Cybersecurity News Archives | Bugcrowd
https://www.bugcrowd.com/blog/category/cybersecurity-news/
Last updated: Mon, 01 Apr 2024 01:46:55 +0000

Supply Chain Backdoors, xz/liblzma, CVE-2024-3094, and what we currently know
https://www.bugcrowd.com/blog/supply-chain-backdoors-xz-liblzma-cve-2024-3094-and-what-we-currently-know/
Sun, 31 Mar 2024 19:27:27 +0000

The post Supply Chain Backdoors, xz/liblzma, CVE-2024-3094, and what we currently know appeared first on Bugcrowd.

This article offers a concise overview of the latest developments regarding the xz/liblzma vulnerability and its immediate repercussions within the bug bounty landscape. I strongly recommend exploring the referenced sources for a deeper understanding of this issue. Our insights are built upon the foundational work of many peers, who you can find linked in the sources section below.

What happened?

The discovery of a backdoor in the liblzma package, key to the widely-used XZ compression library, highlights a deliberate attack on the software supply chain, particularly within open-source ecosystems.

Andres Freund, a developer at Microsoft, noticed that failing SSH logins (from the usual automated attempts trying random user/password combinations) were consuming a substantial amount of CPU, along with a longer than usual delay of 500ms on his SSH sessions, which led him to dig deeper. Upon profiling sshd, it was evident that a significant amount of CPU time was being consumed by liblzma, but intriguingly, the profiling tools were unable to attribute it to any specific function. In his own words below, a series of coincidences, incredible attention to detail, and insight led him to uncover one of the most public displays of a motivated attacker to date:

Source: https://mastodon.social/@AndresFreundTec/112180406142695845

This investigation led to the groundbreaking revelation that the upstream XZ repository, along with the XZ release tarballs, had been compromised with a backdoor. His detailed technical analysis of the discovery, which goes into far more depth, is available for further reading here.

Timeline of events

One of the most intriguing parts of this discovery is that the backdoor was introduced by a maintainer of the XZ library, Jia Tan, who had contributed to the project for over two years and had become a key maintainer able to merge his own work. With this access he then proceeded to introduce a very elaborate backdoor.

Per https://boehs.org/node/everything-i-know-about-the-xz-backdoor, the following timeline is an excellently documented summary of what we currently know about the introduction of this vulnerability into XZ:

CVE-2024-3094

Source data https://boehs.org/node/everything-i-know-about-the-xz-backdoor

The exploit within the xz compression tool involved a series of manipulative contributions and patches by new, suspicious accounts over several years, leading to a backdoor that compromised the tool’s security. Through strategic pressure on project maintainers and subtle code changes, these contributors gained trust and inserted malicious code. This incident highlights vulnerabilities in open-source project management and the critical importance of thorough code review and maintainer support. It serves as a wake-up call for the tech community to reassess and strengthen the security practices surrounding open-source software.

Lasse Collin, the original maintainer of the XZ project, has since responded with a concise update on the XZ project incident, promising more information by the first week of April 2024. Currently, the XZ projects’ Git repositories are hosted on git.tukaani.org, following the removal of the xz.tukaani.org DNS name. This change has temporarily left the XZ projects without a homepage, an issue expected to be resolved shortly.

Notably, the backdoor was discovered within the XZ Utils 5.6.0 and 5.6.1 release tarballs, which were created and signed by Jia Tan. It’s important to note that tarballs signed by Collin currently appear to be unaffected, as he created them personally. In the wake of these revelations, the GitHub accounts of both Lasse Collin (Larhzu) and Jia Tan have been suspended, and the xz.tukaani.org subdomain, which was hosted on GitHub Pages, is currently unavailable. Lasse mentions that plans are being considered to possibly migrate this subdomain back to the main tukaani.org domain.

Collin clarifies that only he has had access to the main tukaani.org website, its Git repositories, and related files, whereas Jia Tan’s access was limited to GitHub-hosted components, specifically the xz.tukaani.org subdomain (because it was hosted on GitHub Pages). This incident has prompted additional scrutiny and discussion within the tech community, with further details available through a breakdown by Andres Freund, an FAQ by thesamesam, and ongoing discussions in Gentoo and Debian bug reports.

Who appears immediately affected by this?

Linux users

Affected by CVE-2024-3094 are systems running XZ Utils versions 5.6.0 and 5.6.1, specifically Linux distributions that have adopted these newer releases, including Fedora 41 and Rawhide, and possibly some macOS versions (Apple has also released security updates for Safari and macOS). Red Hat Enterprise Linux (RHEL) is not affected. Users of Debian’s testing, unstable, and experimental branches, as well as Kali Linux users who updated within a specific March window, should seek updates or downgrade to a secure version.

Kali Linux users

Kali Linux was impacted by the CVE-2024-3094 vulnerability within the xz-utils package versions 5.6.0 to 5.6.1, posing a threat between March 26th and March 29th, 2024. Users who updated their system in this period need to apply the latest patches. However, installations not updated during these dates remain unaffected.

Bug bounty hunters/customers

In the bug bounty landscape, this hasn’t had any immediate impact – certainly not on the scale of Log4J and other industry-wide events. Given the complexity of the findings, and how quickly the backdoor was identified, this looks likely to remain the case for the immediate future.

However, given the variety of operating systems in use by the crowd, and customers alike, it’s prudent to check if you’re vulnerable, using the below.

How can I check if I’m running the vulnerable library?

To protect your system against the CVE-2024-3094 vulnerability in XZ Utils versions 5.6.0 and 5.6.1, you should first determine your system’s current version by executing xz --version in the command line. If your system is running one of the compromised versions, CISA advises downgrading to the secure XZ Utils version 5.4.6 Stable. Here’s a practical example for Linux users:

Check your version: Open a terminal and type:

for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do strings "$xz_p" | grep "xz (XZ Utils)" || echo "No match found for $xz_p"; done

(source: https://twitter.com/Kostastsale/status/1773890846250926445).

If your version is 5.6.0 or 5.6.1, proceed to downgrade.

For Debian-based systems, you might use:

sudo apt-get install xz-utils=5.4.6

On RPM-based systems, the command could be:

sudo yum downgrade xz-utils-5.4.6

Ensure to consult your distribution’s package management documentation for the exact command syntax. This precaution helps safeguard your system from unauthorized access attempts through this vulnerability.

While macOS users might not be directly vulnerable to CVE-2024-3094, since macOS has no systemd, it’s still wise to ensure the security of your system. macOS users should run brew upgrade xz, which updates (or downgrades) xz to a version deemed safe by Homebrew’s repository, potentially reverting to the stable 5.4.6 release in line with CISA’s recommendations for mitigating this vulnerability (brew update && brew upgrade --greedy && brew cleanup).

This proactive step helps maintain the overall integrity of your system against potential future exploits. This step is part of a comprehensive approach to maintain system security and mitigate risks associated with CVE-2024-3094.

Another way of quickly checking if you are running a vulnerable version, is to use the official detect.sh script from Openwall, link here.
Download it on the system you would like to check.

Run the following commands:
chmod +x detect.sh
./detect.sh
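The check described above as a reusable POSIX sh script, added here as an example (not code from the Bugcrowd post, Openwall's detect.sh, or the XZ project): it inspects every xz binary on PATH the way the post's one-liner does, reading the version banner with strings from binutils rather than executing the binary, parses the version, and flags 5.6.0 and 5.6.1. The two Homebrew paths are assumed defaults.

```shell
#!/bin/sh
# Added example, not code from the Bugcrowd post or the XZ project. Classifies
# XZ Utils binaries against CVE-2024-3094 (affected releases: 5.6.0 and 5.6.1,
# per the post) without executing them: the banner is read with `strings`.

# True (exit 0) when the version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull "x.y.z" out of banner text such as "xz (XZ Utils) 5.4.6"; prints
# nothing when no banner line is present. Only the first match is used.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Classify banner text for a labelled binary. Prints a verdict and returns
# 0 (not affected), 1 (affected) or 2 (version unknown) so callers can act on it.
classify_xz_banner() {
    label="$1"
    version=$(xz_version_from_banner "$2")
    if [ -z "$version" ]; then
        printf '%s: version not found, inspect manually\n' "$label"
        return 2
    fi
    if xz_version_affected "$version"; then
        printf '%s: %s AFFECTED (CVE-2024-3094), downgrade to 5.4.6\n' "$label" "$version"
        return 1
    fi
    printf '%s: %s not affected\n' "$label" "$version"
    return 0
}

# Candidate xz paths: one per PATH entry, plus the assumed Homebrew prefixes
# (/opt/homebrew on Apple Silicon, /usr/local on Intel Macs).
list_xz_candidates() {
    ( IFS=:; for d in $PATH; do printf '%s/xz\n' "$d"; done )
    printf '%s\n' /opt/homebrew/bin/xz /usr/local/bin/xz
}

# Scan every candidate that exists; returns non-zero if any binary is
# affected or its version could not be determined.
scan_xz_binaries() {
    status=0
    for p in $(list_xz_candidates | sort -u); do
        [ -x "$p" ] || continue
        # Same approach as the post's one-liner: never run a possibly
        # backdoored binary, just look for its banner string.
        banner=$(strings "$p" | grep '^xz (XZ Utils)')
        classify_xz_banner "$p" "$banner" || status=1
    done
    return $status
}

# Run the scan only when asked, e.g.: sh xz_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_xz_binaries
fi
```

The exit status of scan_xz_binaries makes the script usable from a fleet-wide job: non-zero means at least one host needs the downgrade or a manual look.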

How did we respond at Bugcrowd?

Bugcrowd Internal Security & Engineering Teams

As any internal security team should, Bugcrowd used its internal Incident Response Plans (IRPs) to triage and validate whether any areas were affected by this supply chain issue, and what the impact was. Bugcrowd’s internal security team maintains a fully dynamic Software Bill of Materials (SBOM), including all transitive dependencies, for all code repositories and endpoints, allowing prompt triage of all assets instead of reconstructing them in retrospect. Based on this information, Bugcrowd was able to confirm that we were unaffected. We believe this type of preparedness will benefit other teams too, so Bugcrowd intends to publish some of our SBOM code over time as open source.

Bugcrowd Triage

As situations develop that look like they could result in a large volume of critical findings, we monitor closely and develop collateral in real time. This served us well with Log4J, and this event had the potential to be of a similar scale.

Upon becoming aware of CVE-2024-3094, we expanded our monitoring efforts beyond our primary channels to include social media, forums, Slack channels, and press coverage, to ensure timely and accurate identification and triage of any developments related to this vulnerability. In the event of relevant discoveries, our plan was to assign a specialized internal team with dedicated staff across multiple regions, providing swift and precise evaluation of any findings linked to this issue.

Bugcrowd Customer Service

As we coordinated our internal response to CVE-2024-3094, our technical customer service teams, including TCSM and Support, were also briefed and prepared with statements for customers inquiring about the issue. These communications were designed to inform customers about the steps they needed to take to check their systems, as well as to provide transparency about Bugcrowd’s own security measures in response to the vulnerability.

What happens next?

One of the consequences of this finding is that Jia Tan contributed not only to this library, but also others, leading to a larger review effort being needed to see if other components may also be in a currently vulnerable state. Beyond that, the question becomes how to avoid these issues in the supply chain – or whether they can be avoided at all. Open Source software is the backbone of many services, and companies that we rely upon – and not everything can be closely scrutinized to the level of detail needed to avoid these attacks.

We’ve outlined our sources below, where updates can be found (the most notable for this event currently being @AndresFreundTec and boehs.org). Alternatively, if you’re concerned about this vulnerability and would like to have the most up to date information that we have available, please don’t hesitate to reach out to your technical customer success manager, and they can provide you with a more recent update.

Sources

  1. https://www.openwall.com/lists/oss-security/2024/03/29/4
  2. https://mastodon.social/@AndresFreundTec/112180406142695845
    https://x.com/AndresFreundTec/status/1774190743776866374
  3. https://boehs.org/node/everything-i-know-about-the-xz-backdoor
  4. https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
  5. https://twitter.com/robmen/status/1774067844785086775
  6. https://twitter.com/solardiz/status/1774101169293422922
  7. https://www.openwall.com/lists/oss-security/2024/03/29/23
  8. https://www.openwall.com/lists/oss-security/2024/03/29/27
  9. https://twitter.com/gynvael/status/1774163197513404873
  10. https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
  11. https://www.cve.org/CVERecord?id=CVE-2024-3094
  12. https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
  13. https://www.kali.org/blog/about-the-xz-backdoor/
  14. https://www.bugcrowd.com/blog/bugcrowds-log4j-response-behind-the-numbers/
  15. https://www.openwall.com/lists/oss-security/2024/03/29/4/3
  16. https://www.cisa.gov/news-events/alerts/2024/03/27/apple-released-security-updates-safari-and-macos
  17. https://twitter.com/Kostastsale/status/1773890846250926445

Follow Michael on Twitter @codingo_ to keep up with his latest content! Want to discuss this with the Crowd? Join our Discord and sign up for a Researcher Account to get involved!

Bugcrowd’s Latest Funding Tops $100M to Drive New Growth
https://www.bugcrowd.com/blog/bugcrowds-latest-funding-tops-100m-to-drive-new-growth/
Mon, 12 Feb 2024 12:40:50 +0000

Taking on the role of CEO at Bugcrowd marked the beginning of a transformative journey for our company. Through the challenges and changes, our unwavering focus remained on what we could control—taking care of each other, our customers, and the hacker community.

Today marks another significant milestone for Bugcrowd, and I’m thrilled to share that we successfully secured $102 million of strategic growth financing. This investment in Bugcrowd, led by General Catalyst, with participation from our long-term partners Rally Ventures and Costanoa Ventures, reflects our commitment to scaling up Bugcrowd’s AI-powered crowdsourced security platform.

In a landscape where threat actors increasingly deploy sophisticated AI techniques, Bugcrowd’s proactive approach to cybersecurity utilizes a crowdsourced AI-powered platform. This empowers organizations to identify and remediate security vulnerabilities before malicious actors can exploit them. The infusion of new funds will drive continued innovation on the Bugcrowd Platform and accelerate our growth across EMEA, APAC, and the U.S., both organically and through strategic M&A opportunities.

Our mission to redefine crowdsourced security is at the core of what we do, and this strategic investment underscores the dedication of our incredible team, the collaborative hacker community, and the trust our customers place in Bugcrowd’s innovative approach to proactive security.

With this investment, we welcome Mark Crane, Partner at General Catalyst, and Paul Sagan, Senior Advisor at General Catalyst, to the Bugcrowd Board of Directors. Paul Sagan will also take on the role of Board Chair. Joining our advisory board are Jeff Simon, Chief Security Officer at T-Mobile, and Prabhath Karanth, Vice President and Global Head of Security and Trust at Navan, serving alongside David Fairman, CIO & CSO – APAC at Netskope.

“I am honored to assume the role of Board Chair at Bugcrowd as they lead the way in the crowdsourced cybersecurity market,” said Paul Sagan, Senior Advisor at General Catalyst. “At this critical juncture for the company, marked by substantial growth and market expansion, along with a rapidly expanding team comprising industry leaders and a community of top-tier hackers, I look forward to providing ongoing support as Bugcrowd enables a new era of cybersecurity.”

Bugcrowd achieved remarkable success in the past year, with over 200 new clients, including notable names like OpenAI, T-Mobile, Rapyd, and ExpressVPN. Our team has grown by 130 new members, contributing to an overall business growth of more than 40% year-over-year, and our Pen Test as a Service (PTaaS) business surged by nearly 100%. Customers have tangibly improved their security postures through Bugcrowd’s Bug Bounty and Vulnerability Disclosure Program (VDP) offerings.

This journey has been incredible, and I look forward to our continued growth, innovation, and collaboration. 

Thank you to our customers, partners, employees, and, of course, the hacker community, for believing in Bugcrowd and helping us transform the crowdsourced security market.

Security Flash: CISA Order to Disconnect Ivanti Products
https://www.bugcrowd.com/blog/security-flash-cisa-order-to-disconnect-ivanti-products/
Fri, 02 Feb 2024 07:25:38 +0000

In an unprecedented move, the US government’s cybersecurity agency CISA mandated that all federal civilian executive branch agencies disconnect all Ivanti VPN appliances within 48 hours. This rare occurrence came after four critical CVEs were documented.

Casey Ellis, Bugcrowd Founder and Chief Strategy Officer, broke down the situation on the latest Bugcrowd Security Flash. Here’s a quick summary of what is currently happening.

Ivanti vulnerability timeline

On December 3, Volexity noticed suspicious behavior tied to Ivanti Connect Secure and Ivanti Policy Secure products. In the course of threat hunting and research, they discovered two critical, easy-to-exploit vulnerabilities, as well as evidence of malicious exploitation. The first two CVEs were disclosed January 10 (CVE-2023-46805 and CVE-2024-21887). There are at least 30,000 instances of this software across the internet, meaning there are massive opportunities for threat actors to exploit these vulnerabilities.

Ivanti put out a fixed timeline for organizations to expect patches, although that timeline has been pushed, presumably because of the complexity of the fix itself.

On February 1, two new CVEs were also announced, bringing the total to four CVEs:

CISA mandate

On February 1, CISA mandated that all federal civilian executive branch agencies disconnect all Ivanti VPN appliances as soon as possible and no later than 11:59PM on Friday February 2, 2024. This is an incredibly rare move by CISA. It points to an acknowledgement that organizations are out of time from an exploitation and risk standpoint and that there is a massive amount of potential impact.

Since these vulnerabilities are relatively easy to exploit, threat actors can have a lot of impact very quickly. Given the nature of these exploited products, they tend to be in the center of everything within an organization. This gives threat actors a lot of optionality in terms of next steps after exploit.

This is an unprecedented move by CISA, and even if you aren’t a government agency, organizations should consider CISA’s advice as relevant in any industry. It is a strong indicator of the massive amount of potential risk.

Next steps for security leaders

Given the amount of attention these vulnerabilities have received, it is safe to assume if you have these Ivanti products in your environment, you’ve probably been compromised. Organizations should confirm whether or not these products exist in their environment (keeping in mind that they could exist as shadow IT).
Next, organizations should start proactive threat hunting. Security leaders should talk to IT teams that manage these products and understand the cost of disconnecting these products, implementing a back-up access plan for those who regularly rely on a VPN.
As times of crisis calm down, security leaders should assess how to minimize exposure from exploits like these in the future. One tip is to be sure your team has threat hunting as a skill set, so you can quickly identify if your environment is exploited.
From a product perspective, organizations can lean on crowdsourced security testing and the crowd to help them identify critical vulnerabilities in the software development lifecycle, catching them before they become bigger issues and building confidence in the market.

Unsolved Cyber Mysteries Volume 3: Code Red
https://www.bugcrowd.com/blog/unsolved-cyber-mysteries-volume-3-code-red/
Thu, 30 Nov 2023 16:59:35 +0000

In this installment of Unsolved Cyber Mysteries, we dive deep into one of the most infamous worms in history—Code Red. Was it an experiment gone wrong or a carefully planned state-sponsored attack? This episode unravels the enigma that wreaked global havoc and brought top organizations to a grinding halt by exploiting vulnerabilities in Microsoft’s IIS software.

Code Red was a beast unlike any other we had seen before. It marked a shift in the threat landscape, demonstrating sophistication and purpose not seen in its predecessors. It wasn’t created out of benign curiosity; its code laid the foundation for future attacks.

Episode 3: Code Red

The worm’s name came from the then-new cherry-flavored Mountain Dew, which researchers Marc Maiffret and Ryan Permeh were drinking when they discovered it. More sinister speculation theorized that Code Red was retaliation for the Hainan Island incident, where an American intelligence aircraft and a Chinese interceptor jet collided in mid-air, resulting in an international dispute between the United States and China.

Another theory circled the infamous coding group 29A and a member called Wintermute. Known for creating sophisticated worms, it wouldn’t have been beyond them to create something as complex as Code Red. However, the destructive nature of Code Red wasn’t in line with 29A’s usual creations, casting some doubt on this theory.

The attack’s origin also remains a topic of debate, with some pointing to Makati City, Philippines, and others to a university in Guangdong, China. Code Red’s code contained comments written in English, and its potential test environment was traced back to the Philippines. But without definitive evidence, we can only speculate.

Ultimately, the true origins and creators of Code Red remain shrouded in mystery. However, one thing is sure: it forever changed our understanding of the internet-connected world.

Love this series? Check out the Max Headroom signal hijacking incident or the WANK Worm.

New UK Legislation Must Protect Good-Faith Hackers
https://www.bugcrowd.com/blog/new-uk-legislation-must-protect-good-faith-hackers/
Mon, 23 Oct 2023 14:13:17 +0000

In March this year, we issued a ‘call to action’ to CISOs and ethical hackers, encouraging them to respond to a UK Government consultation on updating its 33-year-old Computer Misuse Act (CMA). Why did we do this and what happens now?

The UK Government’s spring consultation on updating the CMA was a really important issue for us to highlight because, under the current act, hacking of any kind remains technically illegal in the UK. Dating back to 1990, the act doesn’t differentiate between ‘hacking for good’ and hacking for malicious purposes.

The current act is out of date with reality. In 2023, an ever-increasing number of CISOs and organizations across the world are benefiting from the skills of hackers via crowdsourced cyber security platforms like Bugcrowd. This includes, in the UK, many vulnerability disclosure program (VDP) customers, who have no intention of pursuing the very researchers that seek out vulnerabilities for the public good.

Why it Matters

The letter of the existing CMA law is at odds with current policy statements. For example, the UK Government’s National Cyber Strategy 2022 states that it aims to develop “valuable and trusted relationships with the security researcher community, delivering a reduction in vulnerabilities across the government estate.” However, the appropriate legal protections for researchers and ethical hackers are not in place.

Bugcrowd founder and CTO, Casey Ellis, has offered advice to the UK Government via his involvement with the Hacker Policy Council. This is a coalition of organizations with deep security expertise that advises legislators around the world, many of which are wrestling with similar issues. The world has simply moved forward and legislators clearly need to react.

Protection for hackers has extensive support from business. In its 2021 report, the State of Cybersecurity Resilience 2021, Accenture found that 81% of business leaders believe the cost of staying ahead of cybersecurity attackers to be “unsustainable.” This perception of a ‘losing battle’ has helped fuel interest in Bugcrowd’s crowdsourced approach to cybersecurity during the last two years.

The Need for UK Legislation to Support Hackers

While many regulators around the world are grappling with the same issues as the UK to create legislation, there’s also plenty of best practice legislation already in place for them to reference. In the US, there have been at least 43 instances since 2014 of vulnerability disclosure programs or bug bounty being mentioned in relation to a bill, law, policy, or directive that was proposed and in some cases established/signed into law. Given the global nature of both bad actors and the security researcher community, consistency between jurisdictions will only help in the prosecution of bad actors and the protection of good-faith hackers.

Following public consultations, the UK Government typically issues a response, usually several months later. After its January 2022 consultation on proposals for legislation to improve the UK’s cyber resilience closed, a response was published in November. We could see the response to the recent CMA consultation any time from now.

It’s part of our mission here at Bugcrowd to stand up for and represent the ethical hacker community, so we’ll be looking at the UK Government’s response carefully on the community’s behalf, whenever it comes. You’ll find Bugcrowd at Black Hat Europe in London this December. Find us there and tell us what you think.

Unsolved Cyber Mysteries Volume 2: The WANK Worm
https://www.bugcrowd.com/blog/unsolved-cyber-mysteries-volume-2-the-wank-worm/
Wed, 18 Oct 2023 13:00:46 +0000

Welcome to another volume of Bugcrowd’s newest docuseries, Unsolved Cyber Mysteries. We hope you enjoyed our first volume covering the unsettling tale of the Max Headroom signal hijacking.

It’s time to join Bugcrowd Founder and CTO (Chief Terror Officer) Casey Ellis for another spooky episode about the original act of hacktivism.

Episode 2: WANK Worm

“Hacktivism” is a form of digital activism that leverages technological expertise to promote social or political change. It operates in a virtual realm, often employing tactics like website defacement or exposure of sensitive information. Hacktivism has become more prominent in the news cycle due to the collective known as Anonymous. Anonymous is a loosely organized group of individuals who engage in various forms of digital protest.

Before Anonymous and hacktivism were widely known, there was the iconic WANK Worm. WANK Worm is a prime example of how hacking can be used to get a message across.

The story of WANK Worm begins in 1989, during a year of particular political unrest. Between the Berlin Wall and the Tiananmen Square massacre, many activists were making their voices heard. 

One of the many controversial events of the year was the planned launch of NASA’s Galileo Probe. This was controversial because many saw the plutonium-powered satellite as the first step toward the nuclearization of space. Two days before the mission launched, NASA employees showed up to work to find a bizarre message popping up on their screens. 

“Your system has been officially WANKed.” 

Watch this episode to find out what happened with this giggle-inducing worm, the impact it had on NASA, and the daunting risks and costs of hacktivism.

Introducing Unsolved Cyber Mysteries and the Case of the Max Headroom Signal Hijacking
https://www.bugcrowd.com/blog/introducing-unsolved-cyber-mysteries-and-the-case-of-the-max-headroom-signal-hijacking/
Fri, 06 Oct 2023 13:00:14 +0000

Happy October, AKA Cybersecurity Awareness Month. It’s no coincidence that Cybersecurity Awareness Month happens during the spookiest time of year: the vulnerabilities that lie in the shadows can have some seriously haunting consequences.

To celebrate, we’re excited to launch Bugcrowd’s brand new series, Unsolved Cyber Mysteries. Unsolved Cyber Mysteries is a micro docuseries that retells the real stories of everyday people who were swept up in extraordinary breaches, unexplained leaks, and exposures of sensitive data. This hair-raising series, hosted by Bugcrowd Founder and CTO (Chief Terror Officer) Casey Ellis, unites security practitioners and true crime junkies in the astounding, creepy, and downright terrifying stories of cybersecurity gone wrong.

Episode 1: The Max Headroom Signal Hijacking

The year was 1987. The Simpsons had just premiered as shorts on The Tracey Ullman Show, U.S. President Ronald Reagan had delivered his famous speech at the Berlin Wall, and Guns N’ Roses had released their career-making debut album.

On the evening of November 22, Chicago viewers tuned into WGN-TV’s 9 O’Clock News. Just as WGN sports anchor Dan Roan began discussing the Chicago Bears’ win over the Detroit Lions at Soldier Field earlier that day, screens across the city suddenly went black for about 10 seconds.

An unknown person in a Max Headroom mask then appeared on screen for approximately 30 seconds, accompanied by the eerie noise of static. For those who don’t know, Max Headroom is a fictional character who debuted in the 1985 TV film Max Headroom: 20 Minutes into the Future.

The person in the mask appeared to be dancing in front of a swaying metal background. The intruder had overridden the station’s studio-to-transmitter link with a stronger signal, and WGN engineers thwarted the attack by switching the frequency of that link. The total interruption lasted about 33 seconds and left viewers, sound engineers, and broadcasters alike flummoxed.

About two hours later, during an episode of Doctor Who airing on WTTW, Chicago’s PBS station, the Max impersonator showed up again. This time the video clip had sound. Viewers heard distorted audio of the hacker speaking and singing, although most of the statements were random and seemingly inexplicable, such as quoting New Coke’s advertising slogan, “catch the wave.”

Unfortunately, this hijack was less G-rated than the WGN one. Instead of just dancing, the Max impersonator raised the stakes: holding up a middle finger, exposing his rear end, and being spanked with a flyswatter. This intrusion lasted longer, about 1 minute and 22 seconds.

Feeling mystified? So was the rest of Chicago (and the world). Don’t miss the first episode of Unsolved Cyber Mysteries to learn more about this hijack, the reaction, explanations of possible motivations, and a breakdown of the impact. 


How T-Mobile Is Using a New Bug Bounty Program to Keep Customers Safe from Harm https://www.bugcrowd.com/blog/how-t-mobile-is-using-a-new-bug-bounty-program-to-keep-customers-safe-from-harm/ Wed, 30 Aug 2023 15:00:00 +0000 https://live-bug-crowd.pantheonsite.io/?p=10343

The post How T-Mobile Is Using a New Bug Bounty Program to Keep Customers Safe from Harm appeared first on Bugcrowd.

This Q&A was originally posted on T-Mobile’s site and can be found here.  

A “threat actor” might sound like a character from some doomed Greek tragedy, but in today’s world they actually inhabit the digital stage, as individuals or groups that attack digital devices, networks or computer systems. 

“Fighting threat actors at T-Mobile is an all-day, everyday team sport,” says Mark Clancy, SVP of cybersecurity at T-Mobile. “Like all major companies, we face actors from around the globe with the intent to steal information, abuse our systems, or disrupt our operations. Services we provide to customers and partners on the internet are a frequent target of interest by these actors, and ensuring these are free from security flaws with our bug bounty program is essential.”

Which is why the company turned to Bugcrowd, the leading provider of crowdsourced security. Bugcrowd’s platform runs what is called a “bug bounty” program, which pays ethical hackers to locate vulnerabilities so they can be addressed before the bad guys find them. And even just two months into the partnership, Clancy says T-Mobile is benefiting.

“The key to a good bug bounty program is to find things you did not know about before and mitigate them quickly,” he says. “We have been very happy with the rigor and velocity of execution as we ramped up the partnership.”

So how exactly does a bug bounty program work? Here, on the heels of both companies attending the preeminent cybersecurity conference Black Hat in Las Vegas recently, we talk to Casey Ellis, founder and CTO of Bugcrowd to find out more about bug bounty programs and how his company is working with T-Mobile to help keep its customers safe.

What is a bug bounty program and what kinds of companies have them?

A bug bounty program is a sponsored, organized effort that compensates ethical hackers for surfacing and reporting otherwise unknown network and software security vulnerabilities, enabling the digitally connected business to manage and reduce its cybersecurity risks. The combination of the diversity of participants and the “pay on success” model is orders of magnitude more effective than traditional consulting approaches to risk discovery. 

Bug bounty programs have continued to grow in scope and popularity, partly due to current security resource models and cost. They can help close the gap between security and development.

Because of the nature of crowdsourced security, there is a misconception that only tech companies use bug bounty programs. This simply isn’t true. Most industries leverage bug bounty programs, even highly regulated industries such as financial services and government. 

Can you walk us through the concept behind crowdsourced security, and how that drives your particular bug bounty program?

The idea behind crowdsourced security is really a simple one — I wanted to build a platform that connects the latent potential of those who hack in good faith around the world with as much of the global cybersecurity community as possible. Crowdsourced security provides the internet builders and defenders with an army of allies to take back control and outpace threat actors.  

So many of the pain points that inspired crowdsourced security a decade ago still exist today — multiplying attack surfaces, under-resourced and overburdened teams, and cutting-edge threat actors.

Crowdsourced security helps organizations stay ahead of attackers before they even think about striking, empowering organizations to proactively safeguard their brand and intellectual property while taking back control.

How does this all work with partnership between T-Mobile and Bugcrowd?

Here at Bugcrowd, we love working with customers like T-Mobile who are so committed to protecting their customers, employees, partners and brand. T-Mobile’s bug bounty program launched in July as an opportunity for hackers to hunt on T-Mobile’s applications and systems in order to find potential security vulnerabilities and report them. From there, T-Mobile evaluates the reported vulnerabilities and promptly takes appropriate action.

To encourage research and responsible disclosure of security vulnerabilities, T-Mobile is inviting ethical hackers to work on this program and have a chance to earn a range of payments, dependent on the criticality of the vulnerability submitted. 

It has been really amazing to watch the success of this program over such a short time since launch — we’re seeing incredibly fast remediation times. We’re proud to partner with T-Mobile to help keep their systems secure.

How do you see cybersecurity evolving over the next few years?

Traditionally in security, we fall back on the fundamentals, which is the right place to start. The simple things are vital for a reason. Do them well and ensure that your organization is capable of “outrunning the other guy” before it attempts to “outrun the bear.”

That being said, we’re really entering a new era of cybersecurity, and I believe security is going to become a lot less predictable. One reason for this is the impact of generative AI becoming mainstream. Aspects of hacking are being automated, creating a swath of new techniques, threats, vulnerabilities and opportunities for impact. A broader variety of threat actors now have access to more powerful tools to create a bigger impact faster. If you want to learn more about this, I recommend checking out Bugcrowd’s newest report, Inside the Mind of a Hacker, which dives into the ways hackers are leveraging generative AI.

What makes you confident that Bugcrowd will be ready for this future, and able to continue to help companies like T-Mobile keep threat actors at bay?

At Bugcrowd, we talk a lot about the “burglars and locksmiths” of cybersecurity. Think of threat actors as burglars and the hackers helping organizations through crowdsourced security programs as locksmiths. Both parties use creative ways to try to open a locked door, but only locksmiths have good intentions.

Even though there are a lot of concerns out there about the ways threat actors are going to leverage generative AI, we can’t forget that the locksmiths have access to the same cutting-edge AI technology. According to the “Inside the Mind of a Hacker Report,” 94% of hackers plan to start using AI in the future to help them ethically hack. I’m really encouraged by the ways I’m seeing the hacker community leverage generative AI as a way to streamline their security research workflows.

It’s exciting to partner with industry leaders like T-Mobile, because together we can really make a difference in cybersecurity. By continuing to empower hackers on crowdsourced security platforms, we start to level the playing field, ultimately helping organizations keep their systems and data secure. 

T-Mobile and Bugcrowd launched a revamped public bug bounty program on August 30, 2023. Security researchers can earn up to $10,000 per vulnerability found. To learn more or sign up, check out Bugcrowd.com/T-Mobile.


Breaking News: SEC Adopts New Rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure https://www.bugcrowd.com/blog/breaking-news-sec-adopts-new-rules-for-cybersecurity-risk-management-strategy-governance-and-incident-disclosure/ Thu, 27 Jul 2023 14:54:29 +0000 https://live-bug-crowd.pantheonsite.io/?p=10226

The post Breaking News: SEC Adopts New Rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure appeared first on Bugcrowd.

Yesterday, the U.S. Securities and Exchange Commission (SEC) adopted new rules for Cybersecurity Risk Management, Governance, and Incident Disclosure. Transparent and timely disclosure of cyber risks and incidents is now a clear mandate from the SEC. Cybersecurity at the board level is a must-have, and CISOs will need direct communication lines with the Board. 

In a 3-2 vote, the SEC approved major steps forward, including a requirement that organizations disclose cyber incidents within four business days of determining that an incident is material. The final requirements can be found here

Key Takeaways

There is a lot to absorb in this ruling, so we’ve highlighted a few key, high-level takeaways from the final rule here. 

  1. Organizations must disclose material cyber incidents within four business days of determining that the incident is material. Exceptions do exist: if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, the disclosure may be delayed.
  2. Organizations must describe, “in sufficient detail for a reasonable investor to understand those processes,” the processes they have in place for “assessing, identifying, and managing material risks” from cybersecurity threats. 
  3. Organizations must disclose the board’s oversight of cyber risk and any committees specifically responsible for it. 
  4. Organizations must disclose management’s relevant expertise and the internal processes used for identifying, assessing, and remediating cyber risk. 
  5. Organizations must disclose whether and how management reports on cyber risk to the board.

Impact

To be in a position to comply responsibly, organizations must have the processes, plans, and policies in place to identify an incident, determine its materiality, and quickly mitigate and remediate the exploited weakness, so that they can meet the four-business-day reporting requirement. Among other things, that could require organizations to:

  • Provide a clear, unambiguous method for the public at large to report vulnerabilities under safe harbor, as well as a process for validating, prioritizing, and remediating them.
  • Do continuous, proactive stress testing of the attack surface to uncover hidden risk–going beyond what passive scanning can achieve today.
  • Do high-intensity (human-driven) penetration testing more frequently, going beyond traditional compliance-driven goals.
  • Install a remediation process that keeps pace with today’s continuous development cycles. 
  • Adopt rich reporting and analytics to enable KPIs for tracking all of the above.

According to Bugcrowd CTO and Founder Casey Ellis, “the balancing act between transparency and security underpins the complex landscape of modern digital threats, and to see the SEC acknowledging this fact and driving policy in this direction is a hugely positive thing, despite the complexity it involves. The SEC’s new rules around heightened cybersecurity transparency for publicly traded companies are a double-edged sword—while the drive for standardized disclosure is a positive step in risk management, enhancing investor awareness, and bolstering corporate governance and public confidence, the regulation’s insistence on rapid public reporting of material cyber incidents potentially introduces a significant security threat, and incentivizes a range of other unintended consequences. Disclosure before a breach has been adequately contained or mitigated could provide attackers with crucial information, exacerbating the breach’s damage and improving an attacker’s ability to evade prosecution. As companies adjust to these new standards, the onus is on corporate communications, legal, and security teams to collaborate effectively, ensuring robust risk management processes are in place, while also being prepared to act swiftly when breaches occur.”

As hackers continue to play a vital role for organizations strengthening their security, increased regulatory action will only create more opportunities for them to do so. The need for hackers in organizations has never been higher, as their collective creativity and expertise help organizations expand their security capabilities quickly.

How Bugcrowd Can Help

A “checkbox” approach to security is no longer good enough. Organizations should adopt risk-reducing security measures such as Bug Bounty programs, high-impact Penetration Testing as a Service, and Vulnerability Disclosure Programs (VDP) to support a security strategy that is as relentless as the constant threat landscape–ideally, via a unified SaaS platform that is fully integrated with DevSec workflows. Find out more about how Bugcrowd can help you stay compliant with this SEC rule here


Bugcrowd PTaaS Takes Home Five Awards for Cybersecurity Excellence https://www.bugcrowd.com/blog/ptaas-takes-home-five-awards/ Thu, 11 May 2023 17:15:02 +0000 https://live-bug-crowd.pantheonsite.io/?p=9742

The post Bugcrowd PTaaS Takes Home Five Awards for Cybersecurity Excellence appeared first on Bugcrowd.

Since launching new self-service capabilities within our Penetration Testing as a Service offering last month, we’ve already seen wide recognition of the technology’s ability to empower buyers to purchase, set up, and manage pen tests directly online, cutting out the need for lengthy sales calls and scoping sessions. 

In 2023 alone, Bugcrowd, and in particular these new PTaaS capabilities, has won five distinct industry awards. This recent string of wins demonstrates Bugcrowd’s persistence in delivering industry-leading solutions to the market and validation as an accomplished and preeminent organization throughout cybersecurity.

Most recently, our team was recognized by Cyber Defense Magazine’s Global InfoSec Awards as a Hot Company in the Penetration Testing Category for our PTaaS capabilities, along with being recognized as a Gold Winner in the 19th Annual Globee® Cyber Security Awards for the technology. Additionally, Bugcrowd PTaaS was recognized as the Gold Winner in the Pentest-as-a-Service category in the 2023 Cybersecurity Excellence Awards among North American companies between 1,000 and 5,000 employees.

As an organization, we took home two more wins in the Cybersecurity Excellence Award program with recognition as Gold Winner for Cybersecurity Provider of the Year and Silver Winner for Best Cybersecurity Company.

Personally, I am so proud to see all of these incredible wins. It’s a huge testament to our stellar team and technology! At Bugcrowd, we are committed to delivering the very best crowdsourced solutions to our customers and ultimately fulfilling our mission to democratize security testing for all.

Our team has taken major strides over the past year to carry out this mission, including a major upgrade to our PTaaS offering, all aimed at staying at the forefront of innovation and leadership in a very saturated cybersecurity market. With a surge of vendors offering security testing solutions, a common concern we hear is that the vulnerability assessments on the market today are often shallow and low impact. 

Our goal was to provide a human-driven, high-impact pen test with a team matched to each customer’s precise needs in just a few clicks, cutting configuration time from days to hours. These recent award wins validate our work and the direction we’ve been laser-focused on. By focusing our priorities on our employees, the hacker community, partners, and vendors, we are excited to build upon this momentum throughout 2023!

To learn more about our award-winning PTaaS offering, which is now available globally, visit https://www.bugcrowd.com/products/pen-test-as-a-service/.

