Επαναλαμβάνω κάποια γενικά πράγματα για το διαγωνισμό για όσους δεν έχουν διαβάσει το προηγούμενό μου post ή δεν παρακολούθησαν γενικότερα την εξέλιξη του διαγωνισμού:
Οι διαγωνιζόμενοι έπρεπε να προσπαθήσουν να αποκτήσουν τον έλεγχο ενός από τα τρία notebooks χρησιμοποιώντας μια 0day αδυναμία. Τα notebooks: VAIO VGN-TZ37CN με Ubuntu 7.10, Fujitsu U810 με Vista Ultimate SP1 και ένα MacBook Air με OSX 10.5.2. O νικητής παίρνει το notebook δικό του και ένα χρηματικό βραβείο. Σκοπός του διαγωνισμού...κυρίως η ανακάληψη νέων 0day αδυναμιών.

Πώς πήγε ο διαγωνισμός:
Την πρώτη ημέρα κανείς δεν κατάφερε να χακάρει κάποιο από τα τρία noteboοκs. Φταίξιμο, ίσως, του βαθμού δυσκολίας που είχαν αρχικά θέσει οι διοργανωτές. Πράγματι, κατά τη διάρκεια της πρώτης ημέρας οι επιθέσεις και προσπάθειες χακαρίσματος ήταν δυνατό να γίνουν μόνο διαμέσω δικτύου (στην πραγματικότητα ο υπολογιστής του hacker και το προς χακάρισμα notebook ήταν συνδεδεμένοι με ένα καλώδιο δικτύου crossover).
Την δέυτερη ημέρα, αποφασίστηκε η χαλάρωση του βαθμού δυσκολίας. Έτσι, επιτράπηκε στους διαγωνιζόμενους να μπορούν
να ζητούν από τους διοργανωτές να εκτελέσουν κάποιες ενέργειες, όπως το άνοιγμα ενός email ή την επίσκεψη σε κάποια σελίδα. Τη δεύτερη,λοιπόν, μέρα είχαμε το πρώτο θύμα. Το MacBook Air χακαρισμένο μέσα σε δύο λεπτά. Το χακάρισμα επιτεύχθηκε χρησιμοποιώντας μια 0day vulnerability του browser Safari. Μπορείτε να διαβάσετε περισσότερα στο post μου MacBook Air…2 hard 2 hack…για 2 λεπτά.
Την τρίτη ημέρα και τις πρώτες ώρες της, τα δύο εναπομείνοντα notebooks στεκόταν ακόμα περήφανα για την αντοχή τους όρθια στο χώρο του διαγωνισμού. Οι διοργανωτές αποφάσισαν να χαλαρώσουν και άλλο το βαθμό δυσκολίας, επιτρέποντας την εγκατάσταση κάποιων από τις πιο γνωστές εφαρμογές. Στην ουσία αυτή που θα ζητούσε ο διαγωνιζόμενος αρκεί να ήταν μια γνωστή δημοφιλής εφαρμογή και φυσικά αν ήταν σύμφωνοι οι κριτές.

Είχε φτάσει η ώρα να "πέσει" το δεύτερο notebook. Είχε φτάσει η ώρα για τον Shane Macaulay. Έκανε δικό του το Fujitsu U810 laptop που έτρεχε Vista Ultimate SP1 και 5.000$. Ο Macaulay εκμεταλλέυτηκε μια 0day αδυναμία του Adobe Flash και κατάφερε να αποκτήσει τον έλεγχο των Vista SP1.

Κερδισμένος του διαγωνισμού...η Ubuntu φυσικά που κανείς δεν κατάφερε να χακάρει και εννοείται οι δύο νικητές που έφυγαν από το διαγωνισμό με χρήματα και ένα notebook.

Τόσο χρόνο χρειάστηκε ο Charlie Miller για να σπάσει τις δικλείδες ασφαλείας του λειτουργικού συστήματος της Apple, σε διαγωνισμό στο Βανκούβερ.

