Cover of Hackers

Related articles by Zemanta

• Macworld 2009: Hackers make spoof annnouncement of Steve Jobs death (telegraph.co.uk)
• Hackers booting people off of Xbox Live (joystiq.com)
• Hackers aiming for Mac, and Firefox having too many security issues (from-rizo.se)
• Hackers are lurking online (jonggunlee.tistory.com)

At CanSecWest last week (note to self: write a post about how awesome the conference was) a few well known researchers, Alex Sotirov, Dino Dai Zovi, and Charlie Miller began a movement against “free bugs”.  The basic and over simplified premise is that they feel that security vulnerabilities should not be handed over to vendors for free.  I don’t necessarily agree with this but in reality who cares?  To each their own.  This is really an individual choice.

Of course, this caused a few to scratch their heads and while I am sure there are other really dumb blog posts about this — I thought this one took the cake:

http://www.sophos.com/security/blog/2009/03/3680.html

Not only is the above blog post completely off the mark, but it is clear that the author is very inexperienced in dealing with security vulnerabilities.  Lets look at some of the ridiculous comments made by Ross Thomas of Sophos.

“As one of those users, I have to say I’m not exactly delighted to discover that a so-called security researcher was so breathtakingly cavalier about the safety of my data and the privacy of my personal information. Apparently I’ve been vulnerable to this “idiot-proof” exploit for at least a year, and have only good luck to thank for the fact that no-one used it to drain my bank accounts in the meantime.”

Wow.. talk about raising the level of FUD and so soon in the post.  While we don’t have a heck of a lot of details on the bug (some do have more than others) I can say with a pretty high confidence level that this bug could not be used to “drain” the author’s bank account.  If it could, there would be even less reason to disclose it. 

But wait it gets even worse:

“The point I’m trying to make is that this wasn’t “his exploit” to do with as he saw fit.”

Really?  Didn’t the researcher, in this case Charlie Miller, spend the time to find this bug?  He found the bug and he wrote the exploit.  That does in fact make it his to do with as he pleases.

I guess that is really the entire point that Sophos and Ross Thomas are missing.  While I personally would report any vulnerabilities I find to the vendor, for free, it really is up to the individual researcher to do as he pleases with what he finds.  Afterall, he did put in the work.

“With today’s highly monetized black market for malware authors this kind of bug must not be permitted to exist even for a day, let alone a year”

More FUD!  Security vulnerabilities exist, they always have and they always will.  Get over it.  Bugs exist much longer than days as it takes most vendors months to fix anything and once you have reported the bug to a vendor — it is no longer a secret.  While anyone could have found the same bug and used it for “bad things” no one did.  So what does that tell you?  It suggests to me that the so called “black market” and malware authors aren’t looking as hard or maybe they aren’t as good as looking.

Lets also not forget that users are always slow to patch their machines.  So waiting to report this really has no bearing on anything — especially when this specific bug has not been used in the wild.  Looking at the last few very successful pieces of malware — none of them used a zeroday.  In fact one of the bigger ones (although we all know the shady AV Vendors inflate their numbers) Confiker, used a known and patched vulnerability.  In fact, the trend lately has been, patch released, bad guys reverse patch, bad guys start using vulnerabilities, months later users get around to installing patch.

Perhaps once we start to see more actual zero day being used and lets be honest here, perhaps once AV Vendors start actually offering their users REAL PROTECTION that can’t be easily bypassed then we can cast stones at someone for wanting to be paid for something they do in their spare time.

So you think you’re pretty safe because you’re visiting trusted sites only, not installing software unless you’re absolutely sure its safe, and you use pretty strong passwords…

Well, maybe you are, but did you know that your keystrokes can now be identified with equipment costing only about $80!? Oh, and there isn’t a need for installing some kind of spyware on your machine either, as it can be done remotely – maybe in another office, or perhaps from outside your window.

Presenters at the CanSecWest security conference detailed on Thursday how they can sniff data by analyzing keystroke vibrations using a laser trained on a shiny laptop or through electrical signals coming from a PC connected to a PS/2 keyboard and plugged into a socket.

Eek.

Check out the article here.

I guess my only consolation now is one I usually rely on for most high-tech, sci-fi, big brother type snooping: I’m probably not important or interesting enough to actually be a target

Ok, so, CanSecWest has finished. And i must say, It was an excellent conference.

We ‘ve talked on the second day and, although it was very early, there was a lot of -amazingly not drunk- people there.

I’ve met *a lot* of interesting people there and we had so much fun at the Vancouver’s nights.
After the second day, Dragos has given an awesome party on the top of Grouse Mountain, that is a very cool place.

BTW, this place is excelent. The ppl at vancouver is very kind and open minded. I really hope to come back here the next year.

The slides are available here

A few reporters covered the talk, here are the links:

SecurityFocus
ZDNet
Threat Post
CORE’s Press Release
Informationweek

And also on Slashdot

With the Pwn2Own contest at CanSecWest nearly over, nearly all of the major browsers have quickly fallen – which is unfortunate. In fact, Safari on the Macintosh MacBook fell in less than 10 seconds.

This year’s contest strongly brings the security of current browsers under scrutiny: Internet Explorer, Firefox, and Safari all quickly fell, allowing compromise of the machine they were running on. Google’s Chrome browser will come under fire on Friday.

ComputerWorld had a nice writeup.

Researchers from Inverse Path showed a couple interesting techniques for sniffing keystrokes at CanSecWest. For their first experiments they used a laser pointed at the shiny back of a laptop. The keystrokes would cause the laptop to vibrate which they could detect just like they would with any laser listening device. They’ve done it successfully from anywhere between 50 to 100 feet away. They used techniques similar to those in speech recognition to determine what sentences were being typed.

In a different attack, they sniffed characters from a PS/2 keyboard by monitoring the ground line in an outlet 50 feet away. They haven’t yet been able to collect more than just single strokes, but expect to get full words and sentences soon. This leakage via power line is discussed in the 1972 Tempest document we posted about earlier. The team said it wasn’t possible with USB or laptop keyboards.

[Thanks Jeramy]

Dentro del contexto de la CanSecWest -una de las conferencias más importantes del mundo en lo referente a seguridad informática- que se celebra en estos momentos en Vancouver, Canadá, se realizó el ya clásico concurso Pwn2Own, que consiste en un grupo de usuarios que compiten por encontrar una vulnerabilidad en determinados grupos de aplicaciones, de diferentes plataformas. Uno de los grupos analizados son los navegadores Web, y Safari dio este año la nota alta, por segunda vez consecutiva.

Charlie Miller había ganado el concurso del año pasado por vulnerar Safari para Mac, y este año lo volvió a hacer: en un MacBook con Safari actualizado al día, sólo necesitó de unos minutos y un clic en una sola URL para tomar el control total sobre la máquina. Miller se aprovechó de un agujero no reportado de Safari, y por su pericia se embolsó diez mil dólares y el MacBook donde trabajó para penetrar en el agujero. Cabe destacar que el agujero no será publicado, sino que enviado a Apple para que tome las providencias del caso en forma de una actualización de seguridad.

Otra vez Safari está en el ojo del huracán de la seguridad informática. No es azar que por segunda vez consecutiva un usuario se burle del navegador, y no me parece que sea por simple inquina contra Safari. Es de esperar que los informáticos de Cupertino tomen cartas en el asunto y pongan a su producto como una opción interesante frente a la competencia, y  no sólo en prestaciones y aspecto, sino que también en el crucial tema de la seguridad. Safari es un navegador joven en comparación con otros, pero eso no le da derecho a permitirse este tipo de deslices, así que estaremos esperando soluciones.

Usually it’s difficult for me to make a correlation between the two primary subjects that I studied in college–computer science and philosophy. The first few things that pop into mind when attempting to relate the two are typically artificial intelligence and ethics. Lately, intuition has caused me to ponder over a direct link between modern philosophy and effective digital security.

More precisely, I’ve been applying the Hegelian dialectic to the contemporary signature-based approach to anti-virus while pontificating with my peers on immediate results; the extended repercussions of this application are even more fascinating. Some of my thoughts on this subject were inspired by assertions of Andrew Jacquith and Dr. Daniel Geer at the Source Boston 2008 security conference. Mr. Geer painted a beautiful analogy between the direction of digital security systems and the natural evolution of biological autoimmune systems during his keynote speech. Mr. Jacquith stated the current functional downfalls of major anti-virus offerings. These two notions became the catalysts for the theoretical reasoning and practical applications I’m about to describe.

Hegel’s dialectic is an explicit formulation of a pattern that tends to occur in progressive ideas. Now bear with me here–In essence, it states that for a given action, an inverse reaction will occur and subsequently the favorable traits of both the action and reaction will be combined; then the process starts over. A shorter way to put it is: thesis, antithesis, synthesis. Note that an antithesis can follow a synthesis and this is what creates the loop. This dialectic is a logical characterization of why great artists are eventually considered revolutionary despite  initial ridicule for rebelling against the norm. When this dialectic is applied to anti-virus, we have: blacklist, whitelist, hybrid mixed-mode. Anti-virus signature databases are a form of blacklisting. Projects such as AFOSI md5deep, NIST NSRL,  and Security Objectives Pass The Hash are all whitelisting technologies.

A successful hybrid application of these remains to be seen since the antithesis (whitelisting) is still a relatively new security technology that isn’t utilized as often as it should be. A black/white-list combo that utilizes chunking for both is the next logical step for future security software. When I say hybrid mixed-mode, I don’t mean running a whitelisting anti-malware tool and traditional anti-virus in tandem although that is an attractive option. A true synthesis would involve an entirely new solution that inherited the best of each parent approach, similar to a mule’s strength and size. The drawbacks of blacklists and whitelists are insecurity and inconvenience, respectively. These and other disadvantages are destined for mitigation with a hybridizing synthesis.

The real problem with mainstream anti-virus software is that it’s not stopping all of the structural variations in malware. PC’s continue to contract virii even when they’re loaded with all the latest anti-virus signatures. This is analogous to a biological virus that becomes resistant to a vaccine through mutation. Signature-based matching was effective for many years but now the total set of malicious code far outweighs legitimate code. To compensate, contemporary anti-virus has been going against Ockham’s Razor by becoming too complex and compounding the problem as a result. It’s time for the security industry to make a long overdue about-face. Keep in mind that I’m not suggesting that there be a defection of current anti-virus software. It does serve a purpose and will become part of the synthesization I show above.

The fundamental change in motivation for digital offensive maneuvers from hobbyist to monetary and geopolitical warrants a paradigm shift in defensive countermeasure implementation. For what it’s worth, I am convinced that the aforementioned technique of whitelisting chunked hashes will be an invaluable force for securing the cloud. It will allow tailored information, metrics and visualizations to be targeted towards various domain-specific applications and veriticals. For example: finance, energy, government, or law enforcement, as well as the associated software inventory and asset management tasks of each. Our Clone Wars presentation featuring Pass The Hash (PTH) at Source Boston and CanSecWest will elaborate on our past few blog posts and much more.. See you there!

By now, the security industry must recognize that the future of Message-Digest algorithm 5 is hopelessly jeopardized. The rogue CA certificate presentation at 25C3 might as well have been the nail in the coffin. A little over a year ago, NIST opened up its Cryptographic Hash Algorithm Competition for the creation of SHA-3. In response, Ron Rivest (The ‘R’ in “RSA”) developed MD6 at MIT. Security Objectives’ has been tirelessly working on a little hashing project of its own–Pass The Hash.

The security industry is currently in the process of reluctantly accepting that the current signature-based approach to anti-virus and malware identification is futile. Therefore, our Pass The Hash solution utilizes a whitelist approach in conjunction with a custom hash tree data structure to wholly single out malware variants piece by piece. Moreover, non-disclosure agreements are a besetting factor in digital forensics investigations because the analyst cannot inquire about a malware specimen by sending it out verbatim; our solution solves that problem too.

Here’s how it works: you compute Tiger hashes of files on your system, query our central database, and we tell you what they belong to. If it doesn’t match one of our hashes, you know you’ve got a problem. Once you’ve identified a piece of malware, you can coordinate specifics with our community such as fixes, research, opinions, etc.  All of this is in a really sleek WPF GUI because here at Security Objectives, we strive to make hacking look like the movies!

The hash computations that our software performs identify polymorphous variations similar to Context-Triggered Piecewise Hashes and Bloom Filters. There will also be an off-line mode where hashes can be compared against a local client-side database that deals with hash trees similar to our centralized database. Directories, drives, and even processes whose hashes need to be calculated are inserted into a dynamically managed queue; with the click of a button the queue can be re-prioritized, saved, elements can be removed, etc. Meta-data is associated with each hash object that describes attributes such as operating system, platform, user-specified information, etc.

When we first started working on this we were thinking “napster for malware” but it’s turned into so much more. More recently the description was “MRBL” (Malware Real-time Blackhole List,) similar to the MAPS SPAM countermeasure except that it actually utilizes whitelist technology. “malster” sounds cool, but we decided to name it Pass The Hash, indicative of the hash value computation and transmission taking place. This venture is clearly distinguishable from GNU Pth (Portable threads) because our acronym (PTH) is written in all caps.

I can’t provide an exact release date right now–all I can say is very soon. Once it’s released you’ll be able to download it from our products page. The long-term plan is to slap an open source license on the client code, thereby exposing the XML API for the central database and LINQ for the local one. Organizations that require the achievement of total malware sovereignty can deploy a dedicated appliance that acts as a counterpart to the centralized hash database hosted by Security Objectives. So keep your eyes peeled for the upcoming release of Pass The Hash. In the meantime, sneek a peek at a screenshot.

Similar Research:

• Stealth Malware–Towards Verifiable Systems by Joanna Rutkowska of COSEINC’s Advanced Malware Labs
• Automated Structural Classification of Malware by Ero Carrera and Halvar Flake of zynamics GmbH
• National Software Reference Library (NSRL) by NIST

P.S. After a long hiatus, we plan to be hitting the conference circuit once again to present on the specifics of this new reactive malware eradication technology. We’ve been submitting CFP’s left and right, but you’re most likely to catch up with us at CanSecWest. Hope to see you there!

El pasado Lunes la empresa CanSecWest organizó un concurso de seguridad, puso a disposición de todo el que quisiera probar suerte y ganar un portátil y un buen puñado de dólares, los portátiles en cuestión eran un Sony Vaio corriendo una Ubuntu 7.10, un Fujitsu con Vista Ultimate SP1 y un MacBook Air con MacOsX 10.5.2, el primero en caer fue el Mac al segundo día de la competición, Vista también duro dos días aunque fue un equipo más que una sola persona los que lograron entrarle, y el único imbatido fue el Sony con Ubuntu 7.10, otra victoria más, aunque sea Ubuntu

Fuentes:
Inglés http://www.infoworld.com/ y la web del concurso http://cansecwest.com/
Español: http://www.theinquirer.es/

Between CanSecWest and then RSA a couple weeks after I have been way too busy to write a post so for that I apologize.  So much has gone on in the last month that I probably have a half dozen posts and there is a lot I want to comment on but I will start with RSA and oh what a place to start.

If you ever have the need to drink on a vendor’s tab — RSA is the conference to do that.  While the talks are not of the caliber of a CanSecWest or even a Blackhat the parties go above and beyond and why wouldn’t they?  There are a plethora of “Security Vendors” both known and unknown looking for your security budget dollars and it seems that the best way to do this is by either hiring booth sluts or getting a bunch of IT Geeks drunk.  Don’t get me wrong, I have been known to enjoy a booth slut or two, and even sometimes enjoy some free drinks. 

