Laptops 1, Hackers 0 as $20,000 prize goes unclaimed in hack challenge
'Pwn to Own's' first day ends with no break-in; $10,000 at stake today
Computerworld - The first day of a hacker challenge that pits researchers against a trio of laptops, with thousands of dollars in prize money on the line, ended without a winner, the contest sponsor said Thursday.
"We had only one attempt at the remote configuration of the machines," said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint unit. The vulnerability research company put up the prize money for "Pwn to Own," the hacker contest being held at CanSecWest, a security conference that opened Wednesday in Vancouver, British Columbia. "There was a lot of limelight and attention, newspapers, TV and radio broadcasts, and so I'm not sure if that played a part in scaring people away."
Pwn to Own's rules for Wednesday required researchers to break into one of the three machines using a remote code-execution exploit of a zero-day -- or previously unknown -- vulnerability. At stake: the laptop and a cash prize of $20,000.
When the challenge resumes at 12:30 p.m. PDT, the laptops' exposure to attack will be expanded: Hackers will be allowed to attack any client-side applications installed by default on the computers. That means exploits relying on duping a user into following a link in an e-mail or visiting a malicious Web site -- the typical way criminals compromise computers in the real world -- will be permitted starting this afternoon. The prize for second-day exploits, however, drops to $10,000, half the amount on the table yesterday.
After consulting with the CanSecWest organizers, TippingPoint simplified the prize awards just before the conference opened to make it a "best of the best" challenge that offered only one cash prize per laptop. To balance the reduction in the number of prizes, TippingPoint doubled the dollar amounts of the top two awards. For instance, when the second-annual Pwn to Own was conceived, TippingPoint set $10,000 as the top prize and said it would issue multiple $5,000 awards.
If no one hacks into a machine today, several popular third-party applications will be added to the laptops, giving researchers more ways to break in. The case prize drops to $5,000 on Friday.
But Forslof expects to be handing out a check today. "I've heard a lot of buzz, a lot of talk about this vulnerability or that one that people say they have," she said.
Last year's CanSecWest made headlines with the debut of Pwn to Own, which was won by Dino Dai Zovi and Shane Macaulay when they hacked the one MacBook in the challenge. Their exploit of an unknown QuickTime vulnerability made even more news when some Apple users refused to accept the results and claimed that the attack was bogus.
This year's contest features three systems: a Sony Vaio VGN-TZ37CN running Ubuntu 7.10, a Fujitsu U810 notebook running Windows Vista Ultimate SP1 and an Apple MacBook Air running OSX 10.5.2.
Read more about Security in Computerworld's Security Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts