The good, the bad and the hole-y
‘White-hat hackers’: collecting bounties by finding holes in companies’ IT
Having a reliable and bug-free website is an essential success factor in our digital age. That’s true for any major company, but it’s especially vital for banks. Cyber security is therefore a number-one priority. But just as burglars sometimes manage to break into high-security buildings, even the most secure website in the world is not invulnerable to attack. ‘Our job is to cover all the bases, but hackers only need one chink in the armour to be able to slip in.’
This is why, several years ago, Rabobank launched a hotline that ethical computer hackers can use to report what they believe to be weaknesses in our websites and systems. The bank’s security experts assess each report received and resolve the issue if necessary. If the person who made the report turns out to be right, they receive a reward that reflects the value of their discovery – provided they have played by the rules and have not caused any damage. These ethical computer hackers are also known as ‘white-hat hackers’ – a nod to classic westerns, in which the good guys were known to wear white cowboy hats to mark them out from the black-hat-wearing bad guys.
Different type of knowledge
‘The hotline is a way to draw expertise from outside into the organisation,’ Bart Steijlen explains. As a security tester at Rabobank, he is part of a team that investigates incoming reports: by simulating the problem, they check whether the weakness reported actually qualifies as a problem. ‘White-hat hackers give us access to a different type of knowledge: there is less of a barrier between them and the “dark side”, so to speak. They have different information sources than the bank and tend to be more in tune with what’s happening in the digital underworld, which means they’re aware of the latest attack strategies. Organisations such as ours attempt to anticipate those in securing our sites.’
Hotline: not a sign of weakness
Steijlen puts in his own hours as a white-hat hacker in his spare time, trawling other companies’ websites. ‘I see it as a hobby; it’s about the challenge more than anything else. If a company has a hotline, I think to myself: “Let’s see how far we can get…”’ It’s anything but a sign of weakness when a company asks hackers to test the security of its website, as Steijlen explains. ‘It’s actually the opposite: the fact that you operate a hotline in the first place shows that your company already has quite a solid security system in place. If your website is a security hazard, you’re first going to try to work out the problem with your own team. The last thing you want is for teens who are just messing around (known as “script kiddies” or “skiddies”) to break into your site. They don’t really know what they’re doing and are unaware of the risks involved. They could well end up deleting an entire database. That’s something a professional hacker would never do.’
There are other white-hat hackers who, like Steijlen, are IT professionals and enjoy spending their free time looking for loopholes in companies’ security systems. It’s the thrill that drives them, rather than the reward. It turns out that a lot of the reports received by the Rabo hotline are from outside the Netherlands. ‘We receive a fair number of reports from India, the former Yugoslavia, Italy and other foreign countries. White-hat hackers from these places tend to be more interested in the reward than in the challenge itself. We also regularly receive automated scans from bounty hunters, often from India. They’ll flood your system with automated scripts in hopes of making a little money. Most of these reports only reveal low-level security threats whose risk is negligible and which are of no great interest to us. The types of reports that really make us sit up and take notice, involving high-level security threats, are almost never sent by robots. Detecting those types of risks still requires a human eye.’
A T-shirt or a tidy sum
The rewards received by white-hat hackers depend on the potential impact of the bug they are reporting. People who report low-level security threats receive small sums at most, while the rewards are obviously greater for high-level threats. ‘We have a table that lists the rewards for the different types of reports we receive. But the general idea is to acknowledge their contribution with a modest financial reward,’ says Steijlen, stressing the word “modest”. ‘Smaller businesses might give just a T-shirt or a gift voucher.’ Still, white-hat hackers have occasionally been known to hit pay dirt: 10-year-old Jani from Finland recently reported a leak in Instagram and ended up receiving a 10,000-euro bug bounty. Jani discovered he could use malicious code to delete any post on Instagram’s servers, regardless of the sender. Steijlen: ‘I’m relieved to say we haven’t run up against a security leak of that scale at Rabobank yet.’
Collaborating and sharing best practices
Rabobank has been running the hotline for several years now. The bank’s Chief Information Security Officer, Wim Hafkamp, was involved in the initiative from the start: ‘We have received several hundred reports since we started out in 2013, including some valuable tips. Four other banks in the Netherlands operate similar hotlines; we entered into agreements with them at the time. Both Rabobank and the other banks are extremely positive about the hotline.’
‘We would like to share this best practice and encourage other organisations to create similar hotlines,’ Hafkamp says. Rabobank and the CIO Platform Nederland (an independent association for IT departments of public and private organisations) therefore decided to draft the ‘Coordinated Vulnerability Disclosure Manifesto’. In signing this letter of intent, the organisations involved declare their support for the concept of a hotline for IT security leaks and their intention to establish such a hotline within their own environments.
Several dozen organisations signed the manifesto on 12 May 2016 during the “High Level Meeting Cybersecurity”, an event organised by the Netherlands Ministry of Security and Justice in the context of the country’s current EU Presidency.
The signatories include major players in the healthcare, transport, energy and financial industries. Additional information about the manifesto is available on the CIO Platform website and from the National Cyber Security Centre.