
Apple's iPhone, Safari on Mac exploited at annual hacking contest - Page 2

post #41 of 130
Quote:
Originally Posted by zindako View Post

That magazine caters to the Windows world, nothing said in that article can be construed as fact, it's mostly FUD.

Ok...how about Macworld then.....
http://www.macworld.com/article/1500...3/pwn2own.html

Tallest Skil:


"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."


 


 

post #42 of 130
Quote:
Originally Posted by zindako View Post

That magazine caters to the Windows world, nothing said in that article can be construed as fact, it's mostly FUD.

If that makes you feel better. Talk about head in sand . . .
post #43 of 130
Quote:
Originally Posted by geekdad View Post

Ok...how about Macworld then.....
http://www.macworld.com/article/1500...3/pwn2own.html

As it contains much of the same information it must be FUD as well.
post #44 of 130
Quote:
Originally Posted by geekdad View Post

That is not entirely correct... they hack them because they are low-hanging fruit. The Mac has been the first computer hacked 3 years in a row so far.

It was the first put up in the "contest".
It's not like they all started hacking all the computers at the same moment and the Apple was the 1st to be exploited.
Quote:
This is the #1 reason Macs are slow to dent the business world.....

No it's not. As even Apple has stated, Apple does almost nothing to cater to the business world.
post #45 of 130
Quote:
Originally Posted by Chris_CA View Post

It was the first put up in the "contest".
It's not like they all started hacking all the computers at the same moment and the Apple was the 1st to be exploited.

No it's not. As even Apple has stated, Apple does almost nothing to cater to the business world.

You are correct.....except that the Mac was compromised in less time than any other machine including Windows machines......
Sorry editing.... my post.
This year's total results are not in yet. I was basing my statements on the past years' Pwn2Own results......

post #46 of 130
Is there a link that posts the actual minutes (hours?) in which each was hacked?
post #47 of 130
Quote:
Originally Posted by AppleInsider View Post

By accepting prizes at the Pwn2Own competition, put on by TippingPoint, the exploited methods are revealed only to the affected company so that they can patch the exploits.

Pwn2Own winner tells Apple, Microsoft to find their own bugs

"People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said.

So does that mean he's not accepting the money?
post #48 of 130
Quote:
Originally Posted by allblue View Post

Firefox plus AdBlock; FlashBlock and NoScript, on a Mac. That's a pretty secure combo I reckon.


Yes, a lot more secure than Safari on a Mac.

Add the following: Ghostery, RequestPolicy and WOT (Web of Trust)

Good thing about WOT is it will verify links in web based emails.


Running in a General User, not Admin, is a wise decision for Mac and Windows users.

Simply create a new Admin User, log into it and change the previous Admin User to General User.

What this does for one is to protect the applications folder from alterations. If one needs to do something, a window pops up and you enter the admin name and password, which gives you a short period of Admin power while in General User.
post #49 of 130
Quote:
Originally Posted by geekdad View Post

You are correct.....except that the Mac was compromised in less time than any other machine including Windows machines......

OK, this is just completely stupid. Yet, every year we hear people spouting this same nonsense.

The time it takes to hack one of these systems is not the time they report at the contest. The time it takes to hack one of these systems is the total time that the participants put into figuring out how to do it, which is never reported. There is no basis for comparison of the relative security of systems based on the reported times, nor based on the order in which machines are compromised, nor even on whether a system is compromised or not.

(To expand on the last point, a system may have 100 vulnerabilities, possibly known to various people with malicious intent, but it's entirely possible that none of the participants in this event will discover any one of those 100 vulnerabilities, yet they may exist and may be known to someone who intends to use them.)

In essence, this is just a big publicity stunt by the organizers, and a chance to gain some fame, money, and hardware for the participants. The only thing this event shows is that certain specific vulnerabilities exist on certain systems.
post #50 of 130
So is the speed with which a device / system is hacked, more an indication of inherent vulnerability, or an indication of the talent of the individual hacker?

If Charlie Miller hacked a Mac in XX number of minutes; was he not able to hack a Windows system just as fast?
post #51 of 130
Nothing is unhackable at the current moment that I am aware of.
post #52 of 130
Quote:
Originally Posted by anonymouse View Post

OK, this is just completely stupid. Yet, every year we hear people spouting this same nonsense.

The time it takes to hack one of these systems is not the time they report at the contest. The time it takes to hack one of these systems is the total time that the participants put into figuring out how to do it, which is never reported. There is no basis for comparison of the relative security of systems based on the reported times, nor based on the order in which machines are compromised, nor even on whether a system is compromised or not.

(To expand on the last point, a system may have 100 vulnerabilities, possibly known to various people with malicious intent, but it's entirely possible that none of the participants in this event will discover any one of those 100 vulnerabilities, yet they may exist and may be known to someone who intends to use them.)

In essence, this is just a big publicity stunt by the organizers, and a chance to gain some fame, money, and hardware for the participants. The only thing this event shows is that certain specific vulnerabilities exist on certain systems.

You are right....the exploits they use took them a lot of time to figure out and how to use them...... Except for the last 3 years when Charlie Miller used the SAME exploit that he reported to Apple but went unpatched. That is how he was able to compromise the Mac in 2 minutes.....

post #53 of 130
Quote:
Originally Posted by AppleInsider View Post

Virtually every major browser and operating system were targets at this week's "Pwn2Own" hacking contest, with Apple Safari, Mozilla Firefox, and Internet Explorer 8 vulnerabilities exploited, along with flaws in the iPhone OS.

On the first day of the competition based in Vancouver, British Columbia, Canada, researchers found a way to take advantage of Apple's Safari browser in Mac OS X 10.6 Snow Leopard, its latest operating system, according to CNet.

Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine. He's the same researcher who cracked Safari in Mac OS X last year, taking home the $5,000 prize. He also hacked a MacBook Air in 2008 at the competition.

Miller has also repeatedly said that he believes Macs are a safer alternative to Windows PCs for average users. He cited the lack of malware on the Mac platform as the principal reason for his recommendation.

Last year Miller also discovered an SMS hack in the iPhone that Apple quickly patched after it was made public. But researchers at this year's Pwn2Own found yet another SMS hack to take home a $15,000 prize.

Ralf-Phillip Weinmann, from the University of Luxembourg, and Vincenzo Iozzo, from German company gained access to an iPhone that was not "jailbroken," a procedure that allows users to run unauthorized code and unlock the handset for use on unapproved carriers.

By making a user visit a malicious Web site, the exploit allowed the researchers to access the phone's entire database of text messages, including deleted ones. The two wrote the hack in about two weeks, and the data was received in the competition in under 20 seconds.

The two said the hack could be modified to allow access to more data, such as contacts and photos. The transfer takes place without the victim ever knowing they have been hacked.

By accepting prizes at the Pwn2Own competition, put on by TippingPoint, the exploited methods are revealed only to the affected company so that they can patch the exploits.

Also hacked in this year's competition was Microsoft's Internet Explorer 8 browser. Peter Vreugdenhill, an independent security researcher from the Netherlands, took home a $10,000 prize by taking advantage of two vulnerabilities for a four-part hack that compromised the user's system.

Another person who went solely by Nils, the head of research at MWR InfoSecurity in the U.K., discovered an exploit in Firefox in the 64-bit version of Windows 7. He took home a $10,000 prize.

So I guess the message here is don't let any of these guys sit down at your PC unattended.
post #54 of 130
Quote:
Originally Posted by ghostface147 View Post

Nothing is unhackable at the current moment that I am aware of.

Now this was the first post that made sense!!!
read this article http://www.pcworld.com/businesscente...n_contest.html

The iPhone was hacked in seconds......Windows 7 machine was compromised in about 2 minutes I believe this year..... so no one platform is safe....assuming you will not get compromised because you are on a Mac is sticking your head in the sand.
Any platform can get hacked at anytime..... and not just by a virus....Most of them by malicious code from a website.......so everyone is vulnerable.....unless you don't connect to the outside world that is.......

post #55 of 130
Quote:
Originally Posted by isaidso View Post

So is the speed with which a device / system is hacked, more an indication of inherent vulnerability, or an indication of the talent of the individual hacker?

