Jump to content

Mac easiest to hack, says $10,000 winner


colinian

Recommended Posts

In the "PWN to OWN" hacker challenge at CanSecWest, a security conference that wraps up today in Vancouver, British Columbia. For his efforts, he got the computer and a $10,000 cash prize.

Here's the link to the print version of the story on the ComputerWorld Security website: http://www.computerworld.com/action/articl...ticleId=9072959.

Colin :shock:

Link to comment

There have been a number of security people pointing this out over the years. The primary reason the Mac has been more or less untouched by the hacker community was its market share relative to the Windows community. If you're going to spend time trying to rip people off or just be destructive for the heck of it, you'll want to get the most bang for your hacking buck, so to speak. As a result, Apple has gotten a bit of a free ride, relatively speaking, for a long time.

Abraxas

Link to comment

Naaa, all they did was hack into Safari on the web. It's just as easy to hack into IE7 and a dozen other browsers. This is old news.

This security hole has since been plugged, but there's always going to be security issues when you're on the net, and/or on a website. Once a port's open, scripts are running and so on, bad things can happen.

Hell, I just heard about a virus that can be spread through PDF files. That's pretty sad that you can't even trust one of those.

Link to comment
Naaa, all they did was hack into Safari on the web. It's just as easy to hack into IE7 and a dozen other browsers. This is old news.

This security hole has since been plugged, but there's always going to be security issues when you're on the net, and/or on a website. Once a port's open, scripts are running and so on, bad things can happen.

Hell, I just heard about a virus that can be spread through PDF files. That's pretty sad that you can't even trust one of those.

Well, I guess that Apple screwed up the fix because this was accomplished on Thursday of this week by hacking into a brand-new MacBook Air (hands-on and not over the web) running under the latest version of Mac OS X, 10.5.2, with the latest version of Safari, 3.1, and all the latest security patches applied.

What this shows is that once people decide that attacking OS X and Safari will be fun and/or profitable the Mac won't be any less vulnerable than Windows PCs.

Colin :razz:

Link to comment

One of the frustrations I've felt for quite a while now, is that the punishment and even recovery for crimes has not been commensurate with the cost to the victims, but only to the gain of the perpetrator. As an example, we had a church hall which was attacked by metal thieves. With the higher prices for metals, these are happening a lot. The church lost what amounted to about $50 worth of copper for the thieves, but it cost them something like $3000 to fix the damage to the walls, wiring, and plumbing. That was another case in which 100 meters of telephone cable was cut off some poles, and it plunged some 10,000 people, including 9-1-1 service and other emergency services into communications blackout. The damage was huge, but if they had been caught, they could have gotten off with a slap on the wrist, so to speak.

I think hackers need to be put into this same category. They should all be charged according to the cost of fighting them. In other word, add up the millions and even billions in security costs worldwide, and charge each perp with theft over $1M. Either that, or reclassify them as terrorists, because they truly are exactly that..

Link to comment
They should all be charged according to the cost of fighting them. In other word, add up the millions and even billions in security costs worldwide, and charge each perp with theft over $1M.

The only problem is, I think the reality is that most hackers causing this damage are nerds under 25 years old who have a lot of free time and very little money. The other reality is, if these guys were getting laid, they wouldn't be wasting their time hacking.

And to Colinian: if you follow Steve Gibson's Security Now podcasts, you would understand why Mac OSX is more secure than either Vista or XP. The underlying permissions structure of OSX helps a lot towards that, but any other vulnerabilities are tied to specific browsers. If you avoid dangerous browsers (and I would say IE is ten times worse than Safari), you're that much safer.

Gibson is a good arbiter of the relative strengths and weaknesses of Mac OSX and Windows, and his judgement is pretty sound (though some of his audio commentaries are as dull as dishwater). Both Steve and co-host Leo Laporte have championed the Mac as being much safer than Windows overall for years, and it's still true today. But the reality is that everything is ultimately vulnerable.

Also, keep in mind I own four or five Windows XP machines in my house and use them occasionally. It's just that we use the other five or six Macs more often. I don't consider myself prejudiced either way, and often hate them both. I just hate the Mac less.

Link to comment

Here's where I parade my ignorance for all to laugh at.

On this subject I'm the worst of forum posters: the man with little knowledge but much curiosity.

