Winner mocks OS X hacking contest

A clarification was made to this story. Read below for details.

update Gaining root access to a Mac is "easy pickings," according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability.

On Feb. 22, the Sweden-based Mac enthusiast set up his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

Participants were given local client access to the target computer and invited to try their luck.

Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later, this poor little Mac was owned, and this page got defaced."

The hacker who won the challenge, who asked ZDNet Australia to identify him only as "Gwerdna," said he gained root control of the Mac in less than 30 minutes.

"It probably took about 20 or 30 minutes to get root on the box. Initially, I tried looking around the box for certain misconfigurations and other obvious things, but then I decided to use some unpublished exploits--of which there are a lot for Mac OS X," Gwerdna told ZDNet Australia.

According to Gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple Computer.

"The rm-my-mac challenge was set up similar to how you would have a Mac acting as a server--with various remote services running and local access to users...There are various Mac OS X-hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access. There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches--good examples for Linux are the PaX patch and the Grsecurity patches. They provide numerous hardening options on the system and implement nonexecutable memory, which prevent memory-based corruption exploits," Gwerdna said.

Gwerdna concluded that OS X contains "easy pickings" when it comes to vulnerabilities that could allow hackers to break into Apple's operating system.

"Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders," Gwerdna added.

Apple's OS X has come under fire in recent weeks with the appearance of two viruses and a number of serious security flaws, which have since been patched by the Mac maker.

In January, security researcher Neil Archibald, who has already been credited with finding numerous vulnerabilities in OS X, told ZDNet Australia that he knows of numerous security vulnerabilities in Apple's operating system that could be exploited by attackers.

"The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common Unix platforms...If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems," Archibald said at the time.

An Apple Australia representative said on Monday that the company was unable to comment at this stage. Representatives at Apple's Cupertino, Calif., headquarters could not be reached for comment.

Munir Kotadia of ZDNet Australia reported from Sydney.

 

Clarification: The story has been updated to clarify that participants were given local client access to the target computer.

[kish829]

Is the World coming to the end?

All that we hear in the last few weeks are OS X viruses/trogens, bugs, security holes, hacks and "late" security updates!!
Apple seriously need to do a security review like what M$ did a few years back.

[`WarpKat]

Review?

WHAT review?

By WHOM? 3rd party security companies that have proven to hack Windows time and time again?

HAH...

[mike_ohanlon]

re: Mac OS Hacked

You might want to add to the headline the fact that the contest's
first step involved setting up a valid user account on the system, a
process which the contest designer helpfully opened up to the
public. For this to mean something I would really like to see the
same contest results based upon a system where the user accounts
must be hacked first.

Mike

[ross brown--2008]

It's really quite pathetic

God, when will people get over the fact that OSX is - by its very
nature - extremely secure and stop jumping on every, half-
assed, unproved "hacking" of an OSX system.

From what I can see on the RM My Mac web site, not only was
root turned on (why would you do that unless you wanted a
mountain of trouble, you sure as hell don't *need* to do it to run
the machine) but the guy setting the "challenge" turned every
single service on to make the job easier.

And isn't it funny that the hacker who "cracked" the machine did
so with an exploit he won't outline, the web site appears to be
enjoying that it was "cracked" so easily (would a real Mac user be
joyful about this?) and - yet again - we get the old "well, if you
had decent market share you'd be toast" argument, as if
successfully proving you've hacked an OS deemed to be one of
the most secure wouldn't be incentive enough?

Please can c|net et al stop printing these "half stories" until
something real happens.

TIA
RB

[stansoft]

Bill Gates will be laughing about this one...

This just reminds us once again, that there is no such thing as perfect...

--

"If you think you know everything, you should know about http://www.enthem.com by now"

[open-mind]

SO MUCH FOR JOURNALISM :-(

It's unfortunate that people will just read this headline and assume it means something.

MY HOUSE WAS ROBBED IN THIRTY SECONDS!!

Oh yeah... forgot to mention that I unlocked my front gate and left a pile of front-door keys there next to my "please try to rob me" sign. So really the robber only had to figure out where my cookie-jar was. But still, I got ROBBED IN 30 SECONDS! Oh no!

[Chrisnwokc]

Nobody ever said OS X was/is perfect.

However, it still beats the crap out of windows any day of the week when it comes to security. And as another user noted, the would-be hacker was given an SSH login and the Mac was setup as a server. By default, Macs do NOT enable SSH (remote login) or httpd (web server). This machine was hacked because it was set up to be hacked. End of non-issue.

[itispals]

enthem

Enthem is really cool nice idea. All the best. Probably i would write an Enthem for Enthem.

Dont be fooled...

The owner running the mini allowed you to create an account
using a wab page which you could then log into using SSH.
Obviously this is not a situation a normal user would run into.
They fact that he allowed others to have access to the mini is
just stupid and proves that this is nothing other than someone
trying to get attention.

