back to article iPhone, IE, Firefox, Safari get stomped at hacker contest

It was another grim day for internet security at the annual Pwn2Own hacker contest Wednesday, with Microsoft's Internet Explorer, Mozilla's Firefox and Apple's Safari and iPhone succumbing to exploits that allowed them to be remotely commandeered. Like dominoes falling in rapid succession, the platforms were felled in the …

COMMENTS

This topic is closed for new posts.
  1. ZedroS
    Paris Hilton

    Linux hacks ?

    Hi

    There was no mention of some linux hacks there, just Firefox.

    Does it mean that hacking firefox on a linux platform would be the whole platform at risk ? Or would it be just according to the current user rights ?

    Thanks in advance

    zedros

    Paris 'cose she wouldn't know neither

    1. Chemist

      Re Linux hacks ?

      Without a privilege escalation it should only affect the current user's account

      1. Chemist

        Re Linux hacks ?

        Would the 'expert' who down-voted this care to give an explanation

        1. Anonymous Coward
          Pint

          Explanation "Experts"

          Ex - "Former" or "Has been"

          Spurts - "Drips under pressure."

          Your explanation is that there are lots of 'experts' on these boards.

          Beer - cause it is close to Friday. OK it is Friday someplace.

        2. Chemist

          Re : Re Linux hacks ?

          "Would the 'expert' who down-voted this care to give an explanation"

          No ? - I thought not

          1. Jodo Kast
            Stop

            what is the point

            Why are you baiting the trolls? Who cares if your comment gets downvoted?

            Have you entered the real world or you still love in your mum's basement? Why worry about such trivialities? It doesn't make sense.

            I don't buy it. I say you're trolling for info that could easily be found by searching the net.

            1. Chemist

              Re : what is the point

              Someone asked a question and some of us grown-ups did our best to answer. You, on the other hand, contributed nothing.

            2. Anonymous Coward
              Anonymous Coward

              Humans

              We are a gregarious species. Those of us a with a reasonably mature and undamaged psychology place some store in what other people think of us. That you (and a lot of IT-tards) don't is testament not to your superiority, but your inability to understand and manage one of your most basic urges.

              Therefore, when chemist asks why his factual response was down-voted, he is simply exhibiting a mature and well-adjusted attitude to social matters.

              It is not, and never has been, cool or clever or in any way "better" to not care in the slightest what other people think; rather it's one of the key indicators of psychopathy.

              How's your basement? The chains pinch much?

            3. M Gale
              Badgers

              "or you still love in your mum's basement?"

              Wrong on so many levels.

    2. Rattus Rattus

      Re: ZedroS

      A simple (and very pertinent) question and he gets multiple downvotes, really? So I guess some commentards have a knee-jerk reaction and just automatically downvote anything that happens to mention Linux, regardless of the context.

      & to ZedroS: as Chemist said, without a separate privilege escalation the attacker would presumably be confined just to the rights of the user whose Firefox session got pwned.

  2. Bilgepipe

    Money

    "He said he found all of them using the same rudimentary, five-line script written in Python, raising the very legitimate question: If he can find them, why haven't people working on Apple's security team found them, too?"

    Because they don't get to prostitute themselves for financial gain. If Miller was really as holier-than-thou as he claims, perhaps he might just go and tell Apple, and Microsoft and Mozilla, about these hoards of flaws instead of using them to win prize money and fondle his ego.

    1. Steve Evans

      Email

      The article does refer to Apple applying band-aids every time he emails them, so to me that sounds like he does inform them.

      What's wrong with earning some cash from this? The man has to eat, and I'm damn sure Apple don't say "Thank you very much" and hand him a cheque every time he emails them an exploit. Which is a pity as I'm sure browser security would improve no end if the browser authors actually compensated security researchers for their hard work.

    2. J 3
      Joke

      @Money

      "Because they don't get to prostitute themselves for financial gain."

      Of course they do! They work for Apple [or insert favorite tech... oh hell, make it ANY company], FFS...

  3. BristolBachelor Gold badge
    Joke

    Issue a patch?

    "Microsoft researchers, who were present en masse at the contest, are investigating the report and will issue a patch if their findings warrant it"

    Which means either in 6 years, or never.

    1. Anonymous Coward
      Stop

      Actually

      MS consistently have been quicker getting patches for security flaws to end users than Apple or the various Linux distros. Check your facts before making such comments.

      I believe MS has an average of around 16 day turn-around on fixes which is only bettered by RedHat at 12. The less said about Sun the better (3+ months!)

      1. Anonymous Coward
        Headmaster

        Re: Actually

        I think the use of the "joke alert" icon generally suggests that the post is not to be taken seriously.

      2. Steven Knox
        Boffin

        Says who?

        "I believe MS has an average of around 16 day turn-around on fixes which is only bettered by RedHat at 12. The less said about Sun the better (3+ months!)" [citation needed]

        Really, if you want people to check their facts, perhaps you could do as much and tell us where you got your "facts". Was it from a sponsored study or an independent review? Did it weigh the severity of the fixes, or was a 10-day turnaround for a low-risk vuln given the same value as a 10-day turnaround for high-risk ones? How large was the sample size, and what correlation methods did they use?

        I DON'T know who's been better, but that's because I DO know that all of the "studies" I've seen on this issue have either been sponsored (resulting in biased or simply hidden methodology) or poorly designed (or, more commonly, both).

  4. Bonce
    Unhappy

    Ouch!

    The iPhone spilling its SMS database to a malicious website is a very worrying turn of events, not just for iPhone users but for ALL smartphones. Sent and received (and deleted!) SMSs are probably the most personal information most people routinely carry around with them (think Tiger Woods!) with the possible exception of emails. Bit of a wakeup call eh?

    I guess the lesson we can all take away from this is, if you *really* value the privacy of the data on your phone, turn off bluetooth and wifi and never use it to connect to a website. Kind of defeats the point of a smartphone doesn't it?

  5. Spiracle

    A simple way to stay secure

    "I use Opera, but that's basically because it has a tiny market share and as far as I know, nobody is really interested in creating a drive-by download for opera. The web at the moment is pretty scary, actually."

    As always the simplest way to choose a secure platform is to keep and eye on the stats for browser and OS market share and pick a combination near the bottom.

  6. Dodgy Geezer Silver badge
    Gates Horns

    Security by 'keeping your head down...'

    "The problem Microsoft has is they have a big market share, said Vreugdenhil, the hacker who attacked IE. "I use Opera, but that's basically because it has a tiny market share and as far as I know, nobody is really interested in creating a drive-by download for opera. The web at the moment is pretty scary, actually."

    Yup. I used to run a virus lab, and that's the reason I use Opera as well. That, and the fact that it's fast, and very standards-compliant....

  7. b166er

    At last

    from the horses mouth, platform doesn't matter.

    5 lines of Python...shame on you Apple.

    1. Anonymous Coward
      Grenade

      Trojan man

      I wrote a trojan in our company's proprietary language in 3 lines of code. It's not the size that matters. Then again, I wrote an assembly application back in the days that pitch-shifted WAV files -- all in 53 bytes.

      AC for OBVIOUS reasons.

  8. Anonymous Coward
    Anonymous Coward

    This contest is flawed

    yes it helps in one way..but...

    Say you found a flaw 6 months ago and you may get a thankyou (if lucky) from vendor for letting them know. Or you hold onto that flaw for 6 months and then release it at the competition. Hey presto 10k / 100k and a thankyou.

    So does this promote security or not?

    1. Anonymous Coward
      Happy

      No it isn't.

      Say you had to decide between hunting for flaws or picking your bum.

      Hunting for flaws nets you the best part of sod-all: Pick your bum.

      Hunting for flaws nets you $10k: Hunt for flaws.

      So yes, rewarding people for finding security flaws promotes security.

  9. Anonymous Coward
    Pint

    "Why didn't they find and fix this?"

    Always love the "if I can find this bug, why couldn't Apple/Microsoft/Linux kernel developers" questions. Because they're busy building the o/s, that's why. How many operating systems have the guys mentioned in the article built and offered to the community?

    And while they were building them did they fix a lot of security issues with them? Yes? Well done. But not all of them? Oh wow, would never have seen that coming.

    And yes, Apple probably would find it easier to patch bugs if you share your method of searching for bugs with thme, rather than just mailing them about the individual bugs. Well spotted, eventually.

    1. Wolf 1

      Um, not really

      "Always love the "if I can find this bug, why couldn't Apple/Microsoft/Linux kernel developers" questions. Because they're busy building the o/s, that's why. "

      Kind of a silly argument there. MS, Apple, etc hire *thousands* of programmers. Surely they could spare 2 or 3 for vulnerability checking.

