Conference sponsors second hacking contest
Published: 2008-03-18

The CanSecWest conference announced on Tuesday the format for this year's competition in which security pros can attempt to compromise a laptop computer's operating system to win the laptop and potentially a cash reward.

Dubbed the "PWN2OWN" competition, the contest will give security professionals the opportunity to hack one of three systems: up-to-date versions of Microsoft's Windows Vista, Apple's Mac OS X, and Ubuntu Linux. To win the contest, a person must run code on the laptop using a previously unknown vulnerability in the operating system or a major application, such as a Web browser, a plug-in browser program, an instant messaging client, or an e-mail reader.

"These computers are real and fully patched," Dragos Ruiu, the organizer of CanSecWest, said in an e-mail announcing the contest. "All third party software is widely used. There are no imitation vulnerabilities. Any exploit successfully used in this contest would also compromise a significant percentage of Internet connected hosts."

The first person to compromise one of the notebook computers gets to keep the system and can submit the vulnerability to the Zero-Day Initiative run by 3Com's Tipping Point. The company pays for responsibly disclosed software flaws and could reward up to $25,000 for a vulnerability.

Last year, the Pwn (pronounced like "pon" in "pony") to Own contest featured two MacBooks, but did not attract much attention from security researchers until Tipping Point offered a $10,000 reward for any remote exploit used. Two security professionals, Shane Macaulay and Dino Dai Zovi, worked together to find a vulnerability and compromise one of the MacBooks. Macaulay got the MacBook; Dai Zovi claimed the $10,000.

Each would-be hacker can either attack the systems using a crossover cable -- creating an exclusive network connection -- or, under special circumstances, through a wireless network connection in a remote location. Each contestant will have a 30-minute slot to conduct the attack and can ask that contest officials go to a malicious Web server, read e-mail messages sent by the attacker, or add attackers to instant messaging buddy lists and read their messages.

The notebook computers being used in the competition include a Sony VAIO VGN-TZ37CN running Ubuntu 7.10 "Gutsy Gibbon," a Fujitsu U810 running Windows Vista Ultimate Service Pack 1, and an Apple MacBook Air running Mac OS X 10.5.2.

If you have tips or insights on this topic, please contact SecurityFocus.

Posted by: Robert Lemos
Copyright 2009, SecurityFocus