Bullshit argument. Of course you should offer at least one or two services.
Remember Defcon 9? They couldn't even hack an OpenVMS system with telnet shell access, httpd, ftp and an admin account! Talking about security!
Of course you can't upgrade your Apple to OpenVMS, instead upgrade to OpenBSD - yes you can!
However, OS X is generally used as a desktop OS and not as a Server. Most real world systems don't have any services turned on by default and many are behind NAT routers. This *mimics* (it's already more wide open than most OS X systems) the real situations better.
OpenBSD would be a fine choice for a server, but I don't think people are purchasing Macs to use them as servers.
All Xserves we are selling are running macosX, if they would not run macosX, why even sell them a Mac???
Having ssh and httpd is VERY common on servers. Or at least httpd, ssh could be set up in a secure way by using vpn or something, but it is pretty common with servers accepting ssh for their users.
RE[5]: argument makes no sense
In order to make things fair then, when testing Windows the Remote Desktop Server and IIS software should be left running right? In which case you're not really testing the security of the operating system, but the software running on it IMO.
No OS fares well under such conditions, whether it takes someone 10 minutes or an hour to break in really isn't even remotely a measure of how secure any of my boxes were yesterday, are today, and will be tomorrow. As for people who still associate computers with magic, if they care about security they should have someone who knows what they're doing install a hardware firewall between their modem and any computers (routers are great for this and provide other good features too) and they should have some kind of automated AV update and scan depending on the OS.
So really, security benchmarks are for the most part useless marketing ploys. Does everyone agree?
Indeed, nmap reveals that ssh and http are open:
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-03-06 18:33 EST
Interesting ports on test.doit.wisc.edu (128.104.16.150):
(The 1659 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
427/tcp closed svrloc
443/tcp closed https
Nmap finished: 1 IP address (1 host up) scanned in 35.609 seconds
'"It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet Australia.
According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.'
That's not misleading at all, he got root via unpublished local vulns. That's still insecurity, why isn't anyone jumping on Apple to step up the security process? Why are so many people quick to defend Apple, when there's a good amount of evidence security researchers are picking OSX (and its open source subcomponents) apart?
Edited 2006-03-06 23:04
Because it has not been proven that this is a true story!
It's prob about as real as weapons of mass destruction in Iraq. They could be there and people said they were there but NO one has proven it yet! But people were sure hooked when Powell went to the UN though and said they were there!
Same thing (Although much less serious) some guy says he did XYZ but yet no one is showing how it was done? The person won’t even give a credible name! Come on you must be kidding!
Until the facts show themselves, there is nothing to show that someone has hacked a current Mac, patched 100% in 30 min.
"Why are so many people quick to defend Apple, when there's a good amount of evidence security researchers are picking OSX (and it's open source subcomponents) apart?"
Do you know anyone who has gotten a Worm in OSX or a Virus or hacked? I doubt it.
I'm still waiting... People have been saying that about Linux, Unix, BSDs, Mac OS etc for ever and a day. Linux is growing by leaps and bounds, shoot companies like Google run their whole business on Linux and BSD.
Hmmm, when is the last time you heard of Google having to go to an outside company like Akamai to protect their network? Oh that's right, Akamai uses all Linux all over the world also.
The internet is run by Unix type OS's not Windows. And the internet keeps humming along. Yes, you will have a few unpatched machines here and there that will get taken down. But I am still waiting for all the Linux and BSD web hosters like Yahoo to get taken down, waiting for the University of VA's Apple supercomputer to get taken down. (It faces the net)
Yet NONE of this has happened. None.
You missed the point.
The point was that Apple apologists are aplenty, and they're living up in the clouds. With every security issue raised about OS X, they have a cheap explanation.
The truth of the matter is that OS X got *owned*, regardless of how. I feel pretty confident about my Mac Mini/iBook setups, but I'm not blindly faithful -- I still keep tabs on the latest security patches, and I don't let anyone touch my Mac either locally or remotely.
I didn't miss the point. My point was please show me where Mac OS got "Owned" ??? I am not seeing it. If you take this story with nooooo proof as law then I guess you are right.
I can say I hacked norad and if I can get someone to reprint the story I guess that makes me true to my word also. LOL!
The "GUY" ??? LOL! Are you on crack? Who is this guy, does anyone know him, are there any other witnesses like on this forum tonight?
I mean did you even look at what you wrote "The Guy" Didn't even put "The Guy"'s name. LOL!
Oh yea this same guy broke into my VAX machine tonight in under 30 minutes. LOL! Now I guess I can be the guy also. I will get my cousin to come on and be the hacker guy and use a cool undercover name like "supercrack" and say yea he hit my Vax machine hard! LOL!
Come on how gullible can people be. LOL!
Ummmm, Akamai handles 4 of MS's 8 DNS servers!
Also : http://www.crn.com/sections/breakingnews/dailyarchives.jhtml;jsessi...
"Akamai runs a service to help boost Web site performance by caching copies of Web sites on many servers in many locations. Akamai can help defend against denial-of-service attacks by spreading the attack among many servers. Just as a distributed denial-of-service attack enlists large numbers of systems to attack a single server, Akamai presents a distributed defense against denial-of-service attacks."
Sounds like network protection to me. But maybe I can't read.
Come on it's just the same as Microsoft using several parts of BSD in Windows, like Telnet, the FTP client, the IP stack etc. It's well known, old news!
Edited 2006-03-07 00:18
You do realize that Akamai isn't a company you hire to "protect" your network. It's a global caching service that allows a company to provide fast, streaming content regionally without having to establish their own satellite DC's in those regions.
You also seem quite misinformed about how corporate level networks are setup, let alone how someone would find vulnerabilities within a software package let alone exploit them.
So, fanboy, go talk on slashdot.
You are right it must be patched but people are saying that it is not a realistic test and it's not. Also people are running all kinds of scripts with cron as root that may write files that are all security risks; when I have a local account even I can do some damage to a lot of machines and I am no security expert and no hacker, I am a simple system administrator. You have to be always alert, you have to always keep security as tight as possible, only allowing ssh from some IPs for example, inspecting logs, ...... that is true for all operating systems, also for os-x.
"Why are so many people quick to defend Apple, when there's a good amount of evidence security researchers are picking OSX"
I remember the first editions of OSX where one could take ‘root’ and take down the kernel with simple commands (http://www.google.co.uk/search?hl=en&safe=off&q=osx+privilege+escal...).
Despite this there are many in the apple community continually promoting the idea that OS X is practically invulnerable.
Edited 2006-03-06 23:31
Wow, I remember when there were viruses in Dos? LOL!
Question is, can you do that now? You for sure can do that in Windows. There is no question about it. Almost ALL windows workstations run with the "root" admin account as the current user. No work there.
You can rootkit the heck out of Windows machines and 99% people out there would not even know and would never find out.
Show me where someone can take root and take the Kernel down with a simple command. Shoot I will put my own Mac up for that challenge!
You truly are delusional. Rootkits exist for Unix/Linux/OSX just as well as they exist for Windows. If you're in the right circles, you'll have easy access to them.
Also, the point of a rootkit is to make detection difficult if not impossible in some situations. The same, surprise surprise, can happen in Unix. In fact, rootkits existed on Unix before Windows. Hmm.
So to your final point, if I'm in user mode in Windows XP (which I am) show me the simple command to take root and take down the kernel. Other than Ctrl+Alt+Del which doesn't give you root access.
The guy was given "local" access through SSH.
What validates THIS challenge, is that you are NOT handed a local account. Therefore, you do not have a local account to work your way from the inside out.
Not because I want to "validate" the original claims, but I too would like them to offer up some real proof and methods of attack. What vulnerabilities were actually used.
The reason everyone is defending Apple in this matter is the same reason people defend the *nixs and BSDs, this was done using local (ssh accounts are considered local not remote, for those who do not know) exploits and not remote vulnerabilities.
JRM7
I am amazed at the number of Mac zealots who want to plug their ears, cover their eyes, and insist that all talk of exploits in Mac OS X is lies, despite the claims of reputable computer security researchers to the contrary.
Yes, it is true that this was not a remote exploit. But privilege escalation is half of what you need for a remote exploit: if you can trick an ordinary user into executing arbitrary code, and that arbitrary code has a root exploit, the remote attacker gets root.
If I were a paying Apple customer, I would lean on the people I'm paying money to to do a better job of patching the already-known exploits. Remember, the bottom layer of MacOS X (Darwin) is available in source form for the black hats to inspect; Mac users need to be just as careful as everyone else to keep their patches up to date.
There are real architectural reasons for better safety on Unix-like systems, but it is no excuse for complacency.
Umm...the article is about a challenge to hack Mac OS X because of an article that said it can be done in 30 minutes.
The discussion of Akamai and Microsoft is totally irrelevant. Though I personally find it interesting, it is completely off topic.
Can we return to the issue at hand?
BTW - As someone else pointed out, the Mac OS X challenge web site is still running. If OS X is so easy to break into, then why is a web site challenging the public to hack it still up? It's been several hours since the challenge was made. I thought OS X could be hijacked in 30 minutes. If that is the case, why is the page still up?!
The problem I see with this is that, when it doesn't get hacked, too many people will rejoice and once again claim that os x is invulnerable.
But they're testing such a small part of it here. If you're going to talk about desktop machines then you have to acknowledge that most exploits will involve something other than just opening ports to fairly secure applications. Frequently it will involve getting the user to accept some form of data, getting the exploit code in just far enough to open a much wider range of code to attack. Things like the viewing of maliciously crafted files (to use a nice media term). This new challenge simply doesn't acknowledge those attack angles.
While the recent 30-minute exploitation was portrayed in entirely the wrong way by zdnet, it does highlight a critical problem: all these claims about how not running as root is more secure are a little weak. Compromise the user account and you're in the same situation as the rm-my-mac exploit (the attacker is going to get root). Don't compromise the user account and point not running as root doesn't even come into play.
I'm not saying it's pointless to restrict the default user account, just that the presence of privilege escalation holes is still a very serious thing for a desktop machine.
hmmm... so, basically, if you can gain a local account on a Mac, then you can hack it.... just like all the Unix type systems out there.
Yeah, that's exactly what I'm saying, except it's not supposed to be so easy on all the unix type systems out there. I have access to at least one system with several thousand users running solaris. I'm not a cracker so I don't know how easy it would be to get root but I don't think the admins would consider using os x for this machine for one second.
piece of cake.... I will just call up the sysadmin and ask for a local account.... oh wait.
Or you could use some other exploit to gain access to a local account. People have never claimed that wasn't possible, only that the damage done would be minimized due to the lack of root access. This proved that once you get a local account, not running as root doesn't matter.
So basically people don't want to believe that you can't crack a MacOSX machine that has ssh and http services available? That's ridiculous! Many many people including me run a MacOSX server with http and ssh, iChat, IMAP, POP3 services available to the outside world yet nothing extraordinary happens. You people, just subscribe to macos-x-server list to get the proof. Local account is one thing, open ports are quite another.
I respect ZDnet test and this test.
However, those kinds of tests are progressively losing significance.
Now we have fairly secure OSes, widely and extensively tested and fairly simple to manage, we have secure crypto primitives with provable security and robust protocols based on them.
Real pain now comes from other things.
Applications:
even if built and run on a secure framework, a custom application is more subject to bias, bugs, security misconceptions etc than an OS or a protocol that's much more extensively tested and examined. Simply, there is no easy way to make a non-trivial application x that's used and tested by 100 end users as secure as application (or system, or protocol) y that is used and tested by 100 million users, even if real testers would just be 100 thousand.
Here, just a couple of cases where best systems + good programmers + good admins == quite a mess:
http://www.theregister.co.uk/2005/07/06/usc_site_cracked/
http://www-tech.mit.edu/V124/N20/20ssn.20n.html
Consumer electronics security, c.e. users:
what's the point of having super-duper strong encryption, or a bug-free, absolutely secure operating system on a PC, a machine that's not built for top secret level security and is usually not managed to even fairly good security?
Circuits are not shielded and some really good opponent can bypass any of your countermeasures by reading the EM radiated from your machine, from CPU to monitor, with TEMPEST equipment.
Or someone may tamper with your machine, as credit card readers and ATMs are tampered with, in order to bypass anything you are supposing to do to secure your data.
Or simply most people will choose guessable or easy to bruteforce passwords, or leave sensitive data on non-encrypted media, or even don't care about anything.
IMHO, security at OS level will progressively become a PRErequisite for security rather than a subject of security analysis itself.
Well, now, here's CNet's latest Apple security warning:
http://news.com.com/Mac+OS+X+patch+faces+scrutiny/2100-1002_3-60465...
Is it another Chicken Little scenario or is it a cause for concern?
If I'm reading it correctly (and I'm not an OS X user so I'm not entirely familiar with the workings of the OS, and my gf refuses to let me "experiment" with her powerbook), then the flaw with file content issue wasn't actually repaired, Apple only put a stop gap into their own net apps like Safari and iChat. But since the flaw still exists at the OS level, if users of something like firefox are tricked into downloading a masqueraded file they could still wind up with a nasty payload, one that could theoretically be combined with a privilege escalation vulnerability and cause some serious grief.
Yes, yes, I know, Mac users know better than to click on links, right? So yes, I know, why worry about such a trivial flaw existing, right?
If I was a Mac user and reading between the lines, this is the quote that would concern me:
However, with its security update for Safari, Mail and iChat, Apple believes it cut off access for such Trojans. "The tools most people use (now) have built-in validation for things before they even get to the desktop," Schiller (Michael Schiller, Sr VP for Worldwide Product Marketing, Apple) said. "The point of where people get the file is often through the browser and mail and instant messaging."
So basically, they don't need to worry about the flaw existing in a core OS component because they believe they can block it at the application level. Assuming you only use their applications to access the net.
To reinforce that:
"If the method we use works for most people most of the time and some people use some other tools and would like to have some more support for validation, we think that's good feedback we'll consider for the future," he said. "We always try to make this better and stronger."
Huh? If this method works for most of our customers using our own apps, we'll consider building this security into the OS to protect users of other applications.
And one more:
This vulnerability has actually existed for years in Mac OS, Long said. If attackers really were targeting Mac users, numerous examples of malicious code taking advantage of the flaw would be in circulation. "In fact, that is not the case," he said. "While it can be a factor in a system being compromised, this vulnerability by itself does not justify panic."
So again, the argument, is OS X secure because it can't be compromised or secure because nobody's really made a serious effort to compromise it?
Yes, Apple is based on BSD and uses well proven OSS tools like OpenSSH and Apache for network services. I won't argue that properly deployed, an OS X system is fairly secure. In the context of this example, I doubt the machine will get compromised but I don't think it proves anything.
Can you be as confident that those parts of the OS that are not "proven" OSS technologies, all those little proprietary bits built on top of it, are just as secure? I guess time will tell, but the fact is that Apple has yet to face a serious security breach with OS X and only then, by their reaction, will you be able to judge how seriously they're taking platform security.
Security is a mindset; ignoring vulnerabilities because you can't envision an obvious attack vector ("Oh sure it was compromised, but it was done over SSH using a local account, so what do you expect?" Huh? That's ok, then?) isn't appropriate, you need to assume vulnerabilities CAN and WILL be exploited by attack vectors you may not have yet anticipated. You don't just reduce the vectors, you reduce the vulnerabilities themselves.
Remember macro viruses in Office? Back then, did anybody anticipate opening a word file in Windows could launch a covert virus attack against everyone in your address book? Hindsight is 20/20 and we can argue now that was simply poor design on Microsoft's part, but at the same time there didn't exist precedent to believe that two unrelated desktop components would be linked and compromised so effectively. Microsoft took a long time to learn that lesson the hard way, if they truly have yet. Apple should and must do better. There's only so much an OS can do to secure the apps running on top of it, but it should still do whatever it can.
We can argue all day long about the nature of OS X security, and certainly much of it is academic for now, but remember that denial ain't just a river in Egypt.
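As an added defensive illustration (not code from the thread, from Apple, or from the CNet article): a simplified content-versus-extension check of the kind of "validation before things get to the desktop" that the quotes above describe, run over constructed sample downloads. The signature table, the extension map and the sample files are assumptions made for this example.

```python
# Added example: detect a download whose bytes do not match what its
# filename claims (e.g. a binary renamed to look like a photo).
# The signature table and samples are constructed for this example.

SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"#!", "script"),               # shebang: shell or other interpreter
    (b"\xfe\xed\xfa\xce", "macho"),  # Mach-O 32-bit
    (b"\xce\xfa\xed\xfe", "macho"),  # Mach-O 32-bit, byte-swapped
    (b"\xfe\xed\xfa\xcf", "macho"),  # Mach-O 64-bit
    (b"\xcf\xfa\xed\xfe", "macho"),  # Mach-O 64-bit, byte-swapped
    (b"\xca\xfe\xba\xbe", "macho"),  # universal (fat) binary
]

EXTENSION_TYPES = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf",
    "sh": "script", "command": "script",
}

EXECUTABLE_TYPES = {"macho", "script"}


def sniff_type(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify_download(filename: str, data: bytes) -> dict:
    """Compare the type the filename claims with the type the bytes show."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_TYPES.get(ext, "unknown")
    actual = sniff_type(data)
    # A known extension whose bytes say something else is a masquerade.
    mismatch = claimed != "unknown" and actual != claimed
    # Anything executable that did not announce itself as such is held back.
    hidden_exec = actual in EXECUTABLE_TYPES and claimed not in EXECUTABLE_TYPES
    return {"claimed": claimed, "actual": actual,
            "mismatch": mismatch, "quarantine": mismatch or hidden_exec}


# Constructed samples: a genuine JPEG header, a universal binary renamed
# to look like a photo, and a shell script with no extension at all.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
FAKE_JPEG = b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\x00" * 8
BARE_SCRIPT = b"#!/bin/sh\necho constructed sample\n"

if __name__ == "__main__":
    for name, blob in [("vacation.jpg", REAL_JPEG),
                       ("vacation.jpg", FAKE_JPEG),
                       ("readme", BARE_SCRIPT)]:
        print(name, classify_download(name, blob))
```

The check only looks at leading bytes, so it is a first filter, not a substitute for the platform-level validation the thread is asking for.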