      Oh, and Charlie Miller's making a presentation on how he finds bugs. :) Wonder if Apple has any employees there to hear it?

      1. Keith Doyle
        Thumb Down

        Busy bloating the OS you mean...

        "Always love the "if I can find this bug, why couldn't Apple/Microsoft/Linux kernel developers" questions. Because they're busy building the o/s, that's why. "

        And this is what is fundamentally wrong with commercial products. The most important feature of any software product is to be completely secure. But when security isn't there, it's a bug fix to correct, not a feature upgrade (since it's supposed to be there in the first place). Commercial vendors need to get you to pay for an upgrade, which they can't really do for mere bug fixes, so they have to add fancy features that you probably don't need, inevitably making the products even more complex and even more insecure in the process. If they weren't in such a hurry to sell you a new version, they could spend more time getting it right before they change it into something new. "build an os?" what a laugh, they need to SIMPLIFY the OS, because an OS doesn't need to be that complex, and it's easier to secure a simple design than a complex one. Examples-- we didn't need ActiveX, or .NET, or Silverlight, or Vista, or IE for that matter, Microsoft did. Less is more.

        1. Anonymous Coward
          FAIL

          Some balance?

          "The most important feature of any software product is to be completely secure."

          Ah - wrong. I could make a car that is made out of cement and has no engine and the tires don't turn. No one would/could steal it. But it would be an awful car. There needs to be some balance between usefulness and security.

          1. Anonymous Coward
            Anonymous Coward

            Good balance.

            Absolutely.

            And this is what annoys me in the Web App Sec community sometimes. Not every web app is a bank. Not everyone wants to jump through two factor auth just for a quick El Reg troll.

            Yes, it's usually a good idea to carry out all the basics, checking data as it crosses app layers, access control, etc, but sometimes users would rather have the risk of user enumeration that comes with a verbose logon procedure, and sometimes a business has to respond to its users ...

  10. Anonymous Coward
    Gates Horns

    Becoming a favourite target

    How long before the iPhone becomes a favourite target for hackers?

    It's closed nature makes it an easier target once the hackers have worked out how to get in there in the first place, the agreements are designed to keep the good guys out, the bad guys don't give a sh1t. It popularity will provide a big enough pool of victims. There are probably a lot more ways of turning a profit from a hacked iPhone particularly if they find ways to make calls or to access the GPS info, targeted ads? Muggings to order (Find me a victim walking with 1 mile of here) the prospects of being able to open up a mobile device to hacking is actually quite scary.

    Even the example hack of stealing the contacts and text messages is an open invitation to blackmail. Spot texts to the wife, spot texts to the girl friend. Text victim, do these people know about each other? Would you like me to text them and explain?

  11. Anonymous Coward
    Anonymous Coward

    Opera - the only one not hacked..

    and the one hackers themselves use..

    Says alot about it's security....

    1. Anonymous Coward
      FAIL

      Opera isn't on the systems

      You can't hack what isn't there.

  12. volsano

    QA costs money

    Key questions for me are:

    Do last year's exploits still work?

    If not, it is a vaguely encouraging sign that vendors take note of this level of exposure.

    Why don't vendors pay double the prize money if an exploit is directly reported to them?

    That would have several useful results:

    -- bugs fixed quicker;

    -- more incentive for white hats to work on problems, and for gray hats to turn their results in to the vendors rather than elsewhere

    -- better publicity fallout when the product withstands a hacker conference assault

    -- trendy marketable claims about using crowdsourced security QA

  13. heyrick Silver badge

    Microsoft researchers, who were present en masse at the contest...

    Oh for a photo of their faces at the moment when IE8/Win7 was felled (or should that be failed?).

  14. elgarak
    Thumb Down

    Those exploits are important to me, how, exactly?

    As you said: "The genius of a contest like Pwn2Own is that it exposes the insecurity of software that rarely gets exploited by criminals."

    Not sure why you consider it "Genius" -- I consider it useless. If criminals are not interested to exploit the bugs, why should I care? Who, if not criminals, would exploit my insecure software to damage me?

    Or, more blunt, there's a reason criminals are not interested in these exploits: They're useless. The criminals cannot do with them what they want to do.

    It's precisely for that reason that this 'event' is a non-show. There's nothing to see here. Move along, folks. (Though I'm happy for the guys who won the $$$)

  15. Quxy
    WTF?

    Market share == security risk?

    "The problem Microsoft has is they have a big market share"?

