[insha]

Saw this article linked on MacSurfer. Apple is definetaly going to take some heat for this if this thing turns out be for real. WTF is happing.

To all the Mac OS X experts here. Can this be true?

[Big Mac]

I'm not an expert per se, but I would not discount the possibility of unknown vulnerabilities being exploitable. Apple has not faced nearly as much hacker scrutiny as M$ has, and we also know Apple's engineers can be rather sloppy at times as well as excruciatingly slow at fixing obvious bugs (e.g. the dial-up freeze that was not corrected well into 10.1, until an enterprising independent developer provided his own patch). However, I take issue with the quotation in the referenced article that claims OS X would be much worse off than other OSs if hackers were to target it seriously. Apple would have to be terrifyingly incompetent to allow OS X to sink below Windows in the realm of security.

[Chuckit]

As it doesn't explain exactly what happened, it's hard to say anything. It sounds like he probably had a pretty naive setup, though.

[JKT]

Given that this has been possible ever since Mac OS X 10.0 is there any surprise? Why - because the server side of OS X relies on *nix and OSS components that have known and unpublished exploits. What do people think 90% of the security patches for OS X have been for the past 5 years? The impression that the article gives is that this is something to do with OS X itself but without giving any details as to how, it is impossible for us to know if it is the OS X base or the *nix/OSS components or a mix of both that have been used to crack the box.

[Millennium]

Basically, people have finally learned that OSX is not invincible. It never was, and it never will be. This doesn't mean it's not better than Windows: it's still light-years ahead of Windows where security is concerned. But it has never been completely secure, because no operating system is. The NSA has operating systems whose names we've never heard, and they're far ahead of even OSX in terms of security, but even they aren't completely unbreakable.

Basically, it comes down to the users waking up. There are indeed some areas where Apple can improve its security, but in the end there's no substitute for a vigilant user. OSX has a great opportunity to become an OS which can teach its users security as they use it; Windows has dropped the ball on this, but OSX can step up to the plate. The question is, will Apple take that chance?

[Kate]

I admit to be in strong doubt whether Apple will change its sloppy stance with regard to security of Mac OS X or not.

There are lists with published securitiy flaws and Apples fixes tend to come after months if ever.
There are lists with unpublished security flaws where they might do something about if this gets finally published.

All in all Apple has no real record of timely fixes whatsoever in my opinion.

Look at Secunias statistics....

http://secunia.com/product/96/

Apple is usually more late than quick in fixing looking at the statistics.

While Apples stance and track record is undisputable not a very good one, the usual Mac user adds to this with his own wrong stance of feeling safe for Mac OS X's sake. Laziness and stupidity combined are a tough teacher for end users in such a case I think.

[JLL]

Originally Posted by Kate

I admit to be in strong doubt whether Apple will change its sloppy stance with regard to security of Mac OS X or not.

There are lists with published securitiy flaws and Apples fixes tend to come after months if ever.

Where? The page you link to has Unpatched: 0%

Most patches are out of Apple's hands btw. since many of the holes in Mac OS X has been in PHP, MySQL, SSH, Perl and so on.

21% percent of the advisories for Windows XP Pro haven't been patched yet, and some of them are over a year old.

[Kate]

Originally Posted by JLL

Where? The page you link to has Unpatched: 0%

Most patches are out of Apple's hands btw. since many of the holes in Mac OS X has been in PHP, MySQL, SSH, Perl and so on.

21% percent of the advisories for Windows XP Pro haven't been patched yet, and some of them are over a year old.

I didn't link to Secunia for the unpublished flaws, but for its statistics.
The unpublished flaws, well....that would be a question for e.g. "nemo" of felinemenace.org

[JLL]

Originally Posted by Kate

I didn't link to Secunia for the unpublished flaws, but for its statistics.

You said there were lists with published flaws.

And I still can't see why you think that Apple's track record is bad (undisputedly even).

[insha]

Originally Posted by Chuckit

As it doesn't explain exactly what happened, it's hard to say anything. It sounds like he probably had a pretty naive setup, though.

That's what I find weird about this article. They don't say if the Mac used had the out of box configuration or the confiuration was changed for this contents. That is why my initial reaction to this article was "BS!".

I wonder if Apple will issue an statement?