From the Owner's website: "That's why I set up an LDAP server
and linked it to the Macs naming and authentication services, to
let people add their own account to this machine. That way, they
will all be able to enjoy the beauty of Mac OS X Tiger. And, of
course, get a better chance of rm'ing it!"

go check it out for yourself....

http://rm-my-mac.wideopenbsd.org.nyud.net:8090/

[privatec]

No don't check it out.

Don't give the idiot any page hits.

Just ignore him and he'll go away.

[Tobyhamilton]

FUD, 30 minutes is still better than 8 seconds for PC

Of course all computers OSs are hackable...OF COURSE! Much
like all cars can be pimped.


So please stop publishing reports that state the obvious and
then try to feed it to the masses as a "SHOCKER".


Here, let me help you with your next FUD:

Mac OS X can get viruses and worms...and spyware...just like any
other computer.

[Maxwell Studly]

Sorry, not FUD, OS X too insecure

30 minutes is better than 8 seconds except for the fact that no fully patched Win 2000/XP/2003 pc can be hacked in 30 minutes or 8 seconds.

What is 8 seconds referring to? The last record break in to a patched OS X computer? lol

Continue crying Mac Zealots as OS X is hadily violated.

[System Tyrant]

Hackin' a Mac.

I have to agree with most Apple fans that this doesn't really constitute a good example of Mac's insecurity.

I would like to see a reputable security firm or group setup a Mac, Windows, Linux, Unix, and BSD system. Configure it the way a good administrator would. Then ask hacker to break into it.

Then have them detail how they did it and how long it took. It must be repeatable. After that we would have a better view of how easy or hard those systems are to break. Of course in reality it doesn't really make much difference because OS's change regularly so vulnerability changes regularly.

[djemerson]

My Thoughts Exactly

This is being reported as news with no validation. A reputable
third party (not an AV manufacturer) needs to set up the
machine and then there needs to be a detailed explanation for
the intrusion.

Two nobodies and a contest where the winner used
"unpublished weaknesses" do not a valid story make.

[picklesdaddy]

Denial isn't a river in Egypt

This seems to be a very real world test to me. If any of the users who have accounts on a network gained root access to the server, the world would come to an end. This is true on any network. Networks have users. If you test without user accounts, you have left out a real life variable. Services must also be turned on in a real life situation. The Mac OS has a security flaw. Fix it and move on. I know this will come as a shock to many Mac users but Macs aren't perfect. No computer ever was and no computer ever will be. The sun will still come up tomorrow.

[privatec]

Except that...

... I don't know any Mac user who has the root account enabled.

[lenrooney]

Also it was OS X not OS X Server

OS X is essentially the most successful gui to be placed upon a
Unix-type kernel. There's bound to be some bugs and
vulnerabilities but they will be very few compared to the amount
to be found in any Windows environment.

This contest was essentially 'rigged' from the beginning and
used the Mac OS X, essentially a single user version, in some
extended and non-standard ways to achieve a desired result.
Would the same have happened with OS X server?

Also OS X itself has very few of its own services open to
networks and most of it's networking is taking care of by open
source networking apps: Apache, SAMBA, SSH etc., so it benefits
from many eyes and much peer review.

If the supposed "undocumented vulnerability' exploited in this
case, turns out to be legitimate and becomes discussed openly,
it will probably turn out to be something that has been
overlooked at the local gui level and will be patched very quickly.
But this story has too little information and too much hype to be
believed and seems to be bent upon spreading nothing more
than FUD.

The University of Wisconsin is answering with a similar challenge
which you can read about here: http://test.doit.wisc.edu/

Let's all watch and see what happens. Let's get some real facts
on OS X security for a change.

[Thrudheim]

A new security challenge

Dave Schroeder at the University of Wisconsin has set up a more
realistic security challege: simply alter a web page on a machine
that is configured more like a normal machine.

http://test.doit.wisc.edu/

He does leave ssh and http open, which most consumer Macs
will not have open. Unlike the "hacked in 30 minutes" machine,
potential hackers will not be given a user account on the
machine itself.

This is a far more realistic challenge. The Mac that was hacked
in this article was *not* hacked simply by being connected to the
internet -- it was done locally, essentially, since the hackers
were given accounts to ssh into the machine.

How about someone run a security challenge for XP? Give
someone an account on the machine and see how long it takes
for that person to bring the machine down.

[privatec]

We don't even know for sure it happened.

There's been no verification because the guy won't say how it
happened - it's just someone posting a website entry saying it
happened.

Come on guys, what happened to "don't believe everything you
read"?

Another Non-Story

This "experiment" was a sham. The "hacker" was given access to an
SSH account. He was already logged into the system when he
"hacked" the web page. This is a non-event. Every shipping Mac
has SSH disabled and its web server disabled. This is another
sensationalist story about Mac OS X and security.

[djemerson]

But Was He Able to Install Windows??!!

*yawn*

Really, maybe you should title your "news" article "Mac OS X
allegedly hacked in under 30 minutes". Then you'd have a story.
A nice fluff piece.