    Sorry, this defence of Windows' security problems gets repeated ad nauseum, but it can't be the whole story, can it? Since OSX and Linux together own about 10% of the desktop market, any reasonable person would expect there to be a pretty sizeable amount of malware (not even 0.1% of the total, let alone 10%) targeting these OSes -- especially given the fact that OSX and Linux users are far too smug to use anti-virus software. Yet there are no significant exploits against these platforms in the wild.

    Yes, I have kiddy scripts banging on my Linux servers all day long, looking for security holes. But I'm honestly curious about why the Windows desktop OS (which I rarely use) reportedly falls over like a house of cards in a breeze any time a black hat breathes on it?

    1. Arkasha
      Thumb Down

      No, not the whole story

      Obviously not. Windows has traditionally been a single-user OS where the single user runs with full admin privileges. This helps make a hacker's job a lot easier: compromise that account and you have pretty much unfettered access to the system.

      Furthermore, Windows users are more biased towards the computer-illiterate end of the market. No offence - there are some very capable people using Windows - but on the whole it's your self-employed person doing their VAT and accounts, or grandma keeping in touch with the grandchildren half-way across the world via Skype that use Windows and quite frankly don't know or understand fully the security risks. These are the people that hackers really want to target. Generally, Linux users are towards the computer-literate end of the user spectrum. I have a circle of about 40 friends and family of varying degrees of computer-literacy and it is always, without fail, the "computer numpties" - no offence Melissa and Pete ;o) - whose computers I have to sanitize every couple of months; despite all the warnings about "not doing this", "not going there", "not running that." And this is despite having good security software and the latest patches.

      However, having the largest market share (coupled with the above) probably is the biggest driver. If your intention is to cause disruption and generally create a bit of a kerfuffle why would you go after <10% of systems? Even if you managed to compromise 1% of those (over a period of time) it would be statistically insignificant compared to 10% of the other 90% of machines.

      I would point out that I use both Linux and Windows of a daily basis. I love Linux because I love scripting and programming and it's so easy to do. But I also love gaming (and hate consoles) and I'm a realist and know that the best platform for that is the PC running Windows. I've never had a virus, never had a computer I own and manage compromised in any way, never had a problem of any sorts like that. The point is, any OS is only as safe as the person managing it and all to often with Windows, that person doesn't know what they're doing.

    2. Maliciously Crafted Packet

      Agreed

      When you look at Apples premium pricing you can be sure OS X is used by the more wealthy segments of the computer using population.

      This surly must make OS X a nice fat juicy target for malware purveyors.

      Yet there has not been one self replicating virus on OS X since its inception in 2001.

      "The problem Microsoft has is they have a big market share" is the biggest line of bullshit thats been heard in tech circles over the last 9 years.

      With a 5 percent markett share (10 percent in the USA) You would have thought OS X would attract at least some malware. But it has none. How can this be so?

      Oh and shenanigans in the computing lab doesn't count. If a threat is not in the real world then it can be regarded as nothing more than the yapping of stray dogs.

      1. Anonymous Coward
        Anonymous Coward

        hmm

        but the IPhones just be owned!...

      2. Ammaross Danan
        FAIL

        Title

        Why hasn't OS X been targeted, even though it has more "wealthy" people? Most of the malware I have been being punted about recently is scareware (that in turn installs a back-door or the like). Scareware works off of numbers. If only 1 in 100 infected are stupid enough to actually pay for the stuff to "get protected," then attempting to infect a measely 5-10% of the computer population is just plain stupid. It is the same reason commercial game developers don't develop for Linux. If your goal is to make returns by getting it out to the largest possible audience for the least amount of effort (or in the case of malware, the highest chance of infection from a random visitor), you target the most popular OS. It's just icing on the cake that the most popular OS happens to have loads of stupid users.

      3. Quxy
        Thumb Up

        @Agreed

        I agree. In my experience, Apple users aren't any more computer-literate than Windows users. They're more likely to be non-technical professionals who want their computer to "just work". Maybe I'm just being politically correct, but it's hard for me to believe that a graphic designer who bought her Macbook Pro at the Apple Store is less likely to click links in questionable email than the burger-flipper who bought a budget PC at Walmart. And the OSX software environment is even more homogeneous than the variety of Windows installations out there.

      4. Anonymous Coward
        Anonymous Coward

        Title

        You missed the point slightly. First, Mac is not mentioned - just Linux and Windows. Secondly it doesn't matter the amount of money Apple users have. There's just too few of them to bother with. If there are 15 times more Windows users than Mac then you need 15 times higher infection rate on the Mac to get the same net gain. It's just not worth the effort.

        As for there being no malware on OSX, that's a downright lie. Just type in "OSX malware" to google and open your eyes, or go look at any AV manufactures database, for example: http://www.symantec.com/business/security_response/landing/azlisting.jsp?azid=O

        1. Quxy
          Gates Halo

          So that's what puts the "soft" in "Microsoft"!

          Well... Vreugdenhil was talking comparing Mac and Windows, as was I when I asked the question that started this thread.

          But I think that you've actually provided the answer to my question. Sure malware for OSX exists -- just as does malware for Linux, and my router, and the network-accessible switchgear at the electrical substation down the street. But attackers DO tend to concentrate on the softest targets; i.e. those where the largest gains can be made with the least investment (money, time, technical expertise, physical access) and least risk (legal, physical exertion). And as even the resident Microsoft fan club has pointed out, Windows is hands-down the softest target out there.

          So I've chosen St Bill, in hopes that the rest of us will be protected as long as Windows is, well, Microsoft.

      5. heyrick Silver badge

        Interesting qualifier...

        "Yet there has not been one self replicating virus on OS X since its inception in 2001."

        Does there need to be? Virus code no longer gets into computers to scramble your harddisc or display obscure political messages. It is looking to steal data. Login details, anything that can eventually be "monetized".

        Okay, granted, in many cases the OS X trojans and stuff need to be given authorisation, but how many people tend to dismiss messages without really reading them? It is easy to not be vigilant, and it is even easier when stupid people say OS X is virus free. Sure, they may only be trojans, but they can hook into other programs (which is a replication of sorts), modify application data (including /apps programs), make merry havoc with instant messaging, and rip off data.

        And that, my friend, is my definition of a successful attack. Not whether or not it has self-replicated, but whether or not data has been compromised. And using my definition, OS X is *not* as secure as you'd like us to believe. Oh, yeah, it is streets ahead of Windows, but not 100%. Nothing is.

        For your reading pleasure, here's a link: http://www.sophos.com/security/analyses/viruses-and-spyware/osxhovdya.html and Google will find a number of others. I can't tell you if there are tens or hundreds or more for OS X because, hey, it's 4.30am and I actually don't care. But I found one compromise vector. In time, others will come. Perhaps ones of the sort where you, end user, don't have to do anything in order to get pwned.

        So don't brag about never having a virus. Not having a virus is not the same as not being ABLE to have a virus.

  16. Cablegrrl
    Flame

    Just another reason....

    Just more proof that spaghetti software is crap and that all those people that have found ways to go in and around the "patches" should be the ones helping find all the flaws BEFORE this stuff hits the market in the first place imho.

  17. Atli

    It's a jungle out there!

    No place is safe and no protection invulnerable!

    ... What else is new?

  18. Hugh McIntyre

    Security on internet facing software

    It certainly seems that the current approach to browser fixes is not remotely keeping up with the exploits. Perhaps more emphasis on the following is needed:

    1. On Solaris or Linux, I can do "ssh captiveuser@localhost" and then run Firefox as that user so that even if it gets hacked, all it can do is access files of the captiveuser account, which only contains the browser profile. Possibly also in a chroot/zone. So on MacOS and Windows, maybe there needs to be more emphasis on "run sandboxed to avoid damage if exploited" at least as much as "try to avoid all the bugs up front".

    The recent browsers with "run plugins in a child process" represent a start in this direction, but only a start.

    2. The fact that we've ended up with JavaScript and Flash, plus some other culprits, all being able to run somewhat arbitrary code and then hoping to plug all of the leaks so that no hacks can occur is also asking for trouble. Apart from anything else. this ends up being a DOS attack if you have lots of windows open, all with some dubious JavaScript using up CPU in the background. And I suspect if you'd told someone in 1993-1995 that we'd allow remote Internet sites to run scripts on your computer as a side effect of viewing a remote document, they would think you were a bit mad.

    So it seems there's merit in trying to split things back to "basic script interpreter which can just alter window/form contents" and anything else claiming to be an app-in-a-web-page such as gmail would need special approval from the user to be enabled. This at least might limit some of the damage. I.e. a more built-in but also split-level "NoScript".

    Obviously these things don't stop all of the attacks because there are many other causes including fonts, but it seems that "limit the damage" is needed at least as much as "hoping this security bug is the last".

