Linked by Thom Holwerda on Fri 28th Mar 2008 20:39 UTC, submitted by irbis
Privacy, Security, Encryption "An Apple Mac was the first victim in a hacker shoot-out to determine which operating system is the most secure. A former US National Security Agency employee has trousered USD 10000 for breaking into a MacBook Air at CanSecWest security conference's PWN 2 OWN hacking contest. The MacBook was lined up against Linux and Vista PCs - which have so far remained uncracked. Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages. The MacBook was the only system to be hacked by Thursday. Miller didn't need much time. He quickly directed the contest's organisers to visit a website that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on. He was the first contestant to attempt an attack on any of the systems." There is more bad news for Apple: "If you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple." Update: The contest is over. Vista got hacked using Adobe's Flash, Ubuntu was left standing.
Thread beginning with comment 307054
RE[2]: LMFAO
by pxa270 on Fri 28th Mar 2008 21:26 UTC in reply to "RE: LMFAO"

From the Register:

"Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing."

http://www.channelregister.co.uk/2008/03/28/mac_hack/

Reply Parent Score: 11

RE[3]: LMFAO
by Doc Pain on Fri 28th Mar 2008 22:21 in reply to "RE[2]: LMFAO"

> From the Register:
>
> "Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing."
>
> http://www.channelregister.co.uk/2008/03/28/mac_hack/


Do I understand this correctly? An interaction of the user has been required to achieve the goal of hacking?

From the description above: "Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages." - Is this still hacking? Relying on user interaction can help you to compromise any system. I always thought this is nothing spectacular because nearly anyone can do such "easy" stuff (faked maintenance websites, faked system alerts etc.). The same techniques could have been used to hack into the Linux and "Vista" boxes as well, just if the user replies to a mail like "Dear Bob, please send me your root password back. thanks!" :-)

Reply Parent Score: 12

RE[4]: LMFAO
by sbergman27 on Fri 28th Mar 2008 22:29 in reply to "RE[3]: LMFAO"

I believe that the user had simply to visit the site with the exploit. That site might as well have been a Google search result.

Apple is already working on a fix, as they always do when these things come out so publicly.

"I'm a MAC"

"I'm a PC"

"And I'm a cracker. Bang! Bang! You're dead!"

Reply Parent Score: 11

RE[4]: LMFAO
by pxa270 on Fri 28th Mar 2008 22:46 in reply to "RE[3]: LMFAO"

> Do I understand this correctly? An interaction of the user has been required to achieve the goal of hacking?

> Also from the description above: "Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages."

From the same link: "Not a single attendee entered the contest on day one, when all vulnerabilities had to reside in the machine's operating system, drivers or network stack."
Nobody even tried under 1st day rules, because exploits were very unlikely. As Elseware already mentioned, the days of zero user interaction remote exploits are pretty much over. Even XP-SP2 can withstand that.

> Is this still hacking? Relying on user interaction can help you to compromise any system.

Yes it is. Because visiting an unknown website or opening an email is not supposed to be able to execute arbitrary commands on your computer.

> I always thought this is nothing spectacular because nearly anyone can do such "easy" stuff (faked maintenance websites, faked system alerts etc.). The same techniques could have been used to hack into the Linux and "Vista" boxes as well, just if the user replies to a mail like "Dear Bob, please send me your root password back. thanks!" :-)

You thought wrong, because the Ubuntu and Vista laptops were still being attacked under the same rules when the Mac was down (each had their own cash prizes), but they withstood the rest of the day.

Reply Parent Score: 22

RE[4]: LMFAO
by raver31 on Sat 29th Mar 2008 07:51 in reply to "RE[3]: LMFAO"

Of course it is still classed as hacking. How do you think a Trojan horse operates? Exactly like the Trojan horse of legend. It would just sit there doing nothing until the people of Troy interacted with it, in their case, pulled it inside their town.

A computer Trojan horse is useless unless the user allows that into the system.

Reply Parent Score: 5

RE[3]: LMFAO
by wannabe geek on Sat 29th Mar 2008 18:15 in reply to "RE[2]: LMFAO"

> "The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing."

If that is true, the following observations come to mind:

1) telnet itself is obsolete because of security reasons, and sshd should be off by default in desktop systems (and a regular user should not be able to turn it on).

2) Only root should be able to open a port.

3) Even if arbitrary code is executed as regular user, it shouldn't be able to get root account, except, maybe, by privilege escalation. Privilege escalation is an issue in Linux as well (as discussed in the "fakesudo" thread in Ubuntu forums), but I think the risk can be avoided if you never su or sudo from your regular user account. Instead, create a new user from whom you su or sudo, and run a lightweight DE with this user in another tty, just to run synaptic and things like that. I'm assuming a user program can run a fake kde session fullscreen, but it can't capture CTRL+ALT+f8. I have to check that one, though.

So, even if it was a vulnerability in Safari, it was the OS's fault if this led to a remote root login without the user entering their password. Not to mention that Safari is an Apple program, installed by default in OS-X, so there are no palliatives.

Reply Parent Score: 4

RE[4]: LMFAO
by Kokopelli on Sun 30th Mar 2008 00:02 in reply to "RE[3]: LMFAO"

> If that is true, the following observations come to mind:

> 1) telnet itself is obsolete because of security reasons, and sshd should be off by default in desktop systems (and a regular user should not be able to turn it on).

The telnet service is obsolete sure. Telnet as a client is an easy way to connect to an arbitrary service on an arbitrary port. Taking as a random example it is a good way to connect to an exploit that is listening on a port...


> 2) Only root should be able to open a port.

Uh... you are aware that if a Linux distro were so ill advised as to do this it would break many things? The idea is only root should be able to open privileged ports.

> 3) Even if arbitrary code is executed as regular user, it shouldn't be able to get root account, except, maybe, by privilege escalation.

That is the definition of privilege escalation yes...

> Privilege escalation is an issue in Linux as well (as discussed in the "fakesudo" thread in Ubuntu forums),

This has nothing to do with privilege escalation. This is malware.

> but I think the risk can be avoided if you never su or sudo from your regular user account. Instead, create a new user from whom you su or sudo, and run a lightweight DE with this user in another tty, just to run synaptic and things like that. I'm assuming a user program can run a fake kde session fullscreen, but it can't capture CTRL+ALT+f8. I have to check that one, though.

> So, even if it was a vulnerability in Safari, it was the OS's fault if this led to a remote root login without the user entering their password. Not to mention that Safari is an Apple program, installed by default in OS-X, so there are no palliatives.

It in theory will stop some privilege escalation attacks, but not all. In general setting up your system like that would be too inconvenient for most normal users (especially of OS X).

Reply Parent Score: 3
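A defender-side check for the situation argued over above (an exploited desktop application "opening up a port", which any process is allowed to do on ports 1024 and up, so the privileged-port rule alone does not catch it). This is an added example, not code from any commenter or from the contest; it parses a constructed sample of `lsof -i -nP` output and the allow-list of expected daemons is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `lsof -i -nP` output (not captured from any real host).
# Two expected daemons plus a browser process that has started listening on
# every interface, which is what "opened up a port that he was then able to
# telnet into" looks like from the defender's side.
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812  root    3u  IPv4  10231      0t0  TCP *:22 (LISTEN)
cupsd     901  root    5u  IPv4  10455      0t0  TCP 127.0.0.1:631 (LISTEN)
Safari   2210 alice   17u  IPv4  23456      0t0  TCP *:31337 (LISTEN)
Safari   2210 alice   21u  IPv4  23470      0t0  TCP 10.0.0.5:49152->192.0.2.10:443 (ESTABLISHED)
"""


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    addr: str
    port: int


# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; keep only TCP LISTEN rows.
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)(?:\s+\S+){4}\s+"
    r"TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)$"
)


def parse_listeners(text: str) -> list[Listener]:
    """Return every TCP socket in LISTEN state found in lsof -i -nP output."""
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            found.append(Listener(m["cmd"], int(m["pid"]), m["user"],
                                  m["addr"], int(m["port"])))
    return found


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("[::1]", "localhost")


def suspicious_listeners(listeners: list[Listener],
                         allowed: frozenset[str] = frozenset({"sshd", "cupsd"})) -> list[Listener]:
    """Flag network-reachable listeners not owned by an allow-listed daemon.

    Only root can bind ports below 1024, but any user process can bind a high
    port, so the tell-tale is the owning process and interface, not the port.
    """
    return [s for s in listeners
            if not is_loopback(s.addr) and s.command not in allowed]
```

Run it over real `lsof -i -nP` output on a workstation and the only entries that should survive are daemons you can name.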