i3 - July/August 2017 - 13

By Mike Bergman

Tech Pipeline

Opening Up To Hackers

When we hear the term "hacker," we often think of some nefarious high-tech evildoer straight out of the movies. But many in the broad hacker community "practice ethics." A researcher who discovers a security problem makes a reasonable effort to notify the manufacturer and gives them time to fix it before publishing the research. This is called "coordinated disclosure."

In fact, when you read about a hacked product, it's often old news. The hacker actually contacted the manufacturer months ago, the fix is being distributed, and the hacker is publishing the research now that it's safe (or perhaps, safer). In the best-case scenario, the process works as described. Sometimes the manufacturer will pay the researcher a "bug bounty," scaled to the severity of the bug.

So how does this process work in practice? Recently CTA took a look at the traffic on the Network Security section of Reddit.com (https://www.reddit.com/r/netsec/). We looked at all original content posted in a 48-hour period by the hackers, security engineers and researchers who upload to that site.

We found that more than half of the postings related to product security defects fell into this best-case scenario, with about one company in eight paying a bounty for the help. Bounties vary in size from the cash equivalent of "a nice dinner with the spouse" up to "I'll go car shopping."

On the other hand, one-fifth of the postings say nothing of any attempt to contact anyone. This "publish to the world" approach (full disclosure) is believed by some to be ethical also. But you can usually tell when a hacker is working for the greater good: for example, they will register the vulnerability with a public database, such as by requesting a CVE identifier. There are signs that the hacker is on the dark side, too, such as describing how much "fun" this particular exploit is, or encouraging the reader to "get on out there and flog those browsers!"
In between these two extremes is something the industry can and should fix. In about a quarter of the cases, the researcher describes making a good-faith effort to contact the company but failing to find a path to the right department. This is an unfortunate but common occurrence. I've been contacted by researchers who had found security problems in a retailer's house-branded product and wanted to get in touch with the right people at the manufacturer. Because the product was a "white label" device, they had to go through the retailer. No one they contacted at the retailer could help them, and I could not either.

Sidebar: Hardware Industry Continues Progress Deploying IPv6

In the "Pipeline" column in the March issue of i3, "Design It Well," we reported that about 88 percent of units shipped in the top ten consumer device categories in 2015 were IPv6-enabled. IPv6 is the latest addressing scheme for the internet and is the version intended to support the tens of billions of devices in the Internet of Things. This number was up from about 84 percent in 2014.

We're pleased to report that the industry has made further progress. Just over 90 percent of units shipping in the top ten categories in 2016 were IPv6-enabled. Connected TVs made the most gains, now at 60 percent of units shipped, followed by gaming consoles and wireless printers.

What Can You Do for Your Product?
One quick and inexpensive opportunity is to make it easy for white hat researchers to contact you. Have your IT department set up and monitor an email address for "security," in the format security@yourdomain.com, and publish this address on your website's "Contact Us" page. CTA monitors security@CTA.tech, for example. Even better, follow an industry standard such as ISO/IEC 29147 (vulnerability disclosure) for your disclosure process and have a dedicated page on your site for coordinated disclosure.

By opening up a friendly path to the security community, you can get their help in improving your product and gain some control over when and how the story is presented to the public.
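The contact path recommended above can also be published in a machine-readable form that researchers and scanners look for automatically. The script below is an added example, not code from the i3 column or from CTA: it generates and sanity-checks a security.txt file as defined by RFC 9116, a standard that postdates this 2017 column and is not mentioned in it. The domain example.com, the mailbox security@example.com and the policy URL are placeholders, and the stale sample file is constructed to show two common mistakes (a bare email address instead of a mailto: URI, and an expired date).

```python
# Added example (not from the i3 column): generate and sanity-check a
# security.txt file (RFC 9116, a standard that postdates this 2017 column).
# The domain example.com and mailbox security@example.com are placeholders.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"  # RFC 3339 in UTC, as RFC 9116 requires


def render_security_txt(domain, contacts, policy_url=None, days_valid=365, now=None):
    """Build the text to serve at https://<domain>/.well-known/security.txt.

    contacts: URIs in order of preference, e.g. "mailto:security@example.com".
    """
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=days_valid)).strftime(TIMESTAMP_FMT)
    lines = [f"# Coordinated disclosure contact for {domain}"]
    lines += [f"Contact: {c}" for c in contacts]
    lines.append(f"Expires: {expires}")  # required, exactly once
    if policy_url:
        lines.append(f"Policy: {policy_url}")  # the dedicated disclosure page
    lines.append(f"Canonical: https://{domain}/.well-known/security.txt")
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Return {field name: [values...]}; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse an RFC 3339 timestamp; returns an aware datetime or None."""
    for fmt in (TIMESTAMP_FMT, "%Y-%m-%dT%H:%M:%S%z"):
        try:
            dt = datetime.strptime(value, fmt)
            return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file looks usable."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for name in ("Contact", "Expires"):
        if name not in fields:
            problems.append(f"missing required field {name}")
    if len(fields.get("Expires", [])) > 1:
        problems.append("Expires must appear exactly once")
    for contact in fields.get("Contact", []):
        # A bare address like "security@example.com" is a common mistake:
        # RFC 9116 requires a URI, so an email address needs the mailto: scheme.
        if urlparse(contact).scheme not in ("mailto", "https", "tel"):
            problems.append(f"Contact must be a mailto:, https: or tel: URI: {contact!r}")
    for value in fields.get("Expires", []):
        exp = parse_expires(value)
        if exp is None:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value!r}")
        elif exp <= now:
            problems.append(f"security.txt expired on {value}")
        elif exp - now > timedelta(days=366):
            problems.append("Expires is more than a year out; RFC 9116 recommends less")
    return problems


# Constructed sample with two common mistakes: a bare email address and a stale date.
STALE_EXAMPLE = "Contact: security@example.com\nExpires: 2018-01-01T00:00:00Z\n"

if __name__ == "__main__":
    good = render_security_txt("example.com", ["mailto:security@example.com"],
                               policy_url="https://example.com/security/disclosure")
    print(good)
    print("problems in generated file:", validate_security_txt(good))
    print("problems in stale sample:", validate_security_txt(STALE_EXAMPLE))
```

Serve the generated file over HTTPS at /.well-known/security.txt and point Policy at the coordinated-disclosure page. The file only advertises the path; the mailbox behind Contact still has to be read by someone who can reach the right engineering team, which is the column's real point.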