
Thursday, March 25, 2010

I have said it countless times in the past:

Whatever locks... unlocks.

BUT... Don't spread the CLASSIC lies, fear, etc., because it WON'T work on you! In the hanged man's house they DON'T talk about rope. Or, as the old wise folk saying goes: "Said the donkey to the rooster: big-head."

Or in other words: GIVE US A BREAK, DALARAS.

In the upcoming days, some people will inevitably say “iPhone was hacked in 20 seconds” or “iPhone was first to be hacked,” implying that the Apple smartphone is the most insecure device tested at security contest Pwn2Own. However, most of these reports are conveniently missing the whole story.

Yes it happened. An exploit against the Apple iPhone was successful at Pwn2Own / CanSecWest 2010 today, on the first day of the hacker contest.

The press release goes: “Ralf-Philipp Weinmann (a postdoctoral researcher at the University of Luxembourg) and Vincenzo Iozzo (a researcher at zynamics) owned the iPhone at PWN2OWN today. A bug in Safari was exploited that extracted the SMS database from the phone and uploaded it to a server.”

Arstechnica wrote an article ahead of time titled: “iPhone will be first mobile device to fall at Pwn2Own 2010?” How did they know that?

Background

Pwn2Own 2010 is a hacking contest. It tests the security of popular operating systems, browsers, and software, including Mac OS X and Windows. Hackers prepare their exploits ahead of the contest and then unleash them on stage. The prize for a successful exploit is cash plus the device that was pwned.

In exchange for the prize, the hackers essentially sell the exploit to the contest, which will inform the software maker, and release the details of the hack when the software is patched.

It’s a great idea with the goal of making software safer, but some sensational headlines and misleading myths have resulted from the contest, including:

Apple device is hacked in xyz seconds
Mac / iPhone is first to be hacked

Myth: Apple iPhone Hacked in 20 Seconds

The exploit was prepared ahead of time; it did not take only 20 seconds to write. It took weeks to prepare. So saying the iPhone was “hacked in 20 seconds” is misleading. It’s like claiming Mac OS X was written in 30 seconds because that’s how long it takes Mac OS X to boot.

Myth: Apple iPhone First to Be Hacked

Security experts: nothing in the world is 100% secure. That means pretty much everything at this security contest will be hacked.

Everybody knows that successful hacking of Microsoft Windows / Internet Explorer is to be expected (it happens every day in the real world); therefore, exploits of Microsoft software will not gain many headlines.

However, Apple products are known to suffer almost no real life exploits. With that in mind, the Pwn2Own organizers scheduled Apple iPhone and Safari first in the contest, because it’ll get much more press coverage (instead of the business as usual reaction if a Microsoft product is hacked “first”).

Here’s the Pwn2Own 2010 contest schedule:

The Pwn2Own 2010 contest scheduled the iPhone in the 1st and 8th slots of the day, and the Apple Safari browser in the second and third slots. Microsoft Internet Explorer 8 on Windows 7 took the fourth and fifth slots.

Yellow journalism reports that “Safari on Mac OS X was the first to fall,” ignoring the fact that the other browsers were not scheduled until later in the day.

Contest Bias Against Apple?

Out of 8 slots (total of 9 but #6 was “?”) of the first Pwn2Own day, the contest leans disproportionately toward Apple products.

First Day Contest Time Allocation:

50% Apple iPhone / Safari
25% Microsoft Windows 7, Internet Explorer 8
12.5% Nokia
12.5% Mozilla Firefox 4

It seems the Pwn2Own contest organizer wants the “Apple hacked” headlines, as the following products are given no slot at all:

Not scheduled: Google Chrome
Not scheduled: RIM BlackBerry
Not scheduled: Motorola Droid
Not scheduled: Linux (missing from the contest)
Not scheduled: Windows Mobile (missing from the contest)

Perhaps Pwn2Own contest considers Google, RIM, Motorola, Linux, & Windows Mobile unimportant?

Microsoft Windows 7 / Mozilla Firefox Hacked

Microsoft Windows 7, Internet Explorer 8 Security

Microsoft CEO Steve Ballmer claims “Windows 7 is simple to use, responsive, and unobtrusively secure.” There are even some claims that Windows 7 is the most secure OS available. Well, it was hacked at Pwn2Own 2010.

Pwn2Own, thezdi (Twitter), Zero Day Initiative:
“Peter Vreugdenhil (@WTFuzz) succeeded against Internet Explorer 8 on Windows 7 with a technically impressive exploit bypassing DEP.”

DEP is the Microsoft “secure” Data Execution Prevention security measure.

Mozilla Firefox Most Secure Browser?

Some claim Mozilla Firefox is the most secure browser available.

Pwn2Own, thezdi, Zero Day Initiative:
“Nils from MWR InfoSecurity (@MWRLabs) succeeded against Firefox on Windows 7.”

Myth: Google Chrome “Not Hacked” At End of Contest First Day (Not Scheduled)

Google Chrome is not scheduled for the first day for some reason. Of course, someone will misinterpret it as Google Chrome browser is “still not hacked at the end of first day.”

Pwn2Own announced: “Wrapping up for the day. Chrome remains untested and therefore the only browser left standing.”

Yes, it does say “remains untested,” but the structure of the sentence could be easily misquoted as “Wrapping up for the day. Chrome … only browser left standing.” Again, Chrome was not tested, that’s why it’s still standing.

Smartphone Mobile Security

Android
- 2009: a malicious app that steals user information has already happened; this is not a theoretical exploit. The malicious Android app was approved by the Android Market a few months ago.

RIM BlackBerry
- 2007: a Symantec Security Response white paper by James O'Connor notes that while BlackBerry has a “comprehensive inbuilt security framework at both device and server level it is still susceptible to a number of potential attacks.” That is without even involving “vulnerabilities in the BlackBerry device due to hardware, operating system or firmware bugs.”

Apple iPhone Security: 2007, 2008, 2009

The iPhone was released in 2007. As recently as Pwn2Own 2009, security experts failed to hack the Apple iPhone.

The zynamics report on the 2010 iPhone hack: “In 2009, researchers failed to compromise the iPhone, confounding general expectations.”

Conclusion

Of course, like Mozilla and Microsoft, whose products were also hacked on the first day of the Pwn2Own contest at CanSecWest, Apple should also improve its security. However, one thing is clear: nothing is completely secure. It looks like whatever software is scheduled first in the Pwn2Own contest is highly likely to be hacked.

Keep in mind that if the organizers had scheduled Firefox first in the contest, Mozilla Firefox would be the “first to be hacked.” If the organizers had scheduled Microsoft Windows 7 / Internet Explorer first, W7 / I.E. would be the “first to be hacked.” See the point? Saying Apple software was the first to be hacked is a simple failure in reading comprehension.

The “hacked in 20 seconds” claim is also misleading. The exploit required weeks of planning, not 20 seconds.

Did the PC Pundits say how many seconds it took to hack Windows 7? What about how long it took to hack Firefox on Windows 7? How about the number of real world exploits against Windows?

Read the original article here.

And the article says little. Very little. The dirty trick hiding beneath all of this is MUCH bigger. But I won't spoon-feed you the whole meal. Eat a little on your own, too.
