Vulnerabilities / Threats

6/22/2016 11:30 AM
Chris Wysopal
Commentary
Bug Poachers: A New Breed of Cybercriminal

As if security researchers didn't have enough to worry about, we now have to contend with extortionists who take advantage of a well-established fact: applications are a ripe target for exploitation.

Security researchers walk a fine line between white hat and black hat activities. Sometimes, despite staying on the right side of that line, the legal side, they still find themselves facing criminal charges. Consider the case of Justin Shafer: he found a security hole in a dentist office's servers and reported it to the company.

Some companies would have paid Shafer a "bug bounty." He was unfortunate enough to find a hole at a company that doesn't understand what security researchers actually do. By reporting the hole he effectively made himself the prime suspect, and he is now facing criminal charges for "exceeding authorized access."

As if security researchers didn't have enough reason to worry about being seen as criminals, we now have bug poachers confusing matters even further. According to information from IBM, bug poachers have hit at least 30 companies. Bug poachers breach a company's infrastructure, typically by exploiting a SQL injection vulnerability in the company's website. Once inside, they steal data, but here is where the twist comes in. Unlike typical black hats, bug poachers do not sell the data; they extort their victims, telling the company it must pay to learn how it was breached.
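To make concrete how the breach step in the paragraph above works, here is an added example (not code from the article or from IBM's report) of a product-search query built by string concatenation, the UNION-based payload that turns it into a dump of a credentials table, and the parameterized version that treats the same payload as harmless search text. The schema, the data and the payload are constructed for the demonstration; SQLite is used only so the example runs offline, and the same flaw applies to any SQL backend.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        INSERT INTO users VALUES (1, 'alice@example.com', 'hash-a'),
                                 (2, 'bob@example.com', 'hash-b');
        """
    )
    return conn


def search_products_vulnerable(conn, term):
    """Vulnerable: the user-supplied term is spliced into the SQL text, so a
    quote character lets the attacker leave the string literal and append
    arbitrary SQL. This is the classic website SQL injection the article refers to."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_products_safe(conn, term):
    """Hardened: the term is bound as a parameter. The driver sends it as data,
    so quotes, UNION and comment markers inside it are never parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Constructed attacker input: closes the LIKE literal, appends a second SELECT
# with the same column count against a table the search page never exposes,
# and comments out the trailing "%'" the template would otherwise leave behind.
PAYLOAD = "' UNION SELECT email, password_hash FROM users -- "


def demo():
    """Return both outcomes so the contrast is visible in one place."""
    conn = make_db()
    return {
        "vulnerable": search_products_vulnerable(conn, PAYLOAD),
        "safe": search_products_safe(conn, PAYLOAD),
        "safe_normal_search": search_products_safe(conn, "widg"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

In the vulnerable path the result set contains every product plus every e-mail and password hash, which is exactly the data a poacher later holds over the victim; in the parameterized path the same input simply matches no product. Note that escaping quotes by hand is not an adequate fix; binding parameters (or an ORM that does so) is the check a reviewer should insist on.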

The bug poachers argue that they are doing companies a service by making them aware of harmful vulnerabilities in their systems. The vulnerabilities they exploit are publicly known and have patches. They would be security researchers if they stopped once they had pointed out the vulnerability. What makes them criminals is what they do after the flaw is found.

Researchers publish their findings after the company has had a chance to fix the vulnerability. They most certainly do not demand money for information or threaten to exfiltrate data. Poachers, on the other hand, are extortionists taking advantage of a well-established yet often unacknowledged fact: most applications ship with exploitable vulnerabilities.

Why Poachers Are Taking Advantage

Software isn't designed with cybercriminals in mind; it is designed and composed with functionality as the main goal. As a result, design flaws, vulnerable open source components, idiosyncrasies of programming languages and other insecure coding practices contribute to a large number of vulnerabilities. Research from Veracode has shown that 70% of all applications have at least one vulnerability from the OWASP Top 10 on first scan.

This volume of vulnerabilities leaves us dependent on the goodwill of security researchers to find them before they are exploited. That is why so many companies have enacted bug bounty programs. Instead of punishing researchers for finding and responsibly disclosing vulnerabilities, bug bounty programs reward them for their work. This way, these talented individuals are not tempted to use their skills to make money illegally, and there are plenty of illegal activities they could choose instead of responsibly disclosing vulnerabilities.

Stopping the Problem at the Source

But companies shouldn't depend on the kindness of strangers, security researchers included. Instead they need to take responsibility for their software and do their best to find vulnerabilities before applications reach production. Yet, according to the biennial Global Information Security Workforce Study published by (ISC)2, 30% of companies never scan their software for vulnerabilities. No wonder we are seeing so many breaches, ransomware attacks, and now bug poaching. The proliferation of vulnerable software makes it too easy for cybercriminals to succeed. It is too lucrative an opportunity for many talented hackers to ignore.

What can be done? The first action companies can take is to assess software for vulnerabilities during the development stage of the lifecycle. But the software lifecycle doesn't end at development, and neither should security efforts. A shifting security landscape means new vulnerabilities are found all the time, and if a development team uses third-party and open-source components, as most do, it is possible to run a fully secure development process and still end up with vulnerabilities. This is why protecting applications in production is just as important as eliminating vulnerabilities to begin with.
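One inexpensive piece of the production-side protection the paragraph above calls for is to watch the web server's own access logs for the injection attempts poachers rely on. The following is an added example, not code from the article or from Veracode: it parses constructed common-log-format lines (the IPs are from documentation ranges and the requests are invented), URL-decodes each query parameter, and flags the parameters that carry SQL injection signatures. The pattern list is a small illustrative set, not a complete ruleset.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines for the demonstration (common log format).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jun/2016:11:30:01 +0000] "GET /search?q=widget HTTP/1.1" 200 512
203.0.113.7 - - [22/Jun/2016:11:30:05 +0000] "GET /search?q=widget%27+UNION+SELECT+email%2Cpassword_hash+FROM+users-- HTTP/1.1" 200 8192
198.51.100.4 - - [22/Jun/2016:11:30:09 +0000] "GET /product?id=2 HTTP/1.1" 200 640
203.0.113.7 - - [22/Jun/2016:11:30:12 +0000] "GET /product?id=2%27+OR+%271%27%3D%271 HTTP/1.1" 200 9001
198.51.100.4 - - [22/Jun/2016:11:30:15 +0000] "GET /search?q=o%27neil HTTP/1.1" 200 300
"""

# Common log format: ip ident user [timestamp] "method target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Illustrative injection signatures, applied to the decoded parameter value.
# A lone apostrophe (as in "o'neil") is deliberately not a signature, to keep
# ordinary names from being flagged.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "trailing_comment": re.compile(r"--\s*$"),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I),
}


def flag_sqli(log_text):
    """Return one finding per request parameter whose decoded value matches a
    signature. Each finding keeps the response size, because an unusually large
    reply alongside a UNION payload is the signal that data actually left."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            matched = [label for label, rx in SQLI_PATTERNS.items() if rx.search(value)]
            if matched:
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "param": name,
                    "value": value,
                    "signatures": matched,
                    "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
                })
    return findings


def attempts_per_ip(findings):
    """Count flagged requests per source address, to surface a probing client."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = flag_sqli(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["param"], f["signatures"], f["bytes"], repr(f["value"]))
    print(attempts_per_ip(found))
```

Signature matching like this is a detective control, not a substitute for fixing the query; its value here is that the second constructed request (a UNION payload followed by a reply an order of magnitude larger than the normal search) is exactly the footprint an extortion claim would later rest on, and it is visible in logs the company already has.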

A bug bounty program can go a long way toward attracting the right kind of probing of a company's applications, and security researchers have done a lot to help companies fix vulnerabilities before the world finds out about them. But as this new wave of black hat hackers known as bug poachers demonstrates, there are still too many creative and talented hackers who are more than comfortable occupying the gray, and sometimes black, space of cybercrime. Let's not make their job too easy.

Chris Wysopal is chief technology officer at CA Veracode. He oversees technology strategy and information security. Prior to co-founding CA Veracode in 2006, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec. ... View Full Bio