A computer with a sky-high public profile these days -- the much talked-about and often coveted MacBook Air from Apple (Nasdaq: AAPL) -- was the first laptop to get cracked in a security hacking contest Thursday.
While headlines around the Web are claiming that it took only two minutes, there's more to the story.
The cracking went down at the CanSecWest security conference in Vancouver, British Columbia, at the PWN to OWN 2008 contest, where security gurus attempt to hack into laptops for US$10,000 in prize money. They also win the laptop they manage to compromise first. The challenge is to read the contents of a designated file located on each of the machines.
The contest includes three laptops that are running the most up-to-date and patched installations of Mac OS X Leopard, Windows Vista and Ubuntu Linux. Their hardware included a Sony (NYSE: SNE) Vaio VGN-TZ37CN running Ubuntu 7.10, a Fujitsu U810 running Vista Ultimate SP1, and -- at least until Thursday -- a MacBook Air running OSX 10.5.2.
The main purpose of the event, contest organizers said, is to responsibly unearth new vulnerabilities within these systems so that the affected vendors can address them. The prize money is sponsored by security firm TippingPoint's Zero Day Initiative (ZDI) program. ZDI hosts a Digital Vaccine (DV) Laboratories blog that serves as a portal to the company's security research and services. Last year the ZDI program was able to identify an Apple QuickTime flaw. The company handed it over to Apple, which then issued a security update.
MacBook Air Breaks First
Charlie Miller, Jake Honoroff and Mark Daniel from Independent Security Evaluators (ISE) successfully compromised the Apple MacBook Air -- the first laptop to become compromised -- in two minutes. However, that two minutes was the result of directing an end-user to click on a specially crafted link that went to a Web server with a specially crafted exploit. The details, of course, are being kept under wraps until Apple can address them.
So, two minutes? Not exactly. It hasn't been revealed how long it took the ISE crew to build the exploit in the first place and have it ready for the contest, nor is it clear that ISE even bothered to attempt a crack at the other two laptops. Still, a flaw is a flaw, even one that requires special action by the computer's owner.
Two Minutes or Two Days?
On the first day of the hacking fest, participants tried to bust into the laptops using only a remote zero-day exploit, and all three laptops survived. Day two included the ability to utilize default-installed client-side applications as well, which is when the MacBook Air went down. By the early hours of the third day, the Vista and Ubuntu laptops were still standing.
The most obvious question that comes to mind is whether Vista and Ubuntu -- and their related default applications -- are inherently stronger than Mac OS X and its default applications. Can any reasonable conclusions be drawn from the results of the contest?
Mike Haro, a senior security analyst for Sophos, cut to the chase: "From this, you can't conclude anything about which of those platforms is more secure," he told MacNewsWorld.
Overall, many of the latest exploits depend on the action of an end user to download a file or click on a special link in an e-mail or on a Web site. Those kinds of exploits are happening a lot in the wild right now, Rich Mogull, an independent security consultant, told MacNewsWorld.
"It is probably the biggest attack vector today, more than traditional viruses. It's not that much social engineering -- the attackers break into trusted Web sites and place these links there in ways to make them run. It's called a 'drive-by,'" he explained.
Vista, Mogull noted, has a number of anti-exploitation technologies to make attacks harder. "But I do have reports of a number of security problems with Safari," he added.






