Abdul-Aziz Hariri and Jasiel Spelman, two of the world's leading security experts, are meeting students at Boğaziçi University. What is Cyber War? What are the challenges of writing viruses for cyber espionage and detecting these malware? Come and listen this topics from the experts. May 2, 2018, 15: 00-17: 00.
Click for registration.
The Zero Day Initiative: Vulnerability and Exploit Intelligence Superiority
When the Zero Day Initiative (ZDI) was founded in 2005, bug bounty programs were considered to be a rare commodity. Now they are seen as an indispensable means for companies to acquire bug reports. Our initial goals were similar. The ZDI program extended our own research team by leveraging the methodologies, expertise, and time of others around the globe. The program also provided the data needed to protect Trend Micro customers while the affected vendor is working on a patch. Since that time, the program has awarded more than $15 million USD while ensuring nearly 4,000 0-day exploits were patched by vendors, all of which makes the computing landscape a safer space.
The Pwn2Own contest started in 2007 to further enhance the program by highlighting flaws in widely used and popular software. Contestants must bring a fully functioning exploit, not just a bug report, to win a category. These reports kept the ZDI abreast of the latest thinking in functional exploit techniques. The contest has also encouraged vendors to not just patch holes, but to implement new mitigation strategies to prevent classes of attacks. Each year sees the target get harder to breach, and each Pwn2Own shows nothing is flawless.
As the program grew over the years, it became clear the ZDI program went beyond simply acquiring bugs to providing real insights into vulnerability and exploit trends. Reports provided to the program allowed the ZDI to effectively crowd-source vulnerability intelligence by showing industry trends and state-of-the-art exploitation methodologies. As shown in recently leaked documents, bug reports that come through the program disrupt the exploit market and force bad actors to change their techniques. Combined with our own, in-house researchers, the ZDI program goes beyond merely buying bug reports to true superiority in terms of vulnerability and exploit intelligence.
Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis
on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program.
His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining ZDI, Hariri worked as an independent
security researcher and threat analyst for Morgan Stanley emergency response team.
During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, Portrait of a Full-Time Bug Hunter. In
2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and
MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the
Microsoft bounty program where the proceeds went to many STEM organizations.
Jasiel Spelman is a security researcher with Trend Micro’s Zero Day Initiative (ZDI). In this role, he analyzes and performs root-cause analysis vulnerabilities submitted to the program, which represents the world’s largest vendor-agnostic bug bounty. His focus includes performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. He has presented at numerous security conferences including Black Hat, DEFCON, REcon, Power of Community, and BreakPoint. When not researching the latest bugs in software, Jasiel enjoys rock climbing and playing musical instruments.