SlideShare a Scribd company logo

Bug Bounty @ Swisscom

Cyber Security Alliance
Cyber Security Alliance

Florian Badertscher presents on Swisscom's Bug Bounty program. Swisscom started the program after an incident to provide a central point of contact for vulnerability reports and incentives for researchers. The program offers bounties from 150-10,000 CHF depending on risk. It receives around 200 submissions per year, mostly for web vulnerabilities. The program helps Swisscom identify issues and improve security awareness, though coordinating fixes can be challenging.

Technology
1 of 19
Download to read offline
Bug Bounty @ Swisscom #cybsec16, Yverdon, Switzerland Florian Badertscher, 04.10.2016 C1 - public
About me • Security Analyst at Swisscom CSIRT, since 2015 – Incident handling – Develop monitoring infrastructure – Security initiatives and projects – Responsible for the creation and running of the Bug Bounty program • Background as pen tester and IT security consultant / teacher 03/11/2016 2 C1-public,FlorianBadertscher,SwisscomCSIRT
03/11/2016 3 C1-public,FlorianBadertscher,SwisscomCSIRT Agenda • Part 1: Bug Bounty @ Swisscom • Part 2: Discussion
Bug Bounty @ Swisscom Part 1
Why do we have a Bug Bounty program? • There was an incident… • 2 options: – Going public with a press release – De-escalate the situation using clear rules for both parties à a Bug Bounty program 03/11/2016 5 C1-public,FlorianBadertscher,SwisscomCSIRT
The basic idea behind our program Goals • Central point of contact • Streamlined process to handle vulnerability notifications • Set the rules • Create incentives • Create transparency about security issues Scope • All our services and products • We expect from the researcher to identify the system properly Bounties • Risk based approach • CHF 150 – CHF 10’000 03/11/2016 6 C1-public,FlorianBadertscher,SwisscomCSIRT
Legal questions Current situation • Enable the payout of bounties • All test-activities have to be within the bounds of the law – No permit to perform all kind of tests on our systems • And in reality..? Payout • Comply with sanctions / embargos – Identify the researcher and check all the lists • Our approach: leave it to the bank – No PayPal 03/11/2016 7 C1-public,FlorianBadertscher,SwisscomCSIRT
How do you start it? • You probably won’t announce it with a big bang • Simple page on the website • Page on HackerOne 03/11/2016 8 C1-public,FlorianBadertscher,SwisscomCSIRT
Results Facts • 200 submissions per year • 75% web-related • 50kCHF bounties per year What works well? • Quality of the reports • Some high-risk findings Where are our difficulties? • Find the owner of the system X with IP Y out of 3.4 Mio. • Convince the (external) dev/ops team to address the issue fast 03/11/2016 9 C1-public,FlorianBadertscher,SwisscomCSIRT
Results More results • Clear guidelines about publishing advisories • Measure the effectiveness of the education – Internal developed code has much less vulnerabilities • Spot your weak points – It shows you very clearly, where you’re good and where not 03/11/2016 10 C1-public,FlorianBadertscher,SwisscomCSIRT
Return on investment • Learn about vulnerabilities • Gain insights into the situation at the frontlines – All the low-impact submissions are useful as well • Clean-up old stuff • Create awareness for security • Secure software development and Bug Bounty programs complement each other perfectly • Push agile approaches 03/11/2016 11 C1-public,FlorianBadertscher,SwisscomCSIRT
What we are working on • Include the program in our contracts • Create awareness in the important departments • Improve the handling / tracking • Assign some more manpower 03/11/2016 12 C1-public,FlorianBadertscher,SwisscomCSIRT
Example: CPE • Affected devices: – Centro Grande / Centro Business • Vulnerability: – Did you see the talk from SCRT? J – Chain of vulnerabilities – Remote root access – Precondition: remote administration enabled / CSRF 03/11/2016 13 C1-public,FlorianBadertscher,SwisscomCSIRT
Example: CPE Swisscom devices are managed • HDM (Home Device Manager) / ACS (Auto Configuration Server) • TR-069 or CPE WAN Management Protocol (CWMP) • It is the responsibility of Swisscom to update the devices 03/11/2016 14 C1-public,FlorianBadertscher,SwisscomCSIRT
Example: CPE • Challenges – Update = replace the firmware – Heavy functional testing necessary – Many ISP’s use the software • Mitigation – Deploy a quick fix – Stopping remote exploitation – Prepare and test the complete fix – Solve the root cause – Coordinate with the vendor 03/11/2016 15 C1-public,FlorianBadertscher,SwisscomCSIRT
Example: CPE Impact • ~800’000 – 1’000’000 vulnerable devices deployed • ~3’500 – 4’000 with remote administration enabled Bounty • 3’000 CHF 03/11/2016 16 C1-public,FlorianBadertscher,SwisscomCSIRT
Questions? / Discussion Part 2
Thank you!
Contact information / Links Links • https://www.swisscom.ch/en/about/sustainability/digital- switzerland/security/bug-bounty.html • https://hackerone.com/swisscom/ Swisscom (Schweiz) AG GSE-MON Florian Badertscher Postfach 3050 Bern florian.badertscher@swisscom.com 03/11/2016 19 C1-public,FlorianBadertscher,SwisscomCSIRT

