March 7, 2006 3:13 PM PST

Another Mac OS X hack challenge launched

A university systems engineer in Wisconsin is inviting hackers to break into his Mac.

Dave Schroeder, a senior systems engineer at the University of Wisconsin, launched his contest on Monday. An earlier challenge was too easy, he said.

Schroeder is asking hackers to alter the home page hosted on a Mac Mini that is running Mac OS X 10.4.5 with the latest security updates. The system has two local accounts, and has SSH and HTTP open--"a lot more than most Mac OS X machines will ever have open," Schroeder said on his Web site.

Secure Shell, or SSH, is used for logging into and executing commands on a networked computer, and HTTP, or HyperText Transfer Protocol, is the method used to transfer information on the Web.

Originally, the online event was scheduled to end on Friday. But because of the enormous attention, the time for the challenge has been cut short and will now end Tuesday at 10 p.m. PST, Schroeder said.

"It has been pretty surprising how well the little Mac Mini has stood up. It has taken a pounding," Schroeder said in a telephone interview. "The attention (the contest) has gotten has just exploded. This isn't a real, official test: It is just kind of done in the academic interest."

First contest
In the earlier challenge, an anonymous hacker claimed he was able to compromise OS X within 30 minutes using an undisclosed vulnerability. However, attackers were given user-level access to the system, rather than being shut out completely.

"The original challenge allowed any users to have local accounts to access the machine via SSH," Schroeder said in an interview via e-mail. "This is an important distinction, because if you have local--or physical--access to a computer, you have a very distinct leg-up in terms of the ability to escalate your privileges."

Early media reports on the first competition did not call out the fact that attackers were given local access to the system. This irked Schroeder, moving him to launch his own challenge. "The original article left readers with the impression that a Mac OS X machine could be easily hacked into just by being connected to the Internet," he said.

Still, the previous contest was a real challenge, Schroeder said. "Assuming it is genuine, it represents an as-yet-unknown local privilege escalation that would allow any local user to gain root-level access," he said. This could be a serious issue for any setting with shared machines, such as schools, he said.

It could also pose a problem for Web hosting providers that use Apple Computer's operating system, said Johannes Ullrich, chief research officer at SANS Institute. Customers on shared machines need access to update their Web sites. A privilege escalation flaw could let a malicious user with such access gain full control over a system, he said.

The hacker challenges come after weeks of scrutiny of the safety of OS X, prompted by the discovery of two worms, and the disclosure of a vulnerability that was deemed "extremely critical" by security monitoring company Secunia. Security experts are also questioning the effectiveness of Apple's latest patch.

Schroeder plans to sift through the log files of the Mac and publish anything interesting, he said in the phone interview. "I know it is disappointing that it will be ending early to a lot of people."

Earlier Tuesday, Schroeder said that most of the hacking attempts were from scripts and tools attempting to use common Web exploits, dictionary attacks against SSH, port scans and scans by security tools such as Nessus. On Tuesday morning the site was down briefly due to a denial-of-service attack, he said.

The person who does successfully hack Schroeder's Mac Mini is requested to send him an e-mail describing the attack. Schroeder plans to report that to the appropriate software vendors and will post results after the close of the challenge, he said.


43 comments

Message has been deleted.
Posted by ssidiouss (5 comments )
This is Response to the previous "Story"
... So you should not be irked by this current contest. It is far more legitimate than the first "contest". Giving someone nearly complete access to your system is not a measure of security. In this instance, we will see well documented data collected, and be able to review it.

I look forward to the results of this competition. By the way, for those of you with fractioned grey matter, a denial of service attack is not hacking a computer.
Posted by Thomas, David (1947 comments )
Message has been deleted.
Posted by ssidiouss (5 comments )
not non news, this is legit
http://test.doit.wisc.edu/

Is his link. He's taking it down earlier than what he posted: (tonight) according to his site.
Posted by techguy83 (295 comments )
Finally, A Reasonable Test, but Still Not a Typical Desktop ...
configuration. It's reasonable because it doesn't rely on an insider (e.g., a user allowed to create a "local" account via SSH as the "Gwerdna" attack used on the previous "test", which allows them to upload cracking tools). However, it's still not a typical out-of-the-box configuration, as SSH and HTTP access have been enabled, and a typical desktop user wouldn't immediately know how to do it, much less go to the trouble to accomplish it (including navigating a number of dialog boxes, acknowledging clear security warnings in enabling SSH and HTTP).

