Hack a Mac, get $10,000


MacBytes
Apr 20, 2007, 11:33 AM

Category: Mac OS X
Link: Hack a Mac, get $10,000 (http://www.macbytes.com/link.php?sid=20070420123351)
Description:: none

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

gauchogolfer
Apr 20, 2007, 11:42 AM
From the article:

CanSecWest organizers have set up the MacBooks with all security updates, but without additional security software or settings. Attendees are able to connect to the machines via the access point through Ethernet or Wi-Fi.

So, does this mean the firewall is turned on or off? It's normally on by default, but I'm not clear as to what they've done here.

I'm interested to see how this pans out.

SPUY767
Apr 20, 2007, 11:53 AM
I have a feeling that this will be a better competition than the last Hack my Mac competition which was BS. I mean, people aren't going to be throwing around 10G's lightly, unless of course it's an anti-marketing ploy by Microsoft to make it just hard enough that it takes long enough to get exposure, of course, in that case I would expect to see a side-by-side test with a Vista machine.

djstarrock
Apr 20, 2007, 12:05 PM
From the article:



So, does this mean the firewall is turned on or off? It's normally on by default, but I'm not clear as to what they've done here.

I'm interested to see how this pans out.
The firewall isn't on by default; it never has been.

gauchogolfer
Apr 20, 2007, 12:11 PM
The firewall isn't on by default; it never has been.

Are you sure? When you go into Preferences and look at what ports are open by default, there are no boxes checked for anything. You have to manually set the Sharing preferences along with the Firewall ports to be open. At least this is how I remember setting up my machine at first.

aranhamo
Apr 20, 2007, 12:20 PM
Are you sure? When you go into Preferences and look at what ports are open by default, there are no boxes checked for anything. You have to manually set the Sharing preferences along with the Firewall ports to be open. At least this is how I remember setting up my machine at first.

The services are all turned off by default, but that's not the same thing as having the firewall turned on.

mklos
Apr 20, 2007, 12:51 PM
The services are all turned off by default, but that's not the same thing as having the firewall turned on.

Exactly! The Firewall is its own separate tab in the sharing system preference and it's OFF by default.

mklos
Apr 20, 2007, 12:53 PM
I like how they show MacBook Pros in the pictures of the original article and say they have MacBooks set up. :D

And of course the story comes from Cnet, the most anti-Mac site out there!

gauchogolfer
Apr 20, 2007, 01:00 PM
The services are all turned off by default, but that's not the same thing as having the firewall turned on.

Fair enough. I guess it's been so long since I've installed OS X that I forgot how it came 'out of the box'.

Thanks.

Diatribe
Apr 20, 2007, 01:07 PM
Does anyone know whether the firewall is on by default in the Leopard beta? (If that doesn't break NDA)

nagromme
Apr 20, 2007, 01:07 PM
I always thought it was odd that the Firewall was off, since it seems harmless to have it on. But I know people with broadband already have a firewall in their router/modem anyway--protection that this contest doesn't seem to give the targets.

Note that a human expert sitting down and spending time hacking into one particular Mac is MUCH easier (assuming it's possible) than making malware that does so automatically and spreads itself across the Internet, Windows-style. It's a first step, though.

johnee
Apr 20, 2007, 01:15 PM
This will be VERY interesting!

Sorry folks, but I believe someone will do it. There's a reason Apple provides Security updates!

SPUY767
Apr 20, 2007, 01:17 PM
Simple fact is, this hack only applies if you're using on the same network with the hacker considering how it's set up. The last Mac Hack BS was set up on a static IP without a firewall of any sort. Fact is, most ISPs don't let your computer receive anonymous packets anyway in order to prevent people from hosting a website or the like. In addition, most home networks are going to be behind 2 firewalls, the one in the DSL/Cable modem and the one in the router that they are likely using. So unless the hack takes a half hour or so, it's pretty much irrelevant because most of the time you're not going to be on a public network for all that long.

johnee
Apr 20, 2007, 01:21 PM
Simple fact is, this hack only applies if you're using on the same network with the hacker considering how it's set up. The last Mac Hack BS was set up on a static IP without a firewall of any sort. Fact is, most ISPs don't let your computer receive anonymous packets anyway in order to prevent people from hosting a website or the like. In addition, most home networks are going to be behind 2 firewalls, the one in the DSL/Cable modem and the one in the router that they are likely using. So unless the hack takes a half hour or so, it's pretty much irrelevant because most of the time you're not going to be on a public network for all that long.

