Google offers “leet” cash prizes for updates to Linux and other OS software

Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet.

The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties. Security researchers inside the company considered modifying the program to reward bug reports in open-source software, but eventually decided against that approach. The reason: bug bounty programs often invite a flood of reports of varying quality that can overwhelm the finite resources of open-source developers. What's more, it's frequently much harder to patch a vulnerability than merely to find it.

"So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug," Michal Zalewski, a member of the Google security team, wrote in a blog post. "Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just enable ASLR—we want to help."


Critical WhatsApp crypto flaw threatens user privacy, researchers warn

A security researcher said he has found an encryption flaw that makes it possible for adversaries to decrypt communications sent with WhatsApp, a cross-platform smartphone app that processes as many as 27 billion instant messages each day.

WhatsApp developers say messages are "fully encrypted," and company CEO Jan Koum told Ars that Tuesday's vulnerability report is "sensationalized and overblown." But a computer science student at Utrecht University in the Netherlands—and several cryptographers who have reviewed his work—said the app appears to contain long-documented weaknesses, including the use of the same encryption key on both sides of a conversation. As a result, they said, it's not hard for cryptographers to decrypt WhatsApp messages that travel over Wi-Fi networks or other channels that can be monitored.

"You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort," Utrecht computer science and mathematics student Thijs Alkemade wrote in a blog post published Tuesday. "You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this... except to stop using it until the developers can update it."
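The weakness the researchers describe, one key shared by both sides of a conversation, is easiest to see with a stream cipher: each message is XORed with a keystream derived from the key, so when two messages are encrypted under the same keystream, XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts, with no key required. The following is an added example written for this page, not code from WhatsApp or from Alkemade's post; the cipher (SHA-256 in counter mode), the master key, the direction labels and the sample messages are all constructed for illustration and say nothing about WhatsApp's actual key schedule. It models the shared-key case beside a mitigation that derives a distinct key per direction.

```python
import hashlib

# Toy stream cipher for illustration (constructed here; this is not WhatsApp's
# cipher or key schedule). Keystream = SHA-256 in counter mode under one key.
def keystream(key: bytes, length: int) -> bytes:
    """Expand `key` into `length` bytes of keystream, always starting at block 0."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream. Decryption is identical."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


def shared_key_leak(key: bytes, msg_a: bytes, msg_b: bytes) -> bool:
    """Model the weakness described above: both sides encrypt under the same
    key, so both messages are XORed with the same keystream. Returns True when
    the XOR of the two ciphertexts equals the XOR of the two plaintexts, i.e.
    the keystream cancelled out and a passive observer holding only ciphertext
    learns msg_a XOR msg_b without ever knowing the key."""
    c_a = encrypt(key, msg_a)
    c_b = encrypt(key, msg_b)
    return xor_bytes(c_a, c_b) == xor_bytes(msg_a, msg_b)


def direction_key(master: bytes, label: bytes) -> bytes:
    """Mitigation (an assumed design, not WhatsApp's): derive a distinct key per
    direction from the shared master key and a fixed, public label."""
    return hashlib.sha256(b"direction-key|" + label + b"|" + master).digest()


def separate_keys_leak(master: bytes, msg_a: bytes, msg_b: bytes) -> bool:
    """Same check with per-direction keys: the two keystreams differ, so the XOR
    of the ciphertexts is unrelated to the XOR of the plaintexts (returns False)."""
    c_a = encrypt(direction_key(master, b"client->server"), msg_a)
    c_b = encrypt(direction_key(master, b"server->client"), msg_b)
    return xor_bytes(c_a, c_b) == xor_bytes(msg_a, msg_b)


# Constructed sample conversation (not real traffic).
MASTER_KEY = b"constructed-demo-key-0123456789"
MSG_FROM_ALICE = b"Meet at the station at 9, platform 4"
MSG_FROM_BOB = b"OK, platform 4 it is. Bring tickets."

if __name__ == "__main__":
    print("one key for both directions leaks pA xor pB:",
          shared_key_leak(MASTER_KEY, MSG_FROM_ALICE, MSG_FROM_BOB))
    print("per-direction keys leak pA xor pB:",
          separate_keys_leak(MASTER_KEY, MSG_FROM_ALICE, MSG_FROM_BOB))
```

Per-direction keys close only the cross-direction case shown here. Because `keystream` restarts at block 0 for every message, two messages sent in the same direction would still share a keystream and leak in exactly the same way, which is why a real design also binds each message to a nonce or keeps a running stream position rather than restarting the cipher per message.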


Microsoft pays $100K for new exploit technique, patches IE 0-day

In June, Microsoft announced that it would start paying third-party security researchers for their work. Specifically, up to $11,000 was available for critical vulnerabilities discovered in the Internet Explorer 11 beta (a scheme that's now over), and up to $100,000 was available for any technique that bypassed Windows' built-in exploit mitigation schemes.

Four months later, the company has paid its first $100,000 bounty. Researcher James Forshaw from Context Information Security has created an as-yet unpublicized way of exploiting Windows applications that defeats systemic protections such as Address Space Layout Randomization and Data Execution Prevention.

Unlike other bug bounty programs like the one Google runs for its products, Microsoft is not paying out for individual bugs in released software. The company says that there are already plenty of companies willing to pay for such bugs, so there's no particular need to get in on that action. Rather, the $100,000 scheme pays out for entire classes of exploits, in principle enabling Microsoft to provide generic solutions that will make lots of bugs harder to use maliciously.


NSA saves zero-day exploits for high-value targets

The National Security Agency has a wide-ranging menu of software exploits at its disposal to tailor the right attack to the targets it wants to monitor, according to a blog post published Wednesday by security expert Bruce Schneier. While the program allows analysts to operate in almost absolute secrecy, the NSA's pursuit of an expansive surveillance program has largely defeated those efforts, his essay concludes.

As last week's publication of secret NSA documents showed, the agency operates servers codenamed FoxAcid that exploit software vulnerabilities on targets' computers. By the time those attacks are unleashed, analysts already know a huge amount about the person on the receiving end. Based on that information, the spies will use a complicated trade-off system to automatically choose an attack from a multitiered menu of options.

"If the target is a high-value one, FoxAcid might run a rare zero-day exploit that it developed or purchased," Schneier wrote. "If the target is technically sophisticated, FoxAcid might decide that there's too much chance for discovery, and keeping the zero-day exploit a secret is more important. If the target is a low-value one, FoxAcid might run an exploit that's less valuable. If the target is low-value and technically sophisticated, FoxAcid might even run an already-known vulnerability."
