Submitted by Here are the results of the challenge launched by the Unversity of Wisconsin to test OS X against hacking. “The response has been very strong; traffic to the host spiked at over 30 Mbps. Most of the traffic, aside from casual web visitors, was web exploit scripts, ssh dictionary attacks, and scanning tools such as Nessus. The machine was under intermittent DoS attacks. During the two brief periods of denial of service, the host remained up. The test machine was a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, had two local accounts, and had ssh and http open with their default configurations. There were no successful access attempts during the 38 hour duration of the test period.”
Where’s that lil’Hacker boy now? I’d think he’d like this challenge. Maybe he tried. Maybe he didn’t. Enquiring minds want to know.
Jb
That “lil’Hacker boy” used unpublished local exploits to gain root with a luser local account. All this test proves is OSX’s remote security/stability, still doesn’t address the fact that there’s unpublished/unknown/unpatched local vulns floating around.
Security is not about “fronting off”.
… why take it down? I think the test period has been a little too brief. If they kept it running, it could provide a nice security testbed, couldn’t it?
Well, considering that a XP box can’t be installed exposed to the net without being filled with crap this does prove the authors point. That MacOS X is a secure operating system. But it would be nice if they left it online until it was compromised.
Edited 2006-03-08 14:10
No, SP2 updated would probably pass this test also. SP1 with no firewall would not.
And Windows XP has the same relative security when sitting on the internet as long as its fully patched and updated, as the OSX box was. Now, browsing websites in IE vs. Safari is a different story but we’re talking about a box sitting on the internet, in the open.
Well being that a couple of days ago everyone was saying that MACs could be hacked in 30 minutes I think the point has been proven that the story was a hoax
Well being that a couple of days ago everyone was saying that MACs could be hacked in 30 minutes I think the point has been proven that the story was a hoax.
Why? Scientifically speaking, this test does not disprove that story at all. It makes it just a tad bit less likely– but not a hoax.
the thing that does make the 30 minute story look like a hoax is the complete lack of evidence and methodology presented in the story.
The original story it’s self was not scientific at all, it was just a story that got picked up on by a Microsoft friendly news source.
In reality anyone who invites people to come hack their Mac would be more scientific then the original story.
No, what this proves is that the previous testing of having a mac with local shell accounts avalible for anyone can be considered a “bad idea.” The new test doesnt really prove anything
Yes, it would be a good long-term test. However I don’t think they can afford the bandwidth
That was exactly my thoughts too. The hackii6.com site was running their contest for about 5 weeks or so. It would be interesting to see the Mac stay up for a 2 week or 3 week period. Dedicate a domain to it, call it HackMac.com or some other catchy title.
I just ran an old Windows 98 laptop and connected it to the internet for a day, and it didn’t get hacked. Does that now mean that Win 98 is unhackable?
Why dont you do it again, this time launch your IP on public websites with the challange. The only way that box wouldnt get backed is because it blue screened before it had the chance.
Instead of puttig your foot in your mouth, why dont you make it happen?
BTW: the mac mini had SSH & http servers running WITHOUT it’s firewall turned on.
Idiot.
woah, calm down.
Um, this test DID have the OSX firewall running. He was just leaving the SSH and HTTP ports open. This is the key line: “# The ipfw log grew at 40MB/hour and contains 6 million events logged.” Thats the log for the firewall.
No need to be insulting. I didn’t know that making a joke about this (IMO) poorly done test was like molesting your grandma to you. And no, it didn’t bluescreen, it just sat there, being all Win98ish and useless.
Did you also get half a million visits, like the Mac Mini did?
I just ran an old Windows 98 laptop and connected it to the internet for a day, and it didn’t get hacked. Does that now mean that Win 98 is unhackable?
Did you publish it’s address on OSNews and every major tech blog and news outlet, inviting hackers to try to break it? No. So it’s not remotely the same thing.
“Did you publish it’s address on OSNews and every major tech blog and news outlet, inviting hackers to try to break it? No. So it’s not remotely the same thing.”
If the hackers were really good, I wouldn’t need to.
