APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

A more realistic security challenge?

In response to the supposedly hacked Mac we mentioned at OS X security vs. Windows Vista, the University of Wisconsin has put up a test.doit.wisc.edu/ (link dead, sorry) Mac OS X Security Challenge that more accurately reflects what a typical Mac user's configuration is.

I certainly agree that the original "hack" is not realistic for most Mac users: we don't give away user accounts willy-nilly as was done at the first challenge. If someone has a legitimate account on your machine, they are halfway to the goal, so the implication that most Mac users should be concerned is disingenuous at best. Few Mac users have strangers with accounts on their machines.

However: local privilege escalation is a subject that doesn't always get the respect that it should. I'm quite confident that most network admins, particularly in smaller businesses, pay much more attention to firewalls and external packet filtering than they do to locking down the system against internal users.

Local users can have the same motivations as some faceless black-hat geek in a foreign country. They can have the same knowledge, and have access to the same hacker resources. There are some major differences though: the local user may have additional motivation (didn't like their last raise), they almost certainly have additional knowledge about what you have of value and where it is, and they already have a local account on the machine.

I'll even go farther than that: at thousands and thousands of small businesses around the world, any employee can walk right into the server room (which is usually empty) and step up to a machine that is already conveniently logged in with an administrative account. How's that for privilege escalation?

I do think the original Mac challenge deserves less respect than the media gave it, but it shouldn't be entirely pooh-poohed either. It may not reflect the configuration most Mac users run under, but it does more accurately represent what could happen at many a server: Mac, Windows, Linux or Unix. There are lessons to be learned, and my bet is that few will learn them.




© Anthony Lawrence







Fri Mar 10 11:32:51 2006: 1761   TonyLawrence

Apparently the University didn't like the extra traffic this attracted, so they shut it down: (link)

But it was not breached.
