Security Lessons Learned from Pwn2Own Contest
The CanSecWest security conference is going on this week in Vancouver. Part of the CanSecWest conference is the annual Pwn2Own contest where security researchers show off their hacking expertise and compete to exploit and compromise fully-patched systems--a challenge the security researchers seem to overcome with surprising ease year after year.
Two security researchers succeeded in exploiting a fully-updated iPhone 3GS in a matter of seconds--the first time the iPhone 2.0 has been hacked . Charlie Miller, famous for compromising a fully-patched Macbook the past two years, succeeded once again in hacking the Macbook to take the Pwn2Own prize. Another researcher bypassed Microsoft security controls like ASLR and DEP to compromise a 64-bit Windows 7 system.
There are two lessons for businesses to learn about security here, right off the bat. First, using Apple hardware and software is not an adequate defense, in and of itself. Despite the common perception that the Mac OS X operating system is just inherently more secure than Windows, the reality is that the primary reason Macs aren't attacked and compromised more often is that the platform with 92 percent market share promises malware developers a significantly higher return on investment than the platform with 5 percent market share.
Ironically, while there are admittedly no real malware threats circulating in the wild for the Mac OS X platform, the perception of inherent security makes Mac users more vulnerable in other ways. Many Mac users are so sure that the platform is impervious that they are oblivious to security concerns at all. Unfortunately for them, phishing attacks and identity theft are a function of social engineering more than security technology, and the lack of awareness makes Mac users more gullible.
The second lesson from Pwn2Own is that the browser is the new Achilles heel of security regardless of the hardware or software platform. The iPhone hack leveraged an unknown vulnerability in the Safari mobile Web browser. The Macbook attack by Charlie Miller also went through the Safari Web browser to get to the operating system. And, the 64-bit Windows 7 compromise relied on an exploit of Internet Explorer 8.
Contrary to the mantra to abandon Internet Explorer for "more secure" Web browsers, though, a recent study actually showed Internet Explorer 8 to perform significantly better than other browsers in defending against socially-engineered attacks. The operating system platform the browser is running on also has a significant impact on the security of the browser.
The number one lesson to take away from the Pwn2Own contest, though, isn't about which platform is more secure, or which browser was hacked the fastest. The important lesson to learn is that all platforms and browsers are vulnerable to an attacker with sufficient dedication and resources.
There is a common misperception that the targets of the Operation Aurora attacks earlier this year in China could have avoided being exploited and compromised had they just used a Web browser other than Internet Explorer.
This perception assumes that the attackers discovered a security hole in Internet Explorer, developed an exploit for it, and then sought out targets that use Internet Explorer as the default Web browser to attack and compromise. This logic seems reasonable because it fits--more or less--with the traditional model for malware attacks.
However, a targeted attack takes the opposite approach. A targeted attack identifies a target, researches what operating system, applications, and Web browser are used by the target, and then examines those products to find security vulnerabilities and develops exploits specifically aimed at compromising that specific target.
Using Mac OS X instead of Windows 7, or using Google Chrome instead of Microsoft Internet Explorer will not prevent a dedicated attacker from mounting a targeted attack.
I am not suggesting that you give up and simply abandon security. However, I am stressing that you not view anything as a security "silver bullet". It's not about choosing the right operating system, or the right Web browser, or even the right city.
Regardless of those choices, awareness and common sense are still the deciding factors in remaining secure. The Pwn2Own exploits against the iPhone and the Macbook both relied on luring the user to a malicious Web page to execute the attack. If users are aware of security risks, and have the common sense not to click on unknown or shady links, attacks such as these would not succeed.
Maybe Apple should go ahead and approve that Opera Mini Web browser for the iPhone so users have another, possibly more secure option than Safari, though. Just in case.