March 6, 2006 6:38 PM PST

Winner mocks OS X hacking contest

Related Stories

Mac OS flaw exposes Apple users

February 21, 2006

Bluetooth worm targets Mac OS X

February 17, 2006

New worm targets Apple chat users

February 16, 2006
A clarification was made to this story. Read below for details.

update Gaining root access to a Mac is "easy pickings," according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability.

On Feb. 22, the Sweden-based Mac enthusiast set up his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

Participants were given local client access to the target computer and invited to try their luck.

Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later, this poor little Mac was owned, and this page got defaced."

The hacker who won the challenge, who asked ZDNet Australia to identify him only as "Gwerdna," said he gained root control of the Mac in less than 30 minutes.

"It probably took about 20 or 30 minutes to get root on the box. Initially, I tried looking around the box for certain misconfigurations and other obvious things, but then I decided to use some unpublished exploits--of which there are a lot for Mac OS X," Gwerdna told ZDNet Australia.

According to Gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple Computer.

"The rm-my-mac challenge was set up similar to how you would have a Mac acting as a server--with various remote services running and local access to users...There are various Mac OS X-hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access. There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches--good examples for Linux are the PaX patch and the Grsecurity patches. They provide numerous hardening options on the system and implement nonexecutable memory, which prevent memory-based corruption exploits," Gwerdna said.

Gwerdna concluded that OS X contains "easy pickings" when it comes to vulnerabilities that could allow hackers to break into Apple's operating system.

"Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders," Gwerdna added.

Apple's OS X has come under fire in recent weeks with the appearance of two viruses and a number of serious security flaws, which have since been patched by the Mac maker.

In January, security researcher Neil Archibald, who has already been credited with finding numerous vulnerabilities in OS X, told ZDNet Australia that he knows of numerous security vulnerabilities in Apple's operating system that could be exploited by attackers.

"The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common Unix platforms...If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems," Archibald said at the time.

An Apple Australia representative said on Monday that the company was unable to comment at this stage. Representatives at Apple's Cupertino, Calif., headquarters could not be reached for comment.

Munir Kotadia of ZDNet Australia reported from Sydney.

 

Clarification: The story has been updated to clarify that participants were given local client access to the target computer.

See more CNET content tagged:
Apple Mac OS X, vulnerability, hacking, Apple Macintosh, Apple Intel Mac Mini

77 comments

Join the conversation!
Add your comment
Is the World coming to the end?
All that we hear in the last few weeks are OS X viruses/trogens, bugs, security holes, hacks and "late" security updates!!
Apple seriously need to do a security review like what M$ did a few years back.
Posted by kish829 (1 comment )
Reply Link Flag
Review?
WHAT review?

By WHOM? 3rd party security companies that have proven to hack Windows time and time again?

HAH...
Posted by `WarpKat (275 comments )
Link Flag
re: Mac OS Hacked
You might want to add to the headline the fact that the contest's
first step involved setting up a valid user account on the system, a
process which the contest designer helpfully opened up to the
public. For this to mean something I would really like to see the
same contest results based upon a system where the user accounts
must be hacked first.

Mike
Posted by mike_ohanlon (2 comments )
Reply Link Flag
It's really quite pathetic
God, when will people get over the fact that OSX is - by its very
nature - extremely secure and stop jumping on every, half-
assed, unproved "hacking" of an OSX system.

From what I can see on the RM My Mac web site, not only was
root turned on (why would you do that unless you wanted a
mountain of trouble, you sure as hell don't *need* to do it to run
the machine) but the guy setting the "challenge" turned every
single service on to make the job easier.

And isn't it funny that the hacker who "cracked" the machine did
so with an exploit he won't outline, the web site appears to be
enjoying that it was "cracked" so easily (would a real Mac user be
joyful about this?) and - yet again - we get the old "well, if you
had decent market share you'd be toast" argument, as if
successfully proving you've hacked an OS deemed to be one of
the most secure wouldn't be incentive enough?

Please can c|net et al stop printing these "half stories" until
something real happens.

TIA
RB
Posted by ross brown--2008 (57 comments )
Link Flag
Bill Gates will be laughing about this one...
This just reminds us once again, that there is no such thing as perfect...

--

"If you think you know everything, you should know about <a class="jive-link-external" href="http://www.enthem.com" target="_newWindow">http://www.enthem.com</a> by now"
Posted by stansoft (16 comments )
Reply Link Flag
SO MUCH FOR JOURNALISM :-(
It's unfortunate that people will just read this headline and assume it means something.

