Google Play Security Reward Program

21 October 2017

App security is nowadays a widely discussed issue. Many apps have problems with guaranteeing full safety for their users. Google Play is therefore working with an independent bug bounty platform, HackerOne, and the developers of popular Android apps to implement the Google Play Security Reward Program. Hackers who identify a vulnerability in an in-scope app and report it directly to the app’s developer will be rewarded with $1,000 (Chin, 2017). Many big firms are currently participating in the program: Alibaba, Dropbox, Snapchat and Tinder. 13 apps are currently participating in a trial period, after which Google will open the program to the larger community.

Finding and eradicating vulnerabilities is an important aspect of cybersecurity. Rosenstein (2017), a US Deputy Attorney General, put forward that every company should consider promulgating a vulnerability disclosure policy (VDP). A VDP is a public invitation for ‘ethical hackers’ to report vulnerabilities. HackerOne is the leading platform, with over 950 customers. It follows an ISO 29147 compliant approach designed to receive, resolve, and respond to security vulnerabilities discovered by third-party researchers, academics or other members of the public.

We can state that a VDP is a must these days, giving ethical hackers clear guidelines and encouraging them to report potentially unknown and harmful security vulnerabilities (HackerOne, 2017). The five critical components of a VDP are Promise, Process, Scope, Preferences and “Safe Harbor”; they are elaborated below:

Promise: Convey the mission behind the policy and explain your commitment to security, customers and others.
Process: Detail how finders should submit reports and what information you would like to see.
Scope: Specify what is allowed and what is not allowed.
Preferences: Make a set of non-binding expectations to evaluate reports.
“Safe Harbor”: Say that reporters will not be penalized.

Following these steps, the skills of hackers will be channelled in the right way to improve the security of applications.

References:
Chin, M. (2017). Google is offering $1000 to anyone who can hack Tinder, Snapchat, Dropbox, and more. [Online] Mashable. Available at: http://mashable.com/2017/10/20/google-play-bounty-program/?utm_cid=hp-h-9#ofPSvBM3VmqN [Accessed 20 Oct. 2017].

HackerOne. (2017). Here are the 5 critical components of a Vulnerability Disclosure Policy. [Online] HackerOne. Available at: https://ma.hacker.one/rs/168-NAU-732/images/5-critical-elements-vdp-guide-1pager.pdf [Accessed 20 Oct. 2017].

Rosenstein, R., J. (2017) US Deputy Attorney General Recommends Every Company Create a Vulnerability Disclosure Policy. [Online] HackerOne. Available at: https://www.hackerone.com/blog/US-Deputy-Attorney-General-Recommends-Every-Company-Create-a-Vulnerability-Disclosure-Policy-VDP [Accessed 20 Oct. 2017].


Dangerous Side Effects of the Internet of Things

21 October 2017

In October 2016, 100,000 unsecured Internet of Things (IoT) devices took the domain name provider Dyn down with a massive distributed denial-of-service (DDoS) attack. As a result, many websites such as Netflix and Twitter were offline for a short time. This dangerous side effect of IoT is caused by botnets. The term botnet simply means a group of internet-connected devices controlled by a central system. By using a botnet, hackers create a flood of fake requests to a website or network resource so that legitimate users cannot access it (Marr, 2017). Botnets have been active for a decade. IoT has made the problem much worse with a large number of inexpensive devices that connect to the internet and have little or no built-in security. They are easy targets for hackers, and botnet attacks remain a problem today.

Echeverria and Zhou (2017) discovered botnets with over 350,000 and 500,000 bots this year. But how can we stop hackers from using botnets? The best defense would be for everything online to run only secure software, so that botnets could not be created in the first place. The problem is that most IoT devices are not designed with security in mind and often have no way of being patched. This may have led to the existence of an even more evolved IoT botnet that has already secretly infected a million organizations. This new botnet, called “IoTroop”, is growing at a fast pace and has over 100 more functions than Mirai had when that bot took Dyn down (Barth, 2017).

The discovery of such large botnets is alarming news for businesses and consumers around the globe. Manufacturers of IoT devices need to invest in software or systems to secure their devices and guarantee safety. Otherwise, the next attack could cause major trouble, because operators may not be adequately prepared for the next major IoT-based DDoS attack.

References:
Barth, B. (2017). One year after Mirai, a new IoT botnet threat emerges. [Online] SC Media. Available at: https://digitalstrategy.rsm.nl//2017/10/17/botnet-of-things/ [Accessed 20 Oct. 2017].

Echeverria, J., Zhou, S. (2017). Cybersecurity Experts Uncover Dormant Botnet of 350,000 Twitter Accounts. [Online] MIT Technology Review. Available at: https://www.technologyreview.com/s/603404/cybersecurity-experts-uncover-dormant-botnet-of-350000-twitter-accounts/ [Accessed 20 Oct. 2017].

Marr, B. (2017). Botnets: The Dangerous Side Effects Of The Internet Of Things. [Online] Forbes. Available at: https://www.forbes.com/sites/bernardmarr/2017/03/07/botnets-the-dangerous-side-effects-of-the-internet-of-things/#442d201e3304 [Accessed 20 Oct. 2017].