Οι συμμετέχοντες του ετήσιου διαγωνισμού CanSecWest έπρεπε να σπάσουν τα μέτρα ασφαλείας σε τρία διαφορετικά laptops με λειτουργικά συστήματα Vista Ultimate SP1, Leopard OS X 10.5.2 και Ubuntu 7.10. Στόχος του διαγωνισμού είναι να εξακριβωθεί έστω και ανεπίσημα πίο λειτουργικό σύστημα είναι πίο ασφαλές ή πιο ευάλωτο.

Ο Charlie Miller, αναλυτής ασφαλείας που έγινε πρόσφατα γνωστός με το σπάσιμο του iPhone (φαίνεται πως έχει εξειδίκευση σε προϊόντα της Apple), χρησιμοποίησε τεχνική παρόμοια με phishing για να στείλει τον υπολογιστή με το Leopard, σε ιστοσελίδα που περιείχε κακόβουλο κώδικα. Ο κώδικας τελικά μέσα σε 2 λεπτά έσπασε την προστασία του φορητού, χαρίζοντας έτσι στον Miller τα πιο γρήγορα και ίσως εύκολα 10.000 δολάρια που ήταν και το έπαθλο από τον χορηγό.

Μέχρι τώρα τα Vista και το Ubuntu στέκονται στο ύψος των περιστάσεων και αμύνονται αρκετά καλά απέναντι στις επιθέσεις των «κακόβουλων» χάκερ!

[via]

Show organizers offered a Sony Vaio, Fujitsu U810, and the MacBook as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system using a previously undisclosed "0day" attack.

Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday, the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages. (link)

Chapter 5 in Wikinomics covered a number of inter-related topics, which included a company’s control over its products and the customer hacking of their products. Some companies, such as Sony, chose to stop customer hacks on its PSP product using lock-up technology embedded in its upgrade firmware. Well, the title of this post may be deceiving, because Apple doesn’t out rightly support customers hacking their products (ie Podzilla). However, the company doesn’t completely disapprove hacking because Apple has yet to take action to stop the progress of CanSecWest’s hacking contest to be held at their security research conference in March. And why would they? The contestants find the faults in their computer systems!

Last year, CanSecWest held a Macintosh computer hacking contest, in which the first contestant to hack the computer won the computer and $10,000. The cash prize was given in exchange for details regarding the computer’s bug which enabled the hacker to gain access and thus give the company a chance to fix it.

Gartner disapprove of the method used for finding security bugs in computer systems, saying it reveals computer system’s private information. However, the benefits of having a contest to find the bugs and then enable Mac to correct them, is more valuable to the security companies.

This year, CanSecWest and TippingPoint hopes to have computers running Linux, Vista, and OS X to see which one is the most secure during the contest. Or which one is the most vulnerable.

The contest is definitely an innovative idea for software companies. It’s actually a method of embracing consumer power, by letting consumers discover the bugs and allow the company to reap the benefits of co-innovation. Don’t get me wrong, there is something in it for consumers too! Not only does the contest winner get $10,000 cash and a computer, but other consumers and users of the computers get to benefit from a further secured product.

Tasia

El pasado Lunes la empresa CanSecWest organizó un concurso de seguridad, puso a disposición de todo el que quisiera probar suerte y ganar un portátil y un buen puñado de dólares, los portátiles en cuestión eran un Sony Vaio corriendo una Ubuntu 7.10, un Fujitsu con Vista Ultimate SP1 y un MacBook Air con MacOsX 10.5.2, el primero en caer fue el Mac al segundo día de la competición, Vista también duro dos días aunque fue un equipo más que una sola persona los que lograron entrarle, y el único imbatido fue el Sony con Ubuntu 7.10, otra victoria más, aunque sea Ubuntu ;)

Fuentes:
Inglés http://www.infoworld.com/ y la web del concurso http://cansecwest.com/
Español: http://www.theinquirer.es/

If you ever have the need to drink on a vendor's tab -- RSA is the conference to do that.  While the talks are not of the caliber of a CanSecWest or even a Blackhat the parties go above and beyond and why wouldn't they?  There are a plethora of "Security Vendors" both known and unknown looking for your security budget dollars and it seems that the best way to do this is by either hiring booth sluts or getting a bunch of IT Geeks drunk.  Don't get me wrong, I have been known to enjoy a booth slut or two, and even sometimes enjoy some free drinks.  ;-)

So to all the vendors that kept me nicely sauced for the week -- Thank You!!!

