Information Technology

Video conferencing software maker Zoom has reached a deal today with the US Federal Trade Commission to settle accusations that it misled users about some of its security features.

The FTC said that earlier this year, during the height of the COVID-19 pandemic, Zoom had attracted users to its platform with misleading claims that its product supported “end-to-end, 256-bit encryption” and that its service would store recorded calls in an encrypted format.
However, in a complaint [PDF] filed earlier this year, the FTC’s investigators found that Zoom’s claims were deceptive.
First, the FTC found that despite claiming to support end-to-end encrypted (E2EE) calls, Zoom didn’t support E2EE calls in the classic meaning of the word.
E2EE calls rely on establishing a call between two users and saving the cryptographic key used for encrypting the call on those two users’ devices.
But the FTC says that Zoom also kept a copy of the key for itself, as well, allowing it to intercept communications for all its customers.
Second, the FTC also found that some Zoom also didn’t encrypt recorded calls, as it claimed. Instead, recorded calls were kept unencrypted on Zoom’s servers for up to 60 days before being encrypted and transferred to a secure server, during which time Zoom and other parties could access their content.

“Zoom’s misleading claims gave users a false sense of security, […] especially for those who used the company’s platform to discuss sensitive topics such as health and financial information,” the FTC said in a press release today.
“In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s videoconferencing services,” the agency added.
In addition, the FTC said it also found that Zoom had also made an error in its software design in 2019, even before the pandemic, when it silently installed a web server on the computers of macOS users.
This web server, which wasn’t disclosed in the Zoom Mac client’s official changelog, acted as a proxy between Safari and the Zoom app to allow Safari users to open the Zoom app without triggering a security alert on their OS.
As it was argued at the time, while the server was benign, it wasn’t a secure design decision and could have been abused by third-party apps or attackers to compromise macOS systems.
Zoom promises to do better
Most of the issues Zoom agreed on today have already been fixed or implemented as part of a three-month marathon, during which Zoom leadership focused on improving the company’s security posture., which also included hiring a Chief Information Security Officer (CISO).
“We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC,” a Zoom spokesperson told ZDNet. “Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”
Nonetheless, as part of its settlement with the FTC, Zoom has also promised to:
assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
implement a vulnerability management program;
deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials;
review any software updates for security flaws and must ensure the updates will not hamper third-party security features;
not misrepresent privacy and security practices.
The settlement [PDF] didn’t include a fine. More

They may not be cool, and they’re certainly not up to date, but there are millions of old Android smartphones out there running 2016’s Android 7.1 Nougat or earlier. On Sep. 1, 2021, however, those phones will start failing when they try to connect with websites secured by Let’s Encrypt Secure-Socket Layer (SSL)/Transport Layer Security (TLS) certificates.

Networking

Let’s Encrypt is the enormously popular, free open-source certificate authority (CA). Thanks to its service, over a billion websites have been secured. It’s worked well, but Let’s Encrypt’s original root certificate, which relied on a cross-signature from IdenTrust, “DST Root X3,” will expire on Sept. 1, 2021.
With most operating systems, this wouldn’t be a problem. Let’s Encrypt now has its own root certificate, ISRG Root X1, and most operating systems and browsers can work with it. Alas, that’s not the case with Android.
It’s not like that Android doesn’t get updated often enough by vendors is news to anyone. After all, any Android phone running Android 6 or earlier hasn’t been getting any security updates since earlier this year. But, users, as the tens of millions still running Windows 7 show, won’t pay any attention to security until it bites them in the rump.
This coming problem, though, is one they won’t be able to ignore. At best, if you’re still using one of these older phones, you’ll get an error message asking if you still want to go to the site. At worst, you won’t be able to get into your favorite website at all.
So, what can be done about it? Well, don’t look to Let’s Encrypt for an easy answer. You see, it’s not really its problem. Since day one, Android hardware vendors have refused to update their systems. If you want an Android smartphone, which keeps up with the state of the operating system art, your only good choice is a Google Pixel phone, and to a lesser extent, Samsung phones. 
As Jacob Hoffman-Andrews, lead developer on Let’s Encrypt, said:

Android has a long-standing and well-known issue with operating system updates. There are lots of Android devices in the world running out-of-date operating systems. The causes are complex and hard to fix: for each phone, the core Android operating system is commonly modified by both the manufacturer and a mobile carrier before an end-user receives it. When there’s an update to Android, both the manufacturer and the mobile carrier have to incorporate those changes into their customized version before sending it out. Often manufacturers decide that’s not worth the effort. The result is bad for the people who buy these devices: Many are stuck on operating systems that are years out of date.   

