Second hack-my-Mac compo goes ballistic

A senior systems engineer at the University of Wisconsin on Monday launched a Mac hacking contest.

Dave Schroeder's challenge asked hackers to alter the homepage hosted on a Mac mini running Mac OS X 10.4.5 with the latest security updates. The system has two local accounts, and SHH and HTTP open - "a lot more than most Mac OS X machines will ever have open", Schroeder said on his website.

Originally, the online event was scheduled to end on Friday but the time for the challenge was shortened to end on Tuesday night, Schroeder said.

Speaking earlier on Tuesday, he said: "It has been pretty surprising how well the little Mac mini has stood up. It has taken a pounding. The attention [the contest] has gotten has just exploded. This isn't a real, official test: it is just kind of done in the academic interest."

A previous Mac hack challenge was too easy, he said.

In the previous challenge, an anonymous hacker claimed he was able to compromise OS X within 30 minutes using an undisclosed vulnerability. However, attackers were given user-level access to the system, rather than being shut out completely.

Schroeder added: "The original challenge allowed any users to have local accounts to access the machine via SSH. This is an important distinction, because if you have local - or physical - access to a computer, you have a very distinct leg-up in terms of the ability to escalate your privileges."

Early media reports on the first competition did not call out the fact that attackers were given local access to the system. This irked Schroeder, moving him to launch his own challenge. "The original article left readers with the impression that a Mac OS X machine could be easily hacked into just by being connected to the internet," he said.

Still, the previous contest was a real challenge, Schroeder said. "Assuming it is genuine, it represents an as-yet-unknown local privilege escalation that would allow any local user to gain root-level access," he said. This could be a serious issue for any setting with shared machines, such as schools, he added.

It could also pose a problem for web hosting providers that use Apple's operating system, according to Johannes Ullrich, chief research officer at SANS Institute. Customers on shared machines need access to update their websites. A privilege escalation flaw could let a malicious user with such access gain full control over a system, he said.

Earlier on Tuesday, Schroeder said that most of the hacking attempts were from scripts and tools attempting to use common web exploits, dictionary attacks against SSH, port scans and scans by security tools such as Nessus. On Tuesday morning the site was down briefly due to a denial of service attack, he said.

Joris Evers writes for CNET News.com