Hackers gonna hack -- but you're more secure than you think

At CanSecWest, hackers nab major prize money for exposing OSes and browsers. But new zero-days aren't as easy to come by

We're awash in stories about catastrophic breaches and mysterious security threats that endanger computing as we know it. But is it really that bad? Last week's Pwn2Own and Pwnium hacking contests at the CanSecWest conference in Vancouver suggest otherwise.

Yes, participants in the Pwn2Own and Pwnium contests were out to show that, essentially, everything is hackable. But at the event, Craig Young, a security researcher at the firm TripWire, noted that "the sky is falling" mentality is unwarranted. "All technology has vulnerabilities. These competitions demonstrate that if you give talented people the time, money, and equipment, they will find those vulnerabilities."

In the case of the Pwn2Own competition, sponsor HP/TippingPoint paid out $850,000 in awards for vulnerabilities in the Internet Explorer, Safari, Chrome, and Firefox Web browsers, as well as Adobe's Flash. Based on the results, Young observed, the message to other security researchers is that the bar is being raised for hackers -- white hats and black hats alike. "The security level is getting to the point where you're not going to compromise something with one vulnerability," he said.

In order to write malicious code onto vulnerable systems, researchers working on platforms like IE and Chrome often have to chain together two or more vulnerabilities. That was the message from Vupen founder Chaouki Bekrar, whose company walked away from CanSecWest with $400,000 in prize money last week. "Exploitation is harder. Finding zero-days in browsers is hard," Bekrar told Threatpost.com.

The story was the same from Fang Jiahong and Liang Chen of up-and-coming security research firm Keen Team of China. The two pocketed more than $100,000 in reward money for exploits of Apple's Safari Web browser and Adobe Flash. Speaking to Threatpost, Chen said that Apple's OS X operating system is no easy mark: "Even if you have a vulnerability, it's very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems."

Not that we should dispense with the big stage and the cash prizes. Even if big-money hacking contests create a false impression of widespread insecurity in (mostly) secure products, Young said they serve an important role as a recruitment tool for the security industry: "These contests draw the interest of people in college who see the money at stake and think, 'Maybe this is a field I want to get interested in.'"

The United States and other countries need to promote this message, Young argues. "We need more people who have good wits about them about security -- who can identify a vulnerability or write code that has fewer of them."

This article, "Hackers gonna hack -- but you're more secure than you think," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies