
Apple's iPhone, Safari on Mac exploited at annual hacking contest - Page 4

post #121 of 130
You'd think the vendors would offer researchers more than $10,000 so they would disclose before the event each year.
post #122 of 130
The obscurity myth continues because people somehow think that hackers will only attack the largest base of computers. This mentality equates to the car parts industry - obviously, people will only steal the most common cars because they fill the largest segment and won't even try to steal BMWs because of their small market share.

It's not about percentages - there are enough Macs out there in the wild to make it worthwhile for SOME hacker to try to attack the platform ... that is unless you believe that hackers are all ego driven and only want to attack the largest base. Then again, you would think that some ego-maniacal hacker would try to go after the Mac platform just to prove it could be done, rather than simply showing up at these hacking contests to show their theoretical vulnerabilities.
post #123 of 130
Quote:
Originally Posted by geekdad

Now this was the first post that made sense!!!
read this article http://www.pcworld.com/businesscente...n_contest.html

The iPhone was hacked in seconds......Windows 7 machine was compromised in about 2 minutes I believe this year..... so no one platform is safe....assuming you will not get compromised because you are on a Mac is sticking your head in the sand.
Any platform can get hacked at anytime..... and not just by a virus....Most of them by malicious code from a website.......so everyone is vulnerable.....unless you don't connect to the outside world that is.......

Hmm, I guess that you AND PC world missed the part where the hackers worked for TWO WEEKS prior to the contest to figure out how to hack the iPhone ...
post #124 of 130
Quote:
Originally Posted by Quadra 610

Miller took advantage of brute-force techniques and called it hacking.

Too funny.

Hackers can and will use any tools available to them to achieve their goal, so why not him? You might not call it smart but he still had to know how to use the tool and what code in particular would achieve the result of some sort of compromise (not told exactly what) which is a hell of a lot more than I (and probably you?) could achieve.

He seems like a really decent guy too. I totally agree with his sentiment that if companies like Apple and MS just rely on people submitting security bugs and then taking ages to verify and patch them it's nowhere near good enough, because they're already way behind the eight ball and the hackers who might harbour malicious intent. Companies need to be really proactive about finding the flaws themselves. The fact that he used the same hack to win multiple years in a row is a real embarrassment for Apple.
post #125 of 130
Quote:
Originally Posted by Quadra 610

Which is nearly half the web.

But I'm sure that sticking to CNN and Disney will keep you perfectly safe.

I can't off the top of my head think of any site that will compromise OS X, or that is even remotely a threat. There's a good chance that none even exist at this point, which would be par for the course when it comes to OS X.

That's precisely the point. Some studies for Windows PCs:

Study: Unpatched PCs compromised in 20 minutes (2004)

Unpatched Windows PCs fall to hackers in under 5 minutes, says ISC (2008)

If I understand well, it seems that the user does not need to visit any infected site, they will just find you. Of course this assumes the computer is not behind a router.

Do we have similar studies for other systems?
post #126 of 130
Safari was first to fall again this year. Obviously, there is a pattern of cheating going on here, since I've never had a virus before. But I've gotten many on Windows.

The contest organizers probably had keyloggers installed on the Macs. What a joke of a contest.

iPad2 16 GB
iPhone 5 32 GB

Reply

post #127 of 130
Quote:
Originally Posted by DaveGee

Okay, let's be a little adult about this...

They went 'after' Apple because it has the best 'in the wild' track record when it comes to security AND Apple has no qualms about boasting that fact.

Going after ANY Microsoft product?!?! Perhaps a project that the 'preschoolers' might find mildly challenging, but if you notice nobody gets too much 'street cred' for boasting their latest attack on Microsoft... UNLESS perhaps the OS was just released or 'newly patched' to be 'even more secure!'

Linux is so open it's not even worth talking about... It's like bragging you stole a boat load of cash when in fact you simply took a few pennies from the 'need a penny' container at the 7-11.

So yes.. the SUPER SPOTLIGHT is clearly shown on hackers who tackle Apple products and ... rightfully so...

BUT as others have already pointed out... this crap is done EVERY YEAR by these folks and yes, somehow another year ticks by without any significant* virus, worm or trojan making assaults on OS X based systems or devices.

* I used 'significant' simply because I couldn't with a 100% certainty say nobody on a Mac based system was ever attacked or infected by a virus in the past year while running its native OS (OS X and/or iPhone OS) not dual booting or virtual machines running alternate OS... That kinda crap clearly wouldn't count!

I would just like to know why it is that these people are so good at finding these holes, and yet Apple seems so bad at spotting them beforehand? Is it that the people in security at Apple are not looking thoroughly enough?

I know that Apple has a real-world track record that is admirable, but are the people who actually write this software not the least bit shamed by the fact that a couple of people can compromise their system within seconds? I know they just hired a guy that used to work for the NSA. It would appear that Apple is at least trying to make security important, yet these holes are there for these people to exploit in these contests and Apple doesn't have a clue they existed prior?

Why is it that we aren't issued security updates after these contests with literature stating that each one of these holes has been successfully patched and won't be exploited again? I know we just had a Safari update, but I'm not sure if they fixed the holes these people exploited.

I know I'm naive when it comes to the software writing and patching thing. I trust the folks at Apple to have some bright people who prevent this sort of thing from happening. Do those bright people even remotely have egos? Do they not hang their heads in shame knowing that despite their best efforts, their "best" was beaten in five seconds? If they are using websites to get into the Macs that are malicious, why is it that Apple doesn't have a thing in Safari that detects this and stops it from happening in the first place? How do the people at Apple who are supposed to look for these holes (if there are such people) justify that for the last three years, they haven't been successful in staving off the attack?

Maybe Lion will be better. Maybe they see that gaining market share means gaining a target for their users as well. Seeing Apple get its @$$ handed to it every single year is getting flat out depressing when these people are laughing it up that Apple is apparently full of holes.
Fortes Fortuna Adiuvat
Reply
post #128 of 130
http://arstechnica.com/security/news...challenged.ars

Quote:
Historically, the competition has required competitors to use the newest version of the browser and operating system. Perhaps aware of this, Apple released Safari 5.0.4 a day ahead of the competition, patching some 60 security holes in the browser. However, this year the rules have been altered: the configuration was frozen a week ago, hence the competition being run against Safari 5.0.3. Under the new rules, pwning (and hence owning) only needs to succeed on the frozen version. However, to receive prize money (in addition to the hardware), the flaw must also exist in the newest release.

And maybe they go after the Mac because of prestige?
post #129 of 130
Quote:
Originally Posted by cmf2

It gives people an incentive to find vulnerabilities and report them so they can be patched.

Maybe. But often the vulnerabilities are sat on for months, sometimes over a year before being tried in the contest. To me this is a significant problem with fixed timeframe contests. They actually disincentivize sharing the vulnerability until it can be tried for potential profit.
.
Reply
post #130 of 130
Quote:
Originally Posted by Brian Green

I would just like to know why it is that these people are so good at finding these holes, and yet Apple seems so bad at spotting them beforehand? Is it that the people in security at Apple are not looking thoroughly enough?

I know that Apple has a real-world track record that is admirable, but are the people who actually write this software not the least bit shamed by the fact that a couple of people can compromise their system within seconds? I know they just hired a guy that used to work for the NSA. It would appear that Apple is at least trying to make security important, yet these holes are there for these people to exploit in these contests and Apple doesn't have a clue they existed prior?

Why is it that we aren't issued security updates after these contests with literature stating that each one of these holes has been successfully patched and won't be exploited again? I know we just had a Safari update, but I'm not sure if they fixed the holes these people exploited.

I know I'm naive when it comes to the software writing and patching thing. I trust the folks at Apple to have some bright people who prevent this sort of thing from happening. Do those bright people even remotely have egos? Do they not hang their heads in shame knowing that despite their best efforts, their "best" was beaten in five seconds? If they are using websites to get into the Macs that are malicious, why is it that Apple doesn't have a thing in Safari that detects this and stops it from happening in the first place? How do the people at Apple who are supposed to look for these holes (if there are such people) justify that for the last three years, they haven't been successful in staving off the attack?

Maybe Lion will be better. Maybe they see that gaining market share means gaining a target for their users as well. Seeing Apple get its @$$ handed to it every single year is getting flat out depressing when these people are laughing it up that Apple is apparently full of holes.

These guys have developed special tools that they use to check for vulnerabilities related to certain sets of circumstances. They run the tools in automated and randomized ways over significant periods of time. Both over the code itself when it is open sourced and via the GUIs using programs like VNC to screen scrape and provide the necessary virtual mouse/keyboard events.

They don't generally share their tools because they consider them proprietary. That leaves the software writers forever in a reactionary mode instead of having access to the tool that may illuminate the problem before shipping.
.
Reply
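The post above describes automated, randomized testing run over a long period to shake out input-handling bugs before (or, for the contestants, instead of) the vendor finding them. The following is an added illustration of the file-format side of that idea, not code from the thread, the contest or any vendor: a minimal mutation fuzzer driving a toy length-prefixed record parser whose length-check bug is constructed for the demonstration. The GUI-driven variant the post mentions (screen scraping over VNC with synthetic mouse and keyboard events) is not shown; the harness structure is the same, only the way inputs are delivered to the target changes.

```python
"""Minimal mutation fuzzer over a toy parser (added example, hypothetical target)."""
import random


def parse_record(data: bytes) -> dict:
    """Toy parser for a constructed format: 1 length byte, name, 1 length byte, value.

    Deliberate defect for the demonstration: the declared name length is trusted
    without checking it against the data actually present, so a corrupted
    length byte makes the parser index past the end of the buffer.
    """
    name_len = data[0]
    name = data[1:1 + name_len]
    value_len = data[1 + name_len]          # IndexError when name_len overruns
    value = data[2 + name_len:2 + name_len + value_len]
    return {"name": name.decode("ascii"), "value": value.decode("ascii")}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations to a known-good input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        choice = rng.randrange(3)
        if choice == 0 and data:                 # overwrite a random byte
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif choice == 1:                        # insert a random byte
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif choice == 2 and len(data) > 1:      # delete a random byte
            del data[rng.randrange(len(data))]
    return bytes(data)


def fuzz(target, seeds, iterations, rng_seed=0):
    """Run mutated inputs through `target`; record the first input per exception type.

    In a real campaign the crash oracle would be a signal (SIGSEGV, sanitizer
    report) rather than a Python exception, and inputs that reach new code
    would be fed back into `seeds`; this toy keeps only the crash bucket.
    """
    rng = random.Random(rng_seed)               # seeded so a run is reproducible
    findings = {}                               # exception class name -> triggering input
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        try:
            target(candidate)
        except Exception as exc:                # any unhandled exception is a "crash"
            findings.setdefault(type(exc).__name__, candidate)
    return findings


def reproduces(target, findings) -> bool:
    """Confirm each recorded input still triggers the exception type it was filed under."""
    for name, candidate in findings.items():
        try:
            target(candidate)
            return False                        # no longer crashes: not a stable finding
        except Exception as exc:
            if type(exc).__name__ != name:
                return False
    return True


# Constructed known-good seed: name "key", value "value".
SEED = b"\x03key\x05value"

if __name__ == "__main__":
    results = fuzz(parse_record, [SEED], iterations=5000, rng_seed=1)
    for exc_name, candidate in results.items():
        print(f"{exc_name}: {candidate!r}")
    print("all findings reproduce:", reproduces(parse_record, results))
```

Each finding is a concrete input a developer can replay under a debugger, which is the point of the post's complaint: whoever owns the harness owns the bug reports, and a vendor that only receives the final exploit is left to reconstruct the root cause from the outside.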