Gaining root access to a Mac is "easy pickings," according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability.
On Feb. 22, the Sweden-based Mac enthusiast set up his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.
Participants were given local client access to the target computer and invited to try their luck.
Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later, this poor little Mac was owned, and this page got defaced."
The hacker who won the challenge, who asked ZDNet Australia to identify him only as "Gwerdna," said he gained root control of the Mac in less than 30 minutes.
"It probably took about 20 or 30 minutes to get root on the box. Initially, I tried looking around the box for certain misconfigurations and other obvious things, but then I decided to use some unpublished exploits--of which there are a lot for Mac OS X," Gwerdna told ZDNet Australia.
According to Gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple Computer.
"The rm-my-mac challenge was set up similar to how you would have a Mac acting as a server--with various remote services running and local access to users...There are various Mac OS X-hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access. There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches--good examples for Linux are the PaX patch and the Grsecurity patches. They provide numerous hardening options on the system and implement nonexecutable memory, which prevent memory-based corruption exploits," Gwerdna said.
Gwerdna concluded that OS X contains "easy pickings" when it comes to vulnerabilities that could allow hackers to break into Apple's operating system.
"Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders," Gwerdna added.
In January, security researcher Neil Archibald, who has already been credited with finding numerous vulnerabilities in OS X, told ZDNet Australia that he knows of numerous security vulnerabilities in Apple's operating system that could be exploited by attackers.
"The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common Unix platforms...If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems," Archibald said at the time.
An Apple Australia representative said on Monday that the company was unable to comment at this stage. Representatives at Apple's Cupertino, Calif., headquarters could not be reached for comment.
All that we hear in the last few weeks are OS X viruses/trojans, bugs, security holes, hacks and "late" security updates!! Apple seriously need to do a security review like what M$ did a few years back.
You might want to add to the headline the fact that the contest's first step involved setting up a valid user account on the system, a process which the contest designer helpfully opened up to the public. For this to mean something I would really like to see the same contest results based upon a system where the user accounts must be hacked first.
God, when will people get over the fact that OSX is - by its very nature - extremely secure and stop jumping on every, half-assed, unproved "hacking" of an OSX system.
From what I can see on the RM My Mac web site, not only was root turned on (why would you do that unless you wanted a mountain of trouble, you sure as hell don't *need* to do it to run the machine) but the guy setting the "challenge" turned every single service on to make the job easier.
And isn't it funny that the hacker who "cracked" the machine did so with an exploit he won't outline, the web site appears to be enjoying that it was "cracked" so easily (would a real Mac user be joyful about this?) and - yet again - we get the old "well, if you had decent market share you'd be toast" argument, as if successfully proving you've hacked an OS deemed to be one of the most secure wouldn't be incentive enough?
Please can c|net et al stop printing these "half stories" until something real happens.
This just reminds us once again, that there is no such thing as perfect...
--
"If you think you know everything, you should know about http://www.enthem.com by now"
It's unfortunate that people will just read this headline and assume it means something.
MY HOUSE WAS ROBBED IN THIRTY SECONDS!!
Oh yeah... forgot to mention that I unlocked my front gate and left a pile of front-door keys there next to my "please try to rob me" sign. So really the robber only had to figure out where my cookie-jar was. But still, I got ROBBED IN 30 SECONDS! Oh no!
However, it still beats the crap out of windows any day of the week when it comes to security. And as another user noted, the would-be hacker was given an SSH login and the Mac was set up as a server. By default, Macs do NOT enable SSH (remote login) or httpd (web server). This machine was hacked because it was set up to be hacked. End of non-issue.
The owner running the mini allowed you to create an account using a web page which you could then log into using SSH. Obviously this is not a situation a normal user would run into. The fact that he allowed others to have access to the mini is just stupid and proves that this is nothing other than someone trying to get attention.
From the Owner's website: "That's why I set up an LDAP server and linked it to the Macs naming and authentication services, to let people add their own account to this machine. That way, they will all be able to enjoy the beauty of Mac OS X Tiger. And, of course, get a better chance of rm'ing it!"
I have to agree with most Apple fans that this doesn't really constitute a good example of Mac's insecurity.
I would like to see a reputable security firm or group set up a Mac, Windows, Linux, Unix, and BSD system. Configure it the way a good administrator would. Then ask hackers to break into it.
Then have them detail how they did it and how long it took. It must be repeatable. After that we would have a better view of how easy or hard those systems are to break. Of course in reality it doesn't really make much difference because OS's change regularly so vulnerability changes regularly.
This is being reported as news with no validation. A reputable third party (not an AV manufacturer) needs to set up the machine and then there needs to be a detailed explanation for the intrusion.
Two nobodies and a contest where the winner used "unpublished weaknesses" do not a valid story make.
This seems to be a very real world test to me. If any of the users who have accounts on a network gained root access to the server, the world would come to an end. This is true on any network. Networks have users. If you test without user accounts, you have left out a real life variable. Services must also be turned on in a real life situation. The Mac OS has a security flaw. Fix it and move on. I know this will come as a shock to many Mac users but Macs aren't perfect. No computer ever was and no computer ever will be. The sun will still come up tomorrow.
OS X is essentially the most successful gui to be placed upon a Unix-type kernel. There's bound to be some bugs and vulnerabilities but they will be very few compared to the amount to be found in any Windows environment.
This contest was essentially 'rigged' from the beginning and used the Mac OS X, essentially a single user version, in some extended and non-standard ways to achieve a desired result. Would the same have happened with OS X server?
Also OS X itself has very few of its own services open to networks and most of its networking is taken care of by open source networking apps: Apache, SAMBA, SSH etc., so it benefits from many eyes and much peer review.
If the supposed "undocumented vulnerability" exploited in this case, turns out to be legitimate and becomes discussed openly, it will probably turn out to be something that has been overlooked at the local gui level and will be patched very quickly. But this story has too little information and too much hype to be believed and seems to be bent upon spreading nothing more than FUD.
The University of Wisconsin is answering with a similar challenge which you can read about here: http://test.doit.wisc.edu/
Let's all watch and see what happens. Let's get some real facts on OS X security for a change.
Dave Schroeder at the University of Wisconsin has set up a more realistic security challenge: simply alter a web page on a machine that is configured more like a normal machine.
He does leave ssh and http open, which most consumer Macs will not have open. Unlike the "hacked in 30 minutes" machine, potential hackers will not be given a user account on the machine itself.
This is a far more realistic challenge. The Mac that was hacked in this article was *not* hacked simply by being connected to the internet -- it was done locally, essentially, since the hackers were given accounts to ssh into the machine.
How about someone run a security challenge for XP? Give someone an account on the machine and see how long it takes for that person to bring the machine down.
This "experiment" was a sham. The "hacker" was given access to an SSH account. He was already logged into the system when he "hacked" the web page. This is a non-event. Every shipping Mac has SSH disabled and its web server disabled. This is another sensationalist story about Mac OS X and security.
Remember -- OSX wasn't available in 1999, even as a public beta. But the Army DID switch to the Mac then, and they're using OSX Server now. It's just unfortunate that Apple doesn't note the original switch was to OS9.
This is yet another reason why Apple should have based their 10 operating system on BeOS. So sad the move was decided on by politics instead of good ideas.
As advanced as BeOS was, it was not ready to fill Mac OS's shoes, at least in terms of backwards compatibility.
Also, with the NeXT acquisition came the return of Steve Jobs. This, more than anything else, has been the MOST influential element of Apple's rebirth and renaissance. No argument there. With Be, who would they have got?? Jean-Louis Gassée??! PASS!!
The proof is in the pudding. Mac OS X is awesome. There is very little wrong with Apple's products and ongoing strategies for the past several years. The company implemented several MAJOR transitions (68000x0 CPU->PPC, Mac OS Classic->OS X, PowerPC->x86) with each one better than the last and they've never executed as well as they are right now. Thank Steve Jobs for that.
The machine was set up to be hacked. No story here.
The would-be hacker was given an SSH account (remote login) and the Mac was set up as a server to be hacked. As another user noted, default setup on all non-server Macs does NOT enable SSH (the remote login service Secure Shell that was used by the would-be hacker). The fact remains that OS X still beats all available windows operating systems hands down any day of the week when it comes to security.
If you set up any machine to be hacked and someone hacks it, how is this news?
This is the most stupid comment I have heard. It would have made more sense if you had said: A 13-year-old hacks into a Honda Civic's computer, gets full "root level" access and then drives the car into a pole destroying the car, which would make Honda as vulnerable as Mac OS X. Moral of this example, thank goodness cars don't run on Mac OS X ;)
If that's the result of this story, to drive down Apple's stock price, then go for it. I want to buy some more.
Only joking - I find the stock manipulation techniques of wall street and financial reporters heinous. Yet another example of one technique used to do this... http://news.com.com/2008-1030-6046300.html?tag=yt
Certainly this article could be classed as an attempt to do this since it is almost criminal that they don't mention anywhere in the article that this machine was set up to be hacked by giving hackers the ability to create user accounts and thereby hack from within, whereas no other Mac on the internet provides that access, or has that vulnerability. Read here for more info: http://test.doit.wisc.edu/
Accusing a company or person of stock pumping is a VERY serious accusation...do you have any evidence vis-a-vis C:net's trading positions? If not, you may wish to rethink such statements.
Do you work for Apple or do you have an interest in maintaining its stock price? Because you've spent your time posting 2 sentence accusatory comments lacking any substance. Is that the work of a chicken with his head cut off or an interested party?
Normal people don't set up their computers for hacking!
I have been using OS X for about a year. No anti-spyware software, no extra security software- and I have not experienced any problems such as viruses, hackers, or spyware. As a matter of fact, I have not had any problems.
Apple seriously need to do a security review like what M$ did a few years back.
By WHOM? 3rd party security companies that have proven to hack Windows time and time again?
HAH...
go check it out for yourself....
http://rm-my-mac.wideopenbsd.org.nyud.net:8090/
Just ignore him and he'll go away.
like all cars can be pimped.
So please stop publishing reports that state the obvious and
then try to feed it to the masses as a "SHOCKER".
Here, let me help you with your next FUD:
Mac OS X can get viruses and worms...and spyware...just like any
other computer.
What is 8 seconds referring to? The last record break in to a patched OS X computer? lol
Continue crying Mac Zealots as OS X is handily violated.
happened - it's just someone posting a website entry saying it
happened.
Come on guys, what happened to "don't believe everything you
read"?
Really, maybe you should title your "news" article "Mac OS X
allegedly hacked in under 30 minutes". Then you'd have a story.
A nice fluff piece.
I wonder how it has stayed online?
http://toolbar.netcraft.com/site_report?url=http://www.army.mil
from hacking into some unknown system.
But the Army DID switch to the Mac then, and they're using OSX
Server now. It's just unfortunate that Apple doesn't note the
original switch was to OS9.
http://www.apple.com/itpro/profiles/army/
managed to wreck the 2006 Honda Civic by ramming it into a
telephone pole.
This proves the Honda Civic is less safe than previously imagined.
year-old used an undisclosed technique to reach the pedals.
Proof positive. Bad Honda, everyone should buy Ford instead.
Hurry news.com, the market closes in 15 minutes!