So to all the vendors that kept me nicely sauced for the week — Thank You!!!

I mentioned talks and how the quality of the talks is not as high as CanSecWest or Blackhat.  I am sure some of them were but in general the technical level is not there and most of the non-technical talks were simply vendors talking about the same crap as the last ten years with no real solutions.

I should know, I participated in a panel that was supposed to be on the technical track but was nothing more than my so called colleagues in this industry saying whatever they could to try and make their product or solution sound like the way to go.  At one point I was laughing inside wondering if any of the co-panelists actually believe the bullshit they were shovelling.

Apparently my honest opinions were not valued as anytime I attempted to make a statement that was not a thinly veiled product pitch I was quickly cut off.  I suppose I could have been more aggressive but in my defense I was hopped up on cold medicine and suffering from a bad sinus infection.

The theme I was attempting to get across was; Stop spending your money on the latest security buzzword or gimmick.  The problems you are facing today and the problems you will face tomorrow are simplyvariations on the problems that you faced in the past.  So, if the crap you bought five years ago did not help you do not expect the crap you are about to buy this year to fix that.   End users really need to start holding vendors accountable.  Accountable for writing bad security products that actually increase their vulnerability, responsible for making claims that are not true, and responsible for cashing in on fear uncertainty and doubt.

Apparently, there is not any room at RSA for honesty, because if you listened to the other panel members, their products can solve any buzzword you can throw at it.  sigh….

Not to sound bitter or burned out but security is a hell of a lot more than a check box on your <insert bullshit compliance or standard here> list or a stamp from your Final 4 Auditor.  It is doing the right thing that enables the business while keeping “the bad shit (TM)” from happening — ask me for my definition of “the bad shit (TM)” later.

Some of you may be saying, yeah that is an obvious statement, but believe me dear reader you can be called compliant and still be as insecure as a chubby teenage girl.  Anyways, I am starting to rant and rave so I will cut this post short. 

It was great seeing my friends that I only get to see at conferences this year at both RSA and CanSecWest and I will see you at the next conference.

To my one or two readers, I promise to post on a more frequent basis.

When you think about it, time really is all we have. It’s what you have at your disposal, to do anything and everything. It seems that we’re better off not knowing when it comes to security–for our own good. Can it really be so utilitarian?

To anybody out there writing exploits: make sure you’re doing it just for fun. Currently, there are no outlets for any financial gain that will accurately measure your time investment or fairly compensate your hard work.

Security Objectives’ own Shane Macaulay “owned” Vista SP1 in the PWN2OWN contest at CanSecWest 2008 by exploiting a bug in Adobe Flash. As a result of the contest’s categorization of the bug as third-party, the exploit was grossly under-appraised (especially when considering cross-platform targets and the fact that it would work well into the future with Vista’s new Service Pack.) Sure, it technically was a bug in a third-party application, but this particular third-party application happens to be installed on just about every Internet-enabled PC. According to Adobe, “Adobe® Flash® Player is the world’s most pervasive software platform, used by over 2 million professionals and reaching over 98% of Internet-enabled desktops in mature markets as well as a wide range of devices.”

Even if Shane was unfairly compensated, it doesn’t matter because at least he used “responsible disclosure” — or does it? I highly doubt that the people in charge of the companies writing buggy software and brokering bug information have any idea about the amount of work and skill that goes into discovering an exploitable bug, let alone writing a proof-of-concept for it. As it stands, software companies are setting themselves up for a black market in digital weapons trading of unprecedented proportions.

Here’s something else to think about.. I expect Adobe to patch this one rather quickly given all the publicity. How long does it take for a vendor to fix a given vulnerability when it is reported to them directly? Even some of the brokered “upcoming advisories” on 3Com’s ZDI site are many months or even years stale. This “patchtile dysfunction” will increase the value of a 0-day exploit exponentially.

