
Mac OS X web server security competition over in six hours

A recent "Hack My Mac" competition ended six hours after it started with a …

Late last month, a Swedish Mac fan posted a web site that challenged all comers to "rm my Mac," referring to the age-old Unix utility used to delete files. The machine was a PowerPC-based Mac mini. According to the site owner,

It runs a default install of Mac OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP. Software Update recently updated it to Mac OS X 10.4.5 and fixed some security issues. Yup, I should be pretty secure, shouldn't I?

Six hours later, the machine was hacked and the web page defaced. While the web site author said he was "quite confident this poor Mac will get rm'd at some point in time," the six-hour time to compromise was quite a surprise to him. As there was no cash prize associated with the contest, just a friendly challenge by an enthusiast to the web community, the story gained very little traction. However, following a ZDNet interview with the hacker, the Internet was suddenly abuzz with people talking about the story. The hacker, known only as "gwerdna," explained what he did to gain root on the machine:

"It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits—of which there are a lot for Mac OS X," the hacker said.

So is this a major story of a Mac OS X vulnerability, or a non-issue? The answer is that it's neither. To dig a little deeper, let's start by looking at the technical details of the hack.

First, the hack was a privilege escalation, not a pure remote exploit. The web site author had enabled SSH, the Unix "Secure Shell" tool that has replaced telnet as a means for accessing networked machines from the command line. He then configured an LDAP (Lightweight Directory Access Protocol) database and added a web-based interface so that visitors to the site could add their own shell accounts to the system. These shell accounts were given limited user access, so in theory they should not have been able to access or modify any files that were owned by the system or by other accounts. The hacker used a vulnerability in OS X to promote the privileges of this account, thus "gaining root" and becoming able to modify any file on the computer at will.

Needless to say, most web servers are not set up with the ability to give out free shell accounts to anyone who wants one. SSH is not even enabled by default on OS X, although server administrators can choose to enable it if they wish. So the "hacking" contest was not very indicative of the security of an OS X computer, even a web server, that is set up open to the Internet. However, this does not mean that the contest was of no significance whatsoever.
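The contest machine's real exposure came from its SSH configuration: any self-service account could log in with a password and then look for a local privilege escalation. The script below is an added example, not code from the article or from the contest site, that audits an OpenSSH `sshd_config` for the settings a defender would want tightened before handing out shell accounts. Both configuration texts are constructed samples (the contest machine's actual file is not on the page), and the parser is deliberately simplified: it applies sshd's "first value wins" rule but stops at any `Match` block.

```python
"""Audit an OpenSSH sshd_config for settings that widen the local-user attack surface.

Added example; the sample configurations are constructed and do not reproduce
the contest machine's real sshd_config.
"""
import re

# Constructed sample resembling a permissive setup: root may log in directly,
# passwords are accepted, and no AllowUsers/AllowGroups limits who can connect.
WEAK_CONFIG = """\
# constructed sample, not a real host's file
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

# Constructed hardened counterpart: key-only logins, root barred, and only
# members of one administrator-managed group may connect at all.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups ssh-users
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} using sshd's rule that the first
    occurrence of a keyword wins. Directives after a Match block apply only
    conditionally, so parsing stops there (simplification for this example)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith("match"):
            break
        # keyword and argument are separated by whitespace or a single '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # keep the first value seen
    return settings


def audit_sshd_config(text):
    """Return a list of (directive, finding) tuples; an empty list means no
    finding from these checks."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "unset") != "no":
        findings.append(("PermitRootLogin",
                         "root may log in directly over SSH; set to 'no'"))
    # OpenSSH treats a missing PasswordAuthentication as 'yes'
    if s.get("passwordauthentication", "yes") != "no":
        findings.append(("PasswordAuthentication",
                         "password logins accepted; prefer keys and set to 'no'"))
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append(("AllowGroups",
                         "no AllowUsers/AllowGroups: every account with a valid "
                         "shell, including self-service ones, may log in"))
    return findings


def main():
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for directive, message in findings:
            print(f"  {directive}: {message}")


if __name__ == "__main__":
    main()
```

Run against a real host by passing the contents of `/etc/ssh/sshd_config` to `audit_sshd_config`; the point of the `AllowGroups` check is that account creation (through LDAP, a web form, or anything else) should not by itself grant remote shell access.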

The Macintosh community has had a long fascination with "hacking contests." As early as 1997, Apple Europe endorsed a German-based "Hack-A-Mac" contest, where the winner had to deface a web page hosted on Mac OS 8 in order to win. That contest ended in controversy, with the site owner claiming that the winner, who did indeed modify the site's contents, exploited a vulnerability in a non-Apple third-party software package and so was not entitled to his reward. Ever since then, Macintosh owners have hosted dozens of hacking competitions, some of which have been hacked, and some of which have not. In fact, a new contest has just gone up in response to the one talked about in this story.

The real significance of this particular contest is not that the site was hacked (it was) or that the operator gave would-be hackers far more initial access than was necessary or even sensible (he did). It was not even that there are potential security holes in OS X, as this is well-known to any Macintosh user who reads the notes accompanying Apple's security patches in Software Update (the most recent of which fixed 20 known issues in the OS). No, the real lesson from this contest should be this: security is a non-trivial problem, and simply choosing one operating system or platform over another does not automatically solve the problem with no further thinking required.

Security has always been a balance between features and protection. After all, one can take any machine, disconnect it from the Internet and lock it in a steel safe, and have perfect security, but this would render the machine useless. The server operating system widely regarded as being the most secure, OpenBSD, gains much of its impressive record by merely not installing any services unless the administrator takes steps to deliberately enable them. Interestingly enough, the one remote hole found in the default install of OpenBSD over the last eight years was a flaw in OpenSSH. Yet despite the implications for security, SSH is a useful tool that many people wish to use on their servers to make their jobs easier.

And sometimes, security isn't even about the operating system at all. In 2004, a vulnerability in the popular phpBB web-based bulletin board was exploited by a Google-using attack bot. Over 70 thousand systems were defaced by this worm, which slipped right through a hole in the PHP server. Windows, Macintosh, and Linux systems were affected equally. Security by obscurity did not help one bit, as Google leveled the playing field for everyone on the Internet. As our computing systems become more complex and we continue to layer more and more third-party software on top of our operating systems, everyone needs to be aware of the issues and practice Skeptical Computing.
