The White Knights of Hacking to the Cyber-rescue

Facebook, Google and other tech heavyweights are increasingly paying the benevolent geeks who report holes in their security. Not surprisingly, the ‘good guys’ include quite a few Israelis.


Earlier this month a 10-year-old Finnish boy received a delightful surprise from Facebook: $10,000, as a reward for finding and reporting a security weakness in its subsidiary Instagram. The loophole found by the boy genius, who is too young to even have an account on either site, enabled him to delete other users’ messages on the site, as he told the Finnish paper Iltalehti.

The reward for young Jani (his last name isn’t being shared at the request of his parents) is part of Facebook’s Bug Bounty program. In fact, several of the technology titans and other business behemoths are tapping the seedy talents of the hacking community to locate weaknesses in their data security and services in exchange for rewards, ranging from a T-shirt to actual money.

Speaking of seedy, the latest to jump on the bandwagon with a munificent bounty program is Pornhub, the self-declared biggest porn site on the planet, with 60 million users. The site is starting its rewards at $50 but they can reach $25,000, depending on the hole the hackers find and the potential havoc it could wreak.

“Like other major tech players have been doing as of late, we’re tapping some of the most talented security researchers as a proactive and precautionary measure – in addition to our dedicated developer and security teams – to ensure not only the security of our site but that of our users, which is paramount to us,” stated Pornhub VP Corey Price in a press release.

Hacking for the red, white & blue

The bug bounty market has become big business in recent years, changing the face of data security, and unsurprisingly, Israeli hackers are in the picture.

But hackers aren’t entirely enthused about the bounty programs out there.

The first bug bounty program was introduced in 1995 by Netscape for its Navigator browser (the code base that later became Mozilla and today’s Firefox). The idea drew on the open-source crowd, which is into fixing software by nature. The entire budget for the Netscape program was $50, but it was a stunning success.

In 2010 Google introduced the most generous bug bounty program of them all, its Google Vulnerability Reward Program, and has paid out $6 million under it to date to external hackers who discovered vulnerabilities. In 2015 alone Google paid hackers $2 million. In March, Google doubled the maximum bounty for vulnerabilities in its Chrome OS operating system to $100,000. Recently the company announced that five problems had been discovered, of which two were serious. It paid the Polish hacker who found both $15,500.

Come 2011, Facebook joined the trend. So far it’s paid out $4.3 million to 800 security researchers. In 2013, Google changed its policy and began accepting reports and paying for vulnerabilities found in certain services. A month later, Facebook and Microsoft announced the Internet Bug Bounty, a joint program covering vulnerabilities in a wide range of software (such as Adobe Flash), programming languages (such as Python) and communications protocols.

By the way, one major company with no bounty plan is Apple.

Among the companies that do not scorn the hacker is United Airlines, which rewarded a hacking group called Offensi that located a vulnerability on the carrier’s website with a million frequent-flyer miles (worth about $20,000). The hackers donated the miles to charity.

Keren Elazari, self-styled geek and hacker, does research at Tel Aviv University and advises on cyber security. Elazari, who has been studying the bug bounty phenomenon, calls hackers “the immune system of the Internet.”

To her, bug bounty programs are that immune system in action. They not only detect security vulnerabilities but can sometimes uncover new uses for software. They’re a sort of crowdsourcing mechanism drawing on a very specific crowd.

Even the Pentagon has a pilot program, temptingly called “Hack the Pentagon” to test the resilience of the American cyber defense system. “The program will target several DoD public websites which will be identified to the participants as the beginning of the challenge approaches. Critical, mission-facing computer systems will not be involved in the program,” the United States Department of Defense clarifies.

Bug bounty programs could even be considered good for a company’s brand name, and for giants like Google, paying out $2 million a year is peanuts – “that’s not even the budget for croissants in the Palo Alto headquarters,” Elazari laughs. And it worked: Hackers found vulnerabilities far more serious than those discovered by Google itself.

Where things turn gray

The hackers seek weaknesses through which they can take over a site’s or application’s administration. They pose as ordinary users, look for errors in the code or hidden links, and guess passwords or find ways around them.
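Both Facebook bugs described on this page (a 10-year-old deleting other users’ messages on Instagram, and a researcher posting to a stranger’s timeline) belong to the same class: a request handler that checks the caller is logged in but never checks that the caller is allowed to act on the object whose ID the request names. The following is an added example, not code from Facebook, Instagram or this article; the store, user names and message IDs are constructed for the demonstration, and the handler names are hypothetical.

```python
"""Added example (not from Facebook, Instagram or this article): a message-delete
handler that trusts a client-supplied ID without an ownership check, beside the
hardened version. All data below is constructed for the demo."""
from dataclasses import dataclass, field


@dataclass
class Message:
    id: int
    owner: str
    text: str


@dataclass
class Store:
    messages: dict = field(default_factory=dict)

    def seed(self):
        # Constructed sample data: two users, one message each.
        self.messages = {
            1: Message(1, "alice", "hello"),
            2: Message(2, "bob", "hi alice"),
        }
        return self


class Forbidden(Exception):
    pass


def delete_message_vulnerable(store, caller, message_id):
    """Vulnerable: authenticates the caller but never authorises the action.
    Any logged-in user who guesses or enumerates a message id can delete it."""
    if caller is None:
        raise Forbidden("login required")
    store.messages.pop(message_id, None)
    return True


def delete_message_hardened(store, caller, message_id):
    """Hardened: look the object up, then check ownership before mutating.
    Returns False for an unknown id so the caller learns nothing extra."""
    if caller is None:
        raise Forbidden("login required")
    msg = store.messages.get(message_id)
    if msg is None:
        return False
    if msg.owner != caller:
        raise Forbidden("not the owner")
    del store.messages[message_id]
    return True


def probe(handler):
    """What a bounty hunter does: log in as an ordinary user ("mallory", who
    owns nothing) and call the delete endpoint with someone else's id.
    Returns the set of message ids that survive the attempt."""
    store = Store().seed()
    try:
        handler(store, "mallory", 2)  # id 2 belongs to bob
    except Forbidden:
        pass
    return set(store.messages)


if __name__ == "__main__":
    print("vulnerable leaves:", probe(delete_message_vulnerable))  # {1}
    print("hardened leaves:", probe(delete_message_hardened))     # {1, 2}
```

The point of `probe` is that the attacker never touches the code: they send an ordinary, authenticated request with a different number in it. A fix that only hides the ID from the user interface does not help; the check has to be on the server, against the object’s owner, before the mutation.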

Not all companies feel comfortable working directly with the hacker community – which is where platforms like HackerOne come in. HackerOne created a bug bounty platform on which companies can pay hackers to find vulnerabilities in their products. Its clients include the likes of Twitter.

The biggest of the lot is apparently Bugcrowd, which handles bug bounty plans for Tesla, Western Union, Pinterest and many more, connecting about 200 companies with 20,000 “security researchers.”

But this is where things get gray or worse. Last September, a company called Zerodium announced a competition to find “zero-day” vulnerabilities (meaning ones the vendor doesn’t yet know about, so no fix exists) in the latest iOS 9 operating system for iPad and iPhone. Zerodium allocated $3 million, including a million-dollar first prize, to anybody discovering a way to break into the OS. One hacker claimed the prize (it isn’t known if he received it).

Thing is, unlike regular bug bounty programs where the vulnerabilities are reported to the company that makes the product, here a company essentially pays to buy a vulnerability that it can later monetize, for instance by selling it to the competition or even to a hostile government. It’s perfectly legal, just as trading in weapons is perfectly legal. If Zerodium is buying a vulnerability for a million dollars, one may suspect somebody is willing to pay it even more for the information. Wired even published Zerodium’s price list, graded by the quality of the vulnerability and the platform; at the top, by a wide margin, are vulnerabilities in iOS, Apple’s mobile operating system.

In fact, one of the main reasons that companies began to pay hackers through bounty programs is to keep information about their weaknesses from reaching bad places – the gray or black market. In the shadows, hackers constantly find weaknesses and trade in them; a powerful zero-day vulnerability fetches a lot of money. A bounty program may pay rather less, but many hackers are willing to “swallow” the difference to stay legitimate.

Bounty plans also give good-guy hackers an address. Otherwise, whom would they contact at a company on finding a bug? Note the story of Khalil Shreateh, a Palestinian hacker from the West Bank who discovered a serious security hole in Facebook in 2013 that allowed him to post to any user’s timeline, even if not “friends” with the timeline’s owner. He told Facebook, which declined to pay him a bounty. So he posted on the wall of Sarah Goodin, an early Facebook employee and a college friend of Mark Zuckerberg, then on Zuckerberg’s own page, apologizing for the violation of his privacy but arguing that he had no choice, since his reports to Facebook security were being ignored.

Facebook fixed the bug but wouldn’t pay him a sou. The white-hat hacker community stood up for Shreateh, arguing that whatever his violation, he had spared the company much damage and merited a reward. Ultimately Facebook apologized to him; he has been participating in its bounty program ever since and has received $40,000 from it.

Slave labor

The only snag is that for hackers, bounty programs pay peanuts. Amitay Dan, 31, an Israeli bounty hacker and founder of a cybersecurity company, is unequivocal: “This is slave labor, an industry that takes advantage of people. If I sold the vulnerabilities I have exposed, I could be very rich now.”

His discoveries include flaws in Samsung smart TVs, in Skype, and in Zendesk, which manages customer relations for 50,000 companies. Famously, Dan and another Israeli data security maven, Barak Tawily, also located vulnerabilities in the Alibaba trading website that exposed the details of all the Chinese site’s users. Alibaba gave Dan some coupons for merchandise, but ultimately better things ensued. The Chinese company sent representatives to Israel to look at Israeli data security companies and met with Dan too, who learned that Alibaba did have a bounty program advertised on its website – in Mandarin Chinese. Now it has one in English too, and four of the 18 data security analysts working with Alibaba are Israeli.

But while Israelis are hacking happily and tech companies worldwide are offering bounties, Israeli companies aren’t. Why does United Airlines have a bug bounty program and El Al none? Why doesn’t Bank Leumi, which takes pride in its digital services, or Maccabi or the Education Ministry? Or Wix? One reason is the rule of law: in December 2015, the High Court of Justice ruled that accessing a computer without the consent of its owner could be a violation of the law. And that put paid to white hat hacking in Israel, says Dan. The only way around the Israeli law is to act through universities doing academic research.

Anybody watching “Mr. Robot,” the second season of which is now airing on Israeli cable television, knows that hackers aren’t in it for the money. If anything, they’re suspicious of filthy lucre and its sources. The way to their hearts is to speak their language; Facebook for one found an original way to reward them – it hands over a prepaid debit card, utterly black, bearing just the words “white hat,” which means a good hacker. One of Google’s reward tiers is $31,337, which may sound weird. But many hackers use a jargon called leet, in which letters are written as look-alike digits; that number simply spells “eleet” (elite) in leet.

But indeed, with pay so low, Western hackers have better uses for their time, says Dan: the only ones for whom bounty programs really pay are Indian and Pakistani hackers. A $500 bounty can be big money in the Third World and can even jump-start a career, Elazari says. And, she adds, users of Chrome and Facebook and a whole lot of other services are much safer because of them.