MY HOUSE WAS ROBBED IN THIRTY SECONDS!!

Oh yeah... forgot to mention that I unlocked my front gate and left a pile of front-door keys there next to my "please try to rob me" sign. So really the robber only had to figure out where my cookie-jar was. But still, I got ROBBED IN 30 SECONDS! Oh no!
Posted by open-mind (1027 comments )
Link Flag
Nobody ever said OS X was/is perfect.
However, it still beats the crap out of windows any day of the week when it comes to security. And as another user noted, the would-be hacker was given an SSH login and the Mac was setup as a server. By default, Macs do NOT enable SSH (remote login) or httpd (web server). This machine was hacked because it was set up to be hacked. End of non-issue.
Posted by Chrisnwokc (13 comments )
Link Flag
enthem
Enthem is really cool nice idea. All the best. Probably i would write an Enthem for Enthem.
Posted by itispals (56 comments )
Link Flag
Dont be fooled...
The owner running the mini allowed you to create an account
using a wab page which you could then log into using SSH.
Obviously this is not a situation a normal user would run into.
They fact that he allowed others to have access to the mini is
just stupid and proves that this is nothing other than someone
trying to get attention.

From the Owner's website: "That's why I set up an LDAP server
and linked it to the Macs naming and authentication services, to
let people add their own account to this machine. That way, they
will all be able to enjoy the beauty of Mac OS X Tiger. And, of
course, get a better chance of rm'ing it!"

go check it out for yourself....

<a class="jive-link-external" href="http://rm-my-mac.wideopenbsd.org.nyud.net:8090/" target="_newWindow">http://rm-my-mac.wideopenbsd.org.nyud.net:8090/</a>
Posted by (4 comments )
Reply Link Flag
No don't check it out.
Don't give the idiot any page hits.

Just ignore him and he'll go away.
Posted by privatec (75 comments )
Link Flag
FUD, 30 minutes is still better than 8 seconds for PC
Of course all computers OSs are hackable...OF COURSE! Much
like all cars can be pimped.


So please stop publishing reports that state the obvious and
then try to feed it to the masses as a "SHOCKER".


Here, let me help you with your next FUD:

Mac OS X can get viruses and worms...and spyware...just like any
other computer.
Posted by Tobyhamilton (4 comments )
Reply Link Flag
Sorry, not FUD, OS X too insecure
30 minutes is better than 8 seconds except for the fact that no fully patched Win 2000/XP/2003 pc can be hacked in 30 minutes or 8 seconds.

What is 8 seconds referring to? The last record break in to a patched OS X computer? lol

Continue crying Mac Zealots as OS X is hadily violated.
Posted by Maxwell Studly (97 comments )
Link Flag
Hackin' a Mac.
I have to agree with most Apple fans that this doesn't really constitute a good example of Mac's insecurity.

I would like to see a reputable security firm or group setup a Mac, Windows, Linux, Unix, and BSD system. Configure it the way a good administrator would. Then ask hacker to break into it.

Then have them detail how they did it and how long it took. It must be repeatable. After that we would have a better view of how easy or hard those systems are to break. Of course in reality it doesn't really make much difference because OS's change regularly so vulnerability changes regularly.
Posted by System Tyrant (1453 comments )
Reply Link Flag
My Thoughts Exactly
This is being reported as news with no validation. A reputable
third party (not an AV manufacturer) needs to set up the
machine and then there needs to be a detailed explanation for
the intrusion.

Two nobodies and a contest where the winner used
"unpublished weaknesses" do not a valid story make.
Posted by djemerson (64 comments )
Link Flag
Denial isn't a river in Egypt
This seems to be a very real world test to me. If any of the users who have accounts on a network gained root access to the server, the world would come to an end. This is true on any network. Networks have users. If you test without user accounts, you have left out a real life variable. Services must also be turned on in a real life situation. The Mac OS has a security flaw. Fix it and move on. I know this will come as a shock to many Mac users but Macs aren't perfect. No computer ever was and no computer ever will be. The sun will still come up tomorrow.
Posted by picklesdaddy (6 comments )
Reply Link Flag
Except that...
... I don't know any Mac user who has the root account enabled.
Posted by privatec (75 comments )
Link Flag
Also it was OS X not OS X Server
OS X is essentially the most successful gui to be placed upon a
Unix-type kernel. There's bound to be some bugs and
vulnerabilities but they will be very few compared to the amount
to be found in any Windows environment.

This contest was essentially 'rigged' from the beginning and
used the Mac OS X, essentially a single user version, in some
extended and non-standard ways to achieve a desired result.
Would the same have happened with OS X server?

Also OS X itself has very few of its own services open to
networks and most of it's networking is taking care of by open
source networking apps: Apache, SAMBA, SSH etc., so it benefits
from many eyes and much peer review.

If the supposed "undocumented vulnerability' exploited in this
case, turns out to be legitimate and becomes discussed openly,
it will probably turn out to be something that has been
overlooked at the local gui level and will be patched very quickly.
But this story has too little information and too much hype to be
believed and seems to be bent upon spreading nothing more
than FUD.

The University of Wisconsin is answering with a similar challenge
which you can read about here: <a class="jive-link-external" href="http://test.doit.wisc.edu/" target="_newWindow">http://test.doit.wisc.edu/</a>

Let's all watch and see what happens. Let's get some real facts
on OS X security for a change.
Posted by lenrooney (42 comments )
Link Flag
A new security challenge
Dave Schroeder at the University of Wisconsin has set up a more
realistic security challege: simply alter a web page on a machine
that is configured more like a normal machine.

<a class="jive-link-external" href="http://test.doit.wisc.edu/" target="_newWindow">http://test.doit.wisc.edu/</a>

He does leave ssh and http open, which most consumer Macs
will not have open. Unlike the "hacked in 30 minutes" machine,
potential hackers will not be given a user account on the
machine itself.

This is a far more realistic challenge. The Mac that was hacked
in this article was *not* hacked simply by being connected to the
internet -- it was done locally, essentially, since the hackers
were given accounts to ssh into the machine.

How about someone run a security challenge for XP? Give
someone an account on the machine and see how long it takes
for that person to bring the machine down.
Posted by Thrudheim (306 comments )
Reply Link Flag
We don't even know for sure it happened.
There's been no verification because the guy won't say how it
happened - it's just someone posting a website entry saying it
happened.

Come on guys, what happened to "don't believe everything you
read"?
Posted by privatec (75 comments )
Link Flag
Another Non-Story
This "experiment" was a sham. The "hacker" was given access to an
SSH account. He was already logged into the system when he
"hacked" the web page. This is a non-event. Every shipping Mac
has SSH disabled and its web server disabled. This is another
sensationalist story about Mac OS X and security.
Posted by (2 comments )
Reply Link Flag
But Was He Able to Install Windows??!!
*yawn*

Really, maybe you should title your "news" article "Mac OS X
allegedly hacked in under 30 minutes". Then you'd have a story.
A nice fluff piece.
Posted by djemerson (64 comments )
Reply Link Flag
Kinda surprising considering arml.mil's record
www.army.mil claims it is attacked "hundreds" of times a day, but hasn't been compromised since it switched from NT4 to OSX in 1999.

I wonder how it has stayed online?

<a class="jive-link-external" href="http://toolbar.netcraft.com/site_report?url=http://www.army.mil" target="_newWindow">http://toolbar.netcraft.com/site_report?url=http://www.army.mil</a>
Posted by rcrusoe (1305 comments )
Reply Link Flag
Kinda surprising considering army.mil's record
www.army.mil claims it is attacked "hundreds" of times a day, but hasn't been compromised since it switched from NT4 to OSX in 1999.

I wonder how it has stayed online?

<a class="jive-link-external" href="http://toolbar.netcraft.com/site_report?url=http://www.army.mil" target="_newWindow">http://toolbar.netcraft.com/site_report?url=http://www.army.mil</a>
Posted by rcrusoe (1305 comments )
Reply Link Flag
Army.mil doesn't give out user accounts.
Escalating priveleges from a user account is completely different
from hacking into some unknown system.
Posted by Macsaresafer (802 comments )
Link Flag
OS9, not OSX
Remember -- OSX wasn't available in 1999, even as a public beta.
But the Army DID switch to the Mac then, and they're using OSX
Server now. It's just unfortunate that Apple doesn't note the
original switch was to OS9.

<a class="jive-link-external" href="http://www.apple.com/itpro/profiles/army/" target="_newWindow">http://www.apple.com/itpro/profiles/army/</a>
Posted by JoeCrow (83 comments )
Link Flag
yet another reason for BeOS
This is yet another reason why Apple should have based their 10
operating system on BeOS. So sad the move was decided on by
politics instead of good ideas.
Posted by Hobyx (24 comments )
Reply Link Flag
BeReal
As advanced as BeOS was, it was not ready to fill Mac OS's shoes,
at least in terms of backwards compatibility.

