There are a lot of juicy targets for hackers these days. Millions of people are working from home, companies are working on valuable therapeutics and vaccines for COVID-19 and virtual private network software is vulnerable. One of the ways companies fight attacks is to try to fix bugs in their software before they can be exploited. They do it by hiring ethical hackers and paying them to find those holes.
I spoke with Jesse Kinser, who works as the chief information security officer for the precision health care company LifeOmic. And she moonlights as a hacker, finding jobs using the crowdsourced hack platform Synack. She said there’s a lot more competition these days. The following is an edited transcript of our conversation.
Jesse Kinser: Bug bounty platforms have been around for a while now, probably five or six years. Synack is a great platform. You can go on there [and] companies will actually go in, create a program and allow you to hack on them. They invite these ethical hackers to come in and find holes in their products or solutions. A company that maybe has a large website, they put that as a target on the Synack platform, invite the hackers to come in, find these bugs and then they pay them money for the bugs that they find.
Molly Wood: Is the money good?
Kinser: Yeah. It definitely differs, based on how complicated the bug is. If it’s something easy, you’re probably not going to get a whole lot of money. But if you find a really complicated bug that maybe really shows true impact and finds critical data and exposes that, then you’re going to get paid quite a bit of money. Definitely thousands of dollars. There are hackers out there [who] can make $1 million a year.
Wood: I wonder about the list of targets. Companies, you said, are sometimes posting and looking for vulnerabilities themselves. Does it always have to be at the company’s invitation?
Kinser: Yeah, for the most part. There can be a gray area here, and that’s what’s challenging about this industry. There’s not a really good defined law that allows people like myself to go in and test against these companies and report things. But the companies that do sign up for this, they give you a very well-defined scope. They say, “These are the things you can go hack against, but don’t touch these other things.” That allows us to go in and know that we are covered and we can ethically hack against these without getting sued and getting in trouble.
Wood: I would assume that there must be some frustration. Sometimes you’re thinking, “I know that there’s a vulnerability here, but this company is unwilling to accept that possibility,” maybe?
Kinser: For sure. I’ve definitely run across that in my past. I found different vulnerabilities and systems, just stumbled upon things, and yet they don’t have a responsible way for me to disclose that to them, and it’s been challenging. I have to just email random email addresses at the company or hope that their support people can point me to their security team. A lot of times there’s pushback. People get on the defensive whenever you find an issue with their system, rather than accepting that and wanting to fix it.
Wood: How has this activity changed, if at all, during the pandemic? Are there more people with more time wanting to do this work, or maybe more companies saying, “We could use the help”?
Kinser: There are definitely different industries and companies that are having a lot more traffic than usual with COVID-19. A lot more people are working from home, companies are opening up firewalls and such so people can work from their house or somewhere else that’s nontraditional to their standard day to day, so that introduces more bugs. There are more companies that are coming online to support this. They say, “Hey, come help us find these issues that we may have introduced during COVID-19.” And then, of course, there are more hackers that are available, because people are getting laid off, there are typical economy issues. This is something where you can go out, and you could make money, and you can do it on your own time.
Wood: In terms of companies that you’re seeing invite ethical hacking, are you seeing specific industries coming online now saying, “Make sure we’re secure”?
Kinser: I have a vested interest in the health care space, so I try to pick out the programs that are focused around that and hack on those. But I have noticed there aren’t that many health care programs out there that will allow us to hack against them. I think that it has a lot to do with HIPAA [the federal law restricting release of medical information] and a lot of the regulation around the industry. But there are people that are trying to break through that, because there are ways to invite these hackers in without breaking all of the laws and rules surrounding that. I think we’re slowly starting to see that transition, and I think COVID-19 is going to push that further along than it probably would have pre-COVID-19. Everybody right now is thirsty for information about COVID-19, and that’s what hackers love. They want people to open up emails and just randomly click links that say COVID-19 so they can steal their information. I think it’s definitely going to change the way we see things around the health care industry going forward, but it’s slow and steady wins the race.
Wood: If you’re seeing more hackers on the scene, then does that become more competitive? Does it push prices down?
Kinser: Yeah. I would say that it’s definitely a competitive thing. We’re all in it to make money and find these bugs and such, but another important piece of it is learning from each other. Security is tough. None of us really know how to do it completely 100% accurately. There’s no such thing as a completely secure product. Us as hackers, we take what we know and we do the very best we can, and then we share our tools with others and let them build upon that. Together we make things better.
Related links: More insight from Molly Wood
The BBC reported on Monday that the University of California, San Francisco, which is working on a potential COVID-19 vaccine, was the target of a ransomware attack at the beginning of June. The institution apparently paid a little over $1 million to recover access to data stolen from its medical school.
In very bad news for security admins, Palo Alto Networks, which makes corporate firewall software and VPN hardware, disclosed a security vulnerability — the kind that someone like Jesse Kinser might have uncovered. The vulnerability makes it way too easy for hackers to break into a corporate network by targeting someone who’s remotely connected to that network. The company has rolled out a fix, but U.S. Cyber Command warned that foreign state-sponsored hackers are going to be on this flaw like white on rice. So hurry up, IT admins. The vulnerability is so bad that security officials ranked it as a rare 10 out of 10 on the industry standard Common Vulnerability Scoring System.
With everything going on, the literal last thing you think you want to worry about is hackers. Sorry, man. Wash your hands, wear a mask and do not click on any suspicious links or open any weird attachments, because your work here is never done.