“To maintain public confidence in its operating system, Jobs & Co. should consider hiring a security czar,” Arik Hesseldahl writes for Forbes. “The second potentially major Mac security incident in as many weeks has thankfully been debunked. Earlier this week I wrote a blog entry about a Mac Mini owner in Sweden who configured his machine as a server and challenged hackers to gain access to it. The Mini was — as hackers like to say — ‘owned’ only 30 minutes after the challenge started. By ‘owned,’ I mean rooted… If your Mac is connected to the Internet all day, as mine is, you can see the fright such news might generate… That is, if it were true. It turns out the original reports weren’t forthcoming with all the facts. The person who “rooted” the Mac already had a user name and password, as if he were a regular day-to-day user. In fact, having an account on this Mac was a prerequisite to taking part in the challenge. From there, the person used some method — most likely having to do with weaknesses in the Unix underpinnings of the Mac operating system — to gain escalated access.”
“These kinds of ‘privilege escalation’ vulnerabilities have cropped up on the Mac over the years and date back decades to FreeBSD, the variant of Unix on which Mac OS X is based. But remember, you can’t take advantage of this type of vulnerability unless you already have access to the machine — which implies having been given permission for that access in the first place,” Hesseldahl writes. “The pseudo break-in and misleading reports didn’t sit well with Dave Schroeder, a network systems engineer and Mac enthusiast at the University of Wisconsin in Madison. He’s been outspoken on the issue of Mac security, portraying recent reports as overblown. So he set up his own challenge, inviting the world to hack a Web page — the very page he used to tell the world about the challenge — running on a Mac Mini he set up as a Web server… For 38 hours, nothing worked. The Mac Mini held its ground against the worst that the multitudes could throw against it. The contest ended earlier than originally planned and even appears to have gotten Schroeder in trouble with his employer, since it wasn’t sanctioned by the university. I’m hearing he may face some kind disciplinary action. The University of Wisconsin apparently isn’t interested in such a real-world ad-hoc test, no matter how successful and harmless it proved to be. Schroeder wasn’t available for comment.”
“Uninformed media sources will do what they do best — sow fear, uncertainty, and doubt [FUD]. And the first time a really big Mac security incident occurs it will cause some people who are considering a Mac over a cheaper Windows-based system to change their minds,” Hesseldahl writes. “Vulnerabilities in Windows are so common they don’t really make the news anymore. But a large-scale, widespread incident on the Mac could badly wound Apple’s reputation. It’s for this reason that I think the time has come for Apple to consider doing what many other companies like IBM and Oracle have: create a position of chief security officer.”
Full article here.
• Apple’s brand new iPod Hi-Fi speaker system. Home stereo. Reinvented. Available now for $349 with free shipping.
• Apple’s new Mac mini. Intel Core, up to 4 times faster. Starting at just $599. Free shipping.
• MacBook Pro. The first Mac notebook built upon Intel Core Duo with iLife ’06, Front Row and built-in iSight. Starting at $1999. Free shipping.
• iMac. Twice as amazing — Intel Core Duo, iLife ’06, Front Row media experience, Apple Remote, built-in iSight. Starting at $1299. Free shipping.
• iPod Radio Remote. Listen to FM radio on your iPod and control everything with a convenient wired remote. Just $49.
• iPod. 15,000 songs. 25,000 photos. 150 hours of video. The new iPod. 30GB and 60GB models start at just $299. Free shipping.
• Connect iPod to your television set with the iPod AV Cable. Just $19.
Related MacDailyNews articles:
Apple Mac remains ‘unhacked’ as University of Wisconsin’s Mac OS X Security Challenge ends – March 08, 2006
Mac OS X ‘unhacked’ over 24 hours and counting in genuine security challenge – March 07, 2006
University of Wisconsin launches bona fide Mac OS X Security Challenge – March 06, 2006
Mac OS X ‘hacked in under 30 minutes?’ Why Mac OS X security is all the rage recently – March 06, 2006
Spate of recent Mac security stories signal that Microsoft, others getting nervous – March 06, 2006
Apple Mac OS X clearly offers superior security over Microsoft Windows – March 02, 2006
Apple Mac OS X has a lot more vulnerabilities than Windows XP? – February 28, 2006
Enderle: Security vendors see Apple as next big opportunity – February 28, 2006
As Apple Mac grows in popularity, will security issues increase? – February 27, 2006
The Idiot’s Guide to Mac Viruses For Dummies 101 – February 24, 2006
Wired News: ‘Mac attack a load of crap’ – February 22, 2006
Report: Apple developing fix for automatic execution of shell scripts – February 21, 2006
Ars Technica: Fears over new Mac OS X ‘Leap-A’ trojan pointless – February 20, 2006
Atlanta Journal-Constitution asks: Is ‘Mac virus’ all just propaganda from Mac haters? – February 20, 2006
Mafiasoft: Microsoft to charge $50 per year for security service to protect Windows – February 07, 2006
ZDNet Australia publishes latest Mac OS X security FUD article – January 26, 2006 (Kotadia)
IDC: Apple Mac 2005 U.S. market share 4% on 32% growth year over year – January 20, 2006
Analysts: Apple Mac’s 5% market share glass ceiling set to shatter in 2006 – January 09, 2006
ZDNet Australia publishes latest Mac OS X security FUD article – September 09, 2005 (Kotadia)
Joke of the month: Gartner warns of Mac OS X ‘spyware infestation’ potential – March 30, 2005 (Kotadia)
Symantec warns about Mac OS X security threat – March 21, 2005 (Kotadia)