153 Comments
- AndrewMayne, on 10/12/2007, -7/+40 It's still up after 12 hours...I thought it was only supposed to take 30 minutes? By my calculations, if you don't give everyone who asks local user privileges it takes a *lot* longer to hack. Who'd have thought that?
- ntrsfrml, on 10/12/2007, -12/+43 How the hell is this retarded?! I think it's a very good idea.. the user who claimed to hack mac mini under 30 mins was sitting physically in front of that mac mini.. I think any windows XP puter can be hacked by running an STD cd and decoding the sam file, exactly same what mac os x hacker did or claimed.
Bookmarked the Univ of Wisconsin page, will check everyday...
KOLJA:
thanks for posting the news on digg :)
- _skin_, on 10/12/2007, -11/+36 Either way I will be happy. If it gets hacked... Apple will fix the issue... If it doesn't, then... Well we will see.
- mrASSMAN, on 10/12/2007, -6/+28 awesome, i read the retort by the college about the purported hacking of the mac mini yesterday, it's fantastic that they are following up with it!
- ThinkBox, on 10/12/2007, -5/+25 It seems like the rise of Apple popularity has given way to a rise in hacking and virus news - sadly there hasn't been any real news yet. The SSH was running and he was giving out accounts - it is hard to configure even straight up Unix to be completely secure when you have users with some sort of a shell account. If you want that kind of security you gotta have something like a complete system lockdown, reassignment of services to non-root accounts. Somehow this the first story just seemed to be some idiot guy who thought he could rely on Mac to accomplish his wildest dreams while he does no work at all to secure it (while giving out accounts) The original ZDnet article confirmed that he could have locked the system, but he decided he wouldn't... Q.E.D.
- AndrewMayne, on 10/12/2007, -10/+27 It made it past 10 hours two hours before your post...
- bash, on 10/12/2007, -1/+17 the whole warez scene is based on recognition (they don't get paid for getting suppliers, cracking, and releasing), and last time i've checked it's thriving.
recognition is underrated, not overrated.
- itistoday, on 10/12/2007, -8/+23 "People claim that because they had shell access that getting root isn't a big deal?"
No, that's not what they claim. They claim that saying OS X can be hacked in 30 minutes over the internet is horribly misleading, and basically a lie. From TFA:
"The original article was not fair, because it did not note, or even imply, or hint in any way, that local account access was granted. The whole point of Apple using proven open source services like OpenSSH and apache on Mac OS X is exactly because of their secure nature as a result of years of scrutiny by the community. Most users of Mac OS X in a consumer or desktop setting will never even enable any of these services at all."
- ForbesBingley, on 10/12/2007, -3/+17 The problem for Apple here is the amount of unwanted attention they're getting.
I remember this first happening a couple of years ago. Some software vendor offered up the same challenge .. and then got a very persuasive call from Apple to make the challenge go away.
I agree that this kind of thing can raise awareness in positive, productive ways, and highlight flaws and intrusion techniques that would otherwise go unnoticed.
Problems start when the journalists get their hands on a fifth of the facts and then run with it, adding in their unique blend of false dilemmas, prognostications of impending doom and the usual hyperbole and verbiage...
- cathode, on 10/12/2007, -4/+18 Link to the news article claiming the hack:
http://news.yahoo.com/s/nf/20060306/bs_nf/41948
- toomuchgreentea, on 10/12/2007, -2/+16 How many of you think Microsoft would set up a Vista box for the same purpose to prove it's safe? Any guess on how long that would last?
- toomuchgreentea, on 10/12/2007, -5/+18 http://test.doit.wisc.edu/
Maybe we'll eventually digg it enough times to bring down the server before anyone could crack it. :D
- prockcore, on 10/12/2007, -9/+22 "False OSX hacking"? I don't think so. People claim that because they had shell access that getting root isn't a big deal? If that were the case, then no one could ever offer web hosting. If I can run a PHP script, I can do everything a user with SSH access can do.
That's not to say that a genuine *remote* exploit contest isn't a good idea though.
But since the only thing open is port 80 and port 22 (and I know, I ran a quick Nessus scan), they're really testing the security of Apache and SSH, not OSX.
