Mac Book Air PWNED in hacking contest
 

I remember this last year, and it was a big challenge and took 9 hours of hacking to beat the mac and they even had to reduce the rules, this year it was hacked in 2 minutes flat although they did reduce the rules to the local network again this year aswell.


"Mac gets hacked first in contest
Robert McMillan
Thu Mar 27, 4:25 PM ET
San Francisco - It may be the quickest $10,000 Charlie Miller ever earned.

ADVERTISEMENT

He took the first of three laptop computers -- and a $10,000 cash prize -- Thursday after breaking into a MacBook Air at the CanSecWest security conference's PWN 2 OWN hacking contest.

Show organizers offered a Sony Vaio, Fujitsu U810, and the MacBook as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system using a previously undisclosed "0day" attack.

Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday, the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

Miller, best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.

He was the first contestant to attempt an attack on any of the systems.

Miller was quickly given a nondisclosure agreement to sign, and he's not allowed to discuss particulars of his bug until the contest's sponsor, TippingPoint, can notify the vendor.

Contest rules state that Miller could only take advantage of software that was preinstalled on the Mac, so the flaw he exploited must have been accessible by, or possibly inside, Apple's Safari browser.

Last year's contest winner, Dino Dai Zovi, exploited a vulnerability in QuickTime to take home the prize.

Dai Zovi, who congratulated Miller after his hack, didn't participate in this year's contest, saying it was time for someone else to win."


http://news.yahoo.com/s/infoworld/20...nfoworld/96676

interesting news, will keep in mind not to use safari

lol I love it.. now maybe those Mac users can quit being so uppity about how much better and more secure they are.

Nothing really special in that report.

Windows: Idiots use IE.
MacOS: Idiots use Safari.

It's the standard thing installed on both OS', so in turn if the user had a clue, they would install something that wouldn't be targeted first by exploits. I use both OS' and I don't use either of those browsers.

Currently there's a few exploits going around that involve little to no user interaction on behalf of IE's wide variety of exploitable holes. I'm not saying that either OS is better than the other, it's more a scary fact that a majority of surfers (the ones that we target) have next to no idea about browser/OS security and are running around with hijacked machines.

In other words the more out of the spotlight your browser is, and the more the developers fix and update their software, the chance of your machine getting exploited due to some well known unpatched hole.

Random trivia: Back in the day, due to certain IE vulnerabilities you were able to grab a surfers complete MSN contacts list (emails and all) just from them surfing to your page. What a wonderful world we lived in.... not!

guess its time to THINK DIFFERENT..... just a little more

Safari? I thought Leopard was installed on all new macs?

Safari=browser Leopard=OS you're thinking of Tiger.

I like safari, but am getting pretty used to Camino aswell...
For the most part I've been using Webkit but I'm not sure if it can be targeted the same as safari or not.

I expect any OS or browser to have holes in it really, no matter who coded it, there's someone smarter out there somewhere

Wonder if Apple will end up hiring this guy.

Well if you keep yourself up to date, then any browser is fine. My beef is more with IE since it ties into the OS more than what Safari does.

There's a chance they might hire, but also, if you look at it a different way and wave a carrot infront of his face, $10,000 for each major exploit you find... you would have a loyal employee for life busy at messing with the OS. I think that if you are there with the developers you might overlook something, but if you are on the outside trying to get in, your efforts to find the holes are more thorough.

You're right thanks (and I'm staring right at it) :thumbsup

sucks for that dude. He hacked piece of shit computer and got a piece of shit as his prize.

I'm curious to know eventually what the disclosed attack was. Until it's actually reported I'm not going to read to much into this.