Bug Bounty แบบแมว ๆ

Version: [--VX.X--]
Date: [--YYYY-MM-DD--]
Author: [--Author--]
Responsible: [--Responsible--]
Confidentiality Class: [--Confidentiality Class--]
Version: 1.0
Date: 2017-09-30
Author: P. Morimoto
Responsible: P. Morimoto
Confidentiality Class: Public
Bug Bounty แบบแมว ๆ

All rights reserved
All rights reserved
All rights reserved
Advisor for information security
Expert for the implementation of security processes and policies
(ISO 27001, BS 25999, GSHB)
Leading company for technical security audits
Specialist for web application security according to ONR 17700
Independent of product manufacturers
Our customers are public authorities, financial institutions and
insurance companies in Central Europe
Sectoral orientation (defence, public, finance, industry)
SEC Consult – Who we are
3

All rights reserved
All rights reserved
All rights reserved
4
ISO/IEC 27001 Certificate
entire company within certification scope
certified since 16.01.2008

All rights reserved
All rights reserved
All rights reserved
5
SEC Consult Vulnerability Lab
European leading research lab for
the identification of
vulnerabilities and the analysis of
new technologies, products and
applications (security advisories)
Integral part of the education and
the further training of the security
experts at SEC Consult
Early information of our
customers due to SEC Consult
security alerts
Support of well-known manufacturers
to enhance the security of their
products
Companies and organisations SEC Consult has released security advisories for
(excerpt). For details see: http://www.sec-consult.com/72.html

All rights reserved
All rights reserved
All rights reserved
6
Who am I ? (Professional)
Pichaya Morimoto
IT Security Consultant
Certifications:
• Offensive Security Certified
Professional (OSCP)
• GIAC Web Application
Penetration Tester (GWAPT)
• Certified Ethical Hacker (CEH)
• CompTIA Security+
Published Security Advisories:
• 2014
- Privilege Escalation in Snort pfSense Package
- Wordpress TimThumb 2.8.13 WebShot RCE
- HybridAuth install.php PHP RCE
• 2015
- PHP MoAdmin 1.1.2 RCE
- Schedule Facebook Posts 1.5.6 SQL Injection
- Lime Survey Multiple Critical Vulnerabilities
• 2016
- Yeager CMS Multiple Critical Vulnerabilities
- ASUS DSL-N55U router Multiple Vulnerabilities
- LINE platform Multiple Vulnerabilities
• 2017
- Aruba AirWave 8.2.3 External Entity Injection

All rights reserved
All rights reserved
All rights reserved
7
Who am I ? (Personal)
Co-administrator of สอนแฮกเว็บแบบแมว ๆ *Former* CTF Player of Pwnladin Team
Co-administrator of 2600 Thailand Security Addict
http://thehackernews.com/2014/06/zero-day-timthumb-webshot-vulnerability.html

All rights reserved
All rights reserved
All rights reserved
8
OWASP Thailand
Meeting 3/2014
Topic: SQL Injection 101 :
It is not just about ' or '1'='1
OWASP Thailand
Meeting 5/2015
Topic: SQLi + Secure
Coding with Hands-on
OWASP Thailand
Meeting 7/2016
Topic: Security
Misconfiguration
OWASP Thailand
Meeting 2/2017
Topic: OWASP Top Ten
Proactive Controls 2016
….

All rights reserved
All rights reserved
All rights reserved
9
• Bug Bounty hunter
• Occasionally, kill bugs for free
Metasploit modules:
• exploit/multi/http/phpmoadmin_exec
• exploit/unix/webapp/hybridauth_install
_php_exec
• auxiliary/admin/http/limesurvey_file_
download
and a lot more private exploit
research and developments : )

All rights reserved
All rights reserved
All rights reserved
10
Hackers, Script Kiddies, Cyber Criminals
https://twitter.com/GhostSquadHack/status/820951470984036353
Notoriety, fun and curiosity

All rights reserved
All rights reserved
All rights reserved
11
Professional Cyber Criminal
http://www.reuters.com/article/us-usa-cyber-swift-exclusive/exclusive-swift-confirms-new-cyber-thefts-hacking-tactics-idUSKBN1412NT

All rights reserved
All rights reserved
All rights reserved
12
A Hacker + Critical Vulnerability = ?
• Keep Secret
• Hack For $$$$
• Full Disclosure
• Vulnerability Disclosure Program
• Bug Bounty Program

All rights reserved
All rights reserved
All rights reserved
13
Bug Bounty Program
“A deal offered by many websites and software developers
by which individuals can receive recognition and compensation
for reporting bugs, especially those pertaining to exploits and vulnerabilities.”
https://en.wikipedia.org/wiki/Bug_bounty_program
https://www.slideshare.net/bugcrowd/webinar-48444938

All rights reserved
All rights reserved
All rights reserved
14
Europol: What’s it gonna be ?
https://www.europol.europa.eu/publications-documents/cyber-crime-vs-cyber-security-what-will-you-choose-poster
Cybersecurity Expert
Skills in coding, gaming, computer
programming and anything IT-related
are in high demand by the public and
private sectors. There are many careers
and professional opportunities available.
Cyber Criminal
Young people getting involved with
cybercrime could face:
- A visit and a warning from police
- Being arrested, a penalty or fine
- Prison, for serious offences
- Criminal records which can affect your
education, future career prospects and
traveling overseas options

All rights reserved
All rights reserved
All rights reserved
15
Bug Bounty for Hackers ( YOU ! )
• Make $$$$ legally from home or anywhere J
• In high demand for IT security career
• Add results to your resume !
https://www.linkedin.com/in/icheernoom/

All rights reserved
All rights reserved
All rights reserved
16
• Hall of Fame
https://bugbounty.linecorp.com/en/halloffame/2016/

All rights reserved
All rights reserved
All rights reserved
Bug Bounty for Hackers ( Me )
17
Special Contributor in LINE Security Bug Bounty Program
• https://bugbounty.linecorp.com/en/halloffame/ (2017)
• https://bugbounty.linecorp.com/en/halloffame/2016/ (2016)

All rights reserved
All rights reserved
All rights reserved
18
https://www.blognone.com/node/79729
2016:
Student + Part-time Bug Bounty Hunter
NOW:
IT Security Professional @ Central Online

All rights reserved
All rights reserved
All rights reserved
19
https://www.facebook.com/whitehat/thanks
https://en.wikipedia.org/wiki/Bug_bounty_program#/media/File:Facebook_t-shirt_with_whitehat_debit_card_for_Hackers.jpg
Facebook Hall of Fame for White Hat hackers
2016
• Suvicha Buakhom (สุวิชา บัวคอม)
2015
• Kittinan Srithaworn (ตั#น)
2014
• Suphannee Sivakorn

All rights reserved
All rights reserved
All rights reserved
20
Bug Bounty for Organizations
• Reduce security risk for your products and services
• Cost effective approach for security testing
• Lower costs compared to Pentest services *Oops!*
• Pay high reward only for high quality bugs J
• Good security reputation
http://www.360logica.com/blog/wp-content/uploads/2014/05/Bug-Bounty-Programs-A-Big-Security-Measure.jpg

All rights reserved
All rights reserved
All rights reserved
21
Success Stories - GitHub on HackerOne platform
Neil Matatall, Security Engineer, Github
https://www.hackerone.com/sites/default/files/2017-05/Case%20Study%20-%20GitHub%20-%20FINAL.pdf
“When we use third parties,
we ask them to focus on a
specific area. With bounties,
researchers look at anything
and everything.”
"This ensures that the amount
of time a bug exists will be
shorter than it would’ve been
without a bounty program."
"It doesn't fully replace manual assessment
work, but it certainly complements it nicely"

All rights reserved
All rights reserved
All rights reserved
22
Success Stories - GitHub on HackerOne platform
Neil Matatall, Security Engineer, Github
https://www.hackerone.com/assets/images/landing/resources/downloads/Bug-Bounty-Field-Manual-complete-ebook.pdf
• As of March 2017, paid $80,000 (2.6 Million Baht)
• 73 submissions
• 6% valid bug (48 out of 795 reports) "Financially, a bounty
program is cheaper than a
full-time employee or a third-
party consulting firm, so
we’d be spending more
money without it."

All rights reserved
All rights reserved
All rights reserved
23
Success Stories - HackerOne platform

All rights reserved
All rights reserved
All rights reserved
I like it, sounds good to me
24
Question:
Shall my company start Bug Bounty Program now?
Answer:
Stop there! Please learn things from HackerOne
1. Bug Bounty Readiness Assessment Questionnaire
https://drive.google.com/file/d/0Bw2srC8rsYIRUDZJU1R0UmJLTG8/view
2. Bug Bounty Field Manual
https://www.hackerone.com/resources/bug-bounty-field-manual
(https://www.hackerone.com/assets/images/landing/resources/
downloads/Bug-Bounty-Field-Manual-complete-ebook.pdf)

All rights reserved
All rights reserved
All rights reserved
What if …
25
• We do vulnerability scan frequently
• We do pentest for newly developed system and/or quarterly
• We have dedicated IT security team (blue team and/or red team)
• We have a variety of internal and external webapps and mobile APIs
• We often receive vulnerability reports from security researchers
=
Please consider Bug Bounty Program J

All rights reserved
All rights reserved
All rights reserved
What if …
26
• My company has never done VA and/or Pentest
• We have no IT security team
• We have only a small webapp
• We have never received any vulnerability report
=
Bug Bounty Program is not yet for you !

All rights reserved
All rights reserved
All rights reserved
27
A Hacker + Critical Vulnerability = ?
• Keep Secret
• Hack For $$$$
• Full Disclosure
• Vulnerability Disclosure Program
• Bug Bounty Program

All rights reserved
All rights reserved
All rights reserved
Must Have: Vulnerability Disclosure Program
28
responsible.disclosure@citi.com
https://online.citi.com/US/JRS/pands/detail.do?ID=ReportingVulnerability
security.disclosures@rbs.co.uk
http://personal.rbs.co.uk/personal/security-centre/responsible-disclosure.html

All rights reserved
All rights reserved
All rights reserved
Must Have: Vulnerability Disclosure Program
29
1. Create security contacts
• security@<company-domain>
• alert@<company-domain>
2. Vulnerability Disclosure Program Policy
• Guidelines
• Scope / Out of scope
• How to report a vulnerability ?
• Optional: HOF, Swags, Bounties
Hint: Open Source Responsible Disclosure Framework
https://github.com/bugcrowd/disclosure-policy
Forward emails to your IT guys

All rights reserved
All rights reserved
All rights reserved
30
BugCrowd's Open Source Responsible Disclosure Framework
https://github.com/bugcrowd/disclosure-policy

All rights reserved
All rights reserved
All rights reserved
31
Bug Bounty Program - Do’s and Don’ts
• Understand the program policy
• Avoid out of scope issues
• Be patient for reported issues
• Use your test accounts for PoC
• Do not cross the lines
• Avoid business impact at all costs
• Do not harm the system availability (No DoS)
• No physical attacks and social engineering
• Do not disclosure other users’ data
https://en-gb.facebook.com/whitehat

All rights reserved
All rights reserved
All rights reserved
35
Eligible Bugs
https://www.facebook.com/notes/facebook-security/
link-shim-protecting-the-people-who-use-facebook-from-malicious-urls/10150492832835766/

All rights reserved
All rights reserved
All rights reserved
For any further questions contact
your SEC Consult Expert.
Pichaya Morimoto
p.morimoto@sec-consult.com
SEC Consult (Thailand) Co., Ltd.
29/1 Piyaplace Langsuan Building, 16B
Soi Langsuan, Lumpini, Pathumwan
Bangkok 10330, Thailand
www.sec-consult.com

All rights reserved
All rights reserved
All rights reserved
46
Contact
GERMANY
SEC Consult Unternehmensberatung Deutschland GmbH
Bockenheimer Landstraße 17-19
60325 Frankfurt / Main
Tel +49 69 175 373 43 | Fax +49 69 175 373 44
Email office-frankfurt@sec-consult.com
AUSTRIA
SEC Consult Unternehmensberatung GmbH
Mooslackengasse 17
1190 Vienna
Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15
Email office@sec-consult.com
LITHUANIA
UAB Critical Security, a SEC Consult company
Sauletekio al. 15-311
10224 Vilnius
Tel +370 5 2195535
Email office-vilnius@sec-consult.com
RUSSIA
CJCS Security Monitor
5th Donskoy proyezd, 15, Bldg. 6
119334, Moscow
Tel +7 495 662 1414
Email info@securitymonitor.ru
SINGAPORE
SEC Consult Singapore PTE. LTD
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Email office-singapore@sec-consult.com
CANADA
i-SEC Consult Inc.
100 René-Lévesque West, Suite 2500
Montréal (Quebec) H3B 5C9
Email office-montreal@sec-consult.com
AUSTRIA
SEC Consult Unternehmensberatung GmbH
Komarigasse 14/1
2700 Wiener Neustadt
Tel +43 1 890 30 43 0
Email office@sec-consult.com
THAILAND
SEC Consult (Thailand) Co., Ltd.
29/1 Piyaplace Langsuan Building 16th Floor, 16B
Soi Langsuan, Ploen Chit Road
Lumpini, Patumwan | Bangkok 10330
Tel +66 02 041 1146
Email office-bangkok@sec-consult.com
www.sec-consult.com

Bug Bounty แบบแมว ๆ

Recommended

Recommended

More Related Content

Similar to Bug Bounty แบบแมว ๆ

Similar to Bug Bounty แบบแมว ๆ (20)

More from Pichaya Morimoto

More from Pichaya Morimoto (12)

Recently uploaded

Recently uploaded (20)

Bug Bounty แบบแมว ๆ