Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
This Year's Pwn2Own Hackfest Will Offer Up to $2 Million in Rewards
Threaded  |  Newest First  |  Oldest First
BrianN060
50%
50%
BrianN060,
 User Rank: Ninja
1/26/2018 | 3:52:53 PM
Exploit hunting for fun and profit?
Remember when  a programming "bug" was first rebranded as "an undocumented feature"?  That was a clever way to spin a half-truth.  Neither hardware nor software know anything of intentions; they mechanically follow the logic of their design - not the logic (valid or otherwise), of their designers.

Without denying the positives of cybersecurity research (and researchers), we should also look at the negative consequences, both realized and unanticipated. 

Bug hunters aren't looking for a programming mistake that renders some text pink rather than red; they are looking for either unintended functionality, or combinations of purposed features, which might be used by those with bad intensions - in other words: they are looking for the exploitable.  Is it always a good thing, that they find it? 
Joe Stanganelli
50%
50%
Joe Stanganelli,
 User Rank: Ninja
1/26/2018 | 4:55:21 PM
Re: Exploit hunting for fun and profit?
@Brian: More lamentably, remember Easter Eggs? They are not often to be found anymore -- and Microsoft reportedly did away with them in Office, etc. -- because of security woes.

My favorite, I think, was one in SimCity 2000 that resulted in a very excellent (IMHO) joke being scrolled up the screen.
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/29/2018 | 6:27:40 PM
Re: Exploit hunting for fun and profit?
"Exploit hunting for fun and profit? "

This would be a good thing I would say, both earing money and having fun.
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/29/2018 | 6:21:31 PM
Re: Exploit hunting for fun and profit?
"Remember when  a programming "bug" was first rebranded as "an undocumented feature"?  That was a clever way to spin a half-truth"

I hear you. If it was a TDD approach, bug may be considered a featuire. :--))
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/29/2018 | 6:23:12 PM
Re: Exploit hunting for fun and profit?
"Without denying the positives of cybersecurity research (and researchers), we should also look at the negative consequences, both realized and unanticipated. "

What type of negative consequences could there be?
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/29/2018 | 6:24:16 PM
Re: Exploit hunting for fun and profit?
" other words: they are looking for the exploitable.  Is it always a good thing, that they find it? "

I see, I say yes, it is better to find it as early as possible.
BrianN060
50%
50%
BrianN060,
 User Rank: Ninja
1/28/2018 | 11:18:47 AM
The rewards of virtue?
Perhaps too many are missing the point: intent doesn't exist in code or circuitry, any more than there's an intrinsic difference between instructions and data in binary sequences - it was that realization that enabled a quantum step forward in digital processing.  It was that same realization that gave bad actors the idea to hide malicious code in digital images, or other "data values".

Malware is just software - which can be used to do bad things; and what's bad or good will always be a judgement call. 

With bug-bounties, and hackfests, you're offering rewards (money or status), for finding new ways to refactor the code/data that exists and is necessary for the functionality of processors, operating systems and application software - ways to turn that functionality against us. 

That rewards have been issued in the past confirms that that there were latent opportunities for malware discovered; and we have every reason to believe that more will be discovered, as pursuits and pursuers become more numerous and capable. 

Of course, the expectation is that vulnerabilities will be uncovered by the good guys; and closed before the bad guys can exploit them.  But consider what happens when the discoveries leak out before the mitigations and fixes are ready; with systems that aren't (can't/won't be), updated; with vulnerabilities within intrinsic functionality of underlying processes; or all of the above - as is the case with the Meltdown/Spectre vulnerabilities, which had lain undiscovered and unexploited until....
Joe Stanganelli
50%
50%
Joe Stanganelli,
 User Rank: Ninja
1/28/2018 | 7:43:49 PM
Re: The rewards of virtue?
@BrianN: Actually, multiple different groups of researchers had independently discovered those flaws all around the same time, as Wired recently wrote about (along with the general phenomenon). This strongly suggests either that (1) at least some malfeasor(s) out there had already discovered it or (2) there was a substantial probability that "bad guys" were about to discover it anyway.
BrianN060
50%
50%
BrianN060,
 User Rank: Ninja
1/29/2018 | 11:07:58 AM
Re: The rewards of virtue?
@JoeS: Could well be - but possibilities, probabilities and particulars of the M/S issue don't change the fact that we have greatly expanded, and motivated, sets of eyes examining functional code, looking for ways it could be used perversely.  That "...multiple different groups of researchers had independently discovered those flaws all around the same time...", only reinforces that point.  

Yes, that some dark intentioned individual or entity had discovered the opportunity is possible; and if they have/are/plan to use it, the strong probability is that they wouldn't be obvious about it.  Also, if they found it, they must have had an incentive to look for something like it - and they could only have been encouraged in their efforts by similar "successes" in finding vulnerabilities by others.

Probabilities aside, the vulnerability underlying M/S was found and made known by researchers.  That they were well intentioned doesn't alter the fact that the results have been disruptive and costly.  The intent of the researchers has proven as irrelevant as that of programmers and chip designers. 
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/29/2018 | 7:04:16 PM
Re: The rewards of virtue?
"Probabilities aside, the vulnerability underlying M/S was found and made known by researchers.  That they were well intentioned doesn't alter the fact that the results have been disruptive and costly"

This makes sense. Maybe software vendors should be hold more accountable.
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/29/2018 | 7:01:50 PM
Re: The rewards of virtue?
"there was a substantial probability that "bad guys" were about to discover it anyway."

I would agree with this. Bad guys have more incentive than good guys.
Joe Stanganelli
50%
50%
Joe Stanganelli,
 User Rank: Ninja
1/29/2018 | 11:11:31 PM
Re: The rewards of virtue?
@Dr.T: Is that necessarily so, though?

Depends on the bad guy. Your run-of-the-mill thief deals with volume -- and is therefore looking for low-hanging fruit. A nation-state, on the other hand, operates under an entirely different "business model" -- and therefore has both the incentive and the resources to do this kind of in-depth research.
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/29/2018 | 6:55:14 PM
Re: The rewards of virtue?
"Malware is just software - which can be used to do bad things; and what's bad or good will always be a judgement call. "

I say intention is important. If it tries to hurt people than it is bad.
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/29/2018 | 6:57:30 PM
Re: The rewards of virtue?
"But consider what happens when the discoveries leak out before the mitigations and fixes are ready"

This is a good point. We would want to avoid this part of it one way or another.
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/29/2018 | 6:59:14 PM
Re: The rewards of virtue?
"the case with the Meltdown/Spectre"

my understanding is that Intel got enough time to fix the bug, they were not quick enough.
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/29/2018 | 6:19:43 PM
$2M?
This is good in my view, contesters may identify unknow vulnerability, I am glad Microsoft is part of it.

 


10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Here’s some insight on what's working – and what isn't – in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13611
PUBLISHED: 2019-07-16
An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.
CVE-2019-0234
PUBLISHED: 2019-07-15
A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of ...
CVE-2018-7838
PUBLISHED: 2019-07-15
A CWE-119 Buffer Errors vulnerability exists in Modicon M580 CPU - BMEP582040, all versions before V2.90, and Modicon Ethernet Module BMENOC0301, all versions before V2.16, which could cause denial of service on the FTP service of the controller or the Ethernet BMENOC module when it receives a FTP C...
CVE-2019-6822
PUBLISHED: 2019-07-15
A Use After Free: CWE-416 vulnerability exists in Zelio Soft 2, V5.2 and earlier, which could cause remote code execution when opening a specially crafted Zelio Soft 2 project file.
CVE-2019-6823
PUBLISHED: 2019-07-15
A CWE-94: Code Injection vulnerability exists in ProClima (all versions prior to version 8.0.0) which could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.