I mentioned talks and how the quality of the talks is not as high as CanSecWest or Blackhat.  I am sure some of them were but in general the technical level is not there and most of the non-technical talks were simply vendors talking about the same crap as the last ten years with no real solutions.

I should know, I participated in a panel that was supposed to be on the technical track but was nothing more than my so called colleagues in this industry saying whatever they could to try and make their product or solution sound like the way to go.  At one point I was laughing inside wondering if any of the co-panelists actually believe the bullshit they were shovelling.

Apparently my honest opinions were not valued as anytime I attempted to make a statement that was not a thinly veiled product pitch I was quickly cut off.  I suppose I could have been more aggressive but in my defense I was hopped up on cold medicine and suffering from a bad sinus infection.

The theme I was attempting to get across was; Stop spending your money on the latest security buzzword or gimmick.  The problems you are facing today and the problems you will face tomorrow are simplyvariations on the problems that you faced in the past.  So, if the crap you bought five years ago did not help you do not expect the crap you are about to buy this year to fix that.   End users really need to start holding vendors accountable.  Accountable for writing bad security products that actually increase their vulnerability, responsible for making claims that are not true, and responsible for cashing in on fear uncertainty and doubt.

Apparently, there is not any room at RSA for honesty, because if you listened to the other panel members, their products can solve any buzzword you can throw at it.  sigh....

Not to sound bitter or burned out but security is a hell of a lot more than a check box on your <insert bullshit compliance or standard here> list or a stamp from your Final 4 Auditor.  It is doing the right thing that enables the business while keeping "the bad shit (TM)" from happening -- ask me for my definition of "the bad shit (TM)" later.

Some of you may be saying, yeah that is an obvious statement, but believe me dear reader you can be called compliant and still be as insecure as a chubby teenage girl.  Anyways, I am starting to rant and rave so I will cut this post short. 

It was great seeing my friends that I only get to see at conferences this year at both RSA and CanSecWest and I will see you at the next conference.

To my one or two readers, I promise to post on a more frequent basis.

To anybody out there writing exploits: make sure you're doing it just for fun. Currently, there are no outlets for any financial gain that will accurately measure your time investment or fairly compensate your hard work.

Security Objectives' own Shane Macaulay "owned" Vista SP1 in the PWN2OWN contest at CanSecWest 2008 by exploiting a bug in Adobe Flash. As a result of the contest's categorization of the bug as third-party, the exploit was grossly under-appraised (especially when considering cross-platform targets and the fact that it would work well into the future with Vista's new Service Pack.) Sure, it technically was a bug in a third-party application, but this particular third-party application happens to be installed on just about every Internet-enabled PC. According to Adobe, "Adobe® Flash® Player is the world's most pervasive software platform, used by over 2 million professionals and reaching over 98% of Internet-enabled desktops in mature markets as well as a wide range of devices."

Even if Shane was unfairly compensated, it doesn't matter because at least he used "responsible disclosure" -- or does it? I highly doubt that the people in charge of the companies writing buggy software and brokering bug information have any idea about the amount of work and skill that goes into discovering an exploitable bug, let alone writing a proof-of-concept for it. As it stands, software companies are setting themselves up for a black market in digital weapons trading of unprecedented proportions.

Here's something else to think about.. I expect Adobe to patch this one rather quickly given all the publicity. How long does it take for a vendor to fix a given vulnerability when it is reported to them directly? Even some of the brokered "upcoming advisories" on 3Com's ZDI site are many months or even years stale. This "patchtile dysfunction" will increase the value of a 0-day exploit exponentially.

Time is money and to make up for lost time, Mr. Macaulay decided to sell the laptop he had won on eBay. An innocent bystander at the contest dubbed this decision "from pwn to pawn." So why not? Laptops get sold on eBay everyday--but not this one. It wasn't long before eBay pulled Mr. Macaulay's item from auction on the first of April, ostensibly as an April Fool's shenanigan. This came as a surprise to me. Things to consider here:

• The laptop may or may not have had forensic evidence of the controlled attack that occurred during the contest.
• Even so, Mr. Macaulay is a responsible discloser and would not have shipped the laptop until the bug was patched.
• Mr. Macaulay's and Mr. Sotirov's autographs should have increased the laptop value, regardless.

This incident, in a way, reminded me of eBay's great fearwall debacle from a few years ago (CVE-2005-4131.) In that case, there were several key differences: an information broker such as ZDI was not involved, a pseudonym was being used, the code statements where the memory corruption occurred were disclosed, and no computer hardware was for sale. Nevertheless, I respect eBay's decision to discontinue the auction as this is obviously a very controversial issue.

Brokering information? How can you do it? From experience, the idea of using an escrow service and 3rd party verification is largely ineffective. It would appear that ZDI is the only show in town. Of course there's that auction service, but you have to send them your exploit first so how does that work? It appears that they're still trying to do business by the way, despite alleged legal troubles. I'm subscribed to their mailing list and they send out an e-mail every time new information goes up for auction; they put up a dozen or so new exploits last week but it would appear that few if any were sold. Where do we go from here? Is brokering information even possible?

Imagine for a moment a scenario where a dozen or so exploits of critical severity related to a single software company are posted to Full Disclosure with rumors of many more circulating in the underground and exploits actively being carried out in the wild. Now imagine shareholders shorting that company's stock. I suppose that the vulnerability information might be more realistically valued in a situation such as this. Anyone have any other ideas?

Anyways, back to the point of this post - CanSecWest 2008.  As usual, Dragos, Wil, Sean, and the rest of the crew put on a great show.  Yes, I am a bit biased because I have always been a CSW fanboy, but I like to think that I am honest enough that if I found something sucked -- I would say it sucked.

Pwn-2-0wn was as usual a feast for the press.  Huge apologies to my new friend Aviv Raf who was counting on me to use a flaw he found to win him the Vista box.  There is no one to blame on this not happening, his vulnerability works, but myself and perhaps my lack of motivation.  So again, huge apologies.

That said, congrats to K2 (the Whiner.. hehe) for taking the Vista box.  I love how K2 has stirred the pot around this contest and the buying of vulnerabilities in general.  Perhaps we will see organizations like ZDI start to actually offer what they are worth and not the low-ball amounts.  Although in their defense, they do not resell the vulnerabilities or make any money off of them other than the associated PR it generates.

All of the Operating System fanboy traffic around the contest was amusing.  Between the claims that the Mac box only fell because Microsoft was a sponsor (note: they were a conference sponsor not the pwn-2-0wn contest sponsor) and the claims that Ubuntu didn't fall because it's the most secure I could do nothing but laugh.  I highly doubt any of us will live long enough to see the day that the O/S wars cease. 

Those of you that follow my Twitter Feed probably saw me poking fun at one of the VMWare talks.  Please do not take my comments as disrespect, anyone who puts the time in to research an issue then gets up in front of a group of hung over and in general grumpy geeks and presents their work is cool with me.  But I found it hard to get excited about issues that require me to have local physical access to the system.  I mean, of course at that point there are a number of ways to pop the Guest Operating Systems.

In general all of the talks were great, some hard to hear due to audio issues, but other than that I can say I learned a few things, met some more cool people and had a great time.  That is, in general, the point and not to beat up on other conferences, something that is missing from many of the old school conferences.  Hopefully I make it out to Tokyo for PacSec this year too!

Oh, and to those that expressed concern over Dragos handing me a sharp Samurai Sword.  The sword has safely made it back to Calgary and this weekend will safely make it back to California incident and more importantly blood free.

I will be at RSA next week, possibly only on Tuesday to participate in my panel but if you are going to be there and want to grab some beers, feel free to get in touch with me.

During the first day, you can only attack the machine over the network, without physical access. On the second day, user interaction comes into play (visiting a website, opening an email). On the third and final day, third-party applications are added to the mix. Each machine had the same cash prize on its head.

As you all know, the Mac was hacked first, on day two. The user only had to visit a website, and the Mac was hacked. Vista got hacked on the third day using a security hole in Adobe's Flash, and the Ubuntu machine did not get hacked at all.

when the hacking contest was on its second day. The second day consisted of stock configurations along with browsers and some mail applications. That’s when the MacBook Air laptop was hacked in in about 2 minutes utilizing a Safari vulnerability that Apple has now been notified of.

Technically it wasn’t really Microsoft’s fault that the machine was hacked since Adobe is the one who creates Flash. The MacBook Air vulnerability, on the other hand, was in the Safari browser which ships on all Apple computers.

Hackers in the "PWN2OWN" competition at CanSecWest were given the choice of attacking Vista SP1, OSX 10.5.2 or Ubunti 7.10. The winner of the competition, Charlie Miller, chose OSX as his platform, explaining "it was the easiest one of the three". He exploited a Safari vulnerability and compromised the system within the space of two minutes.

This doesn't mean that there will suddenly be an deluge of OSX attacks. Windows is, without doubt, the platform of choice to exploit. Just a heads up for all those Mac users out there.

http://www.computerworld.com.au/index.php?id=790701222&eid=-144

Un pequeño ordenador portátil Fujitsu corriendo con Vista fue hackeado en el último día del concurso. Linux, corriendo sobre una Sony Vaio, se mantuvo intacto.

Le llevó dos días de trabajo, pero Shane Macaulay, finalmente logró apoderarse del Vista este viernes, con un poco de ayuda de sus amigos. Macaulay, quien fue un co-ganador del año pasado del concurso de hacking, necesitó algunos trucos de hacking cortesía del investigador de VMware Alexander Sotirov. Esto se debe a que Macaulay no esperaba atacar la versión de Service Pack 1 de Vista, que viene con unas medidas de seguridad adicionales. También recibió una pequeña ayuda de su compañero de trabajo Derek Callaway.

En virtud de las reglas del concurso, Macaulay y Miller no están autorizados a revelar información específica acerca de sus trabajos hasta que se disponga de un parche, pero Macaulay dijo que aprovechó de errores de Java para burlar la seguridad de Vista. “La falla está en otra cosa, pero la naturaleza inherente de Java nos ha permitido sortear las protecciones de Microsoft”, dijo en una entrevista poco después de que reivindica su premio el viernes.”Esto también podría afectar a Linux o Mac OS X.” Macaulay dijo que escogió Vista para trabajar, ya que había estado contratado en el pasado para Microsoft y está más familiarizados con sus productos. Aunque algunos asistentes trataron de romper el sistema Linux, nadie pudo hackear el sistema, dijo Terri Forslof, un gerente de seguridad de TippingPoint. “Me sorprendió que no se pueda”, dijo.

 

Appena due minuti e i sistemi di sicurezza del MacBook Air, il nuovo notebook ultrasottile della Apple sono stati violati da un hacker. E' successo a Vancouver, durante la nona edizione del CanSecWest, uno dei piu' importanti convegni sulla sicurezza informatica. In palio per chi fosse riuscito nell'impresa c'erano 10mila dollari, che sono andati a Charlie Miller, che di professione fa il consulente informatico, e che era divenuto gia' famoso per essere ruscito a violarel'i-phone.

Secondo il regolamento del concorso, Miller non ha potuto rivelare come e' riuscito ad aggirare i sistemi di sicurezza del notebook.Quello che si sa e' che il punto debole sembra essere Safari, il browser usato dal computer. In due minuti Miller e' riuscito a far visitare dagli ultizzatori del MacBook un sito da lui preparato e a installare un virus da questo sito. L'impresa di Miller ha dimostrato che anche il sistema operativo della Apple, che un tempo si credeva immune dai virus, puo' ormai essere vittima dell'azione degli hacker.

]]> http://soundmonster.wordpress.com/?p=120 Mon, 31 Mar 2008 13:40:59 +0000 soundmonster http://soundmonster.wordpress.com/?p=120 Bei CanSecWest werden um die Wetter drei Rechner gehackt - ein Windows-PC, ein Mac und eine Ubuntu-Kiste. Der eindeutige Verlierer war der Mac - schon nach 2 Minuten wurde das MacBook Air über eine offene Lücke in Safari geknackt. Die Vista-Maschine gab nach drei Tagen nach, der Ubuntu-Rechner gar nicht.