Of note, the "30 Minute Man" apparently hasn't managed to use his allegedly publicly-unknown exploit to break into this machine, so if it exists, it requires inside access to a system (the weakest part of any system is the "loose nut behind the keyboard"). It does suggest that there is a user-to-root escalation vulnerability that would need to be fixed.

We still need to hear what the bottom line is with Apple's latest security update vs. the recently-publicized vulnerabilities, but if history is any guide, they will be addressed within a week or so (if not already), and not the months it can take for some manufacturers to respond - if ever.

It would be interesting to hear what Apple uses to test the vulnerability of their code before it ships, and I'll ask my contacts in the OS X group to find out, so we can gauge how effective their internal testing should be.

All the Best,
Joe Blow
Posted by Joe Blow (175 comments )
Reasonable?
I'm not sure this is reasonable either. If this were a business using a Mac as a web server, is this how they would set it up? If this were a home user who wished to use a Mac Mini as a private home page, is this a reasonable setup? If this were a business using a Mac as a file server, is this a reasonable setup? Maybe it is, I don't know, but the only way any Mac Hack is going to carry any weight is if it is not set up to be hacked. In other words, the target Mac system will have to be set up in a normal secure way that doesn't leave known doors open.
Posted by System Tyrant (1453 comments )
bah
It's a NON-STORY.

His Mac isn't set up like an out of the box setup. It's total fraud.

Let someone hack an out of the box Mac set up on the net..
that's something.. all this open stuff is ridiculous and means
nothing.
Posted by ssidiouss (5 comments )
A legit test
You're right. . . most out of the box Mac Minis wouldn't be configured to allow HTTPD connections (hosting webpages) nor to allow SSH (to allow remote user login). . .

So, he's made it slightly less secure than a typical desktop mac. . . but it looks like the typical webhost configuration for OSX. Right out of the box.
Posted by wysiwyg22 (41 comments )
Truer Test
Agreed. . . the previous contest was a joke when I found out they gave user access. . . the system is half crippled that way.

I'm anxious to see the results here, knowing this configuration is a bit more typical.
Posted by wysiwyg22 (41 comments )
The interesting thing
The interesting thing is that most of the elevation-of-privilege attacks on the Windows platform (most, not all) require either physical or logon access as well. But you never hear outcries about this being an "unfair" testing methodology; it's simply assumed that the system should be secure. Period. This is fair; but why isn't the Mac being held to the same standard?

If I had a day to lock down a Windows XP box (you know, firewalls, closing known exploits, shutting off unneeded or risky services, etc.) I could achieve similar results.

I dunno. I'm not holding my breath; if the Mac is hacked, I'm sure we'll hear some huge outcry about how the test wasn't fair and how it was all a conspiracy by someone to do something. If the Mac ISN'T hacked right away, there'll be a lot of smug back-patting as Apple enthusiasts congratulate themselves on being the only operating system in history without E.O.P. bugs.

I see this as a PR stunt, not any kind of valid test. I'd love to see a comparative study with hardened Windows, hardened Mac, and hardened raw Unix. I'm sure the Unix platforms (and yes, I know OS X is just a thin shell over Unix, but the point is that it's NOT Unix; not exactly...) would win, but I'd be curious to see by how MUCH...
Posted by prothe113 (32 comments )
Umm. . . What?
Quoting "The interesting thing is that most of the elevation-of-privilege attacks on the Windows platform (most, not all) require either physical or logon access as well."

Umm. . . what? I personally can think of dozens of readily available windows attacks that can root out the box without the need of an established remote account or physical logon.

If you grant local access, a windows box is pretty much toast.

It's not even in the same category of protection. And they're not spending an hour hardening their systems, these are basic Mac OS configurations out of the box. . . the only difference is a basic configuration for hosting, (by default, the OSX firewall prevents this).

This is more like the Unix / Linux world. People take a whack at it from the outside and see if they can get in. You don't hand them the user access first then see what they can do.
Posted by wysiwyg22 (41 comments )
Funny...
"If I had a day to lock down a Windows XP box (you know,
firewalls, closing known exploits, shutting off unneeded or risky
services, etc.) I could achieve similar results."

This guy didn't spend a day locking down his Mac Mini. It
probably took him like 5 mins to connect to the ethernet
(internet), turn it on and go to System Preferences and click on
firewall.

