Article by Chris Orr
I might possibly be in the wrong business. Google announced recently that teenage hacker “Pinkie Pie” was awarded $60,000 for finding and reporting a bug in the company’s Chrome web browser. Apparently this is not even the first time he has accomplished this feat; he shared a similar prize in February of 2012, according to this article on CNN.com.
This brings to mind a couple of questions: 1. Why do hackers have all the cool nicknames? 2. For every exploit that a white or grey hat finds and reports to a company…how many go undetected and remain a threat?
Return to the idea that companies spend huge amounts of money on security to protect their assets: firewalls, intrusion detection, anti-malware and all sorts of appliances designed to keep the bad guy out. Yet it’s a hole in one of the most widely used applications that could pose one of the greatest threats.
Ruminate on that for a moment. An application that gets used daily by every single employee in an organization can have more holes in it than Swiss cheese at a grenade-throwing contest…
The same article discusses how Facebook will pay $500 for each bug or vulnerability found on its web applications. Apparently anyone with a modicum of hacking skills can just about make a living poking holes in other people’s stuff. I wonder what kind of hacker names would surface around the Facebook water cooler…
I would imagine that names like Wonderbr3d or Athl33ts F00t would probably pop up, or how about Fl33t W33k for some kid hacker thinking of joining the Navy? I like Phr33k of N@ture as a hacker name too.
Sometimes it’s hard to connect security to the business when you have to explain to your decidedly non-technical boss that these are the kinds of people you are trying to detect. All of the hardware in the world won’t stop that same boss from using his or her web browser to visit a webpage where the hacker has planted their malware flag.
Continuous monitoring of both internal and external activity can mitigate much of this risk. Combining file integrity monitoring and security compliance with a dash of log management and SIEM will allow the Security Ninja to proactively detect poorly configured servers, routers and desktops. This enables them to better protect the environment from the teenage kid with a name like flux tr0jan.
By the way…you better keep an eye out for the next Google Pwnium contest…for $60,000 you might find me competing for the money…just look for: M4573R(master) H4X00R(hacker)… By the way you can go here to get your own hacker nickname…
Cross-posted from Tripwire's State of Security