Daniel Eran Dilger in San Francisco

CanSecWest security competition falsely portrayed, again

Daniel Eran Dilger

Another year, another grossly ignorant misrepresentation of the CanSecWest security competition. Nothing new here, just the widely reported idea that CanSecWest hosted a shootout among operating system platforms and Apple’s were among the first to fall.

But the security contest, which pits black hat hackers against a variety of desktop and mobile systems, has nothing to do with the relative merits of each platform and everything to do with said hackers’ previous year of research into finding exploitable problems.

This year, two young European researchers discovered an exploit that enabled them to hack the iPhone and access its SMS database of texts via a browser-based exploit that crashed Mobile Safari. The exploit took weeks of effort to develop, but the tech media insisted that the job was a “20 second” affair.

Media reports of CanSecWest so prominently assail Apple’s products by name that it causes one to think that, just possibly, the event’s major sponsors such as Microsoft, BlackBerry, and Google are really getting their money’s worth.

Mac Shot First: 10 Reasons Why CanSecWest Targets Apple

Who benefits from CanSecWest?

A primary beneficiary of the event, however, is Apple and its customers, who are shielded from any malicious application of the exploits hackers find. That’s because the people who discover exploits are rewarded by the event itself, while the vendor, in this case Apple, is given information needed to harden its software.

Without such a high profile contest handing out prizes and notoriety to security experts, there would be little incentive to invest in the efforts needed to discover flaws that need to be patched, leaving Apple to do all that work itself.

As it is, there is currently little to no black market value for Mac or iPhone exploits, but if that ever changes it’ll be good to know that CanSecWest has been helping to harden Apple’s software on a regular basis, making it all that much more impossibly difficult to find vulnerabilities to maliciously exploit.

Neanderthal or Shill?

By selectively exaggerating the risk and emotionally charging the rather boring but technically sophisticated work of security experts, writers like ZDNet’s Ryan Naraine, who works as a “security evangelist” for antivirus developer Kaspersky Lab, helped muddy the waters and create security panic where none was warranted.

The security experts themselves behaved rather differently, delivering their security kills with some class and professionalism. Halvar Flake, who assisted Vincenzo Iozzo and Ralf Philipp Weinmann in attacking the iPhone, explained that the discovered vulnerability only affects one app sandbox at a time, noting that the “exploit doesn’t get out of the iPhone sandbox.”

However, since a variety of Apple’s own bundled apps use the same low privileged user (and play in the same sandbox), it’s possible for a specific exploit like the one they discovered to provide some access to not only the phone’s texts, but also contacts, emails, photos, and iTunes music.

The iPhone exploit, along with Charlie Miller’s third successful attack on Safari, were the most notable exploits for Apple’s platforms this year, but both were bought up by TippingPoint Zero Day Initiative so that users will be spared any real risk until Apple can patch the flaws.

Kaspersky Sells Mac AntiVirus Fear Using Charlie Miller… Mac Antivirus Foe
Pwn2Own 2010: iPhone hacked, SMS database hijacked | Zero Day | ZDNet.com

26 comments

1 Ludor { 03.27.10 at 3:39 pm }

Okay if you say so. But why isn’t there any black market value for Mac or iPhone exploits? People buying these exquisite apparati would be expected to have more money on hand than people buying plasticky craputers at Walmart?

2 lowededwookie { 03.27.10 at 4:23 pm }

What do you go for? The one millionaire who knows security because he has to protect his investments or the thousand middle class who aren’t so security conscious and therefore require the least amount of work to get that same million dollars?

3 jdb { 03.27.10 at 4:34 pm }

I have to say that what I read this year was markedly different than previous years. Along with the nonsense about 20 seconds to hack an iPhone and Safari there were also numerous reports about Windows 7/IE 8 and Firefox falling as well.

The hack that was done for the iPhone and the one for IE 8 were both very impressive technically. Having them removed from availability for criminal use is a very good thing.

4 uberVU - social comments { 03.27.10 at 4:43 pm }

Social comments and analytics for this post…

This post was mentioned on Twitter by DanielEran: New: CanSecWest security competition falsely portrayed, again – http://tinyurl.com/yhh7epa

5 ShabbaRanks { 03.27.10 at 5:52 pm }

@ Ludor.

It’s down to time and expense invested vs. return. High initial costs due to expertise required and long lead times required to get these exploits working combined with limited exploitable points in the target and lack of retrievable information of consequence. As with most things in business. Go for what’s easy, cheap and useful.

Hacking iPhone and Safari is possible, but not necessarily worth it. Even with a large number of users or small number of rich users, the extra work required is a high entry cost which again detracts from it. Good evidence of this is the iPhone exploit which was elegant in the extreme and had some very clever people who plugged away for a long time on it. After all that work, once discovered it will likely be patched pretty quickly.

People go for Firefox for its high volume userbase which is also mostly using the shaky Windows OS for further exploitation. Linux and OSX users are harder to exploit, not just from a browser but period.

It goes without saying why IE is a popular target.

6 tonortall { 03.28.10 at 4:14 am }

Daniel,

this article seems particularly ‘thin’: none of what you wrote is peculiar to a particular vendor at all. It’s not as if hackers were given a head start on any particular platform. In fact, it would seem this article is really sour grapes and seems rushed and overly defensive.

You can’t talk about iPhone taking 25% of the smart phone market in article, and in the current one suggest that there is little to no value in pursuing an exploit on that sector of the market.

7 John E { 03.28.10 at 10:51 am }

The media focus on such “cutting edge” contests and the latest exploits. but the criminals do not.

their big target remains the hundreds of millions of PC’s worldwide still running Windows XP and older versions of IE etc., which are so easy to attack. even more so the hundreds of millions of PC’s with pirate copies of Windows (even Vista/Win 7) that can’t readily be updated with security patches, and so may be totally defenseless against current Windows OS exploits.

when you can shoot fish in a barrel all day, why bother with some new river or lake?

(and like the Windows-centric IT industry, these guys grew up on crummy MS software and probably don’t know how to grow out of it/let go of it either.)

8 ulicar { 03.28.10 at 2:09 pm }

Mac OS is by far the worst operating system security wise. You know it, because I have said that like million times, but your defense was “we are too small for any value for money”. You also said “I don’t want to run AV or firewall because it will slow down my machine”.

Every time some of those contests runs, the Mac OS is the first to go, because it is super-easy to penetrate it. However, “we are too small to worry” defense is used every time.

I have said then and I am saying now, hoping that the hackers don’t see you as a valuable target is stupid defense strategy. You are an idiot if you think differently.

9 FreeRange { 03.28.10 at 5:36 pm }

ulicar – Excuse us but you are the idiot here. It is total nonsense and grossly false and misleading to say that Mac OS X “is by far the worst operating system security wise”. ALL data points to the exact opposite being true. Who are you shilling for????? Mac OS X is unix based which is virtually bullet proof in comparison to ANY version of MSFT’s OS, especially when MSFT’s OS is paired with things like the horribly flawed IE, or PDF exploits.

And to tonortall, try reading! These hacks were developed over weeks, if not months, and they simply applied that work as a finished product when they got to the event to come up with the “20 seconds” to hack.

10 Per { 03.28.10 at 6:06 pm }

@ulicar

Maybe you can get your own blog then instead of just complaining about what others write. Write something and link to it here instead of sounding like a guy who’s complaining from his mom’s basement.

11 donarb { 03.28.10 at 7:05 pm }

So perhaps anyone who believes that Mac OS X is the most insecure OS out there could provide at least one instance where a brand new Mac connected to the Internet is rooted and owned within 15 minutes. Can’t come up with one? That’s because it has never happened. And yet grandmothers who own PCs are unknowingly running spambots because of a very broken and insecure operating system.

12 luisd { 03.28.10 at 7:29 pm }

@Per,

One of the great things about this blog, is that trolls are never fed, please don’t feed them.

13 stevelee { 03.28.10 at 8:39 pm }

Even so, I love the argument that something is true because someone has repeated it a million times.

14 ulicar { 03.28.10 at 9:52 pm }

The fact that Mac OSX is too small of a target does not increase the quality of the code. When somebody decides to take Mac OS X they simply do. Run AV and Firewall or be an idiot. That is up to you.

15 luisd { 03.29.10 at 1:04 am }

A million and one it seems.

16 anon { 03.29.10 at 1:54 am }

@ulicar

“Mac OS is by far the worst operating system security wise” doesn’t become less delusional the more you say it. FYI.

By the way, this:
http://macscan.securemac.com/spyware-list/

Kills any premise that OS X is too small of a target for hackers to attack. The reason why the list is so short, and almost completely made up of trojans and keyloggers requiring user interaction to install, is because OS X has security that actually works. Meaning you can’t write any truly nasty stuff for it (like worms*, viruses, or self-installing trojans and keyloggers).

That list represents the absolute best that malware authors have managed after nearly a decade of trying to “take Mac OS X”. And no, all those juicy Mac exploits discovered at CanSecWest don’t matter very much in the real world because they have little to no value outside of CanSecWest, which is why Mac malware has failed to progress beyond simple keyloggers and trojans despite all the Mac hacking “advances” that’ve been made there.

The funny thing is that it’s completely obvious ANY OTHER OPERATING SYSTEM is more secure than Windows, so people like you have to invent complex rules and exceptions to explain why Windows is actually MORE secure despite being covered in malware and security holes, while other operating systems are actually LESS secure despite how they don’t suffer from epic malware and security issues like Windows does.

