Recent Blog Posts

MacBook Air hacked in ‘two minutes’

The MacBook Air was the first computer to fail in a hacking contest between Apple, Windows and Linux laptops at the CanSecWest security conference in Vancouver, British Columbia.

Charlie Miller, the participant who was able to hack into the MacBook in two minutes, won $10,000 – plus the MacBook laptop that he successfully hacked.

No one was able to hack into any of the machines through the network on the first day of the contest. Mr Miller was able to do so once the event’s organisers allowed the hackers to direct the human operators of the three machines to visit websites and open emails.

While details of the hack are not being made public, experts are assuming that the vulnerability must be within Apple’s Safari browser because Mr Miller was only able to use software preinstalled on the Mac laptop.

Rich Mogull, the new security writer at Tidbits, wrote: “Although we need to take contests like these with a grain of salt, we can’t dismiss the results. Since it took Mr Miller only two minutes to compromise the MacBook Air, it’s clear that he walked in the door with a complete exploit ready to go.”


Spoofing warning for Firefox users

Users of Mozilla Firefox are vulnerable to phishing attacks because the pop-up dialogue box for password entry in the latest version of the web browser can be spoofed, a leading security researcher has warned.

Aviv Raff claims a vulnerability in the way that Firefox displays authentication dialogs allows cyber criminals to obtain username and password information by deceiving users into thinking they are giving their details to a reliable source.

In an advisory, he wrote: “Mozilla Firefox allows spoofing the information presented in the basic authentication dialog box. This can allow an attacker to conduct phishing attacks by tricking the user to believe that the authentication dialog box is from a trusted website.”

Mr Raff has posted a video on the popular video sharing website YouTube to show how criminals can exploit the vulnerability and he is urging Firefox users not to provide any usernames and passwords to any sites using the basic pop-up dialogue box method of authentication.

Last month Mr Raff highlighted a security loophole in Google’s Toolbar browser utility that allowed phishers to spoof a URL in a dialog box that popped up when users tried to download new toolbar buttons.


Domain-name issue could aid eavesdroppers

Microsoft warned companies on Monday that a flaw in the way Windows searches for Web proxies could allow an attacker to reroute traffic through a malicious server.

The security issues occur when a Windows computer attempts to find a proxy server using Microsoft’s Web Proxy Automatic Discovery (WPAD) technology and the organization’s domain name starts at the third level or deeper, such as somecompany.co.jp, the software giant stated in an advisory. The WPAD search first attempts to find the server using the fully-qualified domain name (FQDN) and, if it doesn’t find the server, will try the next higher level of the domain name. For example, a search for a proxy server in somecompany.co.jp will look for servername.somecompany.co.jp and then move on to servername.co.jp, which could be a malicious server outside the company’s network.

“At this time, we are not aware of attacks attempting to use the reported vulnerability, but we will continue to track this issue,” Tim Rains, a spokesman for the Microsoft Security Response Center, said on the team’s blog. “The advisory contains several mitigations that customers can use to help protect themselves from attackers.”
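The search order described above can be audited against a host inventory. The following is an added example, not code from the original post or from Microsoft's advisory; it assumes the lookup uses the host label `wpad` (the article's "servername"), that the walk stops once two labels remain, and a constructed list of client hostnames.

```python
from collections import defaultdict

WPAD_LABEL = "wpad"  # host label WPAD clients look up; the article calls it "servername"


def wpad_candidates(client_fqdn, label=WPAD_LABEL):
    """Names tried in order: parent domain first, then one level up on each miss.

    Simplified model (assumption): the walk stops once two labels remain,
    which reproduces the somecompany.co.jp -> co.jp step in the article.
    """
    labels = client_fqdn.lower().rstrip(".").split(".")
    domain = labels[1:]  # drop the client's own host label
    names = []
    while len(domain) >= 2:
        names.append(".".join([label] + domain))
        domain = domain[1:]
    return names


def is_inside(name, org_domain):
    """True if name is the organisation's domain or a subdomain of it."""
    org = org_domain.lower().rstrip(".")
    return name == org or name.endswith("." + org)


def external_lookups(client_fqdns, org_domain):
    """Map each out-of-organisation WPAD name to the clients that could query it."""
    exposed = defaultdict(list)
    for fqdn in client_fqdns:
        for name in wpad_candidates(fqdn):
            if not is_inside(name, org_domain):
                exposed[name].append(fqdn)
    return dict(exposed)


# Constructed inventory: hostnames are illustrative, not from the advisory.
INVENTORY = ["pc1.sales.somecompany.co.jp", "pc2.somecompany.co.jp"]

if __name__ == "__main__":
    for name, hosts in external_lookups(INVENTORY, "somecompany.co.jp").items():
        print(f"{name} is outside the organisation; reachable from {hosts}")
```

A host under a second-level domain such as example.com yields no external names under this model, which is why the issue is tied to organisations whose domain starts at the third level or deeper.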
