The weakest link

Matthew JC. Powell
28 March, 2008

Yet again this morning the blogosphere is alight with the news that a Mac has been hacked. Those safe-as-houses, indestructible, impregnable, unsinkable Macs have been shown yet again to be riddled with holes so big and so obvious a child could drive a truck through them. Yet again the long-suffering Windows apologists take heart, poke their tongues and say "nyeah" while they download today’s patches for their systems.

The cause of this derision? A hacking contest in Canada, in which three laptop computers were on offer to whoever could hack into them (along with $10,000 cash and of course the admiration of your peers). The cleverly-named "pwn to own" competition (using l33t-speak is guaranteed to keep away n00bs) offered a Sony VAIO running Windows Vista SP1, a Fujitsu A810 running Ubuntu Linux and an Apple MacBook Air running 10.5.2 as prizes. Competitors had to gain access to a file on the hard drive of the computer and discover its content — remotely. All of the systems were fully up to date, fully patched with all security updates and with a range of popular web browsers and e-mail applications installed. Gaining access to the file required the execution of code on the machine, not just navigating directories. It’s a little unclear whether the execution of code required the competitors to gain admin-level privileges or not.

On the first day, there were no winners. Not one of the presumably accomplished hackers (sorry, hax0rz) at the competition managed to compromise the security of any of the machines. Come on, guys! One of these boxes is running Windows! Surely you know some Windows exploits!


On the second day, the rules were changed ever so eensy-weensy slightly, such that competition organisers sitting at the machines could be directed to visit web sites or open e-mails. Within two minutes, the MacBook Air was gone. Observers speculated that the winner had used a flaw in Safari, but the winner isn’t allowed to disclose how he won until Apple has had a chance to fix the flaw he exploited.

The winner, one Charlie Miller, gained access to the computer by directing one of the competition organisers to a web site he had set up which contained malicious code. Note that prior to his being allowed to do that, even this l33t hax0r was unable to crack the Mac. Even someone capable of writing code and embedding it onto a web site such that it would break through Apple’s many defences on its operating system and allow a remote user to execute code and thereby gain access to confidential data was unable to do so without inside help.

Note that no-one was able to do so on the Sony and Fujitsu machines either.

It’s almost a truism these days that the problem with any computer system resides between the keyboard and the chair. A properly-maintained and secured system is a pretty solid beast and difficult to compromise, even when placed in a room with a bunch of people whose sole intention is to do just that, and who are given carte-blanche to do with it what they will (short of actually physically touching it). When a hack happens, you can pretty much bet that somewhere along the line someone clicked on something they oughtn’t.

So far every single bit of malware that has appeared for OS X has been of this form. Every one has required user interaction in order to install, execute and replicate. Even the sneakiest one had to fool users into installing a non-existent video codec in order to see Britney Spears naked. (Seriously folks you can see Britney Spears naked with no additional software required.) Without user naivete, it’s unlikely there would be much serious malware in the world at all these days. The competition organisers in Canada clearly knew they were being directed to malware sites, so they didn’t even get fooled — they actually had to be wilfully compliant with hacking the MacBook Air. See, it wasn’t such a small change to the rules after all, was it?

But naivete does seem to be in ready supply these days, and it’s on all sides of the OS divide. And, quite possibly, the most naive of all are Mac users who think that because there are no true viruses for Mac OS X their computing habits are immune. Read this carefully: viruses aren’t the problem — you are.

Most Windows users are used to living in the shadow of insecurity. They’re battle-hardened. There are enough new ones around that the malware writers know they can still make a quid by exploiting silliness, but for the most part Windows users have a high awareness of security. Linux users used to be the most security-conscious of all, because mostly they were particularly geeky types who knew the insides and outsides of their machines upside down and backwards. With the advent of easily-installable Linux distributions like Ubuntu, though, that’s changing.

The pick of the crop, though, are Mac users, who are now pretty numerous and have not yet had a serious security scare. A lot of them, indeed, have been lured to the Mac by the promise of a secure, worry-free world of milk and honey where hackers don’t try to steal your online banking password by directing you to a fake web site. The malware authors are, no doubt, licking their chops as they circle around us.

Are you scared yet? Well, don’t be. Be smart instead. Don’t open e-mail attachments unless you know precisely what they are beforehand. Don’t click on random web site links. If someone promises you something that sounds too good to be true — free cash, privileged information or pictures of Britney Spears with her clothes on for a change — don’t believe them. And if anyone asks for your passwords, usernames, credit card numbers or other confidential information, triple-check their credentials.

Here’s a quick hint: banks will never send you an e-mail that requires you to click a link. Never. You get one that does, it’s a fake. See how easy this can be?

Anyway, back to "pwn to own". That MacBook Air was not compromised by Charlie Miller. It was not compromised by his malware-ridden web site. It was not compromised by whatever obscure flaw he exploited. The machine was compromised by the competition organiser who suspended his normal disbelief and clicked on a link that he knew he shouldn’t. Chances are reasonable that if your machine ever gets hacked, it’ll happen much the same way.

At this stage I don’t know if the Sony and Fujitsu machines have been compromised or not. If not, I suspect the reason isn’t greater security. I strongly suspect it’s because everyone there wanted the MacBook Air.
