O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
Bug Bounty @ Swisscom
#cybsec16, Yverdon, Switzerland
Florian Badertscher, 04.10.2016
C1 - public
About me
• Security Analyst at Swisscom CSIRT, since 2015
– Incident handling
– Develop monitoring infrastructure
– Securi...
03/11/2016
3
C1-public,FlorianBadertscher,SwisscomCSIRT
Agenda
• Part 1: Bug Bounty @ Swisscom
• Part 2: Discussion
Bug Bounty @ Swisscom
Part 1
Why do we have a Bug Bounty program?
• There was an incident…
• 2 options:
– Going public with a press release
– De-escala...
The basic idea behind our program
Goals
• Central point of contact
• Streamlined process to handle vulnerability notificat...
Legal questions
Current situation
• Enable the payout of bounties
• All test-activities have to be within the bounds of th...
How do you start it?
• You probably won’t announce it with a big bang
• Simple page on the website
• Page on HackerOne
03/...
Results
Facts
• 200 submissions per year
• 75% web-related
• 50kCHF bounties per year
What works well?
• Quality of the re...
Results
More results
• Clear guidelines about publishing advisories
• Measure the effectiveness of the education
– Interna...
Return on investment
• Learn about vulnerabilities
• Gain insights into the situation at the frontlines
– All the low-impa...
What we are working on
• Include the program in our contracts
• Create awareness in the important departments
• Improve th...
Example: CPE
• Affected devices:
– Centro Grande / Centro Business
• Vulnerability:
– Did you see the talk from SCRT? J
– ...
Example: CPE
Swisscom devices are managed
• HDM (Home Device Manager) / ACS (Auto Configuration Server)
• TR-069 or CPE WA...
Example: CPE
• Challenges
– Update = replace the firmware
– Heavy functional testing necessary
– Many ISP’s use the softwa...
Example: CPE
Impact
• ~800’000 – 1’000’000 vulnerable devices deployed
• ~3’500 – 4’000 with remote administration enabled...
Questions? / Discussion
Part 2
Thank you!
Contact information / Links
Links
• https://www.swisscom.ch/en/about/sustainability/digital-
switzerland/security/bug-boun...
Próximos SlideShares
Carregando em…5
×

Bug Bounty @ Swisscom

Florian Badertscher, Cyber Security Conference 2016

  • Seja o primeiro a comentar

  • Seja a primeira pessoa a gostar disto

Bug Bounty @ Swisscom

  1. 1. Bug Bounty @ Swisscom #cybsec16, Yverdon, Switzerland Florian Badertscher, 04.10.2016 C1 - public
  2. 2. About me • Security Analyst at Swisscom CSIRT, since 2015 – Incident handling – Develop monitoring infrastructure – Security initiatives and projects – Responsible for the creation and running of the Bug Bounty program • Background as pen tester and IT security consultant / teacher 03/11/2016 2 C1-public,FlorianBadertscher,SwisscomCSIRT
  3. 3. 03/11/2016 3 C1-public,FlorianBadertscher,SwisscomCSIRT Agenda • Part 1: Bug Bounty @ Swisscom • Part 2: Discussion
  4. 4. Bug Bounty @ Swisscom Part 1
  5. 5. Why do we have a Bug Bounty program? • There was an incident… • 2 options: – Going public with a press release – De-escalate the situation using clear rules for both parties à a Bug Bounty program 03/11/2016 5 C1-public,FlorianBadertscher,SwisscomCSIRT
  6. 6. The basic idea behind our program Goals • Central point of contact • Streamlined process to handle vulnerability notifications • Set the rules • Create incentives • Create transparency about security issues Scope • All our services and products • We expect from the researcher to identify the system properly Bounties • Risk based approach • CHF 150 – CHF 10’000 03/11/2016 6 C1-public,FlorianBadertscher,SwisscomCSIRT
  7. 7. Legal questions Current situation • Enable the payout of bounties • All test-activities have to be within the bounds of the law – No permit to perform all kind of tests on our systems • And in reality..? Payout • Comply with sanctions / embargos – Identify the researcher and check all the lists • Our approach: leave it to the bank – No PayPal 03/11/2016 7 C1-public,FlorianBadertscher,SwisscomCSIRT
  8. 8. How do you start it? • You probably won’t announce it with a big bang • Simple page on the website • Page on HackerOne 03/11/2016 8 C1-public,FlorianBadertscher,SwisscomCSIRT
  9. 9. Results Facts • 200 submissions per year • 75% web-related • 50kCHF bounties per year What works well? • Quality of the reports • Some high-risk findings Where are our difficulties? • Find the owner of the system X with IP Y out of 3.4 Mio. • Convince the (external) dev/ops team to address the issue fast 03/11/2016 9 C1-public,FlorianBadertscher,SwisscomCSIRT
  10. 10. Results More results • Clear guidelines about publishing advisories • Measure the effectiveness of the education – Internal developed code has much less vulnerabilities • Spot your weak points – It shows you very clearly, where you’re good and where not 03/11/2016 10 C1-public,FlorianBadertscher,SwisscomCSIRT
  11. 11. Return on investment • Learn about vulnerabilities • Gain insights into the situation at the frontlines – All the low-impact submissions are useful as well • Clean-up old stuff • Create awareness for security • Secure software development and Bug Bounty programs complement each other perfectly • Push agile approaches 03/11/2016 11 C1-public,FlorianBadertscher,SwisscomCSIRT
  12. 12. What we are working on • Include the program in our contracts • Create awareness in the important departments • Improve the handling / tracking • Assign some more manpower 03/11/2016 12 C1-public,FlorianBadertscher,SwisscomCSIRT
  13. 13. Example: CPE • Affected devices: – Centro Grande / Centro Business • Vulnerability: – Did you see the talk from SCRT? J – Chain of vulnerabilities – Remote root access – Precondition: remote administration enabled / CSRF 03/11/2016 13 C1-public,FlorianBadertscher,SwisscomCSIRT
  14. 14. Example: CPE Swisscom devices are managed • HDM (Home Device Manager) / ACS (Auto Configuration Server) • TR-069 or CPE WAN Management Protocol (CWMP) • It is the responsibility of Swisscom to update the devices 03/11/2016 14 C1-public,FlorianBadertscher,SwisscomCSIRT
  15. 15. Example: CPE • Challenges – Update = replace the firmware – Heavy functional testing necessary – Many ISP’s use the software • Mitigation – Deploy a quick fix – Stopping remote exploitation – Prepare and test the complete fix – Solve the root cause – Coordinate with the vendor 03/11/2016 15 C1-public,FlorianBadertscher,SwisscomCSIRT
  16. 16. Example: CPE Impact • ~800’000 – 1’000’000 vulnerable devices deployed • ~3’500 – 4’000 with remote administration enabled Bounty • 3’000 CHF 03/11/2016 16 C1-public,FlorianBadertscher,SwisscomCSIRT
  17. 17. Questions? / Discussion Part 2
  18. 18. Thank you!
  19. 19. Contact information / Links Links • https://www.swisscom.ch/en/about/sustainability/digital- switzerland/security/bug-bounty.html • https://hackerone.com/swisscom/ Swisscom (Schweiz) AG GSE-MON Florian Badertscher Postfach 3050 Bern florian.badertscher@swisscom.com 03/11/2016 19 C1-public,FlorianBadertscher,SwisscomCSIRT

×