Bug Bounties Entice Researchers to Don White Hats

Bug bounty programs are used by individual software makers to improve the quality of their products, but they can have incidental benefits for all software makers, too. One of those is to encourage bug hunters to wear a white hat instead of a black one.

“An overwhelming majority of people have a vested interest in a secure Internet,” explained Alex Rice, CTO of HackerOne.

“When you make it easy for hackers to do the right thing, the majority will,” he told TechNewsWorld.

Adam Ely, co-founder of Bluebox, identified three primary markets for software flaws. The first is bug bounty programs. “This is the easiest place to submit the bug,” he told TechNewsWorld.

Moreover, many flaws just aren’t worth very much on the second market — the online underground. “Most bugs found in bug bounty programs are trivial and have little value to attackers, thus the company’s program is more profitable and less work — though high severity bugs earn more in the black market,” Ely said.

Inclined to Be Ethical

The third market — governments — can be the most lucrative for a bug hunter, but it’s also the most difficult to crack.

“Selling to a government is harder, as it requires the proper contacts and only certain, high severity bugs are of interest,” Ely explained.

“Those two requirements,” he added, “are why most people who find bugs will not be able to go this route.”

Even if they had an opportunity to sell their findings to the dark side, many wouldn’t do so, maintained David Lindsay, a senior security product manager at Coverity.

“A lot of researchers want to do the right thing, and even at the expense of money will disclose a vulnerability to a company,” he told TechNewsWorld.

That’s particularly true for researchers attracted to bounty programs, observed Eduardo Vela Nava, a security engineer with Google, which has a large and successful bug bounty program.

“The target audience of bug bounty programs are researchers who want to keep users safe,” he told TechNewsWorld. “They would continue to report the bugs they find with or without a reward.”

Snow Days

Kids aren’t the only ones who get to stay home on snowy days. Some companies allow their workers to punch in from home on those days also. That can present a security problem for an organization.

While a company’s road warriors may have their equipment properly secured from a host of nasty things outside the corporate firewall, workers who only occasionally work from home and use a family machine to do so can pose a risk to a company. That’s especially true if they’re using VPN software.

“You’re giving these home machines that you have no control over access to your corporate network,” explained Sergio Galindo, general manager of GFI Software.

“That’s one of the scariest things for an IT administrator,” he told TechNewsWorld, “allowing a machine into your network that you don’t know anything about.”

Galindo recommends taking measures to secure computers of employees who need to use a VPN before the snow starts falling.

“You need to make sure there’s some agreement in place around anti-virus and some sort of malware protection on that computer,” he said.

Virtual Mata Haris

Governments have been using women to coax intelligence from men throughout history, but a group of supporters of Syrian President Bashar al-Assad has brought the ruse into the virtual world.

Using fake Facebook profiles and Skype, members of the group posing as women persuaded some opponents of the Assad regime to download malware that pilfered 7.7 gigabytes of data, some of it exposing insights into military operations against the government.

The pro-Assad hackers would set up a Skype account and choose a female avatar, explained Nart Villeneuve, senior threat intelligence researcher at FireEye. “Then they’d contact these fighters in Syria and engage in flirtatious chats with them,” he told TechNewsWorld.

Eventually the “women” would send a picture — typically clipped from news sites — of themselves to their targets. Although the picture file had an image extension, it was actually an executable file that displayed a picture as promised, but also planted malware on the target’s machine.

An examination by FireEye of the chat sessions between the virtual women and men revealed a common question: What are you running Skype on?

“The reason they did that,” Villeneuve said, “was the attackers had a diverse malware arsenal, so if the target was on Android, the attackers could deliver Android malware to them instead of Windows malware.”
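The attachment trick described above is a plain extension-versus-content mismatch, and that is something a defender can screen for at a mail, chat or file-transfer gateway before a user ever opens the file. The Python snippet below is an added example written for this page; it is not FireEye's tooling or anything from the article. It compares the extension a file name claims with the file's leading bytes (its magic number) and flags files that claim to be images but do not begin with an image signature, including double extensions such as photo.jpg.scr. The signature tables and the sample files are constructed for the example.

```python
"""Flag delivered files whose name claims an image but whose bytes say otherwise."""

# File-type signatures used by this example (constructed lookup tables, not from the article).
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "bmp": b"BM",
}
EXECUTABLE_MAGIC = [
    (b"MZ", "Windows PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit"),
    (b"\xfe\xed\xfa\xcf", "Mach-O 64-bit"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit (little-endian)"),
    (b"PK\x03\x04", "ZIP container (APK and JAR packages use this)"),
    (b"#!", "script with shebang line"),
]


def detect_executable(data: bytes):
    """Return a description if the leading bytes match a known executable
    container, else None. Only the header is examined, so this is a cheap
    triage check, not a full parser."""
    for magic, description in EXECUTABLE_MAGIC:
        if data.startswith(magic):
            return description
    return None


def classify_attachment(filename: str, data: bytes) -> dict:
    """Compare what the file name claims with what the bytes contain.

    A file is 'suspicious' when any part of its name claims an image
    extension (photo.jpg, or a double extension such as photo.jpg.scr)
    but the header does not match a known image format.
    """
    parts = filename.lower().split(".")
    exts = parts[1:]                      # every dotted suffix after the base name
    final_ext = exts[-1] if exts else ""
    claimed_image = any(ext in IMAGE_MAGIC for ext in exts)

    if final_ext in IMAGE_MAGIC:
        # Name ends in an image extension: require the matching signature.
        header_matches_image = data.startswith(IMAGE_MAGIC[final_ext])
    else:
        # Otherwise accept any known image signature.
        header_matches_image = any(data.startswith(m) for m in IMAGE_MAGIC.values())

    executable_type = detect_executable(data)
    return {
        "claimed_image": claimed_image,
        "header_matches_image": header_matches_image,
        "executable_type": executable_type,
        "suspicious": claimed_image and not header_matches_image,
    }


# Constructed sample files: only the first bytes matter for this check.
SAMPLES = {
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,               # genuine PNG header
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32,      # PE bytes named as a JPEG
    "holiday.jpg.scr": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32,  # double extension
    "notes.txt": b"meeting at 9\n",                                    # not claiming to be an image
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = classify_attachment(name, blob)
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{name:18} {flag:10} executable={verdict['executable_type']}")
```

The verdict separates two questions: does the name claim an image, and does the header agree. Either answer alone is weak (a renamed executable has a perfectly valid name, and a genuine photo has no executable signature), but the mismatch between the two is a high-signal, low-cost triage rule that a gateway can apply before any heavier scanning, and it works the same whether the payload was built for Windows or for Android, since it inspects the bytes rather than trusting the name the sender chose.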

Breach Diary

  • Feb. 2. FireEye releases report revealing 7.7GB of data was stolen from forces opposed to the regime of Syrian President Bashar al-Assad. Attackers posed as women on Skype and Facebook and tricked targets into downloading malware onto their systems.
  • Feb. 3. U.S. District Court Judge Edward Davila tentatively approves $1.25 million settlement of class-action lawsuit resulting from 2012 data breach at LinkedIn.
  • Feb. 3. Target appoints third CIO since 2013 data breach resulting in the theft of personal information of some 70 million customers. New executive vice president and CIO is Mike McNamara, who was serving as CIO at UK-based Tesco PLC, a grocery and general merchandise retailer.
  • Feb. 3. CIA whistleblower John Kiriakou released to home confinement after serving two years in federal prison for revealing that waterboarding was an official U.S. policy approved by the highest levels of government.
  • Feb. 3. Crypto anarchist collective unSystem announces launch of Darkleaks, an exchange powered by bitcoin technology designed to allow information to be traded anonymously for digital money.
  • Feb. 4. Bills introduced in U.S. House and Senate to update the nearly 20-year-old Electronic Communications Privacy Act. House bill was filed by Representatives Kevin Yoder (R-Kan.) and Jared Polis (D-Colo.) and the Senate bill by Senators Mike Lee (R-Utah) and Patrick Leahy (D-Vt.).
  • Feb. 5. Anthem Inc., the second largest health insurer in the United States, reports a database with 80 million customer records has been breached by hackers. Information stolen from the database included names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data. The company said there was no evidence that credit card or medical information was compromised.
  • Feb. 5. Amy Pascal resigns as head of Sony Entertainment Pictures. A number of embarrassing emails penned by Pascal were exposed by system intruders after a devastating cyberattack on Sony earlier this year.
  • Feb. 5. Iovation releases report on dating site fraud. Among its findings: In 2014, 1.37 percent of all transactions on online dating sites were fraudulent, compared to 1.24 percent for all other industries monitored by the company.
  • Feb. 6. UK’s Investigatory Powers Tribunal declares regulations covering access by Britain’s GCHQ to emails and phone records intercepted by the U.S. National Security Agency breached human rights law.

Upcoming Security Events

  • Feb. 10-12. International Disaster Conference and Exposition (IDCE). Ernest N. Morial Convention Center, New Orleans. Registration: government, nonprofit, academia, $150; private sector, $450.
  • Feb. 11. SecureWorld Charlotte. Harris Conference Center, Charlotte, North Carolina. Open sessions pass: $25; conference pass: $165; SecureWorld plus training: $545.
  • Feb. 12. President Obama’s New Personal Data Notification & Protection Act: Overview, Analysis, and Challenges. 3 p.m. ET. webinar sponsored by ID Experts. Free with registration.
  • Feb. 17. Cyber Threat Spotlight: Social Domains–Fraud’s New Frontier. 1 p.m. ET. BrandProtect webinar. Free with registration.
  • Feb. 19. Third Annual 2015 PHI Protection Network Conference. The DoubleTree – Anaheim-Orange County, 100 The City Drive, Orange, California. Registration: before Jan. 2, $199; after Jan. 1, $249.
  • Feb. 19. Secure Because Math: Understanding Machine Learning-Based Security Products. 2 p.m. ET. Black Hat webcast. Free with registration.
  • Feb. 21. B-Sides Tampa. The Museum of Science and Industry, 4801 E. Fowler Ave., Tampa, Florida. Free.
  • Feb. 21. B-Sides Indianapolis. DeveloperTown 5255 Winthrop Ave., Indianapolis, Indiana. Fee: $10.
  • March 4-5. SecureWorld Boston. Hynes Convention Center. Open sessions pass: $25; conference pass: $175; SecureWorld plus training: $545.
  • March 11. Intelligence Squared U.S. Debates: The U.S. Should Adopt The “Right To Be Forgotten” Online. 6:45 p.m. Merkin Concert Hall, Goodman House, 129 W. 67th Street, New York City. Tickets: $40; student, $12.
  • March 12. B-Sides Ljubljana. Poligon Creative Centre, Tobačna ulica 5, Ljubljana, Slovenia. Free.
  • March 12-13. B-Sides Austin. WinGate Williamson Conference Center, Round Rock, Texas. Fee: $15/day.
  • March 14. B-Sides Atlanta. Atlanta Tech Village, 3423 Piedmont Rd. NE, Atlanta. Free.
  • March 18-19. SecureWorld Philadelphia. DoubleTree by Hilton Hotel, Valley Forge, Pennsylvania. Open sessions pass: $25; conference pass: $295; SecureWorld plus training: $695.
  • March 24-27. Black Hat Asia 2015. Marina Bay Sands, Singapore. Registration: before Jan. 24, $999; before March 21, $1,200; after March 20, $1,400.
  • April 1. SecureWorld Kansas City. Kansas City Convention Center, 301 West 13th Street #100, Kansas City, Mo. Registration: open sessions pass, $25; conference pass, $75; SecureWorld plus training, $545.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Md. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
