Published on July 28th, 2019
Why White Hats Need More Protections
Google recently announced it will pay up to $30,000 to security researchers who find a vulnerability in its Chrome browser and up to $150,000 to anyone who finds security holes in Chromebook devices.
But not long ago, tech companies were not very welcoming toward security researchers (aka ethical or white hat hackers) who found vulnerabilities in their systems. In past decades, ethical hackers have faced prosecution and even jail for probing the software and networks of tech companies for security holes. Even if their intentions were sincere, ethical hackers would be taking great risks when they were doing security research.
Things have changed a lot in the past few years. Now, companies and government agencies have come to appreciate the work white hat hackers do. Many even reward ethical hackers for testing their systems.
However, white hat hackers still walk a fine line, and there are still cases where they find themselves in hot water for the work they do. Meanwhile, companies are often unprepared when working with security researchers.
In an interview with the Daily Dot, Julia Kanouse, CEO of the Illinois Technology Association, explained what hackers and companies can do to avoid trouble when working together.
Companies are in need of security researchers
"What we've seen in the past few years is that companies are increasingly embracing the idea of ethical hacking," Kanouse says. "They're starting to put more process and structure in place around how they deal with it internally if they get a disclosure and how they're starting to actually promote and try and bring ethical hackers in."
In recent years, many large tech companies such as Uber and Facebook have launched bug bounty programs, where ethical hackers can submit information about security vulnerabilities and get rewarded for their efforts. We've also seen the emergence of online platforms like HackerOne, where white hat hackers can officially introduce themselves and sell their services on demand.
The reason for this welcoming of ethical hacking is partly due to how work environments have evolved. Many companies have shifted from people working in a single building to online workplaces that run across several cloud platforms and apps, with users scattered in different geographical regions. Companies have effectively turned into complex online digital systems that contain sensitive information about the business, its employees, and its customers. Consequently, the costs of security breaches have become much more than they used to be.
"When you look at how the amount of data has exponentially increased... there's just so much more that is hackable now," Kanouse says, adding that the internal development teams in companies often can't find security holes themselves, and that having a fresh pair of professional eyes look at their systems can help a lot. "If they knew there was a vulnerability, they wouldn't have built it that way in the first place. So I think that's the big benefit of having that outside perspective from ethical hackers."
Challenges remain
While the need for security has brought companies and ethical hackers closer together, there are still problems they can both run into.
For hackers, Kanouse says, if the company has not clearly defined the rules of engagement, they may unknowingly do something illegal with the data they gain access to.
"If you don't fully know the industry rules and regulations in terms of how far you can go and what kind of data you can get access to, you just have to be really careful not to put yourself in a position where you do something that is illegal. I think there's a very blurry line there. It's very gray," Kanouse says.
In February, an ethical hacker was arrested after reporting vulnerabilities in Magyar Telekom, a Hungarian telecommunications company. The hacker had probed the company's networks without having a formal contract. After the hacker reported his findings, the police arrested him for cyberintrusion.
In 2012, a British student was sentenced to eight months in jail after discovering security flaws in Facebook's servers. The defendant's argument that his intentions were non-malicious and that he planned to report everything to Facebook did not convince the judge to exonerate him.
On the company side, the biggest pitfall is not being prepared, Kanouse says. Organizations need a plan in place for when an ethical hacker reaches out to them with a vulnerability.
"If you haven't proactively thought about what you're going to do if you get that kind of message from security researchers, it can go off the rails pretty quickly," she says.
In 2018, two security researchers approached an online casino company with vulnerabilities they had found in its servers. When the company didn't respond, the hackers took to Twitter in hopes of getting its attention. That worked, but when the researchers demanded payment for their efforts, things got out of hand and resulted in confrontations with the company's officials.
This happens often, especially with companies that have no bug bounty program and no procedure to deal with security disclosures. But it also happens at big companies. Earlier this year, a teenager chanced upon a severe vulnerability in Apple's FaceTime video-conferencing app. When his mother reached out to Apple with the bug, she received no response. Apple eventually fixed the bug, but not before it cropped up on social media with users posting videos of how they had reproduced it.
"Companies need to think about it before it happens. They should be thinking about this in the exact same way that they think about mitigating other risks in their business," Kanouse says, adding that the bigger the company, the greater the ramifications of not responding in time.
But Kanouse also adds that hackers should make sure their communication is not creepy, especially when contacting smaller companies that might be dealing with this kind of outreach for the first time.
She also stresses that hackers should not make their findings public before the company patches the vulnerability, even if they receive no answer.
"Going public creates some issues because now you've put it out publicly, there's a vulnerability and an unethical hacker could jump there right away, and there's a likelihood that someone bad would take advantage," she says.