Recommended

You can't teach an old dog new tricks
You can't teach an old dog new tricksYou can't teach an old dog new tricks
You can't teach an old dog new tricksWatchful Software
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners Cyber Security Alliance
 
Integrating teamwork and active learning into the classroom
Integrating teamwork and active learning into the classroomIntegrating teamwork and active learning into the classroom
Integrating teamwork and active learning into the classroomBarbara Oakley
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Cyber Security Alliance
 
MyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
MyNOG 9: Vulnerability Reporting Program on a Shoestring BudgetMyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
MyNOG 9: Vulnerability Reporting Program on a Shoestring BudgetAPNIC
 
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...MyNOG
 
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...Capgemini
 
Introductie slides Continuous Delivery 3.0
Introductie slides Continuous Delivery 3.0Introductie slides Continuous Delivery 3.0
Introductie slides Continuous Delivery 3.0Maikel Meeuwse
 

Recommended

You can't teach an old dog new tricks
You can't teach an old dog new tricksYou can't teach an old dog new tricks
You can't teach an old dog new tricksWatchful Software
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners Cyber Security Alliance
 
Integrating teamwork and active learning into the classroom
Integrating teamwork and active learning into the classroomIntegrating teamwork and active learning into the classroom
Integrating teamwork and active learning into the classroomBarbara Oakley
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Cyber Security Alliance
 
MyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
MyNOG 9: Vulnerability Reporting Program on a Shoestring BudgetMyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
MyNOG 9: Vulnerability Reporting Program on a Shoestring BudgetAPNIC
 
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...MyNOG
 
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...Capgemini
 
Introductie slides Continuous Delivery 3.0
Introductie slides Continuous Delivery 3.0Introductie slides Continuous Delivery 3.0
Introductie slides Continuous Delivery 3.0Maikel Meeuwse
 
20180528 reflex presentation
20180528 reflex presentation20180528 reflex presentation
20180528 reflex presentationJavier Núñez, CAIA
 
ba_interview_assignment.pptx
ba_interview_assignment.pptxba_interview_assignment.pptx
ba_interview_assignment.pptxssuser991a01
 
2020 FRSecure CISSP Mentor Program - Class 10
2020 FRSecure CISSP Mentor Program - Class 102020 FRSecure CISSP Mentor Program - Class 10
2020 FRSecure CISSP Mentor Program - Class 10FRSecure
 
Introducing Ethical Hacking to the Ministry of Defence.pdf
Introducing Ethical Hacking to the Ministry of Defence.pdfIntroducing Ethical Hacking to the Ministry of Defence.pdf
Introducing Ethical Hacking to the Ministry of Defence.pdfAssociation for Project Management
 
The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016Shannon G., MBA
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metricscentralohioissa
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsJack Nichelson
 
SAP Project Delivery during a Global Pandemic
SAP Project Delivery during a Global PandemicSAP Project Delivery during a Global Pandemic
SAP Project Delivery during a Global PandemicRichard Williams
 
What legacy will your project leave
What legacy will your project leaveWhat legacy will your project leave
What legacy will your project leaveGreg Hyde
 
