Wouldn’t it be nice to be paid $120,000 for 4 seconds of work? This is not a trick question to lure you into some money-making scheme… or is it? Because at the annual white-hat hacker, bug-finding festival known as Pwnfest 2016, that’s exactly what Chinese teams from Qihoo 360 received when they exploited a flaw in the Win32k kernel to compromise Adobe Flash. Ok, so they probably worked many more hours finding the flaw, but they were able to demonstrate how to use it in 4 seconds. In fact, the 360 teams received the ‘Lord of Pwn’ award and a total cash prize of $520,000.
And who pays out these hefty sums? The software makers who were attacked, of course. Yes, basically, software companies pay money to find out how bad their software is. Before the competition began, here was the list of targets to be exploited and the money that would be paid for exploiting them.
In total, the companies, or sponsors, as they are called, offered a total of $1.7 million to be humiliated. Actually, that’s a bit harsh. You have to think of these bug hunters as teammates who are helping you perfect your product. This is because the flaws they discover must be immediately disclosed to the companies. In this regard, the ‘lucky’ companies for which flaws were uncovered included Apple (Safari browser), Microsoft (Edge browser, VMWare Workstation), Adobe (Flash), and Google (Pixel smartphone).
So why don’t these talented white-hat hackers put on black hats and parlay their skills into much more money? According to one investigation, most (75%) claim that they have ethical standards that they simply won’t abandon no matter what money is offered. However, the investigator found ethics weakening when the figure of $10 million was suggested. Others seem to be seeking recognition from their peers, a few want to hack to promote political causes, 25% will hack for revenge, and others would hack to get some personal benefit such as free coupons. In other words, the distinct red line separating white and black hats is really a fuzzy pink line: a fact that can be of ultimate importance to any enterprise that allows itself to be hacked.
There is also a problem with white-hat hackers taking a moral stance, because that stance may not be shared by other rational human beings. I’m sure Russia feels it has good, moral reasons for banning LinkedIn in its country, but, in the process, it prevents good, moral Russians from fuller participation in the international marketplace.
Many would find a dating site that promoted marital infidelity immoral. Many hackers may feel morally correct in exposing people who would use such a site. But would they also be happy with the number of divorces and suicides that resulted from their hacks?
The truth is that white-hat hackers and black-hat hackers drift back and forth between each other’s territories far more often than most would like to believe. Morgan Culbertson worked as an intern for the cybersecurity firm FireEye, developing security for Android devices. Apparently, he learned a little too much, as he began selling Android malware on the dark web. He was recently sentenced to two years’ probation and a $10,000 fine.
Black-hat hackers will occasionally reach across to the other side to sell exploits that they have found. They may contact companies in the hope of getting financial rewards, but they most often contact governments, because that’s where the money is. Sometimes they organize into groups or firms; Hacking Team and Zerodium are two examples of such groups. The problem is that they don’t really care who their clients are as long as they make money. Some of their sales may seem ethical on the surface, but they will sell the same exploits to democratic governments and repressive regimes alike. For this reason, few tears were shed when Hacking Team was itself hacked in 2015 and lost 400 GB of data.
Now, back to Pwnfest 2016. Would these white-hat hackers even participate if they weren’t paid handsomely for their exploits? Possibly, but probably not. It may not only be about financial gain. After all, what better marketing strategy could you get than claiming your firm hacked the top products of major software firms? The status of an individual hacker would also rise from being associated with such a team. Qihoo 360 defines itself as an internet security firm, so I’m certain that winning the ‘Lord of Pwn’ award won’t hurt its image.
However, for the sake of the sponsors’ security, I sure hope that Qihoo 360 rewards the individuals in its pwn testing groups, because, if it doesn’t, I wouldn’t be surprised if some members were tempted to enter the gray zone. As with most business decisions, each company that allows its products to be hacked must determine whether the benefits it would get from such a penetration test outweigh the potential risks. Just keep in mind that risks do, in fact, exist, and they can be very costly.