[ISN] Mac OS X hacker tale rebuked

InfoSec News isn at c4i.org
Wed Mar 8 02:11:17 EST 2006


By Macworld staff
March 07, 2006

A new Mac OS X hacker competition has been launched at the University
of Wisconsin.

The competition ends on Friday March 10. Hackers are being asked to
change the front page of a website that's stored on a Mac mini:
"Running Mac OS X 10.4.5 with Security Update 2006-001, two local
accounts, and has ssh and http open - a lot more than most Mac OS X
machines will ever have open."

The competition is a response to a report on ZDNet news this week,
which claimed a hacker had managed to break into Mac OS X in under
half an hour.

What that report didn't explain was that anyone who wanted to try to
hack that test Mac was given a local account on the machine which
could be accessed using SSH. This effectively put the hacker in front
of the machine and made the exercise much easier to accomplish.

The organisers of the new Mac hack competition said: "Yes, there are
local privilege escalation vulnerabilities for OS X; likely some that
are 'unpublished'. But this machine was not hacked from the outside
just by being on the internet. It was hacked from within, by someone
who was allowed to have a local account on the box. That is a huge

Most consumer Macs won't hold user accounts for unknown people, won't
have any ports open and will most likely be behind a firewall, making
the earlier Mac OS X hacking exercise unrepeatable.

Macs cannot be hacked "just by being on the internet", the competition
organisers stressed.

