Pwn2own 2014 Set To Hunt Unicorns

darthcamaro writes "The annual Pwn2own hacking competition has always made short work of all browser vendors' security, shredding perception of safety by hacking IE, Firefox, Safari and Chrome in minutes. This year the competition is adding a twist — for IE on Windows 8.1, hackers will also have to bypass Microsoft EMET, which is a seemingly bulletproof type of sandbox. The competition is calling this the 'Unicorn Exploit' and the first researcher to successful exploit it will pocket $150,000."

Theme handles

[TWX]

I hope whoever wins this one has a handle that's a character name from Legend...

Re:Theme handles

Like JackTheHaxor?

Re:Theme handles

[Jane+Q.+Public]

Hah. But THIS time, it's the unicorn that gets uni-cornholed.

"In minutes"

[thetagger]

Sure, they hack browsers "in minutes" after months of studying and audits.

Re:"In minutes"

[Daniel+Hoffmann]

But don't they just type the hack really fast at a moments notice just like in the movies? Hollywood you lied to me!

Re:"In minutes"

[Anubis+IV]

Exactly. What all of these headlines neglect to mention is that these folks have created automated suites that oftentimes make use of zero-day or recent exploits. It's not as if they sit down and start putting something together once they get there. Rather, they carefully crated these tools in advance in order to allow them to make the headlines by hacking things in mere minutes or even seconds.

Re:"In minutes"

[the_B0fh]

Does anyone seriously expect someone to just walk up to a machine, and search for a new vulnerability and hack it in 30 minutes?

Re:"In minutes"

So what's your point?

Does it some how make a zero day exploit less dangerous if it takes longer to find?

Re:"In minutes"

[Anubis+IV]

Have you talked to any of the types of folks that are regular watchers of CSI and its ilk? For most of them, computers are still magic boxes. A mother I was talking with yesterday was asking me if they still made computers with floppy drives, since she still uses them on a regular basis, and she was shocked to learn that not only have all of the major manufacturers stopped putting them in, but that the industry is even starting to move away from CD/DVD drives at this point towards download-only distribution. I let her know she'd be okay, however, since there are external floppy and optical drives, as well as alternatives such as thumb drives, that will likely fill her needs.

Considering that her source of information for what computers can do is probably TV shows and movies, should it come as any surprise that folks like her would read a headline and misinterpret it that way?

Re:"In minutes"

My Grandmother. To her, computers are just magical machines and hackers are akin to techpriests and engineseers: all they need to do is the right incantation and the computer does what they want. She is also talks about her computer as if it were fully self aware and has moods (to the point where she gives it complements when it is being slow). The fact that it automatically updates, most configuration changes are made at the command line and the like probably doesn't help.

Re:"In minutes"

[wile_e_wonka]

A mother I was talking with yesterday . . .

I know; mothers are the worst. Completely technologically illiterate. Did you know that the average mother still uses her uterus to produce a child?

Re:"In minutes"

[Anubis+IV]

To be clear, I wasn't generalizing about mothers. I was generalizing about the sort of folks who watch shows like that. The two sets may intersect for a large portion of their members, but they are by no means identical. I'm friends with a mother who has a doctorate, has flown in space four times, is one of the leading experts on certain types of robotics, does occasional stints as a university professor, and could run circles around me when it comes to anything technological. On the other end of the spectrum is the mother I was describing in my previous post. Somewhere in between would be my own mother, who made the transition to digital-only a few years back when we bought her a Mac Mini that didn't have an optical drive.

While I may have used a mother for my example, I was by no means intending to disparage them as a group (nor was I intending to disparage the one I was describing, for that matter; I was merely restating my encounter, which would help explain why I thought people may be confused by the headlines).

Re:"In minutes"

Technologically illiterate indeed:

http://en.wikipedia.org/wiki/Lois_Haibt

Re:"In minutes"

[wesk]

What's the basis for your generalization of those who watch CSI "and its ilk"? I used to watch one of those shows, and while I realize that the technical abilities portrayed might not be realistic or even possible, I enjoyed the show for other reasons.

Re:"In minutes"

[wiredlogic]

No they just insert a floppy disk and the computer autoruns their exploit for them.

Re:"In minutes"

[operagost]

They could at least use 9 uteruses to get it done in 1 month!

