All hacking eyes on the prize money at CanSecWest
Nearly $4 million in prize money between Pwnium and Pwn2Own drives more attention than ever to the two hacking contests, as Google crosses the $3 million security award mark.
VANCOUVER -- When it comes to hacking, it turns out that greed really is good.
All four of the major desktop browsers, plus two Adobe browser plug-in programs, succumbed to the predations of the hacker community in two different contests.
Pwn2Own, sponsored by Hewlett-Packard and organized by the HP-owned Zero-Day Initiative, featured up to $1.085 million in prizes, and security researchers going after Adobe Flash and Reader, Apple Safari, Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.
Eight research teams earned $850,000, with another $82,500 going to charity for Pwn4Fun over the two-day competition, which concluded on Thursday at the CanSecWest conference at the Sheraton Wall Hotel here. HP has summarized results for Day One and Day Two
The new Pwn4Fun charity contest saw Pwn2Own co-sponsor Google nailing Apple Safari for $32,500, while Pwn2Own organizer Zero-Day Initiative hit Internet Explorer for $50,000. Both teams donated their prizes to the Canadian Red Cross.
Why security hacking is becoming more lucrative Team Vupen of Vupen Security scored the most cash with $400,000, the most that any single Pwn2Own team has ever won. Vupen Chief Executive and Chief Researcher Chaouki Bekrar said to not let the high value of the prizes fool you: browser security, he said, is improving.
"The major value of Pwn2Own is to show that even the most secure software can be compromised by a team of researchers with enough resources," he said just after knocking off Google Chrome, the first of two contestants this year to do so.
But, he said, there's more value to the competition than just the lucrative prizes.
"Since we report the vulnerabilities to the vendors, they fix the flaws and [then] they harden the browser to prevent future attacks." Browsing in general becomes safer for everybody, Bekrar said, as browser vendors learn from each other's mistakes.
Brian Gorenc, the manager of the Zero-Day Initiative, agreed that the larger prizes are having a two-fold impact on the day-to-day security of what's likely to be your favorite browser.
"Microsoft, [Adobe] Flash, and Google were all patched before the contest. The vendors are definitely trying to put their best product forward," Gorenc said.
He said that reflects the growing trend where companies respond somewhat faster to reported bugs. The average two years ago was 180 days, but that's down to 120 days now.
Meanwhile, Gorenc said, the growing prize pot is attracting researchers like nerds to an arcade game. This year saw the highest number of entries in the decade-long history of the contest, at 16. It's getting to the point where security researchers can make in one contest enough to live on for a year, but it's not easy. There are strict requirements for proving your newfound vulnerability and exploit.
Where Vupen spent around four to six weeks to earn its prize money, Keen Team, from China, scored $65,000 for hacking Apple Safari and co-hacking Adobe Flash. They will donate some of their winnings to a Chinese charity for the people missing on Malaysian Airlines flight MH370.
Keen Team senior researcher Liang Chen said it took three months to develop those exploits, but he clarified that factors such as operating system and browser version can affect how successful an exploit is.
"Desktop Safari is harder to hack than on iOS 7 because [Apple] will implement the latest security enhancements more often," he said.
Not all the software up on the Pwn2Own chopping block lost its head. Bekrar's Vupen withdrew from scheduled attempts at Oracle's Java and Apple Safari, although he might've passed on Safari because the Keen Team successfully exploited it an hour earlier -- possibly with the exploit he had discovered.
One researcher failed at an Internet Explorer hack, although the browser succumbed to other attempts.
Left unscathed was the highest single prize of the contest, $150,000 for the "Exploit Unicorn." This rare beast demanded a specific hack: system-level code execution on a Windows 8.1 x64, in IE 11 x64, with an Enhanced Mitigation Experience Toolkit (EMET) bypass.
Pwnium for hacking Chrome OS Google held its own concurrent one-day hacking contest on Wednesday this week, giving security researchers a crack at Chrome OS and a grand total of $2.7 million in cash rewards.
Google would not reveal the number of participants, but George Hotz, a well-known researcher known on the console hacking scene as "Geohot" won $150,000 for an exploit chain six deep on the HP Chromebook 11. A second participant is up for a partial reward on the same device. Hotz also claimed one of the four $50,000 Firefox exploits at Pwn2Own.
Chris Evans, a Google security engineer who has been on the Chrome security team since Google began building the browser, echoed a similar note to Gorenc, Bekrar, and others in Vancouver this week: If you want high-quality security, you have to pay for it.
"The prize is high," Evans said, "because the amount we can learn from it is high. We can close whole classes of bugs, while devising new hardening measures."
Evans said that across all Google security rewards programs, which includes its regular Chrome bug bounty, the Google Search bug bounty, and the Pwnium event, the company has paid more than $3 million for bugs. That includes this week's Pwnium awards, and is accelerating: Google crossed the $2 million mark only seven months ago.
"We've gone from 2 to 3 really fast," he said. "The more money we can put into the "white hat" community, the better off we all are."
Evans said that the impetus at Google to improve security is driven by a desire simply to be better than the bad guys, and part of that is acknowledging and fixing previously-unknown vulnerabilities and exploits. He made it clear that Google feels it wins when it can point to lessons learned, such as the three losses by Chrome and Chromium this year.
"Bad guys are fundamentally lazy," Evans said, then added, "like the rest of us."
They're looking for the highest return with the least amount of effort, he said.
"They want the weakest link," he said, "and we will never have Chrome be the weakest link."