(Although the stock Apache and PHP on OSX is woefully out of date)
- behemothaur, on 10/12/2007, -2/+14 I think the statement that it is less important that a machine can be hacked from behind the firewall stands against the fundamental principles espoused by most security consultants.
I do agree that the test of an OSX host as bastion is an important exercise - but pulling an SUID without auth on any box is an area for concern firewall or no. A good example of this would be what if, in the same zone, there was an unpatched server where root access was obtainable via exploit from the Internet - then the OSX box could be owned relatively painlessly.
- neoform, on 10/12/2007, -0/+11 what's to stop that person who ends up hacking the machine to kill the logs?
- TheShrike, on 10/12/2007, -4/+14 Hardened? Services disabled? Are you paying attention? He didn't harden it, he actually opened it up! OS X doesn't come out of the box set up for SSH and HTTP. You actually have to go into the preferences and set it up. If anything, he made it more vulnerable to attack than the average consumer's Mac.
- Swift2, on 10/12/2007, -1/+11 Escalation like this is a concern. But in order for it to hurt you, you'd have to have a real nasty "friend." This is the more real-world test. And yes, the real test is to get past Apache. That's the server inside every OS X installation.
Saying that "isn't OS X" is bull. It is exactly OS X. And I don't know, when I go to grc.org and do a port scan, my whole machine comes up stealth.
I think Apple should fix that privilege escalation flaw, sure. But users need to use some common sense about who they let on their computers.
- muikano, on 10/12/2007, -2/+11 dude, the average intelligence of digg and their skill set is nil. This aint slashdot. Most ppl that populate this digg site are laymen. Hell, IF that.
What digg has is numbers, not intelligence.
- behemothaur, on 10/12/2007, -0/+8 I sent some tests at it and surprisingly (or not) noticed the machine at that end scanning me back and trying tests on the ports I have forwarded on my firewall for torrents (that listen on my XP partition which I wasn't booted into...) Think 30k plus random ports with them initiating connections.
Not sure that they should be setting up a test server and inviting people to test and then testing them back, maybe it is some sort of daemon that automatically logs listening ports on any machine that connects and then attempts to connect back through - anybody else seen this? Oh and a word of advice, I wouldn't trust them - uni networks are notorious for bad behaviour - so advise using all the normal security measures before initiating your tests.
You know the ones, fresh unpatched version of any Windows OS with an IP stack, direct PPPoE to your ISP - all the good stuff.
- Nimortal, on 10/12/2007, -1/+9 OS X doesn't start SSH by default
- Otto, on 10/12/2007, -2/+9 ntrsfrml: The guy was not sitting in front of the thing, but he did have a local user level account. His hack was a "privilege escalation" hack, meaning that he got access to things he shouldn't have, but he did start with limited access to the machine in the first place. This is a bit different than starting out with no access at all.
Privilege escalation is generally less of a threat, but it is still a threat because if you can gain limited access to the machine (non-root), then you can use this sort of thing to turn that into root and thus you pwn the box.
- hardran3, on 10/12/2007, -2/+8 SSH is disabled by default. It is opened for this test.
- asdfer, on 10/12/2007, -0/+6 The machine owner let people create local accounts on the Mac. Read the actual challenge page, ZDNet left out all the important details.
- danielwsmithee, on 10/12/2007, -4/+10 Read the article before you post! "The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open."
It is the most current version of OS X with two services enabled that on most machines would not be.
- behemothaur, on 10/12/2007, -0/+6 Oh - and no I didn't find anything so don't bother with the standard stuff (nessus/netcat etc) seems they have it fully patched. Over now to the OpenSSH & Apache coding types. I am seeing some kind of echo on TCP 427 which I don't understand if anyone has any ideas.
I liked the DDoS approach mentioned above - let's digg it to death - would prove that all OSes are inherently vulnerable to a coordinated attack. Also someone above mentioned the social engineering approach - call up and pretend to be the boss. More effective may be to call up and pretend to be from homeland security!
- the1casey, on 10/12/2007, -1/+7 First of all, it says questionable, not false. And no I'm not a fanboy as you all like to call it. I have both Apple and Windows PCs...
- caldaean, on 10/12/2007, -1/+6 If I'm not mistaken, port 427 is used for Bonjour (zeroconf) broadcasting of the services available.
