[Back in TidBITS-375, we noted the success of the "Crack A Mac" challenge held in Sweden for two months last February to April. The contest offered prize money - eventually more than $13,000 U.S. - to anybody who could alter the contents of a Web page served by a standard Macintosh-based Web server. Here's the story of the contest and the server setup, plus some of the break-in attempts and hoaxes the contest team encountered. -Geoff]
What We Did and Why -- To prepare for the Crack A Mac contest, we simply unpacked a standard Power Macintosh 8500/150 from its box. Then we installed WebSTAR 2.0 (the popular Macintosh Web server from StarNine), upgraded to Open Transport 1.1.2, connected the machine to the Internet, and put some Web pages on it. We didn't do anything special with the server - it wasn't behind a firewall, and we didn't make any other security arrangements. The entire setup took less than 30 minutes.
We publicized the challenge and Hacke (the name of our server) via the Web and email, and information about the contest was carried by many diverse venues, including Ric Ford's MacInTouch, MacWEEK, Wired, TidBITS (of course), along with several Swedish publications, the Wall Street Journal, and the New York Times. The contest reward was initially 10,000 Swedish kronor (about $1,350 U.S.), but during the challenge we were able to increase the amount of prize money a couple of times, thanks to nine Swedish Apple resellers. In the end, the contest reward was 100,000 kronor, or approximately $13,500 U.S.
Why did we do it? We wanted to prove there is an alternative to large and expensive Unix- and Windows NT-based solutions for secure World Wide Web services - a solution that doesn't require hundreds of hours to set up or need a separate firewall. We were not trying to prove a Mac OS-based solution is right for everyone, but we are saying it is exactly the right solution for many of us. We wanted to prove the Macintosh is an off-the-shelf system that allows safe, secure, and reliable presence on the Internet within 30 minutes. Since no one was able to claim the prize money, I think we proved our point.
For more detailed information on the contest, rules, and frequent questions and answers that came up during the contest, check out Hacke itself.
The Best Attempts -- In the early stages of the challenge, visitors were trying to exploit more or less known security issues under Unix. We also tracked news coverage on Windows NT security flaws by increased attempts to hack into our server using those flaws; each time a new article appeared about a security problem with Windows NT or NT-based server software, it was followed by a new set of attacks on our server. Many crackers seem to believe Windows NT and Mac OS have something in common. Needless to say, Hacke didn't respond at all to these attacks.
Would-be crackers also spent a lot of effort on trying to guess the password to pi_admin, an administration identity under WebSTAR 2.0 that enables webmasters to handle some core functions remotely. There were more than 220,000 attempts to guess the username and the password, but to the best of our knowledge, none were successful. However, even if someone had guessed the password, they would not have been able to change the content of the server; it simply wasn't possible through pi_admin using the set of WebSTAR plug-ins we had installed.
When guessing at the pi_admin password grew stale, crackers tried to break in to the machine providing our DNS service, with the goal of moving Hacke to another IP number, and then changing the content of the server. [DNS, or Domain Name Service, translates between IP numbers and the more-friendly names of Internet machines. -Geoff] But since our DNS service (provided via Men&Mice's QuickDNS Pro) is also running on a Mac, these attempts were destined to fail. The success rate was not any better for contestants that tried to get into Hacke via our mail server; it was running under Mac OS as well, so there was no Unix sendmail program to try to exploit.
Tired of all the Mac servers, would-be crackers tried to find something in our network that was not Mac-based. The only thing they found were the routers. Fortunately, the routers were secured, but breaking into them could have been a problem, since it could have taken part or all of our network off the Internet entirely. The question is, would that have counted as a hack that was eligible for the prize money? Successfully attacking a router would have merely revealed a security hole in our ISP's connection, and the idea of the challenge was to alter the contents of a Web page. In the end, I suppose it would have depended on the results of a successful router attack, but none were successful.
The most interesting attempts occurred near the end of the competition when people realized they needed a different solution. The best attack was pure social-engineering.
It started when <firstname.lastname@example.org> received an email message apparently sent by <email@example.com>. The message requested Christine put new text on the front page of Hacke because "I don't have the time to do it myself." We would probably have seen through this ruse anyhow, but it was even more apparent because the letter was written in English, and we normally communicate with each other in Swedish.
