
LKNOG3 - Bug Bounty

Presentation by Pasan Lamahewa on Bug Bounty at the Lanka Network Operators Group (LKNOG) conference


  1. | Pasan Rawana Lamahewa
  3. ILLUSIVE MINDS ARE AT WORK. Your home, business and organization are at risk. PROTECT YOURSELF TODAY.
  4. Let's get friendly first. I am not a hacker, I am a Bug Bounty Hunter. I break security, not hearts 💘. PASAN RAWANA LAMAHEWA • Civil Aviation Pilot Trainee • Undergraduate in Cyber Security • Undergraduate in Business Management • Undergraduate in IATA • Cyber Security Researcher • Lyricist. A Security Researcher with a FACE.
  5. TOPICS • Understanding Bug Bounty • Bug Bounty Programs • Why Bug Bounty Programs Are Important in Today's Context • Bug Bounty Platforms • Bug Bounty Hunters • Types of Hackers • How to Start a Bug Bounty Program • Forum of Incident Response and Security Teams • Crowdsource Platforms • Rewards • My Experience as a Security Researcher • Things to Consider • Useful Links • Questions
  6. What is Bug Bounty Hunting? Bounty and bounty hunting date back many centuries and are synonymous with England and the USA.
  7. • The IT teams at many organizations don't have enough time, or lack the skills, to think "beyond the routine" in order to identify and squash bugs in their systems. • So organizations "reach out to private individuals for help". This is called a Bug Bounty Program. • The Bug Bounty Hunter uses their tools to break into the systems within the program's scope, writes up a vulnerability report for the organization that issued the bounty, and then gets paid or rewarded.
  8. A simple DEFINITION. A Bug Bounty Program (BBP) or Vulnerability Reward Program (VRP) can be simply defined as an organizational initiative that rewards and recognizes individuals who discover flaws/loopholes in software, systems or websites and ACT ETHICALLY to report them to the organization. In other words, a BBP/VRP is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and rewards.
  9. HISTORY. Source: https://blog.cobalt.io/the-history-of-bug-bounty-programs-50def4dcaab3
  10. WHY A BUG BOUNTY PROGRAM? A bug bounty program is not fighting fire with fire, but the prevention of fire. It takes a White Hat hacker to think before a bad guy creeps in. Remember the story of Frank Abagnale, the famous fraudster who ended up helping the FBI. The winning formula for any organization is to recognize the cyber security researchers who help discover vulnerabilities. This is what a bug bounty program is about: ethical hackers help businesses detect vulnerabilities/loopholes before the bad guys creep in. In other words: getting ahead.
  11. Hacking takes place in vicious minds and in divine minds. Types of hackers: White Hat hackers, Black Hat hackers, Grey Hat hackers.
  12. As organizations implement the latest technology, destructive minds are getting more and more sophisticated. Organizations and their IT professionals are aware of this impending danger, but many believe they are satisfactorily protected, that they can swiftly restore, or that their organizations are too small to be noticed by vicious minds.
  13. Why a Bug Bounty Program? Bugs exist in any software or system; that is a fact. Cybercrimes are committed using a computer, computer technology or a smartphone as the primary tool. Types of criminals: • Social Engineer - manipulates human minds • Phisher - information / password theft • Hacker - blocking systems • Disgruntled Employee - information theft / blocking systems • Ransom Artist - spreads malware / demands ransom
  14. Common Vulnerabilities (the categories of the OWASP Top 10 lists of 2010 and 2013): SQL Injection flaws; Cross-Site Scripting (XSS); Broken Authentication; Insecure Direct Object References (IDOR); Cross-Site Request Forgery (CSRF); Security Misconfiguration; Insecure Cryptographic Storage; Sensitive Data Exposure; Failure to Restrict URL Access; Missing Function Level Access Control; Using Components with Known Vulnerabilities; Unvalidated Redirects and Forwards.
  15. Critical Vulnerabilities. Source & information credit: 2019 edgescan Vulnerability Stats Report (Eoin & The Security)
  16. WHY BUG BOUNTY PROGRAMS ARE IMPORTANT. Bug bounties are an important tool that helps find potential vulnerabilities or flaws, but this has often been misunderstood. That is why the nature and purpose of bug bounty schemes were openly discussed in a U.S. Senate hearing. Security researchers think differently, and we White Hat hackers must think beyond the box, beyond a "hacker's thinking pattern", and "act ethically and responsibly".
  17. How to Start a Bug Bounty Program • Evaluate your organization, its systems and its IT / security team • Decide on a bug bounty / reward system • Decide on a platform or a direct approach to security researchers • Prepare a draft Vulnerability Disclosure Policy • The Rules of Engagement: define the scope of the bug bounty program • Decide, with unquestionable clarity, what conduct is authorized for the security researcher, what proof is needed to confirm a vulnerability, and how the ethical hacker and the organization share the findings • Discuss with your team and senior management and agree • Document > Validate > Authorize > Publish (Public Knowledge / Web). VERY IMPORTANT • Select your point person very carefully • Provide the contact details of your point person; they must be responsive and tech savvy • Provide clear instructions about the program, along with the specification of the overall attack surface (IP addresses, domain names, type of test, type of reports, etc.), and emphasize any exclusions
  18. BUG BOUNTY PROGRAM - LIFECYCLE: Organizations invite security researchers / platforms to test and find flaws → Security researchers research / pentest → Vulnerabilities found (or not found) → Report → IT / security teams validate the issue → Valid issues are REWARDED
  19. Consider Bug Bounties Carefully. Bug bounty programs are all about creating a culture of openness, transparency, responsibility and, above all, trust. Even if an organization doesn't offer bug bounties, it is pertinent to establish a "vulnerability disclosure policy" or ethical disclosure policy: a legal statement that the organization will not prosecute ethical hackers who detect vulnerabilities in its systems / websites and report them ethically. • Since a bounty program is about trust and transparency, an organization should be open about how it will pay, reward or recognize vulnerability detection.
  20. Hand Pick Your Goose for the Golden Egg • Register on good platforms • Research security researchers • Conversation • Be sure and mindful of side effects • Vulnerability Disclosure Agreements • Connect and implement. SELECT YOUR SECURITY RESEARCHER OR PLATFORM and/or MAKE YOUR BUG BOUNTY PROGRAM OPEN TO THE PUBLIC
  21. The Testimonies • Marten Mickos, CEO of bug bounty platform HackerOne, said we need hackers: "Our goal must be an internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security." "Ethical hackers are truly the immune system of the internet," he added. • Justin Brookman, director of Privacy and Technology Policy at Consumers Union, said during the Senate hearing: "Used properly, bug bounty programs enable companies to learn of breaches and vulnerabilities, in service to the larger goals of protecting consumer data and alerting consumers to threats as warranted and/or required by law." Google operates one of the largest bug bounty programs.
  22. SOME HISTORY (Source: Wikipedia) • Hunter & Ready initiated the first known bug bounty program in 1983 for their Versatile Real-Time Executive operating system. Anyone who found and reported a bug would receive a Volkswagen Beetle (a.k.a. Bug) in return. • In 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation, coined the phrase "Bugs Bounty". Ridlinghafer presented a proposal for the "Netscape Bugs Bounty Program" to the Netscape executive team; everyone except the VP of Engineering disagreed, thinking it a waste of time and resources. However, Ridlinghafer was given an initial $50,000 budget to run with the proposal, and the first official "Bug Bounty" program was launched in 1995. The program was such a huge success that it is mentioned in many of the books detailing Netscape's successes.
  23. • In 2011, Dutch hackers Jobert Abma and Michiel Prins found security flaws in hundreds of prominent high-tech companies, among them Facebook, Google, Apple, Microsoft and Twitter. • While many firms ignored their disclosure attempts, Facebook COO Sheryl Sandberg passed the warning to the company's head of product security, Alex Rice. Rice connected with Abma and Prins, and they founded HackerOne, a crowdsourcing platform. • In November 2013, the company hosted a program, funded by Microsoft and Facebook, encouraging the discovery and responsible disclosure of software bugs. By June 2015, HackerOne had identified approximately 10,000 vulnerabilities and paid researchers over $1 million in bounties. In April the company announced 240% year-over-year customer growth in
  24. Katie Moussouris created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cyber security researchers. It was one of the first companies, along with Synack and Bugcrowd, to use crowdsourced security and cybersecurity researchers as linchpins of its business model, and it is the largest cybersecurity firm of its kind. As of July 2018, HackerOne's network consisted of approximately 200,000 researchers, had resolved 72,000 vulnerabilities across over 1,000 customer programs, and had paid $31 million in bounties.
  25. • Facebook operates a large bug bounty program. • HackerOne, which provides managed bug bounty programs for organizations, found that in 2017 the average bounty for a critical vulnerability was $1,923, although payment varies across industry categories. • Bugcrowd also provides a managed bug bounty platform and has its own data on vulnerability payouts: Bugcrowd's 2017 State of the Bug Bounty report found that the average payout across all categories was $451.
  26. REWARDS. In 2018 HackerOne paid $11 million in bounties.
  30. Top bug bounty payouts of 2018, ranked by payout. 10. Even More Facebook Data Exposure. When: April 2018. Payout: $8,000. The bug: data exposure by a third-party app. 9. Google Administrative Authentication Bypass. When: February 2018. Payout: $13,337. The bug: broken authentication for YouTube TV's admin panel. 8. Shopify Open to Takeovers. When: December 2017 - February 2018. Payout: $15,250. 7. Free Games from Valve. When: November 2018. Payout: $20,000. The bug: an API exploit allowing generation of game activation keys. 6. Google's RCE Flaw. When: May 2018. Payout: $36,337. The bug: a remote code execution flaw in Google's deployment environment. 5. Facebook's Largest Ever Bug Bounty. When: undisclosed; part of the bounty program launched in April. Payout: $50,000. The bug: a privacy/monitoring vulnerability. Facebook published a review of its bug bounty program in 2018: as well as payouts for over 700 reported issues, 2018 also saw Facebook's largest ever bounty payout, $50,000.
  31. 4. New Variants of Spectre. When: July 2018. Payout: $100,000. The bug: new sub-variants of the Spectre processor vulnerability. 3. Two Google Pixel Bugs. When: August 2017 - January 2018. Payout: $112,500. The bug: a pair of bugs creating a code injection vulnerability in Google's Pixel smartphone. 2. Hack the Marines and Hack the Air Force. When: October - November 2018. Payout: $150,000 from the Marines; $130,000 from the Air Force. The bug: hundreds of security vulnerabilities. 1. Oath's Days of Bounties. When: April and November 2018. Payout: over $400,000, twice. The bug: hundreds of bugs across two hacking events. Perhaps HackerOne's biggest success story of the year came at the H1-415 event in San Francisco: Oath Inc., a media company that owns brands like Yahoo!, AOL and Tumblr, invited 40 security researchers from HackerOne to a live hacking event. Over the course of the day, hundreds of bugs were discovered, netting a total bounty for the event of over $400,000. Read more at: https://www.immuniweb.com/blog/top-ten-bug-bounty-payouts-of-2018.html
  32. DOs • The earlier the better • Be the user first • Understand the logic in order to break it • Think beyond the mindset of a Black or Grey Hat hacker • Have custom methods/payloads • Not just XSS, CSRF, IDOR, SQLi • Act ethically and report • Be professional. Approach for happy hunting. DON'Ts × XSS, Ctrl-C, Ctrl-V everywhere × The easy way is not the right way × Half-filled submissions & reports × Unethical / irresponsible behaviour × Unethical disclosure × Unethical reporting × Selfishness × Abusing information/data accessed × Don't do BEG HUNTING / never beg for rewards
  33. MOTIVATORS FOR A SECURITY RESEARCHER • Motivator #1: Set yourself a target • Motivator #2: Recognition • Motivator #3: Money • Motivator #4: Self-satisfaction: "I am not a common hacker wearing a Black Hat"; "I keep on collecting and counting my White Hats"
  34. My Experience: Types of Organizations 1. The Genius - takes ethical reports very seriously, rewards, recognizes and partners with the security researcher. 2. The Bulletproof - never recognizes or acknowledges, and thinks they are immortal. 3. Mr. Know-it-All - oops, we knew this before you and are planning to fix it. 4. The Blind & Deaf - never respond. 5. The Neutrals - a bug? A bug bounty program?! News to us; anyway, thank you, we'll look into this.
  35. My Experience: The "Fixed Line Telecommunication Company" in a South Asian country. I reported a serious flaw in their system, which can certainly expose subscribers' sensitive information and much more if found by a bad guy. It has now been 8 months since my responsible reporting of this vulnerability to their IT team, and no action has been initiated to fix it to date. This is a good example of organizations and their IT professionals thinking that they are "Bullet Proof" or acting as "Mr. Know-it-All". Rather, they are liabilities to their customers and to society.
  36. Useful Links: HackerOne https://www.hackerone.com • Bugcrowd https://www.bugcrowd.com • Open Bug Bounty https://www.openbugbounty.org • Vulnerability Lab • Fire Bounty
  37. Please feel free to contact me: pasanrlamahewa@gmail.com 🐦 https://twitter.com/Pasan_Rav
  38. Happy to be with you all and to gain knowledge in my pursuit of cyber security ethical research.
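Slide 14 lists the vulnerability classes a bounty hunter most often reports, but only by name. The Python below is an added example, not part of the presentation and not the code of any real telecom or platform the talk mentions: it shows two of those classes, SQL injection and Insecure Direct Object References (IDOR), in a constructed subscriber-lookup handler, first in the vulnerable form a hunter would report and then hardened with bound parameters and an object-level ownership check. The table names, columns, sample subscribers and the +94 phone numbers are all made up for the demo.

```python
"""Added example (not from the LKNOG3 slides): two of the classes listed on
slide 14, SQL injection and Insecure Direct Object References (IDOR), shown
first in a vulnerable 'subscriber portal' handler and then in a hardened one.
The table names, columns and rows are constructed for this demo only."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory database: two subscribers, one record each.
    Passwords are stored in plaintext purely to keep the injection demo short;
    a real system stores a salted password hash (slide 14's 'Insecure
    Cryptographic Storage' is exactly this mistake)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE subscribers (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, phone TEXT, address TEXT);
        INSERT INTO subscribers VALUES (1, 'alice', 'correct-horse'), (2, 'bob', 'battery-staple');
        INSERT INTO records VALUES (10, 1, '+94 11 000 0001', 'Colombo 03'),
                                   (20, 2, '+94 11 000 0002', 'Kandy');
        """
    )
    return conn


# ---- Vulnerable handlers -------------------------------------------------

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Return the subscriber id on success, else None.
    The statement is assembled with string formatting, so a password of
    ' OR '1'='1 becomes part of the SQL and the WHERE clause is always true."""
    sql = (f"SELECT id FROM subscribers WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def get_record_vulnerable(conn: sqlite3.Connection, caller_id: int, record_id: int):
    """Return the record the client asked for by id.
    caller_id is accepted but never used: any logged-in subscriber can read
    any other subscriber's record just by changing the id in the request (IDOR)."""
    row = conn.execute(
        "SELECT phone, address FROM records WHERE id = ?", (record_id,)
    ).fetchone()
    return {"phone": row[0], "address": row[1]} if row else None


# ---- Hardened handlers ---------------------------------------------------

def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Same query, but user input is passed as bound parameters; the driver
    sends it as data, so quotes in the password cannot change the statement."""
    row = conn.execute(
        "SELECT id FROM subscribers WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def get_record_hardened(conn: sqlite3.Connection, caller_id: int, record_id: int):
    """Object-level authorization: the lookup is scoped to the caller, so a
    record that exists but belongs to someone else is indistinguishable from
    one that does not exist."""
    row = conn.execute(
        "SELECT phone, address FROM records WHERE id = ? AND owner_id = ?",
        (record_id, caller_id),
    ).fetchone()
    return {"phone": row[0], "address": row[1]} if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # classic tautology injection
    print("vulnerable login with injected password ->", login_vulnerable(db, "alice", payload))
    print("hardened   login with injected password ->", login_hardened(db, "alice", payload))
    print("vulnerable: alice (id 1) reads bob's record 20 ->", get_record_vulnerable(db, 1, 20))
    print("hardened:   alice (id 1) reads bob's record 20 ->", get_record_hardened(db, 1, 20))
```

Running it shows the injected login succeeding against the vulnerable handler and failing against the hardened one, and alice reading bob's record only through the vulnerable lookup. The shape of the IDOR fix matters when writing the report: the hardened lookup returns None both for a record that does not exist and for one owned by someone else, so the tester cannot even enumerate which ids are live, which is the behaviour a triager will want to see in the retest.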
