Silly Macs, You got Hacked Again.
abudhu
03-06-2006, 12:01 PM
Article:
http://www.zdnet.com.au/news/security/soa/Mac_OS_X_hacked_in_less_than_30_minutes/0,2000061744,39241748,00.htm
In the words of Homer Simpson:
"D'oh"
The time of the Apple Hacks is at hand. Dun-Dun-Dun.
fischerm
03-06-2006, 12:27 PM
Ack! That's 2, no 3 times in the past 10 years! Hmm what to compare this to...
powellm
03-06-2006, 12:43 PM
Actually Mark, it's two, three times in the last 2 months...
amccabe
03-06-2006, 01:29 PM
you guys have the wrong idea...
this isn't something people should be concerned about. it was a competition for anyone to gain root access on a mac mini that was acting as a server.
it isn't a security vulnerability or virus or spyware or anything
but it is an interesting article
abudhu
03-06-2006, 02:08 PM
Exactly. It was just an interesting article. He hacked it in 30 minutes! In any case I would disagree in terms of "this is nothing to worry about." Considering said hacker mentioned there are a great many holes in mac security that have not been disclosed, patched, and/or otherwise fixed.
*Gently pats macintosh*
"It's going to be ok"
Are Mac users in denial? I'm just curious...
abudhu
03-06-2006, 03:43 PM
And a follow up challenge:
http://test.doit.wisc.edu/
Interesting Read as well. U of Wisconsin is now holding a "Hack this mac" challenge. Neat.
No, Mac users are not in denial. It'd be foolhardy to be so in this day and age. However, yeah, there are 2-3 viruses out there for people who chose to make them, probably because they were pissed off that people said it couldn't be done. But I don't think my machine is any less secure because a dude was able to hack into a mac in a half hour.
Can it be done? Of course and this story was a proof of concept. Does it worry me? Not really. If a person wanted to target me for identity theft or whatever, they'd get what they want. I just make my mac and my network more unappealing than another one around my neighborhood.
To me this is kind of like a dude who is on fire laughing at a guy who burned his fingers. They're both hurting, but the dude on fire is in worse shape.
jharriso
03-06-2006, 09:21 PM
Ironically, I'm betting mac users are more likely to go to Burning Man.
[/bad pun]
If this is the same article I read earlier, the guy that hacked the mini did so by getting in via SSH and promoting himself to superuser - seeing as many mac users (or PC users) don't enable SSH into their computers, I don't think this particular exploit will be happening to a majority of users any time soon.
//probably going to disable SSH on my iBook and PC once I get off out of paranoia
http://apple.slashdot.org/apple/06/03/07/1324256.shtml
http://test.doit.wisc.edu/
I guess the article hit a nerve with the University of Wisconsin.
EDIT: I missed Amit's post about the exact same thing a bit higher
powellm
03-07-2006, 09:52 AM
Lars,
Great analogy man.
trees
03-08-2006, 07:26 PM
My apologies for not jumping in earlier. It would have stopped the spread of disinformation that seems to have become a hobby.
Look people, nobody in a professional Mac position, and that includes Apple, has ever stated that OS X is un-hackable, immune to security flaws, or anything of the like. Everybody agrees that sooner or later somebody will find a way without social engineering to spread some Mac OS X malware. BUT IT AIN'T HAPPENED YET! And we are doing no good for the University of Arizona students and other community members to be spreading FUD and disinformation around because we didn't bother to really look into it before repeating the supposed information. And when it does happen, Mac users will have heard "Wolf" cried so many times they will ignore the real threat when it does get here.
Let's take all these terrible, deadly, critical items one at a time:
Leap-A - this isn't a security hole in any manner whatsoever. It is simply old style social engineering at work. I would imagine that most of you learned long ago, perhaps about the age of 5, that you don't open files that you know nothing about. This thing even has to be opened twice! If you are in the habit of opening files that you didn't expect, you don't know how they got there, you don't know what's inside, but it has a cool name (maybe something like nakid_amit.gz), it's hard to feel too sorry for you. And twice as hard if you work for OSCR. However, I don't know any professional IT people who would consider this any kind of security threat. At least, not those who aren't in the business of making money off of malware.
The oh-so critical "Safari Vulnerability". Do you people realize that this was addressed over a year ago??? It gets "found" every so often. By companies who sell AV software and self-described security detectives. A single click setting in the browser, one well published by Apple, solves the whole problem. And has for a long time. And even more, and once again, it also is spread not by viral action, but by social engineering. You have to deliberately download the malware file. Even though you have no clue what is really inside. Jeez.
30-minute Hack - which is obviously not a hack at all. It was an unauthorized escalation of privilege level. Which is serious of course, and a problem found in all OSs. But did you see that the alleged compromise didn't include a break-in through SSH? But that they were actually given an SSH account from the admin of the machine, and then escalated the privilege level??? Whole different slant on that one.
But this is the best part: it appears that the escalation wasn't even through the standard OS X software. The owner of the mini had set up some custom ldap software and config to allow people to create their own account. Yeah, you heard that right. Anybody could set up their own SSH account remotely. Gee! and that caused a bit of a problem. Who would'a guessed!
Inqtana - this is the Bluetooth Disaster. Do any of you actually sit around your Bluetooth device and, when queried by your device, calmly OK the downloading of a file from some stranger that happens to walk by? You have to actually accept the data transfer manually!
"Hi there! Yeah, sure, I'd love to download some malware from you! What was your name? Want to go out for a drink?"
