TOKYO — More companies and research institutions in Japan are doing their best to attract hackers from around the world, setting them loose on their own websites and digital services as a defense against malware-armed attackers who have gained the upper hand in the ongoing cybersecurity war.
The new strategy — offer bounties before being hit up for ransom — banks on so-called “white hat,” or ethical, hackers who can be hired through security startups.
Sony Interactive Entertainment, Sony’s video game unit, in June said it will pay up to $50,000 to hackers who detect bugs related to its PlayStation 4 video game console. The announcement was posted on U.S. bug bounty platform HackerOne.
Bug bounty deals put hackers to work attacking their employers’ products and services, looking for security vulnerabilities that can be repaired before malicious hackers exploit them. These deals are offered by websites, organizations and software developers from around the world.
A lot of offers are listed on HackerOne, where last year about 4.2 billion yen ($40 million) of rewards were paid out.
In November, Line, a popular messaging app in Japan, Thailand and Taiwan, opened a bug bounty program on HackerOne. The company had been going it alone, paying around 20 million yen a year to bug hunters, but shifted to HackerOne “because we wanted many hackers to check on our services from different perspectives,” said Naohisa Ichihara, head of the company’s cybersecurity office.
Line has already paid out more than $100,000 in rewards, which has forced its internal engineers to spend a lot of time and effort patching holes spotted by the white hats. It’s time well spent, Ichihara said. It “prompts our engineers to refine their skills so they won’t receive any more reports,” he said.
Pixiv, the operator of the namesake online community of artists in Japan, started using HackerOne last September. The Tokyo-based company had been using the Japanese platform BugBounty.jp, but “we thought we could show our security awareness to the world by using HackerOne,” Chief Technology Officer Atsushi Takayama said.
After pixiv began using HackerOne, hackers visited the company’s website in such large numbers that some services were affected. The company ended up receiving about 140 bug reports in a week. “We could detect some bugs that could pose risks if they were misused,” Takayama said.
“The question is what can we do to keep drawing the attention of hackers around the world,” Takayama went on. Website operators have discovered that proactively enticing hackers, rather than keeping them at bay, makes for good cybersecurity.
Many bug hunters are said to be young people. At HackerOne, 46% of the white hats are 24 or younger.
Kanta Nishitani is a white hat who has been put in charge of penetration testing at Tokyo-based security startup Ierae Security. He studied security technology on a foreign bug bounty platform, earning more than 6 million yen a year in bounties while a student.
Nishitani moved from a big tech company to Ierae Security in November. “I get excited when I can hack administrator privileges by combining several bugs of client companies,” he said.
He feels that he is at the forefront of security. Many white hats are said to work for companies searching for bugs, as Nishitani does, as a way to refine their hacking skills.
In April, five young Japanese who have been recognized globally for their security techniques began Ricerca Security in Tokyo’s Bunkyo Ward. The youngest of the five is a high school student.
Ricerca Security says it deploys “offensive security,” and President Ren Kimura calls himself and his colleagues “experts on attack techniques.”
Information technology systems generally have multiple weak points. Offensive security white hats examine these from a black hat’s perspective, trying to determine which one an attacker would try to exploit, and how, in order to steal sensitive information or lock down a system.
To prepare for future cyberattacks that take advantage of “zero day” exploits — security vulnerabilities that have not been made public — an engineer must develop unique attack techniques.
Ricerca Security President Kimura decided to establish his company after realizing the importance of preparing for future cyberattacks from the viewpoint of the attacker. At the time, he was working as a researcher at Carnegie Mellon University, in the old American steel city of Pittsburgh.
The university boasts one of the world’s largest-scale academic-industrial security alliances.
After returning to Japan, Kimura founded Ricerca Security with his four like-minded partners who, he says, “can operate on the front lines.”
The four — Yuki Koike, Ryo Ichikawa, Kazuki Furukawa and Kaoru Otsuka — are well-known around the world.
Koike has shined since his junior and senior high school days in the world’s various top hacker technique tournaments.
When they were students, Ichikawa and Furukawa teamed up to participate in various hacker tournaments. Their team was No. 4 globally in 2019.
Otsuka, still a high school student, has demonstrated his ability by, among other achievements, hacking Apple’s iPhones.
Offensive security is difficult to learn about in Japan, and Koike doubts he would have been able to find employment at any other security company.
Ricerca Security boasts an attack method it alone discovered and has received inquiries about its report on the method from around the world.
It says it has also received requests from multiple domestic manufacturing and other companies regarding research on new attack methods and the development of a tool to automatically detect IT system vulnerabilities.