Saturday, 8 December 2012

Crowdsourcing Hacking...

Introduction

Nowadays because of the recession things such as drug trafficking and prostitution don't pay as much as it used to.  Don't believe me? In 2003, hacker-created computer viruses alone cost businesses $55 billion—nearly double the damage they inflicted in 2002 (SecurityStats.com 2004). In 2000 the total cost of all hack attacks to the world economy was estimated at a staggering $1.5 trillion (PricewaterhouseCoopers 2000). In a 2004 survey of American companies and government agencies conducted by the Computer Security Institute, over half of respondents indicated a computer security breach in the past 12 months and 100 percent of respondents indicated a Web site related incident over the same period (CSI 2004).

If anything these figures probably understate the volume of hacker-related security breaches. Firms, especially financial institutions, are extremely reluctant to report hacker-related break-ins for fear of how this may affect customers’ and stockholders’ impressions of their security. In the survey of American businesses conducted jointly by CSI and the FBI, nearly 50 percent of firms that experienced system intrusion over the last year stated that they did not report this intrusion to anyone. The primary reason cited for this was the perceived negative impact on company image or stock (CSI 2004: 13-14), and similar findings have been corroborated by others (see for instance, United Nations 1994; Schell et al 2002: 40). What can we say about the enigmatic community of computer hackers and what can we do about the cost these hackers impose? Hacking has been industrialized, organized cyber crime is more powerful than ever and the penetration testing community proves to be insufficient. So what is the solution?



Well the solution is crowdsourcing the pen-testing activities. The term crowdsourcing was first used back in 2006, and has proved a popular way to outsource tasks to large groups or communities (i.e. “the crowd”), where small actions by large numbers can achieve quick results. This idea has now been adopted in the area of penetration testing.  And that is the reason that lots of companies release all this bounty hunter programs.

What Crowdsourcing is in detail

Crowdsourcing is a process that involves outsourcing tasks to a distributed group of people. This process can occur both online and offline. Crowdsourcing is different from an ordinary outsourcing since it is a task or problem that is outsourced to an undefined public rather than a specific body. An example of specific body is paid employees from a company.

Crowdsourcing is related to, but not the same as, human-based computation, which refers to the ways in which humans and computers can work together to solve problems. These two methods can be used together to accomplish tasks.

Crowdsourcers

There are a number of motivations for businesses to use crowdsourcing pen-testing to accomplish serious hacks. These include the ability to offload peak demand, access cheap labor and information, generate better results, access a wider array of talent than might be present world wide, and identify security issues that would have been too difficult to identify and mitigate by simply hiring a company to pentest the target company infrastructure.

Motivations

Many scholars of crowdsourcing suggest that there are both intrinsic and extrinsic motivations that cause people to contribute to crowdsourced tasks, and that these factors influence different types of contributors. For example, penetration test professionals that want to make a good name in the market would participate in the bounty hunter program. Another way to look at this would be to realize that hackers would either way try to hack your web site, why not give them the money instead of forcing them to go to the black market and monetize their effort?

Crowdsourcers motives

In the hacking realm there are three different types of hackers:
  1. Bad Hackers (Hacking for Notoriety)
  2. Good Hackers (Hacking only for learning)
  3. Fame-Driven Hacking (Hacking for fame)
  4. Greedy Hackers (Hacking for Profit)
From the mini analysis of the types of the hackers that are utilized in an crowdsource penetration test you can understand that crowdsource hacking has multiple benefits. The benefits are that all types of hackers get payed to report their findings to the web sites that run the bounty hunter programs. This essentially means that bounty hacking programs directly compete with the "crime market prices", a win win situation (both hackers and legitimate companies remain happy).

Bad Hackers: Hacking for Notoriety

The survey conducted by Schell et al (2000) suggests that only 11 percent of respondents are malevolently motivated.  However small the proportion of bad hackers may be, they are the most important to consider because they are responsible for the costly damage inflicted by hackers each year.  Contrary to other work which suggests that a substantial proportion of hackers are motivated by fame or reputation inside the hacking community, none of those surveyed by Schell et al noted this reason as their motivation.

Note: At this point it would be wise to mention that the survey is relatively old and does not represent the current hacking realm. 

Good Hackers

While the psychology of hacking is still in its nascent stages, initial research seems to have come to some consensus regarding what motivates hackers to hack.  Individual hackers and hacker gangs operate in the context of a larger underground social network or community consisting of similar individuals.  The best empirically grounded work that examines the hacker mind therefore draws primarily on interviews and surveys administered to members of this underground community. This obviously is not very helpful, but crowdsource hacking is still the best way to go, based on previous

The Economics of Fame-Driven Hacking

The fame-based drive of many hackers has particular implications for how this segment of the “hacker market” looks.  The “coin of the realm” for fame-driven hacking is, of course, fame.  How we model this “market” therefore differs from traditional markets in which money drives production and price adjusts to equilibrate suppliers and demanders. The fame-driven hacking “market” considers the relationship between fame and the quantity of hacking. This is were crowdsource pen testing fits in, fame driven hacking covers the psychological needs for the these types of hackers, if for example the bounty hunter program publishes the names of the hackers in a lets say a hall of fame section of the web site then these hackers get what they want (which is fame).  

Greedy Hackers: Hacking for Profit

A third class of hackers is driven by the profit potential of hacking activity.  These hackers are concerned with dollars not fame and may come from either pool of hackers, good or bad.  From the bad pool are hackers who engage in activities such as credit card fraud, stealing from banks, selling sensitive  information stolen from one company to another, or those who are hired by other criminals to do their bidding for a fee. Now if the price offered from the available bounty hunter program is a few hundred dollars and the worth of the company assets scoped in the bounty program worth a few thousand dollars, then the bounty hunting program might not be a true motive for an advanced hacker.    

Companies that do crowd hacking

The following peace of information is taken from Hatforce: "Want your web or mobile application to be tested on security. We test your application and charge the result, not the process. Findings guaranteed: You get 100€ if we find nothing!". There are a lot more companies that run bounty hacking programs.

Epilogue

It is known that Google Offered $1 Million totally in Hacker Bounties for Exploits Against Chrome. The next question would be, is internet becoming better with all these bounty hunter programs? I think that yes, you?

References: