Old Apr 20, 2007, 07:29 PM   #1
kiwi-in-uk
macrumors 6502a
 
Join Date: Sep 2004
Location: AU
First Mac hacked at CanSecWest

Story at Matasano.

"About an hour ago, security researcher Shane Macaulay leveraged a clientside exploit to bind a remotely-accessible shell on the fully-patched MacBook used by the PWN 2 0WN contest at CanSecWest.

The vulnerability and exploit were developed last night by Dino Dai Zovi, in the wake of an announcement by 3Com establishing a $10,000 bounty on successful exploitation of one of the contest MacBooks. Said Dino: “I think I may have set the land-speed record”.

Shane keeps the laptop, Dino keeps the reward.

Details about the specifics of the vulnerability to follow at a later date."
Old Apr 20, 2007, 07:34 PM   #2
johnee
macrumors 6502a
 
Join Date: Mar 2007
Location: well, i'm not from the UK, but people will like me more if I say I am.
I knew someone would get in. but not sure if their solution is practical. can anyone elaborate on it?
__________________
are you hypocritical?
"Jesus..said..sell all thou has,and give to the poor.. hardly shall they who have riches enter the kingdom of God"
i'm atheist
Old Apr 20, 2007, 08:23 PM   #3
KurtangleTN
macrumors 6502
 
Join Date: Apr 2007
Aww boo, was the firewall on it, as it's not on by default?
Old Apr 20, 2007, 08:28 PM   #4
Lancetx
macrumors 65816
 
Join Date: Aug 2003
Location: Texas
I know that they weren't using the latest Security Update 2007-004 since that was just released by Apple late yesterday.

Also note that since this was day 2 of the contest (from ZDNet story this morning)....

Quote:
On the second day, the barrier will be lowered a bit and the attackers will be allowed to put exploit code on a special wiki and launch drive-by exploits on the Mac's built-in Safari browser.

EDIT: A link to a story describing how it was "hacked" is here.

Note how the bar was intentionally lowered however...

Quote:
Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

Last edited by Lancetx : Apr 20, 2007 at 08:38 PM. Reason: Added Link To Macworld Story
Old Apr 20, 2007, 08:32 PM   #5
DeathChill
macrumors 6502
 
Join Date: Jul 2005
Quote:
Originally Posted by Lancetx View Post
I know that they weren't using the latest Security Update 2007-004 since that was just released by Apple late yesterday. Makes me wonder if this hacker simply got his clues from reading the list of fixes that were implemented in that update.

Also note that since this was day 2 (from ZDNet story this morning)....
It says that fully patched machines at this point (which would include the latest security fix) are still vulnerable.

EDIT: I'm just waiting for the people to say it doesn't count because they had to perform an action. That's how tons of Windows viruses/exploits work as well, and we don't say they don't count.

Last edited by DeathChill : Apr 20, 2007 at 08:39 PM.
Old Apr 20, 2007, 08:40 PM   #6
Lancetx
macrumors 65816
 
Join Date: Aug 2003
Location: Texas
Quote:
Originally Posted by DeathChill View Post
It says that fully patched machines at this point (which would include the latest security fix) are still vulnerable.
The contest started Thursday morning and the patch wasn't available until Thursday night. They didn't patch it on the fly once the contest began, so it wasn't on the hacked machine. However, we see how they pulled it off now, and the update would have had no impact anyway.

Considerably lowering the security bar to get in had everything to do with it. Either way, they've got quite a long way to go before they prove that OS X is anywhere near as insecure as Windows. Any OS can be hacked given certain circumstances, some are just immensely more difficult to hack than others.

Ah well, in the meantime, we shall continue to wait for the first ever Mac running OS X out in the wild to finally get hacked. It's been 6+ years and 20+ million users so far, and that still hasn't happened.....

Last edited by Lancetx : Apr 20, 2007 at 08:58 PM.
Old Apr 20, 2007, 09:00 PM   #7
clevin
macrumors 601
 
Join Date: Aug 2006
am I surprised by "OSX is not bulletproof"? no
am I surprised by double standard? no
every OS's security is relative, to regard OSX as bulletproof is wrong in the first place.
Old Apr 20, 2007, 09:50 PM   #8
DeathChill
macrumors 6502
 
Join Date: Jul 2005
Quote:
Originally Posted by Lancetx View Post
The contest started Thursday morning and the patch wasn't available until Thursday night. They didn't patch it on the fly once the contest began, so it wasn't on the hacked machine.

However, we see how they pulled it off now, the update would have had no impact anyway. Lowering the bar had everything to do with it.
I didn't say that they patched the machine, I said that the patch did not fix the issue that the hackers used to get in.
Old Apr 20, 2007, 10:25 PM   #9
Lixivial
macrumors 6502a
 
Join Date: Jan 2005
Location: Between cats, dogs and wanderlust.
Quote:
Originally Posted by Lancetx View Post
Note how the bar was intentionally lowered however...
Yeah, I find the third day bar to be quite hilarious. "If, by the third day, no one has hacked a machine, we'll allow you to connect via USB or Bluetooth."
Old Apr 20, 2007, 11:01 PM   #10
Macheath_Messer
macrumors member
 
Join Date: Aug 2003
Location: Ringgold, GA
Random Thoughts about this

We can probably expect to hear some smart*** remark from Ballmer or some other MS goon. What we'll most likely hear about is antivirus companies begging and pleading for Mac customers to purchase their products.

Windows Fanbois around the globe are going, "OMG, Macs are like, so vulnerable, and stuff."

I don't post enough in these forums for anyone to know my position on these things, but rest assured, I haven't been any of these types who are very arrogant about OS X's security. I do know, however, no one has written an exploit. "Small market share" is the most common response I hear when talking about this. It would seem to me some dude would want to gain the notoriety of being the "first to market" with really bad stuff for the Mac.

It'll be interesting to see what the aftermath of this contest will be. Oh, and will the guys over this contest really try to hide and protect the exploit? With Dino's bragging about "set[ting] a land-speed record", does anyone really feel he'll keep this information to himself? Just curious.
Old Apr 20, 2007, 11:17 PM   #11
johnee
macrumors 6502a
 
Join Date: Mar 2007
Location: well, i'm not from the UK, but people will like me more if I say I am.
and so it begins:

http://news.yahoo.com/s/pcworld/2007...pcworld/131050
__________________
are you hypocritical?
"Jesus..said..sell all thou has,and give to the poor.. hardly shall they who have riches enter the kingdom of God"
i'm atheist
Old Apr 20, 2007, 11:20 PM   #12
xUKHCx
Demi-God (Moderator)
 
Join Date: Jan 2006
Location: The Kop
Quote:
Originally Posted by johnee View Post
Probably had that article written before the computer was actually hacked
Old Apr 21, 2007, 12:39 AM   #13
KurtangleTN
macrumors 6502
 
Join Date: Apr 2007
Quote:
Originally Posted by xUKHCx View Post
Probably had that article written before the computer was actually hacked
Yeah, and I like how they had to lower the bar, and yet they claim it's so easy to break into a Mac.

I'm not surprised there are vulnerabilities to OS X, and I'm not surprised that a bunch of hackers with a lower bar could find it after a day.

Of course Microsoft does more for security because the entire base of the OS is crap, they HAVE to.

And was the firewall on or off? I know that it's off by default in Panther at least, and I've heard Tiger.

Edit- Looks like a Safari problem they said in an update to the OP's article.
Old Apr 21, 2007, 01:09 AM   #14
SMM
macrumors 65816
 
Join Date: Sep 2006
Location: Tiger Mountain - WA State
Quote:
Originally Posted by Macheath_Messer View Post
We can probably expect to hear some smart*** remark from Ballmer or some other MS goon. What we'll most likely hear about is antivirus companies begging and pleading for Mac customers to purchase their products.

Windows Fanbois around the globe are going, "OMG, Macs are like, so vulnerable, and stuff."

I don't post enough in these forums for anyone to know my position on these things, but rest assured, I haven't been any of these types who are very arrogant about OS X's security. I do know, however, no one has written an exploit. "Small market share" is the most common response I hear when talking about this. It would seem to me some dude would want to gain the notoriety of being the "first to market" with really bad stuff for the Mac.

It'll be interesting to see what the aftermath of this contest will be. Oh, and will the guys over this contest really try to hide and protect the exploit? With Dino's bragging about "set[ting] a land-speed record", does anyone really feel he'll keep this information to himself? Just curious.
We will not have to wait for Ballmer. There are enough 'goons' on this forum. In fact, I saw one just a few posts up. But, it was no shock that he chimed in. I find it depressing that MS would sponsor a contest to bring good technology down to their level, rather than spend the resources to raise the quality of their software up. I think that pretty much draws the line between the philosophies of the two companies.
__________________
The more you can increase fear of drugs and crime, welfare mothers, immigrants and aliens, the more you control all the people. - Noam Chomsky

Last edited by SMM : Apr 21, 2007 at 01:13 AM. Reason: Want to add something
Old Apr 21, 2007, 02:16 AM   #15
pseudobrit
macrumors 68040
 
Join Date: Jul 2002
Location: Jobs' Spare Liver Jar
That this is at all newsworthy makes it the exception that proves the rule.

Can you imagine a tech headline screaming out: "Windows machine hacked at expo"? Me neither, because it happens thousands of times in the wild every day.
__________________
Starting with a mistake, a remorseless logician can end up in bedlam
Old Apr 21, 2007, 02:27 AM   #16
furious
macrumors 6502a
 
Join Date: Aug 2006
Location: Australia
Hacks and viruses are different that is all I have to say.
Old Apr 21, 2007, 02:44 AM   #17
pseudobrit
macrumors 68040
 
Join Date: Jul 2002
Location: Jobs' Spare Liver Jar
Quote:
Originally Posted by furious View Post
Hacks and viruses are different that is all I have to say.
Would you prefer I call them "self-replicating, automatic, assembly-line hacks?"
__________________
Starting with a mistake, a remorseless logician can end up in bedlam
Old Apr 21, 2007, 03:01 AM   #18
Scarlet Fever
macrumors 68040
 
Join Date: Jul 2005
Location: Bookshop!
Quote:
Originally Posted by Yahoo News
Macs haven't been targets for hackers and malicious code writers nearly to the degree that Windows machines have historically. That's in part because there are fewer Macs in use, thus making the potential impact of malicious code smaller than on the more widely used PCs.
so macs are as (in)secure as computers running Windows? which is why it is news when a Mac gets hacked? ah well... i suppose ignorance is bliss...
__________________
i have stuff. you have stuff. we are all consumers.
Old Apr 21, 2007, 04:26 AM   #19
solvs
macrumors 601
 
Join Date: Jun 2002
Location: LaLaLand, CA
Quote:
Originally Posted by clevin View Post
every OS's security is relative, to regard OSX as bulletproof is wrong at first place.
Who said it was? Artie MacStrawman again? Can't stand that guy. He just ruins it for the rest of us.

For those of us in the reality based community, we know that no OS is perfect. We also know that OS X is more secure. They could hack it a thousand times, it still wouldn't be as bad as Windows (still) is. And for all of those lame arguments about marketshare, we're forgetting that OS 9 and below had viruses despite a much lower marketshare (not to mention user base) and wasn't as much in the press as OS X is. OS X is a media darling right now, and who wouldn't love to knock us smug users down a couple of pegs. Or attack companies that use it, like the one I work for (a little company called Disney). Even Linux on iPod had a virus, and how many people actually use that?

I was worried when I first read this, but upon further inspection, as usual, it's a lot of fluff over nothing that will actually affect any of us.
__________________
True love never dies
The only thing more dangerous than a woman scorned, is a man with nothing left to lose...
Old Apr 21, 2007, 04:46 AM   #20
DeathChill
macrumors 6502
 
Join Date: Jul 2005
Quote:
Originally Posted by SMM View Post
We will not have to wait for Ballmer. There are enough 'goons' on this forum. In fact, I saw one just a few posts up. But, it was no shock that he chimed in. I find it depressing that MS would sponsor a contest to bring good technology down to their level, rather than spend the resources to raise the quality of their software up. I think that pretty much draws the line between the philosophies of the two companies.
Just curious if you were talking about me, because I'm certainly no Microsoft advocate. I don't even use my Windows-based PC, it's my Mac Mini and Macbook with Mac OS X Tiger for me.

I just simply stated that it's fair to classify it as an exploit with potential problems because a lot of Windows exploits were spread in this fashion and no one's arguing that they don't count. If it screws up my computer, I count it.
Old Apr 21, 2007, 04:57 AM   #21
nplima
macrumors 6502a
 
Join Date: Apr 2006
Location: UK
oh well

it seems to me that OS X security record has been more than good enough through the years and there aren't any gaping holes that can be easily exploited by not doing the basic security measures we all should have in place (we do know them, don't we?). If this exploit gives way to many relevant threats, we just have to defend our computers a bit better.

On my windows box my HOSTS file is duly managed by these nice folks here:
http://www.mvps.org/winhelp2002/hosts.htm
it could easily be on a proxy server for a LAN.

Other people who are more paranoid use this to kill all scripts except the ones they explicitly trust:
https://addons.mozilla.org/en-US/firefox/addon/722

so... it's all been invented before. and not a single € cent goes to anti virus companies.
Old Apr 21, 2007, 05:28 AM   #22
dazzer21
macrumors regular
 
Join Date: Oct 2005
"As originally planned, the rules for the hack a mac contest were relaxed on Friday after nobody had won the contest on the previous days."

The above would suggest to me that OS X is pretty much as bomb-proof as OSs get? The only way the MacBook could be hacked is without all the security features switched on!!!
Old Apr 21, 2007, 05:45 AM   #23
Jimmni
macrumors member
 
Join Date: May 2003
If a web page visited with Safari led to a machine being entirely compromised then this is a far more serious issue than people here seem to be willing to admit. This is the sort of exploit that would cause serious headaches for average users.
Old Apr 21, 2007, 05:50 AM   #24
adrianm
macrumors member
 
Join Date: Nov 2005
I love the way they maintain credibility...

... by changing the rules when it looked like no one was going to succeed.
Old Apr 21, 2007, 05:58 AM   #25
bigandy
macrumors Demi-God
 
Join Date: Apr 2004
Location: Soho, London
Quote:
Originally Posted by adrianm View Post
... by changing the rules when it looked like no one was going to succeed.
absolutely what i was thinking.

and this isn't what their original goal was, is it? they wanted to do it without any user input, but this way, you have to get the user to the webpage...

yawn, move along people.
__________________
"any day that involves cat pee is a really bad day" - iBlue