Expert(s):
CTO and Founderfeature_status*/ ?>
Bugcrowd

Comments Dotted : 19
December 18, 2020

Cyber Security Predictions 2021: Experts’ Responses
Governments around the world will continue to adopt vulnerability disclosure as a default.
Governments are collectively realizing the scale and distributed nature of the threats they face in the cyber domain, as well as the league of good-faith hackers available to help them balance forces. When you're faced with an army of adversaries, an army of allies makes a lot of sense. Judging by the language used in the policies released in 2020, governments around the world (including the UK) are also leaning in to the benefit of transparency inherent to a well-run VDP to create confidence.....Read More
Governments are collectively realizing the scale and distributed nature of the threats they face in the cyber domain, as well as the league of good-faith hackers available to help them balance forces. When you're faced with an army of adversaries, an army of allies makes a lot of sense. Judging by the language used in the policies released in 2020, governments around the world (including the UK) are also leaning in to the benefit of transparency inherent to a well-run VDP to create confidence in their constituents (neighborhood watch for the internet). The added confidence, ease of explanation, and the fact that security research and incidental discovery of security issues happen whether there is an invitation or not is making this an increasingly easy decision for governments to make.  Read Less
December 15, 2020

U.S. Government Victimized By Russian Cyberattacks – Expert Commentary
The Solarwinds incident also highlights the complexity of supply chains and the "no look" dependency on upstream security programs.
Well funded, talented, motivated nation-states exist as a crowd of potential adversaries with diverse skill sets, a variety of motivations and goals, and incentive to get results. The "Mossad/Not-Mossad" threat model introduced by James Mickens suggests that while a sufficiently motivated and resourced adversary will ultimately always achieve their goals, an army of allies stands ready to help raise the bar, increase the cost of an attack, and route the adversary into places where they can be.....Read More
Well funded, talented, motivated nation-states exist as a crowd of potential adversaries with diverse skill sets, a variety of motivations and goals, and incentive to get results. The "Mossad/Not-Mossad" threat model introduced by James Mickens suggests that while a sufficiently motivated and resourced adversary will ultimately always achieve their goals, an army of allies stands ready to help raise the bar, increase the cost of an attack, and route the adversary into places where they can be more easily detected. The Solarwinds incident also highlights the complexity of supply chains and the "no look" dependency on upstream security programs to maintain the integrity of the supplied software, as well as the systems and environments of all users of that software. What happened with Solarwinds could, and has, happened with open source software, and well as with other providers - The use of M.E.Doc in the NotPetya attacks in the Ukraine is a recent example, as was the 2011 attacks on the RSA SecureID authentication software. In this case, the breach of SolarWinds Orion’s code poses a major threat to the Federal Civilian Executive Branch agencies that were using its software, as well as the 425 Fortune companies in their client list, and many, many other organizations worldwide. The potential upside of this breach, as noted by Dmitry Alperovich, is that the incredible scope of its impact creates a dilemma for attacks when it comes to choosing what to exploit. This will shift the burden to incident response and threat hunting teams over the coming weeks to establish if the incident affects them, and if so, was the access provided by the breach used by APT29. Vulnerabilities exist in every platform and every company, and the number of exploitable and their potential impact compounds as developers innovate at unprecedented rates, in part due to the new demands of remote work and widespread access triggered by the COVID-19 pandemic. While there are still many questions remaining about this breach, government agencies must acknowledge the scale and distributed nature of the threats they face in the cyber domain, and realize that they need to accept the assistance of that army of allies who are offering to help defend against the legion of adversaries. Governments and private organizations around the globe have recognized the threats they face and are leaning into the benefit of well-run Vulnerability Disclosure Programs (VDPs) to roll out the red carpet to the digital locksmiths of the Internet, who work to counter and outsmart the adversary and - more importantly - to help create confidence in their constituents’ security ecosystem. The kind of security research and discovery of security issues that could frustrate the efforts of nation-states is happening whether there is an invitation or not, and the truth of this is making the implementation of a VDP an increasingly easy decision to make.  Read Less
September 23, 2020

