Samsung Offers Up to 1.4 Billion Won in Rewards... White-Hat Hackers Tempted by Promises of "Monthly Foreign Car Money" [Cover-Up 5]

Interview with Steelyon White-Hat Hacker Jang Hyungseok
Black-Hat Hackers Become Rich by Collecting Ransom
Secret Offers Sent to White-Hat Hackers via Social Media
Black-Hat Payments Exceed Official Bounties by Up to Tenfold
"You Must Never Fall for the Temptation of Dirty Money"
Healthy Companies Collapse, National Security at Risk


There are two types of hackers in the world: black-hat hackers, who maliciously steal information, and white-hat hackers, who defend against their attacks. As black-hat hackers have begun to amass astronomical sums in ransom payments using hard-to-trace cryptocurrencies, white-hat hackers have started to receive discreet offers. These offers promise generous compensation if they cross over into the world of "dirty money." Hyungseok Jang, a 32-year-old team leader working as a white-hat hacker at cybersecurity company Steelyon, is one of those who has received such "devilish temptations." In an interview with Asia Economy last month, he said, "I've been contacted several times by hacker organizations saying, 'Let's work together' or 'Let's collaborate on research.' One organization even promised to pay me the equivalent of a mid-sized foreign sedan every month if I joined their team."


He began his career as a white-hat hacker in 2014 at the Cyber Operations Command of the South Korean military. He has officially reported security vulnerabilities in Google Chrome, Microsoft Edge, Windows operating systems, and document editors.


White-hat hacker Hyungseok Jang, team leader at cybersecurity company Steelyon, is being interviewed by Asia Economy. Photo by Yujin Park

- How do black-hat hackers make their offers?

Lists of white-hat hackers who are skilled at finding vulnerabilities that can easily be exploited on corporate websites are used by black-hat hackers as a means to recruit them. They discreetly reach out by finding the social media accounts of proven white-hat hackers. In my case, I was contacted via X (formerly Twitter) with an invitation to work together. Sometimes, they offer large sums of money in exchange for information about vulnerabilities we discover, even if we don't join their organization long-term. The amount offered is much higher than the official rewards paid by companies for reporting vulnerabilities: at least two to three times more, and sometimes up to ten times as much.


- What happens if a vulnerability falls into the hands of a black-hat hacker?

The reason black-hat hackers are willing to pay so much is that leaked information can put a company in tremendous danger. I've received offers to sell vulnerabilities, but I've never replied. Not only myself, but many hackers around me place great importance on ethical responsibility. The most frightening thing is not knowing where or how a vulnerability sold for money might end up. A perfectly healthy company could collapse in an instant, and in extreme cases, a hostile nation could buy the vulnerability and use it to launch missiles or cause a nuclear power plant to explode. There have been cases in the past where nuclear facilities were damaged by cyberattacks. In the industry, it is often suspected that certain hacker organizations are backed by governments or nation-states. Some international reports have indicated that certain countries have provided funding to hacking groups to carry out zero-day attacks (exploiting vulnerabilities before security updates are released) in order to strengthen their cyberattack capabilities.



- How do white-hat hackers discover vulnerabilities?

A vulnerability is, literally, a "gap in security." Even programs that appear to function well often have unexpected mistakes hidden within. For example, a web browser consists of countless lines of code and complex operations. If memory is mishandled or incorrect values are processed in certain situations, vulnerabilities can arise that hackers can exploit. White-hat hackers meticulously analyze how programs operate to find these gaps. They may use a technique called "fuzzing," which involves automatically inputting a variety of values to see if any abnormal reactions occur, or they may read the code directly to identify suspicious flows. Just as an old door might open with a slight shake, code can also have unnoticed weak spots. Experienced white-hat hackers can quickly sense these "feelings."


- Can you give a concrete example?

On poorly secured websites, the "file upload" feature is risky. Hackers can upload ransomware executables in places meant for documents or photos like PDFs or JPGs. If there is a vulnerability in the "login" feature, even administrator accounts can be compromised. One method is for a hacker to enter ' OR 1=1 -- in the user ID field. At first glance, it looks like a string of symbols, but it actually means "let everything through, regardless of the condition." If a website's security is breached, it may mistake this for a legitimate request and reveal internal information. When reading through website or program code, white-hat hackers can spot flows that look like vulnerabilities. When this appears, they recognize it as a danger.
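The login case described in the answer above, as an added example that is not part of the interview: a login check that builds its SQL by string concatenation accepts the `' OR 1=1 --` input, while the same check with bound parameters rejects it. The table, accounts and function names are constructed for illustration, and passwords are stored in plain text only to keep the example short.

```python
import sqlite3

def make_db():
    """In-memory database with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "constructed-admin-secret", "administrator"),
         ("alice", "constructed-user-secret", "user")],
    )
    return db

def login_vulnerable(db, user_id, password):
    # Weak form: user input is pasted into the SQL text, so a quote in
    # user_id ends the string literal and the rest is parsed as SQL.
    query = ("SELECT user_id, role FROM users WHERE user_id = '" + user_id
             + "' AND password = '" + password + "'")
    return db.execute(query).fetchone()

def login_parameterized(db, user_id, password):
    # Hardened form: placeholders keep the input as data; the database
    # compares the whole string, quotes and all, against stored values.
    query = "SELECT user_id, role FROM users WHERE user_id = ? AND password = ?"
    return db.execute(query, (user_id, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"  # the input quoted in the interview
    # Concatenated query becomes:
    #   ... WHERE user_id = '' OR 1=1 --' AND password = 'x'
    # The condition is always true and the password check is commented out.
    print("vulnerable:   ", login_vulnerable(db, payload, "x"))
    print("parameterized:", login_parameterized(db, payload, "x"))
    print("legit login:  ", login_parameterized(db, "alice", "constructed-user-secret"))
```
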


- How do companies resolve vulnerabilities?

A vulnerability is like a hole in a website, and ransomware is the weapon. To avoid attacks, the first step is to block vulnerabilities. Once a white-hat hacker reports a problem, the company's internal developers take action. Based on our reports, they patch (fix) the issue to close the holes that hackers could exploit. Large corporations and global tech companies offer bounties for vulnerabilities, encouraging white-hat hackers to report them officially. Depending on the severity of the vulnerability, the reward can range from as little as 300,000 to 500,000 KRW, to as much as hundreds of millions of KRW. In the case of Samsung Electronics, the reward ranges from a minimum of $200 to a maximum of $1 million (approximately 280,000 to 140 million KRW). Some companies even hold quarterly award ceremonies, providing hotels and flights to invite white-hat hackers. The nickname of the reporting white-hat hacker, along with details of the vulnerability and the reward amount, are posted on each company's security response site. This becomes part of a white-hat hacker's career. Ironically, it is these career achievements that attract black-hat hackers.


▲The rewards Google has given to white-hat hackers who officially reported vulnerabilities over the past five years (2020-2024). Last year, the total amount paid to white-hat hackers was $11,842,651, which is approximately 16.5 billion KRW.

▲List of white-hat hackers who discovered security vulnerabilities in Samsung mobile devices such as smartphones and tablets. Samsung selects 10 people each year to be inducted into the Hall of Fame. 'SVE' refers to the unique identification number assigned by Samsung to track and manage vulnerabilities.

Editor's Note: In the real world, when a hostage situation occurs, someone usually calls the police. Whether it's the victim or a bystander, alerting the authorities quickly is the top priority. However, in cyber hostage situations caused by ransomware, the opposite is true. Victimized companies, even after losing all their money and time to hackers, are busy hiding the incident. Lee Hyungtaek, head of the Korea Ransomware Response Center, who has handled more than 20,000 ransomware attacks over the past 10 years, said, "When companies like SK Telecom are hacked, it is extremely rare for them to report it. Even among companies that have suffered damage, nine out of ten never disclose it to the outside world," adding, "The cycle of hackers taking the money and leaving keeps repeating itself."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
