The Mac Security Challenge Fad
Computer security – or, rather, computer data security – is not a new idea. For as long as sensitive information has been stored on punch cards, tapes, and disks, money has been changing hands to make sure that information cannot be accessed without permission. Until recently, security tests were often expensive, contracted, protracted affairs conducted by professionals and consulting firms; however, the breakneck growth of the Internet has given rise to something new: public data security challenges. These events usually offer substantial cash prizes and are open to anyone with a machine and a net connection.
Public challenges usually have goals like demonstrating a technology, promoting products or services, and generating media coverage. TidBITS has covered two Mac-specific security challenges (see TidBITS-317 and TidBITS-378); these challenges helped establish the Mac OS as a secure and robust Web server platform, and gave Apple, the Mac, software developers, and the contest sponsors some good press when no one claimed the contests’ prizes. However, current public Macintosh security challenges seem more concerned with marketing than security, which does little to further test the limits of Macintosh security.
Apple Europe — The two previous Macintosh security challenges were conducted by private organizations; now, Apple Europe has thrown its hat in the ring, offering a brand-new 240 MHz PowerBook 3400 to anyone who alters the contents of a specific Web page hosted on a standard Apple Workgroup Server 9650 running Mac OS 7.6 and WebSTAR 2.0.
It’s nice to see Apple using new methods to promote the Mac OS as an Internet server platform, but this contest is only about promotion. On a technical level, this challenge imitates the Crack-A-Mac challenge conducted by Infinit Information AB in Sweden this spring – and its public face is a little rougher around the edges. For instance, the contest runs from 04-Jun-97 to 31-Jul-97, but you won’t find that information on the challenge server or in the challenge rules: you need a press release or article to uncover the contest dates and a few other pertinent details. Of course, you must read around mellifluous statements about Apple’s "complete confidence" in the server – small wonder, given that the prize money in Infinit’s contest went unclaimed just a few weeks earlier. There has also been some criticism of the contest prize: prices for 240 MHz PowerBook 3400s start around $5500, so it could be argued there’s less financial incentive to break into this server than there was in previous Mac security challenges. That might be true, but perhaps it’s more important that winning a PowerBook 3400 appeals to a smaller set of the server-cracking population than cold, hard cash. After all, few Windows or Unix loyalists will spend time trying to win a Macintosh.
VanHacking — Cash is not a problem for the VanHacking Challenge being hosted by VirTech Communications in Vancouver, British Columbia from 01-Jun-97 to 15-Jul-97. They’re offering $10,000 Canadian (about $7,200 U.S.) to anyone who can do two things:
Break into a protected Web page to find encrypted credit card information and a special phrase.
Decrypt the credit card information and alter the wording of the special phrase on the protected Web page.
The VanHacking server is a Power Mac 7200/120 running System 7.5.3, Timbuktu Pro 3.0.2, WebSTAR 1.3.2, and the challenge page is protected with WebSTAR’s Realms capability (so you’ll be prompted for a password if you try to access it with a Web browser).
On the face of it, the VanHacking Challenge is a new variation on the "alter a Web page" contest, and – by including an encrypted credit card number – the contest confronts the issue of secure electronic commerce on the Internet. VirTech’s press release (and Apple’s recent promotion of the contest on its corporate home page) plays up this factor: VirTech says it wants to refute the idea "plaguing the media today" that Internet commerce is unsafe and insecure.
Unfortunately, the VanHacking Challenge is aimed squarely at mainstream media and has little to do with electronic commerce. First, although earlier Macintosh Web server challenges have not directly tested WebSTAR’s Realms capability, it certainly played a factor in protecting Infinit’s server from attacks on WebSTAR 2.0’s remote administration features. And even if the Web page were unprotected, that cracker still has to figure out how to alter the contents of the contest page, which Infinit’s and ComVista’s contests essentially proved can’t be done for $10,000.
Then there’s the matter of the encrypted credit card information. According to the VanHacking contest rules, the credit card information is encrypted using PGP (Pretty Good Privacy), a strong public key encryption program developed by Phil Zimmerman and available for a variety of platforms.
There are essentially three ways to access encrypted data: decrypt the data computationally, find a copy of the unencrypted data, or somehow obtain the appropriate key or pass phrase to decrypt the information.
Despite (occasionally paranoid) speculation that PGP may have been cracked by the U.S. government, it’s highly improbable that someone will win the VanHacking contest by computationally decrypting the PGP data. Obtaining PGP keys by brute force is currently impractical, and to date there is no public evidence of weakness in PGP algorithms that would assist would-be decrypters. To put it bluntly, finding a method to quickly and reliably crack PGP-encrypted data is potentially worth tens of millions of dollars; it proves nothing if the VanHacking prize money goes unclaimed because PGP wasn’t broken.
It might be possible to find an unencrypted copy of the VanHacking credit card number: there have been instances where pass phrases or unencrypted copies of encrypted information have been found in RAM, unused disk sectors, virtual memory, or temporary files. However, since it’s been repeatedly demonstrated that the Mac OS is secure from most Internet attacks, it’s unlikely someone on the Internet will be able to examine these areas of the contest server or other VirTech machines.
Logistically, it’s easier for me to walk into the offices of VirTech Communications in Vancouver (or set up decent surveillance) than it is for me to break into its Web server. If I’m clever, I could pretend I’m a journalist and perhaps get someone to tell me what I want to know. If I’m willing to snoop, there’s probably a copy of the credit card number (or a clue as to where I could find it), a PGP pass phrase, a Timbuktu Pro password, or a sensitive email message or memo to be found. If I’m willing to break some laws – which isn’t an obstacle for parties interested in credit card fraud – I’m sure I could be more persuasive. VirTech has thought of this angle ("breaking into VirTech’s office building will also disqualify the participant"), and while they don’t mention fraud, extortion, or impersonating a law enforcement officer, the spirit of the rules is clear. Sure, these tactics sound like the stuff of corporate espionage and spy thrillers – and frankly a $10,000 prize doesn’t merit this sort of effort – but when millions of dollars hang in the balance, these things can happen.
The Agony of Self-Defeat — Are public security challenges pointless? Of course not! These contests demonstrate the integrity and value of the Mac OS and some of the excellent products available for the platform. I think that’s significant.
Nevertheless, it’s important to look at the objectives behind each event to separate technical merit from mouse-thumping partisanship. Challenges that merely repeat previous efforts speak more to the motivations of the contest organizers than the validity of the challenge. Similarly, contests that require circumventing technologies like PGP or Java security don’t necessarily say anything more about the Macintosh than a book says about its shelf.