Facebook Says SMS Spam Received by Two-Factor Authentication Users Was a Bug

HIGHLIGHTS

  • Facebook users had been getting SMS notifications after signing up for 2FA
  • Users’ responses to notifications would appear as status updates on Facebook
  • Facebook acknowledged the issue and promised a fix

Facebook users have reportedly been getting SMS notifications from the social media website over the past week after signing up for its two-factor authentication security feature. While two-factor authentication is a vital part of protecting online accounts by adding a second layer of security, the text messages, interestingly, were not related to any security feature. This gave rise to speculation that Facebook was trying to increase user engagement. However, Facebook has now responded to the issue, saying that it was a bug and that such notifications were not meant to be sent.

Two-factor authentication is considered a vital security measure: it requires an attacker to have both the user’s password and physical access to a registered device before being able to log into the user’s account. On Facebook, however, the system appears to have ended up being a problem for its users, thanks to SMS notifications. Interestingly, users also complained that if they replied to the SMS notifications, the replies would appear as status updates on Facebook.

Alex Stamos, Facebook Chief Security Officer, explains in a blog post that it was not Facebook’s intention to send non-security-related SMS notifications to phone numbers, and also apologised for the inconvenience caused to users. He wrote, “The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications.”

Facebook has also promised that the bug will be fixed soon. “We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days,” said Stamos.

Asked why users’ responses to SMS notifications would appear as status updates, Facebook again said it was an unintended consequence, enabled by an older feature that let users post to Facebook via text message. This feature would soon be deprecated, Facebook said.

While you wait for Facebook to come out with a fix, you can go to Settings > Notifications to switch off text notifications. You can also use a code generator app or a U2F key instead of providing your phone number to Facebook when enabling 2FA.

[“Source-gadgets.ndtv”]

Bug Bounty Hunters Say They Aren’t Welcome in India

HIGHLIGHTS

  • Bug bounty hunters are hackers who warn companies about security flaws
  • They do this for both rewards, and recognition
  • They say Indian firms pay less, and don’t like talking of vulnerabilities

The recent WannaCry global ransomware attack, and closer to home, the Zomato user data breach, where millions of user logins were compromised, have forced all of us to be much more conscious of digital security. A key part of this ecosystem is the community of ethical hackers, also called bug bounty hunters: people who work with companies to patch security flaws. While bug bounty programs have been standard worldwide for several years, Indian companies like Zomato are only now following suit.

A bug bounty program is a vulnerability reward program instituted by corporates for ethical hackers. Hackers report bugs and vulnerabilities in the corporates’ websites or apps, and the corporates, in turn, recognise and compensate these hackers. A couple of ethical hackers Gadgets 360 spoke to told us that they normally try to work with foreign companies, who are more open to paying bounties and offer richer rewards to boot, compared to their Indian counterparts.

Manish Bhattacharya, an ethical hacker born and raised in Bihar, said he paid off his educational loan through bug bounty programs from Facebook, GitHub, Shopify, and others. Some years ago, he had reported two clickjacking issues for Facebook – where a real link gets replaced by a malicious one, which could serve ads, or even malware. For this, he was paid $5,000 (over Rs. 3.22 lakhs today) by Facebook.

Anand Prakash has his own cyber-security startup, called AppSecure India, based out of Bengaluru. He is on Facebook’s ‘White Hat Bug Bounty Program’, which recognises and rewards security researchers who report vulnerabilities in Facebook’s services. In 2016, he also found a bug in Uber that could let any hacker take multiple rides without paying for them. Uber gave him $5,000 in return.

Anand Prakash runs his own security firm, AppSecure India

For Bhattacharya, bug bounty hunting has been, well, bountiful. He now works for a security firm in the United States. Prakash is on the list of Forbes Asia’s 30 under 30 (2017) and runs his security audit firm.

The ethics of bug bounties
Many companies such as Microsoft, Facebook, and Google are open-handed with bug bounty hunters. Bugcrowd maintains a list of websites that have a rewards program. But it’s important to remember that there are a set of rules that define what counts as ethical hacking.

“The difference [between ethical hacking and unethical hacking] lies primarily in the intent and access rights,” says Amit Sethi, Chief Information Officer, AXIS Bank. “One is authorised and the other is unauthorised. Technology-wise there’s no difference per se.”

Bhattacharya and Prakash also agree with the corporate ethical code.

“If I have permission from the company to test their website or they have a bug bounty program then only I’ll go for bug hunting,” says Bhattacharya. “I’ll never test any government/ bank website without their written permission.”

“Hackers exploiting bugs and leaking user data is unethical. The recent Zomato hack was a perfect example of an unethical hack,” adds Prakash. “The hacker should not have forced the company to run a bounty program by leaking their data.”

Manish Bhattacharya works for a security firm in the US

The argument could be made that the hacker pushed the company to improve its security and institute a program that will only help users – but in the process, the data of millions of users was up for sale, as Prakash points out.

Indian companies don’t like to talk about vulnerabilities
As the hackers we spoke to mentioned, Indian companies aren’t typically welcoming of their efforts. Uber told Gadgets 360 that it has paid more than $860,000 – approximately Rs. 5.5 crore – in the last year to security researchers around the world. Six of the researchers in Uber’s top 50 list were from India. India topped Facebook’s bug bounty list last year, but things are very different when you look at Indian companies.

Global players award Indian hackers consistently, says Sandeep Sharma, a research analyst for IDC. “But, when it comes to Indian corporates, the picture isn’t as rosy,” Sharma explains. “Indian enterprises still have a long way to go as far as proactive security implementations are concerned.”

Why haven’t Indian corporates been encouraging when it comes to bug bounty programs? Startups we approached refused to be a part of this story. According to reports, Snapdeal, Ola, and Swiggy all have private bug-bounty programs, but none of these companies wanted to talk about why bug bounty hunters don’t get due credit in India.

Swiggy CTO and co-founder Rahul Jaimani instead pointed out that the company encourages bug bounties, as long as they are conducted in an ethical manner, and ties up with credible third-party bug bounty platforms on an invite-only basis. He added that Swiggy supports ethical hacking, as long as the researchers comply with Swiggy’s ethical and responsible disclosure norms. He also added that the terms and conditions of the website and app state that unethical techniques used against the system are liable under cyber security law, as per the IPC and the Information Technology Act.

We asked Zomato the same question too, but the company wasn’t available for comment. Zomato had a bug bounty program on HackerOne for a while and after the recent Zomato hack, its CEO Deepinder Goyal tweeted, “Had never offered money as part of the program. That’s what’s going to change now.”

After the company was hacked, Zomato now offers money as part of its bug bounty program

This attitude is a problem as far as most bug bounty hunters are concerned – apart from money, recognition is a big driver as it helps to build a career in ethical hacking, explains Bhattacharya.

“Right now, India is full of startups, most of them don’t have – or they don’t want to spend – extra budget to hire a full-time security guy,” he says. “Most companies don’t trust an independent individual with their security; they prefer a security firm instead. Few startups like Ola, Paytm have bug bounty. But, their rewards don’t match the international standards, so bug hunters don’t spend time with these programs.”

Change remains slow
Axis Bank has an Innovation Lab that experiments with bug bounties. “It would be an incremental step in our efforts towards robust and secure software development and testing,” says Axis’ Sethi. In India, banking and financial service firms have been proactive about security solutions, adds AppSecure’s Prakash, who also told us that his security firm saw a sudden surge of fin-tech corporate customers after the WannaCry and Zomato hacks.

However, both Bhattacharya and Prakash say that the industry has largely been slow to react, even after high profile attacks on their infrastructure.

[“Source-ndtv”]

Google Discloses Windows 10 Bug Under ‘Active Attack’; Microsoft Working on Fix

HIGHLIGHTS

  • Windows 10 vulnerability is in a win32k.sys system call
  • Google said it’s being “actively exploited”
  • Microsoft is unhappy with Google going public before patch

On Monday, Google’s Threat Analysis Group published details of a critical vulnerability in Microsoft’s Windows 10 that allows hackers to escape security sandboxes by using a system call in win32k.sys. Google chose to go public with this knowledge because it believes the vulnerability is being “actively exploited”.

Google had informed both Adobe and Microsoft of the zero-day vulnerabilities only 10 days ago, on October 21. While Adobe has already issued a patch for Flash – available via auto-updater or manual install – Microsoft has yet to send out an update for Windows 10 that blocks the use of this mechanism. Hence, as you’d expect, Microsoft isn’t happy with the disclosure.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” Microsoft conveyed to VentureBeat via a statement. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

Google’s short disclosure period for “vulnerabilities under active attack” came into effect in May 2013, bringing it down from 60 days to just a week. Google noted that 7 days might be “an aggressive timeline and may be too short for some vendors to update their products” but it justified the urgency of its disclosures by saying that it’s still enough time to inform users and give some advice.

Issuing a fix for a web plug-in such as Adobe Flash is obviously much easier than patching an operating system, which is why Google’s policy for vulnerabilities under active attack has remained controversial. For now, you should check that Flash is updated and install Windows patches the moment Microsoft issues them.

[“Source-Gadgets”]

Facebook Bug Bounty Program Awards Indians the Most for Finding Flaws

HIGHLIGHTS

  • Facebook distributed a total of $611,471 to 149 researchers in H1 2016
  • Indians received the biggest share of the bounty in the period
  • Facebook received 9,000 security reports in first six months of 2016

Indians remain the biggest beneficiaries in Facebook’s Bug Bounty program, the company’s initiative to allow security researchers to find flaws on its platform. Joey Tyson, a security engineer at the company, wrote in a post that Indians lead the world when it comes to raking in the moolah, taking the biggest chunk of the $611,741 (roughly Rs 4.08 crores) distributed to 149 researchers via the program between January and June 2016.

The USA and Mexico took the next two spots in the list of countries whose developers get the most money for finding bugs on Facebook. The company has distributed over $5 million among more than 900 researchers under the program in the five years since its inception.

India has been a dominant force in the Facebook bug bounty program over the past few years. Cyber-security researchers and developers from India had been awarded roughly Rs 4.8 crores since the program was started, according to data the company released in March this year. Facebook did not reveal the country-wise breakup of the bounty distribution for the first half of 2016.

Facebook’s Bug Bounty program lets white hat hackers report vulnerabilities in Facebook and its acquired companies and products, such as Instagram, Free Basics, Oculus, and Onavo. With the help of the Bug Bounty program, security researchers were able to report over 9,000 bugs on Facebook platforms in the first half of the year.

This year, Facebook added WhatsApp to the program, expanded payment options to include Bitcoin, and switched to an automated payment process so researchers can be paid faster, Tyson said in the post. Additionally, the award notifications now include information on how the specific bounty was determined.

More changes are coming to the initiative, as Facebook plans to share more educational resources on security fundamentals and on topics specific to its products.

[“Source-Gadgets”]