Hack at Capital One set to accelerate bug finders
Growing number of major companies are encouraging the hacker community to find potential vulnerabilities in their computer networks before malicious operators do
When Ali Tutuncu found a vulnerability in Capital One Financial’s software in March, the company fixed the flaw in 20 days.
An independent security researcher, Mr Tutuncu said the bank thanked him and added him to its page of fame.
“They did not pay financially,” he said. “Still, it was a nice experience.”
Capital One is among a relatively small group of major companies that are encouraging the typically anti-establishment hacker community - and security researchers too - to find potential vulnerabilities in their computer networks before malicious hackers do. Some of the programmes offer cash rewards, called bug bounties, of as much as $200,000 (Dh734,500).
The bank is crediting its Responsible Disclosure Programme with helping it track down a Seattle woman who had allegedly infiltrated its computer network. Paige Thompson, 33, allegedly accessed a huge amount of data on more than 100 million people, including names, addresses, dates of birth and about 140,000 Social Security numbers.
That’s a black eye for a company that’s touted its tech savviness, and the hack has sent Capital One shares tumbling 11 per cent in the past week. But it appears the damage could have been worse: Capital One said it was unlikely the information was used for fraud or disseminated to others.
Ms Thompson was charged on July 29 with computer abuse and fraud. Her arrest marks a major success for cyber tip lines and one that is likely to encourage other companies to start their own. Paul Benda, senior vice president of risk and cybersecurity policy at the American Bankers Association, said he couldn’t recall a tip that was wrapped up so quickly.
“From the time they submitted to the time it was submitted, to the time it was shut down to the time there was an arrest, there’s no example I think that comes close to that,” he said.
Alex Rice, co-founder and chief technology officer of HackerOne, which manages “hacker-powered security” platforms for Capital One and other companies, said, “Usually vulnerability disclosure programmes are not uncovering criminal activity. But it is phenomenal that it works out that way.”
Jennifer Bayuk, a former risk cybersecurity executive at several major banks including JP Morgan, said if banks don’t already have vulnerability disclosure programmes, they are likely looking at them now. “They’re probably looking at the Capital One news and meeting with legal as we speak.”
There appears to be plenty of room for growth. A 2018 HackerOne report concluded that 93 per cent of the world’s largest public companies don’t have a policy to handle “critical bug reports” submitted by outsiders.
The tip that led to Ms Thompson’s arrest came in on July 17, when an unnamed “external security researcher” emailed Capital One’s disclosure programme saying that leaked data was being stored on a publicly accessible file at GitHub, which allows users to manage and store software projects.
Capital One provided few details when asked about its cyber tip line. A public page about the bank’s programme at HackerOne shows that it has received at least 30 reports of security flaws since it started in January. HackerOne declined to say how many of those reports were validated security flaws.
“White Hat” hacker programmes have been around for years, but they have become more formalised as the volume and severity of threats have increased. Some companies manage their own vulnerability disclosure efforts. Companies like HackerOne and BugCrowd offer services to analyse incoming tips and, if warranted, pass them on to their clients’ security teams.
“You have to filter it out pretty carefully before you realise what’s real and what’s not,” said Dave Aitel, chief technical officer at Cyxtera Technologies, which provides security for computer networks and cybersecurity services.
Vulnerability disclosure programmes allow companies to crowdsource security, tapping researchers with a diverse background of skills to stress-test computer infrastructure. Ethical hackers and security researchers with specialised skills may discover a flaw that a company’s internal security team missed, or a flaw that may not have been included within the scope of a bank’s security risk assessment, Ms Bayuk said.
The programmes range from invitation-only disclosure programmes, which are often used by companies in regulated spaces like financial services and health care, to tip lines that are open to all comers. They are seen as an alternative to traditional “penetration testing,” where companies hire outside firms to test the security of their networks.
Some companies, like Capital One, publish policies agreeing not to prosecute security researchers for finding bugs in their systems as long as they abide by specific protocols.
Still, inviting hackers to rummage through a computer network isn’t without some risks, since they could come across customer identities or even potentially damage the system, Ms Bayuk said. If a hacker or security researcher were to come across personally identifiable information on Capital One’s services, the company advises them to immediately purge the data and contact the company, according to the programme guidelines.
Some financial institutions stop short of offering financial rewards due to a fear it could encourage criminal behaviour, Ms Bayuk said.
But organisations that offer financial rewards to hackers or security researchers typically get more tips, she said. The amount of a bug bounty depends on the quality of the information provided by the tipster and the severity of the hack, and rewards range from a couple of hundred dollars to hundreds of thousands of dollars.
Apple, for instance, will pay out as much as $50,000 for pointing out a bug that allows a hacker to access iCloud account data on Apple servers, and as much as $200,000 for vulnerabilities in its secure boot firmware components, which block malware when a phone starts, according to the company’s iOS security guide. On Monday, Microsoft announced that it was doubling the top bounty reward, to $40,000, for finding bugs in Azure, the company’s competitor to Amazon Web Services.
Goldman Sachs has had a private disclosure programme in place since January 2018 and awarded $40,500 since it was started, said Patrick Lenihan, a bank spokesman. Goldman offers a maximum payout of $15,000 to people who identify vulnerabilities, although awards are usually around $1,000, Mr Lenihan said.
In recent weeks, it also started a public programme - offering incentives to people who identify flaws such as “unauthorized access to sensitive information.” It too has a maximum reward of $15,000 but that’s likely to increase as it expands, Mr Lenihan said.
Even if Capital One offered cash rewards, it’s not clear that the unnamed tipster would have netted a huge reward. That’s because the information provided was more of a heads-up about leaked data, rather than a detailed report outlining a major flaw, Mr Aitel said.
“You’re not going to make a ton of money saying, ‘Hey, I think someone has your information on a GitHub account,’” he said, adding, “They might send you a thank you T-shirt. They definitely owe you a thank you T-shirt.”
Updated: August 7, 2019 02:08 PM