A controversial activist is rallying other hackers to crack into scandal-ridden companies and spill their secrets — and offering cash rewards for the biggest leaks.
Phineas Fisher is offering up to $100,000 for damaging information about targets including U.S. oil company Halliburton and NSO Group, an Israeli firm that sells software to governments and that critics say helps authoritarian regimes stifle dissent. It's all part of a “Hacktivist Bug Hunting Program,” as Vice’s Lorenzo Franceschi-Bicchierai reports.
The cash incentive has the potential to reinvigorate the community of hacktivists, which has lagged in recent years with collectives such as Anonymous and LulzSec largely fading from mainstream view.
But it could create serious problems for the community of cybersecurity researchers who’ve spent years trying to distinguish their work from the illegal side of hacking -- and have even gotten many companies and government agencies to join programs that welcome ethical hackers to find bugs that could make their products safer. They fear a resurgence of vigilante hackers using their skills for what they perceive as social justice could blur those lines.
It could even imperil some legal protections ethical hackers have spent years fighting for, such as tighter restrictions on when companies can threaten researchers who find bugs in their products.
“There’s a lot of mystery and misinformation about hacking and as much as people in security professions understand what an ethical hacker is, the public at large is still as confused as ever,” Gabriella Coleman, a McGill University anthropologist who has written extensively about hacking groups, told me. “So, certainly, there are many gains that have been made but they always stand to be lost.”
Even the title “hacktivist bug hunting” seems to intentionally blur lines between the work done by ethical hackers, which is fully legal, and the work of hacktivists, which breaks the law but also sometimes exposes wrongdoing.
The phrase co-opts the term “bug bounty" — which legitimate companies and researchers use to describe cash rewards that organizations offer when ethical hackers find and disclose vulnerabilities in their networks — but morphs it into a reward for illegal activity.
“This is conflating ethical hacking with criminals and crimes and I’m pretty annoyed because that shapes how legislators and policymakers think about these things,” Katie Moussouris, founder of Luta Security, who set up the first government bug bounty at the Pentagon in 2016, told me.
There’s also a substantial danger that Russia and other U.S. adversaries could co-opt the hacktivist bounty program to selectively hack and leak information to sow political tumult and damage their enemies.
The Kremlin-backed hackers who released information from the Democratic National Committee in an effort to hurt Hillary Clinton’s 2016 campaign posed as a lone hacktivist called Guccifer 2.0, according to U.S. intelligence agencies. When the North Korean government hacked Sony Pictures Entertainment in 2014, it similarly posed as a hacktivist collective called Guardians of Peace.
The anonymity of hacktivism could make it easier for those nations to hide their activity, Andrew Thompson, a manager at the cybersecurity firm FireEye noted on Twitter.
Activism is a vehicle for information operations. Activists are often useful for malign actors. That doesn't invalidate activism or the intentions of activists. From this perspective, I have about zero percent trust in anything portrayed as hacktivism, which is "anonymous."— Andrew Thompson (@QW5kcmV3) November 17, 2019
Bug bounty programs have won widespread favor in government in recent years but are not without their own scandals. Uber, for example, was pilloried by lawmakers after it used its own bug bounty program as a cover to hide a data breach from customers and regulators by improperly paying off the hackers.
Phineas Fisher – who has never been identified and may be an individual or a group of people – argued in a manifesto outlining the hacktivist bug bounty that its sole goal is to support hackers that are leaking information in the public interest.
“Hacking to obtain and leak documents with public interest is one of the best ways for hackers to use their abilities to benefit society,” Phineas Fisher wrote. “I’m not trying to make anyone rich. I’m just trying to provide enough funds so that hackers can make a decent living doing a good job.”
Fisher also claimed, however, to be funding the operation using stolen money from hacking into a bank.
“I robbed a bank and gave the money away. Computer hacking is a powerful tool to fight economic inequality,” the manifesto states.
The person or group rose to fame by hacking and releasing data from surveillance and spyware vendors, including the British-German firm Gamma Group in 2014 and the Italian company Hacking Team in 2015 – both of which proved embarrassing for the firms’ government and law enforcement clients.