Re:"In minutes"

I've seen a system get hacked in minutes but they were all because an administrator or developer did something blatantly obvious and stupid that allowed it to happen.

Re:"In minutes"

[citizenr]

But don't they just type the hack really fast at a moments notice just like in the movies?

This requires two people typing really fast on the same keyboard simultanously

Re:"In minutes"

[Anubis+IV]

I actually enjoyed CSI for the first few seasons as well, but I think we all have a mental picture of the sorts of people I'm talking about when I make a comment along those lines. That is, people who think that technology is much more capable than it actually is, that scientists and the like catch all of the finest details every single time, and that even the slightest thing out of place is sufficient for dismissing the entire idea. I've heard that prosecutors have been having a really hard time since CSI started since people expect all of the evidence to perfectly line up every single time, when in reality it just doesn't work that way, and people are called to use their judgment in determining whether the holes that are there are sufficient cause for doubt.

Calling Zap Brannigan

The hackers will certainly hit the EMET bullseye, the rest of the dominoes should fall like a house of cards. Checkmate. Somebody's getting $150,000.00

Enhanced Mitigation Experience Toolkit

[BisuDagger]

From GHacks.net "It is by no means a catch-all security application, but it mitigates many common attack types and forms on the system. " The review on their website had led me to believe that the best of hackers could still get through EMET security. It will still be exciting to see how quickly the victor can make it into the heavily defended IE.

Re:Enhanced Mitigation Experience Toolkit

EMET just allows easier access to configure existing security controls (like ASLR and DEP.) It's not a sandbox at all.

In other shocking news...

...housewives don't generally pay for plumbing or electrical work in sexual favors, either...

Re:In other shocking news...

[boristdog]

...housewives don't generally pay for plumbing or electrical work in sexual favors, either...

So I'm wasting my time with my cable repairman correspondence course?

Re:In other shocking news...

[bob_super]

Probably because I've never met a plumber who looked anything like a porn star...

Re:In other shocking news...

When it comes to the male talent, you have to look in one-and-only-one specific place.

Re:In other shocking news...

Those who do get a surprise bill afterwards. Services can't be payed with other services. Tubing for the money and some fucks for free!

Re:In other shocking news...

[tolkienfan]

You can guess what happens next...

He fixes the cable?

Why don't they try to PWN the NSA?

There have to be holes to get into their networks, no?

Re:Why don't they try to PWN the NSA?

It's a little more challenging to get into the NSA's holes than your mom's.

Re:Why don't they try to PWN the NSA?

[cavreader]

Not to mention your mom will not be monitoring for break-ins on quite the same level of the NSA.

Re:Why don't they try to PWN the NSA?

Whoosh...

Re:Why don't they try to PWN the NSA?

It's ok, cavreader's mom pays for exploiting her holes too.

Re:Why don't they try to PWN the NSA?

[Ralph+Wiggam]

Any data classified as Secret or higher is stored on computers that are physically separate from the public internet. So before anyone could hack into the NSA or a similar agency, they would have to bypass physical security involving many men with guns.

Re:Why don't they try to PWN the NSA?

involving many men with guns.

Many, many men with guns ie. Johnsons as far as the eye can see. -- Lasard

More than meets the eye

[tepples]

Wouldn't the opposite of a Unicorn be a Priums?

"Unicorn Exploit"

Since unicorns can only be catched by virgins, I am very confident that someone in the hacker's community will meet the necessary requirements.

*scnr*

Snowden already did

[tepples]

I thought Ed Snowden already got into the NSA through the most effective method: social engineering. Heck, his name rearranges to Ends Owned.

Re:Snowden already did

[Videospike]

Actually, his name is Edward, not Ed, which rearranges into "Wanded Wonders". So there you have it. Snowden is a wizard, and he hacked the NSA with magic. Any other explanation is absurd.

Re:Snowden already did

It's been a while but: Ronald Wilson Reagan -- "Insane Anglo Warlord"

Security by obscurity?

This year the competition is adding a twist — for IE on Windows 8.1, hackers will also have to bypass Microsoft EMET, which is a seemingly bulletproof type of sandbox

Why would hackers care about Windows 8.1? What is the market share now? Half a percent better than Vista? Haven't the shills been screaming for years that Linux is only secure because it's not a 'big target' like Windows? By that definition Windows 8.1 must now be the most secure OS the world has ever known.

Nothing is ever bulletproof.

