Bug Bounty Program pays off for cybersecurity at Virginia Tech



Not all hackers are up to no good. In fact, one of the most effective ways to prevent a security breach is to test cybersecurity defenses in much the same way a hacker would, by looking for vulnerabilities in your infrastructure. The main difference, of course, is that instead of exploiting vulnerabilities, you repair them.

In the cybersecurity world, this technique is called “red teaming.” It’s also the idea behind the new Virginia Tech Bug Bounty Program, which gives students and employees the opportunity to play hacker and earn cash rewards for identifying any vulnerabilities, or “bugs,” in specific university-owned domains.

Launched in March 2021, the Bug Bounty program is helping the IT Security Office (ITSO) expand the university’s cybersecurity efforts while engaging the Virginia Tech community.

“Cybersecurity at Virginia Tech has historically focused on defense capabilities [a.k.a. ‘blue teaming’], such as monitoring outbound traffic and encrypting sensitive data,” explained Brad Tilley, director of security architecture for the ITSO. “Red teaming plays offense to the blue team’s defense, taking a more active approach to cybersecurity by seeking out and flagging potential vulnerabilities before bad actors have a chance to exploit them.” Used in tandem, blue teaming and red teaming offer the best chance of maintaining secure systems and minimizing damage from external and internal threats.

However, scouring code for vulnerabilities can be a time-consuming process, even for the most skilled security analysts, and the ITSO red team staff is relatively small. “We realized that in order to grow our offensive capabilities given our resource constraints, we needed to look outside our own office,” Tilley said.

And what better place to look than right outside their office window?

“Virginia Tech has a huge and…


SecurityScorecard taps HackerOne to bring bug bounty data to security ratings




HackerOne and SecurityScorecard have announced a platform integration that will showcase data from the ethical hacking community on a company’s digital scorecard.

SecurityScorecard, for the uninitiated, is a cybersecurity rating and risk-monitoring platform major companies such as Nokia, AXA, and Liberty Mutual use to monitor and assess security throughout their supply chain, including weaknesses in third-party vendors. It’s kind of like a credit score rating for security.

HackerOne, meanwhile, connects businesses with security researchers, or “white hat hackers,” who are financially incentivized to find software vulnerabilities before bad actors do. The HackerOne platform has powered bug bounty programs for major businesses, including Microsoft, Google, Intel, the U.S. Department of Defense, and Goldman Sachs. The San Francisco-based company recently touted major enterprise growth, with nearly half of its new sales stemming from businesses with over $1 billion in revenue.

Risk categories

SecurityScorecard uses 10 broad risk categories as part of its rating system, including endpoint security, network security, DNS health, and patching cadence. It also uses a risk category it calls “hacker chatter,” which automatically collects and analyzes conversations from popular public hacker community channels, such as private forums, social networks, and internet relay chat (IRC). It’s all about finding mentions of a business and its associated digital properties to assess whether any potential undisclosed exploits are being discussed.

This latest partnership with HackerOne builds on that basic concept, though it instead surfaces official bug bounty and vulnerability disclosure data gleaned from HackerOne’s API.

Above: HackerOne score in SecurityScorecard

For SecurityScorecard customers, a “hacker report” signal will appear on scorecards for companies that use HackerOne, though this is on an entirely opt-in basis.

Enterprises will be able to see recent security issues involving companies in their supply chain and take appropriate action — with the ability to download a CSV file…


Ledger Adds Bitcoin Bounty and New Data Security After Hack


Matt Johnson, Ledger’s new Chief Information Security Officer (CISO), had no choice but to hit the ground not just running but, well, sprinting. His first week of work entailed scrutinizing the fallout from an extensive data dump of customer information, among other areas such as data security and increased attacks that would come as a byproduct of bitcoin pumping. 

In the aftermath of the largest hack in company history, and a little over a week after Johnson started, the hardware wallet company Ledger has announced its first measures to address the data breach and ensure such a hack doesn’t happen again. 

These include working with blockchain analytics firm Chainalysis to hunt the hackers, offering a 10 BTC bounty for information leading to the hacker’s arrest and creating a comprehensive review of what information the company holds onto, where it’s stored and how long it’s retained. 

The Ledger hack

Ledger publicly revealed that customer information had been compromised in July 2020. At the time, the company estimated 9,500 customers had been affected by the hack. In the following months, CoinDesk documented a string of convincing phishing attempts executed by the hackers, including emails that mimicked official Ledger correspondence and text messages. 

Then, in December 2020, a data dump “exposed 1 million email addresses and 272,000 names, mailing addresses and phone numbers belonging to people who had ordered Ledger’s devices, which store the private keys for cryptocurrency wallets,” as CoinDesk reported. The number of people affected was much higher than the original estimate of 9,500.

A rash of SIM swaps were reported in the days following the data dump and some customers started getting extortion emails, including threats of violence. 

Now, Ledger has released new information about the hack, revealing that it was likely due, in part, to rogue actors at Shopify, its e-commerce partner at the time. 

Shopify’s rogue agents

On Dec. 23, 2020, Ledger was notified by Shopify of an incident “involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported…


Bug bounty hunter snags $100,000 award for zero-day bug in ‘Sign in with Apple’ system – TechSpot