Time is money and to make up for lost time, Mr. Macaulay decided to sell the laptop he had won on eBay. An innocent bystander at the contest dubbed this decision “from pwn to pawn.” So why not? Laptops get sold on eBay everyday–but not this one. It wasn’t long before eBay pulled Mr. Macaulay’s item from auction on the first of April, ostensibly as an April Fool’s shenanigan. This came as a surprise to me. Things to consider here:

• The laptop may or may not have had forensic evidence of the controlled attack that occurred during the contest.
• Even so, Mr. Macaulay is a responsible discloser and would not have shipped the laptop until the bug was patched.
• Mr. Macaulay’s and Mr. Sotirov’s autographs should have increased the laptop value, regardless.

This incident, in a way, reminded me of eBay’s great fearwall debacle from a few years ago (CVE-2005-4131.) In that case, there were several key differences: an information broker such as ZDI was not involved, a pseudonym was being used, the code statements where the memory corruption occurred were disclosed, and no computer hardware was for sale. Nevertheless, I respect eBay’s decision to discontinue the auction as this is obviously a very controversial issue.

Brokering information? How can you do it? From experience, the idea of using an escrow service and 3rd party verification is largely ineffective. It would appear that ZDI is the only show in town. Of course there’s that auction service, but you have to send them your exploit first so how does that work? It appears that they’re still trying to do business by the way, despite alleged legal troubles. I’m subscribed to their mailing list and they send out an e-mail every time new information goes up for auction; they put up a dozen or so new exploits last week but it would appear that few if any were sold. Where do we go from here? Is brokering information even possible?

Imagine for a moment a scenario where a dozen or so exploits of critical severity related to a single software company are posted to Full Disclosure with rumors of many more circulating in the underground and exploits actively being carried out in the wild. Now imagine shareholders shorting that company’s stock. I suppose that the vulnerability information might be more realistically valued in a situation such as this. Anyone have any other ideas?

Yes, I know I haven’t updated this BLOG in quite a while.  Basically, the busier I get at work, the less time and motivation I have to update the BLOG.  Work has been super busy but to be honest that is a good thing, I have been in situations in the past where things have been slow and steady and typically those jobs don’t last long.

Anyways, back to the point of this post – CanSecWest 2008.  As usual, Dragos, Wil, Sean, and the rest of the crew put on a great show.  Yes, I am a bit biased because I have always been a CSW fanboy, but I like to think that I am honest enough that if I found something sucked — I would say it sucked.

Pwn-2-0wn was as usual a feast for the press.  Huge apologies to my new friend Aviv Raf who was counting on me to use a flaw he found to win him the Vista box.  There is no one to blame on this not happening, his vulnerability works, but myself and perhaps my lack of motivation.  So again, huge apologies.

That said, congrats to K2 (the Whiner.. hehe) for taking the Vista box.  I love how K2 has stirred the pot around this contest and the buying of vulnerabilities in general.  Perhaps we will see organizations like ZDI start to actually offer what they are worth and not the low-ball amounts.  Although in their defense, they do not resell the vulnerabilities or make any money off of them other than the associated PR it generates.

All of the Operating System fanboy traffic around the contest was amusing.  Between the claims that the Mac box only fell because Microsoft was a sponsor (note: they were a conference sponsor not the pwn-2-0wn contest sponsor) and the claims that Ubuntu didn’t fall because it’s the most secure I could do nothing but laugh.  I highly doubt any of us will live long enough to see the day that the O/S wars cease. 

Those of you that follow my Twitter Feed probably saw me poking fun at one of the VMWare talks.  Please do not take my comments as disrespect, anyone who puts the time in to research an issue then gets up in front of a group of hung over and in general grumpy geeks and presents their work is cool with me.  But I found it hard to get excited about issues that require me to have local physical access to the system.  I mean, of course at that point there are a number of ways to pop the Guest Operating Systems.

