MacDailyNews - Where Mac news comes first

Mar 27, 08 - 10:54 pm Comment from: silverhawk

Judges were "tricked into visiting the site." Give me a break. This is socially engineered BS that won't work "in the wild."

see?

Mar 27, 08 - 11:05 pm Comment from: El Guapo

I would like to know exactly how they were "tricked" into visiting a site. Did they think they were going to win a pink iPhone? Did they get a shaking pop-up window saying they have a virus? Or did they get an email saying that Visa needed to confirm their personal information?

Those are all VERY tricky (especially the pop-up window when it looks like it came straight from Win95).

I wonder if this is with the latest Safari that was just released 3.1??

Also I wonder how many people tried to have the Mac compared to the Linux and Windows machines?? Like was it 50 people tried to hack the mac and 5 tried to hack Linux and Windows over the 2 day period? Kinda hard to believe no one has hacked Windows yet!!

I figured the Mac would be the first one to go with all the security news and stuff that the Mac is the most secure......kinda a slap in the face to us Mac users!!

Mar 27, 08 - 11:15 pm Comment from: Brau

Maybe they were tricked into thinking it was an MDN article ... and then BOOM! Air foiled!

Seriously though, if it is invoked simply by visiting a site then Apple has a problem to solve. Good thing they'll know about it first.

Mar 27, 08 - 11:35 pm Comment from: MacSheikh

From what i've read, it seems this guy was the first to try to hack into ANY of the machines. Meaning the Windows and Linux machines were not being hacked into at all. This guy just happens to be the first one up and he chose to hack the Mac. And he had to get the organisers to go to a specific website for the exploit to work.

Also, i"m sure it took him much more than 2 mins to come up with the exploit in the first place. Reports so far have not been accurate at all, misleading at worst.

Well, lets hope Apple closes the bug asap. In the meantime, get ready for the "Macs are not secure" crap from losers everywhere.

maybe they visited a porn site LOL

Prior setup of the security exploit...

then two minutes to send the judges an email and get them to go to the site...

he didn't discover and create the exploit in two minutes.

Lets be real, during the prior day nobody achieved a break-in but just like last year everybody new the "conditions" would change.

bogus

Mar 28, 08 - 12:00 am Comment from: Rip Ragged

Oh for crying out loud. Be happy. This will improve Mac security. It's a good thing. I have declared myself the world's screechiest and most annoying fanboy. If you don't believe me, check rip-ragged.com. But I still think it's cool that hackers are trying to hack the Mac.

The best part is, with $10k on the table, smart hackers still needed social engineering to get the job done. One more reason to be glad I have Macs.

Well done, Charlie. Keep up the good work.

Question of MDN --- is your 'take' some sort of an acknowledgment that the days of Mac being immune from invasion are over?

Mar 28, 08 - 12:06 am Comment from: Jubei

Yep perfect take from MDN. Get Apple to see the problem now and fix it. So Macs are safer than ever. While Windows still has its big ass wide open, to match their big ass table.

Mar 28, 08 - 12:10 am Comment from: Rip Ragged

@ Just Wondering

Is your question an acknowledgment that you're really dumb?

No intelligent Mac user has ever (EVER) suggested that Mac is immune from invasion. It's just that there's nothing to be immune from, yet.

Fact: There is still no Mac malware in the wild that can be downloaded without social engineering.

None.

Obviously he wanted the MacBook Air, not the other two lap tops . . . .Maybe all three operating systems should have been natively set up on one of three MBA's.

From the first article:

As of the time I posted this, no one had gained control of the Vista or Ubuntu machines, but I'll update later as the results come in over the rest of the afternoon.

Spin it anyway you want but that stings. Expect MS fanboys to be all over that one.

And a friend of mine who literally was angry at me for trying to convince him to go for a mac, will now probably say "See, macs are vulnerable too" and he will feel vindicated he went with Toshiba/Vista, and venture on in his malware infested world with a sense of satisfaction.

Mar 28, 08 - 12:38 am Comment from: mr_matalino

"after judges were 'tricked' into visiting the site"

I bet it was one of those pop-ups that said "Win a free MacBook Air" and had lots of flashing lights...

You won't find a bigger Mac fanboy than me. I have been advocating Macs for years and am typing this on my new MacBook Air. I have worked in the security industry for 15 years and all of you who say that social engineering doesn't count are morons. The biggest threats in all of security are due to social engineering. Phishing, e-mail attachments, free porn, any number of techniques can be used to trick someone to a site. That doesn't even count the fact that a hacker could simply take over a legitimate site and include this hack on their site.

Security is a serious challenge faced by all OS vendors and you won't hear Steve Jobs say any differently because he's not stupid. It's brainless fanaticism that prevents people from recognizing the real superiority of the OSX operating system.

