The winner of a recent hacking contest is offering the computer he broke into for sale on eBay, possibly with the Microsoft Vista attack code he used intact.
In a Monday listing, Shane Macaulay is selling the Fujitsu U810 laptop he won last Friday during the CanSecWest PWN 2 OWN contest. His listing claims that exploit code could probably still be extracted from the machine. Although he make no guarantees, he wrote, "My successfull [sic] exploitation of Vista SP1 remotely, is most likely still present."
"This laptop is a good case study for any forensics group/company/individual that wants to prove how cool they are, and a live example, not canned of what a typical incident responce sitchiation [sic] would look like."
Starting bid? $0.01.
Macaulay, a researcher with the Security Objectives consultancy, claims that his Adobe Flash exploit will affect 90 percent of computers worldwide.
...
One hacker who knows Macaulay said that the April 1 listing is "a bit coincidental," but that he may not be worried about forfeiting the $5,000 in prize money TippingPoint paid him for his hack. "He makes good money," said Marc Maiffret, an independent security researcher, in an instant message interview. "It's all just funny to him."If he's not playing an April Fool's joke, Macaulay may be running afoul of both the PWN 2 OWN contest rules, which prohibit disclosure of bug information prior to a patch. He may also be violating eBay's user agreement, which say that users may not "distribute viruses or any other technologies that may harm eBay, or the interests or property of eBay users."
Macaulay had some funny answers when asked about these issues.
On the eBay terms of service problem, he said that he knew "some highups," at the company and was "confident, when I speak with eBay they will grant me a waiver."
And does TippingPoint know about what he's doing? "I believe at some level," he answered. "I'm sure things might change as the word percolates to the executives. Maybe I shouldn't have sold the [TippingPoint] bag with the laptop!!"
----------------------
The attack code isn't for Microsoft Vista, it is for Adobe Flash. It was used against a Vista machine, but it most likely could have been used against Linux or OS X as well.
This is a 3rd party cross-platform application vulnerability, an application which happens to be installed on almost all the computers in the world.
No comments:
Post a Comment