In general all of the talks were great, some hard to hear due to audio issues, but other than that I can say I learned a few things, met some more cool people and had a great time.  That is, in general, the point and not to beat up on other conferences, something that is missing from many of the old school conferences.  Hopefully I make it out to Tokyo for PacSec this year too!

Oh, and to those that expressed concern over Dragos handing me a sharp Samurai Sword.  The sword has safely made it back to Calgary and this weekend will safely make it back to California incident and more importantly blood free.

I will be at RSA next week, possibly only on Tuesday to participate in my panel but if you are going to be there and want to grab some beers, feel free to get in touch with me.

As you surely know by now, the CanSecWest conference was the stage for a contest, PWN to OWN. Three laptops were set up; laptops running Windows Vista, Ubuntu Linux, and Mac OS X. The goal was to hack the computer and read the contents of a file located on each of the machines, using a 0day code execution vulnerability.

During the first day, you can only attack the machine over the network, without physical access. On the second day, user interaction comes into play (visiting a website, opening an email). On the third and final day, third-party applications are added to the mix. Each machine had the same cash prize on its head.

As you all know, the Mac was hacked first, on day two. The user only had to visit a website, and the Mac was hacked. Vista got hacked on the third day using a security hole in Adobe’s Flash, and the Ubuntu machine did not get hacked at all.

when the hacking contest was on its second day. The second day consisted of stock configurations along with browsers and some mail applications. That’s when the MacBook Air laptop was hacked in in about 2 minutes utilizing a Safari vulnerability that Apple has now been notified of.

Technically it wasn’t really Microsoft’s fault that the machine was hacked since Adobe is the one who creates Flash. The MacBook Air vulnerability, on the other hand, was in the Safari browser which ships on all Apple computers.

A security researcher at a Canadian security conference won over $10,000 in prize money for attacking a completely patched OSX system.

Hackers in the “PWN2OWN” competition at CanSecWest were given the choice of attacking Vista SP1, OSX 10.5.2 or Ubunti 7.10. The winner of the competition, Charlie Miller, chose OSX as his platform, explaining “it was the easiest one of the three”. He exploited a Safari vulnerability and compromised the system within the space of two minutes.

This doesn’t mean that there will suddenly be an deluge of OSX attacks. Windows is, without doubt, the platform of choice to exploit. Just a heads up for all those Mac users out there.

http://www.computerworld.com.au/index.php?id=790701222&eid=-144

In questi giorni a Vancouver si tiene il CanSecWest 2008, evento dedicato alla sicurezza informatica. All’interno di questa manifestazione si svolge un simpatico contest. Tre laptop, più esattamente:

• VAIO VGN-TZ37CN running Ubuntu 7.10
• Fujitsu U810 running Vista Ultimate SP1
• MacBook Air running OSX 10.5.2

sono dati in pasto agli hacker. Che riesce a violarli si porta a casa 10000$. L’hacker è infine tenuto a non rivelevare le modalità dell’attacco.

Bene. Il MacBookAir è stato violato in 2 minuti da Charlie Miller, con tanti saluti alla presunta sicurezza offerta da casa Apple. Il laptop con Vista a bordo ha richiesto due giorni di lavoro e l’aiuto di un collaboratore: alla fine Shane Macaulay e Derek Callaway hanno bucato il sistema che, aggiornato al service pack 1, si è rivelato più ostico del previsto. L’unico rimasto è il laptop con Linux. Ma non perché a prova di hacker. Sono invece stati diversi i bug rinvenuti nel sistema, solo che nessuno si è voluto cimentare a scrivere codice per attaccare la LinuxBox.

Fatta l’ovvia premessa che non è dagli hacker che ci dobbiamo guardare ( che, ricordiamolo, non sono pirati informatici ) viene comunque il dubbio che forse la sicurezza oggi è offerta più che dagli sviluppatori dalla solidarietà di chi attacca. A patto che abbiate Linux!