Tag Archives: Pwn2Own

Security News for the Week Ending November 15, 2019

Bugcrowd Paid Over $500,000 in Bug Bounties in Just One Week

Bugcrowd, the crowd-sourced bug bounty management company, paid out over $500,000 in just one week for bugs that researchers found and paid out $1.6 million in October to over 550 hackers, representing 1,800 submissions.  Of those, 327 were categorized as priority 1.  These payouts are an additional way for companies to do software testing beyond what they do internally.   Since only a small percentage of companies pay bug bounties, how many other software platforms still have unfound major bugs because the researchers go where the money is?  Source: Bleeping Computer.

 

National Privacy Bill Introduced

I may have to eat these words.  But I doubt it will become law.  HR 4978, the Online Privacy Act, has been introduced.

The sponsors says it is to address the appalling lack of digital privacy rights in the U.S. due, they say, to the U.S. being in the pockets of the marketing lobbies that have a vested interest in not protecting your privacy rights because they profit from selling your data.

You, of course, get “free” services because you are the product.

The bill would create a U.S. Digital Privacy Agency and give you rights similar to what Europeans and residents of many other countries already have.  Any bets on whether it becomes law?  Source: The Internet Patrol.

 

Bug Hunters Earn $195,000 for Hacking TVs, Phones and Routers

White Hat hackers at Pwn2Own Tokyo earned a total of $195,000 in just the first day of the event.   They successfully hacked a Sony TV, an Amazon Echo, a Samsung TV and other “IoT” devices.  Just shows that IoT devices are not so secure.  Source: Security Week

 

Court Rules The Fourth Amendment Applies, Even to the Government

A Massachusetts court  has ruled Customs and ICE Need “reasonable suspicion” before searching a citizen’s computer or phone at the border.  This is, over course, the complete opposite of what Customers and ICE currently do, which is that they can search anything, any time for any reason.  The case is likely to be appealed to the Supremes, so stay tuned.  Source:  The Register

 

Trusted Platform Module (TPM) Fails with TPM-Fail Attack

The TPM is supposed to be a vault that protects your encryption keys, but researchers have found two new vulnerabilities that allow attackers to gain access to those keys. Practical attacks show that they have been able to recover encryption keys from the TPM in as little as 3 minutes, depending on the key type.  Not only does this affect computers, but it also affects many IoT devices that have security.  There are patches available from the TPM vendors.  Source: Bleeping Computer.

VMware Escape Nets Researcher $105,000

We think of a virtual machine as a way to isolate one system from another and, in general, it works well.  But not always.

Pwn2Own is a hacking contest that is part of the CanSecWest security conference in Vancouver, BC, Canada.

This year researchers who were members of Qihoo 360’s security team figured out a way to exploit a heap overflow bug in the Microsoft Edge browser.  Using that, they were able to execute code in the browser that allowed them to exploit a Windows 10 bug to escape the Edge sandbox.

But they weren’t done yet.

Finally, they exploited a hardware simulation bug in VMware to escape from the virtual machine completely and get down to the host hypervisor.

All of this started with visiting a website.

Obviously, the affected vendors will be issuing patches for all these bugs, but it points to the fact – and it is a fact – that nothing is bulletproof, only bullet resistant.

That means that you need to be smart in segmenting workloads on VM hosts (that means any VM hypervisor – VMWare, HyperV, Openbox, etc.).

To the degree that you can implement micro segmentation, that should be your goal.  Micro segmentation allows you to create many network segments, not just a couple, or one.

Then you need to make sure that you only place compatible workloads on the same host.  If you combine micro segmentation with smart virtual load management, you make your environment as secure as you can in the case of a virtual machine escape.

The folks that engineered this attack won a prize of $105,000.  Before you think that they got all that money for a few hours of work, many times the researchers work on these attacks for a year (starting right after the last Pwn2Own) and then release them at the next hack-fest.

This year Pwn2Own distributed more than a half million dollars of prize money.  That is a lot of motivation for researchers.

The only question is whether I.T. security engineers are smart enough to use the results of Pwn2Own to reconsider how they are engineering their workloads.  Doing that reengineering is a lot of work, but modern day hypervisors allow companies to easily move loads, sometimes with no downtime at all.

Information for this post came from Ars Technica.