Hack Contests Compromise IT users
On May 1, 2007, two Gartner analysts condemned the latest hacking contest, which exposed a since-patched QuickTime flaw, calling it "a dangerous attempt" and advising sponsors to review such public competitions.
At a conference held in April 2007, TippingPoint paid US$10,000 for a flaw found by researcher Dino Dai Zovi after he and a teammate won a "hack-a-Mac" challenge.
However, Gartner analysts Rich Mogull and Greg Young concluded in a research note titled "QuickTime flaw discovered by the challenge presents great danger" that vendors and security services companies should "contemplate stopping activities that inspire open commercialization of flaws, which can cause unforeseen results compromising IT customers," as Gartner published on April 30, 2007, Macworld reported in its May 2, 2007 edition.
Contests to find security flaws in computers are generally harmless, the analysts said, but they can also provide a hunting ground for hackers.
"Probing for weaknesses in a system is a vital activity for guaranteeing safer infotech. But carrying on vulnerability research publicly is unsafe and could perhaps cause exploitation or lighthearted handling of these weaknesses, which can change a well-meant challenge into a dubious one, or unwittingly offer help to hackers," the analysts asserted in the research note.
"There are many explanations of 'reliable discovery,'" responded Terri Forslof, Manager of Security Response at TippingPoint. "What it signifies to us is that the weakness and its abuse are concealed and the marketers are granted time to fix the problem."
Both Mogull and Young suggested that security vendors should stop such public competitions. "Think about closing public weakness-exploiting activities, which can produce unforeseen results that threaten computer users," they wrote.
TippingPoint's Manager of Security Response, Terri Forslof, told SCMagazine.com that her firm did not organize or sponsor the contest but was approached by the CanSecWest organizers about the cash award.
Dai Zovi, who found the QuickTime flaw and exploited it during a 9- to 10-hour session, said the money was not his incentive. "The contest, particularly with the deadline, was the actual attraction," he said in an e-mail exchange on April 27, 2007, Macworld reported on May 2, 2007.
» SPAMfighter News - 10-05-2007