Mac OS X hacked in 30 minutes?

According to ZDNet, a Swedish man set up a challenge inviting people to hack a Mac Mini. The challenge ended shortly afterwards because someone successfully gained root access to the machine, and did so, the report said, in 30 minutes.

If I stopped here without giving you real meat to chew on, you'd end up thinking that Mac OS X is not secure and that you'd be ill-advised to use this operating system for hosting your valuable data. But MacWorld gave a few more, very interesting details:

Anyone that wanted to hack the machine was given access to the machine through a local account (which could be accessed via SSH), so the Mac mini wasn’t hacked from outside — root access was actually gained from a local user account.


Aha! That's interesting. Anyone working in the I.T. Security field knows that, most of the time, when someone gains local access it's game over. Local exploits are often much more powerful and deadly than remote ones. That's why we have layered network security, security by default, and such. It's like giving as many strangers as possible access to a besieged castle without knowing if they are friends or foes. If only one stranger heads for the king's lair (which might not be that secret) and slays the poor man, what good would your 2-mile-thick walls, 250,000 soldiers, and all the other _external_ security measures you have put in place do? If I were the stranger who slew the king, the first thing I'd do is behead the security officer of the castle.

Mac OS X has reasonable protections against outsiders. But when you punch holes through these protections and let outsiders become insiders, what do you expect? How many operating systems are there that will do better?

I think the challenge was a very stupid move to attract attention. But it spreads FUD (Fear, Uncertainty and Doubt) as a side effect, maybe an intended one.