[BreachExchange] Ethical hacking: The Zomato case highlights how the government should use bug bounty programmes

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 2 18:55:45 EDT 2017


https://scroll.in/article/838633/the-zomato-case-highlights-how-the-government-should-use-the-skills-of-ethical-hackers

Last week, a hacker broke into the database of Zomato, India’s largest
online restaurant guide, and accessed five vital details – names, emails,
numeric user IDs, user names and password hashes – of around 17 million
users. The hacker then offered up the details for sale on the darknet
before entering into negotiations with the company. The incident set alarm
bells ringing in the country’s cyber security network as internet users
often use the same passwords for multiple accounts, including social
network sites, mailbox services and banking applications.

Soon after, Zomato posted a series of blogs with details about what had
gone wrong. It also said the security breach in this case was the work of
an “ethical hacker” who merely wished to draw the company’s attention to
the vulnerabilities of its database and to convince it to launch a bug
bounty programme – thus reviving focus on a subject that has gained
prominence in the field of global cyber security in the past six-seven
years.

A bug bounty programme, also known as a vulnerability reward programme, is
a deal offered by some websites and software developers under which
individuals can receive remuneration, in cash or kind or in terms of
recognition, for reporting bugs. While many companies, including Google,
Microsoft and Facebook, have invested millions in bug bounty programmes,
government and security agencies in some countries, too, have been
experimenting with these over the past year. Last year, the United States
Department of Defence launched a bug bounty programme titled “Hack the
Pentagon”, the federal government’s first bug bounty initiative, followed
by “Hack the Air Force” launched in April. Both were launched on the
platform HackerOne, and Zomato has said it will be introducing its bug
bounty programme on the same platform.

In India, even Union ministries and elite security agencies, apart from
government bodies, have been victims of a wide range of cyber attacks, from
website defacement to ransomware. On multiple occasions, including one
reported in April, websites of government agencies and universities in
India have fallen prey to mass cyber attacks allegedly executed by groups
of Pakistan-based hackers. However, cyber security experts said government
agencies are still oblivious to the bug bounty experiment on the ground.

“Bug bounty programmes have been effective worldwide,” said Pavan Duggal,
an advocate and expert in cyber security. “Global giants are investing in
bug bounty programmes today and it is high time government agencies in
India also considered it.”

Indians top bug hunters

While the thought of government agencies in India investing in bug bounty
programmes might still seem farfetched, the country happens to be the
largest contributor of bug hunters worldwide, according to various security
researchers and a report published by leading bug bounty platform Bugcrowd.
Indian hackers top the charts globally both in terms of numbers and payout.
For instance, Facebook invested around $5 million on bug bounty programmes
between 2011 and 2016 and the top three countries based on the number of
payouts were India, followed by the United States and Mexico.

“It appears that the Indian government lacks the will to invest in cyber
security,” said Kislay Chaudhary, a cyber security expert and consultant to
several Central government agencies. “The global figures also indicate that
India is a bank of talent in the field of cyber security. If only the
government had the will to utilise it.”

Some bug hunters provide their services for free to non-governmental
associations. At times, they receive gifts or merchandise as a token of
gratitude, said an ethical hacker who did not wish to be identified. He
added that all it takes for a website to open itself up to a bug bounty
programme is to put up a notification and to collaborate with a bug bounty
platform.

But many organisations, including government agencies, refrain from doing
so fearing two things.

Chaudhary explained, “First, they feel that an open bug bounty programme
will attract more black hats [hackers with malicious intentions] to the
website.” He added, “But what they fail to understand is that an unchecked
and vulnerable website can be targeted by black hats anyway and at any
time, despite having experienced that on multiple occasions.”

According to Vineet Kumar, a cyber expert and consultant to several
government agencies, the other reason could be a matter of investment.
“There is a perception that making oneself available for a bug bounty
programme would imply one’s failure in investing enough in cyber security
through internal resources.”

Better late than never

Despite the reluctance, there has been gradual acceptance of cyber security
measures by government bodies in recent years. Kumar said that in the last
two to three years, some government agencies have opened their websites up
to checks and challenges periodically (mostly once a year) in collaboration
with private partners. “These are not exactly bug bounty initiatives but at
least they make the effort to invite programmers, cyber security experts
and hackers to examine systems for a limited time period and point out
vulnerabilities and give solutions. One example would be the India Smart
Grid Forum [a public-private partnership initiative of the Union Ministry
of Power for development of smart grid technologies in the Indian power
sector].”

The cyber expert added, “Investing in bug bounty programmes is far more
economical than investing in periodic cyber security audits or employing
ethical hackers for bug hunting round the year.”

Kumar’s Jharkhand-based non-governmental body, Cyber Peace Foundation, wants
to organise a cyber security challenge later this year to emphasise the
role and importance of bug bounty programmes among other security measures,
and is currently in talks with some Central government agencies regarding
this.