And, besides, “We … can’t afford to buy the world a new phone.” 
If you can’t afford to buy a new phone either — not everyone gets the latest and greatest phone no matter what the ads may lead you to believe — you can install Firefox Mobile. It currently supports Android 5.0. It helps because Firefox is the one web browser, which ships with its own list of trusted root certificates. So, if you use it, you get an up-to-date list of trusted CAs, even if your copy of Android is stuck on an out of date CA list.
If you’re a website owner, and you’re about to use Let’s Encrypt for the first time or renew an existing Let’s Encrypt certificate, you’re going to run into this problem sooner than Sept. 1. 
That’s because, as of Jan. 11, 2021, Let’s Encrypt is changing its API so that Automatic Certificate Management Environment (ACME) clients will, by default, serve a certificate chain that leads to ISRG Root X1. That means your site’s going to give older Android smartphones a lot sooner than September. 
You can, however, choose to use an alternate certificate chain for the same certificate that leads to DST Root X3. These will keep working on older phones until September. This is done with the ACME “alternate” link relation. Certbot, the most popular automated tool to use with Let’s Encrypt certificates to secure your site, supports this method starting with version 1.6.0 and newer. If you use a different ACME client, check to make sure the “alternate” link relation is supported.
You might “think” will there seriously be that many users coming to yell at me about my site not working on their old phones? I’m sorry to tell you, but, yes, there will be. Let’s Encrypt has found that major sites are still getting 1% to 5% of their traffic from these older devices. That’s a lot of annoyed users. 
So, start writing up an automated document to let your users know that if they still want to use your site, they need to start using Firefox Mobile. All too soon, you’re going to be getting heated calls and e-mails about your site’s “failure.”
Good luck.
Related stories: More

A new form of malware is targeting Linux servers and Internet of Things (IoT) devices and adding them to a botnet in what appears to be the first stage of a hacking campaign targeting cloud computing infrastructure – although the purpose of the attacks remains unclear.
Uncovered by cybersecurity researchers at Juniper Threat Labs, the malicious worm has been dubbed Gitpaste-12, reflecting on how it uses GitHub and Pastebin for housing component code and has 12 different means of compromising Linux based x86 servers, as well as Linux ARM and MIPS based IoT devices.
These include 11 known vulnerabilities in technology including Asus, Huawei and Netlink routers as well as the likes of MongoDB and Apache Struts as well as the ability to compromise systems by using brute force attacks to crack default or common usernames and passwords.
After using one of these vulnerabilities to compromise the system, Gitpaste-12 downloads scripts from Pastebin in order to provide commands before also downloading further instructions from a GitHub depositary.
The malware aims to switch off defences including firewalls and monitoring software which would otherwise respond to malicious activity.
Gitpaste-12 also contains commands to disable cloud security services of major Chinese infrastructure providers including Alibaba Cloud and Tencent, indicating the botnet might be the first stage of a large multi-stage operation by attackers – although the ultimate purpose of what this could be for remains unknown.
SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

However, the malware does currently have the capability to run cryptomining, meaning the attackers can abuse the computing power of any compromised system to mine for Monero cryptocurrency.
The botnet also has the ability to work as a worm which uses compromised machines to launch scripts against other vulnerable devices on the same or connected networks in an effort to replicate and spread the malware.
“No malware is good to have, but worms are particularly annoying. Their ability to spread in an automated fashion can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet,” researchers wrote in a blog post.
The Pastebin URL and GitHub depositary being used to provide instructions to the malware have both been shut down after being reported by researchers, something which should stop the proliferation of the botnet for now. However, researchers also note that Gitpaste-12 is under ongoing development, which means there’s a risk that it could return.
However, it’s possible to help protect against Gitpaste-12 by cutting off the main way in which it spreads by applying the security patches which close the known vulnerabilities it exploits.
Users should also avoid using default passwords for IoT devices as this helps protect against brute force attacks which rely on exploiting default credentials and other common passwords.
READ MORE ON CYBERSECURITY More

Image: Peter Stumpf, Compal, ZDNet
Compal, a Taiwanese electronics company that builds laptops for some of the world’s largest computer brands, suffered a ransomware attack over the weekend.
Responsible for the breach is believed to be the DoppelPaymer ransomware gang, according to a screenshot of the ransom note shared by Compal employees with Yahoo Taiwan reporters.