Expert Commentary: New House Approved Legislation Risks Prosecuting Ethical Security Researchers
As cybersecurity leaders, we have an obligation to support the ethical hacker community as they defend the safety of the Internet.
By enacting The Defending the Integrity of Voting Systems Act, the U.S. government might seek to deter adversaries from meddling with the voting process, but instead the biggest impact they will have is chilling and potentially criminalizing the actions of good-faith hackers conducting security research to help secure the election process. If security researchers are legally unable to discover vulnerabilities in voting systems, then malicious hackers - who are ignoring these laws to being with.....Read More
By enacting The Defending the Integrity of Voting Systems Act, the U.S. government might seek to deter adversaries from meddling with the voting process, but instead the biggest impact they will have is chilling and potentially criminalizing the actions of good-faith hackers conducting security research to help secure the election process. If security researchers are legally unable to discover vulnerabilities in voting systems, then malicious hackers - who are ignoring these laws to being with - have an open field to exploit undiscovered vulnerabilities within voting systems. Another question that remains is whether this new bill will now make ethical security research of second hand and aftermarket voting equipment illegal by putting these machines into the protected computer class? If so, this bill will have practical impact on the ability for voting machine security research to be conducted in the first place/ As the legislation now awaits the POTUS’ signature for final approval, it would be remiss of cybersecurity industry leaders to ignore the fact that this legislation is a step in the wrong direction, as is any broadening of the scope of the CFAA. The Computer Fraud and Abuse Act (CFAA) was originally passed by Congress in response to growing threats from malicious actors, yet it serves as a barrier for the betterment of our society by barring security researchers from doing their job. Every time that it is broadened, good-faith hackers unfortunately are the ones most affected. As cybersecurity leaders, we have an obligation to support the ethical hacker community as they defend the safety of the Internet. This legislation would not only outlaw but also derail the efforts of security researchers in helping identify and resolve vulnerabilities that could potentially destroy an organization within the voting infrastructure, impacting democracy as a whole.  Read Less
September 04, 2020

Expert Commentary: Voatz Wrongly Accuses Ethical Hacker
Congress originally passed the CFAA in response to growing threats from malicious actors.
Voatz’s corporate disclosure in the introduction of this brief is the exact reason why they should not qualify for Amicus Curiae, as it benefits them to uphold the Computer Fraud and Abuse Act (CFAA). Additionally, Voatz’s main argument to the researcher’s amicus brief fails to address the fact that the organizations that establish authorized access will not know about all possibilities for exploitation by an adversary. To elaborate, if there’s a method of exploiting the system that.....Read More
Voatz’s corporate disclosure in the introduction of this brief is the exact reason why they should not qualify for Amicus Curiae, as it benefits them to uphold the Computer Fraud and Abuse Act (CFAA). Additionally, Voatz’s main argument to the researcher’s amicus brief fails to address the fact that the organizations that establish authorized access will not know about all possibilities for exploitation by an adversary. To elaborate, if there’s a method of exploiting the system that the organization is unaware of, they cannot possibly provide legal access to test it. In this case, Voatz would be leaving their voting system vulnerable to attack. Unauthorized access is one of the main purposes of security research - by making it illegal, researchers will be unable to effectively do their jobs, the organization will not be able to close all vulnerabilities, and attackers will win. Congress originally passed the CFAA in response to growing threats from malicious actors. Unfortunately, the law is so broadly written that it criminalizes acts that otherwise violate a website’s terms of services, from lying about your name on a web form to the socially beneficial security testing that ethical security researchers undertake. The purpose of the CFAA is to outlaw malicious cyberattacks, not grant organizations the ability to halt vulnerability reporting by holding ethical researchers legally accountable for their actions. A broader interpretation of "exceeds unauthorized access" in CFAA works directly against the goals of a safer and more resilient internet. Moving forward, security researchers must also pay attention to organizations’ bug bounties to ensure they have safe harbor language.  Read Less
August 24, 2020

