Bug hunting may be fueling the push and pull of cyber attacks.
Earlier this year Hansa and Alphabay, two of the largest dark web destinations for the trade in illicit goods and services, including guns, drugs and criminals for hire, were shut down by law enforcement teams. The US proclaimed that the dark web was ‘no place to hide’.
The dark web has naturally developed an air of mystery; estimates suggest that the typically uglier sibling to the "clear web" may be some 500 times larger than the internet that we are all used to, although obviously it is difficult to measure what can’t easily be found.
Accessing the dark web typically requires use of an intermediary service to anonymise the entry point of the user’s computer to maintain the "untraceable" nature of his or her activities. The use of cryptocurrencies such as bitcoin has also strengthened the platform and fueled the growth of marketplaces for often criminal products. A common intermediary is the Tor service and browser combination, although others exist.
It seems that the days of anonymous browsing may be limited if the private business Zerodium is successful in tempting hackers to the even darker side. It has offered bounties of up to $1 million for compromises that can be used to hack and exploit the Tor infrastructure.
The business has stated that it intends to use the hacks "to help our government customers fight crime and make the world a better and safer place for all" (for a price!). It has also placed bounties on the typically encrypted and "secure" communication systems Signal, Telegram and WhatsApp.
The business of finding compromises and bugs in software, often called "bug bounties", has become a legitimate and highly profitable business for many grey hackers. The compromises they develop are often sold on to others desperate to gain access to the secretive, anonymous, private and hidden worlds they open up. Customers can include law enforcement agencies and governments.
Other systems developed to protect our privacy and increase our online safety, including the use of encrypted web access through HTTPS and SSL encryption, have also been turned from shield to sword. Increasingly we have seen sophisticated malware turning to SSL encryption to make detection of its payloads even more difficult. Estimates suggest that over a third of global malware is using the encryption mechanism.
Good technologies can turn bad. We should be wary of becoming too complacent about the state of our businesses’ and our customers’ security – effective cyber security is a full-time job!
The six-figure prize comes weeks after Zerodium placed $500,000 bounties on secure messenger applications, like Signal, Telegram and WhatsApp. The highest single bounty offered by the company is $1.5 million for an iPhone zero-day vulnerability allowing remote jailbreaking with persistence at zero clicks.