AES 12th May 2017 - Keeping an Eye on IT Security So You Don’t Have To

May 12, 2017  |  Javvad Malik

It’s about ethics in bug bounties

I’m a big fan of bug bounty programmes and responsible disclosure. I think they work well as additional checks and balances that may slip through the initial security reviews.

Bug bounty platforms are similar to a dating service. They pair up companies with researchers that will look for vulnerabilities within the defined scope and facilitate the payment of the bounty.

But what happens when a company that sells morally dubious (but not necessarily illegal) software wants to run a bounty? It puts the bounty provider in a bit of a dilemma. On one hand it could remain completely impartial and simply act as a conduit to help create secure software. On the other hand, they are facilitating the betterment of software that could be used for malicious purposes.

Such was the case when spyware company, FlexiSPY, showed interest in moving their bug bounty program to HackerOne. The resultant blog post illustrates some of the ups and downs in arriving at an answer.

Casey Ellis, CEO of BugCrowd was far more direct in his approach and dismissal of FlexiSPY

On the bright side of bug bounties

It’s great to see researchers rewarded for finding bugs and vulnerabilities fixed.

But for the rest of the security community, it’s always great to read a detailed writeup on how the researcher discovered the bug and validated it. It serves as a good learning experience for the rest of us.

Emergency Microsoft patch

It feels like the topic of responsible disclosure is never-ending. I’m going to add responsible disclosure to the list of things I won’t talk about in social settings, joining politics, religion, and passwords.

Last Friday, Google researcher Tavis Ormandy stated that he and fellow researcher Natalie Silvanovich had discovered “the worst Windows remote code exec in recent memory”

While no further details were released, it left many security professionals hanging over a nail-biting weekend to learn about this vulnerability.

Some disagreed with the approach and timing, stating that it was scaremongering, or an attempt to gain exposure.

Either way, Microsoft turned it around very quickly, earning the praise of Ormandy and others, and pushed a critical out-of-band update for the Microsoft Malware Protection Engine to plug the vulnerability.

The Government's Role in Insecurity

As much as I personally try to steer clear of politics, cyber security and politics are well and truly bed-fellows in this day and age. Whether it be hacking during elections, leaks, or spying.

The Guardian ran a piece entitled Cyber-insecurity is a gift for hackers, but it’s our own governments that create it. It’s a fascinating look at where democratic capitalism and cyber security intersect.

Criminal probe for Uber

The U.S DoD has begun a criminal investigation into Ubers use of technology that helped drivers identify and circumvent government officials who were trying to clamp down Uber in unapproved areas.

While this isn’t the first, nor is it likely to be the last time the company hits the headlines for all the wrong reasons. The interesting part is the use of technology and how we see that once well-funded organisations start developing their own tools it can become a digital wild west.

Won’t anyone think of the things?

The Internet of Things have found their way into any device imaginable. But despite security warnings, and some pretty big DDoS attacks courtesy of Mirai, it doesn’t look like manufacturers are upping their game.

Hackers look bank accounts with SS7 TFA flaw

The risk has been known for several years now, but it was believed to be low.

Many other similar risks exist in technology today. But the risk landscape is a rapidly changing one. What was perceived a low risk a few years ago, may not be so low today.

Therefore it's important to regularly review how the risk, or the company's risk appetite has changed and changes implemented before an incident occurs.

Share this with others

Tags: news

Get price Free trial