dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1201
share rss forum feed


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

CanSecWest 2013/Pwn2Own 2013 - Mar 6-7-8

quote:
The contest will take place the 6th, 7th, and 8th of March in Vancouver, British Columbia during the CanSecWest 2013 conference. This blog post will be updated as the contest plays out and get real-time updates by following either @thezdi or @Pwn2Own_Contest on Twitter or search for the hash tag #pwn2own.
Tipping Point: »dvlabs.tippingpoint.com/blog/201···own-2013


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

1 edit
Wednesday:

1:30 - Java (James Forshaw) PWNED

2:30 - Java (Joshua Drake) PWNED

3:30 - IE 10 (VUPEN Security) PWNED

4:30 - Chrome (Nils & Jon) PWNED

5:30 - Firefox (VUPEN Security) PWNED

5:31 - Java (VUPEN Security) PWNED

[edit- to update]
Thursday:

12pm - Flash (VUPEN Security) PWNED

1pm - Adobe Reader (George Hotz) PWNED

2pm - Java (Ben Murphy via proxy) PWNED

»h30499.www3.hp.com/t5/HP-Securit···/5981157


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

1 recommendation

reply to chachazz
Apparently despite all the last minute patches the vendors put out, everyone came loaded for bear and it was a clean sweep for the hackers today and not a single Chinese Military hacker in the bunch. Listening to comments with the exception of Java, exploits are getting harder to come by which is good news, but its obvious they aren't impossible, so security concerns remains. Congrads to everyone involved for a good showing thus far.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

1 edit
Researchers rake in $280K at Pwn2Own hacking contest
»www.computerworld.com/s/article/···_contest

(Google's own contest, Pwnium 3, kicks off Thursday at CanSecWest when Chrome OS -- the search giant's browser-based operating system -- will be targeted by researchers.)


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to chachazz
$100,000 is a cheap exploit cost, so I don't understand why the fruit company is being so cheap and only offered $65,000, like who cares and on top of that you don't have to be first to get the cash as they are paying out for every exploit and you know there are going to be extra perks as well like paid trips to meet with the dev teams etc to describe your exploit and finding processes etc (unless your hacking the fruit company then they just try to puke on you, just ask Charlie Miller).

Some companies understand that good research costs good money, others maybe not.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to chachazz
i would like to read more about vupen's cracking "flash player", if they did..


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

Vupen also managed to exploit a vulnerability in Java, as did researchers from Accuvant Labs and Contextis. Praising Adobe's effort to secure Flash and Reader, Chaouki Bekrar Vupen's CEO told threatpost: "Writing exploits in general is getting much harder.

Article
See also:
»h30499.www3.hp.com/t5/HP-Securit···/5981157


redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

2 edits
reply to redwolfe_98
said by redwolfe_98:

i would like to read more about vupen's cracking "flash player"

"On Thursday, the team from French security firm VUPEN jumped through a series of hoops, chained together three separate zero-day vulnerabilities and successfully compromised the latest patched version of Flash as part of the contest. That feat won the company another $70,000"
/ / / / / / / / / / /
"Flash is a different thing and it's getting updated all the time and Adobe did a very good job securing it," Bekrar said. "It's more expensive to create a Flash exploit than a Java one. Every time Adobe updates Flash, they're killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure."

»threatpost.com/en_us/blogs/firef···n-030713


FF4m3

@rr.com
reply to chachazz
From The Register:

"VUPEN Security's crack on IE 10 running on Surface Pro was an eye-opener," Gorenc said. "The vulnerability was so elegant it didn't even crash the browser. They launched the process from outside the sandbox so the user wouldn't even know if they had been hacked."

Meanwhile, two researchers from MWR Lab managed to subvert Google's Chrome browser so completely that they compromised the entire target system it was installed on, which Gorenc praised as "highly skilled."



chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
Chrome OS undefeated at Pwnium 2013 event
At this year’s Pwnium event hosted by Google, hackers would unable to exploit Chrome OS.

However, partial exploits are currently being reviewed.
»www.omgchrome.com/chrome-os-unde···3-event/


unavailable

@tds.net
reply to Link Logger
Well, "The Fruit Company" was the only one beside the Chromebook left standing. It's not like folks haven't had a blast going after Safari first and having it fall in minutes in previous years.

Looks like "The Fruit Company" knows something about security.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
said by unavailable :

Well, "The Fruit Company" was the only one beside the Chromebook left standing. It's not like folks haven't had a blast going after Safari first and having it fall in minutes in previous years.

Looks like "The Fruit Company" knows something about security.

They know how to be ignored, the only reason it was left standing is no one bother to work for peanuts.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool


unavailable

@tds.net
Bull. Nobody had anything in their pocket for it. If they could. They would. To believe anything else is just being an anti-Apple troll.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to chachazz
Did anybody even try (and the answer to that would be No)? And if you think that no one trying equals unhackable, that's just Apple Fanboy talk. Security researchers saw what Apple did to Charlie Miller so they just don't care about Apple as its clear they don't appreciate the help, hell Charlie is working for Twitter anymore so even he stopped caring about Apple and had a chuckle about this years Pwn2Own, and the lack of interest in Apple.

Think about it for a moment when Chaouki Bekrar of Vupen says the weakest point of Chrome is Webkit, quick name another browser that uses Webkit and perhaps you can explain why that wouldn't be a problem.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

evoxllx

join:2007-06-07
Winter Park, FL
reply to unavailable
said by unavailable :

Looks like "The Fruit Company" knows something about security.

Nothing about transport security it would seem. Even after being publicly criticized about not having HTTPS for their app store, they still manage to royally screw over their configuration when it's finally implemented.

»www.ssllabs.com/ssltest/analyze.···.219.171
»www.ssllabs.com/ssltest/analyze.···pple.com
»www.ssllabs.com/ssltest/analyze.···pple.com


unavailable

@tds.net
reply to Link Logger
said by Link Logger:

Think about it for a moment when Chaouki Bekrar of Vupen says the weakest point of Chrome is Webkit, quick name another browser that uses Webkit and perhaps you can explain why that wouldn't be a problem.

Blake

I quoted the only relevant part of your reply.

And, it's damning... If not for the fact that WebKit is open like Mozilla's base. So, anyone can wrap their brand around WebKit and give it away or sell it off.

The fact of the matter is that even with a "great weakness" like an open browser base such as WebKit... ZERO hackers had anything in their pocket to compromise it on OS X Mountain Lion.

Anyone who is more than a casual observer realizes that even the years when Safari was taken down in "2 minutes" that the attack was in the works for many months beforehand.

What you're saying is that no intermediate level hacker could make an easy $65,000 on the "weak" WebKit based Safari on Mountain Lion. I wholeheartedly agree.

It was left standing, and the only other browser/os that was, was a different beast altogether. The Chrome Book. /Pwn2Own