Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/22/2016
11:30 AM
Chris Wysopal
Chris Wysopal
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Bug Poachers: A New Breed of Cybercriminal

As if security researchers don't have enough to worry about, we now have to contend with extortionists who take advantage of the well-established fact that applications are a ripe target for exploitation.

Security researchers walk a fine line between white hat and black hat activities. Sometimes despite being on the right side of the line, the legal side of the line, they still find themselves facing criminal charges. Consider the case of Justin Shafer: he found a security hole in a dentist office’s servers, and reported the incident to the company.

While some companies would have paid Shafer a ‘bug bounty,” he was unfortunate enough to find a hole at a company that doesn’t understand what security researchers actually do. By reporting the hole, he basically implicated himself as a cybercriminal and now he is facing criminal charges for “exceeding authorized access.”

As if security researchers didn’t have enough reason to worry about being seen as criminals, we now have bug poachers confusing matters even further. According to information from IBM, bug poachers have hit at least 30 companies. Bug poachers breach a company’s infrastructure, typically using a SQL injection aimed at a vulnerability in a company’s website. Once inside, they steal data, but here is where the twist comes in. Unlike typical black hatters, instead of selling the data, bug poachers extort their victims—telling the company they must pay to get information on how they were breached.

The bug poachers argue that they are doing companies a service. They are making companies aware of potentially harmful vulnerabilities in their systems. The vulnerabilities they exploit are publically known and have patches. They would be security researchers if they would stop once they pointed out the vulnerability. But they’re not because of their actions after a flaw is found.

Researchers publish their findings after the company has had a chance to fix the vulnerability. They most certainly do not request funds for information or threaten to actively exfiltrate data. Poachers, on the other hand, are extortionists taking advantage of a well-established yet often unrecognized fact: applications are inherently insecure.

Why Poachers Are Taking Advantage

Software isn’t designed with cybercriminals in mind; it is designed and composed with functionality as the main goal. As a result, we have design flaws, the use of vulnerable open source components, idiosyncrasies in programming languages and other insecure coding practices contributing to a large number of vulnerabilities. Research from Veracode has shown that 70% of all applications have at least one vulnerability in the OWASP Top 10 upon first scan.

Black Hat’s CISO Summit Aug 2 offers executive-level insights into technologies & issues security execs need to keep pace with the speed of business. Click to register.

This astronomical number of vulnerabilities leaves us dependent on the kindness of security researchers to help us find vulnerabilities before they are exploited. And that’s why so many companies have enacted bug bounty programs. Instead of punishing researchers for finding and responsibly disclosing vulnerabilities, bug bounty programs reward researchers for their work. This way, these talented individuals are not tempted to use their skills to make money in illegal ways—and there are plenty of illegal activities they could chose to do instead of responsibly disclosing vulnerabilities.

Stopping the Problem at the Source

But companies shouldn’t depend on the kindness of strangers (security researchers). Instead they need to take responsibility for their software and do the best they can to find vulnerabilities before applications are in production. Yet, according to the biennial Global Information Security Workforce Study published by (ISC)2, 30% of companies never scan for vulnerabilities in their software. No wonder we are seeing so many breaches, ransomware attacks, and now bug poaching. The proliferation of vulnerable software is making it too easy for cybercriminals to be successful. It is too lucrative of an opportunity for many talented hackers to ignore.

What can be done? The first action companies can take is to assess software for vulnerabilities during the development stage of the software lifecycle. But the software lifecycle doesn’t end at the development stage, and neither should security efforts. A shifting security landscape means new vulnerabilities are found all the time, and if a development team uses third-party and open-source components in their engineering efforts—and most do—it is possible to have a complete secure development process and still end up with vulnerabilities. This is why protecting applications in production is just as important as eliminating vulnerabilities to begin with.

A bug bounty program can go a long way toward attracting the right kind of probing into a company’s applications. And security researchers have done a lot to help companies fix vulnerabilities before the world finds out about them. But as this new wave of black hat hackers known as bug poachers demonstrates, there are still too many creative and talented hackers out there who are more than comfortable occupying the gray and sometimes black space of cybercrime. Let’s not make their job too easy. 

Related Content:

 

Chris Wysopal is chief technology officer at CA Veracode. He oversees technology strategy and information security. Prior to co-founding CA Veracode in 2006, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec. ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.