Thursday, March 19, 2009

Around The Horn vol.1,66

Exposing Microsoft Windows 7 User Account Control (UAC)

By Derek Melber

Taking a look at the old and new UAC technology to determine if you should consider Windows 7 and UAC.

ATMs At Risk

New targeted attack on Diebold ATMs raises concerns of ATM security

U.N. Agency: Cybersquatting On The Rise

UN agency reports cybersquatting rose 10 percent last year

New Conficker Variant More Aggressive

By Darknet on worms

Conficker has gotten quite a lot of news recently with it growing so fast and Microsoft offering a bounty for the authors. It seems like the Conficker authors are really serious about retaining control of their botnet and expanding it further without hindrance from the companies trying to stop them. It’s quite likely they are netting some...
Read the full post at darknet.org.uk

[tool] Webtunnel 0.0.5

Posted by Janos Szatmary on Mar 17

I'd like to announce the release of Webtunnel 0.0.5, available at http://sourceforge.net/projects/webtunnel.

WHAT'S NEW

2009/03/17

     Added support for proxy auto-configuration
     Fixed a bug that would cause a keep-alive timeout to...

Protip: Don't include SEC lawyer in your $4.6m botnet scam

Posted by InfoSec News on Mar 19

http://www.theregister.co.uk/2009/03/19/sec_settlement_useltons_botnet_stock_scam/

By Austin Modine in San Francisco
The Register
19th March 2009

When running a botnet to spam millions with emails touting your illegal
stock-scalping scheme, it's rarely a good idea to include a US
...

Researcher cracks Mac in 10 seconds at PWN2OWN, wins 5K

Posted by InfoSec News on Mar 19

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9129978

By Gregg Keizer
March 18, 2009
Computerworld

Charlie Miller, the security researcher who hacked a Mac in two minutes
last year at CanSecWest's PWN2OWN contest, improved...

Study: Mobile Phones Contain Treasure Trove Of Unprotected Data

Posted by InfoSec News on Mar 19

http://www.darkreading.com/security/client/showArticle.jhtml?articleID=215901048

By Tim Wilson
DarkReading
March 18, 2009

Mobile phone users are storing a dangerous amount of personal
information on their cell phones and other portable devices, and they
aren't doing nearly enough to...

GAO: SEC cybersecurity program is incomplete

Posted by InfoSec News on Mar 19

http://gcn.com/articles/2009/03/18/sec-security-controls.aspx

By William Jackson
GCN.com
March 18, 2009

The Securities and Exchange Commission has corrected some weaknesses
identified in its information security controls in the past two years,
but the lack of a comprehensive information...

Feds: Hacker Disabled Offshore Oil Platforms Leak-Detection System

Posted by InfoSec News on Mar 19

http://blog.wired.com/27bstroke6/2009/03/feds-hacker-dis.html

By David Kravets
Threat Level
Wired.com
March 18, 2009

A Los Angeles federal grand jury indicted a disgruntled tech employee
Tuesday on allegations of temporarily disabling a computer system
detecting pipeline leaks for three...

A Real Dumpster Dive: Bank Tosses Personal Data, Checks, Laptops

Posted by InfoSec News on Mar 19

http://www.csoonline.com/article/484847/A_Real_Dumpster_Dive_Bank_Tosses_Personal_Data_Checks_Laptops

By Joan Goodchild
Senior Editor
CSO
March 18, 2009

Data protection is not just an IT security issue. But security industry
analyst Steve Hunt, who heads up Hunt Business...

FBI AGENT ARRESTED FOR EXCEEDING AUTHORIZATION TO ACCESS SENSITIVE INFORMATION IN FBI DATABASE

Posted by InfoSec News on Mar 19

http://newyork.fbi.gov/dojpressrel/pressrel09/nyfo031809a.htm

United States Attorney Southern District of New York
FOR IMMEDIATE RELEASE
MARCH 18, 2009

LEV L. DASSIN, the United States Attorney for the Southern District of
New York, TERESA GULOTTA-POWERS, the Special Agent-in-Charge of the...

Police say man hacked into teens' computers, demanded sexual images from them

Posted by InfoSec News on Mar 18

http://www.orlandosentinel.com/news/local/orl-asec-sex-hacker-extortion-031709,0,3650679.story

By Amy L. Edwards
The Orlando Sentinel
Sentinel Staff Writer
March 17, 2009

For years, Patrick Connolly terrorized girls across the globe, federal
investigators say.