Also, with the NeXT acquisition came the return of Steve Jobs.
This, more than anything else, has been the MOST influential
element of Apple's rebirth and renaissance. no argument there.
With Be, who would they have got?? Jean Louis Gasse??! PASS!!

The proof is in the pudding. Mac OS X is awesome. There is very
little wrong with Apple's products and ongoing strategies for the
past several years. The company implemented several MAJOR
transitions (68000x0 CPU-&gt;PPC, Mac OS Classic-&gt;OS X,
PowerPC-&gt;x86) with each one better than the last and they've
never executed as well as they are right now. Thank Steve jobs
for that.
Posted by MacDuff (62 comments )
Link Flag
The machine was set up to be hacked. No story here.
The would-be hacker was given an SSH account (remote login) and the Mac was set up as a server to be hacked. As another user noted, default setup on all non-server Macs does NOT enable SSH (the remote login service Secure Shell that was used by the would-be hacker). The fact remains that OS X still beats all available windows operating systems hands down any day of the week when it comes to security.

If you set up any machine to be hacked and someone hacks it, how is this news?
Posted by Chrisnwokc (13 comments )
Reply Link Flag
Honda crashes after 30 mins...
After keys were openly offered to any passers by, a 13-year-old
managed to wreck the 2006 Honda Civic by ramming it into a
telephone pole.

This proves the Honda Civic is less safe than previously imagined.
Posted by shanewalker (57 comments )
Reply Link Flag
what???
This is the most stupid comment I have heard. It would have made more sense if you had said. A 13 year old hacks into a Honda Civics computer, gets full "root level" access and then drives the car into a pole destroying the car, which would make Honda as vulnerable as Mac OS X. Moral of this example, thank goodness cars don't run on Mac OS X ;)
Posted by FutureGuy (742 comments )
Link Flag
Future Guy does not understand SSH
If he did, he would also understand your car analogy.
Posted by open-mind (1027 comments )
Link Flag
Don't forget...
... that your accident report is unsubstantiated and that the 13
year-old used an undisclosed technique to reach the pedals.

Proof positive. Bad Honda, everyone should buy Ford instead.
Posted by privatec (75 comments )
Link Flag
NEWS.COM Stock Fraud
Maybe news.com is deliberately spreading this bogus story just to drive down AAPL. Seems to be working.

Hurry news.com, the market closes in 15 minutes!
Posted by open-mind (1027 comments )
Reply Link Flag
If that's the case, go for it!
If that's the result of this story, to drive down Apple's stock price, then go for it. I want to buy some more.

Only joking - I find the stock manipulation techniques of wall street and financial reporters heinous. Yet another example of one technique used to do this...
<a class="jive-link-external" href="http://news.cbsi.com/2008-1030-6046300.html?tag=yt" target="_newWindow">http://news.cbsi.com/2008-1030-6046300.html?tag=yt</a>

Certainly this article could be classed as an attempt to do this since it is almost criminal that they don't mention anywhere in the article that this machine was setup to eb hacked by giving hackers the ability to create user accounts and thereby hack form within, whereas no other Mac on the internet provides that access, or has that vulnerability.- read here for more info: <a class="jive-link-external" href="http://test.doit.wisc.edu/" target="_newWindow">http://test.doit.wisc.edu/</a>
Posted by gpenglase (87 comments )
Link Flag
Yikes
Accusing a company or person of stock pumping is a VERY serious accusation...do you have any evidence vis-a-vis C:net's trading positions? If not, you may wish to rethink such statements.
Posted by KsprayDad (375 comments )
Link Flag
Do you work for Apple or something?
Do you work for Apple or do you have an interest in maintaining its stock price? Because you've spent your time posting 2 sentence accusatory comments lacking any substance. Is that the work of a chicken with his head cut off or an interested party?
Posted by nhandler (79 comments )
Link Flag
Normal people don't set up their computers for hacking!
I have been using OS X for about a year. No anti-spyware software,
no extra security software- and I have not experienced any
problems such as viruses, hackers, or spyware. As a matter of fact,
I have not had any problems.
Posted by TravisHB (11 comments )
Reply Link Flag
So what's the point...
..I run XP and it has never been hacked or have any spyware/viruses on it.
Posted by FutureGuy (742 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.