Internet Gale Warning Declared for March 9-17
The sponsors of #Pwn2Own haven’t learned a key lesson: when hosting a gunfight, keep the competitors happy.
Pwn2Own is a highly anticipated feature of the CanSecWest technology security conference, which opens March 9.
For those unfamiliar with Pwn2Own, it’s basically a white-hat (the good guys, in web parlance) hacking contest. Contestants line up to defeat the security of, say, an unmodified iPhone or a particular web browser. If the exploit successfully allows the contestant full access to the device, the contestant wins a cash prize (or in previous years, the compromised device itself) and the exploit is kept under wraps for six months. The exploit is privately shared by the contest’s sponsors with the owner of the software platform compromised, giving them time to fix the security hole before its details are shared with a wider audience later in the year.
Three-year reigning winner Charlie Miller from Baltimore’s Internet Security Evaluators (actually there are multiple winners, but unlike Little League Baseball not everyone wins) is so agitated by the Pwn2Own sponsors that he has threatened to unleash his latest slew of exploits into the Wild.
His points are worthy of review by the event sponsors, but for the purposes of this conversation they are irrelevant. Any of the event’s competitors could unleash great harm to the Internet-using community by releasing their known exploits to the public directly.
Using these un- or under-vetted exploits, malicious hackers (“black hats” in web parlance) would find wide swaths of installed users whose computers, browsers or networks are ripe for the pickings. Security vendors such as McAfee and Norton would scramble to provide some coverage against this zero day attack, but the sheer volume of a mass attack would overwhelm their support lines even if they can provide protection, which is no sure thing.
There would likely be pockets of very unhappy computer users worldwide among both individual users and organizations unable to recover their systems quickly absent completely wiping hard drives. Data loss would be inevitable.
The reactions of the Pwn2Own sponsors over the next week are important. If they can accommodate Charlie Miller and his colleagues without compromising the competition, they may very well—as they usually do this time each year—provide more hints and tips to operating system, device and software manufacturers that lead to more secure computing.
If Pwn2Own’s sponsors fail to heed the call, our most conservative readers might be wise to power down for a few days starting March 9. Just in case someone gets grumpy at the OK Corral.
RIM: Disable JavaScript in BlackBerry Browser
zdnet.com - It was only a matter of time.
Research in Motion (RIM) is urging BlackBerry users to disable JavaScript in the smartphone’s browser to block exploits from a security vulnerability showcased at this year’s CanSecWest Pwn2Own contest.
The vulnerability, which exists in the open source WebKit browser engine provided in BlackBerry Device Software version 6.0 and later, was exploited to hack into a BlackBerry Torch 9800 smart phone to steal the contact list and image database.
[…]
The company suggests that users of the BlackBerry Device Software version 6.0 and later disable the use of JavaScript in the BlackBerry Browser to prevent exploitation of the vulnerability. The issue is not in JavaScript but the use of JavaScript is necessary to exploit the vulnerability.
I strongly agree with RIM’s decision to issue this notice to BlackBerry users, especially when you take into consideration the following:
RIM said it is investigating the issue to determine the best resolution for protecting BlackBerry smartphone users but did not provide a timeline for issuing a fix.
Until users know for sure that a fix is on the way, they should disable JavaScript. RIM provides details on how to do just that under the ‘Workaround’ section in the knowledge base entry.
First browser maker to fix a flaw exploited at last week's hacking contest
Google patches Pwn2Own WebKit bug in Chrome
Google has patched a WebKit flaw in its Chrome browser that was exploited by a multinational team to hack the BlackBerry Torch smartphone at Pwn2Own.
Although Chrome was unchallenged at Pwn2Own, the browser relies on the open-source WebKit browser engine, and so needed to be patched.
Friday’s Chrome update made Google the first browser developer to patch a vulnerability used at Pwn2Own, the hacking contest sponsored by HP TippingPoint and its Zero Day Initiative (ZDI) bug bounty program. Pwn2Own ran Wednesday through Friday and handed out $60,000 in prize money to four individuals or teams.
Last Thursday, Vincenzo Iozzo, Willem Pinckaers and Ralf-Philipp Weinmann won $15,000 by hacking Research in Motion’s BlackBerry Torch with an exploit of a WebKit vulnerability in the BlackBerry’s browser. The same day, Dion Blazakis and four-time winner Charlie Miller exploited a different WebKit flaw in Apple’s Safari browser on the iPhone 4.