Expert Commentary: Uber Covers-up Ransom Payment For PII Of 57M Drivers
I highly advise other industry leaders to consider the value of the ethical security researcher community.
Today's rather escalates the ethical considerations around how Uber responded to its 2016 breach into very real legal ones. What took place in 2016 was clearly extortion, not a bug bounty payment. In a bug bounty program, the terms of engagement - including payment - are set before any sort of hacking takes place. This alignment on all sides facilitates interactions between businesses and the researcher community for safe and effective security testing, and minimizes potential for.....Read More
Today's rather escalates the ethical considerations around how Uber responded to its 2016 breach into very real legal ones. What took place in 2016 was clearly extortion, not a bug bounty payment. In a bug bounty program, the terms of engagement - including payment - are set before any sort of hacking takes place. This alignment on all sides facilitates interactions between businesses and the researcher community for safe and effective security testing, and minimizes potential for misunderstanding. In extortion, it's the other way around, and the threat of data exposure puts pressure on payment. Unfortunately, this incident has also negatively influenced the public’s perception of the hacker community, and of bug bounties in general. Historically, hackers were strictly viewed as malevolent, but the industry's understanding of ethical hackers within the industry has progressed within the last few years to include the much larger community. In fact, there’s a global community of ethical hackers who operate above board and in good faith, and are committed to helping organizations improve their security posture. Although Uber’s original issue was clearly on the side of bad faith, it has highlighted how blurry the line is between hacking that crosses legal lines into dark territory, and the kind of hacking which can be helpful. As leaders within the cybersecurity space, we have a moral obligation to support the next generation of Internet defenders as they advance the ethical hacker community forward. We must band together to fight the masses of bad actors by empowering the hackers that operate with integrity, and protecting them and their work. I highly advise other industry leaders to consider the value of the ethical security researcher community. As the Internet plays an instrumental role in both our daily work and personal lives, this community of cyber defenders around the world work to make the Internet a safer place for everyone.  Read Less
August 12, 2020

Expert Commentary: Unsecured databases exposes 3.1M+ patients’ data
Organizations across all industries can benefit from having a vulnerability disclosure program (VDP) in place.
This researcher’s discovery of Adit’s unsecured database and disclosure to the company is a textbook practice that ethical security researchers will do to help organizations proactively identify and close vulnerabilities before they can be exploited by bad actors. Unfortunately, Adit’s failure to respond to the researcher in the time allowed a bot to delete and possibly steal the critical information belonging to millions of patients that were in the database. This highlights the overall .....Read More
This researcher’s discovery of Adit’s unsecured database and disclosure to the company is a textbook practice that ethical security researchers will do to help organizations proactively identify and close vulnerabilities before they can be exploited by bad actors. Unfortunately, Adit’s failure to respond to the researcher in the time allowed a bot to delete and possibly steal the critical information belonging to millions of patients that were in the database. This highlights the overall failure of both public and private sector organizations to cooperate with ethical security researchers. Organizations across all industries can benefit from having a vulnerability disclosure program (VDP) in place. This is because humans are prone to error and, when developers feel rushed to bring a new product or innovation to market, they will make mistakes along the way. Historically, NoSQL databases like Elasticsearch and MongoDB have been subject to bulk erasure and ransoming. That being said, exposed Elasticsearch instances on the internet will be found, and organizations with VDPs in place will have a greater chance of closing these up before they can be exploited by adversaries. With a VDP, organizations will be able to be proactively alerted of vulnerabilities by ethical researchers before they can be exploited in the wild. Speed is the natural enemy of security, and the best way to remain secure and beat attackers is by thinking like one – even organizations with in-house security teams can benefit from having outside help. In this instance, having a VDP would have allowed Adit to secure their database before it could have been deleted and the data possibly stolen.  Read Less
July 23, 2020

Expert Commentary: Apple iOS Security Research Device Program
Speed is the natural enemy of security in software development.
The iOS Security Research Device program is a step in the right direction for Apple, as they are a high-priority target for nation-state-backed attackers. By looping in more researchers to perform a greater volume of testing, Apple should achieve better security as a result. To proactively identify and close vulnerabilities in their products before they can be exploited by bad actors, both before and after products are brought to market, organizations should take a page out of Apple’s.....Read More
The iOS Security Research Device program is a step in the right direction for Apple, as they are a high-priority target for nation-state-backed attackers. By looping in more researchers to perform a greater volume of testing, Apple should achieve better security as a result. To proactively identify and close vulnerabilities in their products before they can be exploited by bad actors, both before and after products are brought to market, organizations should take a page out of Apple’s playbook and work with outside researchers. Speed is the natural enemy of security in software development, and no organization is safe, even companies with in-house security teams. The news is dampened by their legal battle with Corellium over copyright infringement, since Corellium developed and sold software that allows researchers to hunt for potential iPhone vulnerabilities, but is ultimately a good and exciting move by Apple.  Read Less
July 15, 2020

