There are various ways to do it and I’ll be interested to see which are used in the contest, the most elegant solutions of course get better prizes.

Security firms have split over the merits of a hacking contest aimed against anti-virus packages planned for August’s Defcon conference.

Anti-virus firm Sophos reckons the exercise will serve only to increase the volume of malware in circulation, further taxing the resources of already hard-pressed security firms. However, net security services firm MessageLabs reckons the proposed Race to Zero competition has some merits as an exercise. It compared the wheeze to penetration testing against corporate networks.

During the proposed Race to Zero contest, delegates to the Defcon hacker conference will be invited to develop techniques to modify supplied virus samples so that these variants are able to evade detection by anti-virus packages. The contest will progress in difficulty leading to awards at its conclusion including “most elegant obfuscation” and “most deserving of beer” as well as an overall winner.

I am of course pro-knowledge, so I think this contest is a great idea. As stated similar research conducted in the past has been useful..so why not this time?

Personally I think signature based virus detection is very weak and heuristic scanning is nowhere near as good as it should be. The AV vendors needs to get their collectives acts together and develop some cool new stuff that effectively blocks unknown malware rather than permanently playing a catch-up game.

Contest organisers said that the exercise will help to demonstrate shortcomings in signature-based virus detection. They also want to highlight weaknesses among anti-virus vendors exposed by the testing process, which will involve passing modified samples through a number of antivirus engines housed on a closed portal. Modified samples will not be released into the wild, the organisers explain. Results of the contest, a fringe event planned outside the main Defcon conference programme, are due to be presented during the annual Las Vegas-based hacking jamboree.

Despite these assurances some security vendors are less than impressed. Graham Cluley, senior technology consultant for Sophos, said: “The last thing the world needs is more malware. It’s really disappointing to see that Defcon appears to be condoning the creation of malware in this way.

“If people really want to test the quality of different anti-virus products there are well established ways of doing it – and testing industry initiatives like ATMSO are working hard at improving standards,” he added.

I would have thought Sophos were amongst the more progressive AV vendors, but it seems not so. Anyway it’s definitely something to watch and we’ll be keeping an interested eye on it.

Source: The Register

Not one person entered the first day, perhaps they don’t want to divulge those heavy exploits…or perhaps no one had any. The second day had a lot more entrants. It’ll be interesting to see what the 3rd day turns up when everything is open to attack.

A brand-new MacBook Air running a fully patched version of Leopard was the first to fall in a contest that pitted the security of machines running OS X, Vista and Linux. The exploit took less than two minutes to pull off.

Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. The feat won him a $10,000 prize paid by Tipping Point, whose Zero Day Initiative pays bounties to researchers for responsibly disclosing vulnerabilities.

Interesting the exploit came in Safari, but gave full control. Still $10,000 is not bad for a days work (I’d imagine though he’s probably prepared the exploit earlier).

I was somehow expecting Mac to fall first.

At time of writing, the Windows and Linux machines were still standing.

Under contest rules, Miller was forbidden from providing specifics of his hack. He said he chose Apple over the other machines because “I thought of the three it was the easiest”. He said he didn’t test the exploit on any other platform. As a Mac user, he added, he felt an incentive to exploit the system because he believes it will help make the platform stronger.

Miller’s win came on day two of the contest, which gradually eases the rules for what constitutes as qualifying exploit. Not a single attendee entered the contest on day one, when all vulnerabilities had to reside in the machine’s operating system, drivers or network stack. Winners were eligible for a $20,000 prize.

On day two, the attack surface was expanded to include browsers, mail applications and other common applications, and the bounty was reduced to $10,000. Contestants on day three will be allowed to attack still more applications, such as Skype, QuickTime and browser plugins for a $5,000 prize.

I wonder if any of our readers are attending CanSecWest, any of you guys there? Having a go at the contest?

I think more things should be organized like this, at the end of it – it really does make all the OSes more secure. Saying that though just because no-one exploited it, doesn’t mean the vulnerability isn’t there and the bad boys aren’t already using it.

It’s been shown before, the underground is always ahead…and a vulnerability with exploit for a fully patched Windows machine is worth way more than $20,000!

Source: The Register

There will be three distinct, yet related, phases to this contest. The first phase will be a hacker challenge, for which anyone can register to participate. The second stage of the contest will be a market (based on the Phase 1 challenge). Participation in this second phase will be by invitation only, based on performance in the first phase. The third phase of the contest will be a more challenging hacker challenge; this phase may or may not be invitation-only. There are opportunities to earn money in all three phases of the contest.

All file downloads and uploads necessary for the contest will be possible after the participant has logged in. The market will also be visible, at the appropriate time, after logging in.

You can read more here.

http://www.hackerchallenge.org/

All payments are in U.S. dollars, and will be made anonymously via PayPal with prizes up to $50,000USD for the three phases.

You can register here.

Chaos Communication Camp 2007 will take place at a brand new location at the Airport Museum Finowfurt, directly at Finow airport. So if you like, you can directly fly to the Camp. You can get to the location easily with a car in the less than 30 minutes starting in Berlin and we will make sure there is a shuttle connection to the next train station.

