Linked by Thom Holwerda on Fri 28th Mar 2008 20:39 UTC, submitted by irbis
Privacy, Security, Encryption "An Apple Mac was the first victim in a hacker shoot-out to determine which operating system is the most secure. A former US National Security Agency employee has trousered USD 10000 for breaking into a MacBook Air at CanSecWest security conference's PWN 2 OWN hacking contest. The MacBook was lined up against Linux and Vista PCs - which have so far remained uncracked. Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages. The MacBook was the only system to be hacked by Thursday. Miller didn't need much time. He quickly directed the contest's organisers to visit a website that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on. He was the first contestant to attempt an attack on any of the systems." There is more bad news for Apple: "If you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple." Update: The contest is over. Vista got hacked using Adobe's Flash, Ubuntu was left standing.
Thread beginning with comment 307050
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: LMFAO
by elsewhere on Fri 28th Mar 2008 21:04 UTC in reply to "LMFAO"
elsewhere
Member since:
2005-07-13

OSX the first to go down in flames, Vista and Linux standing strong thats just funny with all of OSX's flogging that its so safe and secure.


It's worth remembering that when it came to attacks based directly at the platform rather than applications running on it, there were no contenders which bodes well for the default security posture of all three platforms.

Was this a case of OSX really going down, or was it related entirely to the flaw in Safari that opened the system to remote access?

I think it's an important distinction because this is the direction the blackhats are moving in. The days of open ports in Windows are over, even Microsoft has taken to a more responsible security design. Linux and OSX already had a natural advantage in this area. So attacks will no longer be against the platform, necessarily, but more against the applications running on top of them. Browsers, plugins, media players etc. will all be the focus of blackhat activity, and that is disconcerting because it means that vulnerabilities in an application on one platform could be easily transferable to other platforms. A flaw in firefox is often a flaw in firefox Win/OSX/*nix. The flaw in Safari that broke OSX could easily apply to the Windows version as well, hard to know without disclosure yet.

It's good that we have a choice of secure platforms to use, but now there is the whole issue of needing ISV's to take the same security approach that the OS vendors have often been forced to take, otherwise it will all be for naught. The platform can certainly help minimize the damage a rogue app exploit can occur in a cross-platform app, but it's still an issue that will need to be addressed.

As much as I'm tempted to giggle at bit at the fact that OSX was the first to go down, I don't think it's Apple the OSX vendor that should be blushing. It's Apple the software company that should be concerned, but that could just as easily have been Adobe or someone else. In fact, I was kind of expecting it to be Adobe with all of the flash issues they've had lately.

Anyways, will be interesting to watch and see what happens over the rest of the contest.

Reply Parent Score: 20

RE[2]: LMFAO
by pxa270 on Fri 28th Mar 2008 21:26 in reply to "RE: LMFAO"
pxa270 Member since:
2006-01-08

From the Register:

"Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. "

http://www.channelregister.co.uk/2008/03/28/mac_hack/

Reply Parent Score: 11

RE[3]: LMFAO
by Doc Pain on Fri 28th Mar 2008 22:21 in reply to "RE[2]: LMFAO"
Doc Pain Member since:
2006-10-08

From the Register:

"Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. "

http://www.channelregister.co.uk/2008/03/28/mac_hack/


Do I understand this correctly? An interaction of the user has been required to achieve the goal of hacking?

From the description above: "Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages." - Is this still hacking? Relying on user interaction can help you to compromize any system. I always thought this is nothing spectacular because nearly anyone can do such "easy" stuff (faked maintenance websites, faked system alerts etc.). The same techniques could have been used to hack into the Linux and "Vista" boxes as well, just if the user replies to a mail like "Dear Bob, please send me your root password back. thanks!" :-)

Reply Parent Score: 12

RE[3]: LMFAO
by wannabe geek on Sat 29th Mar 2008 18:15 in reply to "RE[2]: LMFAO"
wannabe geek Member since:
2006-09-27


The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. "


If that is true, the following observations come to mind:

1) telnet itself is obsolete because of security reasons, and sshd should be off by default in desktop systems (and regular user should not be able to turn it on).

2)Only root should be able to open a port.

3) Even if arbitrary code is executed as regular user, it shouldn't be able to get root account, except, maybe , by privilege escalation. Privilege escalation is an issue in Linux as well (as discussed in the "fakesudo" thread in Ubuntu forums), but I think the risk can be avoided if you never su or sudo from your regular user account. Instead, create a new user from whom you su or sudo, and run a lightweight DE with this user in another tty, just to run synaptic and things like that. I'm assuming a user program can run a fake kde session fullscreen, but it can't capture CTRL+ALT+f8. I have to check that one, though.

So, even if it was a vulnerability in Safari, it was the OS fault if this led to a remote root login without the user entering its password. Not to mention that Safari is an Apple program, installed by default in OS-X, so there are no palliatives.

Reply Parent Score: 4

RE[2]: LMFAO
by linumax on Fri 28th Mar 2008 23:11 in reply to "RE: LMFAO"
linumax Member since:
2007-02-07

Latest update, from the third day:

"2:30pm PST Update: Its been two hours so far, and both Vista and Ubuntu laptops are still standing. Stay tuned..."

Check for more updates here:

http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day...

Reply Parent Score: 4

RE[2]: LMFAO
by tomcat on Sat 29th Mar 2008 01:17 in reply to "RE: LMFAO"
tomcat Member since:
2006-01-06

So attacks will no longer be against the platform, necessarily, but more against the applications running on top of them. Browsers, plugins, media players etc. will all be the focus of blackhat activity, and that is disconcerting because it means that vulnerabilities in an application on one platform could be easily transferable to other platforms. A flaw in firefox is often a flaw in firefox Win/OSX/*nix. The flaw in Safari that broke OSX could easily apply to the Windows version as well, hard to know without disclosure yet.


Yeah, I agree, and this is a worse threat, in my opinion, because few applications have the scrutiny that the OSes have.

Reply Parent Score: 3

RE[2]: LMFAO
by google_ninja on Sat 29th Mar 2008 16:51 in reply to "RE: LMFAO"
google_ninja Member since:
2006-02-05

I don't know, when webkit is considered to be a core api, it needs to be treated as such. same with ie on windows. or with khtml on kde.

Firefox is just another app as far as the os is concerned.

Reply Parent Score: 2