Seriously, what I said was a joke. It’s funny how people have taken it. To clarify: I think the test period was too short. Even hackers have jobs to go to, and maybe the good ones were busy that day.
nothing is really secure these days. I formated my 2 computers the other day: the workstation running Window$ and my PowerBook with mac os X 10.4.5.Once I configured on them the internet connection, within 2 mins I’m receiving all sorts of pop-ups and self-installing spywARE crap… on windows only. and yeah, it has SP2, by default, but you can never really protect a machine with the “default” things…
However… my mac os computer… well, there’s no spyware on sight. even though soon, those stoopid companies will start making spyware for mac os x…
However, and here, is my point… with this transition to intel from mac… and the OS X running on x86 machines… looks like now, apple is in the sights of everybody. Every little flaw, is all of the sudden a HUGE security gap!… The media does their job pretty good…
however, windows users as well! I guess it’s fair though for everybody. We never had too much to worry about mac os x security, it’s from the start a stable and secure OS. But mac Users, are now paying a price… I guess it’s fair… we used to laugh about windows patches for… the security patch released a day or two before… lol
Still, common sense is cool about installing things we don’t know who’s the source. But people opening JPEGs and instead, end up running some mallicious apple script… that sucks, since icon’s can be deceiving and you don’t allways see the object’s properties to see if it’s trully a JPEG or something else. you just click it… that hasn’t got much ways of beeing prevented…
there are articles for helping people about these “Hackers attacks” and computers owned in 30mins lol… but like the article said and for me to conclude:
“most Mac OS X “vulnerabilities” to date have relied on typical trojan social engineering tactics, not genuine vulnerabilities”
Edited 2006-03-08 14:44
I am wondering how come you have decided to format your PB.
It is not difficult to protect yourself from spywares in case they come up on OS X. Just create another admin account and disable the admin privilege for your present account. Also, disabling the open “safe” file option in Safari also helps. Lastly, you can enable the display of file extensions under Finder’s preference (Yes, this will display the .app extension)
Once I configured on them the internet connection, within 2 mins I’m receiving all sorts of pop-ups and self-installing spywARE crap… on windows only. and yeah, it has SP2, by default, but you can never really protect a machine with the “default” things…
However…
Give me a friggin’ break. If all you did was install WinXP with SP2, and connected to the internet, you’re either:
A. full of crap
B. going to questionable sites you shouldn’t be going to.
You don’t just connect a PC to the internet and instantly get infested with spyware.
um…. false!!!
this goes back a few years, but when XP had just come out…actually, about 6 months after it had come out. I installed a copy on my dell 400mgz pentium, launced IE, downloaded mozilla (from their site), then closed IE once Moz was DLed…. then… i went to sleep…. thats it!. Due to work and every day life, it took me about week to get back downstairs and get in front of this PC. well, i sat down, went to the desktop and launced the Moz installer… created a folder for my new apps on D:/, and went to install the app… when i created the folder, i noticed a wierd little file was already in the brand new folder. it had an IE icon. I was a bit puzzeled, i examined the file… and it appeared to be a .VBS file… I deleted the folder, and created a new one… and again, there was this .VBS file… at that point… i created a few new folders… every one of them, had this very same .VBS file….
at that point, i was like…. “WTF!!! did i get hacked? i must of… this is a brand new installation… and it was not a cracked version of windows.” any way… since this was not my only box, nore was it connected to any other machine at this point…, i figured i would click on the vbs file to see what it did…. well… IE opened, and took me to a porn like web site…. i say porn like cus there was more than just nude girls on the index page… there were links to downloads for weird stuff like spyware protection and plugins and interface “enhancements” for IE….
with out clicking on any links… AT ALL… i just scrolled up and down the page looking at the ads and links trying to figure out were the hell i was… and while i was doing that, IE was busy doing stuff… new IE windows were poping up…. enlarging to full screen… then more would pop up…. then IE restarted…. and when it did… the interface was different… it looked like a few “enhancements” had self installed…and restarted IE for me….
i just sat back and watched at that point! as some one, or some thing “owned my PC” it was almost like magic! …and was quit amusing!!!!
any way… to make a short story shorter… after a few shits and giggles from my BRAND NEW XP PC getting hacked… i F-Disked the box and installed red hat… 6 i belive….
so…. dont tell me you CANT just plug a windows box in to the interweb and get hacked! I diid!!!!
like i said this was XP… and yea… i know SP2 closes lots of holes…. bla bla bla…. that is not the point! the point, is the for YEARS…. for damn near a decade…. hell since the advent of the web…. the 3 billion MS customers have been left WIDE OPEN to an OS the was build from the ground up to be what MS calls “developer friendly” which has in turned made is fantasticly easy to develope spy ware, viruses, trojens and get one some one elses machine…UNINVITED!!!!
god you fanboys from both sides are so sickening.
NO OS is 100% secure, but their is indeed different levels. The simple fact is that the user model that Unix/Linux/BSD OSes use do restrict access over the default Windows setup.
Yes, we know a knowledgable hacker can still work around this, yes we know users shouldn’t be running Windows as the default Administrator, but a large percentage do. Hence why MS is going to LUA controls.
If some access control only thwarts 5% of noobie hackers and they give up, this is still a valuable thing and better than a OS without.
Windows, Mac OS, Linux, BSD, I don’t care. I think every home/business should have a hardware based firewall also instead of relying on just the OS for protection.
Are you a complete muppet or are you just a little bit dim ?
Windows, Mac OS, Linux, BSD, I don’t care. I think every home/business should have a hardware based firewall also instead of relying on just the OS for protection.
You do know that if you download malware, and run it on your computer, it will use the open ports that your browser/email client/IM/p2p programs already have open, whether you have a hardware firewall or not ?
yes, some people should not be left alone with a computer, especially those blockheads who think nothing bad will happen if Mr Hardware Firewall is protecting them
I hate all the Apple bashing, specially the ZDnet stuff, let’s not turn into that.
Originally, the person said he was going to run the test until Friday, but then he decided to end the contest last night.
I am wondering what’s behind this decision.
Well I would assume they didnt like having their bandwidth eaten away with a 30Mbps spike and DoS attacks.
They gave the experiment more time and with a more realistic setup than the original and people did try to gain access or nock it down but it didnt happen. I am sure there is someway that it could have been done just no one was able to do it yet.
From what I’ve read, it’s as simple as the fact that the person’s employer was not happy at all with what he’d done. You know, all that bandwidth, the publicity, hackers trying to get into the box perhaps by compromising other machines on the network, etc.
would pass this test, be it mac os x, windows xp, linux, bsd, whatever…
now put an average user on the machine, and that’s a different story… a windows machine would probably be compromised in minutes, and the only reason os x, linux, and the bsds are safer is because spyware writers don’t think they’re worthwhile targets.
This doesn’t prove that Mac OS X is secure. Well you cant term a system secure if it cant be compromised remotely without any local access.
What if a user gets tricked into downloading a file (I mean a standard user not root) and suppose the file’s a script which uses the privelege exuction vulnerabilities or other unpublished vulnerabilities and is disguised as say a program (or injected onto some fully running installer or let it be a picture file for that matter), so the user would get tricked into running a script that wacks his system off and also hijacks other communication apps (remember the script has root access) to wreck havoc with all people who come in contact with this clueless user.
Well ofcourse someone would come and reply that its the users fault but hell it isn’t : It’s Apple’s fault for not having fixed known vulnerabilties as has come up in a recent post.
So how secure is Mac OS X?
Please remember that:
– The very first challenge as reported by ZDnet was a FAILURE for the so-called unknown magic hacker, the goal was to “rm -rf” the mac mini… he only defaced a website… –> 100% Failure !!!
– The guy clearly said he installed “Fink” and “decent version of Apache, mySQL….” Thus Apple cannot be held for responsible if someone installs third party software.
– Knowing that the “Academic Challenge” had hardened configuration of the mac mini, I can’t see how someone could have succeeded on that one…
Let’s be honest, as many of you know ther are NO “Fortress like” OS nowadays, they ALL got bugs, weaknesses that real talented people can use to gain more privileges that they should.
Please don’t talk about OpenBSD (which is a great OS BTW) because it would be like you don’t know of the Security Patch page available on http://www.openbsd.org
please forgive my english
– The very first challenge as reported by ZDnet was a FAILURE for the so-called unknown magic hacker, the goal was to “rm -rf” the mac mini… he only defaced a website… –> 100% Failure !!!
