
Friday, September 13, 2013

Mobile Pwn2Own Offering $300K In Prize Money

The second annual Mobile Pwn2Own contest will take place in Tokyo, Japan on Nov. 13-14, TippingPoint announced on its company blog today. This year's event will offer up to $300,000 in prize money to researchers who can successfully demonstrate attacks against mobile services and browsers.

This year’s Mobile Pwn2Own contest is offering the following prizes in the following categories: 
  • Short Distance/Physical Access ($50,000), either:
    • Bluetooth, or
    • Wi-Fi, or
    • Universal Serial Bus (USB), or
    • Near Field Communication (NFC)
  • Mobile Web Browser ($40,000)
  • Mobile Application/Operating System ($40,000)
  • Messaging Services ($70,000), either:
    • Short Message Service (SMS), or
    • Multimedia Messaging Service (MMS), or
    • Commercial Mobile Alert System (CMAS)
  • Baseband ($100,000)
Contestants are allowed to select the target they wish to compromise during the pre-registration process.  The exact OS version, firmware and model numbers will be coordinated with the pre-registered contestants. The following targets are available for selection:
  • Nokia Lumia 1020 running Windows Phone
  • Microsoft Surface RT running Windows RT
  • Samsung Galaxy S4 running Android
  • Apple iPhone 5 running iOS
  • Apple iPad Mini running iOS
  • Google Nexus 4 running Android
  • Google Nexus 7 running Android
  • Google Nexus 10 running Android
  • BlackBerry Z10 running BlackBerry 10
In addition, Google’s Chrome Security Team, in conjunction with the Chrome on Android team, is sponsoring a top-up reward for the Mobile Web Browser category. If a contestant successfully compromises Chrome on Android, either on Google Nexus 4 or Samsung Galaxy S4, the prize amount will be bumped by $10k to make it a total of $50,000. There may be additional winners in the Mobile Web Browser category if the contestant is specifically targeting Chrome on Android, either on the Google Nexus 4 or Samsung Galaxy S4.

For those looking to enter, the full contest rules are listed here. For those geeks who want to stay updated on the contest, ZDI will be tweeting regular updates and news on Mobile Pwn2Own up to and during the contest. You can follow them at @thezdi on Twitter or search for the hash tag #pwn2own.

Tuesday, January 29, 2013

Google Bets Big On Chrome OS Offers Pwnium Hackers $3.14M In Potential Prizes

Google has a long-standing history of betting big on its products. They were one of the first companies to offer the public bug bounties for their Chrome browser and just last year took things to a new level with the $1 million sponsorship of "Pwnium". Now the search giant is taking things to new heights, tripling the maximum total prize money to $3.14 million.

Dubbed Pwnium 3, this new challenge will open the door for researchers to set their sights on Chrome OS, Google's browser-based operating system that has been gaining a bit of traction thanks to the Chromebook. The contest will reward those who can hack the operating system with individual prizes of $110,000 and $150,000, with a max total of up to $3.14159 million.

The attack must be demonstrated against a base (WiFi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS. Any installed software (including the kernel and drivers, etc.) may be used to attempt the attack.

Pwnium 3 will take place alongside Pwn2Own during the CanSecWest security conference held March 7th in Vancouver, British Columbia. Google will also partner with HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program to host Pwn2Own. That contest, with $560,000 in total cash prizes, will focus on Web browsers, including Chrome, Microsoft's Internet Explorer (IE) and Mozilla's Firefox, as well as plug-ins from Adobe and Oracle.

Google withdrew support for last year's event, citing differences over what information was going to be made available concerning the exploits used in achieving the hacks. Full exploit details have traditionally been handed over after the contest; last year, however, handing them over was explicitly not required, which Google felt was unacceptable.

"This year, we've teamed up with ZDI by working together on the Pwn2Own rules and by underwriting a portion of the winnings for all targets," said Evans about the new understanding between Google and HP TippingPoint. "The new rules are designed to enable a contest that significantly improves Internet security for everyone. At the same time, the best researchers in the industry get to showcase their skills and take home some generous rewards."

Friday, January 18, 2013

Pwn2Own 2013 Going To Be Bigger Than Ever With Record $560K In Prize Money

This year's Pwn2Own hacking contest promises to be bigger and better than ever with HP TippingPoint, the long-time organizer of Pwn2Own, revamping the challenges and offering cash awards exceeding half a million dollars.

For the 2013 contest, HP’s DVLabs Zero Day Initiative (ZDI) is expanding the focus of the annual Pwn2Own competition beyond vulnerabilities in the web browser alone. This year the contest covers not just the browser itself but also browser-based plug-ins, which are often the target of malicious attacks. Hackers will be allowed to target and demonstrate exploits of previously-unknown vulnerabilities in Chrome, Firefox, Internet Explorer (IE) or Safari as well as popular add-ons like the Adobe Reader, Adobe Flash or Oracle Java browser plug-ins.

HP ZDI is offering more than half a million dollars (USD) in cash and prizes during the competition for vulnerabilities and exploitation techniques in the below categories. The first contestant to successfully compromise a selected target will win the prizes for the category.
  • Web Browser
    • Google Chrome on Windows 7 ($100,000)
    • Microsoft Internet Explorer, either
      • IE 10 on Windows 8 ($100,000), or
      • IE 9 on Windows 7 ($75,000)
    • Mozilla Firefox on Windows 7 ($60,000)
    • Apple Safari on OS X Mountain Lion ($65,000)
  • Web Browser Plug-ins using Internet Explorer 9 on Windows 7
    • Adobe Reader XI ($70,000)
    • Adobe Flash ($70,000)
    • Oracle Java ($20,000)
The targets will be running on the latest, fully patched versions of Windows 7, Windows 8, and OS X Mountain Lion. All targets will be installed in their default configurations, as this is how a majority of users will have them configured. As always, the vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories.

The contest will take place the 6th, 7th, and 8th of March in Vancouver, British Columbia during the CanSecWest 2013 conference. You can follow along as the contest plays out and get real-time updates by following either @thezdi or @Pwn2Own_Contest on Twitter or search for the hash tag #pwn2own.

For more details check out: DVLabs Pwn2Own 2013

Thursday, September 20, 2012

iPhone 4S, Samsung Galaxy S3 Hacked At Mobile Pwn2Own

TippingPoint DVLabs and the Zero Day Initiative (ZDI), the major sponsors for the infamous Pwn2Own hacking contest, have created a new mobile-only version of the Pwn2Own competition. The primary goal of the new contest is to demonstrate the current security level of the most prevalent mobile technologies in use today, including attacks on mobile web browsers, mobile operating systems, Near Field Communication (NFC), Short Message Service (SMS), and the cellular baseband.

During this week's competition held alongside the 2012 EUSecWest conference in Amsterdam, Netherlands, hackers had the chance to try to exploit several of today's most popular phones running the latest operating systems on the market. Among the options were several Android based phones, an Apple iPhone 4S running iOS 5.1.1, a BlackBerry Bold 9900 and two phones running Windows Phone 7.5.

As of today, only two phones had been exploited. The first was the iPhone 4S, which was exploited via a bug in WebKit. According to ZDNet, security researchers Joost Pol and Daan Keuper, of Certified Secure, exploited a WebKit vulnerability to launch a drive-by-download to hijack the address book, photos, videos, and browsing history from a fully patched iPhone 4S.

The attack works on iOS 5.1.1 and the developer release of iOS 6, as well as on the iPad, iPhone 4, and previous versions of the iPod Touch, Pol told ZDNet.

The second phone to fall victim to hackers was the Samsung Galaxy S3, which was hacked via NFC, allowing the attackers to download all the data from the Android based smartphone. Researchers from security company MWR Labs were able to beam a malicious file over an NFC (Near Field Communication) connection by holding two Galaxy S3s next to each other.

Using this technique, a file is loaded on the targeted S3. The file is then automatically opened and gets full permissions, meaning that the attacker has full control over the phone, explained Tyrone Erasmus, security researcher at MWR. The app runs in the background so the victim is unaware of the attack. The attacker can gain access to all SMS messages, pictures, emails, contact information and much more. The payload is very advanced, so attackers can "basically do anything on that phone," the researchers said.

The exploit is aimed at a document viewer application that comes as a default installed app on the Galaxy S2, S3 and some HTC phones, the researchers said. They wouldn't say which specific app is targeted because they did not want others to take advantage of the exploit. The vulnerability was tested on both the S2 and the S3, and worked on both phones, they said.

For their successful exploits, both teams were rewarded $30,000 cash and other prizes, such as a BlackBerry Playbook tablet from sponsor Research in Motion. For more details on the Pwn2Own mobile contest you can follow either @thezdi on Twitter or search for the hash tag #pwn2own. For details on the phones used in the contest or contest rules, check out the TippingPoint Blog.


Thursday, March 10, 2011

Pwn2Own Day Two: iPhone 4, BlackBerry Both Go Down

On day two of Pwn2Own, security researchers had their chance to take on several of the market's latest smartphones. Included were an Apple iPhone 4, RIM BlackBerry Torch 9800, Nexus S running Google's Android and Dell Venue Pro running Windows. At the end of the day only two challengers remained unbroken, the Dell and the Nexus S, both of which went unchallenged.

Longtime Pwn2Own contestant Charlie Miller became the first four-time winner, teaming with Dion Blazakis to take down the iPhone 4. The hack utilized a drive-by exploit on a rigged web page. Once the phone visited the page, a flaw in MobileSafari was exploited to swipe the phone’s address book.

In an interview with ZDNet, Miller said the attack works perfectly against an iPhone running iOS 4.2.1 but will fail against the newest iOS 4.3 update.

“If you update your iPhone today, the [MobileSafari] vulnerability is still there, but the exploit won’t work. I’d have to bypass DEP and ASLR for this exploit to work,” Miller said.

On the BlackBerry, a multi-national team composed of Vincenzo Iozzo, Ralf-Philipp Weinmann and a third researcher from the Netherlands successfully hacked their BlackBerry Torch by combining two information leak bugs and an integer overflow bug. The WebKit-based BlackBerry browser was exploited to run their code on the phone.

The teams each will receive a check for $15,000 from TippingPoint, as well as the smartphones they exploited, in a ceremony Friday at CanSecWest.

There is still one more day of the contest; however, it is unlikely that anyone will step forward to attempt exploits of the still-standing browsers and smartphones. No one, for instance, has attempted Mozilla's Firefox, Google's Chrome or the other two smartphones.


Day one results: Pwn2Own Day One: No Surprises Here Safari, IE Both Hacked

Wednesday, March 09, 2011

Pwn2Own Day One: No Surprises Here Safari, IE Both Hacked

For followers of the now highly publicized Pwn2Own hacking contest, it should come as little surprise that both Apple's Safari and Microsoft's Internet Explorer have fallen on the first day.

Taking just short of 5 seconds and despite a last-minute update from Apple, Safari was the first to be cracked by security researchers from the French penetration test company VUPEN. Reportedly the team used a known flaw in Apple's Calculator program to execute a bypass of ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two key anti-exploit mitigations built into Mac OS X.

Apple had released a last-minute update that patched 62 vulnerabilities in various aspects of Safari 5.0.3. This, however, was of little consequence to the contest, as the MacBook Air used in the contest was still running the older unpatched version. TippingPoint cannot disclose the nature of the vulnerability but has said the vulnerability used by VUPEN to hack Safari has not been fixed in 5.0.4, otherwise they would not have awarded the $15,000 prize.

VUPEN won a $15,000 cash prize and an Apple MacBook Air 13″ running Mac OS X Snow Leopard.

A second researcher, Stephen Fewer, successfully hacked into a 64-bit Windows 7 machine running Internet Explorer 8 using three different vulnerabilities and custom exploits. Fewer used two different zero-day bugs in IE that he’d found previously to get reliable code execution, and then exploited a third vulnerability that allowed him to jump out of the IE Protected Mode sandbox to get to the operating system.

Like VUPEN, Fewer’s attack also successfully bypassed DEP and ASLR in Windows 7. Fewer won a $15,000 cash prize and a new Sony Vaio laptop running Windows 7 for being the first contestant to hack the Windows browser.

Firefox and Google Chrome stood untested, with the attempts at hacking Firefox being rescheduled to Thursday and the contestants scheduled to test Google Chrome being no-shows. Thursday will also feature attempts at hacking the four smartphones slated for this year, including an iPhone 4 running Apple's iOS 4.2, a Nexus S running Google's Android (version unknown), a Dell Venue Pro running Windows 7 and a Blackberry Torch 9800 running the Blackberry 6 OS. TippingPoint will award $15,000 for the first hack of each of the smartphones.

The contest will continue through the CanSecWest conference ending March 11th.

Thursday, February 03, 2011

Google Ups The Ante At Pwn2Own 2011 Offers $20k For Chrome Hack

Google reportedly raised the stakes for this year's Pwn2Own hacking contest, offering up an additional $20,000 for anyone who successfully hacks into Google Chrome.

Organized by the Zero Day Initiative (ZDI) team at security researchers TippingPoint, the 5th annual Pwn2Own 2011 contest pits security teams against some of your favorite operating systems equipped with the web's best browsers, as well as some of our favorite smartphones. This year the contest will offer up to $125,000 in prizes ($105k plus Google's bonus) for the teams that find and exploit security holes in Internet Explorer, Safari and Firefox, as well as in Windows Phone 7, iOS, Blackberry 6 and Android.

To walk off with Google's $20,000 the researchers must find and exploit two vulnerabilities in Google's code and successfully break out of the browser's protective sandbox on Pwn2Own's first day. Only on the second and third days of the contest can researchers employ a non-Chrome bug, say one in Windows, to break out of the sandbox. A successful attack on the second and third days will still put $20,000 in the researcher's pocket, but only $10,000 of that will come from Google; TippingPoint will pony up the other $10,000.

Charlie Miller, the only researcher to have won Pwn2Own prizes three consecutive years, wouldn't commit last week to trying again, but on Wednesday he noticed the $20,000 for Chrome.

"Pwn2own now offering 20k for attack on Chrome," said Miller on Twitter. "Must be hard, glad Mac OS X doesn't sandbox their browser."

It would be great to see if Miller has anything up his sleeve for Chrome, and the additional bounty might just be what's needed to entice him to enter again this year.

The contest will be taking place on the 9th, 10th, and 11th of March, 2011 in Vancouver, BC during the CanSecWest conference. This blog post will be updated as the contest plays out, but for real-time updates you can follow either @thezdi or @aaronportnoy on Twitter or search for the hashtag #pwn2own.

Thursday, March 25, 2010

Miller Snubs Apple and MS Says 'Find Your Own Bugs'

Following his feats at Pwn2Own, security researcher Charlie Miller gave the snub to software giants Apple, Microsoft and Adobe when he refused to provide the companies with the more than 20 vulnerabilities he has found in their software.

When Miller took the floor at CanSecWest, many believed that his intent was to fully disclose the vulnerabilities he found; however, that was never his intention. He instead demonstrated how he found the vulnerabilities, hoping that Apple, Microsoft and other vendors would listen to what he had to say.

Using a "dumb fuzzer", which is basically just a few lines of code that search for flaws in software by inserting data to see where the program fails, Miller quickly uncovered 20 vulnerabilities across several different applications, including Apple's Mac OS X 10.6, aka Snow Leopard, and its Safari browser; Microsoft's PowerPoint presentation maker; Adobe's popular PDF viewer, Reader; and OpenOffice.org, the open-source productivity suite.

"People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said. "What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing." That, Miller maintained, would mean more secure software.

"We find a bug, they patch it," said Miller. "We find another bug, they patch it. That doesn't improve the security of the product. True, the software gets incrementally better, but they actually need to make big improvements. But I can't make them do that."

Miller's hope is that vendors like Microsoft, Apple and Adobe, which spend millions of dollars and have teams of security engineers and scores of machines running fuzzers looking for flaws, will step up and learn from something that one researcher with three computers has done in a short time. If the companies duplicate his work and maybe, just maybe, are motivated to do more of their own research prior to releasing the software, they can learn to find these flaws before the release rather than taking findings from researchers after the fact and creating a reactionary fix.

Wednesday, March 24, 2010

Hackers Go Four-for-Four As Firefox 3 on Windows 7 Falls at Pwn2Own

I see a recurring theme here: all four teams that have competed at this year's Pwn2Own contest have successfully exploited their targets and compromised the machines at hand. This time it was a Windows 7 equipped machine running Firefox 3.

@TheZDI Nils from MWR InfoSecurity (@MWRLabs) succeeded against Firefox on Windows 7 with the quintessential calc.exe launching payload.

As with most of the hacks, there aren't many details given out as to how they were accomplished. It's really not surprising me that most have fallen, but what is surprising me is the rate at which they are being exploited. In most cases it has taken less than 30 minutes. Now keep in mind most of these target hacks are exploiting third party software and not the OS itself, but it's still a bit unnerving.

Update: Via Threat Post

A 26-year-old German hacker known simply as "Nils" exploited a previously unknown vulnerability in Mozilla Firefox to take complete control of a 64-bit Windows 7 machine. "Nils", who heads up the security research team at U.K.-based MWR InfoSecurity, used several tricks to bypass Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to get his drive-by download to load an executable on the target machine.

ASLR+DEP are held up as significant roadblocks to thwart malware attacks on the newest versions of Windows but, as this contest shows, skilled hackers with enough motivation and resources can bypass those mitigations easily.

Nils said Mozilla can do a better job of opting into ASLR on Windows, a clear hint that implementation errors make it easy to bypass the Windows defenses.

Windows 7 And IE8 Fall At Pwn2Own

So far the hackers are three for three at Pwn2Own, with the ZDI now confirming that Windows 7 and Internet Explorer 8 have fallen.

@thezdi Peter Vreugdenhil (@WTFuzz) succeeded against Internet Explorer 8 on Windows 7 with a technically impressive exploit bypassing DEP.

It'll be interesting to see if the rest of the smartphones, the RIM Blackberry Bold 9700, the Nokia E72 device running Symbian and the HTC Nexus One running Android, as well as the two browsers, Google Chrome 4 and Mozilla Firefox 3, can withstand the onslaught.

Update: Via Threat Post
Dutch hacker Peter Vreugdenhil pulled off an impressive CanSecWest Pwn2Own victory here, hacking into a fully patched 64-bit Windows 7 machine using a pair of Internet Explorer vulnerabilities.

Vreugdenhil, an independent researcher who specializes in finding and exploiting client-side vulnerabilities, used several tricks to bypass ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two significant security protections built into the Windows platform.

“I started with a bypass for ASLR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP bypass,” he added.

Update: Via PCWorld

"[The exploit] reuses Microsoft's own code to disable DEP," said Vreugdenhil. "You can reuse Microsoft's own code to disable memory protection."

In a paper he published today ( download PDF ), Vreugdenhil spelled out how he evaded both ASLR and DEP in more detail.

"It was a two-step exploitation," Vreugdenhil said of the unusual attack. "I could have done it with one, but it would have taken too long." Using the double-exploit technique gave him control of the machine in a little over two minutes; if he had used only one exploit, the task would have required 50-60 minutes.

"I didn't know how much time I would have at Pwn2Own," he said, referring to the constraints of the contest, where hackers had limited time slots. And he didn't want to bore his audience. "I put some eye candy in the exploit," he said, referring to a progress bar he inserted that read "Please be patient while you are being exploited..."

MacBook Pro Running OS X Falls In Under A Minute @Pwn2Own

Correction: Miller actually hacked the fully patched MacBook Pro in under 10 seconds!!

Wow, Charlie wasn't kidding when he said he had a bag full of hacks ready for this year's Pwn2Own. The ZDI just confirmed that Miller (@0xcharlie) successfully hacked the MacBook Pro running OS X via Safari in what looks like less than a minute's time. His payload returned a full command shell.

@thezdi Charlie Miller (@0xcharlie) popped the MacBook Pro via Safari. His payload returned a full command shell.

As we reported a few days ago, Miller said he was ready to report on no less than 20 zero day exploits that he had discovered within OS X. It looks like he might have known at least a few that are affecting Safari as well ;)

"I can't talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched," said Miller on Wednesday, not long after he had won the prize. "It probably took five or 10 seconds." He confirmed that he had researched and written the exploit before he arrived at the challenge.

iPhone Hacked Via Safari At Pwn2Own

Hackers Iozzo and Weinmann compromised their fully patched iPhone in a total of 20 seconds.

The Zero Day Initiative (ZDI), an initiative founded by TippingPoint which organizes the security competition Pwn2Own, has confirmed via Twitter that contestants Vincenzo Iozzo and Ralf Philipp Weinmann successfully exploited the iPhone via a 0day Safari hack! 

@thezdi Vincenzo Iozzo and Ralf Philipp Weinmann successfully exploit the iPhone via Safari! Their payload pulled the SMS database. #pwn2own

The team of Iozzo and Weinmann were the first candidates in the hacking contest and the iPhone, which was hacked in less than 10 minutes, is the first smartphone to fall in the contest in the last two years. The iPhone was a 3GS model and was running iPhone OS 3.1.3.

Up next, Charlie Miller gets to take his crack at exploiting Safari, I believe on an Apple MacBook Pro running OS X. Stay tuned for more details.

Update: additional details courtesy the ThreatPost:

The exploit crashed the iPhone's browser session but Weinmann said that, with some additional effort, he could have a successful attack with the browser running.

"Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control," Weinmann explained. Iozzo, who had flight problems, was not on hand to enjoy the glory of being the first to hijack an iPhone at the Pwn2Own challenge.

Halvar Flake, a renowned security researcher who assisted with the winning exploit, said the biggest hiccup was bypassing the code-signing mitigation implemented by Apple on its flagship mobile device.

"This exploit doesn't get out of the iPhone sandbox," Flake explained, noting that an attacker can do enough damage without escaping from the sandbox.

"Apple has pretty good counter-measures but they are clearly not enough. The way they implement code-signing is too lenient," Flake added.

In addition to hijacking the SMS database, Weinmann said the winning Pwn2Own exploit could have exfiltrated the phone contact list, photographs and iTunes music files. He was unsure if the exploit could have hijacked e-mails.

Weinmann declined to publicly discuss the techniques he used to find the vulnerability. "We're working on developing techniques to find a certain class of vulnerabilities. I don't want to discuss it too much."

Aaron Portnoy, a security researcher at TippingPoint Zero Day Initiative (the company sponsoring Pwn2Own), described the attack as "very impressive."

"It was a real world exploit against a popular device. They exfiltrated the entire SMS database in about 20 seconds. It was as if a Web page was loading."

TippingPoint ZDI acquired the exclusive rights to the flaw information. The company will report the issue to Apple and will withhold details until a patch is released.

Weinmann and Iozzo won a $15,000 cash prize and got to keep the hijacked iPhone.

Monday, March 22, 2010

What Does Hacker Charlie Miller Have Up His Sleeve For Pwn2Own 2010?

Charlie Miller quickly gained notoriety two years ago at the CanSecWest security conference when he and his team used an exploit in the Safari web browser to hack the brand new MacBook Air in just under 2 minutes, winning himself and his team not only the new MacBook Air but also $10,000 from security firm TippingPoint Technologies.

A year later he repeated the feat when he used yet another of his already known exploits to win him his second MacBook Air and an additional $5,000.

This year looks like it will be a three-peat for Miller who took second slot and first draw for Safari yet again. The security expert claims to have found no less than 20 zero-day exploits within OS X. Miller via Twitter last week stated he will present details on how he found the exploits during the conference but he made it clear he will not reveal the exact details on how the exploits work.

While the full details will not be disclosed, Miller alluded to the approach he used in finding the zero-day flaws. According to his interview with Heise Security, Miller discovered the new vulnerabilities by fuzzing, a process which involves bombarding an application's input channels with as much corrupted data as possible. His presentation is subtitled: "An analysis of fuzzing 4 products with 5 lines of Python". The expert explained: "The talk is about what you really find when you fuzz and it tries to draw conclusions about what to expect in the future when you fuzz a mature product." Parts of the presentation apparently consist of statistics, for instance, about which percentage of flaws causes crashes, and which percentage can be exploited remotely.

Pwn2Own 2010 should be an interesting event this year, not only because of the flaws Miller found but because many, including Miller himself, are predicting the fall of the iPhone this year, in spite of the fact that last year not a single smartphone was hacked.

If you want full detail on the event, including a schedule, check out the TippingPoint Blog, and to follow along with real-time updates and real-time feedback follow the TippingPoint Zero Day Initiative via their Twitter account @theZDI.
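The "dumb fuzzer" idea described in this post and in the March 25, 2010 post above (overwrite a few random bytes of a valid input, run the program, see where it fails), as an added example that is not Miller's code or part of the original posts. The toy parser `parse_record`, its bounds-checked variant, the seed input and the fuzz factor are all constructed for illustration.

```python
import math
import random
import traceback

# Constructed toy target (hypothetical, not a real product). Format:
#   b"REC" | 1-byte field count | fields, each = 1-byte length + payload
def parse_record(data: bytes) -> list:
    if data[:3] != b"REC":
        raise ValueError("bad magic")        # clean rejection, not a crash
    count = data[3]
    pos, fields = 4, []
    for _ in range(count):
        length = data[pos]                   # defect: pos is never bounds-checked
        pos += 1
        fields.append(data[pos:pos + length])
        pos += length
    return fields


def parse_record_checked(data: bytes) -> list:
    """Same format, but every offset is validated before it is used."""
    if len(data) < 4 or data[:3] != b"REC":
        raise ValueError("bad header")
    count = data[3]
    pos, fields = 4, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated field header")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ValueError("field overruns input")
        fields.append(data[pos:pos + length])
        pos += length
    return fields


# Constructed valid sample: two fields, b"hello" and b"world".
SEED = b"REC" + bytes([2, 5]) + b"hello" + bytes([5]) + b"world"


def mutate(seed: bytes, rng: random.Random, fuzz_factor: int = 10) -> bytes:
    """Overwrite a few random bytes; the input length never changes."""
    buf = bytearray(seed)
    n_writes = rng.randrange(math.ceil(len(buf) / fuzz_factor)) + 1
    for _ in range(n_writes):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1234) -> dict:
    """Run target on mutated inputs and return one reproducer per distinct failure.

    ValueError means the parser rejected the input on purpose. Any other
    exception is an unhandled failure, bucketed by exception type and the
    function it was raised in so duplicates collapse into one finding.
    """
    rng = random.Random(rng_seed)            # fixed seed: runs are repeatable
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            findings.setdefault((type(exc).__name__, frame.name), case)
    return findings


if __name__ == "__main__":
    for parser in (parse_record, parse_record_checked):
        results = fuzz(parser, SEED)
        print(parser.__name__, "->", len(results), "distinct failure(s)")
        for bucket, case in results.items():
            print("  ", bucket, "reproducer:", case.hex())
```
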

Thursday, March 19, 2009

MacBook And Safari Fall First Yet Again

Charlie Miller made headlines last year at Pwn2Own when he hacked his way into the winner's circle by hacking a MacBook in just under 2 minutes. Last year's feat seemed nothing short of amazing, so imagine the surprise when he backed up his results with an even more impressive time, this year hacking a fully updated MacBook in mere seconds, yes seconds.

Utilizing an exploit in Apple's Safari web browser Miller was able to trick officials into visiting a link which allowed him to gain control of the MacBook.

“It took a couple of seconds. They clicked on the link and I took control of the machine,” Miller said moments after his accomplishment.

As usual with the contest, the technical details of the vulnerability will not be released until a patch is ready, and all contestants are required to sign NDAs, so it's uncertain exactly what he did and how. But it was likely a known vulnerability that he had been working on.

The second machine to fall this year was a Sony Vaio machine equipped with Windows 7 and the recently released IE 8 browser. By the end of day one, Firefox, IE8 and Safari had all been breached, with Google's Chrome being the only browser still standing.

For more details check out the TippingPoint Blog

Wednesday, April 02, 2008

Shane Macaulay Explains Selling PWN 2 OWN Laptop

PWN 2 OWN contest winner Shane Macaulay listed his Vista equipped Fujitsu U810 laptop on eBay yesterday causing a big stir. Many people first thought it was an April Fool's joke but Shane was serious about selling the very laptop he won during the PWN 2 OWN contest.

He said that a top-quality hacker could probably examine the machine's hard drive and dig up the unpatched zero-day exploit code he had used to compromise the computer. However he never intended to disclose details of a flaw, at least not before the patch was created.

In a Tuesday interview with IDG News he explained that Adobe Systems plans to patch his Flash bug on April 8, the day his auction was set to end, and so he would have been practicing responsible disclosure, releasing details of a flaw that had already been patched.

According to contest rules, any vulnerability that the Zero Day Initiative awards a cash prize for becomes the property of the ZDI, and therefore the winner cannot discuss or disclose details of the 0day until the affected vendor has successfully patched the issue. Any discussion of the bug prior to the public disclosure of a ZDI advisory will result in forfeiting of the prize.

In an InfoWorld article a hacker who knows Macaulay said that the April 1 listing is "a bit coincidental," but that he may not be worried about forfeiting the $5,000 in prize money TippingPoint paid him for his hack. "He makes good money," said Marc Maiffret, an independent security researcher, in an instant message interview. "It's all just funny to him."

However, eBay thought he was in violation of their user agreement, which says that users may not "distribute viruses or any other technologies that may harm eBay, or the interests or property of eBay users," so they pulled the listing.

When asked about these issues, Macaulay had some funny answers.

On the eBay terms of service problem, he said that he knew "some highups," at the company and was "confident, when I speak with eBay they will grant me a waiver."

And does TippingPoint know about what he's doing? "I believe at some level," he answered. "I'm sure things might change as the word percolates to the executives. Maybe I shouldn't have sold the [TippingPoint] bag with the laptop!!"

Read the IDG interview and more about Shane at InfoWorld

PWN to OWN Sponsors Say Linux Not Immune To Hacking

PWN to OWN sponsors say it was actually a lack of interest in hacking Ubuntu, not its immunity, that saved it from falling victim to the hacking contest.

"There was just no interest in Ubuntu," said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint. She continued to say, "[Shane Macaulay's] exploit would have worked on Linux. He could have knocked it over. But [the contestants] get a lot more mileage out of attacks on the Mac or Windows."

Vulnerabilities in Mac and Windows are the ones that are going to get the press, so obviously those are the ones you'd go after. There isn't a big draw to hack Linux machines; you don't get a lot of notoriety.

Last week we reported that the MacBook Air was the first victim of the contest, with the Vista-equipped laptop falling second. However, the Ubuntu-equipped laptop could just as easily have been the second victim, leaving Vista unhacked.

Everyone has been quick to jump aboard Ubuntu and Linux and say it's unhackable. In this case it simply isn't true. No one managed to crack any of the operating systems alone. It wasn't until the attack exposure was expanded that we saw any of the machines breached: first to any client-side application installed by default with the operating system, then to a larger group of third-party applications added to the machines.

Hacking operating systems is a lot harder to do than attacking applications. For the most part, finding those types of vulnerabilities is also going to net you a lot more money than the contest offered. So it was unlikely that even if the contestants knew about any, they'd use them. Using application vulnerabilities found, and exploited, in applications such as Internet Explorer, Microsoft Word, Firefox, Adobe Reader and others is faster and easier.

According to ComputerWorld, Vista Service Pack 1 was a lot tougher to hack than Shane Macaulay first thought.

"SP1 was a huge challenge to him," said Forslof. "When he walked in, he was strutting, he was going to own [that machine], he was going to break it in two minutes, he was going to wow the crowd."

However, it didn't happen that way. Macaulay had prepared an exploit, but had very little time to test it on SP1. So he had to use a few more tricks and tactics to get the ball rolling.

"Microsoft has built a lot of things into its OS to make exploiting vulnerabilities more challenging," Forslof said, ticking off several defensive technologies, including ASLR (address space layout randomization). "Shane had to use some tricks to get that exploit to work on SP1."

According to Forslof, the Flash vulnerability Macaulay exploited on the Vista SP1 notebook is multiplatform and is present on both Mac OS X and Linux. So his exploit could have worked to bring down either of those machines as well.

If you'd like to read more about the contest, check out ComputerWorld's article "Linux ignored, not immune, says hacker contest sponsor"

Saturday, March 29, 2008

Vista Laptop Becomes Pwn to Own's Second Victim

A laptop running Vista Ultimate was compromised by a previously undiscovered flaw in Adobe's Flash software, making it the second victim to be hacked by Pwn to Own contestants.

Shane Macaulay and Derek Callaway of Security Objectives, along with Alexander Sotirov, were able to gain control of the Fujitsu laptop using an Adobe Flash zero-day vulnerability. They are the second successful team to hack a machine at the PWN to OWN contest at the CanSecWest security conference. However, since the rules had been relaxed, they only get $5,000 and the laptop of course.

Yesterday ISE security researchers Charlie Miller, Jake Honoroff, and Mark Daniel used a zero-day vulnerability in Apple's Safari 3.1 Web browser to hack the MacBook Air in just two minutes.

It looks like at the end of the last day of the contest, only the Sony VAIO laptop running Ubuntu, a popular Linux distro, was left standing.

Friday, March 28, 2008

MacBook Air Hacked In Just Two Minutes

ISE security researchers Charlie Miller, Jake Honoroff, and Mark Daniel used a zero-day vulnerability in Apple's Safari 3.1 Web browser to hack the MacBook Air in just two minutes.

The researchers from Independent Security Evaluators (ISE) were participating in the "PWN to OWN" competition at the CanSecWest security conference, which began Wednesday in Vancouver, British Columbia.

Contest participants had their choice of trying to hack an Apple MacBook Air running OS X 10.5.2, a Sony Vaio VGN-TZ37CN running Ubuntu 7.10, or a Fujitsu U810 running Vista Ultimate SP1. During the first day, when attacks were limited to network attacks on the operating system, no one managed to compromise any of the systems.

That changed Thursday when attacks on default client-side applications -- Web browser, e-mail, IM -- were allowed. Using attack code already set up on a Web site, the ISE team "tricked" the judges using the MacBook into visiting the site and retrieving a file.

The team won $10,000 from security firm TippingPoint Technologies for compromising the MacBook Air.

The undisclosed vulnerability in Safari 3.1 has been shown to Apple and no further information about it will be revealed until Apple can issue an update, TippingPoint said.

The contest rules stipulated that winners immediately sign a nondisclosure agreement relating to their technique, so that the vulnerability could be disclosed to the vendor, and TippingPoint said Apple has been informed of the vulnerability.