A State Department report on Russian online operations to promote conspiracy theories and misinformation. Some analysts also warn of "perception hacks," when relatively small-scale hacks are uncovered and then widely discussed by government officials, news organizations and on social media. (Jon Elswick/AP)
There's no easy answer, but at least there's a catchphrase: a "perception hack." This describes a relatively small-scale intrusion that probably won't cause much actual harm, yet it may have an outsized psychological impact once it's uncovered and enters the public bloodstream via government officials, news organizations and social media.
Four years ago, the Russians waged a major interference campaign that included hacking Democratic Party emails and creating false social media accounts to exploit political divisions. Despite the broad scale of the Russian effort, it received only modest attention before the balloting.
"In actuality, it was publicly available information that they obtained" and posed no threat to actual voting or vote counting, said Nina Jankowicz, who studies disinformation at the Wilson Center in Washington and is the author of How to Lose the Information War: Russia, Fake News, and the Future of Conflict. "It's very easy for people to be led astray by this sort of operation."
The attackers' intent was not clear. Normally, a hacker wants to go undetected. But it's also possible the hacker wants to get noticed, hoping the revelation will undermine public confidence in the election.
"Since our cyber defenses have been raised over the past couple of years, we see Russia rattling the handle to our cyber door," said Jankowicz. "This spreads fear and uncertainty within the American election system. I think this benefits Russia even if they don't gain access to any sensitive voter information on the other side of that door."
To combat potential threats, the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security, was established in 2018. The agency has set up a "rumor control" page on its web site.
"Foreign actors are attempting to spread disinformation and attempting to sway voters by executing influence operations," Evanina says. "To be clear, it would be very difficult for adversaries to interfere with or manipulate voting results at scale."
Thomas Rid, the author of Active Measures: The Secret History of Disinformation and Political Warfare, said the U.S. should be aware of perception hacks carried out by a foreign adversary during the election season.
Rid and other analysts say the riskiest period could be right after the election if the vote is close and the counting extends for days. Any rumor of election fraud or the mishandling of ballots could be easily exploited.
"I think the most dangerous scenario is that if we enter this protracted period of uncertainty," Rid said. "An adversary could jump in and create more uncertainty by claiming, rightly or wrongly, that there was some meddling."
The problem is, at the bottom of each email he says he "expects a bounty to be paid". Is this blackmail? Is this his way of saying you'd better pay me or I'm going to wreak havoc? Or is this a typical and legitimate method for people to make a living without any nefarious intentions?
EDIT: For more clarification: He gave me two examples of vulnerabilities with screenshots and clear instructions on how to fix those vulnerabilities. One was to change the "?all" part of my SPF record to "-all" to block all other domains from sending emails for my domain. In the other email he explained how my site was able to be shown inside an iframe (enabling a technique called "clickjacking") and he also included an example of the code and instructions on how to prevent it.
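The two findings in the question (an SPF record ending in "?all" and a page that can be loaded in an iframe) can be checked without a third-party scanner. The following is an added example, not code from the question or any of the answers: it classifies the qualifier on an SPF TXT record's "all" mechanism and checks whether HTTP response headers forbid framing, using constructed sample inputs (a live check would query DNS for the TXT record and fetch the site's headers).

```python
import re
from typing import Optional

# Qualifier in front of "all": "-" fail, "~" softfail, "?" neutral, "+"/none pass.
_ALL_RE = re.compile(r'(?:^|\s)([-~?+]?)all(?:\s|$)', re.IGNORECASE)

def spf_all_qualifier(txt: str) -> Optional[str]:
    """Return the qualifier on the SPF 'all' mechanism, or None if absent."""
    if not txt.lower().startswith("v=spf1"):
        return None          # not an SPF record at all
    m = _ALL_RE.search(txt)
    return (m.group(1) or "+") if m else None

def spf_verdict(txt: str) -> str:
    """Map the 'all' qualifier to what a receiving mail server does with
    mail from hosts the record does not list."""
    q = spf_all_qualifier(txt)
    if q is None:
        return "unrestricted"  # no "all" mechanism: unlisted senders are not rejected
    return {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass"}[q]

def is_spf_restrictive(txt: str) -> bool:
    """Only -all and ~all tell receivers to reject or flag unlisted senders."""
    return spf_verdict(txt) in ("hardfail", "softfail")

def framing_protected(headers: dict) -> bool:
    """True if X-Frame-Options or CSP frame-ancestors blocks cross-site framing."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return True
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            return bool(sources) and "*" not in sources
    return False

if __name__ == "__main__":
    # Constructed sample inputs standing in for a DNS TXT lookup and a HEAD request.
    weak_spf = "v=spf1 include:_spf.example.net ?all"
    fixed_spf = "v=spf1 include:_spf.example.net -all"
    weak_headers = {"Server": "nginx"}
    fixed_headers = {"X-Frame-Options": "SAMEORIGIN",
                     "Content-Security-Policy": "frame-ancestors 'self'"}
    for label, rec in (("weak", weak_spf), ("fixed", fixed_spf)):
        print(f"SPF {label}: {spf_verdict(rec)} restrictive={is_spf_restrictive(rec)}")
    for label, hdr in (("weak", weak_headers), ("fixed", fixed_headers)):
        print(f"framing {label}: protected={framing_protected(hdr)}")
```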
A true "ethical hacker" would tell you what issue (s)he found in your system, not ask money for that; (s)he could offer to fix it as a contractor, but that would be after telling you what the actual problem is; and in any case, it's a completely different thing from just trying to scare you into paying.
While this might be blackmail, there are many possibilities for genuine good intents, too. Therefore, here's some more comprehensive thoughts on how one might handle unsolicited vulnerability reports. In short: you have every reason to be cautious, but you do not have to be rude.
Ethical hackers perform their analysis based on a contract typically with predefined targets and limitations. These might be ordered assignments or more loosely defined bug bounty programs, either directly or through a platform like HackerOne. In any case, an ethical hacker (or a white hat hacker) always has an explicit permission.
I have found several vulnerabilities by accident, without an intention to poke the system in any way. These cases are usually rather harsh, and I do hesitate over whether to not report it at all, report it anonymously, or report it with my name, which would give me the possibility to help them with further questions. The reality is that because I did not have permission, the receiver may interpret or handle my report in unexpected ways, possibly causing me legal charges or other problems. So far, they have been sympathetic towards me.
You are asked to pay for the findings, but without knowing the details you cannot be sure whether they are worth paying for at all. Vulnerabilities come in all shapes and sizes. Some of them are critical, and some are minor. Some may also seem problematic from outside, but are completely irrelevant to you, or within your accepted risk. One simply cannot sell vulnerabilities in pieces, bundles, kilograms, or liters.
A message suggested a reward for finding a web page protected by HTTP basic authentication, which indeed is not a secure authentication method. However, as it was only an extra layer of security before an actual login page, and not protecting any critical system anyway, it was not really a vulnerability at all. Therefore, the finding had zero value for the company.
A report of a missing SPF record. The explanation was correct and all, but the record was not missing! Instead of querying from DNS, the "bug bounty hunter" had used a web-based SPF lookup tool but used instead of example.com. Due to this syntax error it did not show the record.
Therefore, in order to judge the value, some details of the vulnerability must be disclosed. If someone who has found the vulnerability thinks giving out these details may result in losing the reward, the vulnerability may actually be worthless: known, easy to spot with automated tools, within accepted risk, too minor, or otherwise irrelevant. On the other hand, if the vulnerability is severe, it is often also so complex that giving some proof of concept will not completely help fixing it. The additional work required to describe and address the vulnerability is valuable and will be paid.
It's not unusual for someone who discovers a security vulnerability to be paid a bounty for their discovery. A lot of prominent open source projects and web sites have policies of paying a bounty for responsible disclosure of a vulnerability. I don't know how common it is for companies to pay a bounty without having some sort of bounty program set up in advance though.
How much should you pay? That's up to you. In my case, the vendor rated the bug as "critical" then it was patched. It could have led to serious compromise, but would have been difficult to do. I was paid a little under $5k for my efforts, which was near the top end of the range quoted on their web site.
Also, if they're just telling you about a known security vulnerability in a bit of third party software that's probably not worth much. e.g. if you were running an old version of WordPress and the bug was a known WordPress vulnerability.
A proper ethical hacker isn't trying to wreak havoc. Nor will they be selling the vulnerability to someone else if you don't pay. But that assumes you're dealing with a legit ethical hacker, not some troublemaker who's trying to rip you off or cause trouble.
After I earned my bounty, I did the maths, and figured I could potentially earn a living collecting bounties. It is possible. Whether that's what your guy is up to, who knows. Trying to collect bounties from companies that don't have formal bounty programs is a pretty risky way to go about it though, which counts against your guy IMHO.
Consider hiring a security person (not this "hacker") to evaluate your systems. Whatever form that takes, a one-off engagement to do a security assessment, a bounty, or a migration to a hosted platform to outsource operations to someone else.
Even if the "vulnerabilities" are real, you should not assume they are useful unless you understand them in context yourself. For example, is there any actual way to cause harm by embedding your site in an iframe? I get these spam "vulnerability" emails all the time, but the site in question is a static marketing page with no user login capability, so there is no possible use in performing a clickjacking attack on it. These people just run "vulnerability scanners" against your site, then ask you for money. They don't actually understand the output of the tools.
To say it more pointedly: given the two security issues mentioned by the "hacker" (SPF ?all and clickjacking), it is most likely that the hacker has not spent any significant time or effort specifically examining OP's site.
You may also feel that you do not care about security - this is perfectly fine assuming that you are aware of the consequences. Since you run an internet based business I think this is not an option.
If they don't react the proper way in a timely fashion, the hacker, the other security experts or the media involved may publicly disclose the bug, the failure of the bug bounty program and/or other details.
I have read computer law in graduate school, but speaking as an ethical hacker and bug bounty hunter myself, I never try to find vulnerabilities (known as pentesting) on websites I do not own or have express permission to test.