Microsoft recently organized the Blue Hat security contest and awarded a hefty grand prize of $200,000 (approximately 1.1 crore Indian rupees) to the winning contestant. The prize was bagged by Vasilis Pappas, a Ph.D. student from Columbia University. He was handed the cheque in an American Idol-style ceremony with loud music and confetti, reports Business Insider. Microsoft gave away $260,000 in prizes in all. Two other contestants, Ivan Fratric, a researcher at the University of Zagreb in Croatia, and Jared DeMott, a security researcher at Harris Corp., won $50,000 and $10,000 respectively.
Microsoft rewards $200,000
Contestants were required to submit their ideas for resolving a complicated security problem based on Return-Oriented Programming (ROP). ROP is an exploitation technique typically used to disable or circumvent a program's security controls. In all, twenty people submitted ideas to the contest. Pappas came up with a solution called 'kBouncer', which blocks anything that resembles a ROP attack from running; he described it without going into any technical details. It has reportedly become popular to pay security researchers 'bounties' for reporting vulnerabilities, but what sets the Blue Hat contest apart is that it paid the researcher for actually coming up with a fix to a problem.
Recently, many big companies have suffered a loss of trust and of user information because their websites were hacked, so as major businesses go online, the importance of online security is increasing by the day. The most recent incident came when Nvidia revealed that unauthorized third parties had gained access to user information from its forum, including usernames, email addresses, passwords hashed with a random salt value, and public-facing “About Me” profile information. The Nvidia forum hack followed the recent LinkedIn and Yahoo! hacks. Earlier, 6.5 million LinkedIn hashed passwords were stolen and subsequently published on unauthorized websites. Lax security at LinkedIn was blamed for the hack: security experts pointed out that LinkedIn has neither a Chief Information Officer (CIO) nor a Chief Information Security Officer (CISO) whose job is to monitor for breaches. Furthermore, there are no penalties for companies responsible for breaches of customers' data; in fact, after the LinkedIn password breach, the company’s stock rose. Nor was LinkedIn a new start-up. It rakes in the moolah by helping companies hire top talent, and it went public in an initial public offering last year.
Hackers from a collective called D33Ds Company retrieved and dumped the login details of more than 400,000 Yahoo! Voice user accounts in plain text. The hackers used a union-based SQL injection attack to get the information stored in the database. Reporting on the issue, Ars Technica's Dan Goodin wrote that the union-based SQL injection technique used here affects inadequately secured web applications that do not “properly scrutinize text entered into search boxes and other user input fields”. He added, “By injecting powerful database commands into them, attackers can trick back-end servers into dumping huge amounts of sensitive information”. Earlier, the music website Lastfm.com and the dating website eHarmony were also attacked.
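To make concrete what failing to “properly scrutinize text entered into search boxes” looks like in code, and what the fix is, here is an added example that is not from the article or from any of the sites it mentions. It uses Python's built-in sqlite3 module with a constructed two-table schema (a public posts table the search box is meant to query and a users table it must never reach, with made-up rows); the function and table names are the example's own.

```python
import sqlite3

# Constructed demo schema (not any real site's data): a public "posts" table
# that the search box is meant to query, and a "users" table it must never reach.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (title TEXT, body TEXT);
        CREATE TABLE users (email TEXT, pw_hash TEXT);
        INSERT INTO posts VALUES ('Welcome', 'First post');
        INSERT INTO posts VALUES ('Tips', 'Getting started with Voice');
        INSERT INTO users VALUES ('alice@example.com', 'HASH_alice');
        INSERT INTO users VALUES ('bob@example.com', 'HASH_bob');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The weak pattern: the user's text is spliced into the SQL statement, so
    # quote characters and keywords in it are parsed as SQL rather than as data.
    sql = "SELECT title, body FROM posts WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    # The fix: the statement text is fixed and the term is bound as a parameter.
    # The driver passes it as a value, so it can only ever match or not match.
    sql = "SELECT title, body FROM posts WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Constructed input of the kind Goodin describes: it closes the quoted string,
# appends a UNION that selects two columns from another table, and comments out
# the remainder of the original statement.
UNION_STYLE_INPUT = "x%' UNION SELECT email, pw_hash FROM users --"


def demo() -> dict:
    # Run the same two inputs through both search functions and return the rows
    # each one hands back to the "user" of the search box.
    conn = build_demo_db()
    return {
        "vuln_normal": search_vulnerable(conn, "Tips"),
        "vuln_union": search_vulnerable(conn, UNION_STYLE_INPUT),
        "safe_normal": search_parameterized(conn, "Tips"),
        "safe_union": search_parameterized(conn, UNION_STYLE_INPUT),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Both functions behave identically on an ordinary search term; they differ only on the crafted input, where the concatenated version returns rows from the users table and the parameterized version returns nothing, because the whole string was treated as a LIKE pattern. Binding parameters is the fix; input "scrutiny" in the sense of keyword filtering is a weaker second line of defence and is not needed once every statement is parameterized.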