My last blog talked about Vancouver's CanSecWest, and I promised to give a wrap-up of BlackHat Europe today. But I lied. Actually, I wanted to tie up some loose ends on CanSecWest before discussing BlackHat.
First, as most now know, in the PWN 2 OWN contest the Fujitsu Vista machine was finally compromised by Shane Macaulay of Security Objectives, with a little help from Alexander Sotirov. For those who forgot, Shane "Mac hack a day" was last year's winner, taking down a Mac with a Safari 0day vulnerability. This year, though, he pwnd Windows Vista Ultimate SP1 with an Adobe Flash 0day.
The Linux machine, running Ubuntu 7.10, was the only box left standing. Why? There are several theories circulating (too difficult, more secure, less interest, respect for open source), but you won't hear any speculation here.
However, I do want to comment, not speculate, on some of the post-conference internet buzz regarding this event. It seems as though many of the individuals reporting on the PWN 2 OWN contest were not familiar with its workings. I will try to clarify a few things.
First, after details of the Zero Day Initiative (ZDI) cash incentive were known, DVLabs laid down the final rules on their blog here. Not a whole lot changed, but for those unfamiliar with the contest details, you should check out that blog link. For those too lazy, I'll summarize.
You have three laptops, three operating systems, and three days to hack. Most people got that part right. What seemed to elude much of the media were the rules, or perhaps "layers," that changed with each day. The first day was limited to remote exploitation: attacks over the network against the operating system and its default services, with no user interaction. The second day opened up attacks on the default client-side applications that access the internet (browser, mail client, and so on). Finally, for the third day, some well-known third-party applications were installed on the machines. For example, with Flash installed, Shane was able to exploit that third-party app to 0wn the machine.
What so many journalists missed in their sensationalism was the concept of 0day exploits. A 0day exploit is not named so because a hacker conceived it in less than one day. It usually takes at least one, or sometimes two days, to create a 0day, although mathematically that's kind of illogical. But seriously, the "zero" counts the days the vendor has had to fix the bug (none, which is why no patch exists), not the time it took to write the exploit. The headline news of the MacBook Air being 0wnd in two minutes sounds great, but it is a little inaccurate.
Crafting a 0day takes lots of time, lots of open source, and lots of Linux. The exploits were authored in advance (hence, pre-auth), and the conference acted as a venue to demonstrate (or attempt) these new exploits against fully patched machines. While Charlie Miller may have taken two minutes to successfully execute his exploit, he didn't just sit down, figure it out, and write it from scratch in two minutes. If he did... well... then that may be a sign that I've been out of the hacking arena for too long, and should probably be blogging about finding software Easter eggs.
Anyway, the other issue I wanted to mention is the order in which the machines were hacked. There has been lots of opinionated posting that questions the participants' personal motivation. My own two cents about this wouldn't equal a penny, so I'll spare you. But I will tell you what, most likely, were not the motivating factors.
Several people have stated that the laptops were hacked sequentially according to their monetary value. The intellectual force that drives the hacker psyche to find vulnerabilities is not that of a free laptop (even a MacBook Air). The ZDI-sponsored cash of $20,000 (day 1) would be enough incentive for many people to do all sorts of things. But once again, this was not the main reason why these talented individuals were competing at CanSecWest. Most black hats know that the way to make real cash from a 0day is to keep it a 0day, and exploit it until it's discovered. I only know that because someone had scribbled it on the back of my used Orange Book.
Catalyzed by a passion for understanding computer systems, the challenge of discovering vulnerabilities overlooked by teams of professionals employed by multi-billion dollar companies can produce an intoxicating determination: the hacker mentality. Maybe it's my age (while age > 20 and < 40 do) and being a little old school, but it's usually curiosity that killed the OS.
Actually, I think they were all really trying to win one of the new Zero Day Initiative laptop bags. I'll wait and get mine on eBay.
I will get to talking about BlackHat Europe. Tomorrow.
Send me your NEXTSTEP 0day exploits at:
With 20+ years of industry experience, Noah Schiffman is a former black-hat hacker turned security consultant. Coding at an early age, he developed one of the early text/graphic editing applications and started his first software company in 1980 when he was 11 years old. With the advent of networking technologies, he soon mastered the art of manipulating telco switching systems, known as "Phone Phreaking". This soon led to his career as a computer hacker, performing penetration testing, reverse engineering, cryptographic attacks, corporate espionage, digital surveillance and other ethically questionable projects.
His clients have consisted of Fortune 500 companies and various government agencies.
He has authored a number of articles for SearchSecurity.com, on topics ranging from kernel mode and metamorphic viruses to corporate data loss prevention.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.