- craigtheguru, on 10/12/2007, -3/+8 I'm excited to see the results. Either way this will only lead to answers. If the box can be cracked, a patch will be out soon and now we know. Meanwhile, if nothing happens it would say tons!
- alexdagrate, on 10/12/2007, -2/+7 Does anyone remember when that sketchy head of DVForge tried a virus challenge? He eventually pulled it once someone pointed out to him it's illegal to encourage or facilitate someone's creating a virus.
I wonder if the same is true for general intrusions?
http://www.macobserver.com/article/2005/03/28.2.shtml
- bbatsell, on 10/12/2007, -1/+5 Frankly, I'm amazed that a G4 mini running Apache has withstood the digg effect without so much as a slowdown. Minis have their purposes, but the G4s in particular are a bit short on processing power (I own one). Granted, it's text-only and one page, but I've seen much more powerful servers brought down by less.
- prockcore, on 10/12/2007, -6/+10 I'm going to reply to my own comment because digg doesn't let me reply to replies.
itistoday: you're right. The implication that desktop OSX was cracked is a lie. It was OSX acting as a server that has problems.
Although if you look at what plagues windows, and it isn't open ports anymore. It's people running email attachments etc. Previously mac users would say "well, running an email attachment couldn't possibly hurt my system since I don't run with root access".. that turns out to be a lie too, since the software can easily obtain root.
Was the previous OSX hacking claim overhyped? I don't think so, it's a serious issue that will make previously small security violations more dangerous. Was it misleading? Yeah.
- skinfitz, on 10/12/2007, -4/+8 ...how many people think Apple would do this? If you RTFA you will notice that it's not Apple running this.
Only a total idiot of a CEO would claim that their software was hack proof and publicly invite people to try. Look at Oracle for example. ('Can't break it, can't break in' - he ate his words.)
- Solol, on 10/12/2007, -1/+5 @neoform : Network traffic logging, obviously.
- zetsurin, on 10/12/2007, -0/+3 This is good: free unit testing for Apple.
- SkeletaLlama, on 10/12/2007, -0/+3 Personally, I'm glad of this story. As a Mac user I was wondering about security when that other article was claiming I could be hacked in under 30 min over the web. That had me a bit worried. Now that I see it was only through a user account, I'm not so worried, as I would expect security holes through user accounts. I'm the only user on my computer, have a firewall, stealth mode etc. and I feel much safer. Though I know that no system is ever 100% safe from a determined hacker.
- apoch, on 10/12/2007, -2/+5 This is a bit of a joke. In any nontrivial system, the security weakness(es) are going to have nothing to do with the OS that's being run. Once you get past ignorant user error (read: sloppy configuration) and known software vulnerabilities, the real threat is - and always has been - the human element. Social engineering has always been the most capable tool for compromising a system, not prefabricated hack kits and privilege-escalation code. In a very real sense, the Gwerdna incident demonstrated this admirably - although I agree that the reporting was sloppy, and the lesson is not clearly visible on the face of it.
- starmanjones, on 10/12/2007, -0/+3 i think the comment system won't allow you to respond to someone responding to you. i guess it's a flame thing. but ya, no reply link has shown up under your response to me. i guess.
>Actually, I have a Mac, sitting here next to my Linux box. I run XP in a VM.. Part of what
>concerns me is that when the Windows guys made a big deal about it, the Mac fanboys (I
>like the Mac, but I'm not a fanboy) freaked out. So, Windows guys made a big deal? That's
i agree totally. i use and service all of em. there are 3 XP boxes, 4 linux boxes, and
3 macs on at my house 24/7. the computer on my desk is a 800 mhz. iMac FP with a gig of
RAM. almost every other computer in the house is faster... or should be faster. right
now, i’m running ical, azureus, iphoto, photoshop, bbedit, a blogging client, itunes,
mail, terminal app tailing 3 logs on servers, adium, safari with 11 tabs, Firefox with...
***** 20 tabs? and i am transferring files to a PC down stairs via samba. they are all
doing things, they aren’t just booted. if it was bogging down i’d change it for one of
the computers that is faster in a flat second. but it doesn’t.
personally, i wouldn’t waste a good mac using it as a server. that's why they make linux.
:)
>He's not a security guy. A lot of Mac owners aren't. Don't give people accounts who don't need them. Etc.