I know that Macs are vulnerable too somewhere and no one has
found that little pin hole yet. Let's be realistic though. I bet you
90% of Windows users don't even know what processes are. Let
alone throw them a box and tell them to seal it up for a mass
attack that this guy's Mac Mini got.
Posted by pariank (12 comments )
The point is...
... Macs are vulnerable as well. Maybe not as easy or as common as with Windows, but the threat is there and present.

PERIOD.

:-p
Posted by Mendz (519 comments )
A reasonable analogy?
As a non Apple user I'm taking a stab here in regards to the reduced security of the sacrificial mac mini.

Would it be fair to compare the mini's state to a home that still has the windows and doors locked but the steel bars have been removed? The security is reduced, but there's still a requirement to get a brick through the glass or kick the door down to gain access.
Posted by j3st3r (70 comments )
Yes...
The brick to the glass window would do it fair justice to the first
"hacking."
Posted by Deelron (60 comments )
CONTEST CLOSED. RESULTS??
Nothing.

After traffic spiking at 30Mbps...
After two concentrated DoS attacks where the host remained
up...
After numerous web exploit scripts, ssh dictionary attacks and
having its rear probed by scanning tools...
After OVER FOUR THOUSAND login attempts...

ALL ATTEMPTS FAILED!
(unless he's lying)

Next??

PS: I LOVE the "Objections to this test" section of the page. It
shows perfectly how Mac users truly have the best of both
worlds. At its core, Mac OS X enjoys the benefits of using open-
source technologies (Apache, OpenSSH). And yet, OS X users
also benefit from the concerted effort and vision of ONE
COMPANY designing and implementing these and many other
technologies, both open and closed-source. This is a benefit
that neither Linux (fully open source but "headless" in its
implementation -- and challenging to implement across the
hardware "soup" of the x86 PC platform) nor Windows can offer
(totally a closed technology, requiring all that it is to emanate
from a single source or brain/talent pool: Microsoft... and ALSO
subject to the hazards of doing so in the "soup" of the x86
hardware platform).

To all of this, I say GO APPLE!!! I GOT FOUR WORDS FOR YA: I...
LOVE... THIS COMPANY!!! EEEEEYYYYYEEEAAAAHHHHHHHH!!!!!!
Posted by MacDuff (62 comments )
A more reasonable test
I agree the conditions set forth this time were more reasonable. I don't think the time allowed was. I would have liked to see the computer up for a month versus hours. It gives the test more credibility. If it doesn't get hacked in that time, it would dispel the claim there wasn't enough time to find an exploit. After all, many computers are online for weeks at a time.

I doubt it would get hacked but I still would have liked to see more time than a day. By the time I found out about it, the test was over. To me, this makes it about as bogus as the first test.
Posted by Seaspray0 (9714 comments )
Ballmer??
Is that you?
Posted by (43 comments )
LMAO! :D
I was wondering if somebody'd pick up on that ;)
Posted by MacDuff (62 comments )
Interesting
I have learnt a lot about security lately.

1. Privilege escalation is not a big deal.
2. If there are no attacks in the wild it does not count.
3. Attacks on an unpatched OS are unfair.
4. It is not a fault of the OS if an exploit involves user interaction.
5. Adding a warning is a good solution to a core OS fault.

Think Different.
Posted by Andrew J Glina (1673 comments )
English lesson time
"Learnt" is not a word.

"Irregardless" (from a previous post of yours) is also NOT a word.

What grade are you in?
Posted by keyboard55 (11 comments )
Not all wrong -- but wrong enough
1. Privilege escalation is not a big deal.

Actually, privilege escalation is a big deal. But does it mean that
widespread raping and pillaging can take place on a typically
configured Mac by a stranger? Like say, my Mac and the Mac of
most every OS X user? No. So far, no one has proven beyond
Trojan programs propagated via social engineering that Macs
can be CONTACTED and infected with impunity across the
internet. And unfortunately, NO OS can prevent social
engineering (i.e.: stupid end-users putting in their admin
password).

2. If there are no attacks in the wild it does not count.

No. They do indeed count. And there are weaknesses in OS X.
But how bad (a Bluetooth exploit?? Gimme a break), but how
many and how bad? Who knows? And in reality given Apple's
market-share? Who cares? Apple will cover them off and will
always try to maintain security, but THIS is not the embattled,
beleaguered OS platform of the world, my friend. No, the war is
elsewhere; somewhere over the horizon.

3. Attacks on an unpatched OS are unfair.

Given how fast Windows systems can be detected and exploited,
unpatched systems seem to be fair game.

