Thursday, March 5, 2009

The best software security going…

The following from TechRepublic’s ZDNet distribution is a brilliant example of how the supply side is kept honest and innovative:

After two straight years of taking dead aim at Macbooks and Windows-powered machines, hackers at this year’s CanSecWest conference will have shiny new targets:  Web browsers and mobile phones.

According to CanSecWest organisers, there will be two separate Pwn2Own competitions this year — one pitting hackers against IE8, Firefox 3 and Safari and another targeting Google Android, Apple iPhone, Nokia Symbian and Windows Mobile.

On the browser side, the IE vs Firefox battle is sure to grab headlines although I’m not quite sure why Opera or Google’s Chrome was not included in the target list.

The rules of engagement are not yet available but it’s a safe bet that a successful attacker would have to exploit a zero-day vulnerability to gain full access to the target computer.

CanSecWest organizers plan to use a Sony VAIO P running Windows 7 as the platform for the contest. The successful hacker gets to keep the machine.

The second contest — against mobile phone platforms — will be another closely watched affair.  Hackers have already successfully infiltrated the iPhone and Android platforms and there are known security problems in Symbian and Windows Mobile so we’re likely to see a lot of attention paid to this contest.

In 2007, New York-based security researcher Dino Dai Zovi teamed up with Shane Macaulay to hijack a MacBook Pro via a flaw in Apple’s QuickTime software. A year later, hacker Charlie Miller needed just two minutes to exploit a Safari bug to win that contest.

Alex Sotirov also partnered with Macaulay in 2008 to exploit an Adobe Flash vulnerability on a Windows Vista box.  (Thanks to NonZealot for the correction).

It’s great to have all these brains working for me!!!
