24 replies to this topic

[buzzons]

On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later this poor little Mac was owned and this page got defaced".

The hacker that won the challenge, who asked ZDNet Australia to identify him only as "gwerdna", said he gained root control of the Mac in less than 30 minutes.

"It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet Australia .

According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.

"The rm-my-mac challenge was setup similar to how you would have a Mac acting as a server -- with various remote services running and local access to users… There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.

Full story here :: http://www.zdnet.com...39241748,00.htm

[Tyler]

Well im not a big fan of Mac OS X but for him to hack it in 20/30 minutes is crazy, yeah i'll admit the private exploit helps and saves an incredible amount of time. I'm curious if they logged everything on the machine to see if they could potentially find out what the exploit is

[salik]

under 30 minutes is really fast. and people say that mac is unvulnerable,huh!

[Tyler]

well, think about it, it isn't that fast if you have a private exploit.. well actually i disagree, it depends on what type of exploit. If its one that worked as easy as mssql 30 mins is really slow etc.

[spic]

I'm enjoying the angry Mac users comments towards this ZDNet news article. Such as "Microsoft Setup!" etc etc...

[Tyler]

lol yeah , read a few of those myself found them quite entertaining as well spic

[sarkar112]

If I was the owner of the mac, I would use it as a honeypot, and if it was fully patched, find out the private exploit, And release it to the public, which the owner should have...but didn't.

And mac is more secure than windows, but not as secure as BSD, unix, etc. so someone shouldn't be obsessing over a mac.

[Tyler]

you think *nix is more secure then mac, because i would have to argue the amount of exploits out for *nix vs mac is a big difference.

[tshark]

anyone know of any good mac OS X hardening / security websites?

[Tyler]

I tend to use http://www.securemac.com/ which seems to work great.

[D-Tox]

It seems that the mac community doesn't agree, there's a new challenge, but from the University of Winsconsin and this time, no local ssh access (from ./ )

http://test.doit.wisc.edu/

[zorin-]

The competition was actually an escalation of privilages.

Source here

[boshcash]

mac os sucks in security , of course *nix based OSes would be more secure ..

the amount of exploits on an OS doesnt mean its not secure , but people put an eye on it so it looks weaker but if people concentrated on the mac os , u will find its much weaker than winblows i think ...

[Tyler]

:| i always thought that mac os had better security or at least had a more secure machine then a *nix based OS. :| (learn something new everyday)

or... is it that mac os is not secured very well but there are less exploits / vulns against the mac and *nix has more exploits / vuln but can be secured better?

[Edu]

all sound really amazing till I read about the private exploit stuff.
the exploit could be for the MAC OSX itself or perhaps for the webserver running there (very likely). any script kid with basic knowledge on MAC OS could do a lot using private exploits