Schneier on Security
A blog covering security and security technology.
February 7, 2013
Over $3M in Prizes to Hack Google Chrome
Google's contest at the CanSecWest conference:
Today we’re announcing our third Pwnium competition: Pwnium 3. Google Chrome is already featured in the Pwn2Own competition this year, so Pwnium 3 will have a new focus: Chrome OS.
We’ll issue Pwnium 3 rewards for Chrome OS at the following levels, up to a total of $3.14159 million USD:
- $110,000: browser or system level compromise in guest mode or as a logged-in user, delivered via a web page.
- $150,000: compromise with device persistence -- guest to guest with interim reboot, delivered via a web page.
We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems.
Posted on February 7, 2013 at 6:35 AM
This will also increase prices to pay by governmental agencies (TLA) buying exploits for Chrome OS, to more than $150000. TLA have an annual objective of 0day exploits to buy, and billions of $.
Result: more people will try to develop exploits of Chrome OS. But Chrome OS won't be safer.
Google's $3141590 cannot compete with them.
Well I do believe that will help a little bit. I doubt that anyone will exploit an updated version of Google Chrome this year, the automatic update with the sandbox makes it very secure.
BTW, in last year's edition, VUPEN hacked into Chrome and declined to reveal how they escaped the sandbox. They said they were going to sell the code instead. What happened with the code?
Zen DDoS Protection
Any sincere commitment to security would mean they offer strong payment regularly, not just with one show where one has to jump through a bunch of hoops to join and get involved with.
The payment I am seeing from these firms is paltry compared to what I see from the government black market. (Which I have never seen is so great, though just from peer talk.)
I do not know about Chrome OS, but the Android OS has some serious weaknesses in it.
If you gain access to the user's Google credentials, you can gain access to their Google Play site where you can force upload from the web remotely whatever programs you wish onto their system.
Google does not encrypt their credentials in their mail application's database -- which is not secured permissions-wise.
And they have a lot of sites where someone could steal their cookies. Like one sees with this recent Yahoo hack.
Their main sites are very hard core secured at the web level, but not so with all of their far flung sites of the same domain.
(Their main sites' security is not so secure when combined with certain Android applications.)
I strongly doubt Chrome OS is "all that", and if it was, they would feel confident in offering stronger monetary rewards all the time.
Want to cash in Google's money without actual research?
(1) set up a Chrome OS as a blog server paraphrasing articles about fortune of China's leaders.
(2) firewall any non-http inbound connection with an OpenBSD computer (or other secure computer, see http://www.schneier.com/blog/archives/2013/02/... for details).
(3) publish on the blog that you regularly visit english.cri.cn to check that they don't write about it.
(4) increase your visibility through Search Engine Poisoning, comments at NYTimes newspaper, private mail to NYTimes under China's scrutiny, ...
(5) publish the OS version of your blog server.
(6) visit english.cri.cn regularly, and use the OpenBSD box to log all answers.
(7) parse these answers on OpenBSD. This is the difficult step.
(8) sell this 0day exploit to Google.