Star CanSecWest: Countering Misinformation
Linked by Thom Holwerda on Sun 30th Mar 2008 20:35 UTC
Privacy, Security, Encryption As you surely know by now, the CanSecWest conference was the stage for a contest, PWN to OWN. Three laptops were set up; laptops running Windows Vista, Ubuntu Linux, and Mac OS X. The goal was to hack the computer and read the contents of a file located on each of the machines, using a 0day code execution vulnerability. During the first day, you can only attack the machine over the network, without physical access. On the second day, user interaction comes into play (visiting a website, opening an email). On the third and final day, third-party applications are added to the mix. Each machine had the same cash prize on its head. As you all know, the Mac was hacked first, on day two. The user only had to visit a website, and the Mac was hacked. Vista got hacked on the third day using a security hole in Adobe's Flash, and the Ubuntu machine did not get hacked at all. Update: Roughly Drafted responds.
E-mail Print r 8   · Read More · 81 Comment(s) http://osne.ws/f2x
Thread beginning with comment 307286
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[3]: OOooh Oooh Me first?
by kaelodest on Sun 30th Mar 2008 22:30 UTC in reply to "RE[2]: OOooh Oooh Me first?"
kaelodest
Member since:
2006-02-12

Back on the Topic securing it is easy, falling for this hack would be hard

Yup that confounded me a little at first too. As the first time I tried to sudo from a non-admin account I was given a terse security warning. Then I thought it through and had to nest one sudo inside of another. Well in the end I find few reasons (outside of work -- where I am the Mac systems admin for all north American Macs for a publishing co.) Outside of banging on some naughty or inefficient code that I wrote I find very little practical reason to drop to the CLI

And also aside from reputable installers from respectable vendors I am very rarely asked to enter my admin name and password.

So If I am at a web page and it asks me to enter my local admin name AND then my password. AND then I enter it was I really hacked?

Reply Parent Bookmark Score: 2

Earl Colby pottinger Member since:
2005-07-06

Social engineering is a useful tool in the world of crackers. So yes, you were hacked, but in this case it literally was *YOU* who was hacked.

Reply Parent Bookmark Score: 2