Hacking to find security weaknesses is often a lucrative business

Weekend Argus (Saturday Edition) - MEDIA & MARKETING

NEW YORK: Imagine getting $1 million for finding a security weakness in a mobile operating system. That’s what happened to an anonymous team of hackers who found a way to hack through Apple’s iOS to score the sizable prize, security startup Zerodium announced this week.

Zerodium launched the challenge in September, saying it would pay seven figures to a team able to figure out a way to take over iPhones and iPads running the latest versions of iOS just by tricking it into visiting the wrong web page or opening a text message.

Two teams actively competed for the reward, but only one was able to meet the terms of the bounty by the contest’s October 31 deadline, Zerodium founder Chaouki Bekrar told The Washington Post.

He said the company plans to report the vulnerabilities to its customers, described on its website as “major corporations in defence, technology, and finance” and government organisations “in need of specific tailored cybersecurity capabilities”.

But it isn’t planning to immediately tell Apple how the hack works, although it may do so “later”, he said. That could help Apple create a patch to protect against the attack. Apple declined to comment.

Even if the announcement is a publicity ploy – as some security researchers believe because neither the team’s identity nor the exact details of how it broke through iOS’s defences have been revealed – there is something that we can learn from the competition.

And that is the economics of hacking and the good, the bad, and the questionable ways to make money by finding bugs in software.

First there are “white hat” hackers who work with companies to protect software.

Many work at penetration testing

Some companies pay fairly significant rewards. For example, Microsoft’s programmes will pay up to $15 000 (about R210 000) for an individual bug and up to $100 000 for previously unknown techniques which can sometimes require developers to rethink the architecture behind a system.

And this market has become more organised in recent years, with companies like HackerOne popping up to help connect researchers to companies that offer such programmes.

However, not all tech companies – even ones that are good about working with researchers who come forward with problems – have formal bounty systems.

For instance, Apple, which has a generally positive reputation among researchers, doesn’t have a formal bug bounty programme. And in some cases, companies new to the vulnerability disclosure process may feel threatened by a third-party researcher attempting to tell them about a problem and react with legal threats.

“Often security researchers are threatened with lawsuits under the Computer Fraud and Abuse Act or the Digital Millennium Copyright Act in the US, and there are similar laws around the world,” explained HackerOne chief policy officer Katie Moussouris. “But this doesn’t actually benefit the company in question. It may temporarily silence researchers, but the flaw is still there,” she said. – Washington Post