Secure information sharing - the external user dilemma
Secure information sharing - the external user dilemmaSecure information sharing - the external user dilemma
Secure information sharing - the external user dilemmaWatchful Software
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Dilum Bandara
 
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNICAusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNICAPNIC
 
You've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The IncidentYou've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The IncidentResilient Systems
 
Stu r36 b
Stu r36 bStu r36 b
Stu r36 bSelectedPresentations
 
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docxITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docxpriestmanmable
 
PMP - Project Initiation Template for Professionals
PMP - Project Initiation Template for ProfessionalsPMP - Project Initiation Template for Professionals
PMP - Project Initiation Template for ProfessionalsDaniel_Mccrea
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Ray Bugg
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...robbiesamuel
 
2016-02-03 research seminar
2016-02-03 research seminar2016-02-03 research seminar
2016-02-03 research seminarifi8106tlu
 
In2SAM Audit Defence_ITAM Review Amsterdam April 2016
In2SAM Audit Defence_ITAM Review Amsterdam April 2016In2SAM Audit Defence_ITAM Review Amsterdam April 2016
In2SAM Audit Defence_ITAM Review Amsterdam April 2016Martin Thompson
 
Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Cyber Security Alliance
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 

More Related Content

Similar to Bug Bounty @ Swisscom

ba_interview_assignment.pptx
ba_interview_assignment.pptxba_interview_assignment.pptx
ba_interview_assignment.pptxssuser991a01
 
2020 FRSecure CISSP Mentor Program - Class 10
2020 FRSecure CISSP Mentor Program - Class 102020 FRSecure CISSP Mentor Program - Class 10
2020 FRSecure CISSP Mentor Program - Class 10FRSecure
 
The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016Shannon G., MBA
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metricscentralohioissa
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsJack Nichelson
 
SAP Project Delivery during a Global Pandemic
SAP Project Delivery during a Global PandemicSAP Project Delivery during a Global Pandemic
SAP Project Delivery during a Global PandemicRichard Williams
 
What legacy will your project leave
What legacy will your project leaveWhat legacy will your project leave
What legacy will your project leaveGreg Hyde
 
Secure information sharing - the external user dilemma
Secure information sharing - the external user dilemmaSecure information sharing - the external user dilemma
Secure information sharing - the external user dilemmaWatchful Software
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Dilum Bandara
 
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNICAusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNICAPNIC
 
You've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The IncidentYou've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The IncidentResilient Systems
 
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docxITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docxpriestmanmable
 
PMP - Project Initiation Template for Professionals
PMP - Project Initiation Template for ProfessionalsPMP - Project Initiation Template for Professionals
PMP - Project Initiation Template for ProfessionalsDaniel_Mccrea
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Ray Bugg
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...robbiesamuel
 
2016-02-03 research seminar
2016-02-03 research seminar2016-02-03 research seminar
2016-02-03 research seminarifi8106tlu
 
In2SAM Audit Defence_ITAM Review Amsterdam April 2016
In2SAM Audit Defence_ITAM Review Amsterdam April 2016In2SAM Audit Defence_ITAM Review Amsterdam April 2016
In2SAM Audit Defence_ITAM Review Amsterdam April 2016Martin Thompson
 

Similar to Bug Bounty @ Swisscom (20)

20180528 reflex presentation
20180528 reflex presentation20180528 reflex presentation
20180528 reflex presentation
 
ba_interview_assignment.pptx
ba_interview_assignment.pptxba_interview_assignment.pptx
ba_interview_assignment.pptx
 
2020 FRSecure CISSP Mentor Program - Class 10
2020 FRSecure CISSP Mentor Program - Class 102020 FRSecure CISSP Mentor Program - Class 10
2020 FRSecure CISSP Mentor Program - Class 10
 
Introducing Ethical Hacking to the Ministry of Defence.pdf
Introducing Ethical Hacking to the Ministry of Defence.pdfIntroducing Ethical Hacking to the Ministry of Defence.pdf
Introducing Ethical Hacking to the Ministry of Defence.pdf
 
