Topic: Laptops wait for attackers in hacking contest

[Samker]

Vancouver, CANADA – Hundreds of security professionals and hackers flowed through a smallish room overlooking the harbor at the Marriott Renaissance Hotel on Wednesday, where three laptops wait to be compromised by some ingenious attacker in the second annual PWN2OWN contest.

Rather than heading for the table with the notebook computers, however, the attendees of the CanSecWest Conference headed for the drinks and snacks.

Perhaps the first day's rules are too onerous: Attackers must use a remote exploit that does not require any user interaction. Or perhaps the reward of $20,000 is too small, since any vulnerability that can be exploited remotely could potentially be sold for a much higher amount to a private third party.

The contest organizers expected little action on the first day, according to Terri Forslof, manager of security response for TippingPoint, which is sponsoring the competition.

Under the first day's rules, "that is not an easy target," she said.

This year's PWN2OWN competition allows contestants the chance to attack one of three laptop computers. ("Pwn" -- slang which means to compromise a system -- is pronounced like "pon" in pony.) Compromise any of the computers -- running the latest versions of Apple's Mac OS X, Microsoft Windows Vista and Ubuntu Linux -- and the attacker gets both the system and a cash prize depending on the type of vulnerability they used. Last year, when the contest offered up two MacBooks as targets, researchers Shane Macaulay and Dino Dai Zovi teamed up to use a vulnerability in the way QuickTime handles Java to compromise one of the machines, taking home $10,000 and the MacBook.

On Monday, security firm Tipping Point boosted its top bounty in the contest to $20,000 for contestants that exploit a remote vulnerability in a way that does not require user interaction. The boost in the bounty came after researchers criticized the company for the more modest prizes announced last week.

Some security researchers have already signed up to try to compromise the systems on the second and third days, when the rules allow lesser attacks and the contestants are rewarded with lesser prizes.

"There are people who have exploits and are ready to use them," said Dino Dai Zovi, the security manager who won the contest last year.

If a security researcher uses a more severe exploit to compromise a laptop on Day 2 or Day 3 of the competition, they will still get the larger cash prize, Forslof said.

(Copyright by SecurityFocus)

[Samker]

Vancouver, CANADA -- In the first attempted attack in the PWN2OWN contest, a security analyst breached the defenses of Apple's Mac OS X using a bug in the Safari browser and won $10,000 as well as the computer that he compromised.

Charlie Miller, principal analyst with Independent Security Evaluators and the researcher who found some significant flaws in Apple's iPhone last summer, compromised the Apple MacBook Air in less than a minute. While he refrained from describing the flaw, SecurityFocus learned that the issue affected the Safari browser. Contest officials said that the MacBook Air was running the latest version of Mac OS X, version 10.5.2 or "Leopard."

Miller -- and two colleagues from ISE, Jake Honoroff and Mark Daniel -- worked on the code for exploiting the security issue for about three weeks, he told SecurityFocus.

"I was sort of looking for a while, but as soon as we started looking in a particular (code) area, it didn't take too long," Miller said.

This year's PWN2OWN competition allows contestants the chance to attack one of three laptop computers. ("Pwn" -- slang which means to compromise a system -- is pronounced like "pon" in pony.) Under the competition rules, the attacker selects one of the systems -- running the latest versions of Apple's Mac OS X, Microsoft Windows Vista and Ubuntu Linux -- and gets 30 minutes to compromise the computer. The attacker gets both the system and a cash prize depending on the type of vulnerability they used. The vulnerability exploited by Miller required some user interaction, so he did not qualify for the highest prize of $20,000.

The bug is still very serious, however, resembling the vulnerabilities currently used by many fraudsters to infect the systems of unwary victims with bot software and root kits. The vulnerability requires the same amount of interaction as the flaw in QuickTime's handling of Java that allowed researchers Shane Macaulay and Dino Dai Zovi to win the competition last year. They also got to take home $10,000 and a MacBook.

Terri Forslof, manager of security response for TippingPoint, which sponsored the competition, stated that the company would post more information about the vulnerability on its blog.

(Copyright by SecurityFocus)

[Samker]

Vista hacked on 3rd day thru Adobe Flash. Linux Undefeated



After Mac was hacked in 2 minutes at the CanSecWest Conference, it was now the time for Vista to get hacked on the 3rd day. Vista's security was compromised through the popular 3rd party software, Adobe Flash.

"The contest, which saw a MacBook Air get hacked on Thursday, relaxed the rules even further. On the first day of the contest, only the operating system could be targeted, but on the second day that was expanded to include standard applications. An undisclosed Safari flaw led to the MacBook Air's downfall through the OS X operating system."

The MacBook Air went first; a Fujitsu laptop running Vista was hacked on the last day of the contest; but it was Linux, running on a Sony Vaio, that remained undefeated as conference organizers ended a three-way computer hacking challenge Friday at the CanSecWest conference.

(Copyright by NeoWin)