“In Fairy Dust We Trust!”

CCC 2007 will be held between August 8th and August 12th, 2007.

More info here:

http://events.ccc.de/camp/2007/

The Black & White Ball will be held at the stylish Ministry of Sound venue in London, the date is to be confirmed (but it will be in September).

In security parlance, the terms Black Hat and White Hat refer to hackers on opposite sides of the fence. Black Hat hackers break the law when they hack into computers, they do it for their own personal gain. White Hat hackers are professional hackers who do it for a living, who hack with the knowledge and consent of the computer owners. We named the event the Black & White Ball to describe the unique 2-track conference style of presenting first 2 days of the latest Black Hat techniques and trends, followed by 2 days of the latest White Hat defensive methodologies and policies.

In September 2007, Whitedust will be running the first annual Black & White Ball in London. Presented in a unique two track format, The Ball will run for 4 days – the first two bringing the latest in hacker techniques and attacks, the last two presenting the cutting-edge of security defence mechanisms and strategies.

The Ball will present the latest research in information security, network penetration, malware generation, hacker methodologies, 0-day attacks, forensic and anti-forensic methods. Bringing together the leading minds from both the White Hat sphere (CSO’s, Programmers, Security Architects) and the Black Hat sphere (hackers, crackers, virus writers, digital miscreants), the Ball will provide a unique venue to pit the best of the best against the rest.

You can find a list of speakers here and submit your papers here.

The main site is here:

http://www.theblackandwhiteball.co.uk/

Unfortunately we won’t be able to go, so all the pictures are welcome. (-:

If there’s any missing do let us know.

Recon 2006 – WWW – 16 June to 18 June 2006 – Plaza Hotel Centre-Ville, Montreal, Canada

InfoSecurity Canada 2006 – WWW – 20 June to 21 June 2006 – Metro Toronto Convention Center, Toronto, Canada

HOPE Number Six – WWW – 21 July to 23 July 2006 – Hotel Pennsylvania, New York, USA

Secure Malaysia 2006 – WWW – 24 July to 26 July 2006 – Putra World Trade Centre, Kuala Lumpur, Malaysia

The Third Conference on e-Mail and Anti-Spam – WWW – 27 July to 28 July 2006 – Mountain View, California, USA

Defcon 14 – WWW – 4 August to 6 August 2006 – Riviera Hotel & Casino, Las Vegas, USA

RuxCon 2006 – WWW – 30 September to 1 October 2006 – University of Technology, Sydney, Australia

Mobile Security – WWW – 3 October to 5 October 2006 – Crowne Plaza, St James, London, UK

Infosecurity New York 2006 – WWW – 23 October to 25 October 2006 – Jacob K. Javits Convention Center, New York, USA

You can also visit SecurityPark for a complete list of Information Security events.

SyScan’06 – The Hackers’ Conference, will be held in Singapore from 20th to 21st July 2006. This is the third year running for SyScan.

SyScan’06 Day 1 – 20th July 2006

8:00 a.m. Registration
8:40 a.m. Welcome Speech – Thomas Lim
8:45 am Marc Maiffret – Chief Hacking Officer, eEye – Keynote Speech
9:30 a.m. Paul Craig – Unpacking Malware, Trojans and Worms
10:30 a.m. Coffee and Beer Break
11:00 a.m. Thorsten Holz – Towards Automated Botnet Detection and Mitigation
12:30 a.m. Lunch
1:30 a.m. Enrique Sanchez – I-worm.Fuzzer: A New Propagation Type of Virus
2:30 p.m. Andrew Griffth – Securing Unix/Linux Systems
3:30 p.m. Hendrik Scholz – VoIP Security Issues: Problems on the users’ side and what are the providers doing wrong?
4:30 p.m. Coffee and Beer Break
5:00 p.m. Barnaby Jack – Exploiting Embedded System
6:00 p.m. Alexander Sotirov – Reverse Engineering Microsoft Binaries
7:00 p.m. End of Day 1

SyScan’06 Day 2 – 21st 2006
9:00 a.m. Joachim De Zutter – Feedback Fuzzing
10:00 a.m. Coffee and Beer Break
10:15 a.m. Angelo Rosiello – Writing behind a buffer
11:15 a.m. Andre Protas – Skeleton in Microsoft closet
12:15 p.m. Lunch
1:00 p.m. Nish Bhalla – Binary Analysis, Finding Secret in ISAPIs
2:00 p.m. Marek Bialoglowy – Are You Sure Phone Banking Is Safe?
3:00 p.m. Coffee and Beer Break
3:15 p.m. Fyodor Yarochkin and Meder Kydyraliev – Yet Another Web Application Testing Toolkit
4:15 p.m. Alexander Kornbrust – Oracle Rootkits and Oracle Viruses
5:15 p.m. Coffee and Beer Break
5:30 p.m. Joanna Rutkowska – Subverting Vista Kernel for Fun and Profit
6:30 p.m. Closing Speech and Lucky Draw
7:00 p.m. End of SyScan’06

For more information check here:

http://www.syscan.org/