Bug Bounty Hunters Say They Aren’t Welcome in India

Bug Bounty Hunters Say They Aren't Welcome in India

HIGHLIGHTS

  • Bug bounty hunters are hackers who warn companies about security flaws
  • They do this for both rewards, and recognition
  • They say Indian firms pay less, and don’t like talking of vulnerabilities

The recent Wannacry global ransomware attack, and closer to home, the Zomato user data breach, where millions of user logins were compromised, have forced all of us to be much more conscious of digital security. A key part of this ecosystem is the community of ethical hackers, also called bug bounty hunters, these are people who work with companies to patch security flaws. While big bounty program have been standards worldwide for several years, Indian companies like Zomato are only now following suit.

A bug bounty program is a vulnerability reward program instituted by corporates for ethical hackers. Hackers report bugs and vulnerabilities of websites or apps from corporates, who, in turn, recognise and compensate these hackers. Gadgets 360 spoke to a couple of ethical hackers told us that that they normally try and work with foreign companies, who are more open to paying bounties, and offer richer rewards to boot, when compared to their Indian counterparts.

Manish Bhattacharya, an ethical hacker born and raised in Bihar, said he paid off his educational loan through bug bounty programs from Facebook, GitHub, Shopify, and others. Some years ago, he had reported two clickjacking issues for Facebook – where a real link gets replaced by a malicious one, which could serve ads, or even malware. For this, he was paid $5,000 (over Rs. 3.22 lakhs today) by Facebook.

Anand Prakash has his own cyber-security startup, called AppSecure India, based out of Bengaluru. He is on Facebook’s ‘White Hat Bug Bounty Program’, which recognises and rewards security researchers who report vulnerabilities in Facebook’s services. In 2016, he has also found a bug in Uber that could let any hacker take multiple rides without paying for them. Uber gave him $5,000 in return.

anand prakash hacker ethical hacker

Anand Prakash runs his own security firm, AppSecure India

For Bhattacharya, bug bounty hunting has been, well, bountiful. He now works for a security firm in the United States. Prakash is on the list of Forbes Asia’s 30 under 30 (2017) and runs his security audit firm.

The ethics of bug bounties
Many companies such as Microsoft, Facebook, and Google are openhanded to bug bounty hunters. Bugcrowd maintains a list of websites that have a rewards program. But it’s important to remember that there are a bunch of rules that define what is ethical hacking.

“The difference [between ethical hacking and unethical hacking] lies primarily in the intent. and access rights,” says Amit Sethi, Chief Information Officer, AXIS Bank. “One is authorised and the other is unauthorised. Technology-wise there’s no difference per se.”

Bhattacharya and Prakash also agree with the corporate ethical code.

“If I have permission from the company to test their website or they have a bug bounty program then only I’ll go for bug hunting,” says Bhattacharya. “I’ll never test any government/ bank website without their written permission.”

“Hackers exploiting bugs and leaking user data is unethical. Recent Zomato hack was a perfect example of an unethical hack,” adds Prakash. “The hacker should not have forced the company to run a bounty program by leaking their data.”

manish bhattacharya hacker ethical hacker

Manish Bhattacharya works for a security firm in the US

The argument could be made that the hacker pushed the company to improve its security and institute a program that will only help users – but in the process, the data of millions of users was up for sale, as Prakash points out.

Indian companies don’t like to talk about vulnerabilities
As the hackers we spoke to mentioned, Indian companies aren’t typically welcoming of their efforts. Uber told Gadgets 360 that it has paid more than $860,000 – approximately Rs. 5.5 crore – in the last year to security researchers around the world. Of this, there were six researchers from India in Uber’s top 50 list. India topped Facebook’s bug bounty list last year, but things are very different when you look at Indian companies.

Global players award Indian hackers consistently, says Sandeep Sharma, a research analyst for IDC. “But, when it comes to Indian corporates, the picture isn’t as rosy,” Sharma explains. “Indian enterprises still have a long way to go as far as proactive security implementations are concerned.”

Why haven’t Indian corporates been encouraging when it comes to bug bounty programs? Startups we approached refused to be a part of this story. According to reports, Snapdeal, Ola, and Swiggy all have private bug-bounty programs, but none of these companies wanted to talk about why bug bounty hunters don’t get due credit in India.

Swiggy CTO and co-founder Rahul Jaimani instead pointed out that the company encourages bug bounties, as long as it’s done in an ethical manner, and ties up with credible third-party bug bounty platforms on an invite only basis. He added that Swiggy supports ethical hacking, as long as the researchers comply with Swiggy’s ethical and responsible disclosure norms. He also added that the terms and conditions of the website and app mention that unethical techniques used against the system are liable under the cyber security law, as per the IPC and Information Technology Act.

We asked Zomato the same question too, but the company wasn’t available for comment. Zomato had a bug bounty program on HackerOne for a while and after the recent Zomato hack, its CEO Deepinder Goyal tweeted, “Had never offered money as part of the program. That’s what’s going to change now.”

zomto culture 1495085835107 zomato

After the company was hacked, Zomato now offers money as part of its bug bounty program

This attitude is a problem as far as most bug bounty hunters are concerned – apart from money, recognition is a big driver as it helps to build a career in ethical hacking, explains Bhattacharya.

“Right now, India is full of startups, most of them don’t have – or they don’t want to spend – extra budget to hire a full-time security guy,” he says. “Most companies don’t trust an independent individual with their security; they prefer a security firm instead. Few startups like Ola, Paytm have bug bounty. But, their rewards don’t match the international standards, so bug hunters don’t spend time with these programs.”

Change remains slow
Axis Bank has an Innovation Lab that experiments with bug bounty. “It would be an incremental step in our efforts towards robust and secure software development and testing,” says Axis’ Sethi. In India, banking and financial service firms have been proactive about security solutions, adds AppSecure’s Prakash, who also told us that his security firm saw a sudden surge of fin-tech corporate customers, after WannaCry and the Zomato hacks.

However, both Bhattacharya and Prakash say that the industry has largely been slow to react, even after high profile attacks on their infrastructure.

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Tags: Bug Bounty, ethical hackers, security advisor, Cyber security, Malware, Ransomware, WannaCry, Zomato Hacked
[“Source-ndtv”]

Google Discloses Windows 10 Bug Under ‘Active Attack’; Microsoft Working on Fix

Google Discloses Windows 10 Bug Under 'Active Attack'; Microsoft Working on Fix

HIGHLIGHTS

  • Windows 10 vulnerability is win32k.sys system call
  • Google said it’s being “actively exploited”
  • Microsoft is unhappy with Google going public before patch

On Monday, Google’s Threat Analysis Group published details of a critical vulnerability in Microsoft’s Windows 10 that allows hackers to escape security sandboxes by using a system call with win32k.sys. The reason Google chose to go public with this knowledge is because it believes the vulnerability is being “actively exploited”.

Google had informed both Adobe and Microsoft of zero-day vulnerabilities only 10 days ago on October 21. While Adobe has already issued a patch for Flash – which is available via auto-updater or manual install – Microsoft has yet to send out an update for Windows 10 that blocks the use of this mechanism. And hence, as you’d expect, Microsoft isn’t happy with the disclosure.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” Microsoft conveyed to VentureBeat via a statement. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”Google’s short disclosure period for “vulnerabilities under active attack” came into effect in May 2013, bringing it down from 60 days to just a week. Google noted that 7 days might be “an aggressive timeline and may be too short for some vendors to update their products” but it justified the urgency of its disclosures by saying that it’s still enough time to inform users and give some advice.

Issuing a fix for a web plug-in such as Adobe Flash is obviously much easier than patching an operating system, which is why Google’s policy for vulnerabilities under active attack has remained controversial. For now, you should check to see Flash is updated and install Windows patches the moment Microsoft issues them.