Kurios - der Preis, den die Hackergruppe bekommen hat, ist ein MacBook Air. Macht irgendwie keinen Sinn :-)

via [Golem.de]

• VAIO VGN-TZ37CN running Ubuntu 7.10
• Fujitsu U810 running Vista Ultimate SP1
• MacBook Air running OSX 10.5.2

sono dati in pasto agli hacker. Che riesce a violarli si porta a casa 10000$. L'hacker è infine tenuto a non rivelevare le modalità dell'attacco.

Bene. Il MacBookAir è stato violato in 2 minuti da Charlie Miller, con tanti saluti alla presunta sicurezza offerta da casa Apple. Il laptop con Vista a bordo ha richiesto due giorni di lavoro e l'aiuto di un collaboratore: alla fine Shane Macaulay e Derek Callaway hanno bucato il sistema che, aggiornato al service pack 1, si è rivelato più ostico del previsto. L'unico rimasto è il laptop con Linux. Ma non perché a prova di hacker. Sono invece stati diversi i bug rinvenuti nel sistema, solo che nessuno si è voluto cimentare a scrivere codice per attaccare la LinuxBox.

Fatta l'ovvia premessa che non è dagli hacker che ci dobbiamo guardare ( che, ricordiamolo, non sono pirati informatici ) viene comunque il dubbio che forse la sicurezza oggi è offerta più che dagli sviluppatori dalla solidarietà di chi attacca. A patto che abbiate Linux!

O hacker foi o primeiro a invadir um dos três laptops (e ganhar o prêmio máximo de 10 mil dólares) nesta quinta-feira (27/03), o MacBook Air, no caso, durante o concurso "PWN 2 OWN" na conferência CanSecWest.

Organizadores do evento ofereceram um Sony Vaio, um Fujitsu U810 ou o MacBook como prêmios, afirmando que eles poderiam ser ganhos por qualquer um que descobrisse uma maneira inédita de invadi-los e ler conteúdos em um arquivo no sistema.
Ninguém conseguiu a proeza no primeiro dia do concurso, onde só eram permitidos ataques pela rede. No dia seguinte, porém, as regras foram relaxadas para que ações de usuários, como navegar ou receber e-mails, pudessem ser uma porta de entrada para ataques.Miller, mais conhecido como um dos pesquisadores que invadiram o sistema do iPhone em 2007, precisou de apenas 2 minutos para invadir ao redirecionar os responsáveis pelo concurso a um site que continha um malware que, acessado, dava controle do micro ao hacker. Uma platéia de 20 presentes delirou com o feito.

Ao ganhar, Miller assinou um acordo em que não revelaria informações sobre a falha até que uma empresa de segurança patrocinadora do evento notificasse a Apple.

O campeão no ano passado, Dino Dai Zovi, explorou uma brecha no QuickTime para ganhar o prêmio. Zovi não participou da edição deste ano, afirmando que era hora de outra pessoa ganhar.

Fonte: IDG Now!

Well known security researcher Shane Macaulay claimed the prize, but it is believed Dino Dai Zovi was the real creater of the attack, and that he and Macaulay had some sort of deal over the competition entry. Dino Dai Zovi, has a strong track record with exposing flaws in Apple, Windows and other Networking software, having previously and somewhat famously exposed flaws in Safari and Quicktime.

While neither Shane Macaulay, Dino Dai Zovi made any statements about whether mac or pc were more secure (and both are users of both Macbooks and pc's) they have previously been on record as saying that Mac are not as immune to attacks as many of their users may like to believe.

The 2 other note books, a sony vaio and a Fujitsu U810 were not successfully hacked during the expo and remained unclaimed.

A zero day attack is defined as an computer threat that tries to exploit unknown, undisclosed or unpatched vulnerabilities in a computer application.

The flaw in Safari, that was exploited during the expo was actually in the way QuickTime handles Java. This threatens everyone running the Mac OS X and may even expose pc users running Safari and quicktime. It is expected that a patch to protect users from this flaw will be released soon.

Speaking of parties there will be a great one sponsored by my employer at CanSecWest so at the very least hunt me down for details on that closer to the conference.  I am participating on a panel this year at RSA as well.

I am skipping Source Boston this year due to personal stuff which kind of sucks but next year I will make sure to be there next year as this one looks like a great con.

*inside joke that is probably unfair but funny.