"As of the time I posted this, no one had gained control of the Vista or Ubuntu machines, but I'll update later as the results come in over the rest of the afternoon."

No one is interested to hack Vista. It's not challenging enough.

here's an interesting quote

"The team had attack code already set up on a Web site, and was able to gain access to the MacBook Air and retrieve a file after judges were "tricked" into visiting the site. According to the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari was used to gain control of the Air."

From this it seems that the contestants who won came prepared for that day's round, and didn't spend any time crafting or looking for the exploit as they targeted a vulnerability in Safari that was already known; hence the small amount of time it took to take over the MBA.

I wonder if it would've taken 2 mins the take over had they been forced to look for the exploit and spend the day writing the code.

While I congratulate them on their work, it seems somewhat disingenuous. It would be more shocking if they had discovered a new vulnerability during the course of the day, and not had been prepped in some way.

Mar 28, 08 - 12:56 am Comment from: G4Dualie

"You kaint fix stoopid."

Mar 28, 08 - 12:59 am Comment from: Rip Ragged

Sure, social engineering counts. But it requires each machine to be infected independently, through misguided operation. It isn't a vulnerability of the machine, but a vulnerability of the user. Or as my sainted granddaddy used to say, "It's the loose nut behind the wheel."

You can't make cars or computers any safer than the people who operate them.

Here is a question I have been wondering about. Can simply going to a website open up terminal access to that website? I always thought terminal required a password to access.

My bad, I miss read the part about the Safari vulnerability, as the rules and the TippingPoint site blog states it has to be a "a brand new 0day vulnerability". That being said, I take back my statement of exploiting a known vulnerability.

I do still stand by my opinion regarding the amount of time it took to execute the exploit.

BTW, if you look at the pic on TippingPoint blog it appears that the contestants used a MBPro to construct or at least "trick" the contest to surf to there predesigned site.

Mar 28, 08 - 01:23 am Comment from: BC Kelly

Did read original article, and have a lot of questions.

What does it mean when they say:

"to gain access ... and retrieve a file ... a newly discovered vulnerability in Safari was used to gain control of the Air."

Did they gain "access" or did they gain "control" ?

And all they did was transfer a file ?

Which file, what kind, from where ?

If one of the obscure System/Safari files that might hold keychain info or a password in cache not yet dumped from a previous site, or something along those lines, then they might have something.

But if, say, an mp3 ... c'mon, we let folks have access to our computer all the time for those files everytime we fire up a p2p program. So there's a definition of how someone "gained access and retrieved a file."

Need to have some more info and details about this for me to buy it as a real problem and believe someone can truly gain "control" of my machine.

Anyone with insight in all this, please comment.

Thanks, BC in Tally

Hey MDN what the heck is that MS add at the bottom of the page? go green and stay green--I think that is for all the ITs working on window machines!

maybe they visited a porn site LOL

I visit porn sites. But only foreign ones so I'm pretty sure they're safe.

I don't know how many times MDN has posted this caveat for other reasons, but it applies here as well.

All computers have vulnerabilities and every Mac (probably) has 3rd party software from apps to plug-ins that potentially could be exploited. The Macintosh OS has tons of code from open source that has shown itself less than impenetrable.

Before you flame, I'm not dissing the Mac OS. I use it every day and only use Windoze when paid to (at work) or when bailing out someone I know with a virus-trashed or crashed PC.

Complex systems (and Mac OS X qualifies) open so many possible combinations and interactions of code that there are bound to be vulnerabilities. What is amazing is how well Apple has been able to stay ahead of the game.

Bottom line- although the Mac is a solid OS it is not invulnerable and use your head so as not to be a sucker for socially engineered malware. Nothing you can buy is a replacement for common sense.

Mar 28, 08 - 04:08 am Comment from: HMCIV

Remember Apple boys and girls to always use protection when surfing with strangers. Abstinence is still the best policy but if you must, proper protection and common sense will help protect you against many STDs (Safari Transmitted Diseases).

Gotta go. My PC just contracted Bird Flu.

Jiminy! The sky is falling!

No way would they have got into my Mac.

For example everyone should set up and use a non-Admin user account...

The proper analysis of what is really going on:

http://www.roughlydrafted.com/2008/03/28/cansecwest-and-swiss-federal-institute-of-tech-deliver-attacks-on-the-reality-of-mac-security/

Whilst you can't argue that it was hacked, I find the repeated mention of the 2 minute time period interesting. The people who did this obviously new of the exploit beforehand, new how to make the page and then take advantage of it. I would guess that there was a lot more than 2 minutes work involved.

It's also a little vague as to what they achieved, I don't expect (and wouldn't want) them to release how they did it, but what did they do? Did they control everything, have access to certain areas, what?

I'm not trying to lessen the security threat, but these things are always so vague, yet very specific in their conditions.

Mar 28, 08 - 06:45 am Comment from: R

Yup, RoughlyDrafted explains things very well.

Little has changed, except now the media with drum up their feeding frenzy based on this "independent academic research."

Much money is envolved: Apple has to be retained from taking the whole marked in control!
;X This sort of announcement gives some more years to Windows, Linux and PC sales to go on.

Mar 28, 08 - 09:15 am Comment from: ragarcia

Social engineering that lead to exploits certainly does count as a security threat.

Or, if it doesn't count for OS X then it should not count for Windows either.

Anyway, the question left unanswered is if they are able to gain access to the computer, are they doing so in a way that allows them to destroy/modify its content or is it a simple, "I'm in" kinda thing?

Mar 28, 08 - 09:15 am Comment from: Follower

Why is it that every time I read about one of these contests, there's always something like the line "Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed..."

How about, just once, establishing the rules and sticking to them..? If no one can compromise a computer remotely, then the contest ends with no winners.

But it always becomes "After contestants were allowed to sit in front of the Mac..." This doesn't really impress me. If I have direct access to a Mac, I can see and manipulate its contents using an OS X install disc, and so can everyone else on this forum.

Here we go again with another supposed hacking contest of a Mac. How many times have we heard this story only to find out later that they all CHEATED!!!! I put this story under a BIG FAT FUD ALERT!!!!

Based on what was reported, there is way to much excuse-making on this thread by Apple fans. I'm a fan too, but this is clearly a problem for Apple/Safari that must be fixed. It is simply not acceptable for a hacker to either "gain access" or "take control" of a Mac just because it visits a website. Period.

Mar 28, 08 - 09:40 am Comment from: MacLovin

what? no BS from ZuneTang? I figured he'd have the first post!

Mar 28, 08 - 10:15 am Comment from: JAYGEE

@ MacSheikh - In the meantime, get ready for the "Macs are not secure" crap from losers everywhere.

Yes, lets start now. Macs are not secure!

Mar 28, 08 - 10:34 am Comment from: Reality Check

Spin whatever way like guys. On the first day, no one was able to hack the Windows, Linux or Apple machine. On the second day, with relaxed rules which applied to all three platforms, people could only hack the Apple machine. Whether the hack was pre-prepared or not is immaterial - if they pre-prepared for MacOS they could also pre-prepare for Windows and Linux.

Face facts. MacOS is not immune to attack and this should serve as a warning to us all. But it should also teach us to stop being so smug about Windows - God knows, Vista has its faults, but in the area of security Microsoft has made great strides compared with earlier versions.

Time to smarten up.

Mac heads are going to try to brush this aside like they always do (particularly on this site), but listen to what the winner said: Leopard was CHOSEN because it was the EASIEST to hack. Hear that? EASIEST. "Every time I look for [a flaw in Leopard] I find one." said Miller. "I can't say the same for Linux or Windows."

Hey MDN, what's your smug "take" on that one?

Mar 28, 08 - 11:08 am Comment from: feral

some context

http://www.roughlydrafted.com/2008/03/28/cansecwest-and-swiss-federal-institute-of-tech-deliver-attacks-on-the-reality-of-mac-security/#more-1670

Whatever. Still, in 24 years no security breaches on any of my Macs.

None.

I won't be hacked and I damn sure won't be tricked.

Amen, Mac Fanboy! Well said indeed.

I gotta say, I am worried about Leopard. Tiger is so rock solid. And it was so much more stable and secure on release. I keep hearing and experiencing problems on Leopard that are not consistent will any of my OSX experience beyond 10.1. Now this...

This guy just happens to be the first one up and he chose to hack the Mac.

While that may be true, this wouldn't have worked on a PC. No additional software is allowed to be installed on the computers to be hacked. Since PC's aren't preinstalled with Safari, the vulnerability wouldn't be present on PC's. One quick way to make your Mac safe would be to run Firefox.

MDNMW: own. Are you kidding??

Here's something for the chicken littles to chew on... This isn't the first time that a mac has been overtaken at an event like this or in a lab... But has any mac user just surfing the web ever reported an attack like this? No. I'm thinking "congrats to this guy, but I won't worry about mac security until I get hacked/exploited/whatever by just getting on the web." besides, you know apple will fix it pretty quickly.

Sent from my iPod

Mar 28, 08 - 11:40 am Comment from: Mac-nugget

Every year it seems we get the same old story. First day nobody is able to do it. So they relax the rules the second day to insure some level of success. Where is the excitement and more importantly, the news coverage if no one wins.

Mar 28, 08 - 12:02 pm Comment from: Cubert

As a regular visitor to shady internet sites, this has me worried.

Oh, well. At least my right arm will finally get some rest.