Great Circle Associates Firewalls
(August 1997)

Subject: Re: Outcome of the "Crack-a-Mac" contest
From: "osiris @ pacificnet . net" <osiris @ pacificnet . net>
Organization: osiris @ pacificnet . net
Date: Tue, 26 Aug 1997 23:37:41 -0700
To: Russ <Russ . Cooper @ rc . on . ca>
Cc: "'firewalls @ GreatCircle . com'" <firewalls @ GreatCircle . COM>, "'Button, Dave'" <Dave . Button @ GSC . GTE . Com>
References: <61B80F9FF411D1118DEF0000E8D5C66701219A @ ns . ntadvice . com>
Reply-to: osiris @ pacificnet . net

Russ wrote:
> 
> Forgive me for asking, but who gave the Mac OS platform its "position"
> as the "most secure platform...for Web serving"?
> 
> The thing has been around on the Internet for two years and days within
> offering compensation to hackers for cracking it, it gets cracked, and
> they say it's been the most secure platform for 2 years??

Well, Russ...that is not entirely accurate. I believe that they are
leveraging earlier contests into the equation. So the story goes, in a
new book on Internet security, it says:

On October 15, 1995, a challenge was posted to the Internet: A Macintosh
Web server running WebStar was established and offered as a sacrificial
host on the Net. If anyone could crack that server, that person would be
awarded $10,000.00. The challenge was a demonstration of the theory that
a Mac would be more secure than a UNIX (or NT) box as a Web server
platform. 

Chris Kilbourn, the president and system administrator for
digital.forest, an Internet service provider in Seattle, Washington,
posted a report about that challenge. In it, he explains:

"In the 45 days the contest ran, no one was able to break through the
security barriers and claim the prize. I generally ran the network
packet analyzer for about 3-5 hours a day to check for interesting
packets destined for the Challenge server. I created packet filters that
captured all TCP/IP network traffic in or out of the Challenge server.
One of the more amusing things was that even with all the information
about the technical specifications of the Challenge server posted on the
server itself, most of the people who tried to bypass the security
thought that the server was a UNIX box! TCP/IP services on a Macintosh
lack the low-level communications that is available on UNIX systems,
which provides additional security. If you are careful to keep your
mail, FTP, and HTTP file spaces from overlapping, there is no way to
pipe data from one service to another and get around security in that
manner."

The previous paragraph is excerpted from Chris Kilbourn's article titled
"The $10,000 Macintosh World Wide Web Security Challenge: A Summary of
the Network and the Attacks," and can be found online at
http://www.forest.net/advanced/securitychallenge.html

The preceding three paragraphs were taken from a recent book on Internet
security. (The author goes on a bit more about it, but that's the
relevant stuff.) Interestingly, the author also predicted this latest
outcome, though his prognostication of HOW it would be achieved is
(probably) largely inaccurate:

"Part of the security gained by the Mac is in the fact that there is no
widely understood command interpreter that is well known by UNIX or IBM
users behind the Web server. However, there is a way to crack such a
server. Here's a report from an Apple Technical article:

"Through the power of AppleScript and Apple events, WebSTAR can
communicate with other applications on your Macintosh to publish any
information contained in those programs. For example, if your company
information is in a FileMaker Pro database, Web client users can query
it via HTML forms to get the data using the FileMaker CGI (Common
Gateway Interface) for WebSTAR. It's powerful and easy to use." 

The AppleScript engine is indeed an interpreter; it's just not one known
intimately by a large population of non-MacOS users. The problem must
therefore be approached by someone who is deeply familiar with TCP/IP,
AppleScript, and cracking generally...these are the elements that would
be required."

In any event, as that author ALSO notes, the machine offered up for
attack (at least in the 1995 challenge) was running only very limited
services. Naturally, if you run nothing but a web server, it's very easy
to say you are "completely secure," providing that the server was coded
cleanly and was configured correctly. So, the challenge really isn't
relevant when measured against the security of a machine supporting
dozens of protocols. This was yet another example of individuals taking
advantage of the poor knowledge of security amongst the user population.
The user thinks thusly:

"If it is a web server and it's on the Internet, then it is an Internet
server. Gee. All the other servers are getting cracked on a fairly
regular basis, so Mac must be the most secure platform."

Nonsense, of course, but great marketing fodder. What I found
particularly amusing was this snippet:

"...TCP/IP services on a Macintosh lack the low-level communications
that is available on UNIX systems, which provides additional security.."

We all know what that *really* means. :-) Though, I have no problem with
Mac. OpenTransport is decent, I readily admit. Anyway, there is the
answer to the question. Rather, the way it SHOULD have been measured was
this:

The 45 days of the original contest PLUS the few days that the current
contest ran. In other words, to be fair, if MacOS was called the most
secure platform, that period in which it reigned as such was
approximately (to be generous) 60 days. In a real contest - that ran
indefinitely - that would mean very little. (In fact, in such a contest,
I would put my money on an XTS STOP 4.x system.) But, to measure that
more fairly, we would have to go back to the Internet security book I
was talking about and add in the fact that Macs have been proven to be
vulnerable to DoS attacks as well. (e.g., StarNine's WebStar + NetCloak
2.1. Under this config, just the right string would bring down the
server and pronounce it as dead as any other system similarly vulnerable
to DoS. Whether this discovery occurred during the 45 day challenge is
unclear, but if it did, that would knock those 60 days down some.)

I suspect that certain distributions of UNIX (and perhaps even NT) have
had runs for longer than 60 days where everything seemed "a-okay." In
the end analysis, it amounts to this: the Mac consortium must now face
the same experience that all the other crowds have for years: go back to
the drawing board, because y'all got cracked!

O.
