Cybercrime Pays, and More Lessons From HP's Hacking Contest

Photograph by Press Association via AP Photo

Hacking is a solitary business, furtive and dimly lit by the glow of a computer screen, at least in the popular imagination. Not so the semiannual competition known as Pwn2Own, organized by Hewlett-Packard’s Zero Day Initiative (ZDI), where teams gather to demonstrate “exploits,” the insider term for using security vulnerabilities in Web browsers and video streaming programs to gain control of a laptop.

This year, eight contestants (some groups, some individuals) completed 12 successful attacks, winning $850,000 from March 12 to 13 in Vancouver. There was also a chance for HP and Google teams to hack for charity, disclosing vulnerabilities and donating the prize money to the Canadian Red Cross. The results tell you a bit about cybersecurity.

It’s getting harder to hack. Over the two days of the contest, 35 separate vulnerabilities were disclosed, often by chaining together several flaws into one attack. They’re much more involved and, based on the work done at Pwn2Own, took much longer to develop than in past contests, says Jacob West, chief technology officer for enterprise security products at HP. “It highlights some of the impact we’ve had in the software industry at beginning to really build better security,” he says. “Attackers are having to develop more complex exploits involving more individual vulnerabilities and more complex connections between them than they would have in the past.”

There’s a lot of money to be made. At the first Pwn2Own in 2007, the payout per exploit topped out at $10,000. Today it’s $150,000. That reflects a broader trend: Hackers who want to sell their skills now have a lot of options and an increasingly well-developed market. ZDI pays researchers when they find and disclose vulnerabilities, so that companies can have a chance to fix the holes. Individual companies (Google, Microsoft, Mozilla, etc.) do the same.

The biggest winner at the contest was the team from Vupen Security, which won $400,000. Vupen’s business is to develop vulnerabilities and sell them to governments and intelligence agencies, which use them for spying or cyber attacks. That’s what HP defines as the gray market for bugs (there’s a nice infographic on the contest website). And then of course there’s the straight-up black market, where cybercriminals buy the exploits they need to, say, hack into Target.

Companies are faster at fixing the flaws—but they’re still too slow. Once the hackers have displayed their weapons at Pwn2Own, they explain how they did it to the relevant software makers in what press releases refer to as the Chamber of Disclosures. In 2010 it took companies more than a year to patch vulnerabilities reported through ZDI and the Pwn2Own contest, West says. Now, six of the top 10 vendors with vulnerabilities reported to ZDI patch them in under 120 days—and as of this month, ZDI has made that an official deadline. ZDI publishes advisories on bugs not fixed by then to allow third parties to develop protections. Cutting the reaction time from more than a year to four months is progress. But that’s still a big window of opportunity for cybercriminals.

    Before it's here, it's on the Bloomberg Terminal.