Mac Cracked Ping!
If you want on or off the Mac Ping List, Freepmail me.
Posted on 03/19/2009 6:24:11 PM PDT by Swordmaker
Charlie Miller, the security researcher who hacked a Mac in two minutes last year at CanSecWest's PWN2OWN contest, improved his time Wednesday by breaking into another Mac in under 10 seconds.
Miller, a principal analyst at Independent Security Evaluators LLC, walked off with a $5,000 cash prize and the MacBook he hacked.
"I can't talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched," said Miller Wednesday not long after he had won the prize. "It probably took 5 or 10 seconds." He confirmed that he had researched and written the exploit before he arrived at the challenge.
The PWN2OWN rules stated that the researcher could provide a URL that hosted his or her exploit, replicating the common hacker tactic of enticing users to malicious sites where they are infected with malware. "I gave them the link, they clicked on it, and that was it," said Miller. "I did a few things to show that I had full control of the Mac."
(Excerpt) Read more at pcworld.com ...
If you want on or off the Mac Ping List, Freepmail me.
Oh my!!
Not exactly true, he brought in a drive that had a program he had been working on for months..
Well crap.
That’s the way hacking is done. You write subroutines that are reusable, it becomes a hacker’s tool chest. Hacking without a tool chest would be akin to changing a flat without a tire iron.
ping
:-p
Let's be honest - there isn't anything that can't be cracked. And these guys are very, very good. It just means that everyone who owns one of any flavor has to take minimal precautions. All holy wars do is to lull people into a false sense of security.
Charlie Miller and his two associates are ex-NSA computer security wonks... There may be no better hackers in the world than these three. Miller has made it a crusade to always attack the Mac...
Well, in this contest it may well be. But Windows 7 and Internet Explorer 8 fell a few minutes later to another attacker. The same attacker also exploited FireFox on Windows 7 and found a different vulnerability in Safari on the Mac. He got the trifecta...
All of the targeted browsers fell on the first day... in fact in the first hours of the contest.
As for the guy who got the Firefox/Safari/IE trifecta...I say back off and nuke him from orbit. It's the only way to be sure. :-)
I do that all the time. Can't you?
Nah, I tried to take the lug nuts off with my teeth and all I got were these dentures.
LOL. Next time try a 1/2 ratchet and an impact driver.
They really need to change this competition so that you have to start your hack from zero when you get there. If you think of it, this was not good security ethics because this guy knew of a vulnerability for months without notifying the manufacturer.
If one uses OpenDNS, it provides another layer of protection from hacker sites. If someone has been hacked and it has been reported, this will prevent you from stumbling into it...
OpenDNS
http://www.opendns.com/
True.
But I want to see a competition that cracks the COMPUTER with an actual machine exploit, not a stupid OPERATOR with a stupid human engineered "Please hit this website and allow the program it downloads to execute."
Good lord. Why do they even bother to mention the type of computer or browser? They're hacking the OPERATOR, not the COMPUTER.
Grrr.
That's because a new MS-Windows exploit isn't news.
ok, this is not helping my argument for buying a mac.. :)
Don't worry about it... it really didn't take 10 seconds. It took less. The 10 seconds were the human reaction time to have the referees navigate to the instructed website and click on the malicious link. Note that there was required human interaction... just as any socially engineered attack requires.
Snow Leopard will have the memory locations being used by this exploit randomized and applications such as Safari sandboxed to avoid such new style attacks.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.