Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
This Year's Pwn2Own Hackfest Will Offer Up to $2 Million in Rewards
Threaded  |  Newest First  |  Oldest First
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/26/2018 | 3:52:53 PM
Exploit hunting for fun and profit?
Remember when  a programming "bug" was first rebranded as "an undocumented feature"?  That was a clever way to spin a half-truth.  Neither hardware nor software know anything of intentions; they mechanically follow the logic of their design - not the logic (valid or otherwise), of their designers.

Without denying the positives of cybersecurity research (and researchers), we should also look at the negative consequences, both realized and unanticipated. 

Bug hunters aren't looking for a programming mistake that renders some text pink rather than red; they are looking for either unintended functionality, or combinations of purposed features, which might be used by those with bad intensions - in other words: they are looking for the exploitable.  Is it always a good thing, that they find it? 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2018 | 4:55:21 PM
Re: Exploit hunting for fun and profit?
@Brian: More lamentably, remember Easter Eggs? They are not often to be found anymore -- and Microsoft reportedly did away with them in Office, etc. -- because of security woes.

My favorite, I think, was one in SimCity 2000 that resulted in a very excellent (IMHO) joke being scrolled up the screen.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:27:40 PM
Re: Exploit hunting for fun and profit?
"Exploit hunting for fun and profit? "

This would be a good thing I would say, both earing money and having fun.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:21:31 PM
Re: Exploit hunting for fun and profit?
"Remember when  a programming "bug" was first rebranded as "an undocumented feature"?  That was a clever way to spin a half-truth"

I hear you. If it was a TDD approach, bug may be considered a featuire. :--))
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:23:12 PM
Re: Exploit hunting for fun and profit?
"Without denying the positives of cybersecurity research (and researchers), we should also look at the negative consequences, both realized and unanticipated. "

What type of negative consequences could there be?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:24:16 PM
Re: Exploit hunting for fun and profit?
" other words: they are looking for the exploitable.  Is it always a good thing, that they find it? "

I see, I say yes, it is better to find it as early as possible.
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/28/2018 | 11:18:47 AM
The rewards of virtue?
Perhaps too many are missing the point: intent doesn't exist in code or circuitry, any more than there's an intrinsic difference between instructions and data in binary sequences - it was that realization that enabled a quantum step forward in digital processing.  It was that same realization that gave bad actors the idea to hide malicious code in digital images, or other "data values".

Malware is just software - which can be used to do bad things; and what's bad or good will always be a judgement call. 

With bug-bounties, and hackfests, you're offering rewards (money or status), for finding new ways to refactor the code/data that exists and is necessary for the functionality of processors, operating systems and application software - ways to turn that functionality against us. 

That rewards have been issued in the past confirms that that there were latent opportunities for malware discovered; and we have every reason to believe that more will be discovered, as pursuits and pursuers become more numerous and capable. 

Of course, the expectation is that vulnerabilities will be uncovered by the good guys; and closed before the bad guys can exploit them.  But consider what happens when the discoveries leak out before the mitigations and fixes are ready; with systems that aren't (can't/won't be), updated; with vulnerabilities within intrinsic functionality of underlying processes; or all of the above - as is the case with the Meltdown/Spectre vulnerabilities, which had lain undiscovered and unexploited until....
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/28/2018 | 7:43:49 PM
Re: The rewards of virtue?
@BrianN: Actually, multiple different groups of researchers had independently discovered those flaws all around the same time, as Wired recently wrote about (along with the general phenomenon). This strongly suggests either that (1) at least some malfeasor(s) out there had already discovered it or (2) there was a substantial probability that "bad guys" were about to discover it anyway.
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/29/2018 | 11:07:58 AM
Re: The rewards of virtue?
@JoeS: Could well be - but possibilities, probabilities and particulars of the M/S issue don't change the fact that we have greatly expanded, and motivated, sets of eyes examining functional code, looking for ways it could be used perversely.  That "...multiple different groups of researchers had independently discovered those flaws all around the same time...", only reinforces that point.  

Yes, that some dark intentioned individual or entity had discovered the opportunity is possible; and if they have/are/plan to use it, the strong probability is that they wouldn't be obvious about it.  Also, if they found it, they must have had an incentive to look for something like it - and they could only have been encouraged in their efforts by similar "successes" in finding vulnerabilities by others.

Probabilities aside, the vulnerability underlying M/S was found and made known by researchers.  That they were well intentioned doesn't alter the fact that the results have been disruptive and costly.  The intent of the researchers has proven as irrelevant as that of programmers and chip designers. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 7:04:16 PM
Re: The rewards of virtue?
"Probabilities aside, the vulnerability underlying M/S was found and made known by researchers.  That they were well intentioned doesn't alter the fact that the results have been disruptive and costly"

This makes sense. Maybe software vendors should be hold more accountable.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 7:01:50 PM
Re: The rewards of virtue?
"there was a substantial probability that "bad guys" were about to discover it anyway."

I would agree with this. Bad guys have more incentive than good guys.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/29/2018 | 11:11:31 PM
Re: The rewards of virtue?
@Dr.T: Is that necessarily so, though?

Depends on the bad guy. Your run-of-the-mill thief deals with volume -- and is therefore looking for low-hanging fruit. A nation-state, on the other hand, operates under an entirely different "business model" -- and therefore has both the incentive and the resources to do this kind of in-depth research.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:55:14 PM
Re: The rewards of virtue?
"Malware is just software - which can be used to do bad things; and what's bad or good will always be a judgement call. "

I say intention is important. If it tries to hurt people than it is bad.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:57:30 PM
Re: The rewards of virtue?
"But consider what happens when the discoveries leak out before the mitigations and fixes are ready"

This is a good point. We would want to avoid this part of it one way or another.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:59:14 PM
Re: The rewards of virtue?
"the case with the Meltdown/Spectre"

my understanding is that Intel got enough time to fix the bug, they were not quick enough.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:19:43 PM
$2M?
This is good in my view, contesters may identify unknow vulnerability, I am glad Microsoft is part of it.

 


Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18954
PUBLISHED: 2019-11-14
Pomelo v2.2.5 allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious at...
CVE-2019-3640
PUBLISHED: 2019-11-14
Unprotected Transport of Credentials in ePO extension in McAfee Data Loss Prevention 11.x prior to 11.4.0 allows remote attackers with access to the network to collect login details to the LDAP server via the ePO extension not using a secure connection when testing LDAP connectivity.
CVE-2019-3661
PUBLISHED: 2019-11-14
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to execute database commands via carefully constructed time based payloads.
CVE-2019-3662
PUBLISHED: 2019-11-14
Path Traversal: '/absolute/pathname/here' vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to gain unintended access to files on the system via carefully constructed HTTP requests.
CVE-2019-3663
PUBLISHED: 2019-11-14
Unprotected Storage of Credentials vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows local attacker to gain access to the root password via accessing sensitive files on the system.