Inside the murky world of hackers for hire

Shortly after Christmas, 2011, Ruby Nealon sold the Nintendo Wii games console his mother had bought him to fund an Open University course in computer software. He was 11 and it was the start of his unconventional education as a computer prodigy, which led him to drop out of school and start a full time degree at 14.

Two years later, in 2016, when Nealon was just 16 and in the second year of his computer science degree at the University of Salford he made international news when he hacked into an online gaming platform called Steam, managing to publish a game on its service without permission. The game was called “Watch Paint Dry” and was accompanied by a detailed explanation of the problem he had found.

The incident caught the attention of the cybersecurity world and he was soon approached by the chief executive of a US company called HackerOne, which specialises in breaking into the computer systems of major firms including Uber, Facebook, Google, Dyson, Microsoft and MasterCard. It does this through “bug bounty” programmes, where companies invite hackers to attack them to find critical problems in their software in return for a reward.

“The problems can vary from small to large issues: the key thing is that regardless of the impact they would have, they’re caught before they can be used maliciously,” says Jack Whitton, a security researcher at Facebook and former bounty hunter. “The point of the programmes is not to point out that you have a lot of flaws, but to recognise them and fix them before they’re compromised.”

Nealon is one of 100,000 hackers in HackerOne’s network of self-employed and technically savvy security experts, the youngest of whom is 10 years old. They are paid monetary rewards of anything from a few hundred to tens of thousands of dollars depending on the severity of their findings. The most lucrative hacker has earnt $600,000 in two years.

Within months of joining HackerOne, Nealon had been paid $50,000. One of his biggest payouts was $13,000 from Airbnb, which he earnt in a day for finding multiple bugs: they could have let a cyber criminal take over someone else’s account, charge their bookings to other businesses, and set up an account as an underage person.

“This is just in my spare time,” he says. “I don’t consider bug bounties work. Most of the hacking I do is a bit of a game. I see the money as an added bonus.”

Marten Mickos, chief executive of HackerOne, says, “The hackers we work with are young, skilled, and for them the internet is reality.” He adds that they can think creatively and spot problems that traditional security professionals might miss.

“Even the Department of Defense and the Pentagon [both HackerOne customers], some of the strongest organisations with the most powerful weapons, cannot see their own flaws,” says Mickos. “You’ll always need the objective outside view, because most people are blind to their own typos.”

HackerOne, founded in 2012, is growing rapidly. It has increased its customers from 300 last year to 800 currently, and its roster of hackers has more than trebled in the same period. While the company does not publish its earnings, it takes a 17pc cut from each bounty and it has facilitated around $15m in rewards to date, $7m of which were awarded in 2016.

Earlier this year it raised $40m (£32m) to expand internationally, bringing its total funding to $74m. With the cash, it this week opened an international office in London.

The Silicon Valley company believes the potential market for its services in the UK, where it already works with 50 firms, is vast. “Anybody who develops software will ultimately need a bug bounty,” says Mickos. “The security industry used to be focused on secrecy and exclusivity. Old timers still question the model and say it will never work, that we can’t have amateurs here. But they’re always wrong. The smartest people in the world aren’t in the clubs, they’re out in the streets.”

Although British businesses have been slower to adopt the service than their US counterparts, HackerOne says the country has a wealth of untapped talent. “There’s something out of sync in the UK,” says Alex Rice, co-founder and chief technology officer of HackerOne. “On the one hand you have an amazing breadth of top hackers here, but organisations haven’t kept pace with the talent. There’s a bit of a missed opportunity with that much raw talent not being fulfilled in organisations.”

HackerOne’s move to the UK follows that of one of its main competitors, Synack, a company founded by former National Security Agency employees that connects its customers with a select group of hackers. Synack agrees that the UK has lagged behind the US in terms of security, but says it is catching up.