You do make an excellent point. I think this competition is only open for 2 days, and it was announced in late March, so not sure if that's enough time, but we'll see!

nagromme
Apr 20, 2007, 01:25 PM
Regardless of whether any hacks would work in the REAL world or not, if they reveal some previously unknown bug that Apple can then fix, then the contest is good in my book! (And if nobody succeeds, that's cool in a different way :) )

What exactly IS the timeframe? The only info I see online (which doesn't mention $10k) is:
http://cansecwest.com/post/2007-04-19-12:30:00.Gentlemen_Start_Your_PWNing

winmacguy
Apr 20, 2007, 01:54 PM
Here is an update article

MacBooks survive day one in hacker jungle
VANCOUVER, BC -- Two tricked-out MacBook laptops have survived the first day of a 'PWN to OWN' contest that dared hackers to take control of default Mac OS X installations.
The contest started around midday Friday Thursday, the second day of the CanSecWest conference here and triggered interest from hackers in attendance but it was not immediately clear just how many attempts were being made to break into the machines.

Organizers say they have seen "some activity" on the network set up with the two new MacBooks -- a 17" and a 15" -- but details remained scarce when the day ended. According to a report, Tipping Point's Zero Day Initiative has added a $10,000 bounty to the first hacker who launches a successful attack with a new, yet-to-be-patched vulnerability.
http://blogs.zdnet.com/security/?p=173

johnee
Apr 20, 2007, 01:55 PM
Regardless of whether any hacks would work in the REAL world or not, if they reveal some previously unknown bug that Apple can then fix, then the contest is good in my book! (And if nobody succeeds, that's cool in a different way :) )

What exactly IS the timeframe? The only info I see online (which doesn't mention $10k) is:
http://cansecwest.com/post/2007-04-19-12:30:00.Gentlemen_Start_Your_PWNing

Yeah, that's where they announced the challenge, and I think the conf. was April 18 - 20, so today is the last day! There's two possibilities at the close of the challenge: no/little news of no successes or news all over the place of a success.

winmacguy
Apr 20, 2007, 02:34 PM
According to the second article, they are going to lower the barriers to hacking the Macs on the second day if no one makes any progress. Sounds kinda lame if you ask me.

nagromme
Apr 20, 2007, 02:55 PM
They left these machines intentionally "vulnerable" in some ways, which is a good experiment to make.

But it would be a better experiment if they left ONE machine vulnerable like that, and made the other one more of a common REAL world scenario--with the full $20k as prize :)

The second machine would not give hackers the help this contest gives them:

* Firewall off

* No router/modem/gateway

* Known IP address

* Access given freely to a local network connected to the target

* Both wired and wireless connections allowed

I'm not an expert, but it seems to me that it would be more realistic (outside of hotspots) to make one machine a target where you have to find the IP address on your own, then get through OS X's firewall and a router/gateway like any broadband user has. No access given to the LAN, and no wireless (because that would require an attacker to be nearby).

mklos
Apr 20, 2007, 03:05 PM
Does anyone know whether the firewall is on by default in the Leopard beta? (If that doesn't break NDA)

In the Leopard beta that I have it's not enabled by default. Apple is not Microsoft and doesn't turn every possible option on by default. Apple believes in choice...

Diatribe
Apr 20, 2007, 03:06 PM
In the Leopard beta that I have it's not enabled by default. Apple is not Microsoft and doesn't turn every possible option on by default. Apple believes in choice...

The last sentence is the most ironic I have heard in a while. :p

nagromme
Apr 20, 2007, 03:12 PM
The last sentence is the most ironic I have heard in a while. :p

I'll give you a MORE ironic one: "Microsoft believes in choice." :o

nagromme
Apr 20, 2007, 03:59 PM
This link explains how they are making the contest easier over time if nobody succeeds:

http://blogs.zdnet.com/security/?p=173

"On the second day, the barrier will be lowered a bit and the attackers will be allowed to put exploit code on a special wiki and launch drive-by exploits on the Mac's built-in Safari browser. If the machines survive this level, the attacker will be allowed to connect to over USB or Bluetooth."

