Fedora Linux Support Community & Resources Center
  #1  
Old 30th March 2008, 05:51 PM
pete_1967 Online
Clueless in a Cuckooland
 
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 4,329
Leopard falls first in hacking contest

Although the article concentrates on Apple, this is very much Linux related (move to Wibble if you disagree though):
Quote:
Leopard has been hacked in under two minutes using a flaw in Safari, while Vista and Ubuntu continue to stand firm.

The competition took place at the CanSecWest security conference in Vancouver, and pitted hackers against three laptops running Vista Ultimate SP1, Leopard OS X 10.5.2 and Ubuntu 7.10 to discover which was the most vulnerable.

A MacBook Air running a fully-patched version of Leopard succumbed in under two minutes, hacked by security researcher Charlie Miller who used a technique similar to a phishing attack, which involved clicking a link to a website containing malicious code, which allowed him to remotely access the machine.

Miller had been working on the exploit in the three weeks following the announcement of the challenge. He previously made a name for himself hacking the iPhone, though the Leopard exploit was far more lucrative bagging him a £5,000 prize from sponsor Tipping Point, who has notified Apple of the flaw.

At the time of writing both Vista and Ubuntu have yet to be compromised.
Original article: http://www.pcpro.co.uk/news/182370/l...g-contest.html

More articles about this: http://www.newstin.co.uk/sim/uk/4987...-010-001502598

Although not OS's fault, I got a bad feeling this will reflect badly on FreeBSD as well.

Note: Vista fell on last day. They didn't manage crack Linux (Ubuntu in this occasion) at all though.
__________________
A Drink is Not Just For Christmas - SaskyCom :thumb:


“Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime” so now go and...
RTFM FIRST: http://docs.fedoraproject.org/ & http://rute.2038bug.com/index.html.gz
Reply With Quote
  #2  
Old 30th March 2008, 06:00 PM
Nokia Offline
Registered User
 
Join Date: Aug 2006
Location: /dev/realm/{Abba,Carpenters,...stage}
Posts: 3,286
What has FreeBSD to do with Safari ?
__________________
For safer browsing, use OpenDNS nameservers 208.67.222.222 and 208.67.220.220

SELinux User Guide

AutoPager
Reply With Quote
  #3  
Old 30th March 2008, 06:03 PM
pete_1967 Online
Clueless in a Cuckooland
 
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 4,329
About as much as IE has to do with Windows. But when a flaw in a browser allows an attacker to take control over your whole system. I'm sure even you understand that that doesn't reflect well on the OS.
__________________
A Drink is Not Just For Christmas - SaskyCom :thumb:


“Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime” so now go and...
RTFM FIRST: http://docs.fedoraproject.org/ & http://rute.2038bug.com/index.html.gz
Reply With Quote
  #4  
Old 30th March 2008, 06:07 PM
Nokia Offline
Registered User
 
Join Date: Aug 2006
Location: /dev/realm/{Abba,Carpenters,...stage}
Posts: 3,286
Thanks, I didn't knew about the close relationship between the two (Safari and FreeBSD that is )

And you're right, "even me" understands...
__________________
For safer browsing, use OpenDNS nameservers 208.67.222.222 and 208.67.220.220

SELinux User Guide

AutoPager
Reply With Quote
  #5  
Old 30th March 2008, 06:32 PM
scottro Offline
Retired Community Manager -- Banned from Texas by popular demand.
 
Join Date: Sep 2007
Location: NYC
Posts: 8,142
Yes, Safari is now part of the FreeBSD O/S. (For those unfamiliar with the O/S, that's a joke--FreeBSD's default installation doesn't have a GUI.)
==================
A quote that might help from http://lists.freebsd.org/pipermail/f...il/001239.html

The microkernel is MACH, but the microkernel isn't the whole kernel. GNU
Hurd uses MACH, as did the Linux kernel in the mkLinux distro for Mac.
(Actually, "MACH" is a whole family of related microkernels).

Mac's operating environment is Darwin. This is an open source BSD style
Unix. It was derived from BSD codebases, of which FreeBSD was one.

It gets confusing because GNU and Microsoft have managed to label
everything from the kernel to the desktop as "operating system". Darwin
is more than an operating system, which is why I used the term
"operating environment" earlier. Most of the userand is derived from
FreeBSD, with additions from GNU.

Apple does use FreeBSD. But not all of Darwin is FreeBSD nor is all of
FreeBSD in Darwin.
=======================

Actually, of the three, Mac is the only one that is certified as a Unix.
I can't really see it hurting FreeBSD, but if it does, no doubt it will hurt less than the years of lawsuits with AT&T and FreeBSD will survive.
Reply With Quote
  #6  
Old 30th March 2008, 07:09 PM
pete_1967 Online
Clueless in a Cuckooland
 
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 4,329
Quote:
Originally Posted by scottro
I can't really see it hurting FreeBSD, but if it does, no doubt it will hurt less than the years of lawsuits with AT&T and FreeBSD will survive.
Not in that respect, nor I say anywhere that it will hurt - I say "reflect" - two completely different things, but as you are well aware, Apple's OS's security is regularly credited to its FreeBSD base nowadays, so now this insecutiry will be as well.

It doesn't really matter whether it has anything to do with actual security of FreeBSD versus Apple's bastardized version of it, it's the perception that people have that does.
__________________
A Drink is Not Just For Christmas - SaskyCom :thumb:


“Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime” so now go and...
RTFM FIRST: http://docs.fedoraproject.org/ & http://rute.2038bug.com/index.html.gz
Reply With Quote
  #7  
Old 30th March 2008, 08:01 PM
Reisswolf Offline
Registered User
 
Join Date: May 2006
Posts: 337
Vista was the next to fall. A Flash vulnerability felled at towards the end of the contest.

That left Ubuntu as the only survivor. Absolutely fantastic!

I don't know for sure, but I seriously doubt that the installation of Ubuntu used SELinux. With SElinux, Fedora is likely even more secure.
__________________
Registered user # 441814
Reply With Quote
  #8  
Old 30th March 2008, 08:05 PM
Nokia Offline
Registered User
 
Join Date: Aug 2006
Location: /dev/realm/{Abba,Carpenters,...stage}
Posts: 3,286
Ubuntu is using AppArmor...which is less than fortunate apparently.
__________________
For safer browsing, use OpenDNS nameservers 208.67.222.222 and 208.67.220.220

SELinux User Guide

AutoPager
Reply With Quote
  #9  
Old 31st March 2008, 12:33 AM
pete_1967 Online
Clueless in a Cuckooland
 
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 4,329
Quote:
Originally Posted by Nokia
Ubuntu is using AppArmor...which is less than fortunate apparently.
Is it enabled by default?

Just curious since those test boxes were default installations (+ updates).
__________________
A Drink is Not Just For Christmas - SaskyCom :thumb:


“Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime” so now go and...
RTFM FIRST: http://docs.fedoraproject.org/ & http://rute.2038bug.com/index.html.gz
Reply With Quote
  #10  
Old 31st March 2008, 12:46 AM
bob Offline
Administrator (yeah, back again)
 
Join Date: Jul 2004
Location: Colton, NY; Junction of Heaven & Earth (also Routes 56 & 68).
Age: 69
Posts: 22,177
From what I've read, the guys were well versed in macs, so that probably had a lot to do with the mac dropping first. Actually, they discovered some flaws in linux but weren't willing to put in the time necessary to exploit them. As in real life, the payoff wasn't worth the effort, but nothing's perfect if you really want to attack it full force for long enough.
__________________
Linux & Beer - That TOTALLY Computes!
Registered Linux User #362651


Don't use any of my solutions on working computers or near small children.
Reply With Quote
  #11  
Old 31st March 2008, 12:50 AM
Nokia Offline
Registered User
 
Join Date: Aug 2006
Location: /dev/realm/{Abba,Carpenters,...stage}
Posts: 3,286
I hope I'm not mistaking here: If there is, it appeared in Gutsy and it's not a default. If there isn't, it will be by the end of the month when Hurdy's due.

The reason I cannot be more specific about it is that on all my boxes I dist-upgraded to Gutsy from at least one installation back (although I have boxes running Ubuntu for ~ two years and dist-upgraded to the latest version) Yet I never had the chance to install Gutsy and I think there might be differences.

So I am ~90% sure Gutsy hasn't AppArmor enabled. I've seen AppArmor in OpenSUSE and there's no such thing in Ubuntu.

Hope I'm not missleading here
__________________
For safer browsing, use OpenDNS nameservers 208.67.222.222 and 208.67.220.220

SELinux User Guide

AutoPager
Reply With Quote
  #12  
Old 31st March 2008, 06:38 AM
notageek Offline
Registered User
 
Join Date: Jan 2008
Location: Bangalore, India
Posts: 2,146
Vista laptop fails security test.

According to an article in computer world.

http://www.computerworld.com/action/...&taxonomyId=16

Quote:
March 30, 2008 (Computerworld) A security researcher on Friday exploited a critical bug in Adobe Systems Inc.'s Flash Player to hack a notebook running Windows Vista Ultimate, the second machine to fall in this year's "PWN To OWN" challenge.

The only unclaimed laptop of the original trio by the contest's end was a Sony Vaio running the Ubuntu distribution of Linux.

Shane Macaulay, a consultant with Security Objectives, claimed the $5,000 cash prize by breaking into a Fujitsu U810 running Windows Vista Ultimate SP1 late Friday. According to 3Com Inc.'s TippingPoint, which put up the prizes for the three-day hacker challenge at CanSecWest, Macaulay exploited an unidentified zero-day vulnerability of the ubiquitous Flash Player.

Macaulay, who was assisted by Derek Callaway, also of Security Objectives, and Alexander Sotirov, an independent researcher, was the second PWN To OWN winner. Thursday, Charlie Miller from Independent Security Evaluators hacked a MacBook Air using a vulnerability in Apple Inc.'s Safari browser to win the notebook and a $10,000 check from TippingPoint.

The Austin, Tex.-based security company, perhaps best known for its Zero Day Initiative (ZDI) bug bounty program, announced Macaulay's win in a post to its blog.

Like Miller, Macaulay was bound by a nondisclosure agreement with TippingPoint, which under the PWN To OWN rules acquired the vulnerability its ZDI. TippingPoint said it has reported the bug to Adobe. "Until Adobe releases a patch for this issue, neither we nor the contestants will be giving out any additional information about the vulnerability," the company said in the blog post.

The hack challenge, which kicked off last Wednesday, expanded the notebooks' exposure to attack after the first and second days. No one, for example, walked away with the first day's $20,000 prize, which had required that researchers break into one of the laptops using a remote code-execution exploit that didn't rely on any user interaction. Miller won his $10,000 and the MacBook Air after attacks were allowed on installed-by-default applications, and user action could be replicated.

On Friday, when Macaulay took down Windows Vista, contest organizers added a number of popular third-party client applications to the remaining two notebooks, including Adobe's Acrobat Reader and Flash Player, the Firefox browser, and Skype, a voice-over-Internet program.

Adobe patched Flash Player several times last year. The most recent large-scale security update was issued last December to plug nine holes in the software.

Macaulay also had a part in 2007's inaugural PWN To OWN contest, which pitted a single computer, a MacBook Pro, against all comers for a $10,000 prize. Although Dino Dai Zovi provided the QuickTime exploit that hacked the machine last year, Macaulay served as his on-site partner.
Reply With Quote
  #13  
Old 31st March 2008, 09:11 AM
kona0197 Offline
The Wibble Rouser
 
Join Date: Mar 2005
Age: 39
Posts: 4,160
Interesting...
__________________
Custom Desktop | Intel Pentium E5400 Dual-Core CPU - 2.7 GHz | 4 GB DDR2-800 RAM | 120 GB HDD | Nvidia GeForce 7050 Graphics | DVD-RW | Windows Vista SP1

No fate but what we make...
My Blog: kona0197.wordpress.com
Reply With Quote
  #14  
Old 31st March 2008, 02:52 PM
forkbomb Offline
Registered User
 
Join Date: May 2007
Location: U.S.
Posts: 4,851
As I commented on Digg (and oddly my comment got dugg down), I think more testing is needed. This is hardly proof that Linux is the most secure and Macs are the most insecure - yet some people are sadly taking this as proof of the "unhackability" of Linux (the term "hack" being misused as is typical).
__________________
- Tom
"What is freedom? To have the will to be responsible for one's self." - Stirner
Reply With Quote
  #15  
Old 31st March 2008, 02:59 PM
leigh123linux
Guest
 
Posts: n/a
Threads merged
Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Apple Snow Leopard Wayne Wibble 15 27th August 2009 12:26 AM
How to Dual Boot Fedora and Leopard OS X from External HD? LeecherSeeder Installation, Upgrades and Live Media 0 11th February 2009 12:10 AM
The axe falls on XP Dan Wibble 26 1st July 2008 05:44 PM
Leopard-Inspired Ideas for Fedora 8!!! HudsonMan Linux Chat 15 22nd June 2007 06:30 PM
Yum update falls over wrightkevin Installation, Upgrades and Live Media 4 29th July 2006 01:57 PM


Current GMT-time: 05:58 (Sunday, 26-10-2014)

TopSubscribe to XML RSS for all Threads in all ForumsFedoraForumDotOrg Archive
logo

All trademarks, and forum posts in this site are property of their respective owner(s).
FedoraForum.org is privately owned and is not directly sponsored by the Fedora Project or Red Hat, Inc.

Privacy Policy | Term of Use | Posting Guidelines | Archive | Contact Us | Founding Members

Powered by vBulletin® Copyright ©2000 - 2012, vBulletin Solutions, Inc.

FedoraForum is Powered by RedHat
Portugalete Travel Photos on Instagram - Patnos - Ngunut Travel Photos on Instagram