Feel Safe?
The folks who believe their Apple computers are much safer than computers running Microsoft operating systems might want to take note of this item. At the latest CanSecWest security conference it took someone exactly two minutes to break through Apple's much-vaunted security and take control of the computer.
Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.
(Charlie) Miller, best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.
He was the first contestant to attempt an attack on any of the systems.
Miller was quickly given a nondisclosure agreement to sign and he's not allowed to discuss particulars of his bug until the contest's sponsor, TippingPoint, can notify the vendor.
Interesting that they did not try to offer to give prizes for hacking a Linux system. I'd be interested if they did. But this does show that there is a real crisis coming in computing whether people realize it or not. It is coming very quickly, too.
By bill-tb, March 28, 2008 @ 3:55 am
UNIX/Linux requires you grant permissions to execute a program, any program. When you set up the user space, you can further restrict those execute permissions. Like with global warming, ignorance of the user is the key to exploitation. When I set up a computer for just a user, that user’s execute permissions are limited to user space, so no system functions are exposed to that user. There is Security Enhanced Linux that will further restrict user operations with mandatory access controls. I usually have multiple accounts on the same machine, one with a user restricted, and the other for system maintenance with fewer restrictions. I then switch back and forth. Most Linux systems have a ‘fast user switch’ mechanism, but I doubt many use it. All of my systems have secure passwords, another secret to security, proper passwords. You can also set user programs to run in "security walled gardens" with programs like AppArmor. AppArmor represents one of several possible approaches to the problem of restricting the actions that installed software can take. I use AppArmor for Firefox and Thunderbird to restrict these programs so even if I go to a web page or get an email with buried security compromises, they cannot execute. Part of the problem is manufacturers don’t want to burden users with security, so they ship the OS with most of the security features disabled. Apple does this for the most part — But no reason they can’t lock the system down. UNIX-BSD generally has the best security features … The differences are small, but important. But I do agree, we are so screwed here.
By bill-tb, March 28, 2008 @ 6:19 am
I wonder why your WP does not recognize paragraph breaks … odd. Sorry for the big mess. Here is a new line, see what happens.
By crosspatch, March 28, 2008 @ 8:56 am
Apples were more secure until they switched to the same Intel processor that Windows machines use. Not many hackers wanted to learn machine language programming in a different processor. It was the alternative microprocessor that gave Apple its security.
By martian, March 28, 2008 @ 12:59 pm
Anything one man can devise, another man, somewhere, can hack. This is a simple truth. Nothing is 100% secure unless it has no connections – not with a network of any kind, not with the internet. Only complete isolation will ever make a computer completely safe – until someone breaks into the room where it sits and hacks it manually.
By sam, March 28, 2008 @ 3:44 pm
I got a laugh when I read about the Apple hack, but it was a fatalistic laugh. I run XP and Firefox at home, so I’m probably even more hosed than the Mac folks are.
By Gaius, March 28, 2008 @ 4:43 pm
Bill, it’s a WYSIWYG editor – it doesn’t take html code at all. If you want to paragraph break, just do a return.
like this.
or this. <p> (I inserted an html paragraph code just before I typed this part.)
By Steev, March 28, 2008 @ 4:44 pm
Crosspatch-
The processor argument is flawed. It’s the OS, not the processor, that sets the security.
Anyway-
Nobody is claiming OS-X is invulnerable. But the fact remains, it’s still a much safer OS than Windows or Vista.
Here’s a good article on this subject-
http://www.roughlydrafted.com/2008/03/28/cansecwest-and-swiss-federal-institute-of-tech-deliver-attacks-on-the-reality-of-mac-security/#more-1670
“It is an uncontroversial fact that Windows PCs suffer under the threat of tens of thousands of real world viruses, are routinely infected by malware and often unwittingly participate in spam and adware botnets, while Mac systems have no viruses, and no significant real world malware, spyware or botnet problems.”