11 research outputs found

    Ethical Hacking for IoT Security: A First Look into Bug Bounty Programs and Responsible Disclosure

    The security of the Internet of Things (IoT) has attracted much attention due to the growing number of IoT-oriented security incidents. IoT hardware and software security vulnerabilities are being exploited, affecting many companies and individuals. Since the causes of vulnerabilities go beyond purely technical measures, there is a pressing demand to demystify the IoT "security complex" and develop practical guidelines for companies, consumers, and regulators. In this paper, we present an initial study targeting an unexplored sphere in IoT by illuminating the potential of crowdsourced ethical hacking approaches for enhancing IoT vulnerability management. We focus on Bug Bounty Programs (BBP) and Responsible Disclosure (RD), which stimulate hackers to report vulnerabilities in exchange for monetary rewards. We carried out a qualitative investigation supported by a literature survey and expert interviews to explore how BBP and RD can facilitate the practice of identifying, classifying, prioritizing, remediating, and mitigating IoT vulnerabilities in an effective and cost-efficient manner. Besides deriving tangible guidelines for IoT stakeholders, our study also sheds light on a systematic integration path to combine BBP and RD with existing security practices (e.g., penetration testing) to further boost overall IoT security. Comment: Pre-print version for conference publication at ICTRS 201

    Friendly Hackers to the Rescue: How Organizations Perceive Crowdsourced Vulnerability Discovery

    Over the past years, crowdsourcing has increasingly been used for the discovery of vulnerabilities in software. While some organizations have extensively used crowdsourced vulnerability discovery, other organizations have been very hesitant to embrace this method. In this paper, we report the results of a qualitative study that reveals organizational concerns and fears in relation to crowdsourced vulnerability discovery. The study is based on 36 key informant interviews with various organizations. The study reveals a set of pre-adoption fears (i.e., lacking managerial expertise, low-quality submissions, distrust in security professionals, cost escalation, lack of motivation of security professionals) as well as the post-adoption issues actually experienced. The study also identifies countermeasures that adopting organizations have used to mitigate fears and minimize issues. Implications for research and practice are discussed.

    A Bug Bounty Perspective on the Disclosure of Web Vulnerabilities

    Bug bounties have become increasingly popular in recent years. This paper discusses bug bounties by framing them theoretically against the so-called platform economy. Empirically, the interest is in the disclosure of web vulnerabilities through the Open Bug Bounty (OBB) platform between 2015 and late 2017. According to the empirical results, based on a dataset covering nearly 160 thousand web vulnerabilities, (i) OBB has been successful as a community-based platform for the dissemination of web vulnerabilities. The platform has also attracted many productive hackers, (ii) but there exists a large productivity gap, which likely relates to (iii) a knowledge gap and the use of automated tools for web vulnerability discovery. While the platform (iv) has been exceptionally fast to evaluate new vulnerability submissions, (v) the patching times of the web vulnerabilities disseminated have been long. With these empirical results and the accompanying theoretical discussion, the paper contributes to the small but rapidly growing body of research on bug bounties. In addition, the paper makes a practical contribution by discussing the business models behind bug bounties from the viewpoints of platforms, ecosystems, and vulnerability markets. Comment: 17th Annual Workshop on the Economics of Information Security, Innsbruck, https://weis2018.econinfosec.org

    From black to white: the regulation of ethical hacking in Spain

    Cyber-attacks are growing exponentially, and their impact on systems, people, and organizations is increasing. Among other challenges, cyber-attack prevention must tackle the fact that many software systems are marketed with security vulnerabilities due to companies' need to reduce time-to-market. One strategy to reduce security vulnerabilities is ethical hacking. However, while ethical hacking can bring many advantages, it also comes with many challenges. This paper introduces a comprehensive study of the possibilities and limitations of ethical hacking in Spain, both empirical and normative. On the empirical side, the paper presents the results of a Delphi study with cyber security experts in Spain on their opinions about the regulation of ethical hacking. In the normative study, the paper critically reviews the possibilities opened by international, European and Spanish law for regulating ethical hacking. The conclusions of this paper offer a roadmap for harnessing ethical hacking to improve cyber security. Security and Global Affair

    Reframing Bitcoin and Tax Compliance

    This Article argues that, contrary to the common belief that Bitcoin enables tax evasion, the Internal Revenue Service (“IRS”) can increasingly police transactions in Bitcoin. First, commercial and technical intermediaries have emerged as part of Bitcoin’s ecosystem. This diverse set of intermediaries can facilitate tax enforcement, as the litigation over the IRS’s summons on Coinbase—the largest domestic digital asset exchange—and subsequent IRS efforts show. These intermediaries could report transactions to the IRS or even, one day, withhold and remit tax payments. Second, the publicly visible, trustworthy nature of Bitcoin’s blockchain—its unique role as a shared truth—allows tax authorities to observe transaction flows. This renders Bitcoin unusually regulable for tax purposes, as recent efforts by the IRS to rely on Bitcoin’s blockchain to police tax evasion demonstrate. The Article offers a proposal by which the IRS might make better use of Bitcoin’s blockchain: the IRS can tailor an existing program to reward technically savvy whistleblowers who scour Bitcoin’s blockchain and determine the identities that correspond to the public Bitcoin addresses at issue.

    The Computer Misuse Act 1990 to support vulnerability research? Proposal for a defence for hacking as a strategy in the fight against cybercrime.

    Despite the recent push towards security by design, most software and hardware on the market still includes numerous vulnerabilities, i.e. flaws or weaknesses whose discovery and exploitation by criminal hackers compromise the security of networked and information systems, affecting millions of users, as acknowledged by the UK Government in its 2016 Cybersecurity Strategy. Conversely, when security researchers find vulnerabilities and disclose them in a timely manner to the vendors who supply the IT products or who provide a service dependent on those products, they increase the opportunities for vendors to remove the vulnerabilities and close the security gap. They thus contribute significantly to the fight against cybercrime and, more widely, to the management of digital security risk. However, in 2015, the European Network and Information Security Agency concluded that the threat of prosecution under EU and US computer misuse legislation ‘can have a chilling effect’, with security researchers ‘discentivise[d]’ from finding vulnerabilities. Taking stock of the significant, but substantially understudied, criminal law challenges that these security researchers face in the UK when working independently, without the vendors’ prior authorisation, this paper proposes a new defence to the offences under the Computer Misuse Act, an innovative solution to be built in light of both the scientific literature on vulnerability research and the exemption proposals envisaged prior to the Computer Misuse Act 1990. This paper argues that such a defence would allow security researchers, if prosecuted, to demonstrate that, contrary to criminal hackers, they acted in the public interest and proportionately.

    DATA INSECURITY LAW

    By broad consensus, data security laws have failed to stem a rising tide of data breaches. Lawmakers and commentators blame these failures on some combination of underenforcement and the laws' failure to recognize the full range of data breach harms. Proposed solutions would augment or expand existing data security laws. These proposed solutions share a fatal flaw: they are rooted in traditional theories of deterrence by punishment. Data security laws come in three forms: duties to protect data, duties to notify consumers after a breach, and post-breach remedies. Almost every data security law is enforced through sanctions, most of which are applied after a company discovers a data breach. In theory, companies increase their data security efforts to avoid sanctions. While appropriate for companies that purchase software, this approach is ineffective when applied to companies that build and provide software as an online service. In the cloud context, improving cybersecurity practices increases expected sanctions. And the cloud context matters. Online data security implicates almost all personal data; online services hold the lion’s share of personal data, and offline firms rely heavily on cloud software to operate their businesses. This Article calls for a new approach to data security regulation, founded on a systemic view of data security practice. By focusing on system-level incentives instead of individual outcomes, lawmakers can bring data security law back into harmony with policy goals.

    A Case Study on Software Vulnerability Coordination

    Context: Coordination is a fundamental tenet of software engineering. Coordination is required also for identifying discovered and disclosed software vulnerabilities with Common Vulnerabilities and Exposures (CVEs). Motivated by recent practical challenges, this paper examines the coordination of CVEs for open source projects through a public mailing list. Objective: The paper observes the historical time delays between the assignment of CVEs on a mailing list and the later appearance of these in the National Vulnerability Database (NVD). Drawing from research on software engineering coordination, software vulnerabilities, and bug tracking, the delays are modeled through three dimensions: social networks and communication practices, tracking infrastructures, and the technical characteristics of the CVEs coordinated. Method: Given a period between 2008 and 2016, a sample of over five thousand CVEs is used to model the delays with nearly fifty explanatory metrics. Regression analysis is used for the modeling. Results: The results show that the CVE coordination delays are affected by different abstractions for noise and prerequisite constraints. These abstractions convey effects from the social network and infrastructure dimensions. Particularly strong effect sizes are observed for annual and monthly control metrics, a control metric for weekends, the degrees of the nodes in the CVE coordination networks, and the number of references given in NVD for the CVEs archived. Smaller but visible effects are present for metrics measuring the entropy of the emails exchanged, traces to bug tracking systems, and other related aspects. The empirical signals are weaker for the technical characteristics. Conclusion: [...

    Bug bounty programs as part of public-sector information security

    This study examines the use of bug bounty programs in public administration. It clarifies what bug bounty programs are, how they work, and what benefits and risks are associated with using them. In addition, information security is examined from a theoretical perspective, as is the connection between public administration and information security. Legislation on information and communication offences is also reviewed and compared against participating in and organizing such programs. The purpose of the study is to establish on what grounds organizing bug bounty programs in the Finnish public sector, and participating in them, comply with Finnish law. A further aim is to answer the question of who decides on launching a program in public administration. A background objective is also to make bug bounty programs, and security-related details of public-sector information systems more generally, better known in the field of law. The study belongs to the research field of legal informatics. Among the branches of law, it can be positioned at the interface of information law and ICT law. These three share an interest in the economic perspective, which is why the study also examines the organization of programs from an economics viewpoint. The criminal law part of the study, by contrast, is approached from the perspective of legal dogmatics. The source material consists largely of articles from the ICT field dealing with bug bounty programs or other security testing, since the topic has only rarely been approached from a legal perspective, even at the international level. In the criminal law analysis in particular, the rules of the Finnish Tax Administration's (Verohallinto) program for the Incomes Register (Tulorekisteri) have also been used as a source, with the criminalizations in the Criminal Code examined against these rules.
    As the title of the study already indicates, bug bounty programs can be part of the security of information systems used in public administration; on their own they are not sufficient, and other methods must also be used to maintain and test security. Organizing a bug bounty program that targets the production environment of an information system, and participating in it, is as a rule activity that complies with current legislation; under certain criminal provisions, however, a participant may nonetheless commit an offence. The significance of the program rules as the source of the injured party's consent must be emphasized in particular: in the future, closer attention should be paid to legal details when drafting program rules.