Apple's iPhone, Safari on Mac exploited at annual hacking contest


Comments

  • Reply 61 of 134
    geekdad Posts: 1,131 member
    Quote:
    Originally Posted by kent909 View Post


    Can you download a copy of Photoshop CS4 trial and hack it and get a fully functional copy for free??



    yes......but of course I would not but it depends on how much time you want to spend on the hack......anything can be hacked given time and resources
  • Reply 62 of 134
    quadra 610 Posts: 6,757 member
    Quote:
    Originally Posted by extremeskater View Post


    Your reading gets more and more selective.





    "Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine"



    This would be called hacking via remote access.







    "There are two lessons for businesses to learn about security here, right off the bat. First, using Apple hardware and software is not an adequate defense, in and of itself. Despite the common perception that the Mac OS X operating system is just inherently more secure than Windows, the reality is that the primary reason Macs aren't attacked and compromised more often is that the platform with 92 percent market share promises malware developers a significantly higher return on investment than the platform with 5 percent market share."



    For this hack to work in the real world, you would need to physically click a link to the malicious site somehow (in an email maybe, or a link via IM or whatever). Social Engineering. It relies on the ignorance of the computer user to do the hacker's job for him, because he can't do it himself.



    Can your Mac get hacked remotely? No.



    Will the hacker drive to your house and personally point your web browser to his site to infect your Mac? Not likely.
  • Reply 63 of 134
    Quote:
    Originally Posted by axual View Post


    "This is the #1 reason Macs are slow to dent the business world..."



    I don't think so.



    What is the #1 reason then?
  • Reply 64 of 134
    spoton Posts: 645 member
    Quote:
    Originally Posted by Quadra 610 View Post


    I wouldn't worry too much about it. The contest has no actual meaning, beyond the obvious: don't let a hacker get their actual, physical hands on your machine.



    Or hack your router, or hack the DNS server, or serve up a malicious web page and send you an email to click.



    How about a malicious redirect? A corrupted PDF document or image?



    Heck, even insert packets when you're updating OS X or the programs you use, turning them into trojans.





    Lots of ways to crack a Mac or any computer without physical access.





    Someone has figured out a way to insert rogue code into Apple's keyboard firmware, which is not erased when the hard drive is.



    Read and be very afraid.



    http://arstechnica.com/apple/news/20...h-firmware.ars
  • Reply 64 of 134
    quadra 610 Posts: 6,757 member
    Quote:
    Originally Posted by TheShepherd View Post


    What is the #1 reason then?



    IT careers.
  • Reply 66 of 134
    Quote:
    Originally Posted by geekdad View Post


    You should think first then post......

    Everything I wrote was accurate. Don't attack me personally...we can disagree but quit the personal attack ...



    I don't want to get into a flame war.



    Please note that absolutely nothing I said was in fact anything close to a "personal attack."



    I just maintained that you were wrong, which in fact you are. I think anonymouse sums up the reasons why the "contest" is misleading, false, etc. the best, so maybe just read that.
  • Reply 67 of 134
    geekdad Posts: 1,131 member
    Quote:
    Originally Posted by Quadra 610 View Post


    For this hack to work in the real world, you would need to physically click a link to the malicious site somehow (in an email maybe, or a link via IM or whatever). Social Engineering. It relies on the ignorance of the computer user to do the hacker's job for him, because he can't do it himself.



    Can your Mac get hacked remotely? No.



    Will the hacker drive to your house and personally point your web browser to his site to infect your Mac? Not likely.



    But that's not real world what you described......everyone surfs the web......everyone is vulnerable to click on a link to a malicious website.....you don't have to be directed to do it...the link could be named anything. It won't be named "click here to malicious website"

    It could be anything.......it could be a fake headline to a news article you have been following.......
  • Reply 68 of 134
    tofino Posts: 697 member
    Quote:
    Originally Posted by mstone View Post


    SNIP



    The person who was registered to hack the Nokia went missing in action so no result for that device.



    SNIP



    probably at the bottom of a lake in finland by now...
  • Reply 69 of 134
    ghostface147 Posts: 1,629 member
    Quote:
    Originally Posted by kent909 View Post


    Can you download a copy of Photoshop CS4 trial and hack it and get a fully functional copy for free??



    Yep, modify a plist file and block it from contacting the servers at Adobe for activation. However I did have to find a working serial number first online.
  • Reply 70 of 134
    spoton Posts: 645 member
    Quote:
    Originally Posted by TheShepherd View Post


    What is the #1 reason then?





    The consumer market is over 50% of the market and doesn't have the costly demands for different configurations like the enterprise market has. So Apple can make limited product lines and maximize margins through streamlining, automation, economies of scale and discounts on mass purchases of third party parts.



    The iPad is likely very close to 100% assembled by robots, running 24/7. Unlike Mac Pros, which are very likely assembled by hand.
  • Reply 71 of 134
    isaidso Posts: 750 member
    Quote:
    Originally Posted by geekdad View Post


    Now this was the first post that made sense!!!

    read this article http://www.pcworld.com/businesscente...n_contest.html



    The iPhone was hacked in seconds......Windows 7 machine was compromised in about 2 minutes I believe this year..... so no one platform is safe....assuming you will not get compromised because you are on a Mac is sticking your head in the sand.

    Any platform can get hacked at anytime..... and not just by a virus....Most of them by malicious code from a website.......so everyone is vulnerable.....unless you don't connect to the outside world that is.......



    You seem to keep missing the critical question (at least the one I'm trying to pose) here, and the article you link does not address it.

    Citing your example above; were the iPhone and Win 7 machine both hacked by the same person? Yes/No? Were they as experienced / proficient at hacking both systems equally?

    Is Chrome the last man standing because it is the most secure? Or because there are no "Chrome hackers" at Pwn2Own?

    It all seems "relative" because media reporting of the event doesn't address the critical aspects of the contest. (and I read all about it every year)
  • Reply 72 of 134
    quadra 610 Posts: 6,757 member
    Miller took advantage of brute-force techniques and called it hacking.



    Too funny.
  • Reply 73 of 134
    elroth Posts: 1,201 member
    Quote:
    Originally Posted by JupiterOne View Post


    Pwn2Own winner tells Apple, Microsoft to find their own bugs



    "People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said.



    Of course it makes more sense to him - if they don't fix the exploits, he can do it again next year, for MORE money.
  • Reply 74 of 134
    geekdad Posts: 1,131 member
    Quote:
    Originally Posted by isaidso View Post


    You seem to keep missing the critical question (at least the one I'm trying to pose) here, and the article you link does not address it.

    Citing your example above; were the iPhone and Win 7 machine both hacked by the same person? Yes/No? Were they as experienced / proficient at hacking both systems equally?

    Is Chrome the last man standing because it is the most secure? Or because there are no "Chrome hackers" at Pwn2Own?

    It all seems "relative" because media reporting of the event doesn't address the critical aspects of the contest. (and I read all about it every year)



    I guess what I was trying to get you to do was some research on your own to answer your own questions. The link to the website I posted had links to other articles. Also just Google it and you will have the answers to the questions you posted....

    Try this link http://dvlabs.tippingpoint.com/blog/...5/pwn2own-2010

    or this one.....http://blogs.zdnet.com/security/?p=995

    or at the source....http://cansecwest.com/
  • Reply 75 of 134
    isaidso Posts: 750 member
    Quote:
    Originally Posted by ghostface147 View Post


    Yep, modify a plist file and block it from contacting the servers at Adobe for activation. However I did have to find a working serial number first online.



    Not that I care, or use Photoshop; but doesn't the demo still expire after the clock runs out without activation?
  • Reply 76 of 134
    spoton Posts: 645 member
    Quote:
    Originally Posted by ghostface147 View Post


    Yep, modify a plist file and block it from contacting the servers at Adobe for activation. However I did have to find a working serial number first online.



    or use an outgoing firewall like littlesnitch or others
  • Reply 77 of 134
    elroth Posts: 1,201 member
    Quote:

    "Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine"



    Then how did he "make" the machine to go to the malicious website? If he had remote access, who gave him the password?
  • Reply 78 of 134
    isaidso Posts: 750 member
    Quote:
    Originally Posted by geekdad View Post


    I guess what I was trying to get you to do was some research on your own to answer your own questions. The link to the website I posted had links to other articles. Also just Google it and you will have the answers to the questions you posted....

    Try this link http://dvlabs.tippingpoint.com/blog/...5/pwn2own-2010

    or this one.....http://blogs.zdnet.com/security/?p=995

    or at the source....http://cansecwest.com/



    Sorry thought this part of my post loosely addressed that: "(and I read all about it every year)"

    My question is why do the media (and commenters) not address these questions about the competition, whose absence makes the results meaningless?
  • Reply 79 of 134
    spoton Posts: 645 member
    Quote:
    Originally Posted by webhead View Post


    If I remember correctly, the last time I heard about this contest none of the computers were hacked on the first day, then on the second day the rules get relaxed and the hackers are allowed to have partial password rights to the computer being hacked, like sending an email to the computer with malicious code and allowing the receiving computer to click accept and open the email, thus releasing the hack.



    Is there a similar situation going on here? Let's get all the facts, because what I described above is not a true test of security.





    The second day (last year) the contest situation was set up to realistically mimic real user situations, surfing the net, emailing etc. using the computer basically. Not just a locked box sitting on a table.
  • Reply 80 of 134
    tofino Posts: 697 member
    Quote:
    Originally Posted by isaidso View Post


    So is the speed with which a device / system is hacked, more an indication of inherent vulnerability, or an indication of the talent of the individual hacker.



    If Charlie Miller hacked a Mac in XX number of minutes; was he not able to hack a Windows system just as fast?



    no - it means that charlie miller was well prepared. IIRC - in the past he had found vulnerabilities in open source contributions to the mac os and didn't report them so he could get himself a macbook air.