[insha]

Originally Posted by Big Mac

I'm not an expert per se, but I would not discount the possibility of unknown vulnerabilities being exploitable. Apple has not faced nearly as much hacker scrutiny as M$ has, and we also know Apple's engineers can be rather sloppy at times as well as excruciatingly slow at fixing obvious bugs (e.g. the dial-up freeze that was not corrected well into 10.1, until an enterprising independent developer provided his own patch). However, I take issue with the quotation in the referenced article that claims OS X would be much worse off than other OSs if hackers were to target it seriously. Apple would have to be terrifyingly incompetent to allow OS X to sink below Windows in the realm of security.

I didn't know about the dial-up freeze issue; but I agree with you. It would suck to see Apple screw-up an OS that based on an OS that was/is renowned for its security.

[Kate]

You said there were lists with published flaws.

And I still can't see why you think that Apple's track record is bad (undisputedly even).
__________________
JLL

Well, if sometimes months go by since a flaw has been made public until a fix is released, and that timescale is no single exception, I call that undisputably slow. Maybe we differ here in opinion?

Oh, and a list with published flaws is available at Secuna, follow the link.

[steve626]

The article and the original poster here did not provide important details, such as that this Mac was set up as a server that allowed users to create their own new accounts, set up ssh etc. Very unusual set up that is asking for trouble.

How about asking how long it takes to hack into a Macintosh with up to date software that is on a local network behind a NAT router, with the Mac OS firewall also turned on. And maybe has only music sharing and file sharing turned on. That would be a more typical scenario. I'll bet that would take a very long time to "hack."

[JKT]

Someone has set up a new challenge, this time with one where the keys haven't been left in the front door.

[insha]

Originally Posted by JKT

Someone has set up a new challenge, this time with one where the keys haven't been left in the front door.

ZDNet needs to crawl out of BG's @ss.

I don't think many people will attempt to "hack" the mini set up by UW. And if they do, what legal issues are we looking at here?

[tooki]

The "hack" ZDnet reported is a sham. It's no more a break-in than a house with a sign in front of it saying "kudos to the first person that breaks in!" when the front door is unlocked.

The people that ran that server gave people logins. Need I say more?!

tooki

[ghporter]

But... an account should NOT be able to get to anywhere like root access; the system should not allow that to happen. This is indeed a troubling development.

No, this is not a "horrible flaw, comparable to the appocolypse," but it does show, as Millenium has pointed out, that just running OS X does NOT make one invincible. And the more one depends on OS X "just working" to keep them safe, the more vulnerable they are. OS X is NOT as vulnerable as Windows, not at all; there are far too many parts of OS X made from whole cloth instead of patched and transcoded as much of Windows is-even XP and Vista. But that does not mean that it was handed down from Olympus as a perfect and unassailable operating system. We MUST be first on guard against social engineering (as with Oompa last month) and second, aware of what should ask for a password before we give it. After that, keeping the OS X firewall on and not looking for something for nothing help a lot.

[mpancha]

Interesting that it happened, and I'm glad it did as well. Hopefully it'll lead to Apple taking a few more steps towards security.

I've been reading a lot about how the user account shouldn't be Admin on the computer.... how do you un-Admin a user? I can't uncheck the "allow user to administer this computer" box.

[Brass]

Originally Posted by mpancha

Interesting that it happened, and I'm glad it did as well. Hopefully it'll lead to Apple taking a few more steps towards security.

I've been reading a lot about how the user account shouldn't be Admin on the computer.... how do you un-Admin a user? I can't uncheck the "allow user to administer this computer" box.

You need to have at least one admin account on the system. Create a new account, make it admin, and then you can make the other account non-admin.

[mpancha]

worked like a charm, thanks Brass.

[mduell]

Originally Posted by tooki

The "hack" ZDnet reported is a sham. It's no more a break-in than a house with a sign in front of it saying "kudos to the first person that breaks in!" when the front door is unlocked.

The people that ran that server gave people logins. Need I say more?!

Sure they gave out logins, but OSX still has the bugs that allow privelege escalation.

Couple a local privelege escalation with a vulnerability like this and you've got remote root.

[voth]

Maybe someone should attempt to write a security guide for OSX from a new user point of view. Include securing accounts, turning off un-used services, etc. Include some mid-to-advanced measures as well. Just a thought.

[Big Mac]

Unused services are off by default, voth - there's nothing to turn off. The greatest vulnerability will always be social engineering, and no one can come up with much of a solution for that.

[tooki]

Originally Posted by voth

Maybe someone should attempt to write a security guide for OSX from a new user point of view. Include securing accounts, turning off un-used services, etc. Include some mid-to-advanced measures as well. Just a thought.

For what it's worth, Mac OS X meets DoD guidelines for security, once locked down using their security guide. No, it's not designed for the regular user, but if you want to lock down OS X, they tell you how!

But I agree, for the most part, OS X is already damned well secure out of the box. Considering how many holes they had to open to even allow a privileges escalation, I think it's still fair to say that we have the most secure mainstream desktop OS out there.

tooki

[JoshuaZ]

Honestly, this past month has been an online media fest about `OS X Security Flaws.` A lot of hype over nothing. So far the only security flaws out there that have been exploited are user errors. But nothing we can do to stop people from downloading and installing something....

(This is why I wouldn`t give my younger sister permission to install things on my parents computer. Man, was she ticked off)

[mduell]

Originally Posted by tooki

For what it's worth, Mac OS X meets DoD guidelines for security, once locked down using their security guide. No, it's not designed for the regular user, but if you want to lock down OS X, they tell you how!

How about one for securing a verion of OS X from the last couple years?
The one you linked to is for Jaguar.

[OreoCookie]

Just a follow-up on the story. Some guys from the university of Wisconsin have repeated the test after applying Apple's latest security patch (2006-001, I believe) and the Mac mini withstood 38 hours without being cracked. The test finished with the mini's OS X installation fully intact.

Apparently, the hacker who cracked the mini first time around knew exactly what he was looking for.

On a personal note, I think this is good news for Mac users, because it gives Apple incentive to fix security issues quicker than they sometimes did in the past.

[Kate]

Originally Posted by OreoCookie

Just a follow-up on the story. Some guys from the university of Wisconsin have repeated the test after applying Apple's latest security patch (2006-001, I believe) and the Mac mini withstood 38 hours without being cracked. The test finished with the mini's OS X installation fully intact.

Apparently, the hacker who cracked the mini first time around knew exactly what he was looking for.

I'd like to correct that statement. They did not repeat the same test. They put a Mini on the net with Apache and ssh active. Nothing more, while the machine mentioned in the ZDnet article offered any inerested person a user account!

The hacker seems to have used a privilege escalation flaw in X to gain admin status from his normal user account.

You therefore cannot really compare the two "tests".

The first machine has been exposed to types of hacking from inside, while the other was exposed to remote attacks. And the ZDnet articel and the follow-up stories gave everyone the false impression that a Mac out of the box, exposed to the net, could be hacked in 30 min remotely.

The results from neither side are truly reflecting any kind of security measure for Mac OS X.

Originally Posted by OreoCookie

On a personal note, I think this is good news for Mac users, because it gives Apple incentive to fix security issues quicker than they sometimes did in the past.

[moodymonster]

yeah, well, they still need to sort it out so that I can't launch a terminal doc without realising it - unsanity have a fix, why can't Apple?

[JKT]

Originally Posted by Kate

The hacker seems to have used a privilege escalation flaw in X to gain admin status from his normal user account.

Given the paucity of actual information about the original test, it could just have easily been because the person who allegedly ran the test had a username = admin and a password = password.

However, you are right - the two tests were not identical.

[SirCastor]

Originally Posted by Kate

I'd like to correct that statement. They did not repeat the same test. They put a Mini on the net with Apache and ssh active. Nothing more, while the machine mentioned in the ZDnet article offered any inerested person a user account!

The hacker seems to have used a privilege escalation flaw in X to gain admin status from his normal user account.

You therefore cannot really compare the two "tests".

The first machine has been exposed to types of hacking from inside, while the other was exposed to remote attacks. And the ZDnet articel and the follow-up stories gave everyone the false impression that a Mac out of the box, exposed to the net, could be hacked in 30 min remotely.

The results from neither side are truly reflecting any kind of security measure for Mac OS X.

The point of the latter test was to establish that OS X isn't extremely invulnerable just sitting on the internet (which is what the first article implied. In it's early running they had not mentioned that a local account was created)

This is an example of bad press. This second test gives a more "fair" approximation of the situation, and a more honest explanation to the public. Unfortuantely, it's likely that damage has already been done.

[tooki]

Originally Posted by mduell

How about one for securing a verion of OS X from the last couple years?
The one you linked to is for Jaguar.

That's the last one that has been issued (at least as declassified). It's the one linked both from NIST and Apple's own federal computing page.

Considering that OS X's built-in security has only improved with time, it's unlikely that the guide would result in an insecure system.

tooki

[OreoCookie]

Originally Posted by Kate

I'd like to correct that statement. They did not repeat the same test. They put a Mini on the net with Apache and ssh active. Nothing more, while the machine mentioned in the ZDnet article offered any inerested person a user account!

