Hackers beat Firefox and Safari to earn $105K at Pwn2Own

Zero-day exploits earned hackers $105,000 in total on Thursday during the second day of the Pwn2Own contest in Vancouver, British Columbia. Packed into a small basement room, a rapt crowd watched as Richard Zhu successfully hacked Firefox and gained control of the target computer to win $50,000 and clinch the overall victory for the competition. That was in addition to his wins on Wednesday, when he earned $70,000 by successfully targeting Microsoft Edge with an exploit that took him almost a week of work to develop. Zhu, a veteran of the world-class Carnegie Mellon University capture-the-flag (CTF) team as well as of previous Pwn2Own competitions, had a particularly memorable run against Microsoft Edge when he debugged his exploit on the fly and on the clock, succeeding on his third and final attempt. It followed a three-strike failure when Zhu opened the contest with an unsuccessful attempt to hack Safari, Apple’s default browser. “I put a lot of work into […]

The post Hackers beat Firefox and Safari to earn $105K at Pwn2Own appeared first on Cyberscoop.


Safari, Microsoft Edge exploits earn hackers $135k at Pwn2Own

Zero-day exploits netted hackers $135,000 in total on Wednesday during the Pwn2Own contest in Vancouver, British Columbia. Exploits targeting the Apple Safari and Microsoft Edge web browsers were the highlight of the first day of Pwn2Own, a zero-day vulnerability hacking contest organized by Trend Micro’s Zero Day Initiative. Some of the best hackers in the world attended this year for a chunk of $2 million in prizes. One of the biggest wins of the day belonged to Samuel Groß (saelo), who successfully targeted Apple Safari with a macOS kernel escalation of privilege. He capped off his $65,000 payday with a bit of showmanship by signing the touchbar on a MacBook Pro:

“Success! Samuel Groß (@5aelo) manages to pop calc and brings back his trademark touchbar finesse. Now off to the disclosure room for confirmation and vendor notification. pic.twitter.com/REQh1kHBjB” — Zero Day Initiative (@thezdi), March 14, 2018

Richard Zhu, a veteran of Pwn2Own, competed twice on Wednesday. […]

The post Safari, Microsoft Edge exploits earn hackers $135k at Pwn2Own appeared first on Cyberscoop.


Look-Alike Domains and Visual Confusion

How good are you at telling the difference between domain names you know and trust and imposter or look-alike domains? The answer may depend on how familiar you are with the nuances of internationalized domain names (IDNs), as well as which browser or Web application you’re using.

For example, how does your browser interpret the following domain? I’ll give you a hint: Despite appearances, it is most certainly not the actual domain for software firm CA Technologies (formerly Computer Associates Intl Inc.), which owns the original ca.com domain name:

https://www.са.com/

Go ahead and click on the link above or cut-and-paste it into a browser address bar. If you’re using Google Chrome, Apple’s Safari, or some recent version of Microsoft’s Internet Explorer or Edge browsers, you should notice that the address converts to “xn--80a7a.com.” This is called “punycode,” the ASCII-compatible encoding that lets domain names written in non-Latin alphabets like Cyrillic and Ukrainian be represented in the DNS, and that these browsers display instead of the look-alike characters.

Below is what it looks like in Edge on Windows 10; Google Chrome renders it much the same way. Notice what’s in the address bar (ignore the “fake site” and “Welcome to…” text, which was added as a courtesy by the person who registered this domain).
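The conversion the post describes can be reproduced offline with Python's standard library, which implements the same IDNA/punycode encoding the browsers apply. The script below is an added example and not code from the original post: it converts the Cyrillic look-alike to its xn-- form, back again, and flags labels that mix non-ASCII scripts into an otherwise Latin name, the check a mail or proxy filter would make before trusting a displayed hostname. The small CYRILLIC_LOOKALIKES table is a hand-built, partial list assumed for illustration, not Unicode's full confusables data.

```python
import unicodedata

# Assumption: a partial, hand-built table of Cyrillic letters whose glyphs
# render like Latin ones. Unicode's confusables.txt is far larger.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
}


def to_punycode(domain: str) -> str:
    """Return the ASCII form (xn-- labels) a browser shows for an IDN."""
    # The stdlib 'idna' codec applies nameprep and punycode per label.
    return domain.encode("idna").decode("ascii")


def from_punycode(domain: str) -> str:
    """Decode an xn-- domain back to its Unicode form."""
    return domain.encode("ascii").decode("idna")


def scripts_in(label: str) -> set:
    """Unicode script names (first word of the character name) used by
    the non-ASCII characters of one DNS label."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split(" ")[0])
    return scripts


def analyze(domain: str) -> dict:
    """Summarise how a domain will be displayed and whether any label
    uses non-ASCII characters, which is the homograph warning sign."""
    labels = domain.lower().split(".")
    non_ascii = [lab for lab in labels if scripts_in(lab)]
    all_scripts = set().union(*(scripts_in(lab) for lab in labels))
    # The ASCII name the look-alike is imitating, per the table above.
    imitates = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in domain.lower())
    return {
        "unicode": domain,
        "punycode": to_punycode(domain),
        "non_ascii_labels": non_ascii,
        "scripts": sorted(all_scripts),
        "ascii_lookalike": imitates,
        "suspicious": bool(non_ascii),
    }


if __name__ == "__main__":
    # Constructed sample: Cyrillic "es" + Cyrillic "a", as in the post.
    fake = "\u0441\u0430.com"
    for name in (fake, "ca.com"):
        report = analyze(name)
        print(f"{report['unicode']!r:>12} -> {report['punycode']:<15} "
              f"scripts={report['scripts']} suspicious={report['suspicious']}")
    print("decoded:", from_punycode("xn--80a7a.com"))
```

Running it prints `xn--80a7a.com` for the Cyrillic input and leaves the real `ca.com` untouched; a filter that renders every hostname through `to_punycode` before comparison never sees the two names as equal, which is the property the browsers in the post rely on.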

Apple offers another Meltdown fix for Mac users…

For Apple users worried about the Spectre and Meltdown CPU security vulnerabilities, it’s been a busy and slightly confusing few weeks.

Sensor data can be used to guess your PIN, unlock your phone

Turns out that those sensors in your smartphone that do all kinds of cool, magical things like give you directions, find your friends, let your Uber or Lyft driver find you, and a host of other conveniences have a not-so-cool downside.