Tag Archives: hack

Pwn2Own: Nothing is safe

Chrome got both its stable and beta versions hacked in just two minutes. Google paid $75,000 for just one buffer overflow in Chrome which allows an attacker to bypass the sandbox.

Apple’s Safari got also hit by using a use-after-free (UAF) vulnerability in an uninitialized stack pointer in the browser and bypassed the sandbox for code execution.

Internet Explorer 11 64-bit was taken out with a time-of-check to time-of-use (TOCTOU) vulnerability allowing for read/write privileges. The attacker evaded all the defensive mechanisms by using a sandbox escape through privileged JavaScript injection, all of which resulted in medium-integrity code execution.

Mozilla Firefox was hit with an out-of-bounds read/write vulnerability leading to medium-integrity code execution.

A team of researchers showed their skills against Flash by using a heap overflow remote code execution vulnerability and then leveraging a local privilege escalation in the Windows kernel through TrueType fonts, bypassing all defensive measures. They were awarded $60,000 for the Flash bug and a bonus of $25,000 for the SYSTEM escalation. Another researcher exploited Flash by using a use-after-free (UAF) remote code execution vulnerability and sandbox escape directory traversal vulnerability in the Flash broker.

Adobe Reader was exploited twice through a stack buffer overflow – once for an info leak and again for remote code execution. The researcher leveraged an integer overflow to exploit the broker, netting him a cool $60,000 USD. For the day, that brings his total payout to $90,000 USD.

The final numbers for Pwn2Own 2015 are quite impressive:

5 bugs in the Windows operating system

4 bugs in Internet Explorer 11

3 bugs in Mozilla Firefox

3 bugs in Adobe Reader

3 bugs in Adobe Flash

2 bugs in Apple Safari

1 bug in Google Chrome

————————————-

$557,500 USD bounty paid out to researchers

As with every Pwn2Own, all vulnerabilities were disclosed to their respective vendors in the  “Chamber of Disclosures,” and each vendor is working to fix these bugs through their own processes.

The post Pwn2Own: Nothing is safe appeared first on Avira Blog.

Will 2015 be the biggest yet for Cybersecurity?

President Obama’s recently announced comprehensive new cybersecurity proposal for the U.S., highlighted in his State of the Union address (you can see a full transcript of this address here), puts the issue of cybersecurity where it should be: front and center.

The high-profile cyber-attacks and hacks of the past year have drawn a mainstream spotlight to cybersecurity. As the President emphasized in his address: “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.”

What are my thoughts? I think this is a real, actionable step in the right direction to increase the war on cyber-attacks and protect consumers and businesses.

The new Presidential cybersecurity proposal, officially announced  on December 19 at  the National Cybersecurity and Communications Integration Center, aims to move to quicker and more active security breach and threat reporting.

Image courtesy of The Guardian

According to the White House announcement, the proposal would create a more proactive environment for companies and organizations in the private sector to share security breaches with the government. The proposal, for example, would criminalize the sale of stolen financial data, and mandate that companies notify consumers about data breaches, as well as protect companies from liability.

As stated by the White House, “Specifically, the proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), which will then share it in as close to real-time as practicable with relevant federal agencies and with private sector-developed and operated Information.”

Information sharing provides a way to get a real-time response to these breaches. But it’s the old left-hand, right-hand problem.  Information sharing would speed up an organized response to a data breach or cyber-threat and allow a concerted response. But there remain legitimate concerns in many camps about the information shared.

This proposal seems to be well crafted in that it recognizes a general apprehension of handing over information to the government, a genuine concern (even an obsession) for many. The plan seeks to mollify privacy concerns by requiring participating companies to comply with a set of restrictions, such as removing “unnecessary personal information” and to protect personal information that has been shared.

A national standard in the United States for reporting breaches has been a long time coming. If you’re a company that has been hacked, your obligations are different in different states. If your information has been hacked, a company’s obligation to report it to you currently depends on the regulations of the state you reside in, which simply doesn’t make sense. If you’ve been hacked by someone from Russia, for example, does it matter whether you live in Connecticut or Texas? The problem is a global one, but a national plan is a great move.

The new cybersecurity proposal has critics and supporters lining up in debate.  And the prospect is real that this cybersecurity plan like previous proposals could become stalled in Congress.

“cybersecurity needs to be proactive in preventing and detecting cyber crime”.

We all need to focus on the idea that cybersecurity is not just reactive, but needs to be proactive – in preventing and detecting cyber crime. The President’s proposal is a step along that path.

I’m looking forward to a next step and results of the newly announced Summit on Cybersecurity and Consumer Protection at Stanford on February 13, 2015 which will convene a wide variety of groups for industry, private and public – to help shape public and private sector efforts to protect consumers and companies from growing network threats.

The good news is that momentum for cybersecurity is building. If we can get business, government, and the security industry in this country working from the same digital page, the benefits could be tremendous.

It’s a critical and very exciting time to be in digital security.