Expert Insight On SAP Critical Bug Allows Unrestricted Access to ERP, CRM
The challenge of critical bugs is that traditional approaches may take days or even weeks to discover all exploitable instances of vulnerability.
This is the second major Java-based 0-day in the wild in as many weeks targeting widely deployed, Internet-facing critical software. The challenge of critical bugs is that traditional approaches may take days or even weeks to discover all exploitable instances of vulnerability. Even when a patch is issued, successfully ensuring every application is patched becomes a race against malicious actors that know exactly what software they should be targeting. In the case of the SAP bug, the.....Read More
This is the second major Java-based 0-day in the wild in as many weeks targeting widely deployed, Internet-facing critical software. The challenge of critical bugs is that traditional approaches may take days or even weeks to discover all exploitable instances of vulnerability. Even when a patch is issued, successfully ensuring every application is patched becomes a race against malicious actors that know exactly what software they should be targeting. In the case of the SAP bug, the vulnerability in question would allow an unauthenticated attacker unrestricted access to SAP systems, including ERP, CRM and other programs likely to contain highly sensitive information, and enable them to have privileged access even deeper into the network and systems of the affected organization. With crowdsourced security, the global researcher community is able to mobilize within hours, drastically cutting discovery time and allowing more effective prioritization of the effort that goes into testing and deploying patches and mitigations. Speed is absolutely essential when managing risk in these situations and no other traditional security model is able to match crowdsourcing.  Read Less
May 20, 2020

Industry Experts On Verizon DBiR 2020
Whitehat hacking can be an advantageous way to mitigate exploits and improve organizations' cyber postures.
The 2020 Verizon Data Breach Investigations Report (DBIR) is a yearly staple for the security industry, and this year's report is no exception. According to the report, 43% of breaches were attacks on web applications, more than doubling the results from last year. Organizations need to understand the importance of knowing their infrastructure because web applications provide easy entry points for cybercriminals. Web applications are what we interact with as users, but it's more than that: The.....Read More
The 2020 Verizon Data Breach Investigations Report (DBIR) is a yearly staple for the security industry, and this year's report is no exception. According to the report, 43% of breaches were attacks on web applications, more than doubling the results from last year. Organizations need to understand the importance of knowing their infrastructure because web applications provide easy entry points for cybercriminals. Web applications are what we interact with as users, but it's more than that: The technologies and infrastructure which powers the businesses we rely on are ever increasingly built on top of web technologies. With cybercriminals utilizing hacking techniques to exploit web applications, whitehat hacking can be an advantageous way to mitigate exploits and improve organizations' cyber postures. 70% of breaches involve hacking; the same philosophy can be applied to defending organizations by implementing crowdsourced security. Whitehat hackers think like our adversaries, but want to do good, helping organizations find vulnerabilities before the bad guys do. Web application vulnerabilities have always been the top submitted vulnerabilities (90%) across our programs and correspondingly account for the highest percentage of overall rewards paid.  Read Less
April 01, 2020

Industry Leaders And Cybersecurity Experts Insight On Marriott International Data Breach
The FBI’s investigation into the 2018 Marriott Breach concluded that the attackers were working on behalf of the Chinese Ministry of State Security.
Like the OPM, Anthem, Dulles and the 2018 Marriott breach, this breach is just another in a long string of attacks targeting US officials. Think about it, officials from the NSA, CIA, FBI, DoD stay at Marriott hotels, including possibly diplomats, business people or intelligence officials as they travel around the globe. The FBI’s investigation into the 2018 Marriott Breach concluded that the attackers were working on behalf of the Chinese Ministry of State Security--alarm bells should be.....Read More
Like the OPM, Anthem, Dulles and the 2018 Marriott breach, this breach is just another in a long string of attacks targeting US officials. Think about it, officials from the NSA, CIA, FBI, DoD stay at Marriott hotels, including possibly diplomats, business people or intelligence officials as they travel around the globe. The FBI’s investigation into the 2018 Marriott Breach concluded that the attackers were working on behalf of the Chinese Ministry of State Security--alarm bells should be going off. The hospitality industry continues to demonstrate a greater need for stronger security measures - especially since this is the second security incident affecting Marriott in the past two years. This attack emphasizes the need for the hospitality industry to take security seriously. Hotels collect more private personal information than most enterprise organizations (birthdays, passport numbers, email and mailing addresses, and phone numbers). Cybercriminals know what types of organizations collect troves of sensitive data, and given the amount of valuable information at hand, hospitality organizations can no longer afford to ignore their vulnerabilities.  Read Less