GM Bug Program Gets Mixed Notices

Two white-hat hackers, Charlie Miller and Chris Valasek, made headlines last year when they demonstrated how they couldhijack the control systems of a moving motor vehicle over the Internet. The move got the attention of the auto industry, and last weekGeneral Motors put in place a program to encourage more digital dabblers to alert the company when they find bugs in GM vehicles.

Working withHackerOne, GM published a set of guidelines for submitting flaws to the company. The guidelines, though, mostly describe what a bug finder must do to avoid prosecution.

For example, it advises researchers that they must not cause harm to GM customers or others; compromise the privacy or safety of customers; violate any criminal laws; reveal bugs until GM fixes them; be a resident of Cuba, Iran, North Korea, Sudan, Syria or Crimea; and be on the U.S. Treasury Department’s Specially Designated Nationals List.

There’s no mention in the guidelines that GM will compensate researchers for the hours of work typically spent uncovering vulnerabilities in software.

Demonstrating Leadership

“Working with hackers begins by having a clear way for potential vulnerabilities to be responsibly reported,” said HackerOne CTO Alex Rice.

“A vulnerability coordination process is an important security best practice for every technology company,” he told TechNewsWorld. “General Motors is demonstrating leadership in their field with this commitment.”

Ben Johnson, chief security strategist forBit9 + Carbon Black, also praised GM’s initiative.

“It’s a wise move to try and get a whole community to crowdsource the problem,” he told TechNewsWorld.

However, the popularity of the program remains uncertain, he said. “It will be interesting to see how many contribute versus how many take their chances and go rogue.”

No Rewards Program

The GM initiative lacks an important component of bug-bounty programs.

“It’s not a bug-bounty program unless you’re offering rewards,” said Casey Ellis, CEO ofBugcrowd. “To call something a bug-bounty program when there’s no reward devalues the work that the researchers are doing.”

GM’s initiative is a vulnerability disclosure program, he told TechNewsWorld. It’s creating a way for researchers to let GM know when a bug is discovered.

“They want to show they’re not hostile to what the researchers are doing,” Ellis said. “That’s a step in the right direction, but rewards would be better because they place the proper value on the research that’s being done.”

Bribe Bounties

While GM may not be paying bounties for bugs, it may be paying for them though other means, maintained Johannes Hoech, CMO ofIdentity Finder.

“Someone should ask GM how much they’re paying in bribes already,” he told TechNewsWorld.

“Companies pay this money all the time. Legit bug-bounty programs are essentially an attempt to legally harness what otherwise would continue to be illegal activities,” Hoech said.

“Beating the PR drums around suing researchers is useless and ineffective, because the folks that might respond to that threat are not the ones GM has to worry about anyhow,” he noted.

“In the meantime,” Hoech continued, “they miss out from the near-free intelligence that could be gathered via legit bug-bounty programs.”

DDoS Extortion

Europol last week announced that it carried out a major operation in December against a criminal gang that’s been combining two popular cyberthreats: distributed denial-of-service attacks and digital extortion.

During a worldwide operation against a group called DD4BC, Europol arrested a main target, detained another suspect, and, through multiple searches, seized an extensive amount of evidence, the agency said.

“This particular group is notorious and well-known in the security community,” said Rene Paap, product marketing manager atA10 Networks.

“They’re talented cybercriminals with vast resources,” he told TechNewsWorld.

“They’ve been drawing attention to themselves because they’re doing DDoS for ransom compared to hacktivists who do it to draw attention to a cause,” Paap added.

Mitigation Cheaper Than Ransom

DD4BC launches DDoS attacks against targets that are dependent on their online presence for their main revenue streams. After proving what they can do, the cybercriminals make a ransom demand, he said.

“They say if you don’t pay up today, the attacks will continue and the ransom will double,” Paap said.

Paying that ransom doesn’t make a lot of sense, noted Tim Matthews, vice president of marketing atImperva.

“First, there is no guarantee that the criminal will honor the agreement. Second, paying will only identify you or your organization as a mark, and the criminal may come back and ask for more,” he told TechNewsWorld.

“Once identified as an organization that will pay, others may catch wind and come your way,” Matthews added.

“In general,” he said, “DDoS mitigation services are available for monthly fees that are less than ransom amounts.”

