The most important rule in IT security is: absolute security does not exist. Anyone who accepts this will sooner or later end up in Sandro Nafzger's office. The 38-year-old is CEO of Bug Bounty Switzerland, a company that specializes in finding vulnerabilities in computer systems.
The headquarters of the bug hunters sits in the middle of Bern's diplomatic quarter, not far from the Chinese embassy: an old building with parquet floors and stucco ceilings. Black baseball caps with the start-up's logo are lined up on the USM furniture. Flat screens and a portrait of the three founders hang on the wall. It looks like a hip Silicon Valley software studio that makes video games.
And to some extent it is a game that Sandro Nafzger and his 21 employees organize here, but one with a serious background. The task: find the flaw! Because if someone else finds it first, someone with bad intentions, for example, the headlines will soon read "Supermeltdown!" and confidence in IT security is destroyed.
Decriminalized hacking
A server vulnerability was also exploited by the criminals who stole sensitive data from the Interlaken-based company Xplain in June and published it on the dark web. The data includes confidential Fedpol security measures and sensitive extracts from the hooligan database. How the breach came about is currently the subject of several investigations. To be better protected in the future, the federal National Cybersecurity Centre (NCSC) has been working with Bug Bounty Switzerland since the end of 2022.
The heart of Bug Bounty is a platform on which so-called ethical hackers can register. The bounties are advertised on this platform: company X offers 3,000 francs for the discovery of a critical vulnerability, company Y 15,000. Breaking into computer systems is normally a criminal offence. Hacking becomes legal when bug bounty clients explicitly authorize IT professionals around the world to do it. That authorization covers only the systems and methods listed in the program's rules; anything outside that scope remains a criminal act.
Sandro Nafzger wants to bring about a cultural change in Switzerland. The belief that 100% security can ever be achieved belongs to the past; today it is about learning to deal with this new vulnerability, Nafzger says. In short: no IT system is perfect, and there are weaknesses almost everywhere. "It's all the more important that it's the good guys who spot these weaknesses."
Swiss bank did not pay enough
A large Swiss bank also dared to step out of its comfort zone last week. It offered the ethical hackers CHF 3,000 for each critical vulnerability discovered. At first nothing happened. So was the system secure? Sandro Nafzger picked up the phone and called a few hackers: "What's going on?" It's not worth the effort, he was told. After the bank increased the bounty tenfold, a serious security problem surfaced within a single night.
The federal government has launched five bug bounty programs to date. The systems and applications of four units of the federal administration have been or are being tested by ethical hackers. So far, 19 hackers have reported 54 vulnerabilities. Of these, 27 have been accepted and rewarded, 2 are still being assessed by the NCSC, and 25 have been declared invalid.
The majority of the vulnerabilities found are of "medium criticality". A critical finding must be fixed immediately. If the threat is medium, remediation is carried out "based on the release schedule", i.e. in the next project step. Since the launch of the bug bounty program, the federal government has paid out a total of CHF 13,950 to ethical hackers. The 2021 pilot program, which identified ten weaknesses in the FDFA and the parliamentary services, cost nearly CHF 10,000.
“Look, we have nothing to hide”
Ideally, bug bounty programs bring about a paradigm shift in error culture. Sandro Nafzger: "If a company no longer sees a vulnerability as a catastrophe, but as a unique opportunity to reinvent itself, a lot has already been achieved." In essence, it echoes Samuel Beckett's famous line, "Fail again. Fail better."
Whoever lets ethical hackers loose on their systems invests in a better relationship of trust with the population, says Nafzger: "Look, we have nothing to hide." This "digital trust" is crucial for all IT projects, especially in the federal government, which wants to promote electronic patient records and e-voting in the coming years.
Crime on the internet is booming, and cyber-attacks are on the rise. Assuming you are safe is a dangerous misconception, says Sandro Nafzger. "If you can't find a flaw, you just haven't looked hard enough."
Source: Blick

I am Liam Livingstone and I work for a news website. My main job is to write articles for 24 Instant News. My specialty is covering politics and current affairs, which I'm passionate about. I have worked in this field for more than 5 years now, and it's been an amazing journey. With each passing day, my knowledge increases, as does my experience of the world we live in today.