Google teases hackers with $2 million in prizes, announces Pwnium 2 exploit competition

The folks in Mountain View are starting to make a habit of getting hacked — intentionally, that is. Earlier this year, Google hosted an event at the CanSecWest security conference called Pwnium, a competition that challenged aspiring hackers to poke holes in its Chrome browser. El Goog apparently learned so much from the event that it’s doing it again — hosting Pwnium 2 at the Hack in the Box 10th anniversary conference in Malaysia and offering up to $2 million in rewards. Bugging out the browser by exploiting its own code wins the largest award, a cool $60,000. Enlisting the help of a WebKit or Windows kernel bug makes you eligible for a $50,000 reward, and non-Chrome exploits that rely on a bug in Flash or a driver are worth $40,000. Not confident you can break Chrome? Don’t let that stop you — Google plans to reward incomplete exploits as well, noting that it has plenty to learn from unreliable or incomplete attacks. Check out the Chromium Blog at the source link below for the full details.

Google

Microsoft to malware: your AutoRunning days on Windows are numbered

Beware, malware. The Windows AutoRun updates for Vista and XP SP3 that Microsoft released in February have so far proven successful in thwarting your file corrupting ways. Although Windows 7 was updated to disable AutoPlay within AutoRun for USB drives — freezing the ability for a virus to exploit it — the aforementioned versions had remained vulnerable up until right after January. Fast-forward to the period between February and May of this year, and the updates have reduced the number of incidents by 1.3 million compared to the three months prior for the supported Vista and XP builds. Amazingly, when stacked against May of last year, there was also a 68 percent decline in the amount of incidents reported across all builds of Windows using Microsoft’s Malicious Software Remove Tool. There’s another fancy graph after the break to help illustrate, and you’ll find two more along with a full breakdown by hitting the source link down under.

CNET

Microsoft

Sony Pictures hacked by Lulz Security, 1,000,000 passwords claimed stolen

Oh, Sony — not again. We’ve just received numerous tips that Lulz Security has broken into SonyPictures.com, where it claims to have stolen the personal information of over 1,000,000 users — all stored (disgracefully) in plain text format. Lulz claims the heist was performed with a simple SQL injection — just like we saw the last time around. A portion of the group’s exploit is posted online in a RAR file, which contains over 50,000 email / password combos of unfortunate users. We’ve downloaded this file (at our own risk, mind you) and can verify these sensitive bits are now in the wild, though it remains unclear if what’s published matches reality. In addition to user information, the group has blurted out over 20,000 Sony music coupons, and the admin database (including email addresses and passwords) for BMG Belgium employees. Fresh off the heels of the PlayStation Network restoration, we’re guessing the fine folks in Sony’s IT department are now surviving solely on adrenaline shots.

iPad 2 jailbroken, no ETA on public release

You knew this was coming — it was only a matter of time — and here it is, Apple’s latest creation sans the iOS 4.3 chains. The development community credits @comex with installing Cydia on this white iPad 2, and he’s apparently already hard at work on a public jailbreak. According to his Twitter feed, the hack required a brand new exploit, as previous bugs were squashed in iOS 4.3. We’ll keep you posted on when the hack’s ready for you to use, too.