Referenced in the Macfixit news item.

Contests challenge Mac OS X security
Published: 2006-03-07

The security of Apple Computer's operating system remained a topic of
controversy this week, as one Mac hacking challenge got the thumbs down for
being too easy, spurring an Apple expert to kick off a more balanced
contest.

In an article published on Monday, News.com reported that a contestant in a
Mac OS X hacking challenge had breached the test system in 30 minutes. The
article quickly became the focus of controversy because it originally
neglected to mention that every attacker had been given an account on the
system, making the contest much easier than originally portrayed, critics
maintained.

Later Monday, David Schroeder, senior Apple systems engineer for the
University of Wisconsin's IT Department, set up his own contest inviting
security researchers and hackers to attempt to breach a Mac with open SSH
and HTML ports and two user accounts. A critic of the original contest,
Schroeder stressed that his challenge is more fair, but that most users
will not likely even have those ports open.

"Mac OS X is not invulnerable--it, like any other operating system, has
security deficiencies in various aspects of the software," Schroeder wrote.
"However, the general architecture and design philosophy of Mac OS X, in
addition to usage of open source components for most network-accessible
services that receive intense peer scrutiny from the community, make Mac OS
X a very secure operating system."

Flaw finders have focused on Apple's Mac OS X operating system in recent
years, and while Mac users argue that the system is more secure than
Microsoft's Windows XP, the operating system's security is under scrutiny
because of recent attempts to create malicious code for the platform.

& finally a clarification in the original story

http://news.com.com/2100-1002_3-6046197.html#clarification

--

Of course this is not to say that Apple couldn't do a better job regarding
patching holes etc & interacting with the community, but they are better
than SUN, HP et al used to be when they released *nix clones 10+ years
ago full of holes....

Posted by f at March 17, 2006 06:30 AM

FYI U of Wash is claiming the article is bogus... and have issued their own challenge... (see digg.com/slashdot.org etc)

Posted by Duane at March 17, 2006 06:32 AM

http://news.com.com/University+nixes+Mac+hacker+contest/2100-7349_3-6047735.html

By Joris Evers
Staff Writer, CNET News.com
March 8, 2006

A Mac OS X hacker challenge apparently got a systems engineer at the
University of Wisconsin-Madison into trouble with university
administrators.

Dave Schroeder on Monday invited hackers to break into a Mac Mini he
attached to the university network. The challenge would last until
Friday, he announced. The contest was in response to an earlier
challenge, which Schroeder criticized as too easy.

But the event ended early--Tuesday night. On Wednesday, information
emerged that the contest had drawn the scrutiny of the university's
chief information officer, Annie Stunden.

"The Mac OS X 'challenge' was not an activity authorized by the
UW-Madison," Brian Rust, a university spokesman, said in an e-mailed
statement. "Once the test came to the attention of our CIO, she ended
it...Our primary concern is for security and network access for UW
services."

The same statement also appeared on Schroeder's challenge Web site
Wednesday afternoon. "Dave was well-meaning, but he did the test
pretty much on his own," Rust said in a phone interview.

Universities are often the target of cyberattacks. The academic
institutions face the challenge of balancing the need to share
information on large networks with the need to secure data.

The Mac OS X contest ended without a negative impact on the University
of Wisconsin-Madison's network, Rust said. "We were able to handle the
traffic, and there were no compromises to university systems," he
said. The university apologized for any inconvenience its action
caused to the Mac community.

The university is distancing itself from the challenge. "If Dave wants
to continue this test, he has to do that privately, not using
university systems," Rust said.

Schroeder had said he wants to publish some details on the attempts
that were made to hack his Mac. The computer was connected to the Net
for more than 30 hours, apparently without being compromised. In the
earlier challenge, an anonymous hacker claimed he was able to
compromise OS X within 30 minutes using an undisclosed vulnerability.
However, attackers in that case had been given user-level access to
the system rather than being shut out completely.

These hacker challenges came after weeks of scrutiny of the safety of
OS X, prompted by the discovery of two worms, and the disclosure of a
serious vulnerability. Security experts are also questioning the
effectiveness of Apple's latest patch.

Posted by f at March 17, 2006 06:44 AM

>>Ah. You have to have a shell account on there in the first place. That's
>>different. To counterbalance that, CS news reports:
>>"In response to the woefully misleading ZDnet article, 'Mac OS X hacked
>>under 30 minutes', the academic Mac OS X Security Challenge has been
>>launched. The ZDnet article, and almost all of the coverage of it, failed
>>to mention a very critical point: anyone who wished it was given a local
>>account on the machine (which could be accessed via ssh). The challenge is
>>as follows: simply alter the web page on this machine, test.doit.wisc.edu.
>>The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security
>>Update 2006-001, has two local accounts, and has ssh and http open - a lot
>>more than most Mac OS X machines will ever have open."


Actually although none of the services are not running - the firewall is shipping as open.

Verified recently on

10.4.3 OSX retail
10.4.4 OSX on a MacTel iMac
10.4.x OSX on a PPC iMac
10.4.3 OSX on PPC G4 PB 15"
10.4.3 OSX Quad G5

All since 12/05

Now where is my OpenBSD paid for CD... which is actually the only OS cd I have bought - the rest have come from the Apple Dev Connection or new machines...

Posted by f at March 18, 2006 05:36 AM