iPhone 4 and Blackberry fall at Day Two of Pwn2Own

The annual Pwn2Own contest is going on at the CanSecWest conference in Vancouver. Pwn2Own is an interesting contest where security experts are unleashed upon the software products that we use every day. If the products can be hacked, the successful exploiters win cash, hardware and bragging rights.

Day one was browser attack day and the Safari browser was the first to fall followed by Internet Explorer 8:

The first browser to fall in the three-day hacking contest was Safari, running on a 64-bit version of Mac OS X. It was cracked by a team from Vupen Security in five seconds – all the team had to do was point the browser at a site containing their malicious code to take advantage of a vulnerability in WebKit.

That flaw was yesterday fixed by Apple, but the patch came too late to make it into the browser for the contest.

The second browser to fall was IE8 running on a 64-bit version of Windows 7. It was hacked by researcher Stephen Fewer using a trio of vulnerabilities.

Chaouki Bekrar, who successfully hacked Safari on a fully patched MacBook, explains the hack on eWeek:

The winning exploit bypassed ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two key anti-exploit mitigations built into Mac OS X. The team had to launch the calculator application and write to a file on the computer to prove the exploit had successfully gained full user access on the hijacked machine.

“The victim visits a Web page, he gets owned. No other interaction is needed.”

Internet Explorer 8 was compromised by a combination of 3 attacks, 2 of which were zero-day exploits. Chrome and Firefox were also on the list for day one, but no challengers came forth.

Day two was all about smartphones. The iPhone 4 and RIM’s BlackBerry Torch both fell to the hackers. Windows Phone 7 and Android went unscathed as yet again no challengers showed up to attack them:

The iPhone 4 was taken out by Charlie Miller, setting a record by winning for a fourth year in a row. The flaw he and partner Dion Blazakis used has already been mitigated by Apple’s iOS 4.3 release.

Another team of researchers, Willem Pinckaers and Vincenzo Iozzo, managed to crack a BlackBerry Torch 9800. Each team takes home $15,000 and the handset.

The contest is not all about hacking. The exploits used in the contest are turned over to the sponsor, who in turn releases the information to the manufacturer so security adjustments can be made.

Backtrack 4: How to use Metasploit Training Class

I was going to do some training videos on how to use Backtrack 4. I did some searching to see what was already out there (why re-invent the wheel?) and I found some amazing videos on how to use the Metasploit program in Backtrack 4. If you are looking for some top-notch training from some top-notch experts, look no further.

These are, by far, some of the best training videos I have seen on Metasploit. It is a taped security conference from the ISSA Kentuckiana Chapter and is billed by Adrian Crenshaw as being “more Metasploit than you can stand!”

The instructors are Adrian “Irongeek” Crenshaw, David “ReL1K” Kennedy (creator of the Social Engineering Toolkit), Martin “PureHate” Bos, Elliott “Nullthreat” Cutright, and Pwrcycle.

Topics include:

  • Introduction to Metasploit in Backtrack 4
  • Scanning and Pivoting
  • Fuzzing and Exploit Development
  • Meterpreter and Post Exploitation (and a demo of Metasploit Express)
  • Social Engineering Toolkit
  • Encoding fun and Fast Track

The class was held as a charity event with the request that attendees donate to Johnny Long’s Hackers for Charity program. I learned more about Metasploit in a few hours than I have in months playing with it myself. This is definitely worth checking out.

A link to Irongeek’s site, downloadable videos and the Hackers for Charity food program link can be found here

Wardrive shows Wireless Networks still Wide Open

A wardrive was performed at a recent computer security class in Texas. The results… stunning.

Wardriving usually consists of driving around in a vehicle searching for Wi-Fi wireless networks using Aircrack-ng, Netstumbler, Kismet or another similar program. Information can be gleaned from available Wi-Fi networks, including what type of security they are using. It is the modern version of wardialing, which was very popular in the ’80s and early ’90s, where hackers would call blocks of numbers looking for a computer.

According to the graph, 13% of the Wi-Fi networks had no security at all. And a whopping 45% were using WEP, which was cracked long ago. Only 18% were using WPA2. So in effect, 58% of the detected networks would have been easy pickings for a hacker. They might as well have hung a big “Welcome!” sign on their network.
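The breakdown above (open, WEP, WPA, WPA2, and the open-plus-WEP “easy pickings” share) can be computed from any scan listing of your own networks. The script below is an added example, not code from this post or from any of the tools it names; the scan lines are constructed, and their privacy labels (OPN, WEP, WPA, WPA2, WPA2WPA) follow the convention used by airodump-ng’s CSV output, while the three-column layout is an assumed simplification.

```python
"""Score each network by the weakest security mode it accepts and report the
share of networks that are open or WEP-only, mirroring the wardrive graph."""
import csv
import io
from collections import Counter

# Constructed sample scan (assumed simplified layout: bssid, essid, privacy).
SAMPLE_SCAN = """bssid,essid,privacy
00:11:22:33:44:01,coffee_shop,OPN
00:11:22:33:44:02,home_net,WEP
00:11:22:33:44:03,linksys,WEP
00:11:22:33:44:04,office,WPA2
00:11:22:33:44:05,guest,WPA
00:11:22:33:44:06,mixed_ap,WPA2WPA
00:11:22:33:44:07,legacy,WEP
00:11:22:33:44:08,neighbor,WPA2
"""

# Weakest first.  A mixed WPA2/WPA access point still lets clients associate
# with WPA, so it is scored as WPA rather than WPA2.
_MODES = ("OPN", "WEP", "WPA", "WPA2")


def classify(privacy: str) -> str:
    """Map a privacy label such as 'WPA2WPA' to the weakest mode it accepts."""
    label = privacy.strip().upper()
    if label in ("", "OPN", "NONE"):
        return "OPN"
    remainder = label.replace("WPA2", "")  # 'WPA2WPA' -> 'WPA', 'WPA2' -> ''
    if "WEP" in remainder:
        return "WEP"
    if "WPA" in remainder:
        return "WPA"
    if "WPA2" in label:
        return "WPA2"
    return "UNKNOWN"


def summarize(scan_csv: str) -> dict:
    """Per-mode percentages plus the open-or-WEP 'easy_pickings' share."""
    rows = list(csv.DictReader(io.StringIO(scan_csv)))
    counts = Counter(classify(r["privacy"]) for r in rows)
    total = max(sum(counts.values()), 1)  # avoid dividing by zero on empty scans
    pct = {m: round(100 * counts[m] / total, 1) for m in _MODES}
    pct["easy_pickings"] = pct["OPN"] + pct["WEP"]
    return pct


def flag_insecure(scan_csv: str) -> list:
    """ESSIDs that should be reconfigured or replaced: no security or WEP."""
    rows = csv.DictReader(io.StringIO(scan_csv))
    return [r["essid"] for r in rows if classify(r["privacy"]) in ("OPN", "WEP")]
```

On the constructed sample this reports 12.5% open, 37.5% WEP, 25% WPA and 25% WPA2, so half the networks are easy pickings.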

San Francisco did not fare much better:

Here, 47% had either no security or easily defeated security. WPA is not 100% safe either; your safest route is the current WPA2.

I was actually shocked at the high percentage of unsecured Wi-Fi systems. With the dangers of Wi-Fi so well known, it just doesn’t make sense. In fact, for a product to even qualify for the Wi-Fi label, it must support WPA2 security. And that has been the standard since 2006!

You would think that at this stage of the game, manufacturers would have taken the choice out of consumers’ hands and made WPA2 the default security setting out of the box.

Please check your Wi-Fi security settings to be sure that they are not set to “WEP” or worse yet, “None”. Also, if you have a wireless box that only supports WEP, it needs to be replaced with a newer, more secure version. When hackers scan your network from across the street, you want them to find a “No Admittance” sign!

(Photos courtesy of Sam Bowne. Sam has done amazing work in advancing the legitimacy of Ethical Hacking in mainstream academia. Check out his website at http://samsclass.info/)