Linux ignored, not immune, says hacker contest sponsor
And Vista SP1 'put a kink' in Friday's attack
Computerworld - People shouldn't read anything into the fact that of the three laptops set up for last week's "PWN to OWN" hack challenge, the only one left standing was running Linux, said the security expert who oversaw the contest.
"There was just no interest in Ubuntu," said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint subsidiary, which put up the cash prizes awarded at the contest last week at CanSecWest. "A contest such as this is not a measure of relative security between operating systems. It's not an accurate barometer."
Just because the laptop -- a Sony running the Ubuntu 7.10 distribution of Linux -- was untouched doesn't mean that the operating system is any more secure than either Mac OS X or Windows Vista, both of which fell to attacks.
"It was actually a lack of interest" on the part of the PWN to OWN contestants, Forslof said. "[Shane Macaulay's] exploit would have worked on Linux. He could have knocked it over. But [the contestants] get a lot more mileage out of attacks on the Mac or Windows," she continued.
"Linux, it is what it is. The code is a lot more transparent. But vulnerabilities for Mac and Windows, those are the ones that are going to get the press," Forslof added.
Of the three notebooks, the first to go down was a MacBook Air. That machine was hacked last Thursday, the second day of the three-day challenge, by Charlie Miller, using a zero-day vulnerability in Safari. Friday, Macaulay breached a Windows Vista SP1-powered Fujitsu using a flaw in Adobe's Flash.
In both cases, the vulnerabilities were exchanged for cash prizes -- $10,000 for Miller, half that for Macaulay -- and acquired by TippingPoint's bug bounty program, Zero Day Initiative. The bugs have been reported to Apple Inc. and Adobe Systems Inc., respectively, so that the vulnerabilities can be closed.
By design, PWN to OWN's first day was reserved for exploits of remote code vulnerabilities on the operating systems themselves. No one managed to crack a computer that day. It wasn't until the notebooks' attack exposure was expanded -- first to any client-side application installed by default with the operating system, then to a larger group of third-party applications added to the machines -- that the MacBook Air and Fujitsu dropped.
"I really wasn't expecting anything that first day," Forslof said. Not only are vulnerabilities meeting PWN to OWN's first-day criteria harder to find and exploit, but they're also probably worth a lot more than the $20,000 TippingPoint offered that day, Forslof said. "We're talking about a worm-class issue here," she said.
- Workload Change: The 70 Percent of Your Business DevOps Forgot Adding WLA early in the development process ensures that the benefits of DevOps accrue for all applications, including your batch services. This paper...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- QA Automation: Reducing Test Execution While Improving Coverage A leading capital investment firm in the US was in need of a comprehensive, cost effective and flexible solution to reduce their existing...
- Turning Insight Into Action: Social Media Intelligence The amount of data produced on social media is staggering - and so is the potential business value for enterprises that know what...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Protecting Critical SaaS Data Before It's Too Late In this webinar, you'll hear how to avoid SaaS data loss through best practices from a panel of experts. All Operating Systems White Papers | Webcasts