First Mac hacked at CanSecWest

Discussion in 'Apple, Inc and Tech Industry' started by kiwi-in-uk, Apr 20, 2007.

  1. kiwi-in-uk macrumors 6502a

    Joined:
    Sep 22, 2004
    Location:
    AU
    #1
    Story at Matasano.

    "About an hour ago, security researcher Shane Macaulay leveraged a clientside exploit to bind a remotely-accessible shell on the fully-patched MacBook used by the PWN 2 0WN contest at CanSecWest.

    The vulnerability and exploit were developed last night by Dino Dai Zovi, in the wake of an announcement by 3Com establishing a $10,000 bounty on successful exploitation of one of the contest MacBooks. Said Dino: “I think I may have set the land-speed record”.

    Shane keeps the laptop, Dino keeps the reward.

    Details about the specifics of the vulnerability to follow at a later date."
     
  2. johnee macrumors 6502a

    johnee

    #2
    I knew someone would get in. but not sure if their solution is practical. can anyone elaborate on it?
     
  3. KurtangleTN macrumors 6502a

    Joined:
    Apr 2, 2007
    #3
    Aww boo, was the firewall on it, as it's not on by default?
     
  4. Lancetx macrumors 68000

    Lancetx

    Joined:
    Aug 11, 2003
    Location:
    Texas
    #4
    I know that they weren't using the latest Security Update 2007-004 since that was just released by Apple late yesterday.

    Also note that since this was day 2 of the contest (from ZDNet story this morning)....


    EDIT: A link to a story describing how it was "hacked" is here.

    Note how the bar was intentionally lowered however... :rolleyes:

     
  5. DeathChill macrumors 68000

    Joined:
    Jul 15, 2005
    #5
    It says that fully patched machines at this point (which would include the latest security fix) are still vulnerable.

    EDIT: I'm just waiting for the people to say it doesn't count because they had to perform an action. That's how tons of Windows viruses/exploits work as well, and we don't say they don't count.
     
  6. Lancetx macrumors 68000

    Lancetx

    Joined:
    Aug 11, 2003
    Location:
    Texas
    #6
    The contest started Thursday morning and the patch wasn't available until Thursday night. They didn't patch it on the fly once the contest began, so it wasn't on the hacked machine. However, we see how they pulled it off now, and the update would have had no impact anyway.

    Considerably lowering the security bar to get in had everything to do with it. Either way, they've got quite a long way to go before they prove that OS X is anywhere near as insecure as Windows. Any OS can be hacked given certain circumstances, some are just immensely more difficult to hack than others.

    Ah well, in the meantime, we shall continue to wait for the first ever Mac running OS X out in the wild to finally get hacked. It's been 6+ years and 20+ million users so far, and that still hasn't happened.....
     
  7. clevin macrumors G3

    clevin

    Joined:
    Aug 6, 2006
    #7
    am I surprised by ""OSX is not bulletproof"? no
    am I surprised by double standard? no
    every OS's security is relative, to regard OSX as bulletproof is wrong at first place.
     
  8. DeathChill macrumors 68000

    Joined:
    Jul 15, 2005
    #8
    I didn't say that they patched the machine, I said that the patch did not fix the issue that the hackers used to get in.
     
  9. Lixivial macrumors 6502a

    Lixivial

    Joined:
    Jan 13, 2005
    Location:
    Between cats, dogs and wanderlust.
    #9
    Yeah, I find the third day bar to be quite hilarious. "If, by the third day, no one has hacked a machine, we'll allow you to connect via USB or Bluetooth."
     
  10. Macheath_Messer macrumors member

    Joined:
    Aug 14, 2003
    Location:
    Ringgold, GA
    #10
    Random Thoughts about this

    We can probably expect to hear some smart*** remark from Ballmer or some other MS goon. What we'll most likely hear about is antivirus companies begging and pleading for Mac customers to purchase their products.

    Windows Fanbois around the globe are going, "OMG, Macs are like, so vulnerable, and stuff."

    I don't post enough in these forums for anyone to know my position on these things, but rest assured, I haven't been any of these types who are very arrogant about OS X's security. I do know, however, no one has written an exploit. "Small market share" is the most common response I hear when talking about this. It would seem to me some dude would want to gain the notoriety of being the "first to market" with really bad stuff for the Mac.

    It'll be interesting to see what the aftermath of this contest will be. Oh, and will the guys over this contest really try to hide and protect the exploit? With Dino's bragging about "set[ting] a land-speed record", does anyone really feel he'll keep this information to himself? Just curious. :)
     
  11. xUKHCx Administrator emeritus

    xUKHCx

    Joined:
    Jan 15, 2006
    Location:
    The Kop
    #12
  12. KurtangleTN macrumors 6502a

    Joined:
    Apr 2, 2007
    #13
    Yeah, and I like how they had to lower the bar, and yet they claim it's so easy to break into a Mac.

    I'm not suprised there are vulnerablites to OS X, and I'm not suprised that a bunch of hackets with a lower bar could find it after a day.

    Of course Microsoft does more for security because the entire base of the OS is crap, they HAVE to.