Tags: Google, Microsoft, Windows 10, Adobe, Adobe Flash
[“Source-Gadgets”]

Facebook Bug Bounty Program Awards Indians the Most for Finding Flaws

Facebook Bug Bounty Program Awards Indians the Most for Finding Flaws

HIGHLIGHTS

  • Facebook distributed a total of $611,471 to 149 researchers in H1 2016
  • Indians received the biggest share of the bounty in the period
  • Facebook received 9,000 security reports in first six months of 2016

Indians remain the biggest beneficiaries in Facebook’s Bug Bounty program, the company’s initiative to allow security researchers to find flaws on its platform. Joey Tyson, a security engineer at the company, wrote in a post that Indians lead the world when it comes to raking in the moolah, taking the biggest chunk of the $611,741 (roughly Rs 4.08 crores) distributed to 149 researchers via the program between January and June 2016.

(Also see: Bug Bounty Hunters and the Companies That Pay Them)

The USA and Mexico took the next two spots in the list of countries whose developers get the most money for finding bugs on Facebook. The company has distributed over $5 million among more than 900 researchers under the program in the five years since its inception.

India has been a dominant force in the Facebook bug bounty program over the past few years. Cyber-security researchers and developers from India had been awarded roughly Rs 4.8 crores since the program was started, according to data the company released in March this year. Facebook did not reveal the breakup of the bounty distribution for the first half of 2016.

Facebook’s Bug Bounty program lets white hat hackers report vulnerabilities in Facebook and its acquired companies and products, such as Instagram, Free Basics, Oculus, and Onavo. With the help of the Bug Bounty program, security researchers were able to report over 9,000 bugs on Facebook platforms in the first half of the year.

(Also see: Facebook Fixes Flaw That Could’ve Let Anyone Access Your Account)

This year, Facebook added WhatsApp to the program, expanded payment options to include Bitcoin, and switched to an automated payment process so researchers can be paid faster, Tyson said in the post. Additionally, the award notifications now include information on how the specific bounty was determined.

More changes are coming to the initiative, as Facebook plans to share more educational resources on security fundamentals and topics specific to our products.

Tags: Facebook, Facebook India, Facebook bug bounty, Facebook Security Researchers, White Hat Hackers

[“Source-Gadgets”]

Lenovo Z2 Plus Starts Receiving Its First Update; Brings Camera Improvements and Bug Fixes

Lenovo Z2 Plus Starts Receiving Its First Update; Brings Camera Improvements and Bug Fixes

Lenovo Z2 Plus Starts Receiving Its First Update; Brings Camera Improvements and Bug Fixes
HIGHLIGHTS
The latest update bumps ZUI version to 2.0.111
The update is 272MB in size
It brings improvements in low-light photography
The Lenovo Z2 Plus was launched in India just a week ago, and now a new software update has already started rolling out to its early adopters. This update brings camera app improvements and bug fixes. The latest update brings the ZUI to version 2.0.111 and is of 272MB in size.

As mentioned, the update introduces enhancements to the camera app on the Lenovo Z2 Plus. The update claims to improve low light photography and increase autofocus stability as well. It also comes with enhanced multi-language support, and improvements in the device’s display and overall system stability. The update also fixes issues related to notification and phone call of Chrono case.

(Also see: Lenovo Z2 Plus First Impressions)
Interestingly, even after the update, the security patch is still dated back to August 1, which means that the September security update will be rolled out separately. The Lenovo Z2 Plus smartphone is exclusively available via Amazon India and is priced at Rs. 17,999 for the 3GB RAM/ 32GB storage variant and Rs. 19,999 for the 4GB RAM/ 64GB storage variant.

Just to recap, the smartphone runs on Android 6.0.1 Marshmallow with the company’s own skin atop. It is a dual-SIM (4G+3G) smartphone that supports Nano-SIM cards. The Lenovo Z2 Plus sports a 5-inch full-HD (1080×1920 pixels) display, a Qualcomm Snapdragon 820 SoC, a 13-megapixel rear camera, and an 8-megapixel front-facing camera. The Lenovo Z2 Plus is powered by a 3500mAh battery, and supports 4G connectivity. There is also a U Touch 2.0 fingerprint sensor on the home button, which is claimed to deliver 99.7 percent accuracy.

Tags: Lenovo, Lenovo Z2 Plus, Mobiles, Android, Lenovo Z2 Plus Features, Lenovo Z2 Plus Specifications, Lenovo Z2 Plus India Launch, Lenovo Z2 Plus Update

[“Source-Gadgets”]