Analysis

Remember when Uber tried to cover up1 the fact its AWS datastore containing records on 57 million riders and drivers had been hacked? And that it bunged the hackers $100,000 to shut them up, and then disguised the expense as a bug bounty payout?
Who could forget? Certainly not shocked US lawmakers, who held a hearing in Washington, DC on Tuesday to consider whether anything has been learned from the sorry affair, and how legislation may help prevent future computer security cockups. Given that Congress has all but forgotten2 about Equifax3 fumbling sensitive data on 143 million Americans, and millions of others around the world, you may be forgiven for thinking politicians don’t actually care. Well, the Senate’s subcommittee4 on consumer protection, product safety, insurance, and data security at least went through the motions this week by inviting5 experts to testify, and an Uber executive to be contrite, on matters of hacking and whatnot.
It was suggested the proposed Data Security and Breach Notification Act6 could be effective in cracking down on corporations that are careless with people’s personal files. Introduced last November, the bill would “impose criminal penalties on corporate officials that willfully disguise breaches from the public,” according to Senator Bill Nelson (D-FL), cosponsor of the legislation and a hearing participant. For a sense of how many executives may be expected to go to jail over data breach deception if the bill becomes law, consider how many bank leaders responsible for the 2007-2008 financial crisis have been imprisoned: one7.
In prepared remarks at a hearing titled, “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers,” subcommittee chairman Senator Jerry Moran (R-KS) said his goal was to learn why Uber had not immediately notified people about its 2016 breach and to have a discussion about how vulnerability disclosure programs can improve cybersecurity.
Uber chief information security officer John Flynn, in prepared remarks, reiterated previous statements from the ride hailing biz’s post-Kalanick leadership that “it was wrong not to disclose the breach earlier.”
He told senators that Uber has learned something from the public ignominy and lawsuits the company has endured as a result of being hacked.
“We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company,” he said. Flynn said Uber had quit using GitHub8 to store its proprietary code. The hacker who penetrated Uber’s defenses found credentials for the company’s AWS data store in a private GitHub repository, he explained, without detailing how the private repo was compromised.
He also said the transit-app biz has expanded its use of multi-factor authentication for AWS, implemented IP address whitelisting, refined its identity & access management permissions and authentication mechanisms, and implemented credential auto-expiration. Each of those controls maps to one link in the chain Flynn described: a credential sat where a third party could read it, it could be used from any network, and it stayed valid indefinitely. Moving the code off GitHub addresses only the first of these; the MFA, source-IP and expiry controls are what limit the damage the next time a key leaks.
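The first link in that chain, a long-lived access key checked into a repository, is the one most teams can check for mechanically before code ever reaches a remote. The scanner below is an added example written for this page; it is not Uber’s code and not any tool mentioned at the hearing. It walks constructed file contents (a hypothetical `config/prod.env` and `docs/README.md`, with made-up key values) looking for AWS access key IDs and secret access keys, skips the placeholder keys AWS publishes in its own documentation, filters low-entropy filler, and reports findings with the secret redacted, the same check a pre-commit hook or CI job would run.

```python
"""Scan repository contents for committed AWS credentials.

Added example for this page, not code from Uber or from any tool named at
the hearing. Sample file contents below are constructed; the key values
are made up and were never issued by AWS.
"""
import math
import re
from collections import Counter

# Access key IDs: AKIA (long-lived IAM user key) or ASIA (temporary STS
# key), followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Secret access keys are 40 base64-style characters. On their own they look
# like any other token, so require a nearby "secret key" hint and a high
# entropy value to keep git SHAs and similar strings out of the results.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret(?:_access)?_key|secret_key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Placeholders AWS uses in its own documentation; never real credentials.
DOC_PLACEHOLDERS = {
    "AKIAIOSFODNN7EXAMPLE",
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}

MIN_SECRET_ENTROPY = 3.5  # bits per character; random base64 is close to 6


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of a secret to locate it, never the whole thing."""
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> list:
    """Return one finding dict per credential-looking value in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            key_id = m.group(1)
            if key_id in DOC_PLACEHOLDERS:
                continue
            findings.append({"path": path, "line": lineno,
                             "kind": "access_key_id", "value": key_id})
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if secret in DOC_PLACEHOLDERS:
                continue
            if shannon_entropy(secret) < MIN_SECRET_ENTROPY:
                continue  # repetitive filler such as "xxxx..." is not a key
            findings.append({"path": path, "line": lineno,
                             "kind": "secret_access_key",
                             "value": redact(secret)})
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> contents, e.g. the files staged for commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample input: one file with a leaked key pair, one with only
# the documentation placeholders and a git commit hash (hypothetical paths).
SAMPLE_FILES = {
    "config/prod.env": (
        "DB_HOST=db.internal\n"
        "AWS_ACCESS_KEY_ID=AKIAJ3X4UQ7K2Z9PLM5Q\n"
        "AWS_SECRET_ACCESS_KEY=Z7fG9pQ2sLx8vN4kT1wRj3bH6yC0mEaD5uXqWnVo\n"
    ),
    "docs/README.md": (
        "Example credentials from the AWS docs:\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "Last release: commit 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12\n"
    ),
}


if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for hit in hits:
        print(f"{hit['path']}:{hit['line']}: {hit['kind']} {hit['value']}")
    # A pre-commit hook would exit non-zero here to block the commit.
    raise SystemExit(1 if hits else 0)
```

Run as a hook it blocks the commit with two findings for the constructed `config/prod.env` and none for the README. A scanner like this only catches what is still in the working tree; once a key has been pushed it must be treated as compromised and rotated, because git history keeps it, which is why the expiry and MFA controls above matter more than the scan.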
Flynn and other hearing participants expressed support for bug bounty programs as a way to improve online security, though some feel legitimate vulnerability disclosure isn’t always easy to separate from extortion. While supportive of bug bounty programs in general, Justin Brookman, director of privacy and technology policy at Consumers Union, a consumer advocacy group, said that state data breach notification laws, which first came into being in 2002, need to be reconciled with vulnerability disclosure programs to avoid alarming people unnecessarily about security flaws. Clearly, it would not be useful to mandate customer notifications every time a bug gets found, lest people start treating the messages like all the other app-oriented notifications they ignore.
Brookman also observed that there’s nothing inherently wrong with lobbying for a better bounty, even as he allowed that, “At some point, a request for more money may convey an implicit or explicit threat to sell the exploit or compromised data elsewhere if the demands are not met.”
He concluded that Congress needs to pass laws that provide companies with better incentives for investing in security. Marten Mickos, CEO of HackerOne, a platform for vulnerability disclosure and bug bounty programs, came out in favor of rewarding hackers for security research to no one’s surprise.
“Hackers are truly the immune system of the internet,” he said, citing numerous successful bug bounty hunting initiatives in government. He advocated for reform of the Computer Fraud and Abuse Act to remove penalties for actions that don’t harm people. He also called for the harmonization of state data breach notification laws and encouraged companies to develop better channels for reporting bugs.
Bug bounty boffin ... Katie Moussouris
Katie Moussouris, founder and CEO of Luta Security and the person who convinced Microsoft to abandon9 its long-standing antipathy towards bug bounties, told legislators to look beyond bounty programs, noting that rewards create more bug hunters but don’t necessarily lead to more bug fixes. She recommended that legislative priorities should include support for better security education at all grade levels, and particularly for anyone involved in computer science programs. People have to learn secure coding and practices from the get-go, in other words.
In a phone interview with The Register, Moussouris said, “Everyone has gotten so enamored of bug bounties that they maybe have forgotten other investments in security that they should do first or alongside bounty programs.”
Bug bounty programs, she said, have been over-marketed as a solution to finding bugs. “They’re not a cost effective replacement for penetration testing,” she said. Moussouris said the hearing accomplished its goal, examining the use of bug bounties with regard to Uber’s payout. Flynn acknowledged Uber had made a mistake and didn’t make any excuses, she explained. “That’s what the public and Congress needed to hear,” she said. “What Congress needed to show was eventually you will be held accountable.”
The extent of that accountability depends on the letter of the law, and there Moussouris said legislators should proceed with care. Noting that Sen. Moran is working on a bill to harmonize the various state breach notification laws, she said she advised him that any federal law should not aim to be a common denominator by adopting the weakest of state requirements.
She also said over-regulation would be equally problematic because it could encourage companies to remain willfully ignorant of being hacked to avoid liability.
“These are not easy problems to solve,” she said.
- ^ tried to cover up (www.theregister.co.uk)
- ^ all but forgotten (www.politico.com)
- ^ Equifax (www.theregister.co.uk)
- ^ subcommittee (www.commerce.senate.gov)
- ^ inviting (www.commerce.senate.gov)
- ^ Data Security and Breach Notification Act (www.congress.gov)
- ^ one (www.nytimes.com)
- ^ quit using GitHub (www.theregister.co.uk)
- ^ to abandon (www.theregister.co.uk)
Belgian soldiers stand guard outside Brussels’ Central railway station | Philippe Huguen/AFP via Getty Images
Also on Europe’s front pages: France boosts its attractiveness and UK hosts another royal wedding.
1/23/18, 8:51 AM CET
Die Welt and Süddeutsche Zeitung focused on German President Frank-Walter Steinmeier’s take on the coalition talks between the Social Democrats and Angela Merkel’s conservatives. “Europe,” he said, “is waiting for a German government that can bring peace and order back to crisis regions in this world,” Die Welt reported2. Frankfurter Allgemeine led with the joint message of Chancellor Angela Merkel and French President Emmanuel Macron, in which the two leaders announced their intention to work together more closely.
Le Figaro reported on Justice Minister Nicole Belloubet being forced by trade unions to tackle overpopulation and radical Islamic conversion in prisons. Libération and Le Monde looked at Macron’s decision to welcome foreign investors at Versailles to show off the country’s boost in foreign investments over the last five years. According to Libération3, the event said as much about the attractiveness of the French economy as it did about the head of state’s talent for setting a scene.
De Tijd reported that foreign companies are creating a record number of jobs in Flanders, and De Standaard’s front page looked at the controversial issue of funding local health centers4. On the terror threat level in Belgium being lowered5 to “unlikely”, Le Soir’s headline read: “The threat fades, security stays,” referring to government plans to keep soldiers on patrol in Brussels streets.
The British press had another royal engagement to occupy front pages this morning, as Princess Eugenie announced that she will marry her long-term boyfriend Jack Brooksbank at Windsor Castle in the fall. Comparisons to Prince Harry and Meghan Markle, who will marry there in May, were common, with the Daily Metro’s headline reading: “Anything Meghan can do”
In political news, the Guardian reported on the head of Britain’s National Cyber Security Centre warning that it’s only a matter of time until Britain suffers a major cyberattack. The Times reported that Foreign Secretary Boris Johnson is urging the prime minister to greenlight a £5 billion annual cash injection into the National Health Service.
A heroic security guard and an off-duty medic were in the right place at the right time when a premature baby suddenly stopped breathing in an Asda1 supermarket. The pair have now been hailed as heroes after the baby’s2 mum, Terri-ann Russell Auckland, claimed that their swift action saved the life of her son. Ronny Auckland was born 13 weeks early in October and had developed bronchitis.
He began having breathing difficulties in the chilled aisle of Asda’s Holles Street store in Grimsby around 2pm on Boxing Day. Security guard Shaun Walsh, who is a trained First Aider, was alerted by fellow staff and immediately started giving Ronny cardiopulmonary resuscitation on the floor of the aisle, while hospital medic Neil Franklin blew into the baby’s mouth. Minutes later paramedics from East Midlands Ambulance Service were on the scene and the infant was taken to hospital, reports the Grimsby Telegraph3.
Terri-ann, 31, of Weelsby Street said: “I can’t thank them enough. I owe them everything for saving my boy’s life.
“They deserve all the praise in the world for what they did.
“You don’t know what to do in that situation. I just froze. Luckily they were there.” The mother-of-two boys said: “It just shows how everyone should be trained in First Aid.”
Terri-ann Russell Auckland was shopping with her 13-week-old son, Ronny, when he suddenly had trouble breathing (Image: Grimsby Telegraph/BPM Media)
Today she was at Ronny’s bedside in the Rainforest ward of the hospital. Shaun, who has worked for Asda for nine years, said his firm regularly updated his First Aid training. He said: “A staff member came running to me and said there was a boy not breathing.
“When I got there his face was blue. There was a crowd of people around him so we got them out the way and myself and the off-duty medic got him breathing again. I was giving chest compressions and the other gent got his airways going.
“There are not many people who would have been able to do it.
“But because we are trained it worked.
“It paid off. It shows we are not just big bad security guards, there to get abuse from people.” Shaun, 44, said: “We just do what we are trained to do. You cope with whatever you are faced with. We don’t just take abuse from people who are doing something wrong. We help people as well.”
He told how the hospital medic shook his hand and thanked him and left the store. Shaun also went back to work to complete his shift. He had not originally been allocated the shift on Boxing Day but volunteered his services that day.
The mother posted a message on social media to thank Shaun and the other lifesaver in which she said: “Big thank you to Shaun and the other guy. I don’t know what I would have done without you.” She had been at Asda with her sister Sara Geddes to buy balloons for her other son Bobby’s 7th birthday yesterday. Asda’s people trading manager, Moira Pembleton, said: “We are all incredibly proud of Shaun.
“He did an amazing job. Everyone else around was running around but he stayed calm throughout. It was an emotional moment for everyone.”