We're on the second day now I think. If they withstand this, then tomorrow we get attacks that require someone to be physically in the same room as the machine. Then on Sunday, I assume icepicks will be allowed :)

We can be pretty sure it's not just attendees whose expertise is being used in these attempts: with $10,000 at stake, you can be sure people are reaching out to hackers around the world for ideas. (I just hope they admit it's for a contest and share the prize!)

(Just imagine if they REALLY wanted to protect the file, and enabled OS X's File Vault.)

ogee
Apr 20, 2007, 04:23 PM
So unless the hack takes a half hour or so, it's pretty much irrelevant because most of the time you're not going to be on a public network for all that long.

Bull.

There are a vast number of people who have DSL flat rate and remain constantly connected to the internet at home, and of course all the business users on the net.

I know of only one person who still uses dial up, (my sister who is on ISDN dial up).

gauchogolfer
Apr 20, 2007, 04:31 PM
Bull.

There are a vast number of people who have DSL flat rate and remain constantly connected to the internet at home, and of course all the business users on the net.

I know of only one person who still uses dial up, (my sister who is on ISDN dial up).

I think the key in that phrase was 'public network'. You are describing someone on a private network, where they are behind a router.

Analog Kid
Apr 20, 2007, 05:43 PM
All this sounds perfectly fair to me. Not everybody uses a home router-- many just plug a cable into their DSL modem. Increasingly people are using public WiFi. Having a router in place, I think, might actually make the problem easier for the hacker-- a lot of routers have vulnerabilities of their own. Going from an unknown IP to a known IP is a pretty trivial step...

Not to mention that in the "real world" people have more than 2 days to work on a problem and can probably make more than 10k by finding one.

Seems to me that Apple would do well to have a couple machines connected this way full time and kick down 10k for each break in. I guess a problem with it is that most of the network interface is actually non-Apple code-- so when SSH gets cracked, OS X is vulnerable.

gauchogolfer
Apr 20, 2007, 06:41 PM
It looks like they got into the first one using a Safari exploit:

http://cansecwest.com/post/

Interesting to see the details as they emerge. User-level access was gained, according to the article. Root is the next challenge.

nagromme
Apr 20, 2007, 07:41 PM
Seems to me that Apple would do well to have a couple machines connected this way full time and kick down 10k for each break in.

I like that idea :)

It looks like they got into the first one using a Safari exploit:

http://cansecwest.com/post/

Interesting to see the details as they emerge. User-level access was gained, according to the article. Root is the next challenge.

Some good has come of the contest :) Let's hope they tell Apple the details before they tell us, as is good security practice (and unlike MOAB).

It's far from the first flaw found in OS X and it won't be the last. But it's one that can now be tracked down and fixed, thanks to this contest.

miniConvert
Apr 20, 2007, 07:44 PM
They shouldn't have changed the rules. Sure, the Safari/JavaScript exploit is bad - but make these folk work for the prize! I don't think I'll be impressed with anything less than full remote control with no user interaction. Now that's a hack!

SPUY767
Apr 20, 2007, 08:13 PM
Bull.

There are a vast number of people who have DSL flat rate and remain constantly connected to the internet at home, and of course all the business users on the net.

I know of only one person who still uses dial up, (my sister who is on ISDN dial up).

Can you actually read? Cause I don't recall saying anything related to what you said.

SPUY767
Apr 20, 2007, 08:18 PM
It looks like they got into the first one using a Safari exploit:

http://cansecwest.com/post/

Interesting to see the details as they emerge. User-level access was gained, according to the article. Root is the next challenge.

Wait wait wait, a safari exploit? So these douchebags changed the rules when the results of the contest weren't suiting them. Nice job. This test is dead to me. Second question, is this a problem in the Safari handling of javascript, or is it a bug in ALL of javascript that they just modified to open a user shell instead of doing something else?

nagromme
Apr 20, 2007, 08:41 PM
Wait wait wait, a safari exploit? So these douchebags changed the rules when the results of the contest weren't suiting them. Nice job. This test is dead to me. Second question, is this a problem in the Safari handling of javascript, or is it a bug in ALL of javascript that they just modified to open a user shell instead of doing something else?

Don't be too quick to insult: they said BEFORE "changing the rules" that if nobody succeeded, they'd open up a specific series of additional attack exposures. They did so, in accordance with the rules, because they apparently want someone to win--meaning the contest is serious, not just some stunt :)

Furthermore, the flaw they found is real, and therefore useful to know about. Only good for the Mac platform has come of this contest so far.