[rcrusoe]

Kinda surprising considering arml.mil's record

www.army.mil claims it is attacked "hundreds" of times a day, but hasn't been compromised since it switched from NT4 to OSX in 1999.

I wonder how it has stayed online?

http://toolbar.netcraft.com/site_report?url=http://www.army.mil

[rcrusoe]

Kinda surprising considering army.mil's record

www.army.mil claims it is attacked "hundreds" of times a day, but hasn't been compromised since it switched from NT4 to OSX in 1999.

I wonder how it has stayed online?

http://toolbar.netcraft.com/site_report?url=http://www.army.mil

[Macsaresafer]

Army.mil doesn't give out user accounts.

Escalating priveleges from a user account is completely different
from hacking into some unknown system.

[JoeCrow]

OS9, not OSX

Remember -- OSX wasn't available in 1999, even as a public beta.
But the Army DID switch to the Mac then, and they're using OSX
Server now. It's just unfortunate that Apple doesn't note the
original switch was to OS9.

http://www.apple.com/itpro/profiles/army/

[Hobyx]

yet another reason for BeOS

This is yet another reason why Apple should have based their 10
operating system on BeOS. So sad the move was decided on by
politics instead of good ideas.

[MacDuff]

BeReal

As advanced as BeOS was, it was not ready to fill Mac OS's shoes,
at least in terms of backwards compatibility.

Also, with the NeXT acquisition came the return of Steve Jobs.
This, more than anything else, has been the MOST influential
element of Apple's rebirth and renaissance. no argument there.
With Be, who would they have got?? Jean Louis Gasse??! PASS!!

The proof is in the pudding. Mac OS X is awesome. There is very
little wrong with Apple's products and ongoing strategies for the
past several years. The company implemented several MAJOR
transitions (68000x0 CPU->PPC, Mac OS Classic->OS X,
PowerPC->x86) with each one better than the last and they've
never executed as well as they are right now. Thank Steve jobs
for that.

[Chrisnwokc]

The machine was set up to be hacked. No story here.

The would-be hacker was given an SSH account (remote login) and the Mac was set up as a server to be hacked. As another user noted, default setup on all non-server Macs does NOT enable SSH (the remote login service Secure Shell that was used by the would-be hacker). The fact remains that OS X still beats all available windows operating systems hands down any day of the week when it comes to security.

If you set up any machine to be hacked and someone hacks it, how is this news?

[shanewalker]

Honda crashes after 30 mins...

After keys were openly offered to any passers by, a 13-year-old
managed to wreck the 2006 Honda Civic by ramming it into a
telephone pole.

This proves the Honda Civic is less safe than previously imagined.

[FutureGuy]

what???

This is the most stupid comment I have heard. It would have made more sense if you had said. A 13 year old hacks into a Honda Civics computer, gets full "root level" access and then drives the car into a pole destroying the car, which would make Honda as vulnerable as Mac OS X. Moral of this example, thank goodness cars don't run on Mac OS X ;)

[open-mind]

Future Guy does not understand SSH

If he did, he would also understand your car analogy.

[privatec]

Don't forget...

... that your accident report is unsubstantiated and that the 13
year-old used an undisclosed technique to reach the pedals.

Proof positive. Bad Honda, everyone should buy Ford instead.

[open-mind]

NEWS.COM Stock Fraud

Maybe news.com is deliberately spreading this bogus story just to drive down AAPL. Seems to be working.

Hurry news.com, the market closes in 15 minutes!

[gpenglase]

If that's the case, go for it!

If that's the result of this story, to drive down Apple's stock price, then go for it. I want to buy some more.

Only joking - I find the stock manipulation techniques of wall street and financial reporters heinous. Yet another example of one technique used to do this...
http://news.com.com/2008-1030-6046300.html?tag=yt

Certainly this article could be classed as an attempt to do this since it is almost criminal that they don't mention anywhere in the article that this machine was setup to eb hacked by giving hackers the ability to create user accounts and thereby hack form within, whereas no other Mac on the internet provides that access, or has that vulnerability.- read here for more info: http://test.doit.wisc.edu/

[KsprayDad]

Yikes

Accusing a company or person of stock pumping is a VERY serious accusation...do you have any evidence vis-a-vis C:net's trading positions? If not, you may wish to rethink such statements.

[nhandler]

Do you work for Apple or something?

Do you work for Apple or do you have an interest in maintaining its stock price? Because you've spent your time posting 2 sentence accusatory comments lacking any substance. Is that the work of a chicken with his head cut off or an interested party?

[TravisHB]

Normal people don't set up their computers for hacking!

I have been using OS X for about a year. No anti-spyware software,
no extra security software- and I have not experienced any
problems such as viruses, hackers, or spyware. As a matter of fact,
I have not had any problems.

[FutureGuy]

So what's the point...

..I run XP and it has never been hacked or have any spyware/viruses on it.