Apple, Ink
MacBook Air security hacked at CanSecWest
Submitted by Andy Space on Fri, 03/28/2008 - 14:17.
Oh dear, it had to happen: security experts and hackers at the CanSecWest security conference are talking about just one event - that a MacBook Air was the first of three platforms successfully hacked in the PWN 2 OWN hacking contest. The contest saw former National Security Agency employee and researcher Charlie Miller saunter across to the Mac to run his exploit, which possibly took advantage of a security flaw in Safari.
Show organizers offered a Sony Vaio, Fujitsu U810 and the MacBook as prizes, each running a different operating system (Mac OS X, Windows Vista and Linux). Was it fair? The deal is that the first researcher to successfully hack each computer walks home with the laptop and some prize money. While the Mac was the first system to fall to the hacker attacks, it's expected the other two systems will be PWNed later today.
The company behind the competition, TippingPoint, quickly moved to notify Apple of the vulnerability, with Apple's Mac OS X team now scrambling to close the gap, reports claim. Also, note that CanSecWest's sponsors include Microsoft but no Linux companies or Apple.
All lies of course. Please read the newest article on www.roughlydrafted.com
Roughly drafted hasn't ever published a slightly negative Apple Article. Nowhere in that diatribe does it excuse the fact that, yes, a Mac got hacked by opening a web page.
Sorry fanboys, Apple isn't perfect. Hopefully this will get patched ASAP and future generations of Safari will be safer....
If anyone is going to pull off a hack of such magnitude, I should hope that it's a guy from the National Security Agency.
Think again:
If YOU had your choice of the three quoted laptops PLUS the cash prize, which would you hack? If this was truly a race to expose the most vulnerable of the lot and put the value on the most secure, why would any hacker covet the "lame" one to walk away with? Instead, the least vulnerable should be the FIRST prize...
MB Air: sexiest
If I had knowledge of unpatched vulnerabilities on Linux, Windows and MacOS and bundled software and opportunity to grab the 1st laptop I get into, I would surely jump on the MacBook Air to hack it so I can get home with the precious. I would do it without a glance at the other lame laptops running Vista or Linux, even if I knew only one vulnerability on MacOS (and bundled software) while knowing many others on Vista or Linux.
So the MB Air was hacked in only 2 minutes because it was the sexiest.
NOT!YG
http://www.roughlydrafted.com/2008/03/28/cansecwest-and-swiss-federal-in...
We love to read Daniel D.E.
We love to read D.E.D. as much as anyone - especially when we are feeling down about the platform. Unfortunately, the bottom line is that the mac was hacked by going to a website. Thousands of words later, his article still doesn't refute that unfortunately.
I think some of us are protesting a little too much. This may not have been a race to "take a cool MacBook Air prize". It seems to me that the hacker went for that system because he knew it would draw the most attention and get his name in the press. It's GREAT MARKETING. Apple uses their security as marketing all the time. This hacker is simply using that against them.
Oh, and the bragging points are incredible after a stunt like this. No matter how long it ACTUALLY took - or if the rules were relaxed. Most common people look at Macs as being impenetrable no matter what. He has proof that they aren't... and his name's on the documents.
Default Settings
It seems he knew a security hole in the MacBook Air (really doesn't matter if it was a MacBook Air or a Mac Pro) in the Default settings in Mac OS X and Safari.
I can hack into anyone's Linksys wireless router if they just open the box, plug it in and turn it on. By default, Safari doesn't warn you if a site is going to run any code (they did that because it is annoying to get lots of warnings).
Neither the MacBookAir nor Mac OS X got "hacked" (cracked is the proper term to use here) in this exercise.
Safari got cracked. Big deal!
Show us an actual exploit that cracks the machine and/or the operating system.
Lamers
mac os easiest to crack...
March 28, 2008 (Computerworld) The security researcher who walked away with $10,000 yesterday by hacking a MacBook Air in less than two minutes said he chose to attack Apple Inc.'s operating system for one simple reason.
"It was the easiest one of the three," said Charlie Miller, a principal analyst with Independent Security Evaluators (ISE), a Baltimore-based security consultancy. "We wanted to spend as little time as possible coming up with an exploit, so we picked Mac OS X."
On Thursday afternoon, Miller breached a MacBook Air, one of three laptops up for grabs in the "PWN To OWN" hacker challenge at CanSecWest, a security conference that wraps up today in Vancouver, British Columbia. For his efforts, he got the computer and a $10,000 cash prize.
The MacBook Air was running the current version of Mac OS X, 10.5.2, with all the latest security patches applied. The other two computers, a Sony Vaio VGN-TZ37CN running Ubuntu 7.10 and a Fujitsu U810 notebook running Windows Vista Ultimate SP1, were also up-to-date and fully patched.
"We sat down about three weeks ago and decided we wanted to throw our hats into the ring," said Miller, referring to himself and ISE colleagues. "It took us a couple of days to find something, then the rest of the week to work up an exploit and test it.
"It took us maybe a week altogether," Miller said.
Because Miller was bound by a non-disclosure agreement with 3Com Inc.'s TippingPoint, the security company that ponied up PWN To OWN's cash prizes, he was unable to share details of the vulnerability. He did confirm, however, that he had exploited a bug in Safari 3.1, the current version of Apple's browser.
The PWN To OWN challenge actually started Wednesday, but the rules for that first day required researchers to break into one of the laptops using a remote code-execution exploit of a zero-day. At stake: the laptop and $20,000. Only one researcher stepped up that day, however, and was unsuccessful.
Yesterday, the computers' exposure to attack was expanded by allowing hackers to go after any client-side applications installed by default, including Web browsers. Contestants were also allowed to replicate the common tactic of duping a user into following a link in an e-mail or visiting a malicious Web site. In Miller's case, he had set up a malicious Web site; the URL to that site was typed into Safari's address bar.
"I've had a change of heart," said Miller today. "I used to think server-side vulnerabilities were easier to exploit, but now I almost think it's easier to exploit the client side. Think about a browser. There's a million things it has to do. It has to handle images and video and audio and.... That's where the danger is these days."
Miller, formerly with the National Security Agency, may be best known as one of the first to hack Apple's iPhone last summer. In August 2007, he also blasted Apple for its sluggish updating of the open-source components it uses in its operating system, calling the practice "negligent."
At the time, Miller said he had found at least one critical vulnerability that had been patched in WebKit, the open-source code that powers Safari's engine, but integrated into Apple's browser. When pressed whether the vulnerability he used yesterday to snap up the $10,000 was a similar bug, he sidestepped the question. "The version of WebKit Safari was using [before 3.1] was very very old, but when they switched to 3.1, it's now pretty much up-to-date."
Just some background info on these people... they are grad students or alumni of Johns Hopkins University in Baltimore and have started a new security firm and keep pulling these stunts only to get free publicity for their start-up company based in Baltimore.
They keep picking the Mac because it generates more press.
They won't admit it, but it's true.
And it's free press for Johns Hopkins University too in a shameful way.
No, it can't be true. Apple is perfect and can do no wrong.
interestingly
The Vista machine fell on the Friday (I think), does this mean Linux is the most secure OS? Or does it mean no one can be bothered cracking, hacking or otherwise subverting it, or does it mean the machine it was running on just wasn't sexy, and breaking its security just wouldn't generate the press punditry of the other two?