Breach Diary

  • Jan. 11 KOIN TV in Portland, Oregon, reports U.S. Fish and Wildlife Service has asked some of its employees to relocate from their homes due to a data breach at the Malheur Wildlife National Refuge, which is being occupied by unauthorized people calling themselves “Citizens for Constitutional Freedom.”
  • Jan. 11. TaxAct warns an undisclosed number of users that their personal information may have been accessed by unauthorized parties. It believes its systems were compromised by an intruder who used username and passwords obtained from a source outside TaxAct.
  • Jan. 11. Interxion is warning its users that a breach of its CRM system has put at risk information on 23,200 customer records, The Register reports.
  • Jan. 11. ISACA releases survey of 2,920 members in 121 countries that finds 63 percent oppose giving governments backdoor access to encrypted information, and 59 percent believe privacy is being compromised in order to implement stronger cybersecurity laws.
  • Jan. 11. SC magazine reports that Citrix has been compromised by w0rm, a Russian hacker known for his attacks on the BBC, CNET, Adobe and Bank of America.
  • Jan. 12. eBay confirms it has patched an XSS vulnerability that placed the personal data of millions of users at risk.
  • Jan. 12. The personal data of some 18,000 fans of Faithless was stolen from the dance act’s website, The Independent reports.
  • Jan. 12. A Turkish court sentences Onur Kopak, 26, to 334 years in prison by for operating bogus banking websites used to steal credit card numbers and bank credentials.
  • Jan. 12. Microsoft discontinues support, including security patches, for Internet Explorer 8, 9 and 10.
  • Jan. 13. A Cloud Security Alliance survey of 209 security and high-tech professionals finds nearly a quarter of the respondents (24.9 percent) would pay a ransom to prevent a cyberattack, and 14 percent would pay more than US$1 million to do so.
  • Jan. 13. A survey by Cloudmark and Vanson Bourne finds the average cost of a spear phishing attack an a U.S. business to be $1.8 million.
  • Jan. 14. OpenSSH releases a patch for a critical vulnerability that could be exploited to expose private encryption keys. The flaw was found in an undocumented feature called “roaming” that supports the resumption of interrupted SSH connections.
  • Jan. 15. Affinity Gaming, an operator of 11 casinos in the United States, sues Trustwave for failing to stop a data breach it was hired to close, the Financial Times reports.
  • Jan. 15. Hyatt Hotels reveals that 250 hotels were affected by an attack on its payment card systems from August 13 to Dec. 8. The company said it did not know yet how many customers were affected by the attack.
  • Jan. 15. MaineGeneral Medical Center announces that an additional 2,000 people may have had their personal information compromised, including Social Security numbers, from an attack on its computer network in September. The facility originally estimated 118,000 people were affected by the attack.

Upcoming Security Events

  • Jan. 21. From Malicious to Unintentional — Combating Insider Threats. 1:30 p.m. ET. Webinar sponsored by MeriTalk, DLT and Symantec. Free with registration.
  • Jan. 22. B-Sides Lagos. Sheraton Hotels, 30 Mobolaji Bank Anthony Way, Airport Road, Ikeja, Lagos, Nigeria. Free.
  • Jan. 26. Cyber Security: The Business View. 11 a.m. ET. Dark Reading webinar. Free with registration.
  • Jan. 28. Understanding Malware Lateral Spread Used in High Value Attacks. Noon ET. Webinar sponsored by Cyphort. Free with registration.
  • Jan. 28. State of the Phish — A 360-Degree View. 1 p.m. ET. Webinar sponsored sponsored by Wombat Security Technologies. Free with registration.
  • Feb. 3. Building an IT Security Awareness Program That Really Works. 2 p.m. ET. InformationWeek DarkReading webinar. Free with registration.
  • Feb. 4. 2016 annual Worldwide Infrastructure Security Update. 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Feb. 5-6. B-Sides Huntsville. Dynetics, 1004 Explorer Blvd., Huntsville, Alabama. Free.
  • Feb. 9. Start With Security. University of Washington Law School, 4293 Memorial Way NE, Seattle. Sponsored by Federal Trade Commission. Free.
  • Feb. 11. SecureWorld Charlotte. Charlotte Convention Center, 501 South College St., Charlotte, North Carolina. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • Feb. 16. Architecting the Holy Grail of Network Security. 1 p.m. ET. Webinar sponsored by Spikes Security. Free with registration.
  • Feb. 20. B-Sides Seattle. The Commons Mixer Building, 15255 NE 40th St., Redmond, Washington. Tickets: participant, $15 plus $1.37 fee; super awesome donor participant, $100 plus $3.49 fee.
  • Feb. 28-29. B-Sides San Francisco. DNA Lounge, 375 11th St., San Francisco. Registration: $25.
  • Feb. 29-March 4. RSA USA 2016. The Moscone Center, 747 Howard St., San Francisco. Registration: full conference pass before Jan. 30, $1,895; before Feb. 27, $2,295; after Feb. 26, $2,595.
  • March 10-11. B-Sides SLC. Salt Palace Convention Center, 90 South West Temple, Salt Lake City. Registration: $65.
  • March 18. Gartner Identity and Access Management Summit. London. Registration: before Jan 23, 2,225 euros plus VAT; after Jan. 22, 2,550 euros plus VAT; public sector. $1,950 plus VAT.
  • March 29-30. SecureWorld Boston. Hynes Convention Center, Exhibit Hall D. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: before April 16, $2,950; after April 15, $3,150; public sector, $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels