Military cybersecurity forces, like the Navy's Cyber Forces, have expanded, but the US government still relies on private contractors and hackers to suss out security flaws. Via the US Navy
In today's world, public enemy number one isn't likely to be the tough, tatted thug on a wanted poster. More and more, it'll be the brainy hacker in front of a computer screen, silently crafting cyberattacks from his workspace. And so are the good guys.
Governments need white hat hackers to sniff out security holes and bugs in computer systems, before the wrong person finds them first—and they're willing to pay. Countries shell out hundreds of thousands of dollars to companies like ReVuln, the security firm profiled Sunday by the New York Times.
ReVuln's customers—which include Russia, North Korea, and, you guessed it, the NSA—are looking for flaws in their own networks so they can fix them, and in enemy networks, so they can exploit them. A simple error in code can give the buyer full access into software, reported the Times. The hackers are there to sniff it out.
The practice of paying "bug bounties" for hackers that hunt out security flaws has been around for ages. Microsoft, Google and Facebook have all spent thousands to find and fix bugs in their own products. Though making sure your Chrome browser is working properly is a worthy endeavor, the stakes with governmental systems can be much higher. Considering how much work is effectively outsourced via boutnies, it's a pretty crazy thought to think that a relatively small group of private citizens are an important line of defense against cyberespionage and worse.
That's not to mention the threats at home. White hats from the security firm iSEC uncovered a security flaw that sent a shiver down consumers' spines last week. They discovered they could hack into a Verizon device used to amplify wi-fi signals and turn it into a spy machine that could listen in on the cellphone conversations of any nearby Verizon customers.
The signal-boosting device, known as a femtocell, has been something of an Achilles' heel for cybersecurity. Since it's essentially a tiny cellphone tower, it can pick up all the phone signals nearby. When it’s breached, the hacker can listen in on the calls of any Verizon customer nearby.
While phone-tapping is nothing the US government isn't already doing, imagine what could happen if the wrong person hacked in. "This is about how ordinary people would attack ordinary people," iSEC's Tom Ritter told Reuters.
The Verizon bug is a reminder that white hats hold a lot of power, and more so all the time. It also begs the question, what's to make computer whizzes use their power for good deeds instead of devious and criminal ones? The government wants it to be a no-brainer. Help us and get rich, or don’t, and go to federal prison with Andrew "weev" Auernheimer, the hacker currently serving 41 months for discovering a security flaw in how AT&T was storing user data and giving it to Gawker.
To this end, a growing number of university programs, like the one at NYU's Polytechnic Institute, are training young programmers for careers in cybersecurity. NYU-Poly holds "Hack Nights" that mimic real-world scenarios for students to practice. As the saying goes, to catch a criminal you have to think like one. In a sense, young white hat hackers have to be taught illegal behavior so they can stop it.
Uncle Sam wants these good guy hackers. With so much hanging in the balance, they'd do well to get on the hacker community's good side. So far, not so good. In past years the NSA has gone to the DefCon hacker conference to hunt for recruits. This year, still bristling from the NSA spying scandal, conference organizers have asked the feds to sit this one out.
Meanwhile, the security experts that exposed the Verizon femtocell flaw will be there, speaking in more detail about how they spotted the bug. Verizon has said it fixed the problem, but experts don’t believe that’s true: An NPR reporter yesterday had iSEC successfully break into her cellphone and listen in on a conversation to demonstrate how easy it is to do.
It will be up to white hat hackers to help the Verizon fix this security breach before it gets out of control. Too bad the government won't be there to learn a thing or two.