Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
This Year's Pwn2Own Hackfest Will Offer Up to $2 Million in Rewards
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:19:43 PM
$2M?
This is good in my view, contesters may identify unknow vulnerability, I am glad Microsoft is part of it.

 
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/29/2018 | 11:07:58 AM
Re: The rewards of virtue?
@JoeS: Could well be - but possibilities, probabilities and particulars of the M/S issue don't change the fact that we have greatly expanded, and motivated, sets of eyes examining functional code, looking for ways it could be used perversely.  That "...multiple different groups of researchers had independently discovered those flaws all around the same time...", only reinforces that point.  

Yes, that some dark intentioned individual or entity had discovered the opportunity is possible; and if they have/are/plan to use it, the strong probability is that they wouldn't be obvious about it.  Also, if they found it, they must have had an incentive to look for something like it - and they could only have been encouraged in their efforts by similar "successes" in finding vulnerabilities by others.

Probabilities aside, the vulnerability underlying M/S was found and made known by researchers.  That they were well intentioned doesn't alter the fact that the results have been disruptive and costly.  The intent of the researchers has proven as irrelevant as that of programmers and chip designers. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/28/2018 | 7:43:49 PM
Re: The rewards of virtue?
@BrianN: Actually, multiple different groups of researchers had independently discovered those flaws all around the same time, as Wired recently wrote about (along with the general phenomenon). This strongly suggests either that (1) at least some malfeasor(s) out there had already discovered it or (2) there was a substantial probability that "bad guys" were about to discover it anyway.
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/28/2018 | 11:18:47 AM
The rewards of virtue?
Perhaps too many are missing the point: intent doesn't exist in code or circuitry, any more than there's an intrinsic difference between instructions and data in binary sequences - it was that realization that enabled a quantum step forward in digital processing.  It was that same realization that gave bad actors the idea to hide malicious code in digital images, or other "data values".

Malware is just software - which can be used to do bad things; and what's bad or good will always be a judgement call. 

With bug-bounties, and hackfests, you're offering rewards (money or status), for finding new ways to refactor the code/data that exists and is necessary for the functionality of processors, operating systems and application software - ways to turn that functionality against us. 

That rewards have been issued in the past confirms that that there were latent opportunities for malware discovered; and we have every reason to believe that more will be discovered, as pursuits and pursuers become more numerous and capable. 

Of course, the expectation is that vulnerabilities will be uncovered by the good guys; and closed before the bad guys can exploit them.  But consider what happens when the discoveries leak out before the mitigations and fixes are ready; with systems that aren't (can't/won't be), updated; with vulnerabilities within intrinsic functionality of underlying processes; or all of the above - as is the case with the Meltdown/Spectre vulnerabilities, which had lain undiscovered and unexploited until....
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2018 | 4:55:21 PM
Re: Exploit hunting for fun and profit?
@Brian: More lamentably, remember Easter Eggs? They are not often to be found anymore -- and Microsoft reportedly did away with them in Office, etc. -- because of security woes.

My favorite, I think, was one in SimCity 2000 that resulted in a very excellent (IMHO) joke being scrolled up the screen.
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/26/2018 | 3:52:53 PM
Exploit hunting for fun and profit?
Remember when  a programming "bug" was first rebranded as "an undocumented feature"?  That was a clever way to spin a half-truth.  Neither hardware nor software know anything of intentions; they mechanically follow the logic of their design - not the logic (valid or otherwise), of their designers.

Without denying the positives of cybersecurity research (and researchers), we should also look at the negative consequences, both realized and unanticipated. 

Bug hunters aren't looking for a programming mistake that renders some text pink rather than red; they are looking for either unintended functionality, or combinations of purposed features, which might be used by those with bad intensions - in other words: they are looking for the exploitable.  Is it always a good thing, that they find it? 
<<   <   Page 2 / 2


News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23371
PUBLISHED: 2021-04-12
This affects the package chrono-node before 2.2.4. It hangs on a date-like string with lots of embedded spaces.
CVE-2020-24285
PUBLISHED: 2021-04-12
INTELBRAS TELEFONE IP TIP200 version 60.61.75.22 allows an attacker to obtain sensitive information through /cgi-bin/cgiServer.exx.
CVE-2021-29379
PUBLISHED: 2021-04-12
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered on D-Link DIR-802 A1 devices through 1.00b05. Universal Plug and Play (UPnP) is enabled by default on port 1900. An attacker can perform command injection by injecting a payload into the Search Target (ST) field of the SSDP M-SEARCH discover pa...
CVE-2015-20001
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
CVE-2020-36317
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...