In short, your comments suck and you’re stupid and you smell like armpits.

*The “worms” for OS X that were shouted about awhile back were misclassified trojans. But they had worm-ish behavior so there’s sort of an excuse for it, kind of.

17 Berend Schotanus { 03.29.10 at 2:50 am }

“two young European researchers discovered an exploit that enabled them to hack the iPhone and access its SMS database of texts via a browser-based exploit that crashed Mobile Safari.”

As a little background:
The hack targeted the electronic payment system of ING-Bank. ING uses a system with secret numbers to confirm electronic payments. Originally these numbers were supplied to the customer on paper and sent by post (the system was developed back in the 1980s).
Some years ago the paper distribution was not considered safe anymore. The bank created the option to distribute the secret numbers by SMS and encouraged their customers to use SMS instead of paper.
By then cellphones didn’t have internet capability and the chance someone could steal both your phone and your (separate) logincodes to the bank website were apparently considered small.

The problem with the iPhone hack is that suddenly both channels could be conquered in one single hack. To me it raises questions as to whether SMS really is a safe channel to distribute secret bank codes.

18 ShabbaRanks { 03.29.10 at 8:10 am }

I think I’ve said this before, but I’ll say it again. Can we please stop feeding Ulicar.

19 mailjohannes { 03.29.10 at 8:59 am }

The reason Mac OS X has no viruses and bot-nets is that no one succeeded in creating one. Not that no one tried, or that it wouldn’t be profitable.

Even with 5% market-share a tremendous amount of money can be harvested, especially with a much wealthier audience.

The main problem in creating viruses for Mac OS X is not that it cannot be hacked but to create a hack that can propagate itself without hacker intervention, say, to automate the hack.

All hacks I have seen so far have this problem. It is possible to get in, but only within a restricted (user level) environment.
And even if the user is an administrator this level of authorization is never granted for the whole user session, it is requested every time a user needs this elevation, for example to install some software.
A hacker can install some kind of key-logger to get the administrator password but this introduces lots of data that is difficult to sift through automatically.
Even if someone succeeds in doing that reasonably successfully it is still needed to hide future authorization prompts from the user. It is also likely that false positives will be noticed by Mac users, which will help to track the hackers.

20 ObamaPacman { 03.29.10 at 12:24 pm }

Additional details. For example, the contest host is headed by former Palm president:

http://obamapacman.com/2010/03/pwn2own-hacking-contest-host-security-conference-cansecwest-partly-microsoft-sponsored/

@8 ulicar,
Sorry, you FAIL again. The OP article explains that Mac OS is not “first to go.” They gave Apple hackers head start in the contest (but don’t mention it), to fool people like you.

21 TheMacAdvocate { 03.29.10 at 5:26 pm }

Every time CanSecWest comes around, I look up Thurrott’s blog entry where he complains that, try as he might, he cannot isolate a particularly persistent piece of malware and is forced to do a clean install of XP.

OS X since 2001. Compromises of any sort: 0. Anyone beating a stump claiming differently can SIOOMA.

/crotchchop

22 John E { 03.29.10 at 10:06 pm }

OMG, look at the CanSec video of the “random drawing”! (thanks ObamaPacman).

what a fake! the “random drawing”. it is impossible to mix up folded pieces of paper in a small black limp (fabric?) bag like that. the on-camera shaking was pathetically lame, but even more shaking wouldn’t help. the bag is just too small and springy folded paper has tremendous friction, stays put. i know, i’ve done a lot of raffles. only can really mix folded paper like this in a big container with some kind of free-falling tumbling action. otherwise the last papers put in stay on top and are the first ones out. didn’t see the guy trying to dig deep either – that takes more time and he was going too fast. they didn’t show us the bag loading either. one person obviously wrote all the names, so they knew what order they put them in the bag.

so of course they put their favored hackers names in last. charlie miller is #2 – surprise!

the fix was in.

23 Imapolicecar { 03.30.10 at 2:13 am }

Hi anon,

“In short, your comments suck and you’re stupid and you smell like armpits.”

Unfortunately, you have to repeat that 999,999 times before it becomes true ;-)

24 ulicar { 03.30.10 at 6:26 pm }

“They gave Apple hackers head start in the contest (but don’t mention it), to fool people like you.”

O, that is the reason why Mac OSX is first to go two years in a row? It is all CIA and Vatican conspiracy against Apple! Thank you for explaining this to me! Yeah! It makes sense!

25 Per { 03.31.10 at 5:41 am }

@luisd and ShabbaRanks

Sorry for that. I promise not to feed trolls again.

26 ShabbaRanks { 04.01.10 at 5:30 pm }

@Per.

You are forgiven my son.