Screenshot of the ransom note seen on Compal workstations [URLs blurred by ZDNet]
Image via Yahoo Taiwan
According to Taiwanese media[1, 2, 3, 4], the incident was discovered on Sunday morning and is believed to have impacted around 30% of Compal’s computer fleet.
Employees arriving at work were greeted by a memo from Compal’s IT staff, asking workers to check the status of their workstations and back up important files on systems that were not impacted.

Message shown on Compal workstations over the weekend
Image via Yahoo Taiwan
Since Sunday, Compal’s IT staff has been reinstalling encrypted workstations.
Compal exec denies ransomware attack, admits hack
Despite reports in local media, in a statement provided to United News Network reporters on Monday, Compal Deputy Manager Director Qingxiong Lu admitted that the company suffered a security breach but denied that the company’s recent downtime was caused by ransomware.
“[Compal] is not being blackmailed by hackers as it is rumored by the outside world,” the Compal exec told reporters.

Furthermore, Qingxiong said the incident only impacted the company’s internal office network and that Compal production lines, which build laptops for other companies, have not been impacted.
Qingxiong estimated the company would be back to normal later today, on Monday, when staff is expected to finish restoring all the systems that have been impacted by what he described as “abnormalities.”
Compal is today’s second-largest contract laptop manufacturer in the world after Quanta Computer, another Taiwanese company.
In the past, Compal has produced laptops for companies like Apple, Acer, Lenovo, Dell, Toshiba, HP, and Fujitsu. Besides laptops, the company also builds monitors, tablets, smartwatches, smart TVs, and other computer peripherals.
Compal is the third major Taiwanese plant hit by ransomware gangs this year. Taiwan’s state-owned energy company, CPC Corp., was hit by the ColdLocker ransomware in May, while the Taiwanese plant of US smartwatch maker Garmin was hit by the WastedLocker ransomware in July. More

E-commerce software vendor X-Cart suffered a ransomware attack at the end of October that brought down customer stores hosted on the company’s hosting platform.

The incident is believed to have taken place after attackers exploited a vulnerability in a third-party software to gain access to X-Cart’s store hosting systems.
“We have identified what we believed to have been the vulnerability but do not wish to disclose the name until its confirmed by our security firm,” Jeff Cohen, VP of Marketing for Seller Labs, the company behind X-Cart, told ZDNet in an email.
Cohen said the attackers gained access to a small number of servers, which they encrypted, effectively bringing down X-Cart stores running on top of the impacted systems. Some stores went down completely, while others reported issues with sending email alerts.
“The outage impacted a small percentage of our infrastructure, mainly those on our shared hosting servers.
“Our core systems were not impacted,” Cohen said.
In the meantime, Cohen said that “all customer websites have since been restored.”

Nevertheless, the outage, which lasted for a few days, rubbed some store owners the wrong way, with a few trying to organize a class-action lawsuit against the store hoster.
Class-action looming?
In response to this initiative, Cohen said the company’s “first priority” during the ransomware attack “has been to get every customer back online and ensure we have a stable and secure system.”
The Seller Labs exec said they are keeping communication channels open with any customer affected by the recent ransomware attack and encouraged them to reach out for help or discussions.
Asked if Seller Labs paid the ransomware gang to recover its files, Cohen said they chose to restore from backups, and that payment couldn’t be made either way because “the hackers didn’t provide any way to communicate.”
X-Cart’s free/downloadable e-commerce CMS isn’t believed to have been impacted or tainted following the X-Cart ransomware incident.
X-Cart joins a long list of ransomware incidents that have impacted web hosting and data center providers. The list also includes Equinix, CyrusOne, Cognizant, A2 Hosting, SmarterASP.NET, Dataresolution.net, and Internet Nayana.
PortSwigger’s The Daily Swig first reported on the X-Cart ransomware incident. ZDNet reported independently from a different source. More