According to Google, the WebKit bug exploited by Iozzo, Pinckaers and Weinmann was a “memory corruption in style handling.” Google rated the threat to users as “high,” its second-most-dire ranking.
As is Google’s practice, it locked access to its bug tracker to bar outsiders from viewing the technical details of the just-patched vulnerability. The company blocks public access to flaws for weeks or even months to give users time to update.
Apple, which will need to patch the same WebKit bug that Google addressed, as well as the one that Blazakis and Miller exploited, does not comment on its security update process.
Google also awarded Iozzo, Pinckaers and Weinmann $1,337 from its own bug bounty program, adding to their cash take for the Pwn2Own hack.
Neither Chrome nor Mozilla’s Firefox were challenged at last week’s Pwn2Own: Researchers who had earlier signed up to take on the browsers didn’t show or withdrew because they had failed to come up with reliable exploits in time for the contest.
Employees of both Mozilla and Google touted the browsers’ survival skills.
“Whew, Firefox survived #pwn2own 2011. This is not a laurel we are resting on, but I’m still happy about it,” said Brendan Eich, Mozilla’s CTO, in a tweet last week. “Congrats to Chrome surviving, too.”
“Both surviving browsers: open source, have bounty programs, have embedded security teams, better at faster fixes. Coincidence?” tweeted Chris Evans, an engineer on the Chrome security team.
Smartphones running Google’s Android and Microsoft Windows Phone 7 operating systems also escaped Pwn2Own unscathed.
Last week’s contest was the third consecutive Pwn2Own that Chrome was not exploited by researchers. It was the first time for Firefox since browsers were designated as targets in 2009.
Google Is Paying $20,000
The famous search engine Google is paying a full $20,000 to anyone who finds a vulnerability in Chrome, the browser it released. Google, which will take part in this year’s “Pwn2Own Hacking” events, hopes to close potential security holes this way.
The company, which aims to make Chrome as secure as possible, is also giving away a laptop in addition to the cash prize. The laptop, which runs the Chrome OS operating system, will also be compatible with Windows 7 and Mac OS X.
Alem-i Cihan - http://alemicihan.com
Charles Miller is a computer security researcher with the consulting firm Accuvant LABS.
Prior to his current employment, he spent five years working for the National Security Agency. Miller demonstrated his hacks publicly on products manufactured by Apple. In 2008 he won a $10,000 cash prize at the hacker conference Pwn2Own in Vancouver, Canada for being the first to find a critical bug in the ultrathin MacBook Air—deploying an exploit in 2 minutes. The next year, he won $5,000 for cracking Safari in under 10 seconds. In 2009 he also demonstrated an SMS processing vulnerability that allowed for complete compromise of the Apple iPhone and denial-of-service attacks on other phones. In 2011 he found a security hole in an iPhone’s or iPad’s security, whereby an application can contact a remote computer to download new unapproved software that can execute any command that could steal personal data or otherwise using iOS applications functions for malicious purposes. As a proof of concept, Miller created an application called Instastock that got approved by Apple’s App Store. He then informed Apple about the security hole, who then promptly expelled him from the App Store.
This is his Wikipedia page. After reading the linked BBC article, I think I’m about to become his stalker.
Mac hacked in 5 seconds, not as magical as previously thought.
engadget.com - “Using a flaw in Apple’s pre-installed first-party Safari browser, it took French security pro Chaouki Bekrar merely 5 seconds to hijack the unwitting MacBook at the CanSecWest Conference’s pwn2own contest in Vancouver, British Columbia.”
Hackers backed out. Google's Chrome has not been cracked at Pwn2Own hack match

“Scheduled attackers don’t show, or pass on exploiting sandboxed browser”
Google’s $20,000 was as safe at Pwn2Own Wednesday as if it had been in the bank. The search giant had promised to pay $20,000 to the first researcher who broke into Chrome on the hacking contest’s opening day.
But no one took up Google’s offer.
“The first contestant was a no-show,” said Aaron Portnoy, manager of HP TippingPoint’s security research team, and Pwn2Own’s organizer. “And the other team wanted to work on their BlackBerry vulnerability. So it doesn’t look like anyone will try Chrome.”
Only two entries had pre-registered for Chrome: Moatz Khader and one or more researchers going as “Team Anon.” (Researchers may remain anonymous if they wish.) Based on a random drawing several weeks ago, Khader was to get first shot, with Team Anon second.
Team Anon is also slated to tackle RIM’s BlackBerry OS on Thursday.
Late Wednesday, TippingPoint provided a tentative schedule for today’s Pwn2Own; that schedule doesn’t show any planned Chrome exploit.
Even if someone unexpectedly stepped up to take a crack at Chrome and exploited the browser, Google would be on the hook for just $10,000. As part of the deal it struck with TippingPoint, the two will split the $20,000 payment for a successful hack on the second or third days of the contest.
If Chrome comes out unscathed, as it now appears it will, the browser will have survived three consecutive Pwn2Owns, a record.
On Wednesday, researchers successfully exploited Safari and Internet Explorer. A team from French security company Vupen took down Safari 5 running on a MacBook Air notebook in five seconds, and independent researcher Stephen Fewer used a trio of vulnerabilities to hack IE8 on Windows 7.
Portnoy was impressed with Fewer’s work. “The most impressive so far,” said Portnoy. “He used three vulnerabilities to [not only] bypass ASLR and DEP, but also escape Protected Mode. That’s something we’ve not seen at Pwn2Own before.”
ASLR, for address space layout randomization, and DEP, or data execution prevention, are a pair of technologies baked into Windows that are designed to make it more difficult for exploits to reliably execute. Protected Mode is IE’s “sandbox,” which isolates the browser — and thus any attack code that manages to infiltrate it — from escaping to do damage on the system as a whole.
Pwn2Own continues today and Friday, when Mozilla’s Firefox and four smartphones running Apple’s iOS, Google’s Android, Microsoft’s Windows 7 Phone and RIM’s BlackBerry OS will be in researchers’ crosshairs.
Google Backs out of Pwn2Own
dvlabs.tippingpoint.com - Zero Day Initiative reacts:
Instead, the grand Google prize will go unclaimed and the great takeaway from Pwnium will be that Google Chrome is unhackable - even when 1 million dollars are at stake. Which is a shame, because that kind of sensationalism will not advance the state of browser security at all. In fact, it may just set us back a few years.
So Google will come out looking good while at the same time hindering browser security. Sounds like the opposite of “Don’t be evil”.
- Chris
Mac OS X 10.6.7 closed many security holes
In the past, Mac OS has been quite vulnerable to hacker attacks. Charlie Miller, four-time Pwn2Own winner, needed just 2 minutes to break into a MacBook Air through Safari in 2008. Let’s also not forget how much the break-in time dropped earlier this month at the HP TippingPoint-sponsored hacking challenge, where Safari once again proved vulnerable, as this time it took not 2 minutes but just 5 seconds.

Apple’s OS update may not have brought any significant change for the average user, but it nevertheless closed many important security holes, more than 56 according to a computerworld article. With its latest update, Apple has restrained, for now at least, the would-be hackers who could break into the system with their eyes closed.
At the Pwn2own competition Safari and IE were hacked, the Chrome browser held out
The first day of the Pwn2own competition for hacking typical software environments, held annually as part of the CanSecWest conference, has concluded. During the competition, … were demonstrated …
Google updates Chrome to version 10 one day before Pwn2Own
Google announced that they will pay $14,000 to the one who breaks Chrome on the Pwn2Own contest which will start on March 9. Funny enough, on March 8 they upgraded Chrome to version 10, patching many bugs right before the contest. Usually people who will try to break it already know what to look for, but as this will force them to start from “scratch” it will be fun.
Chrome is not the only one who patched before Pwn2Own though. Apple patched Opera too, after being hacked by Charlie Miller (he did it in 2 minutes once, also the first person to hack an iPhone) over and over and over again. Maybe this time it will take him a few more minutes to hack it ;)
Apple’s reputation is not very good at that contest, unlike Google’s, as Chrome has never been hacked there so far.
Google's paying $20,000 to hack Chrome -- any takers?
Amplify’d from www.engadget.com
