iPhone, IE, Firefox, Safari get stomped at hacker contest

It was another grim day for internet security at the annual Pwn2Own hacker contest Wednesday, with Microsoft's Internet Explorer, Mozilla's Firefox and Apple's Safari and iPhone succumbing to exploits that allowed them to be remotely commandeered. Like dominoes falling in rapid succession, the platforms were felled in the …


This topic is closed for new posts.

      1. Anonymous Coward

        Oops, and safari

        EOM

  1. Robert Carnegie Silver badge

    Opera just updated to 10.51, coincidence?

    According to slightly fractured English at http://www.kommunikationsforum.dk/michael-valiantin-rasmussen/blog/google-chrome-the-only-safe-browser-in-a-canadian-contest

    "Opera has been hacked" previously. Apparently Chrome - and Opera - survived at last year's event.

    I use Opera because I get to keep a lot of web sites open at once, and graphics-optional. I used an Opera version first on machines that basically couldn't run another browser, like Windows 3.1.

    Opera's 0.0x increment editions are bug fixes and security fixes, usually.

    I wonder if it was Firefox 3.6.2 that got cracked this time (security fix), or 3.6.

    Multiple-platform browsers like Opera and Firefox are liable to offer multi-platform vulnerabilities... does Linux support DEP anyway?

  2. Jamie Kitson

    Re: Opera - the only one not hacked

    > and the one hackers themselves use..

    > Says a lot about its security....

    You missed the point, read it again.

  3. MarkOne
    Stop

    @Robert Carnegie

    Opera wasn't hacked in the contest, nor was Chrome. Everything else was. And as for sandboxing, that does not really offer any value to security; it just means one tab is isolated from another. It's still got the same hooks to the OS that all browsers need to a certain degree.

    I ONLY trust Opera, purely because it's got a proven track record of taking security seriously, and when something does crop up, it's always sorted promptly. It's also rather swish and VERY fast. It also doesn't need bloated plugins to do what I want to do. It's got them all in there.

    1. Anonymous Coward
      FAIL

      Sigh... Opera wasn't on the systems!

      Of course it wasn't hacked. IT WASN'T THERE TO BE HACKED.

      Read the fucking rules of the competition before posting stupid shit, you fucking retards.

  4. Michael C
    Stop

    Stop scaring people

    (Most) of these hacks are useless. You'd make most people think we could steal their bank accounts simply by identifying the IP address of their device... Other than for Windows, no, none of these "Owns" actually provided that.

    Take the iPhone: Only if directed to a specific website can it be compromised, and even then it simply dumps the SMS history file. No contact database, no account settings, no passwords, can't install a bot, can't take over the device; just a simple trick to get it to release a file which can surely be easily patched.

    Safari? Great, lots of hacks. Did any of them result in permission escalation that would allow the installation of a dangerous application (keylogger, bot, something that can corrupt data, steal the keychain file, etc.)? No. It simply provided the person on the other end the ability to access files that Safari otherwise could, and only manually, not with some automated code. Even half of that only works if no AV software or white list app was in use.

    Windows is a gaping hole, yes we all know. Get in through any browser and permission escalation almost isn't even necessary, but even so it's still easily accomplished. However, as dangerous as the browser itself might be, did anyone even point out that the single most dangerous thing is DOWNLOADING?

    Simple rules:

    1) Never click a link unless that link is on a known trusted site and the hyperlink matches the link text. When in doubt, type the base site URL in and browse to the link manually.

    2) Run both AV and AS software (even on macs). Use a blacklist (if not a white list), to avoid going to potentially dangerous or known hacked sites.

    3) Never run as root; when possible, disable default admin accounts completely.

    4) Never store passwords, SSNs, or any other important information in unencrypted systems.

    5) Use IE only when it's required explicitly by the site (and question why that is if it is). Use Opera or Chrome.

    6) Download only when necessary, and only from trusted sources, and scan all files before they're opened. If you really must use torrents, do that in a VM or alternate machine that is clean of any sensitive information.

    7) Only use online banking if it supports dual factor authentication. Pay online using a real credit card, a debit card if you don't have one, and never use your checking account number online if it can be avoided.

    8) If your bank doesn't provide fraud protection on your debit card, change banks. Check to see if they offer it on checking as well.

    9) Use very strong passwords, and never use the same password on more than one site. Spend $10 on a good password manager application, and change all your site passwords regularly.