And the successful hack is no landmark of any kind for Mac-bashers: such flaws have been found many times before. (This is not malware, it's a specific machine attacked.) And patched, as this one will be. OS X's security never was and never will be perfect--no OS is--but it's a WHOLE lot better than Windows, and efforts like this that find the bugs are a big help. SOME such efforts are pure publicity stunts mixed with Apple-bashing, but this one seems above-board to me.

(PS, check http://daringfireball.net for intelligent, balanced discussion of the contest.)

Diatribe
Apr 20, 2007, 08:42 PM
Don't be too quick to insult: they said BEFORE "changing the rules" that if nobody succeeded, they'd open up a specific series of additional attack exposures. They did so, in accordance with the rules, because they apparently want someone to win--meaning the contest is serious, not just some stunt :)

Furthermore, the flaw they found is real, and therefore useful to know about. Only good for the Mac platform has come of this contest so far.

And the successful hack is no landmark of any kind for Mac-bashers: such flaws have been found many times before. (This is not malware, it's a specific machine attacked.) And patched, as this one will be. OS X's security never was and never will be perfect--no OS is--but it's a WHOLE lot better than Windows, and efforts like this that find the bugs are a big help. SOME such efforts are pure publicity stunts mixed with Apple-bashing, but this one seems above-board to me.

If they would do that every month we would be pretty secure. :D

Snowy_River
Apr 21, 2007, 12:17 AM
I always thought it was odd that the Firewall was off....

Okay, so I'm confused. I just checked on my Mac Mini (which is our media computer, and I've never gone to the Firewall preference pane on it before), and the Firewall is on. It seems to me that every OS X based computer I've had has had the Firewall on by default. Anyone have any thoughts on this?

Analog Kid
Apr 21, 2007, 01:18 AM
Wait wait wait, a safari exploit? So these douchebags changed the rules when the results of the contest weren't suiting them. Nice job. This test is dead to me. Second question, is this a problem in the Safari handling of javascript, or is it a bug in ALL of javascript that they just modified to open a user shell instead of doing something else?
:D Don't think I've ever seen the word "douchebag" written out...

As for the rest, I consider an IE vulnerability serious and a Safari vulnerability equally serious. And I certainly hope it's Safari only-- if this were universal we'd be much more vulnerable.

I really find it disturbing how hard people here work to explain away every security violation in OS X. People act like they're trying to protect a lie, and the irony is that OS X security isn't a lie. It's significantly more secure than Windows. That doesn't mean holes can't be found in the armor. Trying to spin each new breach one way or another though looks petty and naive.

There's a hole in Safari that can hand your machine over to a random webmaster. Complain about changing rules all you like, but the hole is there. Glad I know about it. Look forward to a patch. Gonna be a little more careful in where I go and how I respond to random Safari crashes in the meantime.

nagromme
Apr 21, 2007, 01:45 AM
Okay, so I'm confused. I just checked on my Mac Mini (which is our media computer, and I've never gone to the Firewall preference pane on it before), and the Firewall is on. It seems to me that every OS X based computer I've had has had the Firewall on by default. Anyone have any thoughts on this?

My only thought is that I've never seen an OS X machine that didn't start with the Firewall OFF :) A mystery?

Diatribe
Apr 21, 2007, 09:41 AM
Okay, so I'm confused. I just checked on my Mac Mini (which is our media computer, and I've never gone to the Firewall preference pane on it before), and the Firewall is on. It seems to me that every OS X based computer I've had has had the Firewall on by default. Anyone have any thoughts on this?

Maybe you copied the preference folder when setting it up? ;)

Because no Mac comes with the firewall enabled.

Peace
Apr 21, 2007, 10:24 AM
This "contest" is as dumb as the other one from last year.

Diatribe
Apr 21, 2007, 10:28 AM
This "contest" is as dumb as the other one from last year.

What an insightful comment. Tell me more. :rolleyes:

Peace
Apr 21, 2007, 10:41 AM
What an insightful comment. Tell me more. :rolleyes:


Log into a Windows Vista machine that's connected via static IP to a DSL or cable modem. Turn off the firewall. Give me your IP addy and I'll leave an infected MS Word document on your desktop explaining it all. :p

nagromme
Apr 21, 2007, 12:27 PM
Log into a Windows Vista machine that's connected via static IP to a DSL or cable modem. Turn off the firewall. Give me your IP addy and I'll leave an infected MS Word document on your desktop explaining it all. :p

And how will that help make your Mac more secure?

This contest helps achieve that :)

cwt1nospam
Apr 21, 2007, 04:26 PM
They did so, in accordance with the rules, because they apparently want someone to win--meaning the contest is serious, not just some stunt :)
How does wanting someone to win make it not a stunt? I see the results being good for the platform in the long run, but easing the rules so you can claim that somebody hacked into the Mac sounds an awful lot like a stunt to me.

nagromme
Apr 22, 2007, 12:30 AM
How does wanting someone to win make it not a stunt? I see the results being good for the platform in the long run, but easing the rules so you can claim that somebody hacked into the Mac sounds an awful lot like a stunt to me.

(bold mine)

What evidence do you have that their motivation was to put down the Mac? Assuming that without reason is the kind of thing a few Mac users do that give the majority a bad name.

It makes perfect sense to have a series of phases that open up new avenues of attack, if they want someone to win. (And in addition, it increases the chances of the contest actually doing some good for the Mac. Which is exactly what it did.)

By your reasoning, the only Mac security contest you would consider fair is one that has no chance of success. But that wouldn't make a lot of sense.

Now, if they have used Mac-bashing language or other signs of an anti-Mac bias, then I'll blame them for it. But I have seen no such language so far. If you have, I'd be interested to see it.

Note that the prize winner is a Mac fan: he's getting an 8-core Mac Pro with the winnings, and is being very responsible about not letting out the details until after Apple patches the hole. He has good things to say about Mac security, but says he "got lucky." We all did, since he found something that can now be fixed :)

http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/

PS, Turning off Java in your browser (any browser) blocks this exploit, if you're paranoid.

EDIT: I've run across some statements from the contest organizer that do seem misguided/misinformed about Mac security. But not slanted the way many articles are. The contest seems to be a responsible one. And hey, it sold 3 high-end Macs :)

Peace
Apr 22, 2007, 11:26 AM
And how will that help make your Mac more secure?

This contest helps achieve that :)

My statement doesn't help make your Mac more secure. It was dripping with sarcasm and was meant to show that this contest was rigged like the last one.
My point was practically anyone with computer savvy can "break in" to any computer O/S with the opportunities presented by this contest. Except for the likely more secure systems like the DoD etc.

Pressure
Apr 23, 2007, 04:36 AM
MacBook Pro security toasted (http://www.theinquirer.net/default.aspx?article=39093) at TheInquirer.

THE MAKER OF entertainment gear, Apple has had its MacBook Pro turned over by a hacker at a security conference held in Vancouver.

CanSecWest had a competition to break into a pair of MacBook Pros, the prize was a MacBook Pro.

Apparently there was very little interest in hacking the MacBook, as no one was going to get too famous from doing it. There were some pretty tough rules as to how the hack had to be done too. In the end 3Com's TippingPoint Division stumped up $10,000 bounty and hackers became more interested.

Dino Dai Zovi managed to do it, although details of how are sketchy. It seems to be based around an exploitable flaw in Safari.

However it does mean that every copy of OS X out there now is vulnerable to this. So it looks like Apple users will have to join their Microsoft friends in the trek to download Firefox until Jobs' Mob gets around to fixing it.

Last week the outfit released a patch to fix twenty-five holes in its leaky software.

A shame they forgot to mention they had to lower the protection in order to compromise the Mac.

gauchogolfer
Apr 23, 2007, 11:07 AM
MacBook Pro security toasted (http://www.theinquirer.net/default.aspx?article=39093) at TheInquirer.



A shame they forgot to mention they had to lower the protection in order to compromise the Mac.

They didn't have to 'lower the protection', all they did was allow Safari to browse to a webpage. This is a real exploit, people, and I hope that Apple can get it patched quickly.

Firefox is affected also, FWIW.

I think it's time we get our heads out of the sand on this one and hope that Apple can come up with a fix.

I'm not sure if the user was logged in as administrator when the exploit took place; that would be an interesting piece of information. Also, it looks like the more serious exploit of gaining root access was not achieved, thankfully.