Showing posts with label Mobile Tech. Show all posts

Saturday, March 21, 2009

The holy grail at security conference

VANCOUVER, B.C.--That innocent-looking mobile phone you use to call your mother and check e-mail represents the next frontier for malicious hackers, though it eluded researchers who stood to earn $10,000 for exploiting a smartphone at the CanSecWest security conference this week.

TippingPoint Technologies, which sponsors a Pwn2Own hacking contest each year at the event, was offering the prize money for each successful exploit of an iPhone, BlackBerry, and phones running Google's Android, Windows Mobile, and Symbian operating systems.

Researcher Dino Dai Zovi, on the left, discovered a vulnerability in QuickTime and won the Pwn2Own contest at CanSecWest two years ago, participating remotely by having a friend act on his behalf. At this year's show, he served as a proxy for a researcher in Italy who was participating in the contest remotely, trying to exploit a Symbian-based smartphone. The exploit attempt failed, and no one won the $10,000 smartphone exploit prize. Next to him is TippingPoint security researcher Aaron Portnoy.

(Credit: Elinor Mills/CNET News)

On Friday, a researcher in Italy wanted to participate in the contest remotely and was told he had to find someone at the show to serve as his proxy and physically use the mobile device to surf to the site where the malicious code is located. He found a proxy, but the exploit attempted on a Nokia phone running Symbian failed. Another researcher had tried to exploit the Symbian and BlackBerry systems on Thursday but failed.

Much of the first day of the three-day event on Wednesday was devoted to mobile security. Dragos Ruiu, who first organized CanSecWest 10 years ago, said he wanted to focus on mobile this year because of the ubiquity of the devices and the increasing risk they pose to information security.

"I carry two phones at any one time," he said, pointing to one in his pants pocket and another in his jacket pocket. "And now, they are more capable computers."

Ruiu wasn't sure why the mobile devices hadn't been hacked, while a similar browser-hacking contest had seen the major browsers exploited on the first day of the conference. "Maybe they are too bleeding-edge; maybe they are just difficult to develop exploits for," he said of the mobile platforms. "It's good news."

In an informal survey, attendees said they suspected that researchers were just being lazy in not turning their attention to mobile attacks at the show.

"Mobile-phone research is an emerging field," said Aaron Portnoy, a security researcher at TippingPoint. "Not many people have the prerequisite knowledge to exploit them, nor do they have an exploit prepared."

Things will undoubtedly be different by next year's CanSecWest, he said, adding that already, there are mobile exploits in the wild.

"There's a lot we don't know yet about them," said Charlie Miller, who exploited the Safari browser in about 10 seconds on Wednesday, winning $5,000 and the MacBook Pro used to perform the feat. (The other major browsers were exploited shortly thereafter.)

"They are all different platforms, different hardware," he said, adding that "there's a learning curve associated with it."

In his presentation on security in Google's Android mobile platform, University of Michigan graduate student Jon Oberheide said the code in mobile software is newer than that found on the desktop and less robust against attacks. Attackers aren't really targeting it yet because mobile phones aren't seen as being much use for sending spam and launching denial-of-service attacks; however, they are good for attacks targeted at individuals, he said.

Oberheide said smartphones are at risk of a man-in-the-middle type of attack in which a malicious attacker could interfere with data communications between the device and a trusted Web server. For instance, an attacker could send a spoof message saying an update for a Facebook app is available and instead send malicious code, he said.

In a presentation titled "The Smart-Phones Nightmare," researcher Sergio Alvarez pointed out all the different attack vectors for mobile devices, including e-mail, attachments, Web pages, SMS, MMS, Facebook, Wi-Fi, and Bluetooth.

Saturday, March 14, 2009

Microsoft Opens Blinds on Windows Mobile App Store

Microsoft has offered more detailed information about how it will manage its upcoming mobile application store. Developers' fee structures were detailed, as were revenue-sharing models -- a 70/30 split, just like Apple's mobile app structure. It also promised a great deal of transparency about what types of applications would be allowed to distribute through the store.

Microsoft (Nasdaq: MSFT) on Wednesday revealed more details about how its upcoming Windows Marketplace for Mobile app store will work and its strategy for luring more developers to the Windows Mobile platform.

The software giant will give developers a 70 percent cut of all sales generated by their applications on the new app store -- the same percentage that Apple (Nasdaq: AAPL) gives to app developers for the popular iPhone.

Microsoft will also "provide transparency throughout the certification process of each app submitted" as well as "guidance and support from the stage of development to the final sale to the consumer," the company said.

Developers will set the prices for their applications and can also choose to distribute their applications at no cost. In other words, the new Windows Mobile app store isn't the only place where developers can sell their wares.

Microsoft will charge a US$99 annual registration fee to developers who want to submit their applications for sale on the new app store. The first five application submissions to Windows Marketplace for Mobile are included in the introductory fee. Each additional submission within the annual period will cost $99.

Microsoft's stock was up 1.82 percent to $16.78 per share in mid-day trading on Wednesday.

YouTube vs. Royalties, Spy vs. Spy, Dell vs. a Firehose

YouTube, UK royalties agency get into it ... U.S. Cybersecurity czar takes a hike ... Dell rolls out rugged laptop ... Google tries out expanding advertisements ... sheriff sues Craigslist over prostitution ... Google's Schmidt denies interest in Twitter purchase, and more.

MTV pretty much gave up on music years ago in order to concentrate on how many different variations of "The Real World" and "Road Rules" it could squeeze out. But YouTube has largely picked up MTV's slack -- type in just about any video you want to see, and Google's (Nasdaq: GOOG) sharing site will play it for you.

Or perhaps not, if you're living in the UK. YouTube is in a legal standoff with PRS for Music, a UK outfit that collects royalties for musical artists.

YouTube says PRS wants it to pay too much money each time users click on a music video of one of their artists. It also alleges that the arrangement PRS has proposed wouldn't even specify which songs would be included in each license it wants to sell. The deadlock's been going on for months, and YouTube has finally crimped the hose -- no more music videos for UK viewers.

They'll have to resort to music videos the old-fashioned way, which involves holding your breath and spinning in circles while listening to a tune. Works every time, and it's usually just as good.