SAN FRANCISCO: It should come as no surprise that the internet is riddled with holes. For as long as people have been writing code, they have been making mistakes. And just about as long as they have been making mistakes, criminals, governments, so-called hacktivists and people who wreck things for kicks have been taking advantage.
But if 2014 was the year that hackings of everything from federal government computer networks to the computers of Sony Pictures became routine news, 2015 may be the year that companies tried to do something about it — although not without some rough nudging.
Technology companies including Google, Facebook, Dropbox, Microsoft, Yahoo, PayPal and even electric-car maker Tesla now offer hackers bounties for reporting the flaws they find in the companies’ wares.
It is a significant shift from the tech industry’s standard way of responding — or not responding — to hackers who find vulnerabilities.
Twenty years ago, reporting a bug to a big company might fetch a well-intentioned programmer a T-shirt, credit on a website or a small bounty. But more often than not, such people were ignored or even threatened with criminal prosecution.
It should not be that shocking, then, that a healthy black market for so-called zero day bugs — flaws that the vendor has not yet discovered or patched, and that can be exploited without setting off an alarm — has emerged over the years. Online criminals and governments have been paying for word of such flaws and stockpiling them for future hackings, according to foreign policy experts who track the claims of government officials who have publicly disclosed their online weaponry or whose online attack programs have leaked.
An additional 40 countries are buying so-called spyware tools from a growing list of companies in the United States and Europe that sell to governments.
“As the global water level of threats naturally increases, what you see are these lower-tier groups, criminal actors and hacktivists begin to acquire capabilities that used to only be available to nation-states,” said Michael Hayden, former director of the National Security Agency. “Even the less capable actors can now develop and/or acquire tools and weapons that we thought in the past were so high-end that only a few nation-states could acquire and use them.”
“This,” Hayden added, “is an absolutely predictable development.”
There is little question that new thinking is needed around the seemingly insurmountable problem of online security. In 60% of 2,122 data breaches last year analyzed by Verizon, attackers were able to compromise their victims’ data within minutes. And even when vulnerabilities were discovered and a patch was devised, companies weren’t applying the patch. Verizon found that 99.9% of known vulnerabilities remained in place more than a year after the vendor provided a patch.
Now Facebook and Microsoft sponsor an Internet Bug Bounty program, run by volunteers from the security sector, that pays hackers to report bugs. After one particularly serious, overlooked bug — named Heartbleed — was discovered last year in a security protocol that is used in millions of internet-connected devices, the nonprofit Linux Foundation and more than a dozen major tech companies started an initiative to pay for security audits in widely used open-source software.
By far, the most aggressive effort to batten down the internet has been that of Google, which in addition to paying hackers to report bugs, tapped its top security analysts last year to join a new effort called Project Zero. The program has enlisted an elite group of hackers to work on uncovering holes not just in Google’s systems but across the Web as well.
Project Zero recently discovered serious holes in Adobe Flash; TrueCrypt, the encryption software once used by NSA whistle-blower Edward Snowden; Avast, the popular anti-virus software; and security software sold by Kaspersky Lab. All of this came in the span of just two weeks in September.
Project Zero’s goal is to make those stockpiles of zero day bugs useless.
“You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” Chris Evans, then Project Zero’s lead and now chief of security at Tesla, wrote in a blog post. “Yet in sophisticated attacks, we see the use of ‘zero day’ vulnerabilities to target, for example, human rights activists or conduct industrial espionage. This needs to stop.”
It’s nearly impossible to know if Project Zero is making a dent in countries’ attack tools. In the United States and other countries, vulnerability exploitation programs are often classified, making data hard to come by.
So far, Google’s team of 10 full-time hackers has fixed more than 400 critical flaws in widely used programs, many of which would have been easy to exploit for espionage or destruction.
But their efforts are not without controversy, particularly with competitors whose software is being audited by Google’s hackers. At Apple, which still does not pay hackers bounties for turning over bugs, Project Zero has discovered more than 60 bugs in crucial Apple applications, like the Safari browser and mobile developer kits.
And last year, after Google detected and disclosed security flaws in Windows, Microsoft did not exactly write a thank-you note. Microsoft’s security executives criticized Google’s researchers for not giving them more time to fix the flaws before disclosing them to the wider Web.
“We don’t believe it would be right to have our security researchers find vulnerabilities in competitors’ products, apply pressure that a fix should take place in a certain time frame, and then publicly disclose information that could be used to exploit the vulnerability and attack customers before a fix is created,” Chris Betz, a senior director of the Microsoft Trustworthy Computing Group, wrote in a blog post.
Google has a 90-day rule for disclosing bugs that vendors have not patched, but after the Microsoft controversy, it added a 14-day extension for companies that say they are working on a patch.
But not all bug bounty programs are being run by the tech industry’s giants.
Newer startups like HackerOne and BugCrowd team up with companies in industries like tech and energy to solicit hackers to test their applications for vulnerabilities and, in many cases, pay them for their finds.
Both services help companies, like Twitter, Yahoo and Snapchat, set up bounty programs and then recruit hackers to test their clients’ products and applications. In cases where companies are willing to offer a financial reward, HackerOne and BugCrowd manage the payment process.
Like HackerOne and BugCrowd, other startups like Synack and Bug Bounty HQ hire teams of hackers to do private vulnerability-finding missions. The idea is simple: Companies will never find all the vulnerabilities on their own and would rather invest in researchers to find the flaws now than suffer the consequences when criminals find them later.
For all the holes discovered in Microsoft’s code, the security industry still largely sees Microsoft — criticized for years for the holes in its software — as a security success story. Many in the industry point to a 2002 memo from Bill Gates as a turning point.
In his memo, Gates said that for Microsoft to succeed, it would have to make security, privacy and resiliency its top priorities.
His memo was prescient: “Computing is already an important part of many people’s lives,” Gates wrote. “Within 10 years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing.”
Initially mocked by those in the security industry as a publicity stunt, the memo compelled Microsoft’s developers to start incorporating more secure coding techniques. And the company’s once sour relationship with the security research community began to improve. The company now routinely works, for example, with law enforcement to disrupt criminal botnets, networks of computers that have been infected by online criminals.
And while there have been setbacks and plenty of holes are still being discovered in Microsoft code, fears about the security of Microsoft’s applications have slowly subsided. Adobe and the Java programming platform have become more frequent targets for hackers.
“There is a lot to be learned from that,” said Jim Zemlin, the executive director of the Linux Foundation. “The problem is that Bill Gates can’t write a memo to the whole world. What we need is a new culture of norms.”
Security experts say bug bounty programs are useful but inherently reactive. They say the only way to get ahead in the cat-and-mouse game with hackers is to encourage developers to incorporate secure coding practices into the design.
“That is the real struggle,” Zemlin said. “Bug bounties are great at fixing potholes where they are today. But long term, we need to make a better investment in the overall health of the internet.”
Zemlin and others point to new training programs organized by the Linux Foundation and others that encourage developers to bone up on their secure coding skills, to eliminate the potential for bugs in code in the first place.
“There’s no quick fix, but if you have bug bounty programs, do threat modeling and train developers how to write secure code, you’re going to have a healthier internet,” Zemlin said. “Nation-states will always have offensive tools, but if you raise the bar on coding, at least those tools won’t get into the hands of as many rogue actors as quickly as they are today.”
The effort to stamp out bugs is not the only thing security experts are trying as a way to improve the security of computer networks and the broader internet.
The US government and technology companies are pushing websites to strengthen their security by using HTTPS encryption that protects information as it moves across the Internet.
HTTPS creates a private connection between a web browser and a website so would-be snoopers can’t peek at what a person is doing. A small lock appearing in the address bar of a browser is usually a good indication that a site is using it. Banks have deployed HTTPS for years, but more recently it has been adopted by e-commerce and technology sites like Google, Facebook and Yahoo. The Obama administration ordered all websites run by the executive branch of the federal government to adopt HTTPS by the end of 2016.
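As an added illustration (this code is not from the article), here is a small Python check of the two things that paragraph turns on from a defender's side: whether a site is actually served over HTTPS, and whether a client program that connects to a site verifies the server's certificate, which is the programmatic equivalent of looking for the lock. It also reads the Strict-Transport-Security header, which the article does not mention; the domains and response headers below are constructed sample data, and the one-year threshold is an assumption.

```python
"""HTTPS posture checks. Added example; not code from the article.

The three checks:
  1. uses_https      - the lock only appears for https:// URLs.
  2. hsts_max_age    - does the site tell browsers to keep using HTTPS?
                       (Strict-Transport-Security is an assumption here; the
                       article does not mention it.)
  3. context_verifies - when OUR code connects, is the certificate checked?
                       Disabling verification is how programs "ignore the lock".
"""
import ssl
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ONE_YEAR_SECONDS = 31536000  # assumed threshold for a "good" HSTS max-age


def uses_https(url: str) -> bool:
    """True only when the URL scheme is https (case-insensitive)."""
    return urlsplit(url).scheme.lower() == "https"


def hsts_max_age(headers: Dict[str, str]) -> Optional[int]:
    """Return the max-age value from Strict-Transport-Security, or None
    if the header is absent or its max-age directive is malformed."""
    for name, value in headers.items():
        if name.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age":
                try:
                    return int(val.strip().strip('"'))
                except ValueError:
                    return None
        return None  # header present but no max-age directive
    return None


def verifying_context() -> ssl.SSLContext:
    """The context a client should use: certificate chain is checked against
    the system trust store and the hostname must match the certificate."""
    return ssl.create_default_context()


def non_verifying_context() -> ssl.SSLContext:
    """The common anti-pattern, shown for contrast: this accepts any
    certificate, so an interposed snooper is not detected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True when a context both validates the chain and checks the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def audit_site(url: str, response_headers: Dict[str, str]) -> Dict[str, object]:
    """Summarize one site's HTTPS posture from its URL and response headers."""
    https = uses_https(url)
    max_age = hsts_max_age(response_headers) if https else None
    return {
        "url": url,
        "https": https,
        "hsts_max_age": max_age,
        "hsts_ok": max_age is not None and max_age >= ONE_YEAR_SECONDS,
    }


# Constructed sample data (not real sites or measurements).
SAMPLE_SITES: Dict[str, Dict[str, str]] = {
    "https://bank.example/": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "https://shop.example/": {"Content-Type": "text/html"},
    "http://news.example/": {"Content-Type": "text/html"},
}


def audit_all(sites: Dict[str, Dict[str, str]] = SAMPLE_SITES) -> List[Dict[str, object]]:
    """Audit every sample site; returns one summary dict per site, in order."""
    return [audit_site(url, headers) for url, headers in sites.items()]


if __name__ == "__main__":
    for row in audit_all():
        print(row)
    print("default client context verifies certificates:",
          context_verifies(verifying_context()))
    print("CERT_NONE context verifies certificates:",
          context_verifies(non_verifying_context()))
```

The point of the two contexts is that the lock in the browser has a counterpart in every program that speaks HTTPS: `ssl.create_default_context()` turns on chain validation and hostname checking, whereas code that sets `CERT_NONE` to make an error go away has quietly removed the protection the paragraph describes.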
Here too, Google is lending its muscle to the effort. Last year, the search giant began raising the search rankings of websites that use HTTPS and lowering the rankings of those that do not.
In the European Union, countries are considering ways to couple that sort of aggressiveness with legal clout. Under current proposals, any company that collects and manages data about the region’s 500 million or so citizens must report a data breach within 72 hours and notify customers as soon as possible. If companies fail to do that, regulators could fine them as much as 2% of their global revenue, or a maximum of $1.1 million. The rules are being negotiated and could apply by 2018.
Are those rules an overreaction? Not if you consider the potential for security flaws in technologies that are just starting to be adopted, like internet-connected home heating systems and cars.