    10) Be VERY careful about social networks. Never add someone as a friend just because they asked; you should actually KNOW them. Don't post anything online ever that you would not otherwise want to make public to the entire world, even in private parts of your site.

    11) Set your default browser to one you DON'T use, that has no plug-ins installed, and is set to the tightest possible security settings. If a link opens in your default browser, and it's safe, copy the link into the browser of your choice.

    12) Never forget, no company will EVER e-mail you to go to their site about a security or account change issue.

    13) Unsubscribe from everything, get off all mailing lists, and tell your friends and family to take you off theirs as well. Use an alternate e-mail account when sites make you provide one, and keep your private e-mail, business e-mail, and "other" e-mail completely separate.

    14) USE A HARDWARE FIREWALL, and keep the software firewall in your OS on, don't run services you don't have to, and keep sharing on your notebook turned off outside your home.

    Limiting your surface area is a much more effective prevention against hackers than is actually securing the system. If they can't see your IP, external penetration attacks are useless. If you don't do stupid things, follow their links, or download infected apps, you have essentially taken away every vector they have into your machine. Almost every single hack used in this contest required the user to do something (most commonly go to a web site). YOU are the security hole...

    1. Wolf 1
      FAIL

      You should do more reading

      The guy who hacked the iPhone specifically said he could have gotten email, contacts, photos or anything else he wanted, he just chose the SMS.

      As for hijacking a browser to go somewhere, that's pathetically easy. One way is to compromise the *ads* running on a trusted site.

      This *IS* scary stuff. iPhones are owned by people who haven't a clue about what to do or not do; mixed with Apple's official smugness, this makes it seriously dangerous.

      One poster mentioned hacking the GPS function. How'd you like to be the target of a mugger who knows this hacker...

      Phones are a whole other level of danger because you carry them with you in public. And people do stupid things like text to someone they're having an affair with. Blackmail gold!

  5. M Gale
    Thumb Up

    Next week's news story

    Delete all browsers and make do with Telnet, German govt warns.

    1. Anonymous Coward
      Unhappy

      Following week....

      ..telnet insecure, use the browsers again warn German Goverment.

      1. Anonymous Coward
        Happy

        A few days later....

        Browsers still insecure, use SSH and learn to spell government.

        Germans have lost interest....

  6. Mike Powers
    Alert

    iPhone: Oh no, not my SMS

    They might see that one where my girlfriend took a picture of her backside and sent it to me. THEY COULD FIND OUT WHAT MY GIRLFRIEND'S BUTT LOOKS LIKE. This is clearly a sign of horrible security holes.

    1. Mister Tea

      Re: iPhone: Oh no, not my SMS

      If you're not bothered about the picture getting out in the wild would you mind posting it up somewhere so we can all take a look?

      Don't forget to include the girlfriend's name and phone number so we can give her a call and let her know about the "horrible security hole"!

  7. Anonymous Coward
    Joke

    iPhone owners...

    ...will probably want to avoid the News of the World website then.

  8. asdf
    Gates Horns

    actually

    >"Microsoft researchers, who were present en masse at the contest, are investigating the report and will issue a patch if their findings warrant it"

    >Which means either in 6 years, or never.

    As much as I love to bash M$ for their business practices, just the fact they take this event seriously and have auto update etc. shows they have really come a long way in the last five years. They handle security issues much better than many other large software houses <cough Adobe, Oracle>. Granted, if they had taken security seriously starting in the early 90s, they and we would be in a much better place, but hey, as anybody in the industry knows, legacy code is a bitch. I guess having your dirty underwear aired via the worm of the week will get even a multibillion dollar corp.'s attention.

  9. Anonymous Coward
    Black Helicopters

    No need to hack to mug/attack

    "Muggings to order (Find me a victim walking within 1 mile of here): the prospect of being able to open up a mobile device to hacking is actually quite scary."

    I seem to recall an episode of Top Gear where Stephen Fry was talking about an iPhone app called Grinder which lets you find like minded, same sex people in your area.

    I am surprised it's not standard issue on the BNP company iPhones for a spot of gay bashing.

    There are probably other apps out there with similar functions that any scumbag could use for the purpose of mugging people.

  10. Neil Greatorex
    Pint

    @Mike Powers

    I'm very jealous that your girlfriend has a Butt, wish mine had one.

    Mmmm. 144 gallons of beer. Mmmm
