Gone in 2 minutes: Mac gets hacked first in contest

[Dashken]

Quote:

It may be the quickest $10,000 Charlie Miller ever earned.

He took the first of three laptop computers -- and a $10,000 cash prize -- Thursday after breaking into a MacBook Air at the CanSecWest security conference's PWN 2 OWN hacking contest.

Show organizers offered a Sony Vaio, Fujitsu U810 and the MacBook as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system, using a previously undisclosed "0day" attack.

Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

The MacBook was the only system to be hacked by Thursday, however, the word on the show floor is that the Linux and Vista systems will meet with some serious challenges on Friday.

Miller, a former National Security Agency employee best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.

He was the first contestant to attempt an attack on any of the systems.

Miller was quickly given a nondisclosure agreement to sign and he's not allowed to discuss particulars of his bug until the contest's sponsor, TippingPoint, can notify the vendor.

Contest rules state that Miller could only take advantage of software that was pre-installed on the Mac, so the flaw he exploited must have been accessible, or possibly inside, Apple's Safari browser.

By late Thursday, Apple engineers were already working on patching the issue, said Aaron Portnoy, a TippingPoint researcher who is one of the contest's judges.

Miller's $10,000 payday may sound sweet, but it's not the most Miller has been paid for his work. In 2005, he earned $50,000 for a Linux bug he delivered to an unnamed government agency.

Last year's contest winner, Dino Dai Zovi, exploited a vulnerability in QuickTime to take home the prize.

Dai Zovi, who congratulated Miller after his hack, didn't participate in this year's contest, saying it was time for someone else to win.

Shane Macaulay, who was Dai Zovi's co-winner last year, spent much of Thursday trying to hack into the Fujitsu Vista laptop, at one point rushing back to his Vancouver area home to retrieve a file that he thought might help him hack into the system.

But it was all in vain.

"It's one thing to find a vulnerability, it's another thing to make working exploit code," said Terri Forslof, TippingPoint's Manager of Security Response.

Forslof said that a number of "high quality" researchers have said that they will attempt to hack the machines on Friday, the last day of the conference.

She expects both systems to be hacked on Friday, when contest rules will be further eased, and hackers will be able to attack popular third-party software that can be installed on the systems. "I don't think we'll have to take any home," she said.

Source: Gone in 2 minutes: Mac gets hacked first in contest | IDGNS | News | March 27, 2008 | By Robert McMillan, IDG News Service

[Mac Daddy]

Saw the title and was hoping it wasn't me lol

Is it just me or is there something a little off about awarding prizes to hackers

[Chai]

Quote:

Originally Posted by Mac Daddy

Saw the title and was hoping it wasn't me lol

Is it just me or is there something a little off about awarding prizes to hackers

lol...

Interesting to have such contest...

[aKho]

it's good la, help expand the minds of us users and at the same time, fixing loopholes and ensuring our privacy. especially when most of us have "pink folders" we don't wish people to know about.

[Dashken]

Quote:

Vista notebook falls in hacker challenge

March 30, 2008 (Computerworld) A security researcher on Friday exploited a critical bug in Adobe Systems Inc.'s Flash Player to hack a notebook running Windows Vista Ultimate, the second machine to fall in this year's "PWN To OWN" challenge.

The only unclaimed laptop of the original trio by the contest's end was a Sony Vaio running the Ubuntu distribution of Linux.

Shane Macaulay, a consultant with Security Objectives, claimed the $5,000 cash prize by breaking into a Fujitsu U810 running Windows Vista Ultimate SP1 late Friday. According to 3Com Inc.'s TippingPoint, which put up the prizes for the three-day hacker challenge at CanSecWest, Macaulay exploited an unidentified zero-day vulnerability of the ubiquitous Flash Player.

Macaulay, who was assisted by Derek Callaway, also of Security Objectives, and Alexander Sotirov, an independent researcher, was the second PWN To OWN winner. Thursday, Charlie Miller from Independent Security Evaluators hacked a MacBook Air using a vulnerability in Apple Inc.'s Safari browser to win the notebook and a $10,000 check from TippingPoint.

The Austin, Tex.-based security company, perhaps best known for its Zero Day Initiative (ZDI) bug bounty program, announced Macaulay's win in a post to its blog.

Like Miller, Macaulay was bound by a nondisclosure agreement with TippingPoint, which under the PWN To OWN rules acquired the vulnerability its ZDI. TippingPoint said it has reported the bug to Adobe. "Until Adobe releases a patch for this issue, neither we nor the contestants will be giving out any additional information about the vulnerability," the company said in the blog post.

The hack challenge, which kicked off last Wednesday, expanded the notebooks' exposure to attack after the first and second days. No one, for example, walked away with the first day's $20,000 prize, which had required that researchers break into one of the laptops using a remote code-execution exploit that didn't rely on any user interaction. Miller won his $10,000 and the MacBook Air after attacks were allowed on installed-by-default applications, and user action could be replicated.

On Friday, when Macaulay took down Windows Vista, contest organizers added a number of popular third-party client applications to the remaining two notebooks, including Adobe's Acrobat Reader and Flash Player, the Firefox browser, and Skype, a voice-over-Internet program.

Adobe patched Flash Player several times last year. The most recent large-scale security update was issued last December to plug nine holes in the software.

Macaulay also had a part in 2007's inaugural PWN To OWN contest, which pitted a single computer, a MacBook Pro, against all comers for a $10,000 prize. Although Dino Dai Zovi provided the QuickTime exploit that hacked the machine last year, Macaulay served as his on-site partner.

Source: Vista notebook falls in hacker challenge