toggle

AAPL Stock: 502.21 ( + 4.54 )

Mac mini weathers 38hrs of attacks

updated 06:15 pm EST, Thu March 9, 2006

Mac mini weathers attacks


A university systems engineer who presented a "hack-my-Mac" contest closed down his own challenge on Tuesday, saying that even after 4,000 log-in attempts and two denial-of-service attacks, his Mac mini remained untouched. In a previous challenge, one attacker claimed he had breached security in less than 30 minutes, but later it was noted that this individual had an account on the machine. "This machine was not hacked from the outside just by being on the internet," Dave Schroeder, a senior systems engineer at the University of Wisconsin wrote. "It was hacked from within, by someone who was allowed to have a local account on the box." The professor set up a fully-patched Mac mini hosting a Web page on Monday, challenging attackers to breach security, according to InformationWeek. "It [left] people with the impression that a Mac OS X machine can be 'hacked' just by doing nothing more that being on the internet. That is patently false," Schroeder added.

Schroeder connected the PowerPC Mac mini to the internet running Mac OS X 10.4.5 with the latest security updates. The Mac held two local accounts, while both SHH and HTTP were left open. Schroeder said the system drew attention and lots of traffic, with 4,000 attempts logged. The Mac withstood two denial-of-service attacks, brute-force SSH dictionary attacks, numerous Web exploit scripts, and uncounted probes by scanning tools.

"There were no successful access attempts of any kind during the 38 hour duration of the test," Schroeder said. "Apple is responsive to security concerns with Mac OS X," he continued. "[That's] one of the most important pieces of the security picture."


by MacNN Staff

print
email
(16)

TAGS :

 troubleshooting

Related Articles

Recent Articles

toggle

Comments

  1. sertian

    Fresh-Faced Recruit

    Joined: Aug 2001

    0
    03/09, 07:00pm | report spam | Reply |

    test done already?

    dang And I was soooo close to hacking that baby!

  1. super_steak

    Fresh-Faced Recruit

    Joined: Dec 2005

    0
    03/09, 07:11pm | report spam | Reply |

    Good job

    The other "hack" story was so bad I deleted my RSS feedto CNET. It's good to hear a rational story about this issue.

  1. I.P. Freely

    Fresh-Faced Recruit

    Joined: May 2003

    0
    03/09, 07:17pm | report spam | Reply |

    anti-FUD

    I beat this story will get less than 10 percent of coverage that the original bullshit story got. CNET will probably not even run it on their site.

  1. LouZer

    Fresh-Faced Recruit

    Joined: Nov 2000

    0
    03/09, 07:22pm | report spam | Reply |

    Oooh

    38 hours? That's all. Yeah, I guess if that's what you want to hang your hat on. I guess as long as you don't keep your computer up for more than 38 hours at a time, I guess you're fine!

    And I don't know how he gets "Apple is responsive to security concerns" from the fact that no one hacked it. Of course, if I were someone who could hack a mac, I certainly wouldn't waste such knowledge on some stupid contest like this. I'd wait until no one was looking, hack in, and grab some decent personal data off the machine.

  1. erictheb

    Fresh-Faced Recruit

    Joined: Aug 2005

    0
    03/09, 07:41pm | report spam | Reply |

    38 hours

    my understanding is that the university forced him to close the contest.

  1. das

    Fresh-Faced Recruit

    Joined: Jan 2001

    0
    03/09, 07:42pm | report spam | Reply |

    re: oooh

    Try it in context:

    Mac OS X Security Test

    6 March 2006 10:00 AM CST

    In response to the woefully misleading ZDnet article , Mac OS X hacked under 30 minutes, the academic Mac OS X Security test has been launched.

    The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

    Almost all consumer Mac OS X machines will:

    - Not give any external entities local account access - Not even have any ports open - In addition to the above, most consumer machines will also be behind personal router/firewall devices, further reducing exposure

    The test is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s).