He scoured the Web for...

Heartland data breach triggers class action suit

Posted by InfoSec News on Mar 18

http://www.computerweekly.com/Articles/2009/03/17/235295/heartland-data-breach-triggers-class-action-suit.htm

[Heartland Payment Systems trades as: NYSE:HPY - WK]

By Warwick Ashford
ComputerWeekly.com
17 Mar 2009

Heartland Payment Systems faces a class action lawsuit from investors
who...

Cyber war tops Public Safety agenda

Posted by InfoSec News on Mar 18

http://www.winnipegsun.com/news/canada/2009/03/17/8779041.html#/news/canada/2009/03/17/pf-8774296.html

By KATHLEEN HARRIS
NATIONAL BUREAU CHIEF
Winnipeg Sun
17th March 2009

Canada is facing a growing threat of cyber attacks from hostile
governments and criminals that could cripple critical...

After years in eclipse, L0phtCrack 6 re-released

Posted by InfoSec News on Mar 18

http://www.betanews.com/article/After-years-in-eclipse-L0phtCrack-6-rereleased/1237313931

By Angela Gunn
Betanews
March 17, 2009

A Windows password-auditing tool acquired by Symantec only to be shelved
when the lawyers got a look at the thing has been re-acquired by its
original authors...

BORAT STAR FOOLS ALABAMA NATIONAL GUARD

Posted by InfoSec News on Mar 18

http://www.nypost.com/seven/03162009/news/nationalnews/borat_star_fools_alabama_national_guard_159875.htm

By CLEMENTE LISI
The New York Post
March 16, 2009

The actor famous for playing "Borat" tricked the Alabama National Guard
into giving him a military uniform and allowed him to...

In cybersecurity, there are no silver bullets

Posted by InfoSec News on Mar 18

http://gcn.com/articles/2009/03/17/cyber-security-panel-031709.aspx

By William Jackson
GCN.com
March 17, 2009

Members of a panel of security experts today painted a gloomy picture of
the cybersecurity landscape, in which rapidly evolving threats and
conditions ensure that even the best...

Terry Waite backs McKinnon

Posted by InfoSec News on Mar 18

http://www.theregister.co.uk/2009/03/17/waite_backs_mckinnon/

By John Leyden
The Register
17th March 2009

Former Beirut hostage Terry Waite has spoken out against attempts to
extradite self-confessed Pentagon hacker Gary McKinnon to face a US
trial.

Waite, who since his release in 1991...

UK fraud strategy 'more worthy of Uzbekistan'
Cambridge don lets rip

A UK government strategy for tackling internet fraud has been criticised by a senior banking security researcher.

How police busted UK's biggest cybercrime case
Sumitomo unpicked

Exclusive: The story of the investigation into the failed multi-million pound cyberheist at Sumitomo Bank can finally be told, following the recent conviction and sentencing of its perpetrators.

Government funds IT security research
Bids invited for £6m pot

The government's Technology Strategy Board has invited bids for a £6m fund for research into improving information security.

A grim day for browser security at hacker contest
Safari, IE and Firefox all down for the count

CanSecWest: Internet browser security took a beating during Day 1 of an annual hacking competition, with Apple's Safari, Microsoft's Internet Explorer and Mozilla's Firefox all being felled in a matter of hours.

Protip: Don't include SEC lawyer in your $4.6m botnet scam
Texas men settle lawsuit over spam scam

When running a botnet to spam millions with emails touting your illegal stock-scalping scheme, it's rarely a good idea to include a US Securities and Exchange Commission lawyer's work address on the mailing list.

TinyURL, your configs are showing
Twitter pal leaves server wide open

TinyURL - the site that converts unwieldy web addresses into short, manageable URLs - has been caught running a server so poorly configured it represents a serious risk to its millions of trusting users, a security expert is warning.

Crackers latch onto year-old Windows token vuln
Unpatched bug features in multi-stage attacks

Hackers have created exploits against a long-standing, unpatched Windows "token kidnapping" vulnerability.

Privacy watchdog barks for federal Gmail probe
The Google Cloud - Is it safe?

An influential net watchdog has urged the US Federal Trade Commission to shut down Google's so-called cloud computing services, including Gmail and Google Docs, if the web giant can't ensure the safety of user data stored by these online apps.

Treating today’s security risks
Audio with slides attached

Episode 2: In the second of our mini series of audiocasts assessing the state of the IT Security market, our expert panel considers the major risks and how to deal with them.

