CanSecWest amps up 'PWN to Own' challenge with more prizes


The security conference that last year made headlines with a hacking challenge whose winner walked away with a $10,000 prize will reprise the contest next week -- this time with more money at stake, the contest's organizer said today.

CanSecWest, which will run from March 26 to 28 in Vancouver, British Columbia, will feature a second "PWN to Own" contest that pits researchers against a trio of laptops armed with the latest versions of Windows Vista Ultimate, Mac OS X 10.5 and the Ubuntu Linux distribution, said Dragos Ruiu, the conference's organizer. The first to hack one of the laptops by exploiting a remote preauthentication code-execution vulnerability in a default service on the notebook's operating system will take home the machine and a $10,000 prize.

3Com Corp.'s TippingPoint unit and its Zero Day Initiative bug-bounty program is providing the cash, as it did last year.

"We wanted it to be a live-fire exercise," said Ruiu. "We debated the format of this for months before we came up with the three-OS idea."

At last year's CanSecWest, Dino Dai Zovi and his on-site partner Shane Macaulay took honors when they hacked a MacBook running Mac OS X 10.4, a.k.a. Tiger, by exploiting an until-then-unknown QuickTime vulnerability. Their exploit got even more attention when some Apple users refused to accept the results, which in turn opened up an online argument about Mac OS X's security prowess.

"[Last year] was a win-win-win for everybody, and it worked out great," said Ruiu. "Apple got to fix its stuff, TippingPoint got the vulnerability, and Dino and Share got the limelight for a little while."

This year's challenge, however, will be much more structured. "Last year, we were kind of flying by the seat of our pants," said Ruiu. Next week's revamped contest will be the result of months of planning and work by a number of people,including Lt. Col. Ron Dodge, who teaches at the U.S. Military Academy at West Point. "We've been hashing out the details for weeks," Ruiu said.

For example, the laptops will be accessible only via a crossover cable, and any wireless- or Bluetooth-based attacks will be verified off-site, said Ruiu, to make sure there isn't a repeat of last year, when someone claimed to have nicked the exploit over a wireless connection during the challenge and let it loose on the Web. The claim was later discovered to be bogus.

Also unlike last year, each hacker or hacker team gets just 30 minutes before the next in line gets a crack. "And Shane [Macaulay] and Dino [Dai Zovi] will be there, going head to head," said Ruiu. "Last year, no one was really prepared for [the contest], but I've heard of a couple of people who will come loaded for bear.

"It should be a fairly colorful environment," he said.

And perhaps more profitable. TippingPoint has upped its contribution to the hacking contest. In addition to offering a $10,000 prize to the first person or group to hack one of the laptops with a remote code-execution exploit, it will also provide a $5,000 prize to any zero-day vulnerability exploited in a long list of client-side applications on the notebooks, as well as a $5,000 bonus to the "best bug" during the contest.

The client-side applications up for prizes, according to a blog post today by Terri Forslof, TippingPoint's manager of security response, include Adobe's Flash and PDF file format, Microsoft's IE and Outlook, Mozilla's Firefox, Apple's Safari and Mail, Skype and Java. Apple's QuickTime is notably absent.

"[The] winning entries must be true zero-day," said Forslof. "They may not have already been submitted to the affected vendor or to third parties."

"I think this will be a lot of fun," Ruiu concluded. "There's always a lot of uncertainty in an exercise like this."