The only really bad thing about Inqtana was the corrupt IDE file that Sophos distributed a couple weeks ago, causing the loss of LOTS of work and files after misidentifying 100s of non-existent Inqtana infections on individual machines on a global basis, and then deleting perfectly good files on machines configured according to Sophos instructions. Thankfully, most Mac users were wise enough to not trust the software or software company that wants so desperately to sell their unneeded product to them.
Yes, that's right, UNNEEDED! As of this point, and yes, it will change, the only real good you get out of Mac Sophos (or whatever AV for Mac) is to be a good citizen and not spread the Windows malware you get from your Windows friends.
As I recall from my student days, critical thinking was a trait that they tried hard to impress into students. I doubt that has changed. Check the facts out, thoroughly, and impartially, before jumping on the wagon with all the rest of the choir members who dearly love to hear themselves sing.
And try and remember that it is quite immature to gain happiness from others' pain, and even look forward to the day it happens, just because you have made personal computing decisions that inflict you with pain on a daily basis. It takes a really mature person to rise above the "misery loves company" syndrome.
Trees
abudhu
03-08-2006, 07:35 PM
:-X
I just thought it was a cool article, and challenge...but ok :)
---
Edit:
Before I forget. If you didn't happen to visit the UW page before tonight, you would have seen the challenge was closed and that in the 30ish hour period no one who attempted to hack it was able to.
As of a few hours ago:
Yesterday we discovered the Mac OSX "challenge" was not an activity authorized by the UW-Madison. Once the test came to the attention of our CIO, she ended it. The site, test.doit.wisc.edu, will be removed from the network tonight. Our primary concern is for security and network access for UW services. We are sorry for any inconvenience this has caused to the community.
Yikes!
fischerm
03-09-2006, 10:29 AM
My main benchmark has been: from the time of a new OS installation, how fast can I patch the machine up to be 'safe' before it's WTFPWND by countless exploit scanning bots. Currently today, it's still a risky proposition to install anything below Win XP SP2 on a fresh computer and plug it into a network. Macs on the other hand simply don't have huge numbers of bots attacking it.
Does this mean the Mac OS is inherently more secure? No.
Does this mean I am less likely to be infected when I plug my new un-patched mac into a network? Yes.
Patching is absolutely required, and not to be taken lightly. However there have been times where it's simply impossible to get a Windows machine patched before it gets infected. It has to be patched by downloading the updates on an already safe computer, and then transferring them to the new computer while it is still offline.
If the roles were reversed somehow, and Mac OS X suddenly became 95% of the computers in the world, I think the situation would be different. That just simply isn't the case right now.
Granted, it has been 8 months or so since I had to do this. Has the situation improved much? How does OSCR Underground handle fresh installs of the OS?
The marketshare argument against OS X security is a rather questionable one IMHO - not to say that a larger marketshare wouldn't make OS X a much more interesting target to potential hackers (if this is indeed the year of Apple taking over the desktop computer world, we'll see a number of exploits popping up), but the roadblocks to getting into an OS X system are far different and greater than the roadblocks to getting into a Windows box - if for no other reason than the fact that, as a *NIX derivative, it's designed for multi-users with limited permissions (Edit: limited permissions - a policy Windows Vista is adopting with good reason).
Actually, the guy that started the University of Wisconsin challenge succinctly spelled out OS X security in his comment here:
http://slashdot.org/comments.pl?sid=143848&cid=12055587
That's not to say that I don't install all security updates for all OSs on all of my computers, including OS X (I also wish that OS X would ship with the firewall already enabled and set to anonymize) - regardless of the operating system or track record, nobody's ego should get in the way of good security.
amichel
03-09-2006, 12:14 PM
I think the core that Mac OS is built on is inherently more secure than Windows. The current and past NT kernel and core software are consistently at fault. Microsoft has admitted as much in interviews talking about the reasons for a ground-up rewrite for Vista. The XP/2k kernel was not designed with security in mind.
As to giving Microsoft a pat on the back for staying on top of their security issues, that's just nonsense. I don't get all giddy when Ford does a recall on Explorers and think to myself how great it is that they still keep up with the Explorers considering all the other cars they make. It's just flawed reasoning. Sure it's a big job, but they gave it to themselves through weak coding and testing at the outset.
Much as Tom said though, what I'm most sick of is this despicable schadenfreude from every Windows pundit in the world every time an uninformed techno-rag finds any reason to shoot their mouth off about Mac OS security. Summarily, grow up. Security is a problem that affects everyone, and the worst you can be in this climate of FUD is a mouthpiece for every bit of drivel published on the web. Due diligence is the name of the game. I guarantee the tech sites aren't doing their homework, which means we have to. As IT professionals, it behooves us, staff and student-staff alike, to make understanding these issues a priority. Users look to us for guidance and opinion in technology, and for most, we're an authoritative source so what we say will stick. That settles the responsibility on us to make our best effort to put good information in their hands and not promote confusion and misunderstanding.
Right here, if this were a movie, it'd be the scene where Adam gave an impassioned speech in front of a kind of hostile audience. He finishes his speech and there is silence. But then one person stands up and starts clapping, and one by one other people start clapping until the auditorium is in raucous applause. That first person would be me. Way to go Adam.
When I visit the U of A for spring break, I'll buy you a cold one of whatever one you want.
amichel
03-10-2006, 09:06 AM
I'm hoping for the OSCR in 2007.
*ba-dum dum*
But seriously, unencumbered, chilled libation is something of a passion of mine. If you're on campus, 626-2700 is my office, Frog's a short walk. :D