Univ. of Wisc. Madison Mac OS X Security Challenge Update
If you remember, Mac sysadmin at the University of Wisconsin-Madison, Dave Schroeder, set up a Mac mini as a type of honeypot to challenge the "hacking" community to see if anyone could compromise a Mac OS X 10.4.5 system. The Mac mini in question was set up as an "out-of-the-box" system with Apple's security updates applied, and he turned on both SSH and Apache, two common Internet services, but not ones that the average Mac OS X user would ever enable.

Initially, the contest was set to end on Friday, March 10th, after which he would publish the details of his experiment. However, checking the site this evening, I see that he's scheduled it to end tonight at midnight (Central Time). Dave Schroeder also says that "the machine is under intermittent DoS attack. Most of the other traffic, aside from casual web visitors, is web exploit scripts, ssh dictionary attacks, and scanning tools such as Nessus."
Has the box been compromised? He doesn't say, but he will be publishing the results of the experiment (probably tomorrow). I'm very interested and intrigued to read what the end result will be, even if the news isn't good (i.e. the machine was actually compromised). Whatever the results, it's sure to be a better analysis of Mac OS X security than the misleading and poorly-designed example making the news rounds yesterday.
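Since the post reports that most of the non-DoS traffic to the exposed sshd was "ssh dictionary attacks", here is an added example (not code from the post or from Dave Schroeder's challenge) of how a defender would pick those out of the system log. The log lines are constructed in the format sshd writes to syslog; the IP addresses are documentation ranges and the thresholds (`min_failures`, `min_users`) are assumptions, not values from the post.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the challenge machine).
# 203.0.113.7 cycles through common account names, the signature of a
# dictionary attack; 198.51.100.9 is a real user who mistyped once and then
# logged in with a key; 192.0.2.55 makes two failed attempts against one name.
SAMPLE_LOG = """\
Mar  7 18:02:11 test sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  7 18:02:12 test sshd[4102]: Failed password for invalid user oracle from 203.0.113.7 port 51013 ssh2
Mar  7 18:02:13 test sshd[4103]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar  7 18:02:14 test sshd[4104]: Failed password for invalid user test from 203.0.113.7 port 51015 ssh2
Mar  7 18:02:15 test sshd[4105]: Failed password for invalid user guest from 203.0.113.7 port 51016 ssh2
Mar  7 18:02:16 test sshd[4106]: Failed password for invalid user user from 203.0.113.7 port 51017 ssh2
Mar  7 18:05:40 test sshd[4120]: Failed password for dave from 198.51.100.9 port 40221 ssh2
Mar  7 18:05:49 test sshd[4121]: Accepted publickey for dave from 198.51.100.9 port 40221 ssh2
Mar  7 18:09:02 test sshd[4130]: Failed password for invalid user admin from 192.0.2.55 port 33001 ssh2
Mar  7 18:09:03 test sshd[4131]: Failed password for invalid user admin from 192.0.2.55 port 33002 ssh2
"""

# "invalid user" appears when the account does not exist on the box at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def summarize(log_text):
    """Per-source failed-login counts, distinct usernames tried, and accepted logins."""
    failures = defaultdict(int)
    usernames = defaultdict(set)
    accepted = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            usernames[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m["ip"]].add(m["user"])
    return failures, usernames, accepted


def dictionary_attack_sources(log_text, min_failures=5, min_users=3):
    """Flag sources that fail many times or spray several distinct usernames.

    A dictionary attack walks a list of common account names, so a source that
    tries several distinct users is flagged even below the raw failure count.
    A legitimate user mistyping their own password once or twice is not.
    Thresholds are assumed defaults; tune them to the host's normal traffic.
    """
    failures, usernames, _ = summarize(log_text)
    flagged = {}
    for ip, count in failures.items():
        if count >= min_failures or len(usernames[ip]) >= min_users:
            flagged[ip] = {"failures": count, "usernames": sorted(usernames[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in sorted(dictionary_attack_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {info['failures']} failures, users tried: {', '.join(info['usernames'])}")
```

Run against the constructed log, only 203.0.113.7 is flagged: six failures across six different account names. The two-attempt source against a single name stays below both thresholds, which is the point of counting distinct usernames rather than raw failures alone. On a real host the same summary is what you would feed into a firewall rule or a daily report, and the "Accepted" matches tell you whether any of the sprayed sources ever got in.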
Reader Comments (Page 1 of 1)
Derek said 7:43PM on 3-07-2006
The challenge was to alter the web page file. If he's closing it early that means someone at UW Madison (read: over 40,000+ students and faculty) got really mad over the DoS attacks going through their network.
dombi said 8:00PM on 3-07-2006
Derek: you are probably right. The university sys admins were probably not very happy with this... I will be curious to find out what happened.
Bill Ferrell said 10:21PM on 3-07-2006
I notice he took the picture off the page. That was probably to reduce the page file size for bandwidth issues. Users on Digg were talking of just doing a DoS attack even though it proves nothing.
Damien Barrett said 11:24PM on 3-07-2006
Well, a lot of Digg.com readers aren't necessarily known for their sparkling intelligence. I'm not surprised there'd be a motley crew climbing all over themselves to attempt something as pointless as a DoS.
Wheels said 12:53AM on 3-08-2006
Would anybody trust this guy to tell the truth on whether or not the mini was successfully hacked into? I know my answer.
Preston said 1:58AM on 3-08-2006
From the site: "There were no successful access attempts during the 38 hour duration of the test period."
Alex Crouzen said 6:56AM on 3-08-2006
Wheels, why would he not be honest? Why would he go to the lengths he is to then just outright lie? Of course there is the possibility this is all a complex hoax, but the main reason I doubt it is, is a simple 'Why?'
There are no ads on the page, he won't be making a scientific journal with his findings, and Apple won't suddenly hire him as a 'security consultant' just because he put his Mini on the web and published his address.
Take his experiment with the correct amount of scepticism you need for reading anything on the web, and you're still left with a nice rebuttal of the earlier claims. If nothing else, it proves that people aren't sticking their head in the sand about Mac security issues.
ryan said 11:40AM on 3-08-2006
You wrote that this will be a better analysis of osx security than the previous example, but you seem to be confusing the original challenge with the shoddy coverage of it.
The coverage of the initial challenge made it seem as though there was a threat of osx boxes being compromised by simply being net-accessible, mentioning nothing about the fact that local account privileges had been given.
This challenge attempts to test osx's vulnerability to net-accessibility *as it was represented* in the media coverage - i.e. leaving aside issues of having local accounts and just seeing if the box can hold up to attack with ssh and http open.
BUT... (and this is the important part) if you look at the previous challenge and not the erroneous coverage of it, then there is still a potential security issue - an issue which is more serious and interesting than simply testing ssh and apache in an osx install.
In the initial challenge someone with a local user account was able to achieve an escalation of user privilege via ssh. Given that much of osx's security depends upon the multiple users/different privileges paradigm, this escalation DOES represent a serious security flaw. Compared to the known stability of ssh and apache, this escalation vulnerability is much more serious and worthy of being tested.
The second challenge is an understandable response to poor coverage, but it is hardly a cutting-edge test of security. This doesn't invalidate it, but neither does it make it the "better analysis".
MacGuy said 3:32PM on 3-08-2006
I think the point is that being hacked by some unknown hacker on the internet would be a much larger security problem than being hacked by someone you know, someone you have given a user account to. A family computer doesn't generally run the risk of being hacked by your 8 year old daughter. But if OSX is vulnerable to hacking just by being connected to the web, that's a huge issue.
So in that sense it IS a better test and it is likely that his post-challenge discussion will be a better analysis of OSX's security and vulnerabilities, because a. he won't gloss over the details (hopefully) b. he isn't someone with a history of shoddy reporting and bias specifically against OSX. This Munir guy at ZDnet Australia is an idiot and it's not the first time he's written ridiculous articles of half-assed research and outright lies.
Looks like the MacMini was not successfully hacked. But I wonder, wouldn't it be hard for a hacker to get to the MacMini with all the DoS attacks? Seems hard to rate the success of this hack challenge if the hackers couldn't hack because of all the script kiddie attacks.
Derek said 6:54PM on 3-08-2006
Earlier today the site said they had a load of over 30Mbps during the DoS attacks. Now it has this simple text:
Yesterday we discovered the Mac OSX "challenge" was not an activity authorized by the UW-Madison. Once the test came to the attention of our CIO, she ended it. The site, test.doit.wisc.edu, will be removed from the network tonight. Our primary concern is for security and network access for UW services. We are sorry for any inconvenience this has caused to the community.