Tech Press Self-Immolation:Blundered Pwn2Own Reporting

Tech press TechTardiness abounds. It is no surprise that certain dimwits blundered their reporting of the Pwn2Own contest at CanSecWest. My net compatriot Daniel Eran Dilger covered it laudably today in his article:

CanSecWest security competition falsely portrayed, again

Read and enjoy!

64-bit 7ista Twice Hacked via both IE 8 and Firefox 3!The End Is Nigh!

I should also mention that both Mac OS X 10.6 Snow Leopard and the iPhone got hacked via Safari. Just doing a little back-at-you priority swapping. These days it is a BIG DEAL when Mac OS X gets hacked because of its reputation as the safest GUI OS on the planet. Hacking Windows is ho hum because it happens every day.

Here are some links to somewhat detailed articles about the Day 1 results from the Pwn2Own contest at CanSecWest 2010 in Vancouver, Canada:

TippingPoint blog.
CNet.
MacWorld.

The contest still has two more days of hacking to go. But here is the current list of winners from Day 1:

PWNED! Vincenzo Iozzo and Ralf Philipp Weinmann - iPhone
PWNED! Charlie Miller - Safari [on Mac OS X 10.6]
Nils - Safari (Prize Claimed) [on Mac OS X 10.6]
PWNED! Peter Vreugdenhil - Internet Explorer 8 [on 7ista]
MemACCT - Internet Explorer 8 (Prize Claimed) [on 7ista]
Anonymous - Nokia
Anonymous - iPhone (Prize already won)
PWNED! Nils - Firefox [on 7ista]

Congratulations to all the hackers and thank you for making it clear that Internet surfing can be dangerous no matter the operating system or web browser. Details of each zero day hack are not published until they have been addressed by the companies or groups in charge of affected programs and operating systems. When the Mac OS X hacks have been published, I'll report them and provide links here.

I'll also post more from CanSecWest as it progresses. Dr. Charlie Miller will be presenting his 20 Mac OS X 10.6 Snow Leopard hacks.

The successful hacking of Windows 7ista is of particular interest because it involved bypassing the much lauded ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) built into 7ista. So much for those security technologies!

In each hack the victim computers were directed to websites containing exploit code. I'm going to hazard a wild guess that the sites used code written at least in part in the catastrophic mess known as ECMAScript, aka JavaScript/JScript. Readers of this blog will already know my low opinion of this scripting language and my desire that it be banished from the Internet forever. Listeners to the SecurityNow Podcast know that Steve Gibson of Gibson Research Corporation (GRC) called out ECMAScript as dangerous years ago. He recommends surfing the net with scripting turned OFF in all web browsers by default, only turning it on at trusted websites.

Java exploits are also well known at this time, indicating the need to also turn off Java while surfing the net, except again at trusted websites. What a shame.

(Note that JavaScript and Java have nothing whatsoever to do with each other apart from a similar name caused by a marketing moron deal between Netscape and Sun Microsystems, both companies now defunct).

'Tis The Season For Pwn2Own!

--
FUD FUD FUD FUD FUD!
FUD FUD FUD FUD!













This is the time of year when, historically, anti-Apple security FUD is at its highest pitch. The great event begins March 24th. Our dubious hacking heroes Dr. Charlie Miller and Nils will be participating.

Pwn2Own 2010
BY AARON PORTNOY
MON 15 FEB 2010 16:41PM

The TippingPoint Zero Day Initiative (ZDI) is proud to announce that the annual Pwn2Own contest is back again this year at the CanSecWest security conference held in Vancouver, BC on March 24th 2010. As the contest name implies, if you successfully exploit a target you get to keep it along with a ZDI cash prize and related benefits. This is our 4th year running and to commemorate we have increased the total cash prize amount to $100,000 USD. If you're unfamiliar with the past history of this competition check out the archived 2008 and 2009 blog entries.

When the contest starts, you can follow the results at TippingPoint's blog HERE. The favorite to lose this year is Microsoft Internet Explorer, either or both versions 7 and 8. Here is the schedule posted by ZDNet:

Day 1:
Microsoft Internet Explorer 8 on Windows 7
Mozilla Firefox 3 on Windows 7
Google Chrome 4 on Windows 7
Apple Safari 4 on Mac OS X Snow Leopard

Day 2:
Microsoft Internet Explorer 7 on Windows Vista
Mozilla Firefox 3 on Windows Vista
Google Chrome 4 on Windows Vista
Apple Safari 4 on Mac OS X Snow Leopard

Day 3:
Microsoft Internet Explorer 7 on Windows XP
Mozilla Firefox 3 on Windows XP
Google Chrome 4 on Windows XP
Apple Safari 4 on Mac OS X Snow Leopard

ZDNet also reports that a number of mobile devices are part of a second set of hacking contests:

Apple iPhone 3GS
RIM Blackberry Bold 9700
A Nokia device running Symbian S60 (likely the E62)
A Motorola phone running Android (likely the Droid)

Apple, apparently in preparation for Pwn2Own, released Safari v4.0.5 on March 10, 2010. It patched 16 security vulnerabilities. You can read about it HERE and HERE. Six patches were specifically for the Windows version of Safari. The other ten patches affected both Mac and Windows versions of Safari. Nine of the patches were specifically for WebKit, which is an Open Source project used in a number of web browsers, including Safari, OmniWeb, Chrome, Shiira, Midori, S60, Android and the Palm Pre web browser. Four of the patches patched the ImageIO used in the version for Windows. Does this cover the gamut of security vulnerabilities in Safari? The hackers at Pwn2Own consistently have surprises up their sleeves.

