In response to the supposedly hacked Mac we mentioned at
OS X security vs. Windows Vista, the University of Wisconsin
has put up a
(link dead, sorry)
Mac OS X Security Challenge that more accurately reflects what a typical Mac user's configuration
I certainly agree that the original "hack" is not realistic for most Mac users: we don't give away user accunts willy-nilly as was done at the first challenge. If someone has a legitimate account on your machine, they are half way to the goal, so the implication that most Mac usrs should be concerned is disingenuous at best. Few Mac users have strangers with accounts on their machines.
However: local provilege escalation is a subject that doesn't always get the respect that it should. I'm quite confident that most network admins, particularly in smaller businesses, pay much more attention to firewalls and external packet filtering than they do to locking down the system against internal users.
Local users can have the same motivations as some faceless black-hat geek in a foreign country. They can have the same knowledge, and have access to the same hacker resources. There are some major differences though: the local user may have additional motivation (didn't like their last raise), they almost certainly have additional knowledge about what you have of value and where it is, and they already have a local account on the machine.
I'll even go farther than that: at thousands and thousands of small businesses around the world, any employee can walk right into the server room (which is usually empty) and step up to a machine that is already conveniently logged in with an administrative account. How's that for privilege escalation?
I do think the original Mac challenge deserves less respect than the media gave it, but it shouldn't be entirely pooh-poohed either. It may not reflect the configuration most Mac users run under, but it does more accurately represent what could happen at many a server: Mac, Windows, Linux or Unix. There are lessons to be learned, and my bet is that few will learn them.
Got something to add? Send me email.
(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Printer Friendly Version
Increase ad revenue 50-250% with Ezoic