  19. David Webb

    Chrome

    Any word on Google Chrome, or is it still harder to exploit because of the sandbox mode?

  20. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Linux wasn't hacked because...

      ...it isn't used for the competition (only Windows and MacOS are for the desktops). It has nothing to do with it's security (or otherwise).

      Likewise Opera - it isn't one of the browsers used in the competition (it is only IE, Firefox and Chrome). You can't very well hack something that isn't on any of the systems in the first place.

      1. Anonymous Coward
        Anonymous Coward

        Oops, and safari

        EOM

  21. Robert Carnegie Silver badge

    Opera just updated to 10.51, coincidence?

    According to slightly fractured English at http://www.kommunikationsforum.dk/michael-valiantin-rasmussen/blog/google-chrome-the-only-safe-browser-in-a-canadian-contest

    "Opera has been hacked" previously. Apparently Chrome - and Opera - survived at last year's event.

    I use Opera because I get to keep a lot of web sites open at once, and graphics-optional. I used an Opera version first on machines that basically couldn't run another browser, like Windows 3.1.

    Opera's 0.0x increment editions are bug fixes and security fixes, usually.

    I wonder if it was Firefox 3.6.2 that got cracked this time (security fix), or 3.6.

    Multiple-platform browsers like Opera and Firefox are liable to offer multi-platform vulnerabilities... does Linux support DEP anyway?

  22. Jamie Kitson

    Re: Opera - the only one not hacked

    > and the one hackers themselves use..

    > Says alot about it's security....

    You missed the point, read it again.

  23. MarkOne
    Stop

    @Robert Carnegie

    Opera wasn't hacked in the contest, nor was Chrome. Everything else was. and as for Sandboxing, that does not really offer any value to security, it just means one tab is isolated from another. it's still got the same hooks to the OS that all browsers need to a certain degree.

    I ONLY trust Opera, purely because it's got a proven track recording on taking security seriously, and when something does crop up, it's always sorted promptly. it's other rather swish and VERY fast. it also doesn't need bloated plugins to do what I want to do. It's got them all in there.

    1. Anonymous Coward
      FAIL

      Sigh... Opera wasn't on the systems!

      Of course it wasn't hacked. IT WASN'T THERE TO BE HACKED.

      Read the fucking rules of the competition before posting stupid shit you fucking retards.

  24. Michael C
    Stop

    Stop scaring people

    (most) of these hacks are useless. You'd make most people think we could steal their bank accounts simply buy identifying the IP address of their device... Other than for Windows, no, none of these "Owns" actually provided that.

    Take the iPhone: Only if directed to a specific website can it be compromised, and even then it simply dumps the SMS history file. No contact database, no account settings, no passwords, can't install a bot, can't take over the device; just a simple trick to get it to release a file which can surely be easily patched.

    Safari? Great, lots of hacks. Did any of them result in permission escalation that would allow the installation of a dangerous application (keylogger, bot, something that can corrupt data, etc, steal the keychain file?) No. It simply provided the person on the other end the ability to access files that Safari otherwise could, and only manually not with some automated code. Even half of that only works if no AV software or white list app was in use.

    Windows is a gaping hole, yes we all know. Get in through any browser and permission escalation almost isn't even necessary, but even so it's still easily accomplished. However, as dangerous as the browser itself might be, did anyone even point out that the single most dangerous thing is DOWNLOADING?

    Simple rules:

    1) never click a link unless that link is on a known trusted site and the hyper link matches the link text. When in doubt, type the base site URL in and browse to the link manually.

    2) Run both AV and AS software (even on macs). Use a blacklist (if not a white list), to avoid going to potentially dangerous or known hacked sites.

    3) never run as root, when possible, disable default admin accounts completely.

    4) never store passwords, SSNs, or any other important information in unencrypted systems.

    5) use IE only when it's required explicitly by the site (and question why that is if it is). Use Opera or Chrome

    6) download only when necessary, and only from trusted sources, and scan all files before they're opened. If you really must use torrents, do that in a VM or alternate machine that is clean of any sensitive information.

    7) Only use online banking if it supports dual factor authentication. Pay online using a real credit card, a debit card if you don't have one, and never use your checking account number online if it can be avoided.

    8) If your bank doesn't provide fraud protection on your debit card, change banks. Check to see if they offer it on checking as well.