The next perpetrator was a Norwegian who claimed he had broken Hacke but he had been thrown out before he was done. He couldn't prove that he had been there but he threatened us with lawyers if he didn't receive the prize money. He even called us and told us that he had 3,000 witnesses because he'd accomplished the feat on a big screen during a conference in Norway. However, no evidence or witnesses have materialized.
On the last day of the contest, we received email from two people that seemed to be very polite and helpful. They told us that they had found some information that could be very useful for us. Their enclosures looked like documents but they were, in fact, small AppleScripts that could have changed Hacke's front page had they been launched on the server. They were easy to spot, but it was a good try! The people who wrote the scripts probably realized they would not be successful, since in the middle of the code we found "Rats! No $13,000 for me today."
Performance & Reliability -- It is well known that the Mac OS is currently sensitive to Ping of Death attacks, and that Open Transport and WebSTAR do not have functions to handle SYN attacks. We were largely spared the latter, and while Ping of Death attempts did not seem to knock out the server every time, Hacke was crashed three times by Ping of Death attacks. Since our idea was to conduct the challenge on an easy-to-set-up server, we did not try to defend against these attacks. Instead, we installed the widely-used shareware programs Keep It Up and AutoBoot to restart the server automatically if it crashed.
[For background, Ping of Death attacks involve sending large data packets (usually over 64K) that get re-assembled by the receiving machine into a block of data larger than the original, often causing an overflow and hence a crash. The attack is usually carried out via ping, but in theory the technique can be applied to any IP datagram. A SYN attack is a denial of service attack that involves sending a flood of SYN packets (which are always used to start a TCP transaction) that contain faked source addresses. The receiving machine then spends a lot of its time and resources trying to send and receive acknowledgments to and from machines that don't exist. SYN attacks can be used to block individual TCP ports (or entire machines) from real users. Macs aren't the only machines susceptible to these attacks, but most other platforms have patched vulnerabilities to the Ping of Death, and Apple plans to do so in a future update to Open Transport. -Geoff]
Our philosophy was that crashing a Web server only to have it reboot a minute later was not as severe a problem as an attack which alters the content of a Web page. For example, it is far more serious for a firm like Telia (the Swedish telecommunications company) if their home page is altered to read "Felia" (which, in Swedish, could mean "something that is consistently done wrong") than it is for their Web site to be down temporarily.
Additionally, the Macintosh server was incredibly dependable. As noted above, it went down just three times, and in each case we were able to trace the cause to oversized ping packets. We had expected that. This reliability was also demonstrated by our other Mac servers - Web, Mail, and DNS - that were exposed to attacks and inquiries during the contest. Further, the performance of the server was never a problem. Although Hacke was often very busy (with over 50 simultaneous connections), it sent out a single "busy" message. Some challengers may have had problems connecting to the server, however, since we're located in the southern Swedish countryside and our connection to the world is only 64 Kbps. Also, users from overseas undoubtedly experienced some connectivity problems getting through to us at all.
Some Statistics -- During the competition's two months, Hacke's English and Swedish entry pages logged more than 650,000 hits, and over 100,000 unique IP addresses were logged. The server sent out over 8,000 MB of data. Approximately 75 percent of Hacke's visitors came from the United States, 20 percent from Sweden, and the remainder were spread throughout the world. Many companies and organizations expressed interest - we logged several visitors from IBM, Hewlett-Packard, Cray, Digital, SGI, Novell, Boeing, AT&T, and Netscape. In addition, NASA and the U.S. military were frequent guests.
The Next Step -- Hacke will not disappear. We plan to announce future contests using more sophisticated setups, to address common criticisms of the Macintosh as a Web server platform (including handling several domains, remote administration, high levels of interactivity, access to databases, and so forth). We need to contact sponsors, define a stable and interesting concept, and ensure all criticisms about inadequate features or capabilities are addressed. We also need to do our real jobs: we haven't earned a single krona for the time we spent on the Crack A Mac competition. It should also be noted the Crack A Mac challenge was in no way affiliated with Apple Computer. We just feel we have a vision that should make it possible for more organizations to take the leap toward the Internet.