http://www.businessweek.com/print/technology/content/mar2006/tc20060308_032391.htm

By Arik Hesseldahl
Byte of the Apple
MARCH 8, 2006

To maintain public confidence in its operating system, Jobs & Co. should consider hiring a security czar.

The second potentially major Mac security incident in as many weeks has thankfully been debunked. Earlier this week I wrote a blog entry about a Mac Mini owner in Sweden who configured his machine as a server and challenged hackers to gain access to it. The Mini was -- as hackers like to say -- "owned" only 30 minutes after the challenge started.

By "owned," I mean rooted. An outside attacker, through a remote Internet connection, was able to get "root" access -- the highest and most powerful level of administrative access on a Unix-based computer (which Macs running OS X happen to be). Root access gives the bearer free rein on a machine, no questions asked. Files can be altered or deleted. Accounts assigned to other users can be changed or deleted altogether.

The potential for misuse of the privilege has caused Apple to ship its machines with root access disabled by default. Root can be re-enabled only through a series of technical contortions understood by advanced users. Even so, the Swedish attacker said he succeeded with an "unpublished" exploit -- a method that hasn't been publicly documented.

If your Mac is connected to the Internet all day, as mine is, you can see the fright such news might generate. It's like knowing a criminal gang has a master key to your home and thousands of others, and that the only defense you really have so far is that they haven't found you yet.

BIASED STUDY. That is, if it were true. It turns out the original reports weren't forthcoming with all the facts. The person who "rooted" the Mac already had a user name and password, as if he were a regular day-to-day user. In fact, having an account on this Mac was a prerequisite to taking part in the challenge.
From there, the person used some method -- most likely having to do with weaknesses in the Unix underpinnings of the Mac operating system -- to gain escalated access. These kinds of "privilege escalation" vulnerabilities have cropped up on the Mac over the years and date back decades to FreeBSD, the variant of Unix on which Mac OS X is based. But remember, you can't take advantage of this type of vulnerability unless you already have access to the machine -- which implies having been given permission for that access in the first place.

The pseudo break-in and misleading reports didn't sit well with Dave Schroeder, a network systems engineer and Mac enthusiast at the University of Wisconsin in Madison. He's been outspoken on the issue of Mac security, portraying recent reports as overblown. So he set up his own challenge, inviting the world to hack a Web page -- the very page he used to tell the world about the challenge -- running on a Mac Mini he set up as a Web server.

His challenge mirrored the one in Sweden, with one critical difference: No one would have an account on the machine. They'd be locked out and therefore would have to break in. His aim was to demonstrate the flaws in the Swedish test, and provide a more realistic test of Mac security. The tech news site Slashdot picked up news of the challenge and quickly spread the word.

A NEW CHALLENGE. Attacks on the machine surged. It recorded more than 4,000 login attempts, and Web traffic to it spiked to 30 megabits per second. Half a million people visited the Web site (http://test.doit.wisc.edu/). That little Mac Mini was one busy server, but it remained online.

Most of the network traffic conveyed attempts to break in: Web exploits seeking a wedge into the machine via the public page; dictionary attacks, which make repeated guesses at passwords at high speed; and a scanning tool known as Nessus, software that scans for known vulnerabilities.
The machine even came under what's known as a denial of service attack, in which an attacker hammers a machine with thousands of requests for information in an attempt to overwhelm the server and thus create an exploitable weakness.

For 38 hours, nothing worked. The Mac Mini held its ground against the worst that the multitudes could throw against it. The contest ended earlier than originally planned and even appears to have gotten Schroeder in trouble with his employer, since it wasn't sanctioned by the university. I'm hearing he may face some kind of disciplinary action. The University of Wisconsin apparently isn't interested in such a real-world ad-hoc test, no matter how successful and harmless it proved to be. Schroeder wasn't available for comment.

This illustrates changing perceptions about Mac security. The Mac is increasingly on the radar screen of people who have long ignored it and who, for whatever reason, want to find the chinks in as-yet virtually impregnable armor. And while it may indeed be a more secure system than anything put out by Microsoft (MSFT) and its many hardware partners including Dell (DELL), Hewlett-Packard (HPQ), Gateway (GTW) and others, the level of attention can only increase. Hackers love nothing more than a difficult challenge -- which Windows ceased to be a long time ago.

SOWING FEAR. And as Apple Computer (AAPL) gains attention for its innovation, superior software and so far relatively airtight security, people in the media -- including myself -- will be watching with interest and not a small amount of anxiety for the moment when the first really nasty and widespread Mac security vulnerability shows up. Until that happens, even little hiccups are going to trigger an avalanche of negative publicity. Uninformed media sources will do what they do best -- sow fear, uncertainty, and doubt.
And the first time a really big Mac security incident occurs it will cause some people who are considering a Mac over a cheaper Windows-based system to change their minds. Vulnerabilities in Windows are so common they don't really make the news anymore. But a large-scale, widespread incident on the Mac could badly wound Apple's reputation.

LOCK DOWN. It's for this reason that I think the time has come for Apple to consider doing what many other companies like IBM (IBM) and Oracle (ORCL) have: create a position of chief security officer. This person would be a well-known computer security expert, ideally from outside Apple, who would wave the flag for all things related to Mac security, debunking myths, correcting the record, and providing a public face when issues crop up.

And when something does go wrong -- and I think eventually something will -- he or she would be Apple's ombuds officer evaluating what failed, where, when and how, and then take responsibility for seeing that it's fixed, reporting on the matter to CEO Steve Jobs, Apple's board of directors, and (where appropriate) its shareholders and customers.

I talked briefly with Apple's Bud Tribble, vice-president of software technology. He called my idea a "good suggestion" but said the company would be reticent to assign security issues to any single individual, and that the responsibility of a CSO instead tends to rest with everyone. "For pretty much all the senior people at Apple, security is one of the top jobs on their list," he says. "When we think about security and how we design software, the basic approach is to make it as secure as possible, because most people really aren't security experts. We try to make sure things are pretty well locked down out of the box."

CONFIDENCE BUILDER. While the Mac's Unix underpinnings suffer from the occasional vulnerability, they still present a security advantage, Tribble says. "Unix is sort of a kid that grew up in a tough neighborhood," he says.
That neighborhood was a networked environment where people were constantly trying to figure out tricks to log into the system. So over the decades, lots of holes have been plugged. You can't say that about Windows.

And I admit, creating a CSO position may be viewed by some as an admission of weakness. Still, I say it would be a good way for Apple to inoculate itself against the perception -- warranted or not -- that Mac security may be eroding, and get ahead of the curve for any troubles that may be inevitable. That may not be the case, but in matters related to product marketing, it's the public perception, not the reality that really matters. And once you've lost a user's confidence, it's hard to get it back. Just ask Microsoft.