Dave Schroeder, a senior systems engineer at the University of Wisconsin, launched his contest on Monday. An earlier challenge was too easy, he said.
Schroeder is asking hackers to alter the home page hosted on a Mac mini that is running Mac OS X 10.4.5 with the latest security updates. The system has two local accounts, and has SSH and HTTP open. "A lot more than most Mac OS X machines will ever have open," Schroeder said on his Web site.
Secure Shell, or SSH, is used for logging into and executing commands on a networked computer, and HTTP, or HyperText Transfer Protocol, is the method used to transfer information on the Web.
In the earlier challenge, an anonymous hacker claimed he was able to compromise OS X within 30 minutes using an undisclosed vulnerability. However, attackers were given user-level access to the system, rather than being shut out completely.
"The original challenge allowed any users to have local accounts to access the machine via SSH," Schroeder said in an interview via e-mail. "This is an important distinction, because if you have local -- or physical -- access to a computer, you have a very distinct leg-up in terms of the ability to escalate your privileges."
Early media reports on the first competition did not call out the fact that attackers were given local access to the system. This irked Schroeder, moving him to launch his own challenge. "The original article left readers with the impression that a Mac OS X machine could be easily hacked into just by being connected to the Internet," he said.
Still, the previous contest was a real challenge, Schroeder said. "Assuming it is genuine, it represents an as-yet-unknown local privilege escalation that would allow any local user to gain root-level access," he said. This could be a serious issue for any setting with shared machines, such as schools, he said.
It could also pose a problem for Web hosting providers that use Apple Computer's operating system, said Johannes Ullrich, chief research officer at SANS Institute. Customers on shared machines need access to update their Web sites. A privilege escalation flaw could let a malicious user with such access gain full control over a system, he said.
The hacker challenges come after weeks of scrutiny of the safety of OS X, prompted by the discovery of two worms, and the disclosure of a vulnerability that was deemed "extremely critical" by security monitoring company Secunia. Security experts are also questioning the effectiveness of Apple's latest patch.
Schroeder's Web site was untouched as of midday on Tuesday. "It's getting hit pretty hard," he said, but the bulk of the traffic is Web site visits.
"Most of the hacking attempts are from scripts and tools attempting to use common Web exploits, dictionary attacks against SSH, port scans and scans by security tools such as Nessus," Schroeder said. On Tuesday morning the site was down briefly due to a denial-of-service attack, he said.
The person who does successfully hack Schroeder's Mac mini is requested to send him an e-mail describing the attack. Schroeder plans to report that to the appropriate software vendors and will post results after the close of the challenge, he said.
Linkedin 
RSS Feeds 
Newsletters 
Alerts