Re:Security by obscurity?

[tepples]

Why would hackers care about Windows 8.1? What is the market share now?

I'd guess well over 90% of newly manufactured desktop and laptop PCs not made by Apple and sold to homes and small-business users in the first world.

Re:Security by obscurity?

[Threni]

If true, that's the percentage of a vanishingly small sector of the total internet connected devices. You've basically said "well over 90% of 0.7% of the market" which proves the OP's point entirely.

Re:Security by obscurity?

[gl4ss]

well, the 150 000 is to make them care.

Re:Security by obscurity?

[tepples]

The comparison isn't to "Internet-connected devices". Not all devices that connect to the Internet even run a web browser. The comparison I intended was to other devices on which a web browser is commonly used. This includes at least desktops, laptops, tablet PCs, smartphones, and tablets running a smartphone operating system. I imagine that Windows 8.1, Windows RT 8.1, and (soon) Windows Phone 8.1 combine to cover a lot more than 0.7% of these markets.

bulletproof type of sandbox = $150k?

Breaking a "bulletproof type of sandbox" gets you ... $150k? That's all it's worth?

Re:bulletproof type of sandbox = $150k?

[Immerman]

For now maybe.
For now Windows 8.1 is such a small part of the installed base that the botnet controllers are probably unwilling to pay much more than that for exploits to make it more accessible. Eventually that will change and the value may become much higher, but if you're an amoral hacker trying to wait until then to cash in you run the risk that some other hacker will discover the exploit and cash in with Microsoft, which renders your work valueless.

But come on, how many man-hours do you suppose are going to be spent by a single hacker-collective to find a vulnerability in the "bulletproof" security? $150,000 is a hell of a lot of money for anyone not in the top 10%. Hell, it's decent change for anyone not in the 1%. Put a full man-year into the project (2085 hours assuming 40h/w and no vacations) and you still stand to make ~$72/hour.

Re:bulletproof type of sandbox = $150k?

[im_thatoneguy]

Presumably only one person wins. If it's a task that the average security researcher could accomplish ($150k is not a very high wage). Then you have to estimate how many *other* people will enter. You also have to estimate that all 'average' security researchers will be equally successful.

That means you spend $150k and you are 1 of let's say 1,000 entrants and your average payout is $150 for a year's work. About 2 hours of your hourly rate. Even if you were only one of 100 contestants then your payout is $1,500 which means unless you finish it in about a day's work it's not worth your time to win.

This is why I never enter contests. Even if I'm amazingly qualified there are undoubtedly at least 10 other amazingly qualified entrants. That means I have to compete in 10 contests in which I'm amazingly qualified to statistically get paid. Even blockbuster winnings like $200,000 suddenly look iffy when the value proposition is for say 3 months of work for $20k. Now you might say "Wow $80k a year sounds like a nice project living to me!"

But in most industries if $80k is appealing per year, you aren't going to be competitive so you'll be winning $0 in prizes. Generally the only way you'll "win" from a financial standpoint is if the price is very large, it's awarded to all winners (see bounties), you're damn near certain you'll win or you live in a developing country with a very low cost of living and can't freelance with a company that pays you better.

Re:bulletproof type of sandbox = $150k?

[Immerman]

Yes, but do you suppose an "average security researcher" would bother to enter one of these things unless just for the sport of it? I suspect these competitions appeal more to the fringe types who aren't content to work as a cog within the machine - refusing to be a well-oiled cog does tend to take its toll on earning potential.

"seemingly bulletproof" ?

[ljw1004]

I was curious about this "seemingly bulletproof" sandbox as described in the summary. But the opening paragraph on Microsoft's website explains:
These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited

So much for the hyped-up summary...

Re:"seemingly bulletproof" ?

[Richard_at_work]

Of course they dont guarantee, as that would be an issue if it were exploited.

What EMET is - and isn't

[daboochmeister]

At the risk of introducing information into the discussion ... some of the other respondents have taken oblique cue shots off this info, but to get it out on the table ... EMET is a software package that enforces otherwise existing security protections on programs that may not have them in place. For example, DEP, ASLR, SEHOP (very Windows-specific mitigation), heapspray prevention, and in 4.1 they added certificate pinning, to detect mitm attacks. (looking up acronyms left as an exercise for the reader)

The good news - these mitigations can be applied from outside the apps involved (as of 4.1, no more app recompiling or special-versions needed). The somewhat bad news - there are compatibility issues, and many apps are not compatible with the whole list of protections (see the MS KB article for more info). I also wonder if there are performance impacts from doing so, as opposed to compiling in the mitigations that can be compiled in - but don't quote me on that, I'm not sure

More bad news - it won't work with certain app features, e.g. any code that accesses certain system services at too low a level, so for example DRM-using apps (so many videogames are off the table); and it only intended for desktop apps (so they "do not advise" you use it with system services or server apps).

We tested the 3.0 version, focusing solely on the mitigations that could be imposed from outside the code even in that version - and found that many apps had issues with most, and some with all, of the mitigations (and, a killer for us, it wouldn't work with virtualized apps). Maybe that's improved, not claiming to know.

All in all - it has value if you're deploying legacy apps over which you have no control to a broad array of desktops, and it doesn't break your apps. Frankly, I don't know why the emphasis on IE11 ... I think the only protection that wouldn't already be compiled in is the certificate pinning, but maybe that alone is enough - or it makes it doubly difficult to break out of IE11 if you have the compiled in e.g. ASLR as well as the imposed-sandbox ASLR ... not sure.

To be clear ... it's NOT comparable to mandatory access control - it's more mitigation-specific than that. And also, by way of information, the open source operating systems often enforce the same kinds of mitigations on the apps that they support from their repositories (e.g., the Canonical Ubuntu team compiles every app in their repo with all possible mitigations -- see the Ubuntu security features page for more info). That's one of the big advantages of open source - you don't have to try to impose really-meant-to-be-compiled-in security features from outside.

Hunting unicorns

Damn, I was hoping this finally spelled the end for Princess Twilicorn.

go for the bypasses

You usually have to submit exceptions to EMET for everything to keep working after turning it all on.

I'd target the most common exceptions.

"perfect security"

[v1]

typically attracts people that already have a stable full of unicorns, especially if you're foolish enough to put a big bounty on it. Announcing you have "perfect security" just brings the embarrassment to your door that much faster.

And try as you might, even actual "perfect security" on your part will usually fail miserably at someone else's hands. Look at Safai, and how often flash or java (or the user themselves) is used to compromise it. (approaching 100%?)

Re:"perfect security"

My non-existent hard drive is perfectly secure.

We'd Like to Thank! Our Pwn2own Platinum Sponsors

[DroneWhatever]

215 of The Patriot Act, The NSA, The CIA, The FBI, DHS and the following individuals who shall remain nameless. Without whose contributions, there would be no "ethical" paid hacking as a career, endless amounts of American civil liberties, no war on ter-r. Think any agencies will be doing some recruiting there?

not worth it

[Gravis+Zero]

it's clear that the amount offered is very little compared to what you could get by selling the info. if you can get a browser hack that can highjack the OS then it's worth a shitload more than the pennies they are offering. they need to start offering real cash for these deep level hacks.

Re:not worth it

it's clear that the amount offered is very little compared to what you could get by selling the info.

That's why when I find someones wallet on the ground I immediately steal their identity and drain their bank accounts. I never even consider returning it, because I know I at most will get a small token reward, or perhaps, merely a heartfelt thank you. Oh, wait, no, that's not what I do at all. I return them, even going out of my way to do so.

if you can get a browser hack that can highjack the OS then it's worth a shitload more than the pennies they are offering.

Money isn't the only thing in the universe.

Re:not worth it

I would like to point out that $150,000 is 15 million pennies, which weighs 82673.35 lbs, or 41.34 tons. A shitload is equal to 1.848 metric tons, which is 4,074.14 lbs, or 2.04 tons. This is 5% of our original 41.34 tons, and is therefore equal to $7,391.40. In other words, you think they should be paid $157,391.40.

I am not sure why you would chose that number. It seems arbitrary to me.

unicorn hunting?

[corbettw]

Here I thought this would be about talking to single ladies at couples clubs.

Re:unicorn hunting?

know. your. audience.
talking to single ladies?
couples clubs?
talking?

Did they misspell "Unicron"?

After all, they have to hack into a "World Wide Web" browser.

Why Hunt Unicorns?

[El_Oscuro]

... When you can just order it online?

Marigold won't like it

Marigold will be quite upset to hear they're offering bounties on unicorns. She might take it as a personal affront.