4. It is not a fault of the OS if an exploit involves user
interaction.

Unfortunately, it's not. And that goes for any OS at the hands of
a stupid or careless end-user.

5. Adding a warning is a good solution to a core OS fault.

No matter what an OS does, an end-user can still command the
system to fry itself. It's just the way it is. (in fact, be very scared
if this changes ;) )
Posted by MacDuff (62 comments )
ugh...
Best stop using the internet until after the Mac-heads are done patting themselves on the back after this test.
Posted by dragonbite (452 comments )
Might want to stop using it anyway
If you're on Windows. Less than 1 minute being hacked on a Windows machine just being on the internet. This proves that an OS X machine with very, very basic setup is damn near impervious.

Us "Macheads" know something you don't: You're f*****.
Posted by (461 comments )
New Article Mocks C|Net "Journalistic" "Standards"
What is this article supposed to do, redeem c|net's woefully inadequate reporting of the earlier "test"?

And I'm in total shock: Mr Gwerdna or Gondwanaland or whatever, from the first test, didn't win in this one?

Hmm. Didn't the updated C|Net article of the earlier test have him boasting about how easy it was to crack into an OS X machine, and that it didn't matter if more strengthening was made to the target Mac? Why didn't he prove that conclusively by breaking into this system then?

More importantly: why has C|Net - rather, ZDnet Australia (same thing) - not done a follow-up interview with Mr Anonymous Hacker to challenge his assertion?
Posted by Xiaxua (20 comments )
Makes One Suspicious
I agree Irma. If guano, or whatever his name is, really did what
he said he did, I'd like to see some proof. And the guy who
initiated the first test is almost as suspicious, since all those
Windows programming books on his bookshelf (in the
background of his picture of the Mini) strongly suggest a certain
amount of affiliation with a certain company having a dubious
reputation for playing fairly in business. Why couldn't he have
provided some proof of the attack? All we have is his word that
his web page was altered.

Which brings up another point. I thought the first "contest" was
to see if anyone could delete enough files to render his system
useless (that's what he was preparing for anyway). You know, it
was an "rm my mac" contest. He never said any files were
removed, only that his web page was altered. So doesn't that
mean that guano never did get root access?
Posted by Wingsy (22 comments )
Attn: English Majors
OK, all you English majors out there, kindly disregard my misuse of
the word "suspicious" in the 1st paragraph. Supposed to have been
"suspect".
Posted by Wingsy (22 comments )
It's okay
That usage of "suspicious" is okay as far as I can see. It gets the
point across. "Suspect" might have been a better choice, but
"Suspicious" does work.
Posted by nightveil (133 comments )
LOL! Hide the beer! The folks are home!
WOW! I cannot believe this! While you can if you go to
http://test.doit.wisc.edu/ (the big hacker test at University of
Wisconsin), you are greeted with this plain text message:

"Yesterday we discovered the Mac OSX "challenge" was not an
activity authorized by the UW-Madison. Once the test came to
the attention of our CIO, she ended it. The site,
test.doit.wisc.edu, will be removed from the network tonight.
Our primary concern is for security and network access for UW
services. We are sorry for any inconvenience this has caused to
the community."

So... the guy staged this challenge on the university bandwidth
-- and network -- without proper authority! Bad move! Like,
what IF someone got through? How much collateral damage
could have been done? In the back of my mind I wondered if this
was sanctioned by the university, but then I thought the guy
couldn't be THAT dumb! Turns out he was! It doesn't negate the
results... but it could negate his employment!
Posted by MacDuff (62 comments )
Annie is the winner!
She took down the system, and I think she did not make much of
an effort to do it, she found some vulnerabilities in Dave
Schroeder's contract and took the Mac Mini in a few minutes.

Anyway, Annie has no blame for doing her job, Dave was the one
who should have asked for authorization on his test.

But if all of you send me one dollar each, I would buy a MacMini
and do the test myself ;)
Posted by rleon (111 comments )
ROFLMAO!
"Annie is the winner".

Good one :D

(took her MORE than 30 minutes, though ;) )
Posted by MacDuff (62 comments )
thebignoticeboard.com
still the best os around. i didn't buy it because it didn't have viruses,
that was just a bonus. i bought it because it is the most stable os
i've ever used.
Posted by thebignoticeboard.com (23 comments )
Have any of you guys been to the...
Web address for the test?
http://test.doit.wisc.edu/
Posted by rockstarstatus (70 comments )
i have
He's closing the test tonight and has put up some information for the media to use to contact the university.
Posted by techguy83 (295 comments )