>And just ignore the MS fanboys who are pointing and laughing. You end up lowering yourself
>when you respond to that type of post, whether it's from a MS, Mac, or Linux fanboy.
right. it is a valid test of what it tested. it is lowering yourself but... im anonymous so
if im in a bad mood i’ll go a couple rounds. :D
- zippo512, on 10/12/2007, -1/+4 i can't believe my school is doing this!! but now that i think about it, a lot of my professors have ibooks.
- defectDS, on 10/12/2007, -0/+3 Well if it is considered a "competition" in the first place, it just goes to show you that it's gonna be a challenge to do such a thing, right?
- drakethegreat, on 10/12/2007, -1/+4 Just curious.. Are we gonna sit here and talk about how lame that first article was (which is old news) or are we gonna take this guy up on the new challenge? This is digg people! We should prove to him that no matter how secure Mac OS X is, it's no match for the combined force of geeks spanning across all OSes and skill levels.
Just to get people started I have heard something about a sshd flaw that affects most standard preinstalled copies. I had to update my RHE4 server just to compensate for this problem. Anyone care to investigate?
- tirion, on 10/12/2007, -1/+4 Erm I may be a mac user but I really have to point out blind, parochial support of something ain't the way to go about doing things. Even if you are vindicated in your opinions does not mean that gloating is the right thing to do. Chill dude.
- escheppa, on 10/12/2007, -0/+3 I doubt it that digging the server will take it down I have worked side-by-side with DoIT and they know what they are doing.
- chadseld, on 10/12/2007, -0/+3 With a local account, you can get root no problem.
- On windows, run sam spade on the SAM file.
- On Mac OS X, run strings on the VM file and look for the last admin login. the password appears in plain text. (This is why there is a security option to use 'secure vm' for those running secure machines)
- If you have a look at the script kiddie web sites there will be a few remote user or remote root exploits and many times more local root exploits.
- pierre, on 10/12/2007, -0/+3 A proper test would be:
Do a clean install of OS X. Leave default config. Connect to internet.
Then invite hackers to try and gain control.
- sonyoak, on 10/12/2007, -4/+7 I don't think the site will get hacked, for a simple reason:
"Contestants who claim they have succeeded at hacking the system have to provide details about how they breached the system's security walls, which will be provided to Apple."
Even if the hackers don't provide the details, most of their actions will probably be logged by the server, so the server and thus Apple can know how they broke in and what needs to be fixed.
Now imagine yourself as the hacker and you know a not-yet-public vulnerability of OSX, will you be kind enough to hack that site and tell Apple?
- chickentonight, on 10/12/2007, -0/+3 On the other hand security researchers in a similar situation certainly might tell Apple.
- jav1231, on 10/12/2007, -1/+3 "The point is: He doesn't have the right to authorize "permission" to break a company's intellectual property? I hope Apple sues him."
They can't unless perhaps he published the findings in great detail. He's perfectly within his rights to say, "Here's a machine, come hack it. BTW: Here are the specs." Your understanding of IP is skewed. He's not having someone view code. Nothing illegal here.
- JNitz36, on 10/12/2007, -2/+4 This is great. I have been following these articles on digg and slashdot. I have read so many misinformed posts it's actually getting a bit old. I am just waiting for those digg users that commented on yesterday's articles claiming it takes them less than 2 minutes to implement a few undocumented exploits and overruns that will enable them to root the box. I won't mention names, but you know who you are. Now is your chance to shine! Or just keep reading and hope nobody remembers. Creeps like me like to survey as people make fools of themselves. I don't doubt the existence of said exploits, but I want to see it in 2 minutes. Tick Tock. Unleash your skills! I guess you posted thinking that this test was all done but didn't expect someone else to launch a new test.
- malkav, on 10/12/2007, -1/+3 This test is flawed as well. If you put a linux or a windows box up with only the latest versions of ssh and apache running it would be very hard to attack successfully. In a real world situation the website would be much more complex and perhaps open to some application level attack. There are no users to social engineer either.
And btw the local exploit is big news, it means that any attachments/downloads you open do not need to ask for access to install themselves!
- danielwsmithee, on 10/12/2007, -1/+3 It's usually an ISP bandwidth issue not the actual server that can't handle the requests.