    And was the firewall on or off? I know that it's off by default in Panther at least, and i've heard Tiger.

    Edit- Looks like a Safari problem they said in an update to the OP's article.
     
  13. SMM macrumors 65816

    SMM

    Joined:
    Sep 22, 2006
    Location:
    Tiger Mountain - WA State
    #14
    We will not have to wait for Ballmer. There are enough 'goons' on this forum. In fact, I saw one just a few posts up. But, it was no shock that he chimed in. I find it depressing that MS would sponsor a contest to bring good technology down to their level, rather than spend the resources to raise the quality of their software up. I think that pretty much draws the line between the philosophies of the two companies.
     
  14. pseudobrit macrumors 68040

    pseudobrit

    Joined:
    Jul 23, 2002
    Location:
    Jobs' Spare Liver Jar
    #15
    That this is at all newsworthy makes it the exception that proves the rule.

    Can you imagine a tech headline screaming out: "Windows machine hacked at expo"? Me neither, because it happens thousands of times in the wild every day.
     
  15. furious macrumors 65816

    furious

    Joined:
    Aug 7, 2006
    Location:
    Australia
    #16
    Hacks and viruses are different that is all I have to say. ;)
     
  16. pseudobrit macrumors 68040

    pseudobrit

    Joined:
    Jul 23, 2002
    Location:
    Jobs' Spare Liver Jar
    #17
    Would you prefer I call them "self-replicating, automatic, assembly-line hacks?"
     
  17. Scarlet Fever macrumors 68040

    Scarlet Fever

    Joined:
    Jul 22, 2005
    Location:
    Bookshop!
    #18
    so macs are as (in)secure as computers running Windows? which is why it is news when a Mac gets hacked? ah well... i suppose ignorance is bliss...:rolleyes:
     
  18. solvs macrumors 603

    solvs

    Joined:
    Jun 25, 2002
    Location:
    LaLaLand, CA
    #19
    Who said it was? :confused: Artie MacStrawman again? Can't stand that guy. He just ruins it for the rest of us. ;)

    For those of us in the reality based community, we know that no OS is perfect. We also know that OS X is more secure. They could hack it a thousand times, it still wouldn't be as bad as Windows (still) is. And for all of those lame arguments about marketshare, we're forgetting that OS 9 and below had viruses despite a much lower marketshare (not to mention user base) and wasn't as much in the press as OS X is. OS X is a media darling right now, and who wouldn't love to knock us smug users down a couple of pegs. Or attack companies that use it, like the one I work for (a little company called Disney). Even Linux on iPod had a virus, and how many people actually use that?

    I was worried when I first read this, but upon further inspection, as usual, it's a lot of fluff over nothing that will actually affect any of us.
     
  19. DeathChill macrumors 68000

    Joined:
    Jul 15, 2005
    #20
    Just curious if you were talking about me, because I'm certainly no Microsoft advocate. I don't even use my Windows-based PC, it's my Mac Mini and Macbook with Mac OS X Tiger for me.

    I just simply stated that it's fair to classify it as an exploit with potential problems because a lot of Windows exploits were spread in this fashion and no one's arguing that they don't count. If it screws up my computer, I count it ;).
     
  20. nplima macrumors 6502a

    Joined:
    Apr 26, 2006
    Location:
    UK
    #21
    oh well

    it seems to me that OS X secrity record has been more than good enough through the years and there aren't any gaping holes that can be easily exploited by not doing the basic security measures we all shoud have in place (we do know them, don't we? :rolleyes: ). If this exploit gives way to many relevant threats, we just have to defend our computers a bit better.

    On my windows box my HOSTS file is duly managed by these nice folks here:
    http://www.mvps.org/winhelp2002/hosts.htm
    it could easily be on a proxy server for a LAN.

    Oher people who are more paranoid use this to kill all scripts except the ones they explicitly trust:
    https://addons.mozilla.org/en-US/firefox/addon/722

    so... it's all been invented before. and not a single € cent goes to anti virus companies.
     
  21. dazzer21 macrumors 6502

    Joined:
    Oct 18, 2005
    #22
    "As originally planned, the rules for the hack a mac contest were relaxed on Friday after nobody had won the contest on the previous days."

    The above would suggest to me that OS X is pretty much as bomb-proof as OSs get? The only way the MacBook could be hacked is without all the security features switched on!!! :D
     
  22. Jimmni macrumors member

    Joined:
    May 1, 2003
    #23
    If a web page visited with Safari led to a machine being entirely compromised then this is a far more serious issue than people here seem to be willing to admit. This is the sort of exploit that would cause serious headaches for average users.
     
  23. adrianm macrumors member

    Joined:
    Oct 31, 2005
    #24
    I love the way they maintain credibility...

    ... by changing the rules when it looked like no one was going to succeed.
     
  24. bigandy macrumors G3

    bigandy

    Joined:
    Apr 30, 2004
    Location:
    Murka
    #25
    absolutely what i was thinking.

    and this isn't what their original goal was, is it? they wanted to do it without any user input, but this way, you have to get the user to the webpage...

    yawn, move along people.
     

Share This Page