The hacker seems to have used a privilege escalation flaw in X to gain admin status from his normal user account.

The information on how the `Swedish' Mac mini is scarce (I haven't found any details). If somebody has any links regarding the exact security flaws that were used to gain access, please post them. If the user account they had access to was an admin account, all they needed was a sudo -s to get a root shell. And THEN your system is screwed

Originally Posted by Kate

You therefore cannot really compare the two "tests".

I have not claimed both tests to be comparable. However, the impression people had from the first test was that OS X was a joke to hack. The follow-up experiment disproved that.

Originally Posted by Kate

The first machine has been exposed to types of hacking from inside, while the other was exposed to remote attacks. And the ZDnet articel and the follow-up stories gave everyone the false impression that a Mac out of the box, exposed to the net, could be hacked in 30 min remotely.

The results from neither side are truly reflecting any kind of security measure for Mac OS X.

No, but I find the second scenario more likely for a random attack: the firewall is active and the attacker does not have access to a user account on the machine. I also think that this puts the concerns of average users at rest, i. e. that their Mac may be hacked effortlessly. That was the reason I have posted the link.

[ghporter]

Reading the site that hosted the "contest" it looks like the only thing they did was allow outsiders to set up their own accounts. It seems to have been all about the "rm." I have not been able to find anything about whether or not they had changed the admin username and/or password, but from the rest of the site, I believe that they didn't make it that easy... Further, the successful hacker stated that he'd used "unpublished vulnerabilities" to worm his way in. If it had been as easy as a default or stupid username/password bit, I think he'd have said "what a joke! I tried three passwords off the top of my head and I was in!"

Obviously this "contest" was not a typical real-world situation, but it did show that not everything is sweetness and light in OS X land. There are holes and some folks know where they are.

[mduell]

Originally Posted by tooki

That's the last one that has been issued (at least as declassified). It's the one linked both from NIST and Apple's own federal computing page.

Considering that OS X's built-in security has only improved with time, it's unlikely that the guide would result in an insecure system.

The NSA has released their guide to securing Panther.

Originally Posted by OreoCookie

Just a follow-up on the story. Some guys from the university of Wisconsin have repeated the test after applying Apple's latest security patch (2006-001, I believe) and the Mac mini withstood 38 hours without being cracked. The test finished with the mini's OS X installation fully intact.

Apparently, the hacker who cracked the mini first time around knew exactly what he was looking for.

On a personal note, I think this is good news for Mac users, because it gives Apple incentive to fix security issues quicker than they sometimes did in the past.

Bruce Schneier addressed the topic of cracking contests over 7 years ago in his Crypto-Gram. They're just as useless today as they were then. Snippet:

You see them all the time: "Company X offers $1,000,000 to anyone who can break through their firewall/crack their algorithm/make a fraudulent transaction using their protocol/do whatever." These are cracking contests, and they're supposed to show how strong and secure the target of the contests are. The logic goes something like this: We offered a prize to break the target, and no one did. This means that the target is secure.

It doesn't.

Contests are a terrible way to demonstrate security. A product/system/protocol/algorithm that has survived a contest unbroken is not obviously more trustworthy than one that has not been the subject of a contest. The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be. Contests generally don't produce useful data. There are three basic reasons why this is so.

[ghporter]

Originally Posted by mduell

The NSA has released their guide to securing Panther.

There is a reason NAS has not published a standard for securing Tiger; it takes a LONG time to evaluate something as complex as an OS to see what needs securing, what needs locking and what can be left alone. They are thorough in the extreme; their objective is to secure a Mac that might be processing classified information. This is not trivial.

Originally Posted by mduell

[URL="http://www.schneier.com/crypto-gram-9812.html"]Bruce Schneier addressed the topic ... Snippet:

You see them all the time: "Company X offers $1,000,000 to anyone who can break through their firewall/crack their algorithm/make a fraudulent transaction using their protocol/do whatever." These are cracking contests, and they're supposed to show how strong and secure the target of the contests are. The logic goes something like this: We offered a prize to break the target, and no one did. This means that the target is secure.

It doesn't.

Contests are a terrible way to demonstrate security. A product/system/protocol/algorithm that has survived a contest unbroken is not obviously more trustworthy than one that has not been the subject of a contest. The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be. Contests generally don't produce useful data. There are three basic reasons why this is so.

While an experiment cannot prove something CAN'T be done, it CAN prove that it CAN be done. Experiments prove rather than disprove. Within the limits of the "contest"/experiment, someone proved they could take over root control of an OS X machine. Scientifically, the organizer of this little demonstration should publish how (down to the last setting) the Mini in question was configured so that the experiment can be replicated. But on its face, it looks like the successful hacker did prove he could get in.

[Big Mac]

Originally Posted by mduel[i

Contests generally don't produce useful data. There are three basic reasons why this is so.[/i]

Where are the reasons?

[cybergoober]

Originally Posted by Big Mac

Where are the reasons?

Click the link, maybe?

[mduell]

Originally Posted by ghporter

There is a reason NSA has not published a standard for securing Tiger; it takes a LONG time to evaluate something as complex as an OS to see what needs securing, what needs locking and what can be left alone. They are thorough in the extreme; their objective is to secure a Mac that might be processing classified information. This is not trivial.

I know; I was just pointing out the Panther guide that Apple, NIST, and tooki were unaware of.

Originally Posted by Big Mac

Where are the reasons?

In the article I linked to.
Sneaky, I know.

[el chupacabra]

Most computers can be cracked if your sitting at them. Now if someone got access to my computer over the net that would be concerning.

[ghporter]

Originally Posted by mduell

I know; I was just pointing out the Panther guide that Apple, NIST, and tooki were unaware of.

Cool. But not everyone knows why it takes time to do this.

Originally Posted by el chupacabra

Most computers can be cracked if your sitting at them. Now if someone got access to my computer over the net that would be concerning.

The one "easy piece" to this "contest" was that the owner of the Mini allowed people to set up user accounts on the machine-effectively the same thing as sitting in front of it. But there are techniques for getting past such things as NAT routers, which is a concern for anyone who's online. A hardware firewall is better defense, but nothing is perfect, thus a need for defense in depth.

[ApeInTheShell]

The more popular an operating system becomes the more viruses, trojans, and security releases will appear. Microsoft owns the biggest peice of the pie for operating systems so it is attacked the most. I could argue that the reason for this is not only the user base but also because of the bugs in the system and in applications made for the system. However, this is the same for Mac OS X but on a much smaller scale. If you fix one bug eventually there will be another and another and another. The solution to the problem is for application developers to release their own security fixes with each release. Maybe the application scans the file you are importing for viruses and the like.

[msuper69]

Originally Posted by ApeInTheShell

The more popular an operating system becomes the more viruses, trojans, and security releases will appear. Microsoft owns the biggest peice of the pie for operating systems so it is attacked the most. I could argue that the reason for this is not only the user base but also because of the bugs in the system and in applications made for the system. However, this is the same for Mac OS X but on a much smaller scale. If you fix one bug eventually there will be another and another and another. The solution to the problem is for application developers to release their own security fixes with each release. Maybe the application scans the file you are importing for viruses and the like.

I had to laugh at this. Every developer should include routines in their applications to check for malware? Talk about inefficiency and duplication of effort.

No. Security should be the responsibility of the user, aided by the operating system and perhaps a dedicated malware detection application (virus scan, et. al.).

If you fix one bug eventually there will be another and another and another.

Where in the world did you come up with this? Just because a bug in a program is fixed doesn't necessarily mean another one will appear.

[ApeInTheShell]

Sounds plausible to me. You overthink the problem msuper69.
Look at the real world, we have health insurance, car insurance, life insurance, flood insurance, security systems in our homes, hire detectives, and so on. None of these services work if we don't pay into them every month/year.
I would like the same to work for applications. When I purchase Adobe Photoshop it has a security system built in to prevent me(the user) from crashing the application. When I buy the update the next time I get the new tools in Adobe Photoshop to make things safe.

HAHAHAHAHAHAHAHAHA HA! You're funny.

[CharlesS]

ApeInTheShell, if you think that every application developer is going to implement a virus scanner for every single app he/she writes, and that you'd be able to rely on this, you're nuts.

[alphasubzero949]

Originally Posted by ApeInTheShell

Sounds plausible to me. You overthink the problem msuper69.
Look at the real world, we have health insurance, car insurance, life insurance, flood insurance, security systems in our homes, hire detectives, and so on. None of these services work if we don't pay into them every month/year.
I would like the same to work for applications. When I purchase Adobe Photoshop it has a security system built in to prevent me(the user) from crashing the application. When I buy the update the next time I get the new tools in Adobe Photoshop to make things safe.

HAHAHAHAHAHAHAHAHA HA! You're funny.