Custom Search
GamersGate Download games for PC and Mac now Visit Top Oahu Attractions At One Low Price Life of Playboy Owner
Make Big Profits Extreme Funny Pictures Follow Us on Twitter Discover Us On StumbleUpon We are on MySpace Make this site your tips updates
Share

Wednesday, January 12, 2011

What This Chinese Hacker Could Teach Apple

If tough love is the best way to fix the world's software, then Wu Shi may be one of the information security industry's unsung heroes.

Since 2007 the 35-year-old Shanghai-based researcher has found and reported more than 100 critical flaws in Web browsers like Internet Explorer, Safari and Chrome that could be used to hijack users' computers when they browse to an infected Web page. In the last year alone he's sold more than 50 of those flaws to vulnerability bounty projects like Zero Day Initiative and iDefense, organizations at Hewlett-Packard and VeriSign, respectively, that pay researchers for bug information and use the data in security products before passing it on to affected software vendors.

Those numbers represent more flaws reported to Zero Day Initiative and iDefense in a single year--and certainly more vulnerabilities in Web browsers--than practically any other researcher in the world. And more than half those flaws have been in Apple's Safari browser.

In one security update last month, for instance, Apple released 64 new patches for its iPhone operating system. Only six of those security problems had been identified by Apple's internal researchers. Twelve had been identified by researchers at Google. Fifteen had been identified by Wu.

"Perhaps Apple should hire Wu Shi to help them, since apparently he can find more than twice the bugs their whole security team can find," fellow security researcher Charlie Miller told Forbes at the time.

In instant messenger and e-mail conversations, Wu explains how he uses a method known as "fuzzing" to harvest those bugs. Fuzzing a browser involves entering a stream of tweaked files into the program to see which cause it to crash, and then analyzing those crash instances to see which would allow a hacker to insert code that would give him or her control of the browser.

Wu uses his own unique algorithm to generate those test files, and throws them at his own Apache Tomcat server, allowing him to test more samples at a higher frequency than the average researcher. Instead of merely switching single variables in a file, he says his method changes the entire sample, making as many changes as possible that still allow a browser to recognize the file as HTML. "My fuzzing framework focuses on the software's structure, not the details," Wu said.

Wu doesn't perform deep analysis on the bugs he finds, says Aaron Portnoy, a research manager at ZDI who has examined his findings. But Portnoy says the Chinese researcher's full-file fuzzing catches bugs that other approaches can't. "These files have complex hierarchies of related items. Instead of changing one of those items, he can change how the relationship tree works," says Portnoy. "A lot of people fuzz data. He fuzzes relationships."

Wu says he came up with his bug-finding breakthrough after a series of career disappointments. As China's stock market bubble swelled in 2006, his job at a small IT firm began to feel like a sinking ship. "I fell deeper and deeper into despair," Wu said. "On my salary, I couldn't even feed myself."

He left the IT firm and launched a startup based on peer-to-peer file sharing technology. But when a big customer refused to pay for a major project it had commissioned, his partner took another job and the company collapsed.

Wu began assembling a security consultancy and experimenting with fuzzing ideas he'd first had as a student at Fudan University years before. He found several Microsoft security flaws and reported them to the company directly before a friend told him about "vulnerability buying" programs like ZDI. "From that time on, I became a full-time bug hunter," he says.

The hunt has been fruitful. ZDI has paid Wu at least $5,000 for each of the 50 bugs it's bought from him, and iDefense has on occasion paid more than $10,000 for a single flaw. Wu won't say just how much those rewards have added up to, though some simple math shows they go well beyond a quarter of a million dollars--a tidy sum in China. ZDI has also awarded Wu "platinum status," a title that comes with a $20,000 bonus and a free trip to the Black Hat security conference in Las Vegas.

The idea of hundreds of critical security bugs in the hands of a mainland Chinese researcher might worry some in the wake of several widespread cyber espionage networks recently linked to China. The very public hacking of Google, Juniper, Intel, Yahoo and several other companies by cyberspies seemingly based in the country, for instance, used a flaw in Internet Explorer that could have been found with techniques similar to Wu's.

But Wu says that he has sold bugs only to those that "don't do evil" and report the bugs directly to software vendors. For some Internet Explorer bugs, he says he's had offers of 10 times ZDI's bounty from black-market buyers. But moral questions aside, Wu wants none of the risks that come with criminal associations.

Even so, the sheer numbers of vulnerabilities that Wu has found may be troubling, particularly in Apple's software. Wu says that he focuses on Apple's flaws because it's clear that the company hasn't. (Apple did not immediately respond to a request for comment.)

While Microsoft has been busy hardening its software against a decade of attacks--Wu cites threats like the Code Red worm that spread to hundreds of thousands of computers in 2001 and defaced websites with the phrase "Hacked By Chinese!"--Apple has enjoyed complacent years of being ignored by cybercriminals.

But Wu says that lull can't last. The rise of targeted attacks, for instance, has meant that Apple's smaller market share can no longer shield the company from dealing with security issues. "The iPhone and Mac OS are much easier to attack than Windows 7," he says. "I think in the future there will be a lot of attacks on Apple's software."

In other words, Apple's turn to be "hacked by Chinese" may come soon enough. And not all of them will be as charitable as Wu Shi. Courtesy of MSN

No comments:

Share |
AbeBooks.co.uk