If Charlie Miller hacked a Mac in XX number of minutes; was he not able to hack a Windows system just as fast?

I wouldn't worry too much about it. The contest has no actual meaning, beyond the obvious: don't let a hacker get their actual, physical hands on your machine.
post #56 of 130
Quote:
Originally Posted by JupiterOne View Post

Pwn2Own winner tells Apple, Microsoft to find their own bugs

"People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said.

So does that mean he's not accepting the money?


He won the money and the devices (who wouldn't go for the more expensive Macs first anyhow?) but insists the companies are not doing enough to find the bugs themselves.

So by not telling them, rather showing them how to find them, he hopes they will get the idea and find them out for themselves.

Holding these hacking contests has been an inexpensive way for these companies to test their products apparently.

My belief is the companies purposely are not trying their best to find the exploits on their own because they have been asked not to do so by Uncle Sam.

If I was in charge, I would have several servers running fuzzing software on all my code 24/7, well beyond human capability and updating the vulnerabilities as soon as they are found.

Instead Apple has to be told about a vulnerability and they sit on it for several months before fixing it.

Is there a reason Apple doesn't give a rat's ass? Or are they allowing complacency to rule because they have been told if they want to sell hardware to the Army they better not?

Is the Army getting the more secure versions of Apple's software?

It's public knowledge that Microsoft provides a more secure version of Windows to the military than the public at large.
post #57 of 130
Quote:
Originally Posted by SpotOn View Post

He won the money and the devices (who wouldn't go for the more expensive Macs first anyhow?) but insists the companies are not doing enough to find the bugs themselves.

So by not telling them, rather showing them how to find them, he hopes they will get the idea and find them out for themselves.

Yes, I read all of that, but the AI article seems to suggest that there were some kind of rules or contract saying that by accepting the prizes, they would reveal the exploits to the affected companies. So if he doesn't reveal, does he have to return the prizes? Or is this just some sort of unenforceable agreement?
post #58 of 130
If I remember correctly, the last time I heard about this contest none of the computers were hacked on the first day, then on the second day the rules get relaxed and the hackers are allowed to have partial password rights to the computer being hacked, like sending an email to the computer with malicious code and allowing the receiving computer to click accept and open the email, thus releasing the hack.

Is there a similar situation going on here? Let's get all the facts, because what I described above is not a true test of security.
post #59 of 130
Quote:
Originally Posted by webhead View Post

If I remember correctly, the last time I heard about this contest none of the computers were hacked on the first day, then on the second day the rules get relaxed and the hackers are allowed to have partial password rights to the computer being hacked, like sending an email to the computer with malicious code and allowing the receiving computer to click accept and open the email, thus releasing the hack.

Is there a similar situation going on here? Let's get all the facts, because what I described above is not a true test of security.

read it for yourself...
http://www.pcworld.com/businesscente...n_contest.html

post #60 of 130
Quote:
Originally Posted by ghostface147 View Post

Nothing is unhackable at the current moment that I am aware of.

Can you download a copy of Photoshop CS4 trial and hack it and get a fully functional copy for free??
post #61 of 130
Quote:
Originally Posted by kent909 View Post

Can you download a copy of Photoshop CS4 trial and hack it and get a fully functional copy for free??

yes......but of course I would not but it depends on how much time you want to spend on the hack......anything can be hacked given time and resources

post #62 of 130
Quote:
Originally Posted by extremeskater View Post

Your reading gets more and more selective.


"Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine"

This would be called hacking via remote access.



"There are two lessons for businesses to learn about security here, right off the bat. First, using Apple hardware and software is not an adequate defense, in and of itself. Despite the common perception that the Mac OS X operating system is just inherently more secure than Windows, the reality is that the primary reason Macs aren't attacked and compromised more often is that the platform with 92 percent market share promises malware developers a significantly higher return on investment than the platform with 5 percent market share."

