This article can also be found in the Premium Editorial Download "Information Security magazine: IDSes takes aim: Emerging "target-based" systems improve intrusion defense."
A $100,000 bounty awaited the tipster who provided the crucial info leading to the arrest of a Wells Fargo computer thief.
Edward Jonathan Krastof of Concord, Calif., faces charges of stealing computers from a Wells Fargo subsidiary that contained sensitive account-holder data. But the $100,000 reward posted by the bank will remain uncollected, because police used good old-fashioned shoe leather to solve the crime.
The Internet is repeatedly compared to the Old Wild West, mostly because of its sprawling growth, its lack of governance and rampant unchecked crime. Like the prairie sheriffs of lore, contemporary enterprises are turning to cash bounties to draw out tips that lead to the capture of the hackers and script-kiddies who plague their digital trading posts.
That's where the analogy ends. Unlike the bandits of the western frontier, hackers are less susceptible to the good citizen who comes forward with the location of a hideout.
First, it's a misconception that hackers want to destroy the Internet. It's their playground, and they have an economy based on the trade of pilfered data. Destroying it means destroying their reason for being. Hackers have more to gain from the swapping of stolen credit card numbers than cashing in for a paltry $100,000.
Second, the digital underground is a brotherhood of sorts. Once indoctrinated, hackers will defend and protect one another. The good ones, the ones capable of great crimes and damage, know silence is their friend. Dropping dimes on fellow hackers will only make them pariahs.
Finally, the digital underground is a meritocracy. Hackers rise and fall based on their skill. On this point, the concept of a hacker bounty could actually feed the hacker community by giving them a new measure for their exploits.
Digital bounties aren't new, but frustrated enterprises and law enforcement agencies seem headed toward offering more rewards for the big fish of cybercrime. Now that Microsoft has created a $5 million reward fund for the capture of virus writers, we may soon see similar funds for everything from exploiting open-mail relays to global worms.
"We support law enforcement's efforts to apprehend and prosecute Internet saboteurs, and part of how you deal with criminal acts is with deterrence," says Microsoft CEO Steve Ballmer, in an email interview with Information Security.
But don't rush to open your checkbook. It's been two months since Microsoft announced the first two rewards of $250,000 each for the capture of the creators of the Blaster worm and SoBig.F virus. Despite this hefty price on their heads, neither culprit has been caught.
Microsoft and investigators will likely say that the reward fund is helping to generate hundreds of valuable tips. True, but there have been dozens of rewards offered for those who assist in capturing hackers, and payouts and arrests are rare. A deterrent only works if people can see its impact.
My bet: Kevin Mitnick will get more hits on his $500 bounty for each hacker war story he uses in his upcoming book, The Art of Intrusion.
Malware creators are probably enjoying untold fame and adoration because of the high prices on their heads. Anyone can boast of releasing a Klez variant, but few can claim the infamy of the Blaster and SoBig creators.
In infosecurity, we're always talking about putting a value on the data that we're trying to protect. Security managers often have a hard time determining this value because of the numerous intangibles in risk assessment calculations. But, in putting a bounty out for hackers, enterprises may be unwittingly signaling the value -- or at least what they perceive is the value -- of their data. And that creates a new benchmark for the digital underground.
Will rewards created by hacker victims make a difference? Probably not, but we now know that creating a global worm is worth at least $250,000. With that mark established, there's sure to be another pale-faced script-kiddie working on a worm in hopes of topping that reward.
Lawrence M. Walsh is executive editor of Information Security.
This was first published in January 2004