APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

A more realistic security challenge?

© May 2019 Anthony Lawrence

In response to the supposedly hacked Mac we mentioned at OS X security vs. Windows Vista, the University of Wisconsin has put up a Mac OS X Security Challenge (test.doit.wisc.edu/; link dead, sorry) that more accurately reflects a typical Mac user's configuration.

I certainly agree that the original "hack" is not realistic for most Mac users: we don't give away user accounts willy-nilly as was done at the first challenge. If someone has a legitimate account on your machine, they are halfway to the goal, so the implication that most Mac users should be concerned is disingenuous at best. Few Mac users have strangers with accounts on their machines.

However, local privilege escalation is a subject that doesn't always get the respect that it should. I'm quite confident that most network admins, particularly in smaller businesses, pay much more attention to firewalls and external packet filtering than they do to locking down the system against internal users.

Local users can have the same motivations as some faceless black-hat geek in a foreign country. They can have the same knowledge, and have access to the same hacker resources. There are some major differences though: the local user may have additional motivation (didn't like their last raise), they almost certainly have additional knowledge about what you have of value and where it is, and they already have a local account on the machine.

I'll even go farther than that: at thousands and thousands of small businesses around the world, any employee can walk right into the server room (which is usually empty) and step up to a machine that is already conveniently logged in with an administrative account. How's that for privilege escalation?

I do think the original Mac challenge deserves less respect than the media gave it, but it shouldn't be entirely pooh-poohed either. It may not reflect the configuration most Mac users run under, but it does more accurately represent what could happen at many a server: Mac, Windows, Linux or Unix. There are lessons to be learned, and my bet is that few will learn them.


1 comment


Fri Mar 10 11:32:51 2006: 1761   TonyLawrence

Apparently the University didn't like the extra traffic this attracted, so they shut it down: (link)

But it was not breached.

