Vancouver, CANADA Hundreds of security professionals and hackers flowed through a smallish room overlooking the harbor at the Marriott Renaissance Hotel on Wednesday, where three laptops wait to be compromised by some ingenious attacker in the second annual PWN2OWN contest.
Rather than heading for the table with the notebook computers, however, the attendees of the CanSecWest Conference headed for the drinks and snacks.
Perhaps the first day's rules are too onerous: Attackers must use a remote exploit that does not require any user interaction. Or perhaps the reward of $20,000 is too small, since any vulnerability that can be exploited remotely could potentially be sold for a much higher amount to a private third party.
The contest organizers expected little action on the first day, according to Terri Forslof, manager of security response for TippingPoint, which is sponsoring the competition.
Under the first day's rules, "that is not an easy target," she said.
This year's PWN2OWN competition allows contestants the chance to attack one of three laptop computers. ("Pwn" -- slang which means to compromise a system -- is pronounced like "pon" in pony.) Compromise any of the computers -- running the latest versions of Apple's Mac OS X, Microsoft Windows Vista and Ubuntu Linux -- and the attacker gets both the system and a cash prize depending on the type of vulnerability they used. Last year, when the contest offered up two MacBooks as targets, researchers Shane Macaulay and Dino Dai Zovi teamed up to use a vulnerability in the way QuickTime handles Java to compromise one of the machines, taking home $10,000 and the MacBook.
On Monday, security firm Tipping Point boosted its top bounty in the contest to $20,000 for contestants that exploit a remote vulnerability in a way that does not require user interaction. The boost in the bounty came after researchers criticized the company for the more modest prizes announced last week.
Some security researchers have already signed up to try to compromise the systems on the second and third days, when the rules allow lesser attacks and the contestants are rewarded with lesser prizes.
"There are people who have exploits and are ready to use them," said Dino Dai Zovi, the security manager who won the contest last year.
If a security researcher uses a more severe exploit to compromise a laptop on Day 2 or Day 3 of the competition, they will still get the larger cash prize, Forslof said.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos