Security researchers give back at the Pwn2Own contest

But this year’s contest had an additional motive: to give back to the community at large.

Over the course of the two-day event, HP gave out $850,000 to researchers for the exploits they uncovered, with another $82,500 going to the Canadian Red Cross after the Pwn4Fun sponsors event.

“We’ve had a lot of firsts this year,” said Brian Gorenc, manager, vulnerability research, HP Zero Day Initiative. “One was that we added a charity event for our co-sponsors. This brought a lot of talk about doing charity events in the security industry.”

The contest challenges security professionals from around the world to exploit some of the most popular software and mobile devices on the market, and is meant to raise awareness that, despite vendor claims, no software is 100 per cent secure.

Once they’ve managed to exploit a browser or an application, the researchers “responsibly disclose vulnerabilities” to the vendor, as HP puts it, so that businesses can move forward on patching those vulnerabilities in their products.

“Everybody gets out there and says their browser is the most secure browser, but in the end, this contest is trying to show that it’s still possible to exploit them,” said Gorenc. “And what this contest is also trying to show is that this community of researchers really wants to secure software.”

Since its launch, the contest has grown to be one of the most recognized security contests in the IT industry. This year, eight teams or individuals from the U.S., Poland, France, Germany, South Korea, and China came to participate in 16 different categories.

In previous years, HP would randomly select the order of participants, and the winning team or individual would be the one that successfully hacked the software first.

But this year, says Gorenc, HP decided to break the contest into matches, in order to give everyone a chance to compete and create the opportunity for the company to buy more exploits.

One vulnerability discovered in Google Chrome was found to affect other browsers as well.

“When we got up to the disclosure room, we learned that it also affected Apple Safari,” said Gorenc. “So we disclosed not only to Google, but also to Apple, so that both companies are able to secure their software.”

In the Pwn4Fun event, Google and ZDI both discovered exploits in popular web browsers. Google exploited Safari by launching Calculator as root in Mac OS X, while ZDI delivered a multi-stage exploit in Internet Explorer that included an adaptable sandbox bypass.

It was a productive two days for all involved, but for Gorenc, the event was enhanced by the fact that they were doing it for a good cause.

“To me, the most interesting thing about this contest was the charity aspect,” said Gorenc. “We thought hard about how we were going to change the contest to make it good not only for the research and security communities, but also for the larger community in general.”