Over the last several years, the Pwn2Own hacking challenge has become known as the place where browsers get hacked, sometimes within just a matter of minutes. This year, the event's organizers at HP TippingPoint's Zero Day Initiative (ZDI) are looking to project a more serious demeanor and downplay the sensational nature of the contest -- even as they change the rules in an effort to demonstrate a record number of exploited security vulnerabilities.
"In the past, due to the way the competition was architected, we had lots of sensationalist headlines, things like 'Mac hacked in three seconds'," said Aaron Portnoy, Manager of the Security Research Team at HP TippingPoint, in a conversation with InternetNews.com. "We don't think that type of sensationalism was representative of all the research that was going on."
In previous years, researchers would go on stage to demonstrate a vulnerability, sometimes in under a minute. At the 2011 event, Apple Safari and Microsoft's IE were hacked on the first day. At the event two years prior, Safari was hacked in under two minutes.
The events in previous years also used a random drawing to determine which researcher would get the opportunity to demonstrate their vulnerability exploit. As such, even if there were five researchers ready to demonstrate a Firefox 0-day vulnerability, only one was admissible to win the contest.
"The problem with that is that it's not much of a competition, as the researchers were not really competing against each other as it was just a random drawing," Portnoy said. "As well, the vulnerabilities that other contestants had, but were not able to demonstrate at the contest, were not being fixed and were just kind of ignored."
The 2012 contest will be structured as a three-day event running at the CanSecWest security conference in Vancouver from March 7-9. Rather than simply being chosen from the random drawing and then demonstrating a vulnerability, this year's contestants will be competing and ranked according to a point system.
"Each 0-day vulnerability that is demonstrated against any of the browsers (Firefox, IE, Safari and Chrome) will be worth a certain point value," Portnoy said.
In contrast to previous events, where only one 0-day vulnerability was allowed to be presented for each browser, this year there is no such limit. For example, there is nothing to stop a security researcher from demonstrating 10 new Firefox vulnerabilities and collecting all the 0-day points for them.
In a new twist, Pwn2Own 2012 will also be taking aim at known vulnerabilities. These are browser issues that were disclosed at some point in the past year, but do not yet have a public exploit. The researchers will need to actually exploit the given vulnerability in order to score additional points.
"In the past, Pwn2Own has shown the importance of 0-day vulnerabilities and the fact that at any given time you are susceptible to attack regardless of your patch level," Portnoy said. "What we had been ignoring is the fact that it's really important to actually patch vulnerabilities."
He added that by showing that known vulnerabilities can be turned into exploits relatively quickly, the goal is to reinforce the message that patching is critical.
The opportunity to compete for prize money is a key driver for security researchers' participation at Pwn2Own. HP is offering $105,000 in total prize money for the 2012 contest. The top point scorer will win $60,000, second place will be awarded $30,000, and third place gets $15,000.
Putting even more money on the table, Google is throwing in an additional $20,000 for vulnerabilities that affect Chrome. Google made a similar offer in 2011, but no security researcher was successfully able to demonstrate an exploit against the browser.
HP TippingPoint's Zero Day Initiative (ZDI) is no stranger to paying researchers for their efforts. Outside of the Pwn2Own event, ZDI pays researchers for disclosing vulnerabilities to it. In turn, ZDI responsibly discloses the vulnerabilities to the affected vendors. Vendors at Pwn2Own 2012 "will get reports and they'll get them for free, the only difference this year is that they might get more [of them]," Portnoy said.