Pwn2Own 2017: Your stuff as mincemeat

Security teams gathered at the Pwn2Own hacking competition to perform exploits on your favorite software and found plenty of bugs, proving nothing is foolproof.

They came from miles around to carry out a hallowed, decade-long mission: To eat your lunch.

The security researchers assembled at the 2017 Pwn2Own hacking contest, sponsored by Trend Micro, occasionally grouped together, then performed essentially zero-day exploits (at least by the rules, heretofore unknown) on your favorite stuff, such as Windows, MacOS and Linux. Smoldering pits were left in the screen as teams collected cash prizes and creds.

For grins and giggles, the Type 2 hypervisor VMware Workstation was also left in shrapnel; it was the first time a hypervisor had been penetrated this way, from inside one of its virtual machines. This wasn't a collateral effect; it was a shot across the whole bow. I suspect there are more ways to penetrate the underlying hypervisors as well, but as far as I know they haven't been seen in captivity.

Yes, Ubuntu was rooted, but it was because of a bug in the Linux kernel and not something Canonical (necessarily) left open.

The methods are known, and lots of compilers were running over the weekend to push new patches and fixes into the items found. We hope.

So, how does an organization protect against such things, such apparently easy zero-days?

First, it wasn’t that easy.

Second, the researchers had physical access to the machines and could control their network. The most interesting cracks were implemented through browsers, specifically Microsoft's Edge browser and Apple's Safari.

Third, these were great teams, and they earned their tens of thousands of dollars in prize money.

And there are far more. Some of the zero-days out there are known but not patched or fixed and have been waiting for years for a theoretical attack to become real. The CVEs are full of such things, long shots made short by enterprising individuals with a knack for tenacity and a love of a good explosion.

Each is happy to go to events like Defcon, Black Hat, Chaos Computer Club (CCC) and RSA. This is done for sport, certainly, but also for the revenue. A decent living can be made by bug finding—and sadly, also by bug selling.

The ethical questions concern the nature of bug finding and of bug finders. Without a doubt, the public spectacle of Pwn2Own looks like a huge embarrassment, as it should, for the software vendors. Smoking craters mean a lot of work went down the drain. They also mean nothing is foolproof, because fools are so ingenious, and the practice of separating operating system functionality, together with constant revision, can itself be a problem.

Software companies’ growth—and the problems that come with it

Publicly traded companies must report way-cool quarter after quarter growth to their slavemaster, Wall Street. Growth has to come from new purchasers, upgraders, service plans, and especially new releases. The lore that software organizations would like you to believe is that the new stuff is better than the old stuff—see our preview, our beta lists or our demo/trialware.

Growth is so important because financial butts are on the line to make every number, every quarter, unless that is the quarter everyone is taking a financial bath. So, buy the new stuff. Buy our stuff that's the result of our latest acquisition, which might work in a few quarters as though we actually thought about and designed it.

The compelling nature of software growth also makes it very vulnerable. Code has become incredibly sophisticated and complex. It must interact successfully with lots of other software. It has lines of demarcation between itself and other software, the host operating system, a hypervisor or other foundation layer, the hardware, the smarts of local networking, as well as the quality or hostility of incoming data.

Hackers want your stuff, too

Sunday night, as I was digging through WordFence on one of my websites, I noticed that there were several attempts at page loads of pages long gone—the kind you'd need to find in the Internet Archive. The attempts were from vastly geographically dispersed IP addresses. They were undoubtedly bots.

But they want me. For what? Who knows. But they want you, too. Except by watching network behavior, you wouldn't have been able to stop most of the attacks cited in this year's Pwn2Own. If your network smarts had identified stateless transactions or weird IP addresses, you'd have had a small chance of stanching the attacks.

Obviously, if they get the chance, you're toast. Controlling network access, if you can, is the best option for stanching hostile flows. Otherwise, adding barriers to entry, such as encryption or another layer of independent (or, at most, federated) security protecting microservices, is your best hope.
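As an added example (not part of the original column), here is the kind of check the two paragraphs above allude to: a small detector that flags a long-gone page being probed from many unrelated networks in a short window, run over constructed access-log lines. The log lines, the /16 grouping as a rough proxy for "geographically dispersed", and the thresholds are all assumptions chosen for illustration.

```python
# Added example, not from the article: flag distributed probing of dead pages.
# A path that returns 404 but is requested from many distinct networks within
# a short window looks like a bot sweep, not a stale bookmark.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample lines in Apache/nginx "combined" format (all values made up).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Mar/2017:23:01:10 +0000] "GET /old/blog/2009/post.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [26/Mar/2017:23:02:44 +0000] "GET /old/blog/2009/post.php HTTP/1.1" 404 512 "-" "curl/7.50"
192.0.2.200 - - [26/Mar/2017:23:03:01 +0000] "GET /old/blog/2009/post.php HTTP/1.1" 404 512 "-" "python-requests/2.13"
203.0.113.8 - - [26/Mar/2017:23:05:09 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.44 - - [26/Mar/2017:23:06:30 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.10 - - [27/Mar/2017:01:40:00 +0000] "GET /old/blog/2009/post.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def network_key(ip):
    """Coarse locality proxy (assumption): the /16 for IPv4, /32 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def find_dead_page_sweeps(log_text, min_networks=3, window=timedelta(hours=1)):
    """Return {path: sorted networks} for 404 paths requested from at least
    min_networks distinct networks inside any single `window`."""
    hits = defaultdict(list)  # path -> [(timestamp, network)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 404:
            hits[rec[2]].append((rec[1], network_key(rec[0])))
    sweeps = {}
    for path, events in hits.items():
        events.sort()  # chronological order
        for i, (start, _) in enumerate(events):
            nets = {net for ts, net in events[i:] if ts - start <= window}
            if len(nets) >= min_networks:
                sweeps[path] = sorted(nets)
                break
    return sweeps
```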