For this hack to work in the real world, you would need to physically click a link to the malicious site somehow (in an email maybe, or a link via IM or whatever). Social Engineering. It relies on the ignorance of the computer user to do the hacker's job for him, because he can't do it himself.

Can your Mac get hacked remotely? No.

Will the hacker drive to your house and personally point your web browser to his site to infect your Mac? Not likely.
post #63 of 130
Quote:
Originally Posted by axual View Post

"This is the #1 reason Macs are slow to dent the business world..."

I don't think so.

What is the #1 reason then?
post #64 of 130
Quote:
Originally Posted by Quadra 610 View Post

I wouldn't worry too much about it. The contest has no actual meaning, beyond the obvious: don't let a hacker get their actual, physical hands on your machine.

Or hack your router, or hack the DNS server, or serve up a malicious web page and send you a email to click.

How about a malicious redirect? A corrupted PDF document or image?

Heck, even insert packets when you're updating OS X or the programs you use turning them into trojans.


Lots of ways to crack a Mac or any computer without physical access.


Someone has figured out a way to insert rogue code into Apple's keyboard firmware, which is not erased when the hard drive is.

Read and be very afraid.

http://arstechnica.com/apple/news/20...h-firmware.ars
post #65 of 130
Quote:
Originally Posted by TheShepherd View Post

What is the #1 reason then?

IT careers.
post #66 of 130
Quote:
Originally Posted by geekdad View Post

You should think first then post......
Everything I wrote was accurate. Don't attack me personally...we can disagree but quit the personal attack ...

I don't want to get into a flame war.

Please note that absolutely nothing I said was in fact anything close to a "personal attack."

I just maintained that you were wrong, which in fact you are. I think anonymouse sums up the reasons why the "contest" is misleading, false, etc. the best, so maybe just read that.
post #67 of 130
Quote:
Originally Posted by Quadra 610 View Post

For this hack to work in the real world, you would need to physically click a link to the malicious site somehow (in an email maybe, or a link via IM or whatever). Social Engineering. It relies on the ignorance of the computer user to do the hacker's job for him, because he can't do it himself.

Can your Mac get hacked remotely? No.

Will the hacker drive to your house and personally point your web browser to his site to infect your Mac? Not likely.

But that's not real world what you described......everyone surfs the web......everyone is vulnerable to click on a link to a malicious website.....you don't have to be directed to do it...the link could be named anything. It won't be named "click here to malicious website"
It could be anything.......it could be a fake headline to a news article you have been following.......

post #68 of 130
Quote:
Originally Posted by mstone View Post

SNIP

The person who was registered to hack the Nokia went missing in action so no result for that device.

SNIP

probably at the bottom of a lake in Finland by now...
post #69 of 130
Quote:
Originally Posted by kent909 View Post

Can you download a copy of Photoshop CS4 trial and hack it and get a fully functional copy for free??

Yep, modify a plist file and block it from contacting the servers at Adobe for activation. However I did have to find a working serial number first online.
post #70 of 130
Quote:
Originally Posted by TheShepherd View Post

What is the #1 reason then?


The consumer market is over 50% of the market and doesn't have the costly demands for different configurations like the enterprise market has. So Apple can make limited product lines and maximize margins through streamlining, automation, economies of scale and discounts on mass purchases of third party parts.

The iPad is likely very close to 100% assembled by robots, running 24/7. Unlike Mac Pros which are very likely assembled by hand.
post #71 of 130
Quote:
Originally Posted by geekdad View Post

Now this was the first post that made sense!!!
read this article http://www.pcworld.com/businesscente...n_contest.html

The iPhone was hacked in seconds......Windows 7 machine was compromised in about 2 minutes I believe this year..... so no one platform is safe....assuming you will not get compromised because you are on a Mac is sticking your head in the sand.
Any platform can get hacked at anytime..... and not just by a virus....Most of them by malicious code from a website.......so everyone is vulnerable.....unless you don't connect to the outside world that is.......

