[BreachExchange] The Cybersecurity ‘Bug Bounty’ Crusade

Audrey McNeil audrey at riskbasedsecurity.com
Wed Aug 10 19:43:14 EDT 2016


http://edmdigest.com/opinion/the-cybersecurity-bug-bounty-crusade/

Find My Flaw … Please!

This is the idea of many industry leaders in the United States as the “bug
bounty” era has hit full swing. The likes of Uber, Apple, and even United
Airlines have enticed security professionals, and hackers, to seek out and
identify their “weaknesses” within their cyber arena. They have begun
offering money, and even airline miles, as “bounties” when weaknesses and
vulnerabilities are identified and shared with the company.

Bounty Programs: The Pros

The idea behind this strategy is fairly solid: the more people who look for
and analyze potential vulnerabilities, the more can be identified.
Companies are eliciting the help of some of the world’s top hackers and
security specialists to conduct vulnerability tests of their cyber space.
The protection of personal information has been a top risk strategy for
many companies, especially following the leaks of information by Target in
2013, Sony in 2014, Ashley Madison in 2015, and many others.

Bounty Programs: The Cons

Companies are eliciting the help of some of the world’s top hackers and
security specialists to conduct vulnerability tests of their cyber space.
Sounding like a broken record here, but this can be seen as both a pro and
a con, as there is no way to only elicit legitimate researchers and not
black hat hackers.

It has also been seen, even with legitimate security researchers, that
neither group fully follows the guidelines set forth by the probed company,
and they often dig deeper into the workings of the systems than originally asked.

Is it Smart to Entice?

While there are split feelings on the efficiency and effectiveness of the
implementation of the bug bounty, there is one thing which is frequently
agreed upon — the probes often go much further than asked.

This was seen most recently when a legitimate researcher probed and found
many weaknesses within Instagram's cyber-space. The researcher managed to
gain access to enormous amounts of personal data as well as administrative
logins and passwords.

Instead of reporting this vulnerability to Instagram’s parent company,
Facebook, immediately, he took it further and began running secondary
weakness checks and even found the source code to Instagram. This could not
only be detrimental to the people whose data was accessed, but also
economically to Facebook.

Do Bounties Work?

This will only work if the information gained is acted upon immediately. As
noted at the beginning, United Airlines has joined the bug bounty crusade,
offering airline miles, recently awarding 1 million air-miles for the
finding of nearly 20 weak spots as rewards for responsibly disclosed bugs.

United Airlines stated that they take the safety, security, and privacy of
their customers seriously. Yet, one of the bugs found gave the finding
researcher the ability to gain access to flight manifests, personal
information of passengers, credit card information, and even the ability to
change/cancel passengers’ flights. After submitting the information to
United, it took over six months, and a threat by the researcher to release
the bug to the public, before it was fixed.

Is this acceptable? Is this practice even something which should be
utilized, especially in critical infrastructure such as airlines?

“Never open the door to a lesser evil, for other and greater ones
invariably slink in after it.” – Baltasar Gracián