Who are the good and bad guys in software security?

29 Jul 2015

As featured in DisruptiveViews

Have you ever wondered why most of the vulnerabilities in computing and mobile devices are found by hackers and security companies? I guess that’s pretty logical when you consider the hacker’s sole aim in life is to hack into systems, presumably to show how clever they are, and security firms depend on sales of their software to patch vulnerabilities.

Conspiracy theorists and sceptics might even suggest that the two may be working in unison to maintain their status and incomes. What a daunting thought! Perhaps we should add another element into the equation – the intentional addition of malware and flaws in code by the programmers of those systems, testing first to see if they can evade detection, then claiming credit for exposing the flaw later. The mind boggles.

Ever wondered why hackers do what they do? According to an article in Betanews, Thycotic, a software firm specializing in privileged access password protection, conducted a survey of 127 hackers at Black Hat USA 2014 to try and understand their thinking.

The company found that more than half of the hackers (51%) were driven by the fun/thrill, while 19% were in it for the money. Few hackers fear getting caught with 86% confident they will never face repercussions for their activities.

It’s a shame the recipients of hacking exercises don’t enjoy the same fun/thrill as the hackers, especially if the hackers are malicious, nor do they fear the repercussions of activities that are often not quite legal. There are others that seek notoriety amongst their peers for their ‘discoveries’ by being the ‘first’ – how else could you explain events like Black Hat, which describes itself as “the most technical and relevant global information security event series in the world”?

That probably explains why Joshua Drake, from Zimperium zLabs, will be presenting his research on the very frightening Stagefright Android security flaw at Black Hat USA on August 5 and at DEF CON 23 on August. Maximum exposure to the very community that relies on securing systems for the rest of us – but am I the only one that sees the lines blurring?

It would appear that both the hacking and security communities have become dependent on each other. In fact, the most eloquent hackers are being gainfully employed to expose flaws in systems by the security guys paid to protect them. It’s not a bad gig, is it? I’m not suggesting for one minute that there is collusion between the two, but it could be an area of concern for companies paying out for the combined services. After all, how would they know whether the threats discovered are genuine and whether the consulting and subsequent patches applied were necessary?

I remember interviewing Kaspersky Labs boss, Eugene Kaspersky, for Telecom TV some years back and asking, rather sheepishly, what he thought of sceptics that claimed anti-virus exponents might be behind the release of viruses in order to keep their sales going. His demeanour changed immediately and a cold Russian stare was all the answer I needed to move onto the next question.

Perhaps that was not the subtlest question for a novice interviewer to ask but it may be one corporate security heads should be asking their contractors and suppliers of system security software. No doubt, they will be met with the same cold stare, but who is there to police the policemen? We can’t be so naïve to believe they are all good guys, surely?

But getting back to the Stagefright discovery affecting 950 million Android devices, and the almost weekly discovery of another issue with Adobe Flash Player – you have to ask what is really going on. Are our programming and testing skills so poor that we are unable to prevent flawed software going out undetected?

If this is the case, hackers are either our saviours or disruptive twats out to make our lives a misery and security firms are our most valued suppliers or implicated in a sub-economy akin to ‘protection money’ rackets. What do you think?
