04-22-2007, 11:13 PM

If you are aware of the PWN to OWN contest you may know about this already...

http://www.engadget.com/2007/04/22/s...acking-compet/

http://news.com.com/2100-7349_3-6178131.html

Any thoughts?

04-22-2007, 11:51 PM

Meh, something else for Apple to fix....

04-23-2007, 10:42 AM

That is pretty funny.

04-23-2007, 11:14 AM

Well, let's look at some key details for this "hack":

1. "CanSecWest organizers will set up the MacBooks with their own access point and all security updates installed, but without additional security software or settings."

2. After nobody was able to successfully complete the task, the rules were then 'relaxed'. This was planned, as they expected failure. The original contest site states: "progressive rules over the three days". In the relaxed set of rules, a URL was provided that exposed Safari to a "specially-constructed Web page" which allowed the hacker to gain shell access to the MacBook. In other words, they continually aided these "hackers" by gradually crippling the machines to a point where no conscientious person would have his system set up.

3. What exactly did he do? The details have yet to be published, and whether or not his "exploit" was malicious or not. Did he have root access? How so, the root user is disabled by default. If he had root, then he would have to have had access on a local level, not from a different machine. He would have also have needed the machine's password in order to activate the root user. The only way to have such information is to have exclusive knowledge of the machine, something your average hacker would not have.


After reading those articles and others related to this story, it would seem that the computer being "hacked", is the SAME computer that is being used by the "hacker"??? Sure, when you relax rules, allow a person to "hack" the very machine they are working on, thus giving them complete and total local access to the machine.... well, suddenly this doesn't seem so sensational or like much of a grand acheivement.

"I can hack my very own Mac, the one sitting in front of me...w00t r0X0rZZZZ!!!!111"

Give me a break.

04-23-2007, 11:31 AM

I don't think that was the case...

From what I've read, the change they made to the rules allowed the contestants to send the remote macbook an email containing a url, that was then opened by the competition organizers.

This is a fairly typical point of attack for many systems and is actually particulary dangerous in OS X mail as you can really easily disguise links and there's no way to see where the link actually goes before clicking on it.

Quote:

1. "CanSecWest organizers will set up the MacBooks with their own access point and all security updates installed, but without additional security software or settings."

That would be the majority of OSX users out there - I doubt many members here run 3rd party firewalls or "security software".


I agree the the reporting surrounding the exploit has been very sensationalistic, (is that a word? ) but the hack itself seems legit. Nonetheless it isn't out there in the wild, should be easily fixable and doesn't really do much besides prove a point.

04-23-2007, 01:01 PM

Quote:

Originally Posted by Aptmunich

From what I've read, the change they made to the rules allowed the contestants to send the remote macbook an email containing a url, that was then opened by the competition organizers.

The rules weren't changed. They stipulated from the outset that if the two Macs could not be breached in a given time, security would be weakened. This was the case, so event organizers using Safari clicked on contrived "malicious" websites built by the hackers expressly to run their exploits.

Since no one will divulge the successful hack, no one outside of the principals, and perhaps by now, Apple, knows what it is. The method might be a stunningly easy, which is highly unlikely, or incredibly contrived, which is far more likely.

The story on the exploit as written by InfoWorld has a grotesquely innacurate headline that is meant to inflame. InfoWorld is owned by IDG that regarding Apple has its own axe to grind.

The other Mac involved in the contest was not breached.

04-23-2007, 01:12 PM

Eh, I use firefox anyways....

04-23-2007, 01:26 PM

Quote:

Originally Posted by Brown Study

The rules weren't changed. They stipulated from the outset that if the two Macs could not be breached in a given time, security would be weakened. This was the case, so event organizers using Safari clicked on contrived "malicious" websites built by the hackers expressly to run their exploits......The method ... is highly unlikely, or incredibly contrived....

The story on the exploit as written by InfoWorld has a grotesquely innacurate headline that is meant to inflame. ....

Precisely. This hole in Safari is nothing new. It has been shown before. However, the only way to 'exploit' it is to put the target machine in a very specific, contrived, and egregiously unsafe state for it to work. A state that is really only found in a lab or other similar, controlled situation. This is not likely to happen in any real-world scenario.

The story was meant to sensationalize and to blow out of proportion, a "lab only" situation. It still proves nothing new and it is still an unlikely event to happen to any normal user. It is merely "anti-Mac", Windows fanboy propoganda disguised as "informative news".
It is sort of ironic also, that the prize here was the Mac itself. :black:

04-23-2007, 05:09 PM

The flaw is with Java (not JavaScript) and includes Firefox, not just Safari, this article says. I suppose any other browser would be affected, as well. A posted comment on that site in an earlier story said the same thing, so this latest article supports that poster's contention.

After reading about Java's many flaws months ago, I turned it off and have never come across a website that requires it.

04-23-2007, 05:46 PM

OK, own up, who doesn't run a firewall? I always run a firewall, no matter what, which is the router default firewall as well as the OS X firewall. There is no real reason to disable it, IMO, whether running Windows, OS X, Linux BSD, Unix or DOS 1.0.

04-23-2007, 05:47 PM

Quote:

Originally Posted by Zoolook

OK, own up, who doesn't run a firewall? I always run a firewall, no matter what, which is the router default firewall as well as the OS X firewall. There is no real reason to disable it, IMO, whether running Windows, OS X, Linux BSD, Unix or DOS 1.0.

I always run mine, it is simple common sense to do so when you have a computer active on the internet.

04-23-2007, 09:59 PM

Lots of people running OS X haven't turned the software firewall on even when the machine's not behind a router, because Macs don't ship with it turned on.

I never bothered with a firewall before OS X came along, and there were up to 60 Mac viruses, supposedly (though some say no more than 35), a small number compared to the Windows world but that many more than there are with OS X.

I still run OS 9 on the web without a firewall because it's no less difficult for a virus to gain entry than it ever was. And with OS 9, especially now, security through obscurity is no myth, and it's growing more obscure all the time.

But in the case of this Java exploit, a firewall would have no affect, anyway.

04-23-2007, 10:04 PM

Quote:

Originally Posted by Brown Study

I never bothered with a firewall before OS X came along, and there were up to 60 Mac viruses, supposedly (though some say no more than 35), a small number compared to the Windows world but that many more than there are with OS X.

I never used a firewall pre-OS X either, but those two dozen or so "viruses" for the earlier Mac OSes were in reality, nothing more than bad macros for early versions of Word and Excel for Mac. If you never used or enabled macros in those apps, or if you had anything past version 5.0 for Word or Excel, then you had nothing to really worry about.:black:

04-23-2007, 11:30 PM

Meh, I wasn't really impressed with this news, although it did give my Windows-loving friends something to talk about. Truth be told, ALL browsers have flaws - and they always will. There's simply no way to absolutely lock down a versatile Internet-enabled portal, teeming with 3rd-party add-ons (Java, in this example) that give it even more functionality. This is just the "always-on, always connected" world we live in today. What I would find impressive would be a hack that doesn't involve a browser. There have been many Windows vulnerabilities discovered that were non-browser specific.

04-24-2007, 08:36 AM

Quote:

Originally Posted by cwa107

Meh, I wasn't really impressed with this news, although it did give my Windows-loving friends something to talk about.

According to this, Windows probably is affected, too.

Quote:

Gregg Keizer reports for Computerworld, "'Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple's vulnerable code ships by default on Mac OS X (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability,' said Thomas Ptacek of Matasano on the group's blog."