Sunday, 11 March 2012
Chrome hacked in less than 300 seconds
It has been a field day for a group of French hackers at the ongoing Pwn2own competition in Canada, reports ZDNet. The annual competition invites ethical hackers from around the world to attempt hacking into the most popular web browsers, exposing vulnerabilities and loopholes in the browsers' security while grabbing a handsome reward. At this year's competition, Chaouki Bekrar, the co-founder and head of research of Vupen, and his team managed to break into Google Chrome in less than 5 minutes, in the process quashing talk of the browser's unquestionable security. They used "a pair of zero-day vulnerabilities to take complete control of a fully patched 64-bit Windows 7 (SP1) machine." For the successful break-in, Vupen has won itself 32 points.
Vupen, the company whose team managed to crack open Chrome's security system, is, according to this report, "the controversial company that sells vulnerabilities and exploits to government customers." This year, their attack on Chrome was deliberate, since they wanted to tell users that no software is foolproof, "if the hackers have enough motivation to prepare and launch an attack." At last year's competition, Chrome had emerged unscathed. This time, however, Vupen, the French firm, managed to get the better of it.
Reportedly, Bekrar and his team were being constantly bombarded with headlines, all saying that Google Chrome was unbreakable and that no one could hack it. This, they say, became their biggest motivator and they "wanted to make sure it was the first to fall this year." Quoting Bekrar, the report stated, "We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox. It was a use-after-free vulnerability in the default installation of Chrome. Our exploit worked against the default installation so it really doesn’t matter if it’s third-party code anyway."
Describing the hack process, Bekrar explained that he created a web page that was booby-trapped. Then, just when the "target machine" visited the page, "the exploit ran and opened the Calculator (calc.exe) app outside of the sandbox." Explaining the process in a nutshell, Bekrar was quoted as saying, "There was no user interaction, no extra clicks. Visit the site, popped the box." Although the company now plans to sell the rights to one of the zero-day vulnerabilities, it won't be giving away the sandbox escape and plans to keep it private, just for its customers.
However, despite his victory against Chrome, Bekrar was all praise for the popular browser. In his view, "the Chrome sandbox is the most secure sandbox out there. It’s not an easy task to create a full exploit to bypass all the protections in the sandbox. I can say that Chrome is one of the most secure browsers available."
We wonder what Google have to say!
Gone in 300 seconds!
Delhi woman loses Rs 14 lakh in online fraud
NEW DELHI: A south Delhi resident was duped of Rs 14 lakh when she fell for a fake lottery offer. Sonia (name changed) had received an SMS on New Year's Eve, which said she had won 1 million.
A series of emails and phone calls from Delhi, Mumbai and the UK followed. She readily gave all the details she was asked for. Then she was asked to pay Rs 32,000 as the first installment, as a clearance fee. That was just the beginning. She realized she had been duped after depositing around Rs 14 lakh in different accounts across the country.
Sonia had returned home last year after working in the UAE as a PR executive with a multinational company. She spent all her life savings, FDs and even her parents' money on this. And when she fell short of money, she took a bank loan to pay the fraudsters.
But she realized she had been duped only after she approached the Reserve Bank of India. She sought help from the crime branch. The Economic Offences Wing of the crime branch has registered a case of fraud under Section 420 of the IPC.
A senior cop said on condition of anonymity, "People should understand that they cannot win a lottery of one million pounds sitting in Delhi or any other city for that matter. These mails and messages should be ignored or reported to us. No one should divulge any personal details to strangers who use the internet to cheat people."