OS X hacked in under 30 minutes

[cute fuzzy bunny]

http://www.zdnet.com.au/news/securit...9241748,00.htm

Interesting article. I wasnt aware that OS X was that swiss cheese holey...

[justin]

OS X = POS ?

[cute fuzzy bunny]

Well, from what i understand one of the biggest problems with it is that it was derived from some older version of unix that didnt get all the good and more recent security fixes.

I was surprised a couple of times yesterday while doing some googling for baby toys to hit some goofy sites that try to invent their content based on your search, that my virus scanner picked up and stopped trojan/exploits that appeared on the pages. Havent had that sort of thing too much over the years, usually just stuff when I'm downloading 'questionable' applications and other executable content.

I wish they'd just make doing this stuff a basic felony and make it easy for people to report it for prosecution.

[Cool Dood]

I don't know why they don't just make Apple a bunch of skins and some extra apps and stuff for Linux... the whole thing would be a helluva lot easier for them...

[ERD50]

http://tinyurl.com/ovwc5

Turns out there were some non-default setups on that Mac OSX server. And remember, these were attacks on a server, not a client (like most of us are when we are on the web):

The web site author had enabled SSH, the Unix "Secure Shell" tool .... so that visitors to the site could add their own shell accounts to the system.

Needless to say, most web servers are not set up with the ability to give out free shell accounts to anyone who wants one. SSH is not even enabled by default on OS X, although server administrators can choose to do so if they wish. So the "hacking" contest was not very indicative of the security of an OS X computer, even a web server, that is set up open to the Internet.

... the real lesson from this contest should be this: security is a non-trivial problem, and simply choosing one operating system or platform over another does not automatically solve the problem with no further thinking required.

So, I'll keep my ears open for reports of actual attacks on users. Until then, I'm feeling pretty safe by just using common sense on the web.

-ERD50

[cute fuzzy bunny]

Thats a good PR story, but the 'hacker' used a not well known hole in OSX to get his access. The SSH availability and the fact that it was a server werent relevant. He also said he had several other plausible approaches to get access if that one was closed.

I hope this isnt taken as some anti-mac attack. I just still keep hearing mac folks saying they dont need firewalls, virus scanners or spyware protection. Read the materials, follow the links, and act prudently.

Plus I havent had a good argument with ladelfina lately.

[ERD50]

Quote:

Originally Posted by Cute n' Fuzzy Bunny I just still keep hearing mac folks saying they dont need firewalls, virus scanners or spyware protection. Read the materials, follow the links, and act prudently.

Well, I have enabled the firewall in OSX, I have a wireless router (which I understand provides some protection in and of itself), but currently, I don't feel any need for virus scanners or spyware protection on OSX. The only people that I know on OSX that do are the ones that are trying to avoid passing Windows viruses to other Windows users.

That could change in an instant though

Act prudently is a requirement indeed - phishing is something that can catch someone regardless of OS - heck, the bad guys can pull that one off over the telephone. No computer required. "Hello, this is your bank calling, and we noticed a problem in your account...."

-ERD50

[Yipee-Ki-O]

While this story doesn't really affect me as I'm still using Windows 98 on an old Dell computer, I wonder about the reliability of the source(s) of this story. CFB has often warned us to look at who has a financial interest in whatever research or study is being touted. I'm not saying that it's not true or that Apple might not have security issues (as I'm the guy that still uses a rotary dial phone I realize technology matters are a bit out of my league ), but the article about this on Yahoo has a lot of quotes from a senior director with Symantec. And I think Symantec has stuff that they'd like to sell to Apple owners.

[cute fuzzy bunny]

Its easy. Every complex machine, especially computers...have exploits and problems.

To think that because you paid extra or that the product is bulletproof or that security through obscurity is a good way to go...do so at your own peril.

In particular with the boatload of press lately on the macs relative obscurity and the low market share not drawing a lot of attention from hackers and whatnot, I would sense a great opportunity for some 15 year old to 'rise above the masses' and be the hacker who 'wiped out the mac community' overnight...

As far as the virus people having a financial angle...yep, you're right...but on the other hand I've never paid for a virus product and given that the virus companies offer essentially free upgrades every year...nobody needs to really buy it more than once.

And it is true that sometimes the virus s/w or firewall s/w itself can be a problem, and sometimes moreso than an errant virus itself. I'd rather my damage be self inflicted most of the time.