[ISN] Laptop, complete with Vista attack code, listed on eBay

From: InfoSec News (alerts@private)
Date: Tue Apr 01 2008 - 00:23:55 PST


http://www.networkworld.com/news/2008/040108-laptop-complete-with-vista-attack.html

[Just as I was getting ready to send this, eBay pulled the auction. For 
the record, I did bid $200.01 hoping for a real good deal on a laptop. :)  - WK] 


By Robert McMillan 
IDG News Service 
04/01/2008

The winner of a recent hacking contest is offering the computer he broke 
into for sale on eBay, possibly with the Microsoft Vista attack code he 
used intact.

In a Monday listing [1], Shane Macaulay is selling the Fujitsu U810 
laptop he won last Friday during the CanSecWest PWN 2 OWN [2] contest. 
His listing claims that exploit code could probably still be extracted 
from the machine. Although he makes no guarantees, he wrote, "My 
successfull [sic] exploitation of Vista SP1 remotely, is most likely 
still present."

"This laptop is a good case study for any forensics 
group/company/individual that wants to prove how cool they are, and a 
live example, not canned of what a typical incident responce sitchiation 
[sic] would look like."

Starting bid? $0.01.

Macaulay, a researcher with the Security Objectives consultancy, claims 
that his Adobe Flash exploit will affect 90 percent of computers 
worldwide.

He was one of two hackers to claim laptops and cash prizes for 
penetrating systems during last week's contest. Organizers offered 
Vista, Mac OS, and Linux-based laptops for the taking, along with prizes 
that varied from $5,000 to $20,000, depending on the difficulty of the 
exploit. By Friday, however, only the Linux laptop remained unbreached.

Although he listed his laptop just hours before April 1, a date that is 
usually met with widespread Internet pranking, Macaulay said the listing 
is no joke. According to him, he's simply looking to see what an 
unpatched exploit might fetch in the open market. "I figure this is a 
good way to see... [what] an exploit for something that only a limited 
amount of people know about, is worth," he said in an e-mail interview.

"The system was delivered to me as my prize. I'm free to use it as I see 
fit," he added.

One hacker who knows Macaulay said that the April 1 listing is "a bit 
coincidental," but that he may not be worried about forfeiting the 
$5,000 in prize money TippingPoint paid him for his hack. "He makes good 
money," said Marc Maiffret, an independent security researcher, in an 
instant message interview. "It's all just funny to him."

If he's not playing an April Fool's joke, Macaulay may be running afoul 
of the PWN 2 OWN contest rules, which prohibit disclosure of bug 
information prior to a patch. He may also be violating eBay's user 
agreement [3], which says that users may not "distribute viruses or any 
other technologies that may harm eBay, or the interests or property of 
eBay users."

Macaulay had some funny answers when asked about these issues.

On the eBay terms of service problem, he said that he knew "some 
highups," at the company and was "confident, when I speak with eBay they 
will grant me a waiver."

And does TippingPoint know about what he's doing? "I believe at some 
level," he answered. "I'm sure things might change as the word 
percolates to the executives. Maybe I shouldn't have sold the 
[TippingPoint] bag with the laptop!!"

The IDG News Service is a Network World affiliate.

All contents copyright 1995-2008 Network World, Inc

[1] http://cgi.ebay.ca/ws/eBayISAPI.dll?ViewItem&item=280214168502
[2] http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up
[3] http://pages.ebay.com/help/policies/user-agreement.html

