HackInTheBox
Latest
Hacker claims he can remotely hijack airplanes using an Android app
Hugo Teso, a security consultant who also happens to be a trained commercial pilot, says he's developed an Android app that can make an airliner "dance to his tune" by attacking its flight management systems. The hack was demoed at this year's Hack In The Box conference in Amsterdam, where Teso showed how the app -- called PlaneSploit -- can seek out targets from the ground by infiltrating radio broadcasts between aircraft and air traffic control, and then use a second communication system to send malicious messages to that could "take full control of the plane" or indirectly affect the pilot's behavior. PlaneSploit is proof-of-concept software, designed to work in a closed virtual environment, so it's not like we're going to see it pop up on Google Play any time soon, but just the fact it exists will hopefully help to keep the puppet masters out of real-world planes. And no, there's no Windows Phone version.
Google patches SVG and IPC exploits in Chrome, discoverer banks $60,000 in the process
Google revels in hacking contests as ways of testing Chrome's worth. Even if the browser is compromised, the failure provides a shot at fixing an exploit under much safer circumstances than an in-the-wild attack. No better example exists than the results of Google's Pwnium 2 challenge in Malaysia: the company has already patched vulnerabilities found in the contest that surround SVG images and IPC (inter-process communication) before they become real problems. Staying one step ahead of truly malicious hackers carries a price, however. Pwnium 2 winner Pinkie Pie -- yes, Pinkie Pie -- is being paid $60,000 in prize money for catching the exploits. That may be a small price to pay if it reassures a few more Internet Explorer users looking to hop the fence.
Google teases hackers with $2 million in prizes, announces Pwnium 2 exploit competition
The folks in Mountain View are starting to make a habit of getting hacked -- intentionally, that is. Earlier this year, Google hosted an event at the CanSecWest security conference called Pwnium, a competition that challenged aspiring hackers to poke holes in its Chrome browser. El Goog apparently learned so much from the event that it's doing it again -- hosting Pwnium 2 at the Hack in the Box 10th anniversary conference in Malaysia and offering up to $2 million in rewards. Bugging out the browser by exploiting its own code wins the largest award, a cool $60,000. Enlisting the help of a WebKit or Windows kernel bug makes you eligible for a $50,000 reward, and non-Chrome exploits that rely on a bug in Flash or a driver are worth $40,000. Not confident you can break Chrome? Don't let that stop you -- Google plans to reward incomplete exploits as well, noting that it has plenty to learn from unreliable or incomplete attacks. Check out the Chromium Blog at the source link below for the full details.
Hack in the Box conference features iPhone Dev Team
Turns out there are awesome conferences all over the world, and the hotness of mobile has only increased the number of quality get-togethers out there. Case in point: Hack in the Box, currently underway in Amsterdam. Learn more about the conference here or check out the agenda here. Friday May 25 is a presentation by the Dream Team, but today was a presentation by MuscleNerd about the evolution of the iPhone baseband and unlocks. Cool stuff if you're into security or the mechanisms behind unlocking an iPhone.
New Windows 7 hack purports to be "unfixable"
A hack that's "unfixable" is a pretty bold claim, but that's just what researchers Vipin Kumar and Nitin Kumar have announced at the now-happening Hack in the Box security conference, and they seem ready to back it up. Apparently, they've devised a means to gain control of a Windows 7 computer during the boot up process though the use of a tiny 3KB program dubbed VBootkit 2.0 (a follow-up to a similar Vista hack), which loads itself into the system memory and bypasses the hard drive altogether, making it extremely difficult to detect. Once loaded, an ill-intentioned individual could potentially change passwords, access protected files, or do just about anything else and then leave without a trace. The one fairly big drawback to the hack, however, and upside for most users, is that it can't be performed remotely, so it'll likely only be a significant concern for businesses or other folks using computers in public places -- unless, of course, Microsoft finds a way to fix the "unfixable."[Via Electronista]
Researcher claims to have discovered universal attack code for Intel chips: no one is safe
Also, he says he found Intel's diary and is totally telling everybody about that one thing. But seriously, we think Kris Kaspersky is being a bit of a tease here. He claims to have found a flaw in Intel's processors that would allow a hacker to bust up on a computer using JavaScript or TCP/IP, with no regard for what operating system the computer is running... only he won't say what it is. He's planning on unveiling the attack at the Hack In The Box conference in Malaysia this October, where he says he'll show working code that can take control of computers, all of which he plans to release publicly. The attack takes advantage of known errata in chips, which most vendors have a workaround for in BIOS, but not all. XP, Vista, Linux, BSD and Mac operating systems are all vulnerable, so we all get to run around panicking until October -- unless somebody figures it out first.
