toggle

AAPL Stock: 431.77 ( -0.23 )

MacNN News

http://www.macnn.com/articles/06/02/08/hardened.pb.compromised/

'Hardened' PowerBook compromised

updated 02:55 pm EST, Wed February 8, 2006

Hardened PB compromised

A security researcher at the recent ShmooCon hacking conference was taken by surprise when an unknown hacker compromised his PowerBook running Mac OS X, disabling the firewall and starting up a file server. The PowerBook had been 'hardened' to all known attacks at the time, and future analysis of the PowerBook revealed nothing about how the attacker managed to penetrate the system. "The machine was as hardened as best practices could suggest for anyone," the researcher said. The researcher believes that a previously unknown exploit caused the compromise, and with Apple's switch to Intel-based Macs, crackers will feel at home with the memory architecture and other elements below the application level. The successful attack underscores a number of trends that has already caused a shift in focus amidst security analysts and could result in more attacks on Mac OS X, according to SecurityFocus.

by MacNN Staff

Post tools:

TAGS :

troubleshooting

toggle

Comments

mpbritt
Junior Member

Joined: Feb 2001

0

02/08, 03:21pm | report spam | close Reply |
Unattended

This guy most likely left his PowerBook unattended for a few minutes in a roomful of hackers. Of course someone is going to walk over and install a rootkit on it. Duh.

bokubob
Fresh-Faced Recruit

Joined: Aug 2001

0

02/08, 03:31pm | report spam | close Reply |
but maybe....

...he was wrong.

Let's all freak out anyway.

l008com
Addicted to MacNN

Joined: Jan 2000

0

02/08, 03:38pm | report spam | close Reply |
wtf

This is the most pathetic bullshit story i've ever seen. I can't believe macnn posted this. What is their goal, to simply post the most mac stories possible, regardless of quality?

Salmon
Fresh-Faced Recruit

Joined: Sep 2005

0

02/08, 03:49pm | report spam | close Reply |
Fair enough

Honestly, the article struck me as reasonably balanced. I can't substantiate this specific story, but it is common knowledge that UNIX has never been, and is not now, a perfectly secure operating system; there are viruses for it, there are exploits for it. I love my Macintosh, but all the folks who insist that the operating system is perfectly secure with its UNIX core are deluding themselves.

mr100percent
Forum Regular

Joined: Dec 1999

0

02/08, 03:55pm | report spam | close Reply |
Intel makes no difference

Using Intel chips won't make it any less safer. How come windows is more insecure than Intel on linux? It's the operating system, not whether a hacker can access the x86 architecture

UpQuark
Fresh-Faced Recruit

Joined: May 2005

0

02/08, 03:57pm | report spam | close Reply |
I agree...

Nothing is secure as soon as you put it on a network. There are just different degrees..

Lance Moody
Fresh-Faced Recruit

Joined: Dec 2001

0

02/08, 04:01pm | report spam | close Reply |
And hanging from the door

...was a bloody hook.

Doesn't get any closer to an urban legend than this. No names, or other facts that could be checked. Calling him a "researcher" instead of "this guy" does not make the story any more credible.

Pathetic.

VinitaBoy
Fresh-Faced Recruit

Joined: Oct 2001

0

02/08, 04:14pm | report spam | close Reply |
What A Load!

OK, so my ex-wife's third cousin's mother-in-law says she knows for certain that her butcher's youngest son has a friend whose step-brother belongs to a group somewhere in the midwest that knows how to hack OS X! REALLY! It's true!

redwood
Fresh-Faced Recruit

Joined: Oct 2003

0

02/08, 04:30pm | report spam | close Reply |
Give me a break..

First of all, "All known best practices" is way to general a statement. I just went through a hardining guide last night in fact that was 25 pages long and would take at least a couple of hours to complete properly. I would like to know what measures this guy took, was it simply to turn on the firewall? Did he have a password on startup? Was his open bios protected with a password? on and on and on...

Furthermore, many other people there with powerbooks at no problems. How likely is it that only one powerbook would be attacked.

Anyway, this is to quote the story comments "Long on FUD, short on facts."

porieux
Baninated

Joined: Mar 2001

0

02/08, 04:34pm | report spam | close Reply |
non-story

A roomful of hackers with physical access to the machine? Wow, that's really representative of the real world isn't it?

Not to mention this 'hardening' process is probably where he compromised his security in the first place...

Lemmy
Fresh-Faced Recruit

Joined: Feb 2006

0

02/08, 05:20pm | report spam | close Reply |
the real story�

"SecurityFocus was acquired by Symantec Corporation in the fall of 2002"

mouthster
Fresh-Faced Recruit

Joined: Dec 2005

0

02/08, 06:18pm | report spam | close Reply |
uhh ok..

what a lame story.. let me guess, the "researcher" works for microsoft and the "hardended" powerbook had a post-it note stuck on the monitor that said "pw: root" .. this is FUD

RetiredMidn
Fresh-Faced Recruit

Joined: Aug 2004

0

02/08, 06:36pm | report spam | close Reply |
Security researchers

This story says more about self-described "security researchers" than it does about OS X. "I thought it was secure and (I think) it got hacked (somehow); since I consider myself an expert, it must be OS X's fault!"

Long story: When I worked for a major software firm twenty-something years ago, I was approached by someone who had taken over some dormant MS-DOS code I had once maintained, and was agitated because he had found a "virus" in the code. The virus turned out to be a tiny program, written by my predecessor and executed by the build script to play a short tune on the PC to signify that the build was done. On newer machines, the music "program" crashed because of hardward incompatibility. I laughed the guy out of my office.

A couple of months later, he had a new job title as the first "security engineer" in the software development organization.

Bouba
Dedicated MacNNer

Joined: Jan 2001

0

02/08, 08:36pm | report spam | close Reply |
Bouba

If you don't want to have undesired remote acces to your mac, then control all ports with a firewall, and close the services which could allow undesired access to the machine: remote login, Apple Remote Desktop and Remote Apple Events - All of which are disabled by default (except remote login on os x server). Close these ports and you are sure that no one would ever activate filesharing through one of your services.. (how is it possible to enable filesharing through printer sharing??!)

So it comes down to 2 things: disconnect from the network (close your wifi link and disconnect your ethernet cable) and limit direct access to the machine.

the rest would depend on the user (the famous code 18 - 18 inches in front of the screen...)

cheers

Sondjata
Fresh-Faced Recruit

Joined: Oct 2000

0

02/08, 09:28pm | report spam | close Reply |
hardened

sooooo let's ge this straight. an OS that I've had many windows users complain about "asking for a password all the time" was compromised. We are to believe that the "researcher" had done all "hardening" including not being logged in as administrator eh? Every OS X user knows that unless you specified otherwise, you can't start filesharing without root or admin privs. So the real question is how did the "hacker" get this information. We'll assume that the root password was set and then the root account disabled soooo the machine wasn't remotely "rooted." This leaves one other option. "researcher" was logged in as an admin AND at some point during the conference used that account to authorize something.

I find it convenient that the "forensic" evidence showed that in addition to everything else, not a single file had a changed date and the logs were completely wiped of activity.

No word if any rootkit had been installed by said researcher, therefore having opened his own machine to hacking.

dBass
Fresh-Faced Recruit

Joined: Feb 2006

0

02/08, 10:39pm | report spam | close Reply |
$ymantec's behind the FU

FYI, the "story" first appeared on a site run by a company that sold out to $ymantec. They claim "journalistic independence" of course.

Let's see, $ymantec makes money with their protection racket and their "independent" rag runs this "story" with no verifiable sources or proof of any kind.

This is like someone poisoning Tylenol to short the stock.

dBass
Fresh-Faced Recruit

Joined: Feb 2006

0

02/08, 10:44pm | report spam | close Reply |
MacNN sloppy!

MacNN this is sure sloppy. Or were you just trying to get more hits by running that unconfirmed, sensational, bullshit headline?

gerbick
Fresh-Faced Recruit

Joined: Jan 2004

0

02/08, 11:27pm | report spam | close Reply |
It happens...

I just ended up wiping clean a fresh install of a company's Xserve because it had an IRCbot installed.

Most people don't think that OSX can be compromised. It can.

But not in the same way as you'd expect a Windows machine.

Regardless, the record for defaced websites belongs to Apache webservers and not IIS actually for the last year or so.

LouZer
Fresh-Faced Recruit

Joined: Nov 2000

0

02/09, 12:22am | report spam | close Reply |
Must be FUD

You can't crack an OS X box. Its impossible. So this must be false and we all know it. And if it was cracked, it must be because of some idiot user who didn't know what he was doing, left his computer running, let others touch it, etc.

Man, you guys will never believe that a mac can be cracked. Whatever happens, it'll be someone else's fault. Hey, Linux is cracked all the time. Why can't OS X?

LouZer
Fresh-Faced Recruit

Joined: Nov 2000

0

02/09, 12:32am | report spam | close Reply |
Re: hardened

Every OS X user knows that unless you specified otherwise, you can't start filesharing without root or admin privs.

Hmm, based on this garbage quote, you apparently have that "All mac users are really smart, and windows users are idiots" mentality. But just so that you know, not ALL mac users know this. Let's be truthful here. Most likely, like with Windows, most macs are used by sole users, are used as they're set up when you first turn the blasted thing on, which means most people run as an Admin, and thus don't realize they're 'admins'.

But more importantly, you missed an important point. It doesn't say that file sharing was turned on. It says "starting up a file server", not file sharing. There are all sorts of file servers out there, not just apple's built-in version.

So the real question is how did the "hacker" get this information. We'll assume that the root password was set and then the root account disabled soooo the machine wasn't remotely "rooted." This leaves one other option. "researcher" was logged in as an admin AND at some point during the conference used that account to authorize something.

Of course. Because we know its impossible to exploit anything on OS X. So it must have been incompetence! Oh, and disabling 'root' only means you can't log in as root. But it doesn't prevent a user from using the root account (and, since Apple nicely sets up your root password as your first admin password, if you have one, you can usually log in as root).

Or, of course I'm sure this guy just left his computer running and available to all those other strangers in a conference. Yeah, I'd do that too with a $2500 computer. Just leave it for anyone to take...

jhorvatic
Fresh-Faced Recruit

Joined: Apr 2005

0

02/09, 02:03am | report spam | close Reply |
It's not the hardware yo

It's not the hardware you hack it's the OS. And when you have physical access to a machine is quite different then being half way around the world. What was the supposed hardening? Where's the details? I can say I hacked into a Mac and print it too. I've yet to hear of anyone getting into an OSX system since it has come out and I'm still waiting. Heck the screensavers did a test and no one got through even when the I.P. was given out.

gerbick
Fresh-Faced Recruit

Joined: Jan 2004

0

02/09, 05:16am | report spam | close Reply |
It's the OS and admin...

Just like any other POSIX/*nix based system, BSD systems have BIND exploits, just as well as other user exploits.

http://www.dshield.org/pipermail/intrusions/2005-April/008920.html

This is pretty much the scenario I ran into a month ago. There was an IRCbot installed on a freshly delivered MacOSX machine - psybnc had been installed on the machine.

There's a lot to say about the machine - it was not hardened until after I did some work to it. It was exploited because the local admin has no experience, and had not installed anything. Just as Linux webservers get defaced, so can a Mac. I've done enough white hat work to know that certain versions of Apache allow mods and updates before checking who's doing the request(s).

MacOSX virus? h*** no.

MacOSX exploits? Better believe it. They're minor, but they exist.

ezylstra
Fresh-Faced Recruit

Joined: Jul 1999

0

02/09, 10:58am | report spam | close Reply |
Must have been the AV

Consider the possibility the user was running an Anti-Virus, as they seem to have created the biggest holes on OS X lately.

winterlandia
Forum Regular

Joined: May 2001

0

02/10, 01:45pm | report spam | close Reply |
Security "Researcher"

I would think if they were really a security researcher, they'd have diagnosed exactly what the vector of the exploit was and how it worked. Without any detail it sounds like the person is just a whiner.

grener
Banned

Joined: Jul 2006

0

08/02, 09:42am | report spam | close Reply |
gg

54gf 54gf 54gf 54gf 54gf 54gf 54gf 54gf 54gf 54gf 54gf 54gf 54gf 54gf 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1 123Bvr1

Show More Comments

Login Here

toggle

Network Headlines

06/18	Apple issues major update to iOS mass...
06/18	Apple issues Java updates for Snow...
06/18	Hidden iOS 7 beta settings point to...
06/18	Case for rumored low-cost iPhone shows...
06/18	A closer look: iOS 7 Safari mobile...

Show All

06/18	Sony Xperia Z shipping in US within...
06/18	Case for rumored low-cost iPhone shows...
06/18	A closer look: iOS 7 Safari mobile...
06/17	Apple TV gains iTunes Radio support...
06/17	Report: 'iPhone 5S' display assembly...

Show All

toggle

'Hardened' PowerBook compromised

updated 02:55 pm EST, Wed February 8, 2006

Hardened PB compromised

Unattended

but maybe....

wtf

Fair enough

Intel makes no difference

I agree...

And hanging from the door

What A Load!

Give me a break..

non-story

the real story�

uhh ok..

Security researchers

Bouba

hardened

$ymantec's behind the FU

MacNN sloppy!

It happens...

Must be FUD

Re: hardened

It's not the hardware yo

It's the OS and admin...

Must have been the AV

Security "Researcher"

gg

Login Here

Register for our weekly email newsletter:

Connect tools:

Subscribe

to our RSS

Follow us

on Twitter

Most Read

10 Most Discussed

MacNN Marketplace

'Hardened' PowerBook compromised

updated 02:55 pm EST, Wed February 8, 2006

Hardened PB compromised

Related Articles

Recent Articles

Unattended

but maybe....

wtf

Fair enough

Intel makes no difference

I agree...

And hanging from the door

What A Load!

Give me a break..

non-story

the real story�

uhh ok..

Security researchers

Bouba

hardened

$ymantec's behind the FU

MacNN sloppy!

It happens...

Must be FUD

Re: hardened

It's not the hardware yo

It's the OS and admin...

Must have been the AV

Security "Researcher"

gg

Login Here

Register for our weekly email newsletter:

Connect tools:

Subscribe

to our RSS

Follow us

on Twitter

Most Read

10 Most Discussed

MacNN Marketplace