You seem to keep missing the critical question (at least the one I'm trying to pose) here, and the article you link does not address it.
Citing your example above; were the iPhone and Win 7 machine both hacked by the same person? Yes/No? Were they as experienced / proficient at hacking both systems equally?
Is Chrome the last man standing because it is the most secure? Or because there are no "Chrome hackers" at Pwn2Own?
It all seems "relative" because media reporting of the event doesn't address the critical aspects of the contest. (and I read all about it every year)
post #72 of 130
Miller took advantage of brute-force techniques and called it hacking.

Too funny.
post #73 of 130
Quote:
Originally Posted by JupiterOne View Post

Pwn2Own winner tells Apple, Microsoft to find their own bugs

"People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said.

Of course it makes more sense to him - if they don't fix the exploits, he can do it again next year, for MORE money.
post #74 of 130
Quote:
Originally Posted by isaidso View Post

You seem to keep missing the critical question (at least the one I'm trying to pose) here, and the article you link does not address it.
Citing your example above; were the iPhone and Win 7 machine both hacked by the same person? Yes/No? Were they as experienced / proficient at hacking both systems equally?
Is Chrome the last man standing because it is the most secure? Or because there are no "Chrome hackers" at Pwn2Own?
It all seems "relative" because media reporting of the event doesn't address the critical aspects of the contest. (and I read all about it every year)

I guess what I was trying to get you to do was some research on your own to answer your own questions. The link to the website I posted had links to other articles. Also just Google it and you will have the answers to the questions you posted....
Try this link http://dvlabs.tippingpoint.com/blog/...5/pwn2own-2010
or this one.....http://blogs.zdnet.com/security/?p=995
or at the source....http://cansecwest.com/

post #75 of 130
Quote:
Originally Posted by ghostface147 View Post

Yep, modify a plist file and block it from contacting the servers at Adobe for activation. However I did have to find a working serial number first online.

Not that I care, or use Photoshop; but doesn't the demo still expire after the clock runs out without activation?
post #76 of 130
Quote:
Originally Posted by ghostface147 View Post

Yep, modify a plist file and block it from contacting the servers at Adobe for activation. However I did have to find a working serial number first online.

or use an outgoing firewall like Little Snitch or others
post #77 of 130
Quote:
"Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine"

Then how did he "make" the machine go to the malicious website? If he had remote access, who gave him the password?
post #78 of 130
Quote:
Originally Posted by geekdad View Post

I guess what I was trying to get you to do was some research on your own to answer your own questions. The link to the website I posted had links to other articles. Also just Google it and you will have the answers to the questions you posted....
Try this link http://dvlabs.tippingpoint.com/blog/...5/pwn2own-2010
or this one.....http://blogs.zdnet.com/security/?p=995
or at the source....http://cansecwest.com/

Sorry thought this part of my post loosely addressed that: "(and I read all about it every year)"
My question is why do the media (and commenters) not address these questions about the competition, whose absence makes the results meaningless?
post #79 of 130
Quote:
Originally Posted by webhead View Post

If I remember correctly, the last time I heard about this contest none of the computers were hacked on the first day, then on the second day the rules get relaxed and the hackers are allowed to have partial password rights to the computer being hacked, like sending an email to the computer with malicious code and allowing the receiving computer to click accept and open the email, thus releasing the hack.

Is there a similar situation going on here? Let's get all the facts, because what I described above is not a true test of security.


The second day (last year) the contest situation was set up to realistically mimic real user situations, surfing the net, emailing etc. using the computer basically. Not just a locked box sitting on a table.
post #80 of 130
Quote:
Originally Posted by isaidso View Post

So is the speed with which a device / system is hacked, more an indication of inherent vulnerability, or an indication of the talent of the individual hacker?

If Charlie Miller hacked a Mac in XX number of minutes; was he not able to hack a Windows system just as fast?

No - it means that Charlie Miller was well prepared. IIRC - in the past he had found vulnerabilities in open source contributions to the Mac OS and didn't report them so he could get himself a MacBook Air.