March 7, 2006 3:13 PM PST
Another Mac OS X hack challenge launched
- Related Stories
Mac OS X patch faces scrutinyMarch 7, 2006
Winner mocks OS X hacking contestMarch 6, 2006
Apple patches serious Mac OS flawsMarch 1, 2006
Is Mac OS as safe as ever?February 27, 2006
Mac OS flaw exposes Apple usersFebruary 21, 2006
Bluetooth worm targets Mac OS XFebruary 17, 2006
Dave Schroeder, a senior systems engineer at the University of Wisconsin, launched his contest on Monday. An earlier challenge was too easy, he said.
Schroeder is asking hackers to alter the home page hosted on a Mac Mini that is running Mac OS X 10.4.5 with the latest security updates. The system has two local accounts, and has SHH and HTTP open--"a lot more than most Mac OS X machines will ever have open," Schroeder said on his Web site.
Secure Shell, or SSH, is used for logging into and executing commands on a networked computer, and HTTP, or HyperText Transfer Protocol, is the method used to transfer information on the Web.
Originally, the online event was scheduled to end on Friday. But because of the enormous attention, the time for the challenge has been cut short and will now end Tuesday at 10 p.m. PST, Schroeder said.
"It has been pretty surprising how well the little Mac Mini has stood up. It has taken a pounding," Schroeder said in a telephone interview. "The attention (the contest) has gotten has just exploded. This isn't a real, official test: It is just kind of done in the academic interest."
In the earlier challenge, an anonymous hacker claimed he was able to compromise OS X within 30 minutes using an undisclosed vulnerability. However, attackers were given user-level access to the system, rather than being shut out completely.
"The original challenge allowed any users to have local accounts to access the machine via SSH," Schroeder said in an interview via e-mail. "This is an important distinction, because if you have local--or physical--access to a computer, you have a very distinct leg-up in terms of the ability to escalate your privileges."
Early media reports on the first competition did not call out the fact that attackers were given local access to the system. This irked Schroeder, moving him to launch his own challenge. "The original article left readers with the impression that a Mac OS X machine could be easily hacked into just by being connected to the Internet," he said.
Still, the previous contest was a real challenge, Schroeder said. "Assuming it is genuine, it represents an as-yet-unknown local privilege escalation that would allow any local user to gain root-level access," he said. This could be a serious issue for any setting with shared machines, such as schools, he said.
It could also pose a problem for Web hosting providers that use Apple Computer's operating system, said Johannes Ullrich, chief research officer at SANS Institute. Customers on shared machines need access to update their Web sites. A privilege escalation flaw could let a malicious user with such access gain full control over a system, he said.
The hacker challenges come after weeks of scrutiny of the safety of OS X, prompted by the discovery of two worms, and the disclosure of a vulnerability that was deemed "extremely critical" by security monitoring company Secunia. Security experts are also questioning the effectiveness of Apple's latest patch.
Schroeder plans to sift through the log files of the Mac and publish anything interesting, he said in the phone interview. "I know it is disappointing that it will be ending early to a lot of people."
Earlier Tuesday, Schroeder said that most of the hacking attempts were from scripts and tools attempting to use common Web exploits, dictionary attacks against SSH, port scans and scans by security tools such as Nessus. On Tuesday morning the site was down briefly due to a denial-of-service attack, he said.
The person who does successfully hack Schroeder's Mac Mini is requested to send him an e-mail describing the attack. Schroeder plans to report that to the appropriate software vendors and will post results after the close of the challenge, he said.
43 commentsJoin the conversation! Add your comment