BBC botnet 'public interest' defence rubbished by top IT lawyer
V for Vigilante

The BBC's argument that "public interest" justified its purchase and use of a botnet in a controversial experiment is little better than vigilantism, according to a top IT lawyer.

Rogue Aus sysadmin jailed over hacking spree
Drunken revenge backfires

A disgruntled contractor who hacked into government systems and deleted thousands of records in Australia's Northern Territories has been jailed for three years and four months.…

Hacker Disabled Offshore Oil Platform Leak-Detection System

By Robert A. on IndustryNews

"A Los Angeles federal grand jury indicted a disgruntled tech employee Tuesday on allegations of temporarily disabling a computer system detecting pipeline leaks for three oil derricks off the Southern California coast. Mario Azar, 28, faces a maximum 10-year term after being accused of purposely impairing a computer system that monitored...

Brief: Microsoft to release exploitability tool

News: Browsers bashed first in hacking contest

Diebold ATMs in Russia targeted with malware

By Marcia Savage

Company issued a security update after criminals attacked its Windows-based ATMs in Russia and installed malware.

Firms muddle security breach response, expert says

By Robert Westervelt

Security incident handlers are at the core of the coordination problems during security incidents, says security expert and consultant Lenny Zeltser.

Adobe JBIG2 exploits being spammed, IBM warns

By SearchSecurity.com Staff

Spam messages containing malicious PDFs are trying to exploit the JBIG2 flaw recently patched by Adobe Systems Inc.

Browsers get hacked before phones at security show

Mobile devices took the spotlight at the CanSecWest security conference Wednesday, but it was browser bugs that got all the attention at the show's popular hacking contest.

As happy as a rock star in a pig pen

Just how far does copyright extend? I ran across an interesting case recently during my research for an intellectual-property yearly review that might illuminate concepts of fair-use doctrine.

IT contractor indicted for sabotaging computer system

An IT contract employee who formerly worked at an oil and gas production company in Long Beach, Calif., was indicted Tuesday on charges of sabotaging a computer system he helped set up because the company did not offer him a permanent job.

Two men settle stock spam charges

Two Texas men have settled U.S. Securities and Exchange Commission charges that they created a huge e-mail spam campaign to drive up demand for low-value stocks they owned, with one of the men agreeing to pay US$3.8 million to settle the charges.

LinkedIn Privacy Settings: What You Need to Know

Since LinkedIn doesn't require you to share the same types of personal information as you do on Facebook, the service's privacy settings appear to be much more straightforward than its less business-oriented competitor. But if you leave the default settings in place, you might be surprised to know what information you make public on LinkedIn.

Report: Parent-child communication key to safe surfing

Good open and honest communication between parents and children is key to safe online browsing claims a new survey.

U.S. FTC urged to investigate Google's hosted services

A privacy group has asked the U.S. Federal Trade Commission to investigate whether Google Inc.'s cloud computing services, including the popular Gmail hosted e-mail service, the Google Docs applications and the Picasa photo sharing service, adequately protect users' privacy.

A Real Dumpster Dive: Bank Tosses Personal Data, Checks

Data protection is not just an IT security issue. But security industry analyst Steve Hunt, who heads up Hunt Business Intelligence, believes too many people in IT security still have that false perception.

Toshiba 500GB USB external hard drive

Toshiba Corp. recently sent in its new 500GB USB external disk drive for review. While the 2.5-inch device is a slick-looking drive with its diminutive size and shiny-black plastic case, I took issue with a couple of things after using it.

FTC urged to investigate security of Google services

An online privacy group is calling on the U.S. Federal Trade Commission to investigate whether Google is making deceptive claims over the security of data stored in cloud-computing services such as Gmail and Google Docs.

FishNet joins with Optenet for SaaS security

Two security vendors have joined forces to offer a 'comprehensive' Security-as-a-Service offering for enterprises struggling to deal with the growing complexity of security threats, coupled with the fiscal pressures associated with the current economic downturn.

The first trust infrastructure for mashups

It's been a long time since I talked about the identity of anything except people, but we should remember that everything on our networks has an identity - the devices, the services, the applications - even the data packets. I was reminded of this last week when I caught up with Ravi Ganesan, formerly CEO of TriCipher and now a Research Professor at the University of Texas San Antonio (UTSA), and CEO of SafeMashups.

Vivek Kundra reinstated as federal CIO

Vivek Kundra, who took a leave of absence from his job as the federal government's CIO last week, was reinstated Tuesday after the White House determined that he has no connection to an alleged bribery scheme in the District of Columbia's IT department, where he previously was chief technology officer.

Facebook puts privacy controls in hands of its users

How much Facebook privacy do you want?

Auditor: US SEC needs to improve cybersecurity

The U.S. Securities and Exchange Commission (SEC) has taken steps to improve its information security, but it still hasn't corrected several vulnerabilities found in February 2008, according to an auditor's report.

Visa drops processors from compliance list after breaches

Visa Inc. last week removed breached payment processors Heartland Payment Systems Inc. and RBS WorldPay Inc. from its list of companies that are compliant with the PCI data security rules. But analysts said the move may be more about protecting Visa itself than about safeguarding payment card data.

Comcast: Exposed User Data Not From Internal Leak

Comcast now believes a phishing or malware scam is to blame for exposing hundreds of its customers' user names and passwords. A list containing around 8,000 names was discovered by a PC World reader this week and brought to the company's attention.

Start-up UnboundID unveils directory for Web 2.0

Directory start-up UnboundID slipped out of stealth mode Tuesday and introduced a scalable and high performance standards-based platform aimed at handling the identity and personalization demands of Web-based services and mobile computing.

Businesses shun Web 2.0 security: survey

Businesses are shunning Web 2.0 specific security, according to recent research.

Criminals sneak card-sniffing software on Diebold ATMs

Diebold has released a security fix for its Opteva automated teller machines after cyber criminals apparently broke into the systems at one or more businesses in Russia and installed malicious software.

IT bribery suspect to stay in jail; evidence 'overwhelming'

Yusuf Acar, who has been working as acting chief security officer in the District of Columbia's IT department, was back in federal court Tuesday to seek his release from jail, where he has been held since his arrest on bribery charges last Thursday. But despite an impassioned effort by Acar's defense attorney to portray him as man with strong family ties, U.S. District Court Judge John Facciola was unsympathetic.

Brace yourselves - IE8 reported to be released, (Thu, Mar 19th)

The day some of you have been waiting for looks like it has arrived. IE8 is reported to be rel...

Adobe Security Bulletin Adobe Reader and Acrobat, (Wed, Mar 18th)

Adobe has released security advisory APSB09-04 for Adobe Reader and Acrobat. The CVE entries related...

Identifying applications using UDP payload, (Tue, Mar 17th)

As requested in today's stormcast, some readers/listeners sent in complete packet capture...

Browsers hacked in seconds in Pwn2Own contest (CGISecurity.com)

Apple iPhone 3.0: Not Answering the Call of Enterprise Security (E-Week Security)

Blowfish on 24 Again (Schneier blog)

Government funds IT security research (The Register)

LinkedIn Privacy Settings: What You Need to Know (NetworkWorld Security)

Satisfying: Congressman Who Helped Create TSA Gets Rubber-Glove Treatment (Stupidsecurity)

ModSecurity < 2.5.9 Remote Denial of Service Vulnerability (milw0rm)

Brace yourselves - IE8 reported to be released, (Thu, Mar 19th) (InternetStormCenter)

Vuln: ejabberd MUC Logs Cross Site Scripting Vulnerability (SecurityFocus Vulnerabilities)

CVE-2009-0940 (Natl. Vulnerability Database)

U.S. FTC urged to investigate Google's hosted services (NetworkWorld Security)

CVE-2009-0924 (opensolaris) (Natl. Vulnerability Database)

Microsoft Releases IE8, Stresses Security (PC World) (Yahoo Security)

Protip: Don't include SEC lawyer in your $4.6m botnet stock scam (The Register)

CVE-2009-0936 (tor) (Natl. Vulnerability Database)

Privacy watchdog barks for federal Gmail probe (The Register)

Vuln: MTCMS WYSIWYG Editor 'install.cgi' Cross Site Scripting Vulnerability (SecurityFocus Vulnerabilities)

Hacker Disabled Offshore Oil Platform Leak-Detection System (CGISecurity.com)

Chasys Media Player 1.1 (.pls) Local Stack overflow Exploit (milw0rm)

Brief: Microsoft to release exploitability tool (SecurityFocus News)

Privacy Group Seeks FTC Scrutiny of Google Apps (E-Week Security)

BBC botnet 'public interest' defence rubbished by top IT lawyer (The Register)

