Familiar faces, new names step up at Pwn2Own hacking contest
Past winner, target of Sony lawsuit, others prep for $125,000 contest
Computerworld - The Pwn2Own hacking contest next month will feature its largest-ever crew of contestants, including past winners, a French security firm armed with a bagful of bugs and an iPhone jailbreak expert who has been sued by Sony.
"The major difference this year is the sheer number of interested parties," said Aaron Portnoy, manager of TippingPoint's security research team. "Either the contest is becoming more popular or more people are comfortable exploiting mobile devices this year."
TippingPoint is again sponsoring Pwn2Own, a hacking challenge now in its fifth year. The contest will kick off March 9 at the CanSecWest security conference in Vancouver, British Columbia.
Eleven individuals or teams have registered for Pwn2Own, which will pit the researchers against four Web browsers -- Apple's Safari, Google's Chrome, Microsoft's Internet Explorer (IE) and Mozilla's Firefox -- as well as against smartphones running Apple's iOS, Google's Android, Microsoft's Windows 7 Phone and RIM's BlackBerry OS. The cash prizes for this year's Pwn2Own total $125,000, also a record.
More of the eleven entries will take on the smartphones than the browsers, another first for Pwn2Own.
Among the entries -- four of which granted anonymity by TippingPoint -- are both familiar names and new faces.
Charlie Miller, the only researcher to have won at Pwn2Own three years running, will go for a "four-peat" by trying to exploit Safari, and with Dion Blazakis, who like Miller works for the Baltimore-based consulting firm Independent Security Evaluators, will also tackle the iPhone.
Dan Holden, the director of HP DVLabs, the research arm of TippingPoint, highlighted several of the new faces, including George Hotz, Jon Oberheide and the French security firm Vupen.
Hotz, a well-known iPhone hacker, made news last month when he and others were sued by Sony after he showed how to jailbreak a Sony PlayStation 3 game console. Based on a random drawing, Hotz will get first crack at a Dell Venue smartphone running Windows Phone 7.
Oberheide, co-founder and chief technology officer at two-factor authentication software company Duo Security, is first in line to exploit a Samsung Nexus S running Android.
"What Pwn2Own is good at is getting incredibly bright people, who are well-known in the security community, but then making them visible to the IT industry in general," said Holden.
Vupen, meanwhile, is the first security company to field a team at Pwn2Own, and will be the first to take on Safari and the second to attack IE.
"We know the Vupen guys very well, and they know vulnerability discovery very well," Holden said. "We're glad Vupen's involved because they bring a new element -- a brand associated with the contest, rather than just individuals."
Vupen is known for taking a different tack than most security researchers: The company only reports bugs to vendors that have contracted for its services. In several cases last year and so far in 2011, Vupen has been among the first to break news of a bug in Microsoft's Windows operating system.
Both of Vupen's hacking attempts will be based on unreported vulnerabilities, confirmed Chaouki Bekrar, the company's CEO and head of research.
"To target Safari on Mac OS X Snow Leopard, we will use a highly reliable exploit taking advantage of a critical and unreported vulnerability," Bekrar said in an e-mail reply to questions.
- iPhone, BlackBerry tumble to Pwn2Own hackers
- Researcher chains three exploits to take down IE8 at Pwn2Own
- Safari, IE hacked first at Pwn2Own
- Researcher blows $15K by reporting bug to Google
- Microsoft won't patch IE before Pwn2Own
- Apple to patch Safari before Pwn2Own, say researchers
- Mozilla follows Google, patches Firefox as prep for Pwn2Own
- Three-time Pwn2Own winner knocks hacking contest rules
- Familiar faces, new names step up at Pwn2Own hacking contest
- Update: Firefox update will patch CSRF bug, Mozilla says
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts