Group project

ABSTRACT: This was a very fun project to work on. The topic we chose was very straightforward and informative. While researching I learned a lot about cybersecurity.

PRESENTATION

https://docs.google.com/presentation/d/1R4XJFyOrEUu_TuwPDDB6Oo9XiqbMZXnXpQOC6mjQQjg/edit#slide=id.g753d3a1d6d_0_0

PROPOSAL

Topic: Bug Bounty Program: White Hat Hackers

Group: Markus Chmiel, Chenhao Li, Eduardo De Leon, Melson Heo, Bismah Hasan

Abstract:

Cybersecurity has become an important subject in modern society. The vast network that is the internet hosts a plethora of sensitive data, both personal and commercial. Running an online database without standardized cybersecurity mechanisms puts a business at risk of exposure. A company’s reputation and customer satisfaction rely on the safety of the customer data the company is entrusted with. Moreover, the damage caused by cybercrime, including the theft of online data, has accumulated to more than $4 trillion. Overall, more awareness needs to be focused on the consequences of inadequate cybersecurity. We propose a program for companies that want to identify flaws in their online infrastructure and improve their cybersecurity defenses. Our company is a bug bounty program: a group of friendly hackers, coders and data analysts who pick apart and diagnose code for their customers. This practice already exists but is not widely adopted, and we wish to change that. Our group has devised a plan to deploy an initial group of 20 hackers whom companies can apply to contract for a specific security problem and reward for their work. We will employ only top-of-the-line coders and pay them a salary. Our revenue will come from a commission on the rewards paid for contracting out our hackers. An estimated budget of $2.2 million will need to be acquired to launch this company.

Introduction

Historically speaking, we are considered to be in the information age, a period characterized by the change from an industrial society to our current one, in which the economy is fundamentally driven by information-based technologies. This age was brought into existence through the creation of the computer and the internet. The computer allows us to store and manipulate data, that is, electronically encoded information. Through satellites, terrestrial microwave links and fiber-optic cables linking servers, the internet enables a computer to transmit data to, and receive data from, another computer anywhere in the world. The transition to a digital information-based society and the development of the internet have opened access to a wide variety of information to virtually everyone on the planet. Media, advertising, socialization, schooling, banking and other very important aspects of our society have taken a new form on the internet (see Appendix A). 

The number of active internet users in 2018 was reported to be about half the world population (around 3.7 billion users). Moreover, from 2010 to 2016, an average of 640,000 people every day went online for the very first time (Roser, 2015). Companies and government agencies have taken advantage of the large number of users online and have created websites to increase the exposure of useful information, communication and marketplaces. At the time of completing this proposal, approximately 1.7 billion websites exist on the internet (“Total Number”, n.d.). 

That said, individuals on the internet today are creating numerous online accounts to connect with a variety of databases, including but not limited to banking, online marketplaces, government records and social media. A study of 20,000 people conducted by Dashlane in 2015 found that the average internet user had 90 online accounts. Furthermore, its findings concluded that roughly 130 accounts are associated with one email address (“Uncovering Password”, 2018). Each account is personalized with the information of its owner; some accounts contain more confidential information than others. Accounts are protected by user passwords and by the website’s defense mechanisms, such as its firewall; however, intruders (hackers) are able to bypass industry-standard protections. Once a hacker has bypassed the database’s defenses, they can target accounts with sensitive information and use it for their own benefit. It is even plausible that a hacker can obtain information without the account owner noticing. A study conducted by Cisco, a multinational technology and internet conglomerate, found that the average cost per cybersecurity attack due to malware (malicious software) in 2017 was estimated at $2.4 million. Additionally, the damage cost of ransomware (malware that encrypts or steals data and demands payment for its return) had risen to $10 billion in 2019 (“Cisco”, 2020). Cybersecurity has become more necessary as more users operate on the internet. Individuals and company websites are at risk of exposing their sensitive data. A company’s reputation can depend largely on its cybersecurity if its products exist only on the internet. Little or no cybersecurity will dissuade users from using the product because they have reason to fear that their data could be in danger. 
Hackers are not going away, and to make matters worse, the annual cost of cybercrime damages in 2020 is predicted to reach $5 trillion (“Cyber Security”, 2019). 

In this paper, our group proposes to launch a friendly hacker program organized to help web developers improve the security of their products (i.e. websites, applications, operating systems, etc.). Programs are never 100% bug-free; there will always be some way for hackers to exploit a program and use it to their advantage. It is not worth the time and money for developers to constantly look for bugs and exploits while they have other work to do. If a hacker has found an exploit, they can stay under the radar and take advantage of it for as long as possible. According to Cyber Security Statistics, it can take up to 6 months before a company even notices a data breach (“Cyber Security”, 2019). By then, if the program or application is used widely by the general public, millions of individuals can be affected.

By opening our program, White Hat Hackers, companies can hire professional hackers to find any security flaws in their systems. By doing so, they can patch any exploit in a safe and controlled environment. In return, these companies pay large sums of money to these hackers and lessen the chance of an unpatched security flaw. Previous instances of this practice include Facebook in 2011, which hired 21-year-old George Hotz, who had been involved in a months-long court battle against Sony because he had hacked into the company’s PlayStation 3 platform (“Why Companies”, 2016). Netflix launched a bug bounty program offering up to $15,000, and Twitter, Dropbox and General Motors are also offering large bounties for discovering bugs or security flaws. Furthermore, HackerOne, a platform that connects companies with white hat hackers, takes a 20% commission from companies and has paid out more than $24 million to its network of hackers (“Meet the”, 2018). These examples show that a bug bounty program works and is a win-win scenario: companies are able to fix bugs and increase their security, while our hackers are able to make a living.

Proposed Program 

Company: White Hat Hackers 

Website: (https://markusc6133.wixsite.com/website)

Audience: Our program is open to companies that need help finding exploits in their online products and improving their cybersecurity.

Purpose: The mission statement of White Hat Hackers is to defend and enhance the cyber defense mechanisms within our customers’ products. Our program is open to small and large companies that wish to improve their cybersecurity measures. Overall, our goal is to increase customer satisfaction by decreasing the number of flaws within their online infrastructure.  

Overview: Our company will have no physical place of business. All operations will be conducted online through our website. On our website, we will have all the necessary steps needed to apply for our program. Additionally, we will also have a tab where hackers can apply to join our team. However, our group is selective and only the most qualified individuals are invited to join. 

How to join the Bug Bounty Program: There are a few requirements before anyone can apply to enlist in our bug bounty program. The requirements are as follows:

  • You must be a company or other legal entity (some form of legal representation for your organization)
  • Your company must have at least 5,000 active users
  • The company must operate within legal boundaries
  • A reward must be offered

Required Resources/Education for Hacker Applicants: To become a white hat hacker, it is recommended to have a bachelor’s or master’s degree in Information Security, Computer Science or Mathematics, plus security-related IT certifications. Skills that make a good white hat hacker stand out are strong oral and organizational skills, the ability to solve problems, and the ability to remain calm under pressure (“Staff”, 2019).

Innovation Process

Data Planning (adjusting or updating code to fix a bug while maintaining the same functionality of the application): After a member has finished a project, they are required to send a detailed report to the company describing each flaw found in its code, how to reproduce it, and a proposed fix. The fix can be described in pseudocode if the problem is code-heavy, or the report can help the company update its software or hardware so that its technology is current.

COST: Each member will receive a base salary averaging $30,000. Throughout the year, they can earn more by taking on projects that we offer. Besides the $30,000 salary, we will take a 15-20% commission from the member’s reward for each successful task.

Set up services cost: $300,000~ (Patents, Founding company, Logo, Website)

Workers’ salary: $30,000/hacker – (20 initial workers = $600,000)

Advertisement: $200,000~   (Ads reaching out to companies in need of cyber help i.e social media, forums, google ads, etc)

Licensing / LLC: $400,000~  (Necessary applications and certifications for our hackers)

Insurance: $500,000~  (Even we are at risk of cyber crime)

Server Cost: $200,000~ (Annual Cost to run our website and applications)

Total Cost: $2,200,000~ (revenue from commission will cover the initial cost)

TIME: The time required is dependent on the project that they are assigned to. This is where the companies can make a deadline on a set project.

Tactics/Standard Testing Methods: The tests we offer vary but are not limited to DDoS attacks (distributed denial of service), which flood the server with overwhelming requests from many machines (bots) until it can no longer respond, and password attacks, where we test how your server stores passwords (hashing and salting) and how its login withstands guessing, to make sure a password leak does not happen. Disruptive tests such as DDoS are run only against systems the customer has explicitly put in scope, within an agreed time window, so that the test does not take down production service. 

MATERIALS: It is recommended that our members carry the following items or software:

  • Arduino or a Raspberry Pi
  • Keylogger
  • GPU
  • Virtual Private Server

With these materials, our members have the bare minimum to start a project. The Raspberry Pi and the Arduino let a member write special code that, when connected to a target computer, gathers information and demonstrates how data could be stolen. The keylogger captures keystrokes, recording user input and passwords. The GPU’s job is to crack password hashes by brute force. Finally, the Virtual Private Server allows our members to attempt to take control of the computer or server remotely. All of these are used only against systems within the customer’s agreed scope.
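The password attack and the GPU brute-forcing described above, as an added example that is not part of the group’s proposal: a dictionary and brute-force attack against the weak storage scheme a white hat hacker would flag (unsalted SHA-1, a constructed sample table) beside the hardened form (a per-user random salt and PBKDF2). All usernames, passwords and the wordlist are constructed for illustration, and the iteration count is an assumption.

```python
"""Added example, not part of the original proposal: a small password-attack
test of the kind described above, run against constructed sample data.

Weak scheme : unsalted SHA-1 (fast, one hash serves every user).
Hardened    : per-user random salt + PBKDF2-HMAC-SHA256 (slow, per-user work).
"""
import hashlib
import hmac
import itertools
import os
import string

# Assumption: tune so one derivation costs on the order of 100 ms on the server.
ITERATIONS = 100_000

# Constructed wordlist standing in for a multi-million-entry dictionary.
WORDLIST = ["123456", "password", "letmein", "dragon", "qwerty"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the weak storage scheme a white hat hacker would flag."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed "leaked" table of unsalted hashes (usernames and passwords made up).
WEAK_DB = {
    "alice": sha1_hex("letmein"),
    "bob": sha1_hex("dragon"),
    "carol": sha1_hex("zq7#Kp"),  # strong, not in the wordlist
}


def crack_unsalted(db: dict, wordlist: list) -> dict:
    """Dictionary attack on unsalted hashes.

    Without a salt, identical passwords give identical hashes, so each guess is
    hashed once and compared against every user at the same time. This is the
    embarrassingly parallel workload a GPU cracker is built for.
    """
    lookup = {sha1_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in db.items() if h in lookup}


def brute_force_unsalted(target_hex: str, alphabet: str = string.ascii_lowercase,
                         max_len: int = 4):
    """Exhaustive search over short lowercase passwords (CPU stand-in for the GPU job)."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            if sha1_hex(guess) == target_hex:
                return guess
    return None  # not found within max_len


def store_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Hardened storage: random 16-byte salt and a slow key derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def verify_password(record: dict, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_hardened(records: dict, wordlist: list) -> dict:
    """Same dictionary attack against the hardened table.

    Every guess must be re-derived for every user (different salts), and every
    derivation costs `iterations` rounds, so the work is
    users x guesses x iterations instead of one cheap hash per guess.
    """
    found = {}
    for user, rec in records.items():
        for w in wordlist:
            if verify_password(rec, w):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("unsalted SHA-1, dictionary   :", crack_unsalted(WEAK_DB, WORDLIST))
    print("unsalted SHA-1, brute force  :", brute_force_unsalted(sha1_hex("abc")))
    hardened = {"alice": store_password("letmein"), "carol": store_password("zq7#Kp")}
    print("PBKDF2 table, same dictionary:", crack_hardened(hardened, WORDLIST))
```

The salt alone does not stop an attacker from guessing one user’s weak password; it removes the shared-work shortcut, and the slow derivation makes each guess expensive. Limiting how many guesses the login accepts (rate limiting, lockout, multi-factor authentication) is the other half of what a password-attack test checks.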

References

4 Challenges for Computer Scientists in the 21st Century. (2020, January 27). Retrieved from https://www.oxford-royale.com/articles/4-challenges-computer-scientists/#aId=eb6fd124-f5f1-4700-a7c5-df8f0e7df57b

Cyber Security Statistics for 2019 (n.d.). Retrieved from https://www.cyberdefensemagazine.com/cyber-security-statistics-for-2019/

Cisco Cybersecurity Report Series – Download PDFs. (2020, May 1). Retrieved from https://www.cisco.com/c/en/us/products/security/security-reports.html

Lin, M. (2017, September 7). Cybersecurity: What Every CEO and CFO Should Know. Retrieved from https://www.toptal.com/finance/finance-directors/cyber-security

Meet the companies connecting white hat hackers with cold hard cash. (2018, March 22). Retrieved from https://uncubed.com/daily/san-franciscos-hackerone-connects-white-hat-hackers-with-cold-hard-cash/

Roser, M., Ritchie, H., & Ortiz-Ospina, E. (2015, July 14). Internet. Retrieved from https://ourworldindata.org/internet

Roser, M., Ritchie, H., & Ortiz-Ospina, E. (2015, July 14). Internet. Retrieved from https://ourworldindata.org/internet#growth-of-the-internet

Staff, B. E. (2019, June 17). Top Tips For Becoming a White Hat Hacker. Retrieved from https://www.businessnewsdaily.com/10713-white-hat-hacker-career.html

Total number of Websites. (n.d.). Retrieved from https://www.internetlivestats.com/total-number-of-websites/

Uncovering Password Habits: Are Users’ Password Security Habits Improving? (Infographic). (2018, December 14). Retrieved from https://digitalguardian.com/blog/uncovering-password-habits-are-users-password-security-habits-improving-infographic

Why Companies Hire Skilled Hackers. (2016, July 27). Retrieved from https://online.maryville.edu/blog/why-top-companies-hire-hackers/

Appendix 

Technology and Internet Statistics

The organization “Our World in Data” collects information on information-based technologies, active internet users and related data. It gathers its information from real-time statistics and surveys of online users (Roser, 2015).

Figure A1)

Figure A2)