    9) use very strong passwords, and never use the same password on more than one site. spend $10 on a good password manager application, and change all your site passwords regularly.

    10) be VERY careful about social networks. Never add someone as a friend just because they asked, you should actually KNOW them. Don't post anything online ever that you would not otherwise want to make public to the entire world, even in private parts of your site.

    11) set your default browser to one you DON'T use, that has no plug-ins installed, and is set to the tightest possible security settings. If a link opens in your default browser, and its safe, copy the link into the browser of your choice.

    12) never forget, no company will EVER e-mail you to go to their site about a security or account change issue.

    13) unsubscribe from everything, get off all mailing lists, and tell your friends and family to take you off theirs as well. use an alternate e-mail account when sites make you provide one, and keep your private e-mail, business e-mail, and "other" email completely separate.

    14) USE A HARDWARE FIREWALL, and keep the software firewall in your OS on, don't run services you don't have to, and keep sharing on your notebook turned off outside your home.

    Limiting your surface area is a much more effective prevention from hackers than is actually securing the system. If they can't see your IP, external penetration attacks are useless. If you don't do stupid things, and follow their links, or download infected apps, you have essentially taken away every vector they have into your machine. Almost every single hack used in this contest required the user to do something (most commonly go to a web site). YOU are the security hole...

    1. Wolf 1
      FAIL

      You should do more reading

      The guy who hacked the iPhone specifically said he could have gotten email, contacts, photos or anything else he wanted, he just chose the SMS.

      As for hijacking a browser to go somewhere, that's pathetically easy. One way is to compromise the *ads* running on a trusted site.

      This *IS* scary stuff. iPhones are owned by people who haven't a clue about what to do or not do--mixed with Apple's official smugness makes this seriously dangerous.

      One poster mentioned hacking the GPS function. How'd you like to be the target of a mugger who knows this hacker...

      Phones are a whole other level of danger because you carry them with you in public. And people do stupid things like text to someone they're having an affair with. Blackmail gold!

  25. M Gale
    Thumb Up

    Next week's news story

    Delete all browsers and make do with Telnet, German govt warns.

    1. Anonymous Coward
      Unhappy

      Following week....

      ..telnet insecure, use the browsers again warn German Goverment.

      1. Anonymous Coward
        Happy

        A few days later....

        Browsers still insecure, use SSH and learn to spell government.

        Germans' have lost interest....

  26. Mike Powers
    Alert

    iPhone: Oh no, not my SMS

    They might see that one where my girlfriend took a picture of her backside and sent it too me. THEY COULD FIND OUT WHAT MY GIRLFRIEND'S BUTT LOOKS LIKE. This is clearly a sign of horrible security holes.

    1. Mister Tea

      Re: iPhone: Oh no, not my SMS

      If you're not bothered about the picture getting out in the wild would you mind posting it up somewhere so we can all take a look?

      Don't forget to include the girlfriends name and phone number so we can give her call and let her know about the "horrible security hole"!

  27. Anonymous Coward
    Joke

    iPhone owners...

    ...will probably want to avoid the News of the World website then.

  28. asdf Silver badge
    Gates Horns

    actually

    >"Microsoft researchers, who were present en masse at the contest, are investigating the report and will issue a patch if their findings warrant it"

    >Which means either in 6 years, or never.

    As much as I love to bash M$ for their business practices just the fact they take this event seriously and have auto update etc shows they have really come a long way in the last five years. They handle security issues much better than many other large software houses <cough Adobe, Oracle>. Granted if they would have taken security seriously starting in the early 90s, they and us would be in a much better place but hey as anybody in the industry knows legacy code is a bitch. I guess having your dirty underwear aired via the worm of the week will get even a multibillion dollar corp. attention.

  29. Anonymous Coward
    Black Helicopters

    No need to hack to mug/attack

    " Muggings to order (Find me a victim walking with 1 mile of here) the prospects of being able to open up a mobile device to hacking is actually quite scary."

    I seem to recall an episode of Top Gear where Stephen Fry was talking about an iPhone app called Grinder which lets you find like minded, same sex people in your area.

    I am surprised its not standard issue on the BNP company iPhones for a spot of gay bashing.

    There are probably other apps out there with similar functions that any scumbag could use for the purpose of mugging people.

  30. Neil Greatorex
    Pint

    @Mike Powers

    I'm very jealous that your girlfriend has a Butt, wish mine had one.

    Mmmm. 144 gallons of beer. Mmmm

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020