    Mac OS X is not invulnerable. It, like any other operating system, has security deficiencies in various aspects of the software. Some are technical in nature, and others lend themselves to social engineering trickery. However, the general architecture and design philosophy of Mac OS X, in addition to usage of open source components for most network-accessible services that receive intense peer scrutiny from the community, make Mac OS X a very secure operating system. There have been serious vulnerabilities in Mac OS X that could be taken advantage of; however, most Mac OS X "vulnerabilities" to date have relied on typical trojan social engineering tactics, not genuine vulnerabilities. The recent Safari vulnerability was promptly addressed by Apple, as are any exploits reported to Apple. Apple does a fairly good job with regard to security, and has greatly improved its reporting processes after pressure from institutional Mac OS X users: Apple is responsive to security concerns with Mac OS X, which is one of the most important pieces of the security picture.

    The "Mac OS X hacked under 30 minutes" story doesn't mention that local access was granted to the system. While local privilege escalation exploits can certainly be dangerous - and used in conjunction with things like the above Safari exploit - this isn't very informative with regard to the general security of a Mac OS X machine sitting on the Internet.

  1. das

    Fresh-Faced Recruit

    Joined: Jan 2001

    0
    03/09, 07:42pm | report spam | Reply |

    re: oooh (cont)

    Update

    ZDnet added a sentence to their article that says, "Participants were given local client access to the target computer and invited to try their luck."

    Might it have been interesting to explore:

    - What are the implications of local account access, and under what conditions might a computer be used in that way? How can such access normally be obtained? Do home users behind firewalls and with no ports open need to worry?

    - How can a vendor fix the claimed local privilege escalation vulnerabilities when they are not informed of the issue? What are the moral and ethical implications of knowing about allegedly severe vulnerabilities in products, like the "hacker" they interviewed, and actively choosing to NOT give the vendor an opportunity to fix the problem(s)?

    - How might a Linux or BSD distribution, other commercial UNIXes, or Windows stand up to a similar test, where anyone who wishes is given local account access?

    - A discussion about how since much of OS X is closed, this might make it more difficult for the community to discover - and report and fix - potential vulnerabilities in the closed pieces

    ...and things of that nature, instead of leaving people with the impression that any Mac OS X machine connected to the Internet can be taken over in 30 minutes.

  1. njfuzzy

    Fresh-Faced Recruit

    Joined: Apr 2001

    0
    03/09, 07:45pm | report spam | Reply |

    Article Wrong

    There were two different tests.

    The 30 minute breach was a different test, that challenged the hackers to gain root access when they already had (non-administrative) access via an SSH account.

    The 38 hour test started only with the information that such an account existed, and the address and specs of the machine.

  1. cgc

    Mac Elite

    Joined: Mar 2003

    0
    03/09, 07:59pm | report spam | Reply |

    Naysayers

    Everyone was quick to point out the erroneous "Mac hacked in 30 minutes" but I bet this isn't "newsworthy."

  1. mmmdoughnuts

    Fresh-Faced Recruit

    Joined: Feb 2006

    0
    03/09, 08:48pm | report spam | Reply |

    This one's not fair too

    This conclusion only proves that OSX can last 38 hours when connected to the net. This is only one out of millions of possible chinks in the armor. The original test only showed that local users can gain root access.

    Both are part of real world tests and valid. At the same time one must conceed that neither proves or disproves the other. One thing that apple has is the external audit (through open-source community) of only some of the tools it chooses to use in default install. The rest of their code should get a big question mark just like microsofts!!! It is unvetted and should be treated as an unknown.

    The only judge of security should be the kinds of expolits that are discovered. If there is consitent lack of good programing technique then there can be a conclusion and a tally of errors. And only then can a judgement be declaired as one OS is programed with security in mind.

Show More Comments

Login Here

Not a member of the MacNN forums? Register now for free.

 
close
Photo
toggle

Network Headlines

toggle

Most Popular

10 Most Read

Recent Reviews

Powerbag Business Class Bag

Many companies currently offer battery packs and various accessories to keep smartphones and other gadgets charged when away from an o ...

Logitech Cube

The world of mice could often be described charitably as stagnant: it's an endless sea of ergonomic shapes that assume you're sitting ...

NewerTech and Targus USB Hubs For Gifts

A useful holiday present to resolve an ongoing frustration is a multi-port hub. Whether as a stocking stuffer, Chanukah present, or an ...

toggle

Most Commented

10 Most Discussed

 

Popular News