PINGED, PATCHED, PWNED
PINGED: The international police agency Interpol plans to condemn the spread of warrant-proof encryption services today, claiming in a statement they protect child sex predators, people briefed on the matter told Joseph Menn at Reuters. The FBI introduced the resolution at an Interpol conference in Lyon, France, and it will be released without a formal vote by the other countries in attendance, sources told Joseph.
“Tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format,” a draft of the resolution seen by Reuters said.
The resolution echoes a recent joint letter from law enforcement officials at the U.S. Justice Department, the United Kingdom and Australia to Facebook, urging the company to reverse its decision to use end-to-end encryption for its Messenger product.
Interpol did not respond to a request for comment from Reuters on Sunday. The FBI referred questions to Interpol.
PATCHED: The Trump administration today will announce a two-week stay on its ban preventing U.S. companies from doing business with China-based Huawei, David Shepardson and Steve Holland at Reuters report. That will probably will be followed by a longer grace period, similar to the last 90-day extension, but the decision is awaiting regulatory approval, sources tell Reuters.
This will mark the third time the Trump administration has delayed its ban on sales to Huawei, which it first imposed more than six months ago amid concerns about Chinese spying. Security hawks from both parties have blasted the White House for failing to follow through on the May order. President Trump has also promised to exempt some companies from the ban, but so far no licenses have been approved.
PWNED: The United States and its Western allies are urging opposition to a Russian-led cybercrime resolution up for vote at the United Nations today, my colleague Ellen Nakashima reports. Opponents allege the proposal is a thinly veiled effort to endorse Russian and Chinese-style state control of the Internet.
U.S. officials fear the resolution would give authoritarian states a U.N.-endorsed standard to justify blocking opposition speech and monitoring dissidents online, a State Department official speaking on the condition of anonymity told Ellen. Human rights groups also fear such an approach could criminalize Internet activity that is protected by human rights laws.
The United Nations already has guidelines for international cybercrime cooperation set by a 2001 treaty, but neither China nor Russia signed the treaty.
— Cybersecurity news from the public sector:
— About 70 percent of U.S. adults say their personal data is less secure against hacking now than it was five years ago, according to a study released Friday by the Pew Research center. Only 6 percent believe their data is more secure today than in the past.
— More cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad:
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency celebrated its first anniversary this weekend by touting some accomplishments:
We conducted more than 2,800 infrastructure security and cybersecurity assessments and exercises throughout the year.— Cybersecurity and Infrastructure Security Agency (@CISAgov) November 16, 2019
We shared more than 3 million cyber threat indicators with federal and private sector partners to help to stop cyber-attacks in their tracks.— Cybersecurity and Infrastructure Security Agency (@CISAgov) November 16, 2019
The agency also highlighted its work tackling big 2020 priorities including the upcoming elections and protecting next-generation 5G telecom networks.
And as part of our #Protect2020 effort, we’ve provided free technical cybersecurity assistance, continuous information sharing, exercise support, and expertise to election offices and campaigns supporting all 50 states, over 2000 local and territorial election offices.— Cybersecurity and Infrastructure Security Agency (@CISAgov) November 16, 2019
- New York University’s Center for Cybersecurity, the Journal of National Security Law & Policy will host an event titled “Catching the Cybercriminal: Reforming Global Law Enforcement” at 9 a.m.
— Coming up:
The Senate Homeland Security Subcommittee on Investigations will host a hearing to examine securing the United States research enterprise from China's talent recruitment plans on Tuesday at 10am
The House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation will host a hearing on "The Road to 2020: Defending Against Election Interference" on Tuesday at 2pm.
- The House Financial Services Committee will host a hearing on the role of big data in financial services on Thursday at 9:30 a.m.
- The 2019 International Conference on Cyber Conflict U.S. (CyCon U.S.) will take place 18-20 Nov 2019 in at the Crystal Gateway Marriott in Arlington, VA.
- CYBERWARCON takes place on Thursday in Arlington, Va.