Bugtraq: Re: iDefense Security Advisory 03.17.09: Autonomy KeyView Word Perfect File Parsing Buffer Overflow Vulnerability (SecurityFocus Vulnerabilities)

Adobe Security Bulletin Adobe Reader and Acrobat, (Wed, Mar 18th) (InternetStormCenter)

Hiding Behind Terrorism Law (Schneier blog)

FishNet joins with Optenet for SaaS security (NetworkWorld Security)

Vivek Kundra reinstated as federal CIO (NetworkWorld Security)

CDex 1.70b2 (.ogg) Local Buffer Overflow Exploit (xp/ sp3) (milw0rm)

The Spammers Have Won, but We'll Survive (E-Week Security)

Vuln: Pivot 'refkey' Arbitrary File Deletion Vulnerability (SecurityFocus Vulnerabilities)

FTC Urged to Investigate Security of Google Services (PC World) (Yahoo Security)

CVE-2009-0939 (Natl. Vulnerability Database)

Rogue Aus sysadmin jailed over hacking spree (The Register)

1801 Cipher Solved (Schneier blog)

New version of DNS server Trojan Flush.M spotted in the pipe (Ars Technica) (Yahoo News)

CVE-2009-0933 (dotclear) (Natl. Vulnerability Database)

The first trust infrastructure for mashups (NetworkWorld Security)

Consumer groups launch badware-busting community (NetworkWorld Virus/Worms)

CVE-2009-0917 (ptk) (Natl. Vulnerability Database)

Criminals Sneak Card-sniffing Software on Diebold ATMs (PC World) (Yahoo Security)

Why Comcast Should Be Feeling Downcast

Leak of user data should serve as another reminder that we all have to remain hyper-vigilant.

Researcher Cracks Mac in 10 Seconds

Charlie Miller defends his title; IE8 also falls on Day 1 of hacking contest.

What Google Voice Means for VoIP

Last week's announcement of Google Voice was a shot across the bow of the telecommunications industry.

Internet Explorer 8: What You Need to Know

Microsoft's new browser launches today. Should you be using it?

Microsoft Releases IE8, Stresses Security

Company-commissioned report shows Microsoft's new browser detects malware better than competitors.

Browsers Get Hacked Before Phones at Security Show

Safari and IE8 were easy prey in a hacking contest but hackers made little headway with mobile devices.

Oracle 11g R2, Middleware 11g Coming Soon

Executive says 11g R2 update will bring 'grid computing to the masses'

New Site Defines Best Practices For Software Security

Building Security In Maturity Model aims to help businesses lock down their custom apps.

Feds Send Blogger to Jail for Sharing Pre-release GNR Tunes

Prosecutors claim that defendant's actions resulted in copyright infringement worth at least $371,622.

File Integrity: Windows Still Fails at the Most Basic Task

Analysis: How is it that, eight years after the release of XP, Windows 7 still fails this rudimentary undertaking?

Microsoft Blames Azure Outage on OS Upgrade

A routine event brought down applications on a test version of its cloud-computing infrastructure for nearly 24 hours

A Merger that Happens Once in a Big Blue Sun

Analysis: There's a lot of good stuff inside of Sun, which would work hand-in-glove with IBM's existing projects.

Java Crowd Has Mixed Views on Potential Sun-IBM Deal

They express concerns and hopes for the future of Sun's developer tools and open-source projects

Report: IBM is in Talks to Buy Sun Microsystems

UPDATE: IBM, Sun Microsystems share many interests, but a $6.5 billion merger is no certainty.

FTC Urged to Investigate Security of Google Services

Google is falling short of the claims it makes for the security of its cloud computing services, a US privacy group says

Sun Begins New Push Into Cloud Services Market

Sun's cloud storage and cloud compute services will compete with similar offerings from Amazon Web Services

Hands-on: Mozilla Fennec beta offers performance, features

By segphault@arstechnica.com (Ryan Paul) on Mozilla

Mozilla has announced the first official beta release of its mobile Firefox web browser, codenamed Fennec. The release includes significant performance improvements that speed up rendering and increase the responsiveness of the user interface.

The Fennec project was first launched in 2007 when Mozilla established its new mobile team. They aimed to bring the full functionality of the Firefox web browser, including support for extensions, to handheld devices.

What IBM might gain by buying Sun Microsystems

By hannibal@arstechnica.com (Jon Stokes) on Sun

A report in today's Wall Street Journal claims that Sun's execs have been shopping the company around recently and that IBM is an interested party. The report indicates that if the talks between the two companies go well, a deal could be announced fairly soon. The number allegedly being floated by IBM is $10 to $11 per share for Sun, which would put the total size of the deal at $8 billion.

Assuming that IBM is actually interested in buying Sun, the obvious question is "why?" There is a ton of overlap between the two companies' product lines, so it's hard to see a lot of complementarity there. In fact, such a deal would seem overwhelmingly to be about one thing for IBM: shrinking the competition. Sun's execs would pocket fat bonuses, and the former Silicon Valley high-flyer would be chopped up and absorbed into the belly of the Big Blue beast. Parts of Sun's business with no volume and hence no real future in the present market (things like the SPARC processor family) would be end-of-lifed, while some software assets and other IP could be picked up and used by IBM.

Privacy groups to FTC: Investigate Gmail, Picasa

By jacqui@arstechnica.com (Jacqui Cheng) on security

Cloud computing hasn't just enabled us to store mass amounts of data online; it has also brought with it a number of privacy and security issues that have now come to the attention of the Federal Trade Commission. The Electronic Privacy Information Center (EPIC) has petitioned the FTC to investigate privacy concerns over Google's gaggle of online services just as the FTC was already meeting to discuss whether the benefits of living in the cloud justify the risks.

In its petition (PDF) to the FTC this week, EPIC asked that services like Gmail, Google Docs, Picasa, and Google's other cloud computing services be investigated to determine "the adequacy of the privacy and security safeguards." The privacy organization cited a recent glitch in Google Docs that made certain documents—previously marked as private by their owners—public and available to the world, despite repeated claims from Google that the data is safe and secure. EPIC also highlighted a number of reports from security experts about vulnerabilities in Google's services between 2005 and now.

New version of DNS server Trojan Flush.M spotted in the pipe

By jhruska@arstechnica.com (Joel Hruska) on Trojan

The SANS Internet Storm Center has reported spotting a new version of the Flush.M Trojan nosing around online. The original malware program was isolated and, erm, canned back in December; March's updated model sports a fresh coat of paint and a few new tricks. Both forms of Flush.M are DNS hijackers capable of redirecting entire networks towards malicious DNS servers. The original version of Flush would redirect to DNS servers located at 85.255.112.36 or 85.255.112.41; the update targets 64.86.133.51 and 63.243.173.162.

Open Source Hardware Hackers Start P2P Bank

By Priya Ganapati

Two open source hardware enthusiasts are pioneering the idea of a peer-to-peer lending community as a way for enthusiasts to fund open source hardware projects.

Feds: Hacker Disabled Offshore Oil Platforms' Leak-Detection System

By David Kravets

A disgruntled tech employee is accused of temporarily disabling a leak-detection system monitoring three Southern California offshore oil platforms' underground pipelines. Luckily, there were no leaks off the Huntington Beach coast, authorities said.

The Pwn2Own trifecta: Safari, IE 8, and Firefox exploited on day 1

By Thomas Ricker on vulnerability

That didn't take long. One day into the Pwn2Own hacking competition at CanSecWest and already Apple, Microsoft, and Mozilla have been sent packing to their respective labs to work on security issues in their browsers. In a repeat performance, Charlie Miller pocketed a $5,000 cash prize and a fully-patched MacBook by splitting it wide, and gaining full control of the device after a user clicked on his malicious link. Another white-hatter by the name Nils (pictured) toppled Internet Explorer 8 running on a Windows 7 laptop -- again, the five grand and compromised VAIO P laptop are now his to keep as compensation for turning over the malicious code. So much for "protection that no other browser can match," eh Mr. Ballmer? Nils then demonstrated a second Safari exploit before hacking Firefox later in the afternoon netting him a cool $15k by the close of day one. Only Google's Chrome was left unscathed -- Opera isn't part of the contest. This year's contest will also offer a $10,000 prize for every vulnerability successfully exploited in Windows Mobile, Android, Symbian, and the iPhone and BlackBerry OSes. In other words: this contest that runs through Friday isn't over by any stretch

Browsers hacked in seconds in Pwn2Own contest

By Robert A. on IndustryNews

"Security researcher Charlie Miller held onto a vulnerability for an entire year, before using it on Wednesday to win $5,000 and an Apple laptop at the Pwn2Own contest here at the CanSecWest conference. Miller — a principal analyst at Independent Security Evaluators — found two flaws in Apple's Safari Web browser...
