But notice the "under 30 minutes" one was for users who already had
local non-admin accounts on the target machine, with attacks launched
via SSH terminal sessions on a Mac OS X Server.
The successful attacker found a way to escalate their account
privileges up from a standard (non-admin) user to admin privileges
(or at least privileges high enough to get write access into the web
site's directory). These sorts of loopholes and backdoors have been
found in all multi-user systems and should not be a major chore to
fix.
Most desktop users would not have enabled SSH sharing anyway (it
is off by default), so 99.99% of non-OS X Server Macs should be totally
immune to said attack.
This is obviously a security issue, but an issue only with malicious
current users, or hacks by outsiders who use dictionary attacks when
you have admins who allow users to use non-secure passwords
(like "Password", "Monday") and simple user IDs (like "bob", "john",
"Jane"). This approach, being a time-intensive, script-based brute
force attack launched from a single machine (or a number of "zombie bots"),
should generate enough alarm bells about excessive login attempts
from a certain narrow range of IP addresses in the server's log
transcripts for any administrator/owner worth their pay/salt to
notice them.
The Mac server in the second challenge, without local SSH user
privileges, has, as at the time of the article's publication, yet to be
compromised beyond being bombed offline by a denial-of-service
attack, something that on most secured sites would be prevented by
routers and firewalls routing any attack to a null address once
suspicious activity is detected (though this of course has the same
effect for legitimate users outside the secure perimeter, making the
machine appear to be offline).
Interesting articles: "Mac OS X hacked in under 30 minutes" and
"Another Mac OS X hack challenge launched".
http://www.zdnet.com.au/news/security/
--
Regards,
Ray Forma
Tel & Fax 61 (0)8 9335 6568
Mob 61 (0) 428 596938
-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Unsubscribe - <mailto:[EMAIL PROTECTED]>
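The message above argues that a dictionary attack over SSH should be obvious from the server's logs: many failed logins, from a narrow range of IP addresses, in a short time. Here is an added example of that check, written for this page and not taken from the message or the ZDNet articles. It parses OpenSSH-style "Failed password" syslog lines, groups them by source /24 network and flags any network that produces a threshold number of failures inside a sliding time window. The log lines are constructed for the example, the year supplied to the timestamp parser is an assumption (syslog lines carry none), and the threshold and window values are arbitrary defaults a site would tune.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH syslog format. They are not taken from
# the article, the message, or any real server; the addresses are documentation
# ranges (RFC 5737).
SAMPLE_LOG = [
    "Feb  6 10:00:01 macserver sshd[4101]: Failed password for bob from 198.51.100.17 port 50122 ssh2",
    "Feb  6 10:00:02 macserver sshd[4103]: Failed password for invalid user john from 198.51.100.18 port 50123 ssh2",
    "Feb  6 10:00:03 macserver sshd[4105]: Failed password for bob from 198.51.100.17 port 50124 ssh2",
    "Feb  6 10:00:04 macserver sshd[4107]: Failed password for jane from 198.51.100.19 port 50125 ssh2",
    "Feb  6 10:00:05 macserver sshd[4109]: Failed password for invalid user admin from 198.51.100.20 port 50126 ssh2",
    "Feb  6 10:00:06 macserver sshd[4111]: Failed password for bob from 198.51.100.21 port 50127 ssh2",
    "Feb  6 10:00:30 macserver sshd[4120]: Failed password for alice from 192.0.2.44 port 41000 ssh2",
    "Feb  6 10:00:35 macserver sshd[4121]: Accepted publickey for alice from 192.0.2.44 port 41001 ssh2",
    "Feb  6 11:30:00 macserver sshd[4200]: Failed password for invalid user root from 198.51.100.99 port 60000 ssh2",
]

# One regex for the two OpenSSH failure forms: "Failed password for USER" and
# "Failed password for invalid user USER" (the latter for nonexistent accounts).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_login(line, year=2006):
    """Return (timestamp, username, ip_address) for a failed-password line,
    or None for any other line (successful logins, other daemons, noise).
    The year is an assumption: syslog timestamps do not carry one."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), ipaddress.ip_address(m.group("ip"))


def detect_bruteforce(lines, threshold=5, window_seconds=60, prefix_len=24):
    """Flag source networks (default /24) that produce `threshold` or more
    failed logins inside any `window_seconds` sliding window.

    Returns {network: {"failures", "users", "first", "last"}} where
    "failures" is the largest window count seen, "users" the sorted set of
    usernames tried from that network, and "first"/"last" bound that window.
    """
    events = [e for e in (parse_failed_login(l) for l in lines) if e]
    events.sort(key=lambda e: e[0])          # syslog is usually in order; be safe
    recent = defaultdict(deque)              # network -> timestamps inside the window
    users = defaultdict(set)                 # network -> usernames attempted
    alerts = {}
    for ts, user, ip in events:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        q = recent[net]
        q.append(ts)
        users[net].add(user)
        # Drop timestamps that have fallen out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and (net not in alerts or len(q) > alerts[net]["failures"]):
            alerts[net] = {
                "failures": len(q),
                "users": sorted(users[net]),
                "first": q[0],
                "last": ts,
            }
    return alerts


def format_alerts(alerts):
    """Render alerts as one line each, suitable for a cron-driven mail."""
    return [
        f"{net}: {a['failures']} failed logins between {a['first']:%H:%M:%S} and "
        f"{a['last']:%H:%M:%S}, usernames tried: {', '.join(a['users'])}"
        for net, a in sorted(alerts.items(), key=lambda kv: kv[1]["first"])
    ]


if __name__ == "__main__":
    for line in format_alerts(detect_bruteforce(SAMPLE_LOG)):
        print(line)
```

Grouping by /24 rather than by single address is what catches the "narrow range of IP addresses" case the message describes: the six failures in the sample come from five different hosts, none of which would trip a per-address threshold on its own. The single legitimate mistyped password from 192.0.2.44 and the lone attempt ninety minutes later stay below the threshold, so the alert list contains exactly one network.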