By Arik Hesseldahl
Byte of the Apple
MARCH 8, 2006
To maintain public confidence in its operating system, Jobs & Co.
should consider hiring a security czar.
The second potentially major Mac security incident in as many weeks
has thankfully been debunked. Earlier this week I wrote a blog entry
about a Mac Mini owner in Sweden who configured his machine as a
server and challenged hackers to gain access to it. The Mini was -- as
hackers like to say -- "owned" only 30 minutes after the challenge
started. By "owned," I mean rooted. An outside attacker, through a
remote Internet connection, was able to get "root" access -- the
highest and most powerful level of administrative access on a
Unix-based computer (which Macs running OS X happen to be).
Root access gives the bearer free rein on a machine, no questions
asked. Files can be altered or deleted. Accounts assigned to other
users can be changed or deleted altogether. The potential for misuse
of the privilege has caused Apple to ship its machines with root
access disabled by default. Root can be re-enabled only through a
series of technical contortions understood by advanced users.
Even so, the Swedish attacker said he succeeded with an "unpublished"
exploit -- a method that hasn't been publicly documented. If your Mac
is connected to the Internet all day, as mine is, you can see the
fright such news might generate. It's like knowing a criminal gang has
a master key to your home and thousands of others, and that the only
defense you really have so far is that they haven't found you yet.
BIASED STUDY. That is, if it were true. It turns out the original
reports weren't forthcoming with all the facts. The person who
"rooted" the Mac already had a user name and password, as if he were a
regular day-to-day user. In fact, having an account on this Mac was a
prerequisite to taking part in the challenge. From there, the person
used some method -- most likely having to do with weaknesses in the
Unix underpinnings of the Mac operating system -- to gain escalated
These kinds of "privilege escalation" vulnerabilities have cropped up
on the Mac over the years and date back decades to FreeBSD, the
variant of Unix on which Mac OS X is based. But remember, you can't
take advantage of this type of vulnerability unless you already have
access to the machine -- which implies having been given permission
for that access in the first place.
The pseudo break-in and misleading reports didn't sit well with Dave
Schroeder, a network systems engineer and Mac enthusiast at the
University of Wisconsin in Madison. He's been outspoken on the issue
of Mac security, portraying recent reports as overblown. So he set up
his own challenge, inviting the world to hack a Web page -- the very
page he used to tell the world about the challenge -- running on a Mac
Mini he set up as a Web server.
His challenge mirrored the one in Sweden, with one critical
difference: No one would have an account on the machine. They'd be
locked out and therefore would have to break in. His aim was to
demonstrate the flaws in the Swedish test, and provide a more
realistic test of Mac security. The tech news site Slashdot picked up
news of the challenge and quickly spread the word.
A NEW CHALLENGE. Attacks on the machine surged. It recorded more than
4,000 login attempts, and Web traffic to it spiked to 30 megabits per
second. Half a million people visited the Web site
(http://test.doit.wisc.edu/). That little Mac Mini was one busy
server, but it remained online.
Most of the network traffic conveyed attempts to break in: Web
exploits seeking a wedge into the machine via the public page;
dictionary attacks, which make repeated guesses at passwords at high
speed; and a scanning tool known as Nessus, software that scans for
known vulnerabilities. The machine even came under what's known as a
denial of service attack, in which an attacker hammers a machine with
thousands of requests for information in an attempt to overwhelm the
server and thus create an exploitable weakness.
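The dictionary attacks described above leave a distinctive trace in a server's authentication log: many failed logins from one source in a short span, often cycling through common account names. The following script is an added example, not code from the column or from the Wisconsin challenge, showing how a defender could flag that pattern; the log lines, hostname and addresses in it are constructed, and the sshd message format it parses is the standard "Failed password for ... from ... port ..." syslog line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style auth log (not from the Mac Mini in the column).
# 203.0.113.7 cycles through common account names in a few seconds; the
# other two sources are single, ordinary failures.
SAMPLE_LOG = """\
Mar  6 10:00:01 macmini sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  6 10:00:02 macmini sshd[413]: Failed password for invalid user test from 203.0.113.7 port 51023 ssh2
Mar  6 10:00:02 macmini sshd[414]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  6 10:00:03 macmini sshd[415]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Mar  6 10:00:04 macmini sshd[416]: Failed password for invalid user guest from 203.0.113.7 port 51026 ssh2
Mar  6 10:05:00 macmini sshd[420]: Failed password for dave from 198.51.100.9 port 40001 ssh2
Mar  6 10:05:30 macmini sshd[421]: Accepted password for dave from 198.51.100.9 port 40002 ssh2
Mar  6 11:30:00 macmini sshd[430]: Failed password for invalid user admin from 192.0.2.44 port 33000 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional because
# sshd omits it when the account actually exists (e.g. root).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Return a time-sorted list of (timestamp, source_ip, username) for each
    failed login. Syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        stamp = " ".join(m["ts"].split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    events.sort()
    return events


def detect_dictionary_attacks(events, threshold=5, window_seconds=60):
    """Flag sources that reach `threshold` failed logins within any
    `window_seconds` span. Returns {ip: (total_failures, sorted usernames)}
    so an analyst can see both the volume and the account names tried."""
    recent = defaultdict(deque)   # sliding window of timestamps per source
    totals = defaultdict(int)
    users = defaultdict(set)
    flagged_ips = set()
    for ts, ip, user in events:
        totals[ip] += 1
        users[ip].add(user)
        window = recent[ip]
        window.append(ts)
        # Drop attempts older than the window before checking the count.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged_ips.add(ip)
    return {ip: (totals[ip], sorted(users[ip])) for ip in flagged_ips}


if __name__ == "__main__":
    for ip, (count, names) in detect_dictionary_attacks(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failed logins, accounts tried: {', '.join(names)}")
```

The threshold and window are tunable; a legitimate user who mistypes a password once or twice (like the constructed `dave` entry) never reaches them, while a scripted guesser does within seconds. On a real server the same counts are what a tool such as a log monitor or rate limiter would act on by blocking the source address.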
For 38 hours, nothing worked. The Mac Mini held its ground against the
worst that the multitudes could throw against it. The contest ended
earlier than originally planned and even appears to have gotten
Schroeder in trouble with his employer, since it wasn't sanctioned by
the university. I'm hearing he may face some kind of disciplinary action.
The University of Wisconsin apparently isn't interested in such a
real-world ad-hoc test, no matter how successful and harmless it
proved to be. Schroeder wasn't available for comment.
This illustrates changing perceptions about Mac security. The Mac is
increasingly on the radar screen of people who have long ignored it
and who, for whatever reason, want to find the chinks in as-yet
virtually impregnable armor. And while it may indeed be a more secure
system than anything put out by Microsoft (MSFT) and its many
hardware partners including Dell (DELL), Hewlett-Packard (HPQ),
Gateway (GTW) and others, the level of attention can only increase.
Hackers love nothing more than a difficult challenge -- which Windows
ceased to be a long time ago.
SOWING FEAR. And as Apple Computer (AAPL) gains attention for its
innovation, superior software and so far relatively airtight security,
people in the media -- including myself -- will be watching with
interest and not a small amount of anxiety for the moment when the
first really nasty and widespread Mac security vulnerability shows up.
Until that happens, even little hiccups are going to trigger an
avalanche of negative publicity.
Uninformed media sources will do what they do best -- sow fear,
uncertainty, and doubt. And the first time a really big Mac security
incident occurs it will cause some people who are considering a Mac
over a cheaper Windows-based system to change their minds.
Vulnerabilities in Windows are so common they don't really make the
news anymore. But a large-scale, widespread incident on the Mac could
badly wound Apple's reputation.
LOCK DOWN. It's for this reason that I think the time has come for
Apple to consider doing what many other companies like IBM (IBM) and
Oracle (ORCL) have: create a position of chief security officer. This
person would be a well-known computer security expert, ideally from
outside Apple, who would wave the flag for all things related to Mac
security, debunking myths, correcting the record, and providing a
public face when issues crop up.
And when something does go wrong -- and I think eventually something
will -- he or she would be Apple's ombuds officer evaluating what
failed, where, when and how, and then take responsibility for seeing
that it's fixed, reporting on the matter to CEO Steve Jobs, Apple's
board of directors, and (where appropriate) its shareholders and
I talked briefly with Apple's Bud Tribble, vice-president of software
technology. He called my idea a "good suggestion" but said the company
would be reticent to assign security issues to any single individual,
and that the responsibility of a CSO instead tends to rest with
everyone. "For pretty much all the senior people at Apple, security is
one of the top jobs on their list," he says. "When we think about
security and how we design software, the basic approach is to make it
as secure as possible, because most people really aren't security
experts. We try to make sure things are pretty well locked down out of
CONFIDENCE BUILDER. While the Mac's Unix underpinnings suffer from
the occasional vulnerability, they still present a security advantage,
Tribble says. "Unix is sort of a kid that grew up in a tough
neighborhood," he says. That neighborhood was a networked environment
where people were constantly trying to figure out tricks to log into
the system. So over the decades, lots of holes have been plugged. You
can't say that about Windows.
And I admit, creating a CSO position may be viewed by some as an
admission of weakness. Still, I say it would be a good way for Apple
to inoculate itself against the perception -- warranted or not -- that
Mac security may be eroding, and get ahead of the curve for any
troubles that may be inevitable. That may not be the case, but in
matters related to product marketing, it's the public perception, not
the reality that really matters.
And once you've lost a user's confidence, it's hard to get it back.
Just ask Microsoft.