Re: [Fed-Talk] OS X Hacked in 30 Minutes - The Truth
- Subject: Re: [Fed-Talk] OS X Hacked in 30 Minutes - The Truth
- From: Brian Raymond <email@hidden>
- Date: Wed, 08 Mar 2006 17:21:31 -0500
- Thread-topic: [Fed-Talk] OS X Hacked in 30 Minutes - The Truth
I tried to track down the details regarding questions like this but had no
luck. Anyone who maintains a system with multiple levels of access (your
average corporate desktop, hosted shared server would include those) should
know to disable sudo tricks like that to prevent users from gaining root
access. In the case of this hack I was wondering how well the system was
tightened down given the fact that the contest allowed local user accounts.
Although it is not nearly as bad as the headlines made it out to be, I do not
agree with the reverse, that it is no issue at all. If I am looking to
deploy OSX for shared hosting or push it into corporate environments I want
to make sure my users cannot escalate their privileges and circumvent the
access provided to them on their local machine and potentially network
servers (if their accounts extend to them as well).
- Brian
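The "disable sudo tricks" point above is about sudoers policy: on a shared machine, a user who can `sudo su -` or `sudo sh` already has root, whatever the headline said about "hacking". As an added example (not part of the original post or of any project mentioned in it), here is a small audit script that reads a sudoers file and flags rules that hand a non-admin principal a root shell in one step. It assumes the common one-line rule form `user|%group host=(runas) [TAG:] cmd, cmd`; aliases and `#include` directives are not expanded, and the sample sudoers it writes is constructed, not taken from any real host.

```shell
#!/bin/sh
# Sudoers audit: flag rules that let a non-admin principal reach root directly.
# Added example, not code from the mailing-list thread. Assumptions: rules use the
# one-line form  user|%group  host=(runas) [TAG:] cmd, cmd ; aliases and #include
# lines are not expanded; root, %admin, %wheel and %sudo are treated as the
# principals that are *supposed* to hold full root.
set -u

# audit_sudoers FILE: prints one "RISK line N: <reasons>| <rule>" entry per risky rule.
audit_sudoers() {
    awk '
    # ignore blank lines, comments, Defaults lines and alias definitions
    /^[[:space:]]*$/ || /^[[:space:]]*#/ || /^Defaults/ || /_Alias[[:space:]]/ { next }
    {
        who = $1
        trusted = (who == "root" || who == "%admin" || who == "%wheel" || who == "%sudo")
        spec = $0
        sub(/^[^=]*=[[:space:]]*/, "", spec)       # drop "user host="
        sub(/^\([^)]*\)[[:space:]]*/, "", spec)    # drop "(runas)"
        nopasswd = (spec ~ /NOPASSWD:/)
        # strip tag prefixes so only the command list remains
        gsub(/(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):[[:space:]]*/, "", spec)
        reasons = ""
        n = split(spec, cmds, /[[:space:]]*,[[:space:]]*/)
        for (i = 1; i <= n; i++) {
            split(cmds[i], parts, /[[:space:]]+/)   # parts[1] is the program path
            m = split(parts[1], segs, "/")
            base = segs[m]                          # basename of the program
            if (cmds[i] == "ALL" && !trusted)
                reasons = reasons "unrestricted ALL for non-admin principal; "
            if (cmds[i] == "ALL" && nopasswd)
                reasons = reasons "NOPASSWD on ALL; "
            if (base ~ /^(su|sh|bash|zsh|ksh|csh|tcsh|dash)$/)
                reasons = reasons "grants su or a shell (root shell in one step); "
        }
        if (reasons != "")
            printf "RISK line %d: %s| %s\n", NR, reasons, $0
    }' "$1"
}

# count_risky_rules FILE: prints the number of risky rules found.
count_risky_rules() {
    audit_sudoers "$1" | wc -l | tr -d '[:space:]'
}

# write_sample_sudoers FILE: writes a constructed sudoers (not from any real host).
# %staff, alice and carol are the weak entries; bob shows the narrow form an
# operator would grant instead (specific commands, no shell, no su).
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample sudoers for the audit, not taken from a real host
Defaults        env_reset
root            ALL=(ALL) ALL
%admin          ALL=(ALL) ALL
%staff          ALL=(ALL) NOPASSWD: ALL
alice           ALL=(ALL) /usr/bin/su
carol           ALL=(ALL) NOPASSWD: /bin/sh
bob             ALL=(root) /usr/sbin/apachectl graceful, /usr/bin/killall -HUP httpd
EOF
}

SAMPLE="${TMPDIR:-/tmp}/sudoers.sample.$$"
write_sample_sudoers "$SAMPLE"
audit_sudoers "$SAMPLE"
echo "risky rules: $(count_risky_rules "$SAMPLE")"
rm -f "$SAMPLE"
```

On a real host you would point `audit_sudoers` at `/etc/sudoers` and each file under `/etc/sudoers.d/` (read as root), and keep `visudo -c` as the syntax check before and after any change; the script only reports, it never edits policy. The three flagged sample rules are exactly the cases the thread worries about: a group with `ALL`, a direct grant of `su`, and a passwordless shell.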
On 3/8/06 9:25 AM, "Joel Esler" <email@hidden> wrote:
> Just for argument's sake..
>
> They have debunked the notion that this was a true "hack" and left out
> the important part about local privilege escalation. Who says it was
> even that now?
>
> $ sudo su -
>
> oooohh.. no!
>
>
>
> On 3/8/06, Richard A. Kilcoyne <email@hidden> wrote:
>> Make no mistake -- this 30-minute hack business was a ridiculous
>> exercise. While Apple should be concerned that a hacker was able to
>> gain access to this computer through a local account privilege
>> elevation exploit, it's not a scenario that you'd see penetration-
>> tested very often.
>>
>> On Mar 8, 2006, at 9:14 AM, Billy Lenox wrote:
>>
>>> Check this story out.
>>>
>>> http://www.vnunet.com/vnunet/news/2151455/false-hacking-report-prompts
>>>
>>>
>>> On Mar 8, 2006, at 8:06 AM, Richard A. Kilcoyne wrote:
>>>
>>>> Something strange is definitely afoot. While the rash of recent
>>>> security articles are based on a handful of press releases, when
>>>> placed in the context of the computing industry things look
>>>> interesting:
>>>>
>>>> 1) Vista is coming with purported "enhanced security"
>>>> 2) For the first time in a long time (if ever), Macs are slowly
>>>> but surely eating into Windows market share
>>>> 3) For the most part, security in XP is a joke and this fact has
>>>> gone mainstream
>>>> 4) A/V vendors, under shareholder pressure to increase revs, are
>>>> looking for new customers outside a saturated market (Windows A/V)
>>>> 5) Linux is not a serious desktop contender
>>>> 6) If Macs catch on like iPods, MS could be in for a really tough
>>>> fight
>>>> 7) Large media outlets such as CNN are picking up these stories --
>>>> this doesn't happen by accident -- it takes momentum in its
>>>> various forms
>>>>
>>>> There are other points that I thought of on the way home last
>>>> night, but I can't recall at the moment. One thing is for sure --
>>>> more ridiculous press releases are to come.
>>>>
>>>> Here's a question for you folks: Have many of you moved family
>>>> members to Macs? After refusing to touch Windows PCs anymore, just
>>>> about everyone in my family has a Mac and I no longer get silly
>>>> support calls. As a matter of fact, my father thinks his iBook is
>>>> "boring" because there's nothing to tinker with -- it just always
>>>> works as expected. :)
>>>>
>>>> Rick
>>>>
>>>> --
>>>> Richard A. Kilcoyne
>>>>
>>>> Network Security, Code 5544
>>>> Center for High Assurance Computing
>>>> U.S. Naval Research Lab
>>>> 4555 Overlook Avenue, SW
>>>> Washington, DC 20375
>>>>
>>>> TEL: 202-404-1770
>>>>
>>>> NIPRNET: email@hidden
>>>> SIPRNET: email@hidden
>>>>
>>>>
>>>> On Mar 8, 2006, at 4:49 AM, Michael Pike wrote:
>>>>
>>>>> ZDNet reported it, and it was a bunch of misinformation.
>>>>> Thankfully a
>>>>> university did another study, and here are the results:
>>>>>
>>>>> http://test.doit.wisc.edu/
>>>>>
>>>>> Again, the A/V companies are trying to capitalize on A/V software.
>>>>>
>>>>> DO NOT GIVE IN TO THE PROPAGANDA!
>>>>>
>>>>> If you feel you need A/V software (and you very well may), it's free
>>>>> and open source:
>>>>>
>>>>> http://www.clamxav.com
>>>>> _______________________________________________
>>>>> Do not post admin requests to the list. They will be ignored.
>>>>> Fed-talk mailing list (email@hidden)
>>>>> Help/Unsubscribe/Update your Subscription:
>>>>> 40nrl.navy.mil
>>>>>
>>>>> This email sent to email@hidden