Information Security News mailing list archives

MacBook hacked in contest at security event
From: InfoSec News <alerts () infosecnews org>
Date: Mon, 23 Apr 2007 00:15:45 -0500 (CDT)

http://news.com.com/MacBook+hacked+in+contest+at+security+event/2100-7349_3-6178131.html

By Joris Evers
Staff Writer, CNET News.com
April 20, 2007

Update - VANCOUVER, B.C.-- Shane Macaulay just got himself a free MacBook.

Macaulay, a software engineer, was able to hack into a MacBook through a 
zero-day security hole in Apple's Safari browser. The computer was one 
of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the 
CanSecWest conference here.

The successful attack on the second and final day of the contest 
required participants to surf to a malicious Web site using Safari -- a 
type of attack familiar to Windows users. CanSecWest organizers relaxed 
the rules Friday after nobody at the event had breached either of the 
Macs on the previous day.

Macaulay teamed with Dino Dai Zovi, a security researcher until recently 
with Matasano Security. Dai Zovi, who has previously been credited by 
Apple for finding flaws in Mac software, found the Safari vulnerability 
and wrote the exploit overnight in about 9 hours, he said.

"The vulnerability and the exploit are mine," Dai Zovi said. "Shane is 
my man on the ground."

Apple spokeswoman Lynn Fox declined to comment on the MacBook hack 
specifically, but provided Apple's standard security comment: "Apple 
takes security very seriously and has a great track record of addressing 
potential vulnerabilities before they can affect users."

Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced 
on Thursday if a previously unknown Apple bug was used. "Shane can have 
the laptop, I want the money," Dai Zovi said. TippingPoint runs the Zero 
Day Initiative bug bounty program.

A TippingPoint representative said the company would pay, after looking 
at the vulnerability. "If it is an actual zero-day in Safari that's fine 
with us," said Terri Forslof, manager of security response at 
TippingPoint.

The successful hack comes a day after Apple released its fourth security 
update for Mac OS X this year. The update repairs 25 vulnerabilities.

CanSecWest organizers set up the MacBooks connected to a wireless router 
and with all security updates installed, but without additional security 
software or settings.


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org