The federal government on Monday published an exposure draft on the Security Legislation Amendment (Critical Infrastructure) Bill 2020. It seeks to amend the Security of Critical Infrastructure Act 2018 to implement “an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure”.
The Australian government’s Critical Infrastructure Resilience Strategy currently defines critical infrastructure as: “Those physical facilities, supply chains, information technologies, and communication networks, which if destroyed, degraded, or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security”.
Within the broad definition of critical infrastructure, the Act currently places regulatory obligations on specific entities in the electricity, gas, water, and maritime ports sectors.
“However, as the security landscape evolves, so must our approach to managing risk across all critical infrastructure sectors,” the Bill’s explanatory document [PDF] said. 
As such, the amendments in the Bill are aimed at enhancing the obligations in the Act, and expanding its coverage to the communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage sectors.
It is proposed that responsible entities for these assets would also fall within the proposed new definition of “national security business”. The Minister for Home Affairs would also have the power to declare a critical infrastructure asset as a “system of national significance”.
The communications sector is defined in the Bill as those supplying a carriage service; providing a broadcasting service; owning or operating assets that are used in connection with the supply of a carriage service; owning or operating assets that are used in connection with the transmission of a broadcasting service; or administering an Australian domain name system.

The Bill would also introduce definitions for three types of critical infrastructure assets in this sector: Telecommunications, broadcasting transmission, and domain name systems.
The definition of the “data storage or processing sector”, according to the Bill, is the sector of the Australian economy that involves providing data storage or processing services on a commercial basis.
This includes enterprise data centres, managed services data centres, colocation data centres, and cloud data centres. The sector definition also includes three types of cloud services: Infrastructure as a service (IaaS), software as a service (SaaS), and platform as a service (PaaS).
According to the document, an asset is a “critical data storage or processing asset” if it is owned or operated by an entity that is a data storage or processing provider; and it is used wholly or primarily in connection with a data storage or processing service that is provided on a commercial basis to an end-user that is the Commonwealth, a state, or a territory, or a body corporate established by a law of the Commonwealth, a state, or a territory.
“The definition covers data centres and cloud service providers that manage data of significance to Australia’s national interest,” the explanatory document continued. “It is not intended to cover instances where data storage is secondary to, or simply a by-product of, the primary service being offered, for example, accounting services that may result in the storage of some of their client’s data.”
“Business critical data” would be defined in the Bill as personal information that relates to at least 20,000 individuals; sensitive information; information relating to any research and development in relation to a critical infrastructure asset; information relating to any systems needed to operate a critical infrastructure asset; or information relating to risk management and business continuity in relation to a critical infrastructure asset.
For a “critical data storage or processing asset”, the responsible entity is the entity that is a data storage or processing provider to Commonwealth, state or territory government clients, and other critical infrastructure assets.
However, the asset would only become a critical data storage or processing asset where the responsible entity knows that it is storing or processing business critical data of a critical infrastructure asset.
Home Affairs understands that this threshold would capture at least 100 data centre entities, including those entities on the Digital Transformation Agency’s Government Supply Panel and at least 30 cloud service providers.
Meanwhile, the space sector would be defined as the sector of the Australian economy that involves the commercial provision of space-related services and reflects those functions that are critical to maintaining the supply and availability of space-related services in Australia.
The Bill also introduces a definition of the financial services and markets sector, the defence industry sector, the food and grocery sector, higher education and research, the healthcare and medical sector, the transport sector, the energy sector, and the water and sewage sector.
Responsibilities for those classed as critical infrastructure
The Bill, if passed, would also introduce a positive security obligation (PSO) for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements; enhanced cybersecurity obligations for those entities most important to the nation; and government assistance to entities in response to significant cyber attacks on Australian systems.
This framework would apply to owners and operators of critical infrastructure regardless of ownership arrangements.
“This creates an even playing field for owners and operators of critical infrastructure and maintains Australia’s existing open investment settings, ensuring that businesses who apply security measures are not at a commercial disadvantage,” the exposure draft [PDF] noted. 
The PSO would build on the existing obligations in the Act to “embed preparation, prevention, and mitigation activities into the business as usual operating of critical infrastructure assets, ensuring that the resilience of essential services is strengthened”. 
The government is hopeful it would also provide greater situational awareness of threats to critical infrastructure assets. 
The PSO involves three aspects: Adopting and maintaining an all-hazards critical infrastructure risk management program; mandatorily reporting serious cybersecurity incidents to the Australian Signals Directorate; and where required, providing ownership and operational information to the Register of Critical Infrastructure Assets.  
Government said it would work alongside industry to design the sector-specific requirements that underpin the risk management program obligation. 
The Bill would also expand the Register of Critical Infrastructure Assets and give the Home Affairs Minister “on switch” powers to ensure that a PSO only applies in appropriate situations.
“The increased range of sectors covered by the Register will enable the government to develop and maintain a comprehensive picture of national security risks, and apply mitigations where necessary,” it wrote.
Under the title of “enhanced cybersecurity obligations”, the Secretary of Home Affairs may require the responsible entity for a system of national significance to undertake one or more prescribed cybersecurity activities, such as the development of cybersecurity incident response plans, cybersecurity exercises to build cyber-preparedness, vulnerability assessments, and provision of system information.
This Bill also introduces a government assistance regime to respond to serious cybersecurity incidents that applies to all critical infrastructure sector assets.
“Government recognises that industry should and in most cases, will respond to the vast majority of cybersecurity incidents, with the support of government where necessary,” it wrote. “However, government maintains ultimate responsibility for protecting Australia’s national interests. As a last resort, the Bill provides for government assistance to protect assets during or following a significant cyber attack.”
Home Affairs on Monday published 128 of 194 submissions it received prior to distributing its Exposure Draft. Consultation on the Bill continues until Friday 27 November 2020.
RELATED COVERAGE More

Image: Asha Barbaschow/ZDNet
The federal government recently closed consultation on a package of reforms focused on protecting critical infrastructure and systems of national significance.
With that part of the process wrapped up, the government is now looking to introduce an enhanced regulatory framework, which would build on existing requirements under the Security of Critical Infrastructure Act 2018. This includes: A positive security obligation (PSO) for critical infrastructure entities, supported by sector-specific requirements; enhanced cybersecurity obligations for those entities most important to the nation; and government assistance to entities in response to significant cyber attacks on Australian systems.
With the definition of what constitutes critical infrastructure and systems of national significance not yet fully defined, the federal government is seeking to determine who the enhanced framework would apply to, with one proposed sector covering data storage and cloud.
Amazon Web Services (AWS) said that while it was broadly supportive of the proposal to expand the regime to include the data and cloud sector, the expansion raises questions such as what service providers should be included in the sector, what security standards should apply, and how the government can prevent over-regulation.
See also: Amazon Web Services scores Australia-wide government cloud deal
In its submission [PDF] to the consultation, the cloud giant also raised concerns that the proposal for government “assistance” or “intervention” powers could give it overly broad powers to issue directions or act autonomously.
“While we have not seen the draft law, the high-level summary of these powers suggest they could be significant and exercisable across a broad swath of society, with unclear limitations or guardrails,” it wrote.

AWS said the breadth of the newly regulated critical infrastructure sectors, coupled with seemingly broad powers described in the consultation paper [PDF], raised many issues and unknowns.
“For example, we are concerned that the government’s power to take direct action in the event of an emergency is vague and undefined,” it said.
“A plain reading of the consultation paper suggests that the government could use these new powers to either issue directions or take autonomous action to do virtually anything in response to cybersecurity threats.”
The consultation paper said the government assistance would be provided to entities that are the target or victim of a cyber attack through the establishment of a government capability and authorities to disrupt and respond to threats in an emergency.
“Critical infrastructure entities may face situations where there is an imminent cyber threat or incident that could significantly impact Australia’s economy, security or sovereignty, and the threat is within their capacity to address. In these cases, we propose that government be able to provide reasonable, proportionate and time-sensitive directions to entities to ensure action is taken to minimise its impact,” the government wrote.
AWS is concerned that there isn’t clarity around whether the triggers for exercising such powers are objective and specific, whether or how the government would be able to objectively assess if its directions or assistance would improve the situation, what an entity could be directed to do or not do, what checks and balances would apply, and whether an entity has rights of review and appeal.
Elsewhere in its submission, AWS said it was unclear from the consultation paper whether and how the enhanced regulatory framework would apply, explaining that it was concerned the position of applying the enhanced regulatory framework at the “owner and operator level, not at [a] specific piece of technology” could lead to negative consequences.
AWS added that if the plan would be to regulate all of an entity’s facilities, infrastructure, products, or services — without considering the level of criticality — it could have unintended consequences and result in “over-burdensome regulation”.
Instead, the cloud giant has recommended the enhanced regulatory framework only apply to specific critical infrastructure assets of a critical infrastructure entity.
In order to avoid over-regulation, AWS said a technology service provider — that is also a regulated critical infrastructure entity complying with its own sector PSO — should not have to comply with additional security obligations imposed by another regulator that duplicates or builds upon that entity’s PSO.
See also: Amazon asks for clarification of data retention requirements under Australia’s encryption laws
It also wants clarification that entities will not be inspected, examined, or audited against the same requirements by multiple regulators.
Acknowledging each sector is different, AWS said PSOs for one sector should not contradict or conflict with those in another sector, but it was concerned this approach could lead to a fragmented set of security requirements across different sectors.
Asking for further clarity, AWS wants an appropriate scope of what entities and infrastructure are included in the “data and the cloud” sector.
If there was to be a threshold, the cloud giant has suggested a test of “a data centre containing IT equipment capable of consuming more than 100kW of power in total” so that operators of infrastructure have clarity on whether they are covered.
“Our recommendation is that the PSOs for the Data and the Cloud Sector apply to physical data centre security rather than software or services running in those data centres,” the company said.
“If a PSO applies to the software running in a data centre and the services of a cloud services provider (and not the physical data centres it uses) each of those services will need to meet the requirements even if it is not being used by a critical infrastructure entity. This approach will slow the pace of innovation, delay the launch of new services in Australia, increase the costs of compliance and drive up the cost of services to all Australian customers.”
In addition, AWS said the PSO should reflect that an entity is only able to implement security processes that are within its control.
“For example, it would not be possible for a cloud service provider to implement security controls for applications the customer controls. Instead, the law should specify that PSOs do not apply to aspects of security that are outside an entity’s control,” it added.
RELATED COVERAGE More

Tianfu Cup winners: The 360 Government and Enterprise Security Vulnerability Research Institute
Image: Tianfu Cup
Many of today’s top software programs have been hacked using new and never-before-seen exploits at this year’s edition of the Tianfu Cup — China’s largest and most prestigious hacking competition.

Held in the city of Chengdu, in central China, the third edition of the Tianfu Cup ended earlier today.
“Many mature and hard targets have been pwned on this year’s contest,” organizers said today. Successful exploits were confirmed against:
iOS 14 running on an iPhone 11 Pro
Samsung Galaxy S20
Windows 10 v2004 (April 2020 edition)
Ubuntu
Chrome
Safari
Firefox
Adobe PDF Reader
Docker (Community Edition)
VMWare EXSi (hypervisor)
QEMU (emulator & virtualizer)
TP-Link and ASUS router firmware

Image: Tianfu Cup

Image: Tianfu Cup
Fifteen teams of Chinese hackers participated in this year’s edition. Contestants had three tries of five minutes each to hack into a selected target with an original exploit.
For each successful attack, researchers received monetary rewards that varied depending on the target they chose and the vulnerability type.
All exploits were reported to the software providers, per contest regulations, modeled after the rules of the more established Pwn2Own hacking competition that has been taking place in the west since the late 2000s.
Patches for all the bugs demonstrated over the weekend will be provided in the coming days and weeks, as it usually happens after every TianfuCup and Pwn2Own contest.

Just like last year, the winning team came from Chinese tech giant Qihoo 360. Named the “360 Enterprise Security and Government and (ESG) Vulnerability Research Institute,” the winners accounted for almost two-thirds of the entire prize pool, going home with $744,500 of the total $1,210,000 awarded this year.
Ranking second and third were the AntFinancial Lightyear Security Lab and security researcher Pang.

Image: Tianfu Cup More