I’m gonna assume (and hope) that you’re just joking here. But I’ll point out anyway that the guy simply chose not to ‘rm’. He had root (assuming the story is true) so there was nothing stopping him. It just would have been pointless.
“It just would have been pointless”
Except that it would actually have proven that he had root.
Come on, it’s a test by wideopenbsd.org, just another total bullshit (to be quite frank) FUD site. If you’ve ever looked at their main site (wideopenbsd.org) you’d know.
You assume that the story is true , I don’t.
Then, you assume that the guy was nice enough to not “rm -rf” the whole system, I don’t. It’s you right to believe unknown/untrusted sources…
Now let’s consider the facts:
– NOBODY “rm -rf” the system.
– ZDnet article IS 100% FUD since NOBODY has demonstrated the ability to hack OS X under 30 min.
The Academic Challenge shew that:
– NOBODY could get privilege escalation during the 38 Hrs it was online despite many, many attempts.
Do you have facts that would prove me wrong ?
From the site:
# There were over 4000 login attempts via ssh.
So what? You don’t have to put up a contest to get dictionary attacks on ssh. Put up your own server on port 22 and allow password login. Check your authlogs. It’s not uncommon to get somebody trying a password every few seconds for hours on end.
After 5 years of trying, we now see that hackers have discovered 4 exploits in a short period. Of these, I would argue only the Safari exploit is scary– the rest are publicity stunts. The new found attention is a GOOD thing in a way. It means that when OSX hits 9% marketshare, as it is projected to do in the next 12 months, it will be thoroughly pressure-tested in the real world.
It means that when OSX hits 9% marketshare, as it is projected to do in the next 12 months…
Is there a reference to who is predicting this, and whether it is worldwide or US only?
In 2005 the world market was about 205 million machines. Apple seems to have shipped 4.7 million. So if the world market stays roughly the same or grows a bit, and Apple gets 9% of it, shipments will have to rise to about 20 million. Presumably Apple revenues will rise to match, ie the computer part of the revenues, currently about 50% or so of the total, will quadruple?
In 2005 Apple turned over 14 billion. So this would mean going from roughly 7 billion dollars to around 28 billion from computers alone.
It would indeed be insanely great. If it happens.
The Mini was running a fresh install of 10.4.5, the one that was hacked earlier was on 10.3.4
Since 99% of Mac users upgrade their previously insecure operating system instead of a fresh install, that leaves a substantial amount of Mac’s with nice little backdoors open for hackers to return.
For instance, I used to be a Apple online support tech, I can tell you that during the URL Handler exploits, most users just updated their OS, instead of doing a fresh install.
As you know the URL handler exploits were widespread in the underground community for many months even after Apple was notified, they were even posed on Slashdot.
Many many users warned Apple, but they ignored them, they have since changed that behavior. Like they are now taking a closer look at all this automation they created for ease of use, which makes it easy to get tricked.
Apple can be a pompous ass sometimes.
nore was it connected to any other machine at this point…, i figured i would click on the vbs file to see what it did…. well… IE opened, and took me to a porn like web site….
if it wasn’t connected to any other machine, it wouldn’t have been able to take you to any web site.
come on!!!! i ment another computer AT MY HOUSE… …i beleive that was obvious!
it WAS pluged in to my cable model
this goes back a few years, but when XP had just come out…
And this relates to Windows XP Sp2 available today as a free download in what way?
If you’re going to post, at least reference something from modern day, not 5 years ago.
Notice how I said Windows XP WITH SERVICE PACK 2
Bummer… looks like the site has been removed.
“…still doesn’t address the fact that there’s unpublished/unknown/unpatched local vulns floating around.”
And you BELIEVE that this mysterious hacker KNOWS for a fact of such unpatched, unpublished vulns? Of course, common sense will tell you that they can’t be “unknown”, if this guy know about them.
You shouldn’t blindly believe everything you read, sir.
I requested the log files and the root shell history from the host. He refuses to share them and claims there’s nothing in them.
This whole thing is a fraud. Until he begins to disclose information about the system and share with the rest of the world, his claim can only be assumed to be bullshit.