Uber, but for hacking: buf bounties are not without risk
You have undoubtedly heard it: Uber was hacked in October 2016. There is a lot of uncertainty about the situation, which is why we have listed a number of facts:
- Uber was informed that attackers found AWS keys and gained access to confidential material such as private data from customers.
- Uber paid $100,000 and arranged a Non-Disclosure Agreement with the persons involved, including the agreement that the data would be deleted.
While the article is sensational to say the least, there are a number of things that are important to look at. There have been several public cases in recent years where the effect on the companies involved has not always been undividedly positive. Facebook in 2015 and very recently DJI, the Chinese drone producer, are examples of this.
Bug bounties: not without risks
In recent years bug bounties became more popular. These are temporary or permanent projects where companies invite ethical hackers to test their applications and infrastructure. In exchange for the confidential reports the companies sometimes offer relatively high compensation. Uber also runs such a program and has undoubtedly achieved good results with it.
When considering a bug bounty it is always important to clearly document the rules. Which systems can be tested? Which absolutely not? Which actions are allowed or prohibited? The boundaries must be clear to all involved, as to avoid frustration on both sides.
In Uber’s case the hackers used found access keys to download data. Ethical hackers might say that this was necessary to illustrate the impact of their findings but it is actually enough to show the found keys.
There are huge advantages to starting a "bug bounty program", but think before you start. It is always useful to evaluate the internal processes around this.
Now, is there a data breach?
Imagine it happens to you. You work with the security community and discover that a quantity of data was found by one of the ethical hackers. Is that a data breach?
Some believe that it should not be interpreted as a breach, as long as it occurs within a clear process. That seems a bit far-fetched to us. If an employee loses a USB disk containing personal data after a meeting with an external party means there has been a data breach. Doesn’t it?
This is a very pertinent issue regarding GDPR. We use the principle: “if personal data is obtained by external unauthorized parties, there is a breach”. Therefore, it is important to let the company know in case of loss/it is important that these issues would be reported.
The natural reaction in these cases is mostly panic and for that reason we implemented the necessary process that offers us a plan of action. If we follow this, we can make the necessary preparations and ensure that all parties involved have clarity.
What will the future bring?
Without a doubt there will be several disagreements in the coming weeks about the usefulness of bug bounties, the definition of a data breach, and the risk of penetration testing in general.
At SpotIT we are convinced that a proper deployment of offensive security is necessary to better protect infrastructures and applications. Both by using bug bounties and more traditional penetration testing activities. With the right experience, clear agreements and processes, companies will continue to get added value from these activities.
On the other hand, we are convinced that companies must continuously prepare for a possible data breach. It is not enough to describe the processes and only take them out of the closet when a breach occurs. By performing table top exercises where certain scenarios are executed as if they were actually happening, companies can test their processes and continuously train the staff involved. It should no longer be a secondary issue. It must become a priority and be part of a total security strategy.
Finally, it is important to note that hackers are constantly looking for passwords and access keys. These are regularly found in applications, public code repositories, or through social engineering. Therefore, evaluate on a regular basis whether you are still in control of all key material yourself.
Feel free to contact us if you have any additional questions about these topics.
Time to talk?
Do you want to know how your security and network are doing?
With an in-depth audit we map out your security challenges and your entire network.