#1
Major Leaguer
Join Date: Jan 2005
Location: Kensington, MD
Posts: 354
|
OSX Hacked in 30 minutes
This article is somewhat interesting. Although it was a bit like it was a car stolen with the doors unlocked and the keys in the ignition (ssh on and allowed users to create their own accounts).
__________________
"Ah I see you have the machine that goes PING!"
#2
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
|
It sounds to me like the hacker didn't exploit anything the user had configured.
There are security flaws in Mac OS X just like any other operating system. Some hackers are just that good and you will never be able to prevent them from exploiting your machine. You may be able to remove them from your network/machine once they are discovered but some of the elite hackers will probably never be stopped. Heck, some of the kids at the school district I work for amaze me sometimes when I stumble onto an obviously hacked system loaded with games and such. Now what needs to be done is have some Macs running OS X on a secure network with good, secure hardware (switches and firewalls, proxy servers, etc.) then have some good hackers try to exploit it. I am willing to bet the hackers will always win, even if it were a different OS. I am not saying that Windows or Novell, or Linux are any better per se, I am saying the hackers will always win until someone actually creates an operating system that is impervious to such things.
#3
Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
|
As you said... He kind of invited them in... A normal server is behind a firewall, should be in stealth mode (if you want better protection) and locked down so no one can add users, including root. Come on... leave any server open on the web and someone will find vulnerabilities... And the guy who set up the contest, is he qualified when it comes to computer security or OS X server standard security measures to prevent such things? If they want the test to be well understood, they should publish the original system setup after the contest is over so we can know about it.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#4
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
|
Yeah I agree this sounds like a hacker publicity stunt.
#5
MVP
Join Date: Sep 2003
Location: New York
Posts: 2,211
|
In response to that borked article, and all the misinformation surrounding it, check this out:
http://test.doit.wisc.edu/
#6
Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
|
Thanks for posting this link. It's a very intelligent answer to that suspicious test posted on ZDNET.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#7
Prospect
Join Date: Feb 2006
Posts: 3
|
One thing I do wonder about now that Apple is moving to Intel chips. Hackers have much more experience writing assembly code for Intel chips than Power PCs since that's what most of them have. Many are experienced in Linux or Unix. And there are security holes in OSX just as in Windows. And Apple products are becoming more popular.
I expect this will soon be a hacker challenge, and most really good hackers can't resist a challenge, especially when they hear that "We've never been attacked! We're invulnerable!" All I can say is I've given up being smug. Be prepared.
#8
MVP
Join Date: Sep 2003
Location: New York
Posts: 2,211
|
Well certainly nothing is impervious to those really smart computer guys. But I think we can all agree that OS X is a much more secure alternative than Windows.
#9
League Commissioner
Join Date: Sep 2003
Location: Old Europe
Posts: 5,146
|
Hacking a box logged in and with physical access is certainly shooting fish in a barrel. But we hopefully all can agree as well that the sorry state of the competition security-wise is no reason to let stupid mistakes such as the shell-script-execution in Safari and Mail slide through. The huge amount of available shellcode-know-how for x86 out there makes buffer overflows even riskier than before. Apple would be well advised to include effective security QA at every stage of their development-effort and seriously audit their code that is certainly not even remotely close to the quality of for example OpenBSD when it comes to security. These days the bugfixes they constantly need to publish are not a lot less embarrassing than those of that other big competing OS, the only thing that is left is that OS X and Macs in general still look better. That might not be good enough in the long run...
#10
Triple-A Player
Join Date: Jan 2002
Location: Ohio
Posts: 161
|
More ZDNet bullshieße. Any OS would be hackable under those conditions.
*Promo* Vista! *Promo* Whatever happened to non-biased news sites?
__________________
The Mac: 1 GHz G4 (MDD Model), 1.25MB DDR2700, 2x320GB/80GB/60GB HDs, Radeon 9000, MacOSX 10.4.11 The PC: Q6600 OC'd @ 3.0GHz, 2GB DDR2-6400, 400GB HD, GeForce 8800GTS 512MB, WinXP Home
#11
Hall of Famer
Join Date: Jan 2002
Posts: 3,016
|
Someone else summarized this "news" story thusly:
"An anonymous hacker, by unannounced means, has hacked os x by way of an unpublished and unidentified security hole." That about says it all. No respectable journalist should have published this story.
#12
League Commissioner
Join Date: Jan 2005
Posts: 8,475
|
I think the so-called "computer security" companies are so scared that they're desperate enough to be behind these articles. It seems they'll do anything to convince Mac users that their systems are just as unsafe as Windows. This is the third "exploit" reported in the last month and all three have turned out to be lame.
#13
Hall of Famer
Join Date: Jul 2003
Location: Montreal
Posts: 4,782
|
It would make sense... Though for PC they still don't really want people to know that even Windows XP and server versions can be logged into (I admit with physical presence, but seriously a lot of places are almost as easy to get into as a Walmart) with a simple Linux disk.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#14
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
|
Yeah I am not a hacker, but if you give me physical access to a machine I don't care how locked down it is, I will be in the machine and have privileges pretty quickly. That goes with any type of machine. From the OS X Tiger DVD you can reset and create an admin log in. Once you have an admin log in you might as well have root access since you can sudo command all day long and only need an admin password to do so and not the root. Whereas in Linux if you try to sudo command it requires the root password, not the admin. I am sure you can change that, I just have not had a need to since we lock everything down from the open firmware level where I work, and simplified users accounts is all that users get. Still with physical access to a machine open firmware passwords don't mean much anyways.
#15
Moderator
Join Date: Jan 2002
Posts: 10,677
|
AppleMatters should never, ever, ever, ever, ever, ever, ever, ever be read by anyone who has a brain larger than a walnut.
#16
League Commissioner
Join Date: Jan 2005
Posts: 8,475
|
Here's an antidote: http://www.dtgeeks.com/index.php/blo..._macs_in_2010/
#18
League Commissioner
Join Date: Jan 2005
Posts: 8,475
|
He says the response has been strong. I would think that an attempt to hack into that system would be like lawyers asking questions. They don't ask a question they don't know the answer to, so why would a 'hacker' take a stab at somebody else's system unless they knew a way in? I guess a lot of people are just hoping to get lucky.