
EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
Hehe, at matasano site notice the latest picture, it has plug-ins turned off, javascript turned off, and java turned off.
http://www.matasano.com/log/wp-content/uploads/2007/04/scrshot.png

While the above will keep you safe ..... you may as well not use the browser.

All the features above are needed to get a decent "user experience" and web sites are designed to use them and as such your browser won't do much with them turned off.

To their credit, this is a decent workaround, but ... the attack is not yet in the wild so it is not yet time to do this.

The best workaround is to know where you are going and why you are going there. Avoid sites you cannot trust.

Apple should have a fix soon.
 

Eastend

macrumors 6502
Aug 1, 2004
378
8
Nara, Japan
They gave away $10,000 easily. I'm wondering did they gain root access, if not what did he steal icons, what? All it would really mean is no Browser is truly safe, then again if they were totally safe you probably could not get on the Internet.
 

kroko

macrumors newbie
Nov 4, 2006
22
0
Latvia / Austria
habits

mmkay. supposedly this is not the only big hole in os+safari+inet security, there will be others discovered and... maybe even i accidentally visit such webpage...what would be the best practise to avoid my mac becoming pc??? i'm running mac as only user with admin privileges (for root always sudo). i need that admin access every day- experimenting with several apps, some terminal stuff, websharing, managing ftp access for friends to see my music library, remote ssh login, remote login for controlling private nicecast stream, net batch renders, bla blaa blabla blablabla and blabalalalalalalala... i NEVER would run as a standard user...
this question (naming shorter or longer arguments) in my opinion could be asked from many mac users "running in one admin usermode".
and i couldn't answer that question that easily. njaaaa, this IS a bad exploit discovered. for me, i know that i won't and even i'm not willing to change anything. just my thoughts:)
p.s. maybe i haven't read that carefully the info about hack, but i understood that if a standard user without admin privileges "clicks that link", then it "isn't that bad".
 

Willis

macrumors 68020
Apr 23, 2006
2,293
54
Beds, UK
heh, not hacked in the time frame, allow them access by using an exploit from a URL and then it's possible.. that's making it easier than what the first task was!!
 

enda1

macrumors member
Jul 25, 2006
75
3
Ireland
Does a negative marking relate to the quality/validity of this story/rumour, or to the state of osx's/safari's security?

I am never sure with stories like this...
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
mmkay. supposedly this is not the only big hole in os+safari+inet security, there will be others discovered and... maybe even i accidentally visit such webpage...what would be the best practise to avoid my mac becoming pc??? i'm running mac as only user with admin privileges (for root always sudo). i need that admin access every day- experimenting with several apps, some terminal stuff, websharing, managing ftp access for friends to see my music library, remote ssh login, remote login for controlling private nicecast stream, net batch renders, bla blaa blabla blablabla and blabalalalalalalala... i NEVER would run as a standard user...
this question (naming shorter or longer arguments) in my opinion could be asked from many mac users "running in one admin usermode".
and i couldn't answer that question that easily. njaaaa, this IS a bad exploit discovered. for me, i know that i won't and even i'm not willing to change anything. just my thoughts:)
p.s. maybe i haven't read that carefully the info about hack, but i understood that if a standard user without admin privileges "clicks that link", then it "isn't that bad".

Correct, things can be worse if they gain admin privilege. However .... as a Mac user I would be a little less worried than a PC user.

The more issues they find, the more Apple fixes and we end up with a better OS.
 

dmelgar

macrumors 68000
Apr 29, 2005
1,588
168
Vulnerable web pages will always be a problem. Apple can't do anything if the web site itself was designed in the wrong way which leads to buffer overflows, cross-site scripting, code injection or any other thing. The O.S. is "dumb", as it should be. It is the responsibility of the Web developer to have proper input validations before doing anything with the user-supplied input. This is true for Windows, Macs, Linux, Unix, Mainframes, and Space stations alike :) .
Wow there are some really silly pro-Apple things being said around here.
You're blaming the website developer!? That's the whole point. The website did it on PURPOSE to be able to take over your machine. You the user didn't realize that by just visiting a website your machine could be taken over.
Of course Apple CAN do something about it, in the same way that Microsoft tries to patch countless vulnerabilities in Windows. There's no reason why a buffer flow should happen. It can be protected against.

And this has NOTHING to do with a firewall either. They didn't break in through the network, the webpage was loaded and due to a Safari vulnerability, they were able to get a shell and presumably run whatever they wanted from within the userid running Safari. The shell can then communicate out. The Mac OS X firewall doesn't block outbound network connections.
 

dmelgar

macrumors 68000
Apr 29, 2005
1,588
168
Sorry, but IT IS FUD. They clearly set up "a specially constructed page" for that to happen. If there were no "special pages", there would be NO hack, end of story.

It's obvious that if the exploit is sent out, people may use it for evil purposes; but it's CLEARLY a custom-built security issue, and not a natural one that you can find in any honest website out there. Again: they HAD to set up a special page containing explicit access possibilities to the local machine. This simply does NOT exist in the normal world.
Wow. I am really impressed with these blind apparently unable to read posts showing Apple fanboyism. I had heard of this but never experienced it in such blatant form. Maybe the Mac community really does need a kick with a virus to make them not be so blinded. Apparently the Mac community is too complacent.

I like Mac OS X a great deal. It is a very secure operating system, much better designed than Windows.

But you can't stick your head in the sand and try to ignore a real exploited vulnerability that ships standard with Macs. It's a real exploit, it's serious, it's very easy to occur if you just browse a website.

Blindly stating nonsense that this isn't a real for whatever reason reduced the credibility of the poster and of the Mac community overall.
 

hagjohn

macrumors 68000
Aug 27, 2006
1,869
3,718
Pennsylvania
In other words, this is just a NON-ISSUE...they HAD to lower the bar in order to allow a bunch of hacking kids to enter the machine...read it as "it DOESN'T HAPPEN in the normal world".

Macs remain practically impervious to any attacks in the wild, without need for antivirus or anti-whatever crap. So this news is just ******** FUD, as usual.

GO APPLE!

Just in the past several months.

2007-004 - Apple plugs 25 Mac OS X flaws (the day of the contest)
2007-003 - Apple megapatch plugs 45 security holes
iPhoto 6.0.6 - Subscribing to a maliciously-crafted photocast may lead to arbitrary code execution
QuickTime 7.1.5 - Apple plugs eight QuickTime holes
2007-002 - AirPort Extreme Update
QuickTime 7.1.3 hole(s)
 

dmelgar

macrumors 68000
Apr 29, 2005
1,588
168
I love my MacBook but it has problems just like any other OS.
Actually that's where I'd disagree. All OSes have problems yes, but that doesn't mean you can discount the difference in number and severity of problems.
Just because one vulnerability has been found in Mac OS X doesn't make it as big a security risk as Windows. That's what the Windows folks will say, but they're overblowing it.

Generally Mac OS X is a much safer operating system especially if run as non-admin user than Windows. It's much more difficult to realistically run Windows as a non-admin userid.
 

ortuno2k

macrumors 6502a
Nov 4, 2005
645
0
Hollywood, FL
It's foolish to think that all OS's are immune to any sort of attack.
I'm not surprised by the news; I guess if this MacBook was fully updated (up to the last security update) we'll see another security update soon addressing this.
Despite the discoveries, the Mac is STILL WAY better by miles and miles than Windows.
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
Yes, the majority of the sites that infect you have been designed that way.

There are other sites however that due to security flaws, get modified by hackers to accomplish the same end.

A lot of the issues you see are due to bad programming habits and rushing to market. Most programmers also have not taken courses on how to write safe code. This is not their fault, there are not many classes on this. We offer our programmers internal classes and if they follow what they learned they do well.

Most attacks can be prevented. Buffer overflows result because people do not check the length of their inputs before they try to store them in a smaller buffer. This results in overwriting other areas of memory, which sooner or later results in a failure. The failure, if studied by a hacker, may result in the hacker finding out what exactly to write into memory to take over the process.

Cross site scripting and many other issues result because the programmer does not check its inputs to only contain valid and expected characters. Some characters like <>/%;'\"@#$!^&(){} can be used to construct scripts that your customers' browsers end up processing. Sometimes these characters are needed by the application and some must be allowed in, but you can encode them so they lose their meta character value and become ineffective.

Most problems you see are vulnerabilities put there by the programmers that later are taken advantage of by the hackers.

If the weakness was not there, the hacker could not use it.
If you follow the following you eliminate the majority of the issues:
1) Always perform data validation on all inputs that could have been modified by a hacker, for example: http headers, cookies, hidden fields, drop down boxes, type in fields, the query string, post parameters, etc.
2) Do not assume that the hacker is outside, he could be inside your internal network also.
3) When conducting data validation always perform the following steps in order:
a) null check
b) minimum length check
c) maximum length check
d) Optional (range check)
e) character checks like for example [a-zA-Z0-9]{5,12}

To use SSN as an example .... it could be null (not entered), it could have a min length of 0 or 9 and it could have a max length of 9 or 11 if - is allowed, and it should only be numeric unless - is allowed.

If you perform checks (very specific to the fields and how they are used) like this your applications will have a lot less weaknesses.

Obviously this does not cover other issues but it does cover the #1 issue found in code.

Hope this helps.
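
An added example, not part of the original post: one way to apply the validation order listed above (null, minimum length, maximum length, optional range, characters) together with the encoding of meta-characters, in Python. The rule names, the SSN pattern, the quantity field and all sample inputs are constructed for illustration.

```python
import html
import re
from dataclasses import dataclass
from typing import Optional, Pattern, Tuple


@dataclass(frozen=True)
class FieldRule:
    """Per-field rule; every name here is hypothetical, not from the post."""
    name: str
    required: bool
    min_len: int
    max_len: int
    pattern: Pattern[str]                          # allow-list, step e
    value_range: Optional[Tuple[int, int]] = None  # optional step d


def validate(rule: FieldRule, raw: Optional[str]) -> Tuple[bool, str]:
    """Run the post's checks in order; return (accepted, failed_step)."""
    # a) null check: an absent or empty value passes only for optional fields
    if raw is None or raw == "":
        return (not rule.required, "null" if rule.required else "ok")
    # b) minimum length
    if len(raw) < rule.min_len:
        return (False, "min length")
    # c) maximum length, checked before any parsing or regex work
    if len(raw) > rule.max_len:
        return (False, "max length")
    # d) optional range check; a value that does not parse is out of range
    if rule.value_range is not None:
        low, high = rule.value_range
        try:
            number = int(raw)
        except ValueError:
            return (False, "range")
        if not low <= number <= high:
            return (False, "range")
    # e) character check: fullmatch() anchors both ends, so a trailing
    #    newline or appended markup cannot slip past the allow-list
    if rule.pattern.fullmatch(raw) is None:
        return (False, "characters")
    return (True, "ok")


def encode_for_html(value: str) -> str:
    """Encode meta-characters that must be allowed in, so a browser
    renders them as text instead of interpreting them as markup."""
    return html.escape(value, quote=True)


# Constructed rules. USERNAME uses the post's pattern; SSN follows its
# description (optional, 9 digits, or 11 characters with dashes).
USERNAME = FieldRule("username", True, 5, 12, re.compile(r"[a-zA-Z0-9]{5,12}"))
SSN = FieldRule("ssn", False, 9, 11,
                re.compile(r"[0-9]{9}|[0-9]{3}-[0-9]{2}-[0-9]{4}"))
QUANTITY = FieldRule("quantity", True, 1, 3, re.compile(r"[0-9]{1,3}"), (1, 100))

if __name__ == "__main__":
    samples = [(USERNAME, "alice01"), (USERNAME, "alice<1>"), (USERNAME, None),
               (SSN, ""), (SSN, "123-45-6789"), (SSN, "12345-6789"),
               (QUANTITY, "500")]  # constructed inputs
    for rule, raw in samples:
        print(rule.name, repr(raw), validate(rule, raw))
    print(encode_for_html("<b>\"Tom\" & 'Jerry'</b>"))
```

The rules are per field on purpose: a pattern that is right for a username is wrong for an SSN, and encoding is applied at output time to values that had to keep their meta-characters.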
 

SMM

macrumors 65816
Sep 22, 2006
1,334
0
Tiger Mountain - WA State
Wow. I am really impressed with these blind apparently unable to read posts showing Apple fanboyism. I had heard of this but never experienced it in such blatant form. Maybe the Mac community really does need a kick with a virus to make them not be so blinded. Apparently the Mac community is too complacent.

I like Mac OS X a great deal. It is a very secure operating system, much better designed than Windows.

But you can't stick your head in the sand and try to ignore a real exploited vulnerability that ships standard with Macs. It's a real exploit, it's serious, it's very easy to occur if you just browse a website.

Blindly stating nonsense that this isn't a real for whatever reason reduced the credibility of the poster and of the Mac community overall.

First of all, there is no 'Mac community'. There are many Mac users, but they are all individuals with their own lives and opinions. Perhaps, they share some things in common (most use Macs), but to lump them into a single common entity is shortsighted.

I do not know where the term 'fanboy' came from, but I wish it would go back there. Its use is right out of Fox News.

I have read many of the posts under this thread, and similar ones before. Most people (not trolls) have a pretty realistic view of Unix/Mac security. I cannot speak for anyone except myself. But, I do not understand the motives for having a $10K reward, with dynamic system environments, to see who/when the Mac can be exploited. I understand it even less when it becomes a gleeful public proclamation that a significant earth-shattering event has taken place. Why?

If this is a way to raise awareness of system vulnerability, why not just go to Apple, and the other manufacturers involved? They are the only ones that can resolve the issue. That would be of benefit to everyone, and would not be a platform attack. It would also not provide any ammunition for the loathsome garbage involved with exploits.

I remember when the first Vista exploit was announced. I had the same opinion then. I have issues with MS, but I certainly do not want Windows users to suffer from attacks either.

All computer users are in the same boat. When our computers are exploited, we are being assaulted and victimized. Some of the perpetrators are just pimply-faced, snot nosed punks. They cannot score with women, so they take it out on everyone. The rest do it for profit.

There are many bad people in the world. There is a very old saying, "People will do anything for money". I suspect this was coined within a week of there actually being money. My gut feeling is that 99% of the money involved with computer security actually goes to preventing it. I doubt that the damage is 1%, or less. It is a multi-Billion dollar industry. That is where the money is.

So, if someone is profiteering on exploits, it is the SW security companies; McAfee, Norton, CA, Trend Micro and the rest. Then there are the quiet, behind the scenes, network security companies. These are the ones who actually have provided code, and programs, for at least one of the Rootkits. Of course they did all this in SE Asia, away from US law.

Bottom line: We users should be fighting exploits as a unified group. It is already out of hand and is getting worse. We need to get some of our sharpest minds working on this. We need to get some better control over this before the government comes in and does it themselves.
 

winmacguy

macrumors 68020
Nov 8, 2003
2,237
0
New Zealand
update VANCOUVER, B.C.--Shane Macaulay just got himself a free MacBook.

Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple's Safari browser. The computer was one of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the CanSecWest conference here.
[Photo: Hack-a-Mac winner Shane Macaulay attacks a MacBook at the CanSecWest conference. Credit: Joris Evers]

The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.

Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said.

"The vulnerability and the exploit are mine," Dai Zovi said in a telephone interview from New York. "Shane is my man on the ground."

Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."

Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said. TippingPoint runs the Zero Day Initiative bug bounty program.
http://news.com.com/2100-7349_3-6178131.html
 

hagjohn

macrumors 68000
Aug 27, 2006
1,869
3,718
Pennsylvania
There have been at least 80 vulnerabilities plugged by Apple this year alone.

Does OSX have better record than MS or Linux.. sure, but then again a vulnerability is a vulnerability in my book and it only takes 1 to get you. Just because something is safer doesn't make you safe.

Actually that's where I'd disagree. All OSes have problems yes, but that doesn't mean you can discount the difference in number and severity of problems.
Just because one vulnerability has been found in Mac OS X doesn't make it as big a security risk as Windows. That's what the Windows folks will say, but they're overblowing it.

Generally Mac OS X is a much safer operating system especially if run as non-admin user than Windows. It's much more difficult to realistically run Windows as a non-admin userid.
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
But, I do not understand the motives for having a $10K reward, with dynamic system environments, to see who/when the Mac can be exploited. I understand it even less when it becomes a gleeful public proclamation that a significant earth-shattering event has taken place. Why?

I have been to many of these types of conferences; I usually go to the BlackHat conference, which is attended by a very large community.

At the BlackHat conference, you pay in cash for the conference, they do not take or log your name, it is attended by security professionals, bad hackers (crackers), the FBI, CIA, NSA, you name it. Some are good guys, some are bad guys.

Over 60 percent of the participants are using a Mac, a lot of those walking around with PC laptops end up having to reload Windows because the participants are hacking for fun.

Some of the individuals speak and demo new hacks, each of them has already been revealed to the product vendor shortly before the conference. Then they are presented to the rest of the conference. I was there when they were demoing the wireless one last year.

They have all sorts of competitions like hacking electronics, hacking OS, making a computer into a beverage (beer) cooler, and a fun one called "spot the fed" where you state who do you think is a federal agent and you proceed to present your evidence.

It is a very wacko and fun conference, over 60 percent of the participants are under 30, and the conference starts at 10 am and runs until midnight. There is very little sleeping. Long hair, bears, beer guts, sandals are the norm.

There are usually 1 or 2 rooms with a bunch of computers, routers, switches and stuff all set up for you to hack into. There are also monitoring systems recording all the packets so they can study how you did your hack.

Observing what a hacker did (forensics) to get to the goal is a well worth it experience as it shows his approach and you can start getting an idea of how his mind works. It is a great learning experience.

They pay to create an incentive for hackers to hack and demo their technique so they can learn, so that products like Norton and others can build protection for it (before it goes in the wild). People that sell IDS systems and Application firewalls love these conferences and consider them a way to learn and a way to make their products better.

If you ever go to the conference bring your Mac and shutdown your virtual windows or you will be owned as soon as they discover you.

In summary, hackers (good and bad) get together to have fun, learn from each other and compete.

I'm going to try to go this year again.

PS. If you want to go: http://www.blackhat.com/html/bh-link/briefings.html
 

bretm

macrumors 68000
Apr 12, 2002
1,951
27
This kind of stuff makes me laugh. :rolleyes:

Ok people, try and break into the house. By the way, we've left this window open and the alarm is switched off. :rolleyes:

RULE CHANGE:

If that's too hard for you there's a key under the doormat.

And if by the 4th day the computer hasn't been hacked, filesharing will be turned on with no passwords applied.
 

Shanesan

macrumors 6502
Jul 29, 2006
476
259
At least there aren't any flaws in the mouse pointer which let hackers take control of your computer.

Am I right or am I right?
 

Ries

macrumors 68020
Apr 21, 2007
2,330
2,918
Thank you. This is exactly how I feel about the contest.

Step 1: All windows and doors are locked. Alarm is activated.

What? Nobody broke in?

Step 2: Alarm is now off and at least one window or door is now unlocked.

Hahahaha!!!!! We broke into your precious Beverly Hills home!! You said nobody could break in.

I always knew OS X would be vulnerable to some degree if I turned any or all security off. That's just stupid.

They didn't turn off the alarm or unlock anything. They kept the house fully alarmed, locked and added the owner inside opening his newspaper which causes the front door to unlock.
 

ppnkg

macrumors 6502a
Jul 29, 2005
510
6
UK
So now there are mac hacking contests. I think this business is going to be further fuelled by apple's ad campaign about mac's security strengths, and this is only bad news to me.
 

SPUY767

macrumors 68020
Jun 22, 2003
2,041
131
GA
We don't know if this hack is effective across the firewall in your router, or the firewall provided by your ISP, so this test is null and void. Of course, if you have a rogue in your business, and he puts this hack on a page that resides on your company's intranet, you're screwed!
 

Ries

macrumors 68020
Apr 21, 2007
2,330
2,918
We don't know if this hack is effective across the firewall in your router, or the firewall provided by your ISP, so this test is null and void. Of course, if you have a rogue in your business, and he puts this hack on a page that resides on your company's intranet, you're screwed!

IT'S A FRIKIN' WEB PAGE. Unless your router or firewall blocks ALL your access to the internet so you can't visit a web page in the first place, you'll get infected with whatever the hacker wants. A router routes traffic and a firewall blocks connections. This is no different than the IE's bugs that caused millions of spyware and other infections. So please STOP using words you have no idea of what means.
 