You can read the details of this year's Pwn2Own contest HERE.

The general concept of the contest is to gather contestants and provide them with a hacking events schedule well ahead of time. The contestants typically come to the contest prepared with a specific hack or set of hacks they will use on the target computers via interaction with the accompanying web browser. This year the contest is somewhat different in that each successive day will include the hacking of older versions of Internet Explorer with older versions of Windows. But the general contest provides three days of hacking using three pairings of web browsers and operating systems. Day 1 does not allow any access to applications on the target computer. Day 2 allows what I call 'LUSER sabotage' access to the target computers via default installed applications for each operating system. Day 3 provides popular third party applications on each computer that can be used as part of 'LUSER sabotage' hacking.

In years past the FUD mongering contingent have danced around like village idiots pointing out how quickly Macs have been hacked on Day 2. In reality, the speed of any hack is nearly irrelevant. This is due to the weeks of preparation provided to all contestants, who presumably have already proven their zero day hacks before the contest has begun. What is relevant is the existence of the hack and how much 'LUSER sabotage' is required to apply it.

This year two senior contestants, Dr. Charlie Miller and Nils, will be using Safari v4.0.5 to hack into Mac OS X 10.6.2 Snow Leopard. Vincenzo Iozzo and Ralf Philipp Weinmann, as well as an 'anonymous' human, will be hacking into the iPhone.

One concern I have this year is that Safari is not being used to hack into any version of Windows. Instead only IE 7 & 8, FireFox 3 and Chrome 4 are being tested. Presumably the choices of Windows browsers were made according to market share as well as hacker interest. I'm also a bit annoyed that no Windows Mobile phones were included in the contests. Microsoft have announced the dumping of their current mobile OS for an entirely new mobile OS. But there is no reliable time line for this change, making the hackability of current Windows Mobile devices entirely relevant.

Hack and Enjoy!

Intego VirusBarrier Review Part II

--
My friend and former employer Michael Flaminio posted a very nice video review of Intego VirusBarrier version 10.6 over at Insanely-Great Mac. You can also access it at YouTube. I could not provide any improvement over Michael's review, so please give it a viewing! VirusBarrier is the only Mac OS X anti-malware program I can recommend for individual users. See my Part I review for further details and opinions regarding the program.

This past week someone told me that FUD mongers Symantec have finally gotten their act together, allowing their Norton Anti-Virus program to work properly without damaging your hard drive. Imagine that! I am seeking verification that this is indeed the case, if anyone would please let me know. Much obliged. If I get enough happy shiny smiley stories I may dare to perform some testing on the latest version myself.

Happy spring to the northern hemisphere! Happy fall to the southern hemisphere. (-_^)
--

Another Scathing MacScan Review

--
If you read my stuff, you know I despise ripoffs. This week MacScan is being sold as part of the MacUpdate promo bundle, advertised as a 'security' program. Not much of one IYAM. Today I posted an updated review of MacScan at VersionTracker.com. I decided to provide it here as well:

Just to keep this issue hot on the burner:

Much as I very much like the idea of what MacScan is 'supposed' to do, it FAILs.

1) If you want to detect all the 'malware' on your Mac, you have to run the thing OVER and OVER and OVER. One run is never enough. That's crap programming. And yes folks: I personally have been telling them this for YEARS and YEARS and YEARS. Then they do nothing to improve their detection engine. Instead they post friendly little notes asking for more feedback. Right.

2) Their list of Trojan horses has NEVER been adequate. Right now there are 4 types of Mac OS X Trojans with a total of 22 different strains. MacScan does NOT detect all of them. So what's the point?

3) It claims to find 'spyware', but there is NO illicit spyware for Mac OS X. Not a one. Everything MacScan detects is 'legal' spyware that is freely sold commercially or as shareware to be used by employers or owners of computers in order to keep track of where their users are going and what they are doing with their computers, particularly useful for parents who care about their children. Detecting such stuff can be very useful if someone has secretly installed one of these things on your Mac for nefarious purposes. But this stuff is NOT malware.

4) It is debatable whether tracker cookies are malware. At worst they are a violation of your personal privacy. So turn on the setting in your browser that prevents downloading 3rd party cookies and turn off the setting in Flash that allows any site to put cached data on your computer. You're done. That's for free. It doesn't require MacScan.

I seriously hope MacScan can actually, factually improve and become a useful product that does what it says. But for now it is junkware, not worth paying for, well worth ignoring in favor of real anti-malware applications like VirusBarrier, ClamXav, and iAntiVirus.

--