All posts in “hacking”

Blacklisted cybersecurity firm Kaspersky decamps for Switzerland

We hear neutral territory like Zurich is lovely this time of year.

Cybersecurity company Kaspersky Lab found itself blacklisted by U.S. federal agencies after accusations of enabling Russian spies to steal NSA files. Unloved and perhaps unwanted, the company — which has denied any wrongdoing — is moving a number of its international data servers to neutral territory: Zurich. Read more at PC Mag…

Hackers want your data. Meet the ones who are trying to protect it.

The last two years have seen the Equifax breach, the WannaCry cyberattack, a nefarious DDoS attack that destroyed the internet for a full day, and a laundry list of other security breaches of the stores, restaurants, and retailers we know and love. A skilled hacker has a dangerous amount of power in their hands — power with the potential to destroy lives. 

But take heart: Scattered across the internet are hundreds of thousands of equally skilled hackers who are fighting to protect you. 

If your personal information wasn’t compromised this year, you have that army of nerds to thank. 

Way back in 1983, Volkswagen offered a reward to hackers who were able to breach the operating systems of the company’s Beetles. Twelve years later, Netscape instituted the first “bugs bounty” program, offering rewards to users who reported issues in its Navigator 2.0 software. The program wasn’t especially lucrative — Netscape’s product director at the time said in an interview that “several” hackers received a $1,000 prize, while “many others” received Netscape merchandise — but it demonstrated the potential of such programs. A small but dedicated group of Netscape users put hours into the task, despite the small chance of a reward. 

A few other companies followed suit throughout the next few decades, including Mozilla, which announced a similar program, with a $500 prize, in 2004. 

But it wasn’t until 2010 that bug bounty programs were brought to the mainstream: Google launched an “experimental new incentive” for the cybersecurity community to find bugs in Chromium, offering $1,337 for “particularly severe or particularly clever” bugs and $500 for other security bugs. 

Today, most of the largest companies with technological components, from Snapchat and Dropbox to Tinder and Starbucks, have “bug bounty” programs. They offer monetary rewards, often in the thousands of dollars, to anyone who can exploit security vulnerabilities and report them to the company. Across basements, offices, cubicles, arenas, Slack channels, and forums, hackers answer their call. 

The hackers

According to a recent HackerOne report, ethical hackers largely hail from India (23%), the U.S. (20%), Russia (6%), Pakistan (4%), and the U.K. (4%). Their educational backgrounds vary: 58% are self-taught, 50% studied computer science in college, and 26.4% studied it in high school. A full 90% are under 35, with 50% under 25, and just 8% under 18.

But there’s one trait that all ethical hackers have in common, and that’s “endless curiosity,” according to Marten Mickos, CEO of bug bounty platform HackerOne: “We don’t find them. They find us. They read, they study vulnerabilities, and then they report them. Most of them start when they’re young.”

Jack Cable is no exception. He’s a high school senior who taught himself to program by watching YouTube lectures when he was 12 years old. In between homework, college applications, and high school math team competitions, Cable has exposed more than 200 security vulnerabilities for around 50 companies, including Uber, Bitcoin Exchange, and even the U.S. Air Force. 

Cable has spent the duration of his career serving the public good, as have other hackers. Cable also knows people who began as criminal hackers who are now turning their lives around, working for good.

Cable frequents a forum of around 150 hackers who share tactics and collaborate on finding bugs, even though they’re ultimately competing for the prizes. 

“Everyone is much more collaborators than competitors,” says Cable. “There is a strong component of helping each other out, of working together to improve these companies’ security.” 

Sean Melia is a senior security engineer at security service company Gotham Digital Science. In late 2014, he saw a YouTube video in which a hacker reported receiving $15,000 for finding a bug. Intrigued, Melia poked around the internet and found a bounty program from Yahoo. Over the next few weeks, he located more than 30 bugs for the platform — and pocketed $22,000. 

“I’ve never had that much money at one time getting deposited into something,” he said of his start. “I was kind of hooked after that.” 

Now, after a long day of assessing the security of networks and web applications, Melia goes home and hacks. He has found more than 800 bugs for more than 50 companies, including Yahoo, Twitter, and Starbucks. 

That said, Melia insists that the money isn’t everything. “To be good at this, it has to be a passion,” he says. “If you’re just like, ‘I want the money,’ you’re not going to fare well.” 

Still, the money is a nice incentive. One hacker, “robd4k,” recently earned enough to build himself a house.  And according to HackerOne data, the top hackers based in India earn 16 times that of the average software engineer. 

While the hacking community is predominantly white and male, there’s diversity in the methodology that hackers employ, and this multifaceted approach is what companies with bug bounties seek. 

Ethical hackers “will be much more creative in finding the bugs,” Mickos said. “Even if you have a really smart person in house, it’s difficult [for them] to find their own typos. The outside world will always outperform the inside world.” 

Are they ever tempted to exploit vulnerabilities for themselves? Not as long as the reward for being ethical is bigger. 

“I’ve never found a case where I would benefit more from not reporting it,” Cable said.

The process

Melia discovered one of his recent bugs by accident. 

He was routinely scanning the Starbucks app, just like a normal user, and was in the process of ordering himself a coffee when he realized that by changing his order number on the checkout screen, he could modify other people’s orders. This would allow him to send coffees to other people’s houses — or have their orders sent to his house, at no cost. Melia reported the bug for a reward of several thousand. 

“I’d rather have a $4,000 to $6,000 bounty than a chance of stealing a free coffee,” he said. 
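The bug Melia describes is an authorization failure: the server trusted the client-supplied order number and never checked who owned the order. The following is an added example, not from the article and not Starbucks' code; it is a hypothetical checkout handler with constructed in-memory data, shown in the vulnerable form beside the fixed one.

```python
"""Hypothetical order-update handler (constructed example, not Starbucks' code)."""
from dataclasses import dataclass, field


@dataclass
class Order:
    order_id: int
    owner: str                      # account that placed the order
    address: str                    # where the coffee gets delivered
    items: list = field(default_factory=list)


class Forbidden(Exception):
    """Raised when a user tries to touch an order they do not own."""


def fresh_orders() -> dict:
    """Constructed sample data: two customers, one order each."""
    return {
        1001: Order(1001, "alice", "12 Elm St", ["latte"]),
        1002: Order(1002, "bob", "9 Oak Ave", ["espresso"]),
    }


def update_address_vulnerable(orders: dict, session_user: str,
                              order_id: int, new_address: str) -> Order:
    # BUG: the order is resolved from the client-controlled id alone.
    # session_user is never consulted, so any logged-in user can redirect
    # any order just by editing the number on the checkout screen.
    order = orders[order_id]
    order.address = new_address
    return order


def update_address_fixed(orders: dict, session_user: str,
                         order_id: int, new_address: str) -> Order:
    # FIX: resolve the order, then verify it belongs to the authenticated
    # session before mutating it. The id is a lookup key, never proof of
    # ownership.
    order = orders.get(order_id)
    if order is None or order.owner != session_user:
        # One response for "missing" and "not yours", so the id space
        # cannot be walked to learn which orders exist. A burst of these
        # rejections across sequential ids from one session is worth logging.
        raise Forbidden(f"order {order_id} not found for {session_user}")
    order.address = new_address
    return order


def attempt(handler, orders: dict, session_user: str,
            order_id: int, new_address: str) -> bool:
    """Return True if the handler accepted the update, False if it refused."""
    try:
        handler(orders, session_user, order_id, new_address)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    orders = fresh_orders()
    print("vulnerable:", attempt(update_address_vulnerable, orders, "bob", 1001, "9 Oak Ave"))
    print("fixed, other user's order:", attempt(update_address_fixed, orders, "bob", 1001, "9 Oak Ave"))
    print("fixed, own order:", attempt(update_address_fixed, orders, "bob", 1002, "9 Oak Ave, apt 2"))
```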

Though ethical hackers sometimes congregate and share strategies, the process itself is generally solitary — other hackers are, at the end of the day, the competition. They’ll spend hours poring over apps and websites, often with little reward. 

“It’s a lot of trial and error,” says Cable. “Testing everything, [thinking about] how you can use that to employ something.” He adds, “Ninety-nine percent of the time it’s not going to indicate a vulnerability, and in that case, you have to move on.”

The most important feature in an ethical hacker, Cable says, is persistence. “If you can keep the mindset that there will be setbacks and at times it will be difficult to find vulnerabilities, if you keep trying new things and keep learning, you’ll be able to identify more vulnerabilities.” 

Melia prefers a “black box” approach. On a typical day he opens an application, enters it like a “normal” user, and tries to manipulate everything he can to make the application do things it wasn’t intended to do. Along the way, he learns as much about the company as possible: the size of the network, the scope of the audience, the locations the app or website reaches, the structure of it and what might be exposed. 

When discouragement comes, Melia recommends stepping away from the computer, or turning to Netflix. 

“There have been instances where I can’t exploit a bug, and then I’m lying in bed and I’m like, ‘Oh, I figured it out.’”

A hacker who wants to make a profit can’t rest for too long. “Any one of the other hackers would have found it eventually,” said Melia of his Starbucks hack. “I was just the first one.”

The future

Many individuals with hacking skills don’t choose the path of Cable and Melia. Some of that, says Mickos, has to do with the stigma of the job. 

The deluge of breaches, vulnerabilities, scams, and viruses that tends to envelop cybersecurity news has left a bad taste in the public’s mouth when it comes to the word “hacker.” And there’s not enough reporting on the good that hackers do to convince the public to value the community.

“For every bad hacker there are about 1000 ethical hackers,” Mickos says. “It’s just they don’t make a story in the press, so you don’t hear much about them.”

That’s a problem for two reasons. First, because most hackers, according to Mickos, begin building their skills at an age when they’re just developing their moral compass, when bounties are difficult to get, and when free coffees look incredibly tempting. And when hackers don’t feel that people value their work, they’re less inclined to help those people. 

Second, laws in many places reflect a broader societal suspicion toward the hacking community, and that can impede the work that ethical hackers do. 

The Computer Fraud and Abuse Act, passed in the 1980s, defines the term “computer fraud” in a way that prosecutors are able to stretch broadly to subject white-hat hackers to hefty fines, or even prison time. While it’s unlikely to apply to official bug bounty programs where authorization is explicitly granted, the threat of legal action can keep self-employed hackers from sharing discoveries they make and, consequently, from advancing the field overall. 

Melia has been nervous about law enforcement before. He once found a vulnerability in a website that allowed him access to the data of 3,000 users. He “immediately cancelled” what he was doing and reported the bug, but still received an “almost threatening” phone call from the company. He was sent a $500 gift card only after assuring the company that he’d done nothing with the data. He was relieved that he wasn’t arrested, but was still required to sign a non-disclosure agreement. 

He’s one of the lucky ones. 

In 2008, the Massachusetts Bay Transportation Authority invoked the CFAA to bar three MIT students from presenting at a conference about flaws they’d found in its electronic ticketing system — talking about hacking, the judge ruled, was as bad as hacking itself. 

And in 2005, 19-year-old Samy Kamkar was able to create a script that would force anyone who visited his Myspace page, or the page of anyone who had visited his page, to send him a friend request. Kamkar reported the bug anonymously to Myspace, but it was too late. One million friend requests and a deleted profile later, the Los Angeles Police Department seized Kamkar’s computers and electronics. He was sentenced to three years of probation — without internet access. 

To end up with the world’s most talented hackers working for good rather than breaching Equifax, companies need to offer high enough bounties. To do so is an investment in the companies, and in the public’s security. 

Legislation should make concrete exceptions to protect hackers who report bugs that they find — the world is worse off if those bugs are kept secret, or even exploited, because hackers fear arrest. 

Most importantly, companies and the media should recognize the work that hackers do. 

“I see in all parts of society that teenagers and teenage boys will go outside of the human rules,” says Mickos. “But if you work with them, don’t dismiss them, and appreciate their energy and skill and curiosity, they will develop into very good citizens and find their moral compass.”

Companies should incentivize ethical hacking and offer monetary rewards. HackerOne reports that nearly one in four hackers have not reported a vulnerability because the website lacked a channel to disclose it. 

But companies should go beyond offering monetary rewards. They should publicize the work that ethical hackers do, to make the media and the world aware. 

This recognition plays no small part in keeping hackers like Cable and Melia around. A name in a news article can lead to media appearances, and even job offers.  

“They have to make it worth the hackers’ while,” says Melia. “There needs to be some type of public disclosure. The bounty community helped fix these issues … the companies need to recognize the efforts put in by the communities to protect them.” 

Hackers are, according to Mickos, “the ones who will rescue and safeguard our society.”

UK and U.S. authorities warn of Russian attacks on routers

Russia is being accused of a massive campaign to undermine the security of firewalls and routers in a bid to support espionage and future attacks.

It comes from UK and U.S. authorities who have issued a joint cybersecurity alert for the first time ever to warn people of the threat.

“The activity highlighted today is part of a repeated pattern of disruptive and harmful malicious cyber action carried out by the Russian government,” FBI deputy assistant director Howard Marshall said in a statement online.

“As long as this type of activity continues, the FBI will be there to investigate, identify and unmask the perpetrators, in this case, the Russian government,” he said. “We do not make this attribution lightly and will hold steadfast with our partners.”

The warning states that since 2015, authorities have received information about “cyber actors” exploiting large numbers of enterprise-scale and residential routers and switches around the world.

These “cyber actors” are identifying vulnerable devices to break into, where they can extract device configurations, harvest login details, and control the traffic that goes through the router.

“Russia is our most capable hostile adversary in cyberspace so tackling them is a major priority for the National Cyber Security Centre and our U.S. allies,” Ciaran Martin, CEO of the National Cyber Security Centre, said in a statement.

“This is the first time that in attributing a cyber attack to Russia the U.S. and the UK have, at the same time, issued joint advice to industry about how to manage the risks from the attack. It marks an important step in our fight back against state-sponsored aggression in cyberspace.”

The alert details some of the things owners and manufacturers should keep an eye on. Owners are asked to ensure network devices are up to date, change default passwords, and ensure the firmware on the device comes from a trusted source.

Manufacturers and ISPs are asked to not support out-of-date, unencrypted, or unauthenticated protocols and services.

“Many of the techniques used by Russia exploit basic weaknesses in network systems. The NCSC is leading the way globally to automate defences at scale to take away some of those basic attacks, thereby allowing us to focus on the most potent threats,” Martin added.

Hackers exploit casino’s smart thermometer to steal database info

Having a whole bunch of smart objects like lights, appliances, and thermometers can make life a little more convenient for businesses, but buying into the internet of things can also make those same businesses more vulnerable to hackers.

Nicole Eagan, CEO of cybersecurity company Darktrace, revealed Thursday that a casino fell victim to hackers thanks to a smart thermometer it was using to monitor the water of an aquarium they had installed in the lobby, Business Insider reported. The hackers managed to find and steal information from the casino’s high-roller database through the thermometer.

“The attackers used that to get a foothold in the network,” Eagan said at a Wall Street Journal panel. “They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.”

That database may have included information about some of the unnamed casino’s biggest spenders along with other private details, and hackers got a hold of it thanks to the internet of things.

As Eagan explained at the panel, the proliferation of connected smart devices makes people more vulnerable to cyber attacks. Hardly a surprising revelation, but this case stands as a clear illustration of the risks.

“There’s a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC systems, to people who bring in their Alexa devices into the offices,” she said. “There’s just a lot of IoT. It expands the attack surface, and most of this isn’t covered by traditional defenses.”

Because these devices tend to be very basic, they often don’t include added security features outside of the common WPA2 Wi-Fi protocol, which by itself isn’t a great line of defense. Of course, people are working to make these devices safer and more secure, but the world is still a long way off from being totally safe from hackers who exploit the internet of things.

Cryptocurrency exchange puts $250,000 bounty on hackers

The hunter has become the hunted and so on.

Binance is done playing nice. 

The cryptocurrency exchange was the target of an attempted hack last week, and although the company claims that the attackers were largely unsuccessful in their efforts, they nevertheless still made someone at the exchange mad. So mad, in fact, that on Sunday, Binance announced the equivalent of a $250,000 bounty on the hackers. 

“To ensure a safe crypto community, we can’t simply play defense,” read the statement. “We need to actively prevent any instances of hacking before they occur, as well as follow through after-the-fact.”

That follow through just so happens to come in the form of a fat cryptocurrency reward, and is all but guaranteed to kick off a mad digital vigilante rush. 

“The first person to supply substantial information and evidence that leads to the legal arrest of the hackers, in any jurisdiction, will receive the equivalent of $250,000 USD in BNB [Binance Coin],” continued the modern day version of a wanted poster. 

Binance appears to relish being on the offensive — a fact emphasized by the company’s CEO, Changpeng Zhao.

“As in a football match, you can’t just play defense,” he tweeted.

Regardless of how this particular case gets resolved, it doesn’t look like the idea of exchanges putting bounties on hackers is going away any time soon. In fact, it’s probably going to pick up steam. 

“Binance has currently allocated the equivalent of $10,000,000 USD in crypto reserves for future bounty awards against any illegal hacking attempts on Binance,” noted the same announcement. “We have also invited other exchanges and crypto businesses to join our initiative.”

So all you would-be cryptocurrency exchange hackers out there, consider yourselves warned.