Editor’s Note: A few months ago, I shared an article and video from a new InfoSec related site, Third Certainty. This security news and analysis site isn’t just a great professional resource, but one I think appeals to normal consumers as well. It’s led by Pulitzer Prize-winning journalist Byron Acohido, who excels at breaking down complex topics into stories that everyone can understand. Sign up for the free weekly newsletter, and recommend the site to your less technical friends.
In any case, Acohido recently published an article talking about bug bounty programs, which includes a video where I talk about the underbelly of the zero day vulnerability market. Check out Acohido’s article in full below, and visit his site for more great content.
Business is booming for bug bounty hunters
By Byron Acohido, ThirdCertainty
[vimeo http://player.vimeo.com/video/122450361 w=500&h=280]
Corporate-sponsored bug bounty programs have become an indispensable means of tempering new forms of cyber attacks.
It is now routine for Google, Mozilla, Adobe, Facebook and Microsoft to pay five- and six-figure fees to hackers who make a living ferreting out fresh security holes in the software applications consumers and companies use every day.
Hackers are continually on the hunt for overlooked flaws in popular operating systems, such as Windows, Mac OS, and Android, as well as in ubiquitous software applications — all of the major Web browsers and any software that runs on browsers, such as Adobe Flash and Java.
The more widely the operating system or app is used, the more hackers probe it for flaws. These flaws are referred to as zero-day vulnerabilities, or zero days. There are endless zero days yet to be discovered. And each one discovered has to be patched.
There is an entire cottage industry of white hat hackers who do little else but search for zero days. When one is discovered, the tech company responsible for the OS or app gets notified of the new bug. And the white hat gets paid handsomely. The tech company then develops a patch and seeks to get it widely deployed.
Black hat hackers hunt for bugs, too, and also are compensated well. The difference is that they sell to the top cyber crime rings that then use the zero days for thievery and spying.
There also is a third major group paying out bug bounties: governments, including the United States.
Like organized crime rings, governments don’t want the zero days patched, because they have something very specific in mind for them, Corey Nachreiner, director of security strategy at WatchGuard Technologies, tells ThirdCertainty.
Governments are seeking to stockpile zero days, and hold them in reserve to use against rival nations. In modern cyber warfare, no superpower wants to be on the short side of a zero-day gap.
“Governments need an arsenal, so it’s in their advantage not to get the vulnerability fixed,” Nachreiner says.
In harm’s way
American companies are aware of this potential to be hacked by government-backed hackers armed with the best-available zero-days, and many are seeking to strengthen their encryption systems. And they are resisting government efforts to ensure that U.S. intelligence agencies can still crack into their communications, according to a recent report in The New York Times. While the government’s request seems reasonable, it also leaves businesses more vulnerable.
The problem is, of course, there are a lot of busy, motivated bug hunters out there.
So it is very plausible that sooner or later someone else will discover a flaw that’s stockpiled in a government cyber war chest, Nachreiner says.
If a black hat hacker finds a security hole that, say, the U.S. government has had in its stockpile for a long time, that’s not a good thing.
A crime group could put the zero day to work for an extended period, doing wide damage, before anyone notices.
“Not fixing these vulnerabilities as quickly as we know about them, in the long term, harms everyone’s security because we’re all using the same software,” Nachreiner argues.