Wednesday, April 02, 2008

PWN to OWN Sponsors Say Linux Not Immune To Hacking

PWN to OWN sponsors say it was actually a lack of interest in hacking Ubuntu not its immunity that saved it from falling victim to the hacking contest.

"There was just no interest in Ubuntu," said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint. She continued to say, "[Shane Macaulay's] exploit would have worked on Linux. He could have knocked it over. But [the contestants] get a lot more mileage out of attacks on the Mac or Windows."

Finding vulnerabilities for Mac and Windows are the ones that are going to get the press so obviously those are the ones you'd go after. there isn't a big draw to hack Linux machines, you don't get a lot of notoriety.

Last week we reported that the MacBook Air was the first victim of the contest. With the Vista equipped laptop falling second. However the Ubuntu equipped laptop could just have easily been the second victim leaving Vista unhacked.

Everyone has been quick to jump aboard Ubuntu and Linux and say its unhackable. In this case it simply isn't true. No one managed to crack any of the operating systems alone. It wasn't until the attack exposure was expanded that we saw any of the machines breached. First to any client-side application installed by default with the operating system, then to a larger group of third-party applications added to the machines.

Hacking operating systems is a lot hard to do than attacking applications. For the most part finding those types of vulnerabilities is also going to net you a lot more money than the contest offered. So it was unlikely that even if the contestants knew about any that they'd use them. Using application vulnerabilities found, and exploited, in applications such as Internet Explorer, Microsoft Word, Firefox, Adobe Reader and others is faster and easier.

According to ComputerWorld Vista Service Pack 1 was a lot tougher to hack than Shane Macaulay first thought.

"SP1 was a huge challenge to him," said Forslof. "When he walked in, he was strutting, he was going to own [that machine], he was going to break it in two minutes, he was going to wow the crowd."

Hover it didn't happen that way. Macaulay had prepared an exploit, but had very little time to test it on SP1. So he had to use a few more tricks and tactics to get the ball rolling.

"Microsoft has built a lot of things into its OS to make exploiting vulnerabilities more challenging," Forslof said, ticking off several defensive technologies, including ASLR (address space layout randomization). "Shane had to use some tricks to get that exploit to work on SP1."

According to Forslof, the Flash vulnerability Macaulay exploited on the Vista SP1 notebook is multiplatform and is present on both Mac OS X and Linux. So his exploit could have worked to bring down either of those machines as well.

If you'd like to read more about the contest checkout ComputerWorld's article Linux ignored, not immune, says hacker contest sponsor

No comments:

Post a Comment

All comments will be moderate for content, please be patient as your comment will appear as soon as it has been reviewed.

Thank you