
Vasilis Pappas Won 'Blue Hat' Security Contest & Grand Prize of $200,000 From Microsoft

Earlier last year, software giant Microsoft started the Blue Hat security contest. The BlueHat Prize, announced globally by the company at the 2011 Black Hat security conference in Las Vegas, offers a grand prize of $200,000, a runner-up purse of $50,000, and a third-place award of a one-year subscription to MSDN Universal (a developer's platform for Microsoft products) worth $10,000 to security researchers who design the most effective ways to prevent the exploitation of memory safety vulnerabilities.
This year Microsoft rewarded a bunch of hackers and gave away a total of $260,000. 'Hackers' in the good sense here: the clever programmers who won its Blue Hat security contest, including a grand prize of $200,000.

The big prize was awarded to a PhD student at Columbia University, Vasilis Pappas, who was handed the check in an American Idol-style contest finale complete with loud music and confetti. The winners were announced during a party at the Black Hat hackers conference 2012 that just happened this week in Las Vegas. Two other guys took home significant prizes, too. Ivan Fratric, a researcher at the University of Zagreb in Croatia, got $50,000, and Jared DeMott, a security researcher for Harris Corp., won $10,000.
They all submitted ideas to help solve a really hard security problem called Return-Oriented Programming. ROP is a hacker technique that is often used to disable or circumvent a program's computer security controls. Twenty people submitted ideas in the contest. Without getting into too much technical detail, Pappas came up with something called kBouncer, which blocks anything that looks like an ROP attack from running.
It has become popular these days to pay security researchers bounties. But what's cool about the Blue Hat contest is that it paid the researcher for actually coming up with a fix to a problem. Other companies, including Google, Facebook, PayPal and many more, already have "Bug Bounty" programs, where they reward researchers for simply identifying flaws in their systems. By contrast, Microsoft and Adobe don't pay bounties. Microsoft promised that this first Blue Hat prize won't be its last, so this may be a sign of a smart new approach to engaging with security researchers for the software giant.


-Source (Microsoft & Business Insider)








Black Hat 2012- Key-Card of Hotel Door Can Be Bypassed With An Open-Source Tool "Arduino"



For millions of travelers, the ubiquitous hotel key card is the primary and essentially the only way to access their rooms at the end of the day. If you heard that the key card you use to access your private room is no longer safe, you would quite possibly be shocked. And trust me, this happened at Black Hat 2012. A security researcher, Cody Brocious, believes the current systems used to secure hotel doors throughout the United States and elsewhere are severely flawed. Speaking at the Black Hat security conference here, Brocious demonstrated how locks from Onity, a company that sells security products to hotels and other businesses, can easily be bypassed. At the show, Brocious detailed the primary security flaws that allowed him to bypass Onity locks and gain access to rooms.
According to eWEEK, Brocious used an open-source tool known as Arduino, a portable programming platform. Arduino was used as a substitute for the commercial portable programmer that an Onity lock would typically require. Brocious explained that the Onity locks also have a serial hardware connection that is easily accessible. In addition to the Arduino tool, Brocious used an oscilloscope that allowed him to see what was happening in the lock whenever a key card was put in and the door opened or closed. He was able to determine through his research that the underlying firmware on the lock does not require any form of authentication to arbitrarily access the memory of the lock. This means it is possible to read out every bit of information that is on the lock, which makes it possible for anyone to gain access or make a key.
In theory, programming for the lock should go over a secure channel, rather than doing direct unencrypted memory access, said Brocious. The problem, according to his research, is that the existing Onity lock design does not easily allow for that, and there is no easy way to update the firmware. Another potential option is to actually provide physical security on the door lock. For example, the company could make the serial port harder to access. However, with 5 million of these locks in use today, Brocious said this would be an expensive and challenging way to add additional security. The actual door locks are only half the problem exposed by Brocious. The card keys are also at risk. Typical card keys in the Onity system use only 32-bit key encryption making them easy to decrypt, according to Brocious. "The system is broken at every layer," said Brocious.
The severity of the issue and its high impact is what led Brocious to choose to release his research at Black Hat. In addition to his research, he is also releasing a software tool so that others can continue or expand on his efforts. "Something needs to be done about this problem, and I didn't want to put it out there in a way that could be defeated by process," said Brocious. "No doubt, this vulnerability has been found before, and it has been in the locks for years."
Brocious added: “I'd be surprised if this hasn't been used by malicious actors in the past.” What Brocious is hoping to achieve from this disclosure is not a mass string of hackers getting unauthorized access to hotel rooms, but rather some kind of fix and industry response. "I'm saying that this is what you're vulnerable [to], so come up with a way to solve the problem," said Brocious.



