>> Doesn't OS X already have a firewall built in?
>> Which illustrate the ignorance of the average user, and the overblown media hype that's been given to firewalls the past few years.
Actually, if you looked at the post I was *replying* to, you would see that the poster was saying (in a tongue-in-cheek way) that Apple should include Apple Defender, Apple Spyware, and Apple Firewall. I was simply pointing out that Apple already includes the firewall.
Of course you can't block the port if you're actively using it (port 80 being a good example for webservers)...duh.
I'm sorry, but I must point out that you have the same "ignorance of the average user."
You really don't understand firewalling if you think it's just blocking some ports. Yes, that may be all your crappy Linksys can do, but that's not all we do on the enterprise level.
As it's already put best, I will cite Wikipedia.
"Network layer firewalls operate at a (relatively low) level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply (as in some inflexible firewall systems).
A more permissive setup could allow any packet to pass the filter as long as it does not match one or more "negative-rules", or "deny rules". Today network firewalls are built into most computer operating systems and network appliances.
Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes."
- http://en.wikipedia.org/wiki/Firewall_%28networking%29
That article is pretty sparse, but I don't want to overload you with groundbreaking new information about what a firewall can do. I suggest you go check out pf sometime, if you've got a spare machine.
- http://www.openbsd.org/faq/pf/
It has the full functionality of most modern hardware firewalls at the better-than-consumer level. You can filter packets based on information in the header, or even in the payload itself.
I own a data center, so I work with this day in and day out. We have extremely complex rules in place that do a _lot_: everything from alerting us to incoming DDoSes (as well as actively attempting to drop the packets before they get to our clients' computers) to filtering out spoofed mail servers before the packets even touch our SMTP agents. This is typically known as deep packet inspection.
Needless to say, those are only two small examples; there are thousands of other things you can do with a firewall. Please don't call people ignorant if you're ignorant yourself and haven't bothered to research the topic you're writing about at least a _little_. Wikipedia is normally a good starting point!
>> You really don't understand firewalling if you think it's just blocking some ports. Yes, that may be all your crappy linksys can do, but that's not all we do on the enterprise level.
and what you don't seem to understand is that your entire post and linked articles mean exactly {censored} when the attacks are coming in via normal traffic routes - if the attack is via port 80 against apache, or port 21 against ftpd, or some other port that is allowed for some program that has a vulnerability, so it looks like normal traffic - ALL of that fancy firewalling means Jack.
>> Tell me, how do you intend to fix this 'bug'? Preventing users from using the computer?
A sad truth, and one people rarely get, is the only secure server is one that doesn't serve... so I get a real laugh out of that dig as it does illustrate the point rather well.
I also get a real kick out of statements like:
>> Doesn't OS X already have a firewall built in?
Which illustrate the ignorance of the average user, and the overblown media hype that's been given to firewalls the past few years. A firewall on a server can only block access on ports NOT used for serving. What are you gonna do? Block port 80 (http), port 21 (ftp) and port 22 (ssh) on a SERVER? No, because then it wouldn't serve http, allow users to update their http sites via FTP, or do simple things like backing up their SQL databases via a 'secure' shell.
A firewall is useless if the attack is occurring on a port that can't be blocked - of course the converse is also true - blocking ports that there's no software installed to respond on just wastes overhead. The only reason firewalls help in Windows as much as they do is all the crap services running in the background the average user doesn't need (Telnet server, Messenger, etc). This applies under other OSes too. If there's no software running to REPLY on a port, you don't need to block it inbound, and generally speaking if you need to worry about blocking outbound, you probably installed something you shouldn't have (like, uhm, Internet Explorer or Outlook).
Everything that has access IN at some point, be it FTP, HTTP, what have you, has a point at which an attack can be mounted - which is why the statements about things like linux or OSX being 'more secure' always get a chuckle out of me, as it's not a matter of security but effort... and with most of the die hard hackers out there being rabid anti-MS zealots, where do you think most of the effort ends up going?
So it's no wonder when you give people a reason to look at OS X, it only lasted 30 minutes. I'd be willing to bet a better documented OS like linux might even last LESS time - except that I doubt any self respecting hacker would put the effort in since linux is their pride and joy.
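The two sides of this argument are easy to see side by side in code. The block below is an added example, not code from the thread, from pf, or from the Wikipedia article quoted earlier: it is a toy rule-based packet filter that models the quoted description (ordered rules, default-deny versus "deny rules only"), approximates pf's evaluation order (last matching rule wins, a `quick` rule stops evaluation), and allows an optional payload match as a crude stand-in for the payload inspection the data-center poster mentions. The rule set, the server address (an RFC 5737 documentation range), the "known-bad" netblock, and the `CONSTRUCTED-BAD-PATTERN` signature are all constructed for the example. It shows both points at once: a port-only rule set cannot block a request to a port the server must serve on, while a payload rule can.

```python
# Added example (not code from the thread, from pf, or from Wikipedia): a toy
# rule-based packet filter modelling the behaviour the thread argues about.
# pf semantics are approximated: rules are evaluated in order, the LAST matching
# rule wins, and a matching rule flagged "quick" stops evaluation immediately.
# Rules may match header fields and, optionally, a byte pattern in the payload,
# a crude stand-in for payload inspection / DPI.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                               # "pass" or "block"
    proto: Optional[str] = None               # None matches any protocol
    src_net: Optional[str] = None             # CIDR string; None matches any source
    dst_port: Optional[int] = None            # None matches any port
    payload_contains: Optional[bytes] = None  # None = header-only rule
    quick: bool = False                       # stop evaluating once this rule matches

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src_net is not None and \
                ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.payload_contains is not None and self.payload_contains not in pkt.payload:
            return False
        return True


def evaluate(rules, pkt: Packet, default: str = "block") -> str:
    """Return "pass" or "block". `default` is the policy when no rule matches:
    "block" gives a default-deny filter, "pass" the permissive "deny rules only"
    setup described in the quoted Wikipedia text."""
    decision = default
    for rule in rules:
        if rule.matches(pkt):
            decision = rule.action          # last match wins ...
            if rule.quick:
                break                       # ... unless the matching rule is quick
    return decision


# Header-only rule set for a public web server that also offers ftp and ssh,
# i.e. the situation the thread is arguing about. Addresses are documentation
# ranges (RFC 5737); the blocked netblock is a constructed example.
WEB_SERVER_RULES = [
    Rule("block", src_net="192.0.2.0/24", quick=True),   # constructed "known-bad" netblock
    Rule("pass", proto="tcp", dst_port=22),
    Rule("pass", proto="tcp", dst_port=21),
    Rule("pass", proto="tcp", dst_port=80),
]

# Constructed marker standing in for a real content signature.
BAD_PATTERN = b"CONSTRUCTED-BAD-PATTERN"

# Same rule set plus one payload rule: port 80 stays open for service, but a
# request carrying the signature is dropped before it reaches the web server.
DPI_RULES = WEB_SERVER_RULES + [
    Rule("block", proto="tcp", dst_port=80, payload_contains=BAD_PATTERN, quick=True),
]

SERVER = "203.0.113.10"   # constructed server address


def demo() -> dict:
    """Decisions for a handful of constructed packets against both rule sets."""
    normal_get = Packet("198.51.100.7", SERVER, "tcp", 80, b"GET / HTTP/1.1\r\n")
    db_probe = Packet("198.51.100.7", SERVER, "tcp", 3306)
    from_bad_net = Packet("192.0.2.5", SERVER, "tcp", 80, b"GET / HTTP/1.1\r\n")
    bad_request = Packet("198.51.100.9", SERVER, "tcp", 80,
                         b"GET /" + BAD_PATTERN + b" HTTP/1.1\r\n")
    return {
        "normal_get": evaluate(WEB_SERVER_RULES, normal_get),              # pass
        "db_probe": evaluate(WEB_SERVER_RULES, db_probe),                  # block: nothing served there
        "from_bad_net": evaluate(WEB_SERVER_RULES, from_bad_net),          # block: quick rule wins
        "bad_request_ports_only": evaluate(WEB_SERVER_RULES, bad_request), # pass: port 80 must be open
        "bad_request_with_dpi": evaluate(DPI_RULES, bad_request),          # block: payload rule fires
        "db_probe_default_allow": evaluate(WEB_SERVER_RULES, db_probe, default="pass"),  # pass
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

The `bad_request_ports_only` entry is the whole disagreement in one line: with header-only rules the request to port 80 is indistinguishable from a normal `GET`, so it passes. The `bad_request_with_dpi` entry shows what the data-center poster is describing: the same port stays open, and only traffic matching a content signature is dropped. A real pf rule set is not Python, and a real signature is far more than a substring match, but the evaluation order and the default-policy choice are the same ideas.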