Posts Tagged: charlie miller


19
Jun 13

Microsoft to Offer Standing Bug Bounty

Microsoft said today it will pay up to $100,000 to security researchers who find and report novel methods for bypassing the security built into the latest version of the company’s flagship operating system. Researchers who go the extra mile and can also demonstrate a way to block the new attack method they’ve reported can earn an extra $50,000.

win8-1pThe bug bounty program is a remarkable shift for a company that has for the most part eschewed paying researchers for finding security vulnerabilities in its products. But unlike tech giants like Facebook, Google, Mozilla and Twitter — which have for some time now offered bounties ranging from a few hundred to several thousand dollars to researchers who report bugs in their products or Web properties — Microsoft is reserving its reward money for research on products that are still in beta.

The reward program — which officially launches June 26, 2013 — will pay up to $100,000 USD for “truly novel exploitation techniques” against protections built into the latest version of Windows  — Windows 8.1 Preview. Additionally, Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying mitigation bypass submission,” the company said in a blog post today.

These two offers are open-ended, but for just 30 days beginning June 26, Microsoft is offering a separate bounty of up to $11,000 for critical flaws in Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview).

Continue reading →


4
Feb 13

Flaw Flood Busts Bug Bank

The Common Vulnerability & Exposures (CVE) index, the industry standard for cataloging software security flaws, is growing so rapidly that it will soon be adding a few more notches to its belt: The CVE  said it plans to allow for up to 100 times more individual vulnerabilities to be indexed each year to accommodate an increasing number of software flaw reports.

beltfixCurrently, when a vulnerability is reported or discovered, it is assigned a CVE number that corresponds to the year it was reported, followed by a unique 4-digit number. For example, a recent zero-day Java flaw discovered earlier this year was assigned the identifier CVE-2013-0422.  But in a recent publication, The MITRE Corp., the organization that maintains the index, said it wanted to hear feedback on several proposed changes, such as modifying the CVE to allow for up to 999,999 vulnerabilities to be cataloged annually.

“Due to the increasing volume of public vulnerability reports, the Common Vulnerabilities and Exposures (CVE) project will change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year,”  CVE Project announced last month. “The current syntax, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year.”

It’s not clear if this shift means software is getting buggier or if simply more people are looking for flaws in more places (probably both), but new research released today suggests that bug finders have more incentive than ever to discover — and potentially get paid handsomely for — new security holes.

For example, one of the hottest areas of vulnerability research right now centers on the industrial control system space — the computers and networks that manage critical infrastructure systems which support everything from the power grid to water purification, manufacturing and transportation systems. In a report released today, Austin, Texas based security firm NSS Labs said the number of reported vulnerabilities in these critical systems has grown by 600 percent in 2010 and nearly doubled from 2011 to 2012 alone.

NSS’s Stefan Frei found that 2012 reversed a long running trend of decreasing vulnerability disclosures each year. At the same time, NSS tracked a decline in vulnerabilities being reported by perhaps the top two organizations that pay researchers to find bugs. For example, Frei noted, iDefense‘s Vulnerability Contributor Program (VCP) and HP Tipping Point‘s Zero Day Initiative (ZDI) each reversed their five-year-long rise in vulnerability reports with a reduction of more than 50 percent in 2012.

Frei suggests one major reason for the decline in bugs reported by ZDI and the VCP: researchers looking to sell vulnerability discoveries today have many more options that at any time in the past.

Continue reading →


7
Aug 12

How to Break Into Security, Miller Edition

For this fifth edition in a series of advice columns for folks interested in learning more about security as a craft or profession, I interviewed Charlie Miller, a software bug-finder extraordinaire and principal research consultant with Accuvant LABS.

Probably best known for his skills at hacking Apple‘s products, Miller spent five years at the National Security Agency as a “global network exploitation analyst.” After leaving the NSA, Miller carved out a niche for himself as an independent security consultant before joining Accuvant in May 2011.

BK: How did your work for the NSA prepare you for a job in the private sector? Did it offer any special skill sets or perspectives that you might otherwise not have gotten in the private sector?

Miller: Basically, it provided on the job training.  I got paid a decent salary to learn information security and practice it at a reasonable pace.  It’s hard to imagine other jobs that would do that, but if you have a lot of free time, you could simulate such an experience.

BK: The U.S. Government, among others, is starting to dedicate some serious coin to cybersecurity. Should would-be cyber warriors be looking to the government as a way to get their foot in the door of this industry? Or does that option tend to make mainly sense for young people?

Miller: For me, it made sense at the beginning, but there are some drawbacks.  The most obvious drawback is government pay isn’t as competitive as the private industry.  This isn’t such a big deal when you’re starting out, but I don’t think I could work for the government anymore for this reason.  Because of this, many people use government jobs as a launching point to higher paying jobs (like government contracting).  For me, I found it very difficult to leave government and enter a (non govt contracting) industry.  I had 5 years of experience that showed up as a couple of bullet points on my resume.  I couldn’t talk about what I knew, how I knew it, experience I had, etc. I had a lot of trouble getting a good job after leaving NSA.

BK: You’ve been a fairly vocal advocate of the idea that companies should not expect security researchers to report bugs for free. But it seems like there are now a number of companies paying (admittedly sometimes nominal sums) for bugs, and there are several organizations that pay quite well for decent vulnerabilities. And certainly you’ve made a nice chunk of change winning various hacking competitions. Is this a viable way for would-be researchers to make a living? If so, is it a realistic rung to strive for, or is bug-hunting for money a sort of Olympic sport in which only the elite can excel?

Miller: In some parts of the world, it is possible to live off bug hunting with ZDI-level payments.  However, given the cost of living in the US, I don’t think it makes sense.  Even if you mix in occasional government sales, it would be a tough life living off of bug sales.  If I thought it was lucrative, I’d being doing it!  For me, it is hard to imagine making more than I do now as a consultant by selling bugs, and the level of risk I’d have to assume would be much higher.

Continue reading →


11
Jan 10

Firm to Release Database & Web Server 0days

January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products.

Continue reading →