I take security exploits seriously. I'm responsible for many hundreds of Macintosh computers that reside in many different environments, not to mention half a dozen Xserves, several of which are production boxes open to the world. When a security exploit is announced, I look to see whether it will impact my workstations and servers and whether I need to take immediate action. And with the exception of the recent Safari exploit that was patched last week by Apple's Security Update 2006-001, there hasn't yet been a single vulnerability that significantly affects my computers' operations. [Note: reader Brent points to a ZDNet article, just published a few hours ago, that claims Apple hasn't adequately fixed the Safari exploit in question.]

So when an article claiming "Mac OS X hacked in less than 30 minutes" popped up on my news radar last night, I read through it and quickly dismissed it as a non-story, and a journalistically unsound one at that. Neither this article nor any of its copycats (more than six by now) has bothered to even attempt to actually explain the "hack" or the "exploit." Plain and simple, folks, these articles are full of hype, empty of facts, and are bunk:
1) The person who set up this "hacking challenge" set up a script that created a non-admin user and password for anyone who wanted to try. SSH was enabled for each of these users. I mean, of course someone was able to get access to the box--he let them in! After which the "hacker" was able to take advantage of an unpublished exploit to escalate his non-admin account to execute administrative tasks. This violates the very first and most important rule of securing a computer, by giving external access to users who shouldn't have it and don't need it. I certainly don't go around enabling SSH for my Mac users, do you? For the record, SSH (called Remote Access in the File Sharing System Preference) is disabled by default on Mac OS X workstations, and on Mac OS X Tiger Server there's even a GUI for allowing or disabling SSH access for individual users. Mac OS X workstation users can modify the sshd_config file in /etc.
2) the built-in firewall in Mac OS X doesn't appear to have been turned on. Nor was this machine reportedly behind any other kind of firewall. Yes, of course some people are going to connect their Macs directly to their broadband lines without any kind of firewall or NAT/router in between, but I bet it's a lower number than you might think. Even a simple layer of NAT is better protection than nothing. Go ahead, Mr. Hacker/Script Kiddie, you can pound on my router all you want, but without port forwarding, you're probably not going to get very far unless you hijack the router itself, and then the security flaw is with the router, not the OS.
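Point 1 comes down to a configuration question: who, if anyone, is allowed to log in over SSH? The following POSIX shell script is an added example, not code from this post or from Apple; it audits an sshd_config file for an explicit allow list (AllowUsers/AllowGroups) and for PermitRootLogin, using the rules sshd itself applies (first occurrence of a keyword wins, keywords are case-insensitive, comment and blank lines are ignored). The sample config it writes is constructed for the demonstration, and the choice of directives to check is my assumption of what a locked-down workstation should look like.

```shell
#!/bin/sh
# Added example (not from the post): audit an sshd_config for the account
# restrictions a locked-down Mac OS X workstation should carry.

# Print the effective value of one directive. sshd honours the FIRST
# occurrence of a keyword, treats keywords case-insensitively, and skips
# comment and blank lines. Prints nothing when the directive is absent.
sshd_directive() {
    # $1 = path to sshd_config, $2 = directive name
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            print
            exit
        }' "$1"
}

# Succeed (exit 0) only when logins are limited to an explicit allow list,
# which is what a per-user SSH policy looks like in sshd_config terms.
sshd_restricts_users() {
    [ -n "$(sshd_directive "$1" AllowUsers)" ] || \
    [ -n "$(sshd_directive "$1" AllowGroups)" ]
}

# Succeed only when the config does not let root in over SSH.
sshd_denies_root() {
    [ "$(sshd_directive "$1" PermitRootLogin)" = "no" ]
}

# Write a constructed sample config (the "after" of a lockdown) to $1.
write_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample sshd_config for the audit functions above.
Port 22
PermitRootLogin no
# only these two workstation accounts may log in remotely
AllowUsers alice bob
# a later duplicate is ignored: sshd keeps the first value ("no")
PermitRootLogin yes
EOF
}

# Stand-alone run: audit the sample and print a one-line verdict per check.
tmp=$(mktemp)
write_sample_config "$tmp"
for check in sshd_restricts_users sshd_denies_root; do
    if "$check" "$tmp"; then echo "$check: PASS"; else echo "$check: FAIL"; fi
done
rm -f "$tmp"
```

Point the functions at the real file (on the Tiger-era layout the post describes, /etc/sshd_config) to audit a machine. The script only reads configuration; whether sshd is actually listening is a separate question that the Remote Login checkbox or the firewall decides, so a failing audit matters only on machines where SSH is switched on.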
Look, I'm not even trying to defend Mac OS X here. Yes, there are certainly some security vulnerabilities that Apple (and others) have uncovered and then patched. And there are definitely some that are undisclosed and undiscovered. However, this schmoe's "hacking contest" is ridiculous. It's like someone parked their car in a public lot and then taped keys to the car all over its hood.
I'm also not saying that we Mac users should ignore security measures. Of course we should pay attention to the security incidents that come about in Mac OS X, just as we should pay attention to the inevitable viruses and/or Trojans that will attempt to invade our computing platform. However, these articles are poorly written and laughable jokes, and now I'm seeing bloggers reposting that "Mac OS X can be hacked in less than 30 minutes," adding to the echo chamber of misinformation. This machine was compromised from the inside with a known user account and password and with a granted attack vector (SSH)!
Good sysadmins are paranoid, and we're going to watch the development of our operating system and take measures to protect it as it grows in popularity. But when it comes to evaluating the security of this operating system, I'm going to pay attention to the people who work with it every day, not the PC-oriented technology writers who've likely never even used Mac OS X, let alone configured its excellent built-in security measures. Such people can be found on the Mac Enterprise and Radmind mailing lists, AFP548.com, and Apple's Mac OS X Server mailing list, just to name a few. And so far, they're not running around screaming that the sky is falling (unlike some PC magazine "technologists"), so why should we?
In the meantime, Mac sysadmin Dave Schroeder at University of Wisconsin Madison has set up a Mac of his own as an "out-of-the-box" security challenge. You can read more about it here and even take a shot at compromising it. Note that Dave's Mac security challenge does not give you the crutch of a user account and ssh access, which is a much more realistic scenario.
Reader Comments (Page 1 of 1)
3-07-2006 @ 7:21AM
EJ said...
Well gee, if you have physical access...
1) Insert Linux Live CD
2) Mount Main HD
3) Navigate to etcpasswd.txt and copy it to a memory stick, external HD, etc.
4) Unshadow the file by using UNSHADOW in john the ripper
5) Run john the ripper on the unshadowed Hash file
6) Enjoy your newly discovered Admin password for that machine.
Reply
3-07-2006 @ 7:23AM
William Jackson said...
I saw this listed on digg
http://www.rixstep.com/1/20060306,00.shtml
Has anyone checked it out? Does it have legs?
Reply
3-07-2006 @ 7:56AM
Goobimama said...
I use filevault on my account. I don't think anyone can get through that..
Reply
3-07-2006 @ 8:51AM
Joe said...
There are some reasons why Mac OS X might legitimately be set up to give local accounts ssh access. You can't dismiss local account escalations out-of-hand simply because 99% of configurations would not or should not be set up that way. The other 1% need to be secure too. And given how easy it is to turn ssh on (one click) and how useful it can be, I wouldn't be surprised if far more than 1% of Mac users have it turned on.
Reply
3-07-2006 @ 9:09AM
Brent said...
Speaking of hype, empty facts, and bunk - that Safari exploit isn't fixed yet, Chief:
http://news.zdnet.com/2100-1009_22-6046588.html?tag=zdfd.newsfeed
Reply
3-07-2006 @ 9:45AM
Damien Barrett said...
I've updated the article to point to the ZDNet story in question. And while this article makes some salient and valid points about the Safari exploit, refuting one point of my TUAW article doesn't necessarily refute the entire thing.
My point remains: this "hacking" contest is laughable. Granting SSH access, a username and password to anyone who wants one, and not putting the machine behind any kind of firewall (not even a simple NAT layer) is giving the attackers far more information than would normally be available. Of course the machine was compromised.
Reply
3-07-2006 @ 10:03AM
Andrew Montgomery said...
William Jackson,
- Yes. It definitely has legs. And Apple certainly thought so. That's why they fixed it in Tiger. Older versions of Retrospect and Timbuktu used to install a startup item in /Library/StartupItems with the wrong permissions. Tiger would refuse to run them until you agreed to "Fix" them and restart.
Goobimama,
- MacKrack may be able to brute force the password on your .sparseimage (your file vault file). But even without that, a keystroke recorder loading in either /Library/StartupItems or /System/Library/StartupItems or more likely /System/Library/Extensions will have your password in a heartbeat.
Joe,
- I think your point is very valid. Even most IT people have this naive belief that a good password makes everything ok. I'm certainly included in that group more often than I'm comfortable admitting. As a Macintosh Administrator, the idea of account escalation by exploiting a bug in the code is such a Windows concept that I can barely believe it, much less anticipate it. And yet I read through those security announcements Apple sends out and blink in wonderment. If one guy was paying close attention and found an undocumented exploit (yes, this is an assumption, but bear with me), what's going to happen when Mac OS X really *does* become popular? And all those script kiddies - hundreds of thousands or even millions - are banging away through newsgroups, IRC chat rooms, websites, etc., looking for (and now finding) exploitable code in our beloved Mac OS?
Don't confuse either my post or the original article as crying about the sky falling. But I'm going to make a concerted effort to turn off SSH on any workstations I control... and keeping them that way.
Reply
3-07-2006 @ 11:36AM
Pete said...
#1 Most hackers don't have physical access to your machine
Reply
3-07-2006 @ 11:48AM
sean said...
the whole thing smells too much like a stunt set up by the "anti" virus community.
isn't it great when they ask the "expert" from Norton to weigh in and he goes on to explain that both Macs and PCs should keep their anti-virus software up to date. i might be a bit of a conspiracy theorist, but i do believe that most viruses have been let loose by the same companies that protect us from them.
Reply
3-07-2006 @ 12:49PM
lieven Dekeyser said...
The biggest problem is the escalation.. if this security leak is combined with the harmless worms that have surfaced a few weeks ago, these could suddenly become quite harmful...
Reply
3-07-2006 @ 2:29PM
teece said...
Amen.
The hack in question was a LOCAL privilege escalation. Such things are serious. But it was marketed by idiot reporters as a REMOTE root exploit.
There is a world of difference.
Also, except for something like trusted Solaris or OpenBSD, local privilege escalation is a major, major problem that is very, very hard to stop. Hackers say the exact same thing about Linux and Windows -- give them access to the local machine, and they'll have root in minutes unless it's very hardened.
A final note: this hack most likely had nothing to do with SSH, and talking about enabling SSH as some great hole is silly. The unpublished exploit this guy used was not in SSH. It was something weird, probably like rcp or ntp or who knows what odd Unix utility that runs with root privileges on Mac OS X. And he was only able to exploit said vulnerability because HE WAS GIVEN AN ACCOUNT ON THE BOX.
Reply
3-07-2006 @ 2:49PM
Damien said...
Maybe I wasn't as clear as I thought I was being in the article. Despite what some people are saying in the comments and elsewhere, the vast majority of Mac OS X users don't have remote access (SSH) enabled. And therefore, can't really be seen as an attack vector for most users. Yes, of course there are people who enable it, but I'd be willing to argue that it's a lower number than most. And therefore, I feel it *is* an important point to make. This article was written as if Mac OS X "out-of-the-box" could be hacked and that's just not true.
Reply
3-07-2006 @ 3:15PM
teece said...
ssh is an *attack vector* only if ssh itself is attacked, at least in the way I would use that term. The fact that the guy accessed the hacked Mini remotely via ssh is completely ancillary. The salient issue is that he had an account on the machine. Maybe I'm just being pedantic, or the term is being used in a broader sense. (To me, the attack vector here was not ssh: the attack vector was some other bit of buggy software, that happened to be accessed via ssh, with an administrator granted, local account).
Enabling ssh opens you up to exploits in ssh. It does not open you up to people having local accounts on your machine, which is what the problem was here.
The problem was that this guy gave a malicious stranger an account on his machine (and that he didn't know squat about any other security measures, it seems. Hardening a system against local exploits is the most difficult of security tasks, and this guy doesn't seem to have been up to even the easiest of security tasks).
So sure, the average Mac user won't even have ssh turned on, but it doesn't matter (in this context) if they do. This was a local exploit, not a remote one. The difference is utterly crucial, and it was never mentioned in any of the articles I read on this hack.
Linux machines were rooted by the hundreds a few years ago because of a buffer overflow in openssh that allowed remote attackers to gain root access (without any account or passwords for the machine). That is the kind of vulnerability that opening up ssh exposes you to -- there is absolutely no evidence that this was the kind of vulnerability exploited here, so ssh is ancillary, at best. That is also the kind of remote root exploit that this Mac OS X hack was billed as, and it is absolutely nothing of the sort.
Reply
3-08-2006 @ 5:42PM
Wouter said...
http://test.doit.wisc.edu/ was taken offline not more than an hour ago, apparently on the orders of the CIO of UW-Madison...
Reply