March 16, 2013
It might seem strange, but every year in a venue in Vancouver, computer security researchers encourage hackers to exploit vulnerabilities in Google Chrome. The first person (or team) to successfully exploit the browser gets $100,000. But why? And is it legal?
The answer is yes – it’s both legal and encouraged at CanSecWest, in an event called Pwn2Own. In fact, it’s not only Chrome that has a potential big-money payoff. If you’re the first person to crack Internet Explorer 10 you’ll also get $100,000, while exploiting IE 9 offers $75,000, Firefox $60,000 and Safari $65,500.
Web browser plug-ins like Adobe Reader, Flash and Java also offer payouts if they are compromised. Somewhat ironically, Java, the software that has received a lot of media attention for being unsafe, has the least money offered to find an exploit (Java was exploited three times during the two-day event).
Every browser and plug-in – except Safari – was compromised during the competition, which illustrates just how easy it is for determined and smart hackers to cause problems with computers. In fairness to the other browsers, no participants actually tried to exploit Safari, so it was security through obscurity rather than some magically secure programming.
All the hacks occurred on fully up-to-date versions of Windows (or OSX), and the hackers weren’t allowed to use previously discovered hacks. In essence, this meant that they had to find security holes on computers very much like yours (scary?). For those interested, full competition rules can be found at: http://dvlabs.tippingpoint.com/Pwn2OwnContestRules.html.
The idea behind the competition is that by promoting opportunities for people who have the skills to damage computers, they will use them in a constructive way. Without competitions like this, which provide hackers with a fun and rewarding way to practice those skills, the other methods of practicing are a bit more nefarious. And as a result of the competition, the security industry can actually learn a lot about weaknesses in existing systems, and see how various hackers go about their business.
It seems to work, too. Since the competition began, Chrome and Firefox have both been broken into, but parent companies Google and Mozilla have already released updates fixing the problems (Chrome has patched 10 vulnerabilities since the competition began).
Norman Safeground Blogs Archive