Bug Bounties, CVE, and Hackers

Author: Nathan Reymer

But it’s not all doom and gloom, not if the current trend of security exploits being found and fixed is any indication. Bug bounties and the events companies hold to have their software hacked are making your digital life a little safer every day.

What is a CVE?

CVE stands for Common Vulnerabilities and Exposures. It’s a dictionary of publicly known information security vulnerabilities and exposures. Bugs that are found and reported get a CVE identifier, a brief description of the vulnerability, and any references or advisories.

Black and White Hats

There are two kinds of people commonly thought of as hackers. Blackhats are the ones people imagine wearing masks, stealing all your personal photos and leaking them onto the internet. Then there are whitehats, people who hack for the benefit of society, finding and reporting bugs to the company so that they can be fixed, then ultimately releasing their research, and in most cases the company pays them a bug bounty.

Bug Bounties

So assuming someone finds and exploits these holes, how much can they make if the company has a bug bounty program? It varies widely depending on the size of the company and the robustness of the software. For example, United Airlines rewarded 1 million air miles for a bug found in their system, whereas Facebook issued $1 million to 320 people who reported issues. Microsoft has also awarded researchers $100,000 for exploits on Windows 8 systems. However, not all bugs come with big rewards. Heartbleed (CVE-2014-0160), which affected 66% of the world’s internet servers, was only awarded $15,000, although it should be mentioned that the Heartbleed bug was discovered in open-source software from OpenSSL.

Notable Exploits

HeartBleed (CVE-2014-0160)

Heartbleed is one of the most recent and most widespread exploits of the last few years. It targets encryption, specifically SSL/TLS communication, and could steal information from servers 64K bytes at a time, letting attackers discover secret keys and passwords. There is also no way to detect whether someone has used this exploit; administrators can only assume they have been compromised if the OpenSSL version they were running is vulnerable.
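The shape of the bug described above, as an added example in C that is not from the original post or from OpenSSL: a heartbeat handler that trusts the message’s own length field, beside the patched check, run over a constructed memory region so the over-read stays inside the demo buffer.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for process memory: a heartbeat request, then secret bytes. */
#define ARENA_SIZE 64
static const unsigned char SECRET[] = "SECRET-KEY-BYTES";

/* Layout: 1 byte type, 2 byte big-endian payload length, payload, 16+ bytes padding.
 * `claimed` must stay below ARENA_SIZE - 3 so the demo never leaves the arena. */
static void build_arena(unsigned char *a, uint16_t claimed, const char *payload) {
    size_t real = strlen(payload);
    memset(a, 0, ARENA_SIZE);
    a[0] = 1;                                  /* heartbeat_request */
    a[1] = (unsigned char)(claimed >> 8);
    a[2] = (unsigned char)(claimed & 0xff);
    memcpy(a + 3, payload, real);
    memcpy(a + 3 + real + 16, SECRET, sizeof SECRET - 1);
}

/* Vulnerable shape: trusts the message's length field and copies that many bytes back. */
static size_t heartbeat_vulnerable(const unsigned char *rec, unsigned char *resp) {
    uint16_t pl_len = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(resp, rec + 3, pl_len);
    return pl_len;
}

/* Patched shape: header + claimed payload + 16 bytes of minimum padding must
 * fit inside the record really received; otherwise discard it silently. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *resp) {
    if (rec_len < 1 + 2 + 16) return 0;
    uint16_t pl_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)pl_len + 16 > rec_len) return 0;
    memcpy(resp, rec + 3, pl_len);
    return pl_len;
}

/* 1 if any of SECRET appears in the reply bytes. */
static int leaked_secret(const unsigned char *resp, size_t n) {
    for (size_t i = 0; i + sizeof SECRET - 1 <= n; i++)
        if (memcmp(resp + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}

/* Scenario: the peer sends the 2-byte payload "hi" but claims `claimed` bytes.
 * Returns 1 if the reply leaked SECRET, 0 if not, -1 if the request was rejected. */
static int demo(int use_fixed, uint16_t claimed) {
    unsigned char arena[ARENA_SIZE], resp[ARENA_SIZE];
    build_arena(arena, claimed, "hi");
    size_t got = use_fixed ? heartbeat_fixed(arena, 3 + 2 + 16, resp)
                           : heartbeat_vulnerable(arena, resp);
    return got ? leaked_secret(resp, got) : -1;
}
```

The record length passed to the fixed handler (21 bytes) is what actually arrived; the unpatched handler never looks at it, which is the whole bug.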

Apple GoTo Fail (CVE-2014-1266)

Another recent massive exploit was an SSL/TLS bug built into iOS and OS X devices. It was made possible by an incorrect switching statement in Apple’s code that skipped over SSL verification. This is different from the Heartbleed bug because you can’t steal private keys or information. Instead, this exploit enabled a man-in-the-middle (MITM) attack, where someone could spoof a website and trick iOS and OS X into thinking it was the real website, complete with SSL verification. This attack could have been used to fake banking websites and steal login credentials from sites that appeared to be legitimate.
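Added example, not Apple’s code and not from the original post: the published root cause was a duplicated `goto fail;` line, reconstructed here with hypothetical stand-in hash and signature functions so the skipped verification can be seen returning success for a bad signature.

```c
#include <string.h>

/* Hypothetical stand-ins for the handshake's hash and signature steps;
 * as in Apple's code, 0 means success and anything else is an error. */
static int hash_update(const char *data) { return data ? 0 : -1; }
static int hash_final(void) { return 0; }
/* Constructed check: only the signature "GOOD-SIG" verifies. */
static int raw_verify(const char *sig) { return strcmp(sig, "GOOD-SIG") == 0 ? 0 : -1; }

/* Vulnerable shape: the duplicated goto is unconditional, so control reaches
 * the fail label with err still 0 and raw_verify() never runs. A bad
 * signature is therefore reported as valid. */
static int verify_vulnerable(const char *params, const char *sig) {
    int err;
    if ((err = hash_update(params)) != 0)
        goto fail;
    goto fail;                     /* duplicated line: always taken */
    if ((err = hash_final()) != 0)
        goto fail;
    err = raw_verify(sig);
fail:
    return err;
}

/* Fixed shape: the same steps with the stray goto removed. */
static int verify_fixed(const char *params, const char *sig) {
    int err;
    if ((err = hash_update(params)) != 0)
        goto fail;
    if ((err = hash_final()) != 0)
        goto fail;
    err = raw_verify(sig);
fail:
    return err;
}
```

A negative test that feeds a deliberately wrong signature, like the one below, is the check that would have caught this before release.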

Venmo

While I couldn’t find a CVE for this bug, it allowed a user to steal up to $3,000 in 2 minutes using Venmo’s text authentication and Siri. The attacker could use Siri to enable SMS notifications, then read and send the 6-digit verification code without access to the person’s device, letting an attacker talk their way into the maximum transaction allowed by Venmo, $2,999.99.

PS3 Fail0verfl0w


Again I couldn’t find a CVE entry for this exploit, but the attack vector was based on Sony’s random number cryptography function, which was incorrectly coded to only return a static number. Using this information, they could sign their own software and the PS3 wouldn’t know it hadn’t come from Sony. It had the same valid signature Sony possessed, and a user could install whatever applications or firmware they wanted. This led to a surge in homebrew and PS3 game piracy. Because this exploit was built into the hardware of the PS3, it was unfixable by software, and new hardware had to be developed to fix this bug.
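Added example (not Sony’s code, not from the original post) of why a static nonce is fatal for a DSA/ECDSA-style signature: a toy group with constructed parameters, a signer that reuses k, and the key recovery that two such signatures allow, next to the fresh-nonce case where nothing leaks.

```c
#include <stdint.h>

/* Toy DSA-style group, constructed for illustration: q = 23 divides p-1 = 46
 * and g = 4 has order q mod p. The s = k^-1 (h + x r) mod q equation is the
 * same one ECDSA uses; only how r is derived from the nonce k differs. */
#define P 47u
#define Q 23u
#define G 4u

static uint64_t modpow(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1, b = b * b % m)
        if (e & 1) r = r * b % m;
    return r;
}
/* Inverse mod a prime via Fermat's little theorem. */
static uint64_t inv(uint64_t a, uint64_t m) { return modpow(a % m, m - 2, m); }

typedef struct { uint64_t r, s; } dsa_sig;

/* Sign hash h (already reduced mod q) with private key x and nonce k. A correct
 * signer draws a fresh random k per signature; the PS3 signer reused one value. */
static dsa_sig dsa_sign(uint64_t h, uint64_t x, uint64_t k) {
    dsa_sig sg;
    sg.r = modpow(G, k, P) % Q;
    sg.s = inv(k, Q) * ((h + x * sg.r) % Q) % Q;
    return sg;
}

/* Two signatures sharing r share k, so s1 - s2 = k^-1 (h1 - h2) gives
 * k = (h1 - h2) / (s1 - s2) and then x = (s1 k - h1) / r, all mod q.
 * Returns 0 when r differs, i.e. when fresh nonces were used. */
static uint64_t recover_key(uint64_t h1, dsa_sig a, uint64_t h2, dsa_sig b) {
    if (a.r != b.r || a.r == 0 || a.s == b.s) return 0;
    uint64_t k = (h1 + Q - h2) % Q * inv((a.s + Q - b.s) % Q, Q) % Q;
    return (a.s * k % Q + Q - h1 % Q) % Q * inv(a.r, Q) % Q;
}

/* Constructed scenario: key 7, hashes 5 and 19, nonce 5 reused for both. */
static int demo_reused_nonce_leaks_key(void) {
    uint64_t x = 7, k = 5, h1 = 5, h2 = 19;
    return recover_key(h1, dsa_sign(h1, x, k), h2, dsa_sign(h2, x, k)) == x;
}

/* Same key and hashes, but distinct nonces: r differs and nothing is learned. */
static int demo_fresh_nonces_safe(void) {
    uint64_t x = 7, h1 = 5, h2 = 19;
    return recover_key(h1, dsa_sign(h1, x, 5), h2, dsa_sign(h2, x, 9)) == 0;
}
```

Deterministic nonces (RFC 6979) or a tested RNG are the standard mitigation; a unit test asserting that two signatures over different messages never share r would have flagged the static value.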

QuadRooter (CVE-2016-2503, CVE-2016-2504, CVE-2016-2059, CVE-2016-5340)

Named after the 4 CVEs the exploit uses, QuadRooter allows an attacker to use any of the 4 exploits to gain privilege escalation and root any new Qualcomm-based Android phone. Seeing as Qualcomm is a popular designer of chipsets, with a 65% share of the market, over 900 million devices were affected. Unlike Apple’s devices, Android phones need their software updates to come from the manufacturer of the phone, and some models are never updated, leaving phones open to the attack even if they are fairly new.

CVE count per year


Tracing back from 1999, 2014 seems to have the most CVEs, with 7946. October of this year alone had 678 CVEs disclosed. It might be shocking to see these numbers, given the general safety we assume in our day-to-day lives, but with every patched CVE the software we use gets more bug- and exploit-free.

Controversial Bounties and Bugs

The case of Instagram’s million dollar bug bounty is an interesting series of events. Wesley Wineberg saw Facebook’s “Whitehat bounty program” online and had seen Facebook’s claim that “If there’s a million-dollar bug, we will pay it out”. Wesley discovered an exploit that gave him source code, data, photos, and SSL certificates, a bug he thought was worth a large sum of money. After he detailed his findings to Facebook, they reviewed his case and determined that he “violated expectations of preserving user privacy”, which disqualified him from the bounty program. After Wesley detailed his findings online, with Facebook’s permission, the CEO of his employer was contacted and told that Wesley had accessed sensitive data, that his exploit was trivial, and that Facebook wanted the findings covered up. Wesley didn’t realistically expect a “Million Dollar Payout”, but he expected a threatening phone call to his CEO even less. In the end Facebook did pay Wesley $2,500 and Wesley published his findings. In his own words: “I’d like to think I’m on the good guys’ side when it comes to security research, so hopefully my findings will be seen in that light.”

Another Side

When someone finds an exploit and reports it to a company there is a normal deadline of 90 days to have the bug fixed before publishing the findings. Publishing findings early can have both positive and negative effects on the software being exploited. Firstly, if the company is aware and is actively working on a solution, releasing the findings before a fix is shipped could provide a healthy incentive to the team working on the patch to finish it. Of course, if the bug is difficult to patch and someone releases their findings early, it could also have disastrous effects: blackhats made aware of the flaw could exploit it for themselves and inflict damage on the company or other users. In the recent case of Google’s findings on Adobe Flash exploits in Windows 8 and 10 (CVE-2016-7855), Google published their findings only 7 days after they had been discovered, and no fix had been released by Microsoft. Some thought the disclosure was justified because the bug was being actively exploited, but others were wary that the increased attention could bring in more blackhats. Although releasing the findings was a decision, not releasing them would also have been a decision. The impacts of both could be debated, but with it out in the open Microsoft has addressed the issue and is sending the patch to all affected machines on November 8th.

Ethics and Bug Bounties

Like with anything, the world isn’t just black and white. There are also greyhats who violate laws or ethics, but they don’t have the same intent a blackhat hacker does. Instead of reporting the bug, they may offer to fix it for a price or other incentive. To determine the ethics behind bug bounties it comes down to the two big sides of hacking: the whitehats and the blackhats. Obviously the whitehat hackers are the more ethical of the two; using their abilities and knowledge for “good” and legal purposes certainly lines up with Kantianism, and they can lead fulfilling careers as penetration testers, or pen-testers. Allowing a developer to patch their software and improve their security while also getting paid sounds like the better, more ethical option. So why then do blackhat hackers exist? Well, depending on the severity of the exploit, a blackhat hacker could sell their findings to criminal organizations for a larger sum of money than they would receive if they contacted the company. Alternatively, blackhats hack for the fun and thrill of it, breaking into phones or cloud accounts and releasing photos being one of the more recent events to happen.

At the end of the day, bug bounty programs and ethical hackers make our daily digital lives safer by providing information that ultimately increases security. Whether a whitehat is motivated by money or the exciting nature of finding exploits, I think we can all agree that the digital world is a safer place thanks to them.