I don't have a great deal of personal understanding of the workings of OS's but I've read what other cleverer people think. I can well appreciate that Windows would not be particularly secure because of the haphazard way it's developed over the years, and the emphasis on function over security. Tracing the history of Windows from v1 to Vista shows it was originally bolted on to a single-tasking text-based OS that was hopelessly inadequate for the task. And subsequent versions retained sections of code from the earlier versions....

Similarly IE is full of security holes, but other browsers such as Firefox are less insecure.

I'm told Linux is a vastly more secure OS because it was developed from the ground up with 'proper' principles of security etc. And I'm told Mac OSX, like Linux, has its roots in Unix and is similarly secure. Not that either OS is proof against viruses, but that it's more difficult to write a virus that gets past the OS's defences.

So I guess there are two reasons that viruses (virii?) attack Windows. One is that Windows is an easy target - insecure - and the other is that 95% of the worlds computers are running Windows so you can do more damage by spreading a Windows virus.

Is it not logical, then, that both OSX and Linux need protection against viruses and other threats, just as much as Windows, on the basis that one virus can destroy your machine just as effectively as 100 virii?

Bruin who one day will dump Windows and put Linux on all his machines. One day...

Link to comment
Is it not logical, then, that both OSX and Linux need protection against viruses and other threats, just as much as Windows, on the basis that one virus can destroy your machine just as effectively as 100 virii?

At the moment, there's only been one or two major Mac OSX viruses, and Apple actually patched the holes before anything major happened. Keep in mind that OSX is built on Unix, so it has all of the safeties (and some of the flaws) of that older operating system.

One can make a good argument that the only reason Macs have had fewer viruses, trojan horses, worms and so on is simply because the nutcase hackers would rather terrorize 90% of the computer world (Windows) instead of less than 10% (OSX). Also, there are far more Windows-savvy programmers in the world than Mac. So it's not so much that Macs can't be hacked; it's that it's easier to do it in Windows.

BTW, note that a Mac running Windows (as I do all the time) can easily get infected. In our case, though, we can reformat the Windows partition and get back up and running in a couple of minutes, assuming we have backups.

Link to comment
On this subject I'm the worst of forum posters: the man with little knowledge but much curiosity.

Not so. The worst forum poster is the one with little knowledge but much TO SAY.

I was warned when I got my Mac that the greatest vulnerability known at that time was receiving and opening a doc file or xls file with the installed MS Word or MS Excel programs. That is was not the computer so much at risk as the MS programming in it. One more good argument for Open Office. Mind you, I'm quickly becoming attached to my "Pages" program, the latest Apple word processor.

Link to comment
I was warned when I got my Mac that the greatest vulnerability known at that time was receiving and opening a doc file or xls file with the installed MS Word or MS Excel programs.

Yeah, there's some Word and Excel macros that are cross-platforum. Go up to the Word Security settings menu, go to "Macro Security" and turn on "Warn before opening a file that contains macros." Ditto with Excel.

If you want to be really paranoid, you can also disable all Java scripts with web browsers, because those are a potential source of trouble, too, but that breaks a lot of websites.

As to Pages, choosing a word processing program for a writer is a religious issue. I tried Pages, but it was too damned weird for me. I opted back for Word, simply because it's familiar and it's "the devil I know." But I did take Word 2008 and change a lot of menus back to more closely-resemble the traditional Word's look. Tradition, you know.

Link to comment

Pages is more like the old MS Publisher, but much better, AND you can save in various formats, unlike Publisher. I have already disabled the macros, but thanks for the suggestion. :)

Link to comment

InfoWorld Today's Headlines [newsletters@ifwnewsletters.newsletters.infoworld.com]

Is there Mac Trojan malware?

SOPHOS WARNS OF MAC TROJAN MALWARE

Security consultant Sophos is warning of the appearance of

money-grabbing Trojan Horse malware aimed at Macs

More of this article at:

http://www.infoworld.com/article/08/03/31/...;cgd=2008-03-31

Colin :icon_geek:

Link to comment
  • 1 month later...

They fixed that issue with a patch after the contest, , Obviously apple needs to step up more

I have a firewall and a anti virus set up on my mac pro, cannot just have nothing to protect the computer.

Also when it comes to what Colin put above, look at the address, like with case where you go to your email account, people send you a thing saying there the bank, it's not at all, banks use https. for secure reasons.

I haven't used pages, but one thing, I hated publisher, it's no indesign or quark, doesn't have the right features.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...