The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
 
SAP Project Delivery during a Global Pandemic
SAP Project Delivery during a Global PandemicSAP Project Delivery during a Global Pandemic
SAP Project Delivery during a Global Pandemic
 
What legacy will your project leave
What legacy will your project leaveWhat legacy will your project leave
What legacy will your project leave
 
Secure information sharing - the external user dilemma
Secure information sharing - the external user dilemmaSecure information sharing - the external user dilemma
Secure information sharing - the external user dilemma
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNICAusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
 
You've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The IncidentYou've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The Incident
 
Stu r36 b
Stu r36 bStu r36 b
Stu r36 b
 
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docxITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
 
PMP - Project Initiation Template for Professionals
PMP - Project Initiation Template for ProfessionalsPMP - Project Initiation Template for Professionals
PMP - Project Initiation Template for Professionals
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
 
2016-02-03 research seminar
2016-02-03 research seminar2016-02-03 research seminar
2016-02-03 research seminar
 
In2SAM Audit Defence_ITAM Review Amsterdam April 2016
In2SAM Audit Defence_ITAM Review Amsterdam April 2016In2SAM Audit Defence_ITAM Review Amsterdam April 2016
In2SAM Audit Defence_ITAM Review Amsterdam April 2016
 

More from Cyber Security Alliance

Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Cyber Security Alliance
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksCyber Security Alliance
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsCyber Security Alliance
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacksCyber Security Alliance
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fCyber Security Alliance
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Cyber Security Alliance
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupCyber Security Alliance
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 

More from Cyber Security Alliance (20)

Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacks
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging apps
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Rump : iOS patch diffing
Rump : iOS patch diffingRump : iOS patch diffing
Rump : iOS patch diffing
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
 
Rump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabriceRump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabrice
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
Colt sp sec2014_appsec-nf-vfinal
Colt sp sec2014_appsec-nf-vfinalColt sp sec2014_appsec-nf-vfinal
Colt sp sec2014_appsec-nf-vfinal
 
Asfws2014 tproxy
Asfws2014 tproxyAsfws2014 tproxy
Asfws2014 tproxy
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Bug Bounty @ Swisscom

  • 1. Bug Bounty @ Swisscom #cybsec16, Yverdon, Switzerland Florian Badertscher, 04.10.2016 C1 - public
  • 2. About me • Security Analyst at Swisscom CSIRT, since 2015 – Incident handling – Develop monitoring infrastructure – Security initiatives and projects – Responsible for the creation and running of the Bug Bounty program • Background as pen tester and IT security consultant / teacher 03/11/2016 2 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 4. Bug Bounty @ Swisscom Part 1
  • 5. Why do we have a Bug Bounty program? • There was an incident… • 2 options: – Going public with a press release – De-escalate the situation using clear rules for both parties à a Bug Bounty program 03/11/2016 5 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 6. The basic idea behind our program Goals • Central point of contact • Streamlined process to handle vulnerability notifications • Set the rules • Create incentives • Create transparency about security issues Scope • All our services and products • We expect from the researcher to identify the system properly Bounties • Risk based approach • CHF 150 – CHF 10’000 03/11/2016 6 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 7. Legal questions Current situation • Enable the payout of bounties • All test-activities have to be within the bounds of the law – No permit to perform all kind of tests on our systems • And in reality..? Payout • Comply with sanctions / embargos – Identify the researcher and check all the lists • Our approach: leave it to the bank – No PayPal 03/11/2016 7 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 8. How do you start it? • You probably won’t announce it with a big bang • Simple page on the website • Page on HackerOne 03/11/2016 8 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 9. Results Facts • 200 submissions per year • 75% web-related • 50kCHF bounties per year What works well? • Quality of the reports • Some high-risk findings Where are our difficulties? • Find the owner of the system X with IP Y out of 3.4 Mio. • Convince the (external) dev/ops team to address the issue fast 03/11/2016 9 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 10. Results More results • Clear guidelines about publishing advisories • Measure the effectiveness of the education – Internal developed code has much less vulnerabilities • Spot your weak points – It shows you very clearly, where you’re good and where not 03/11/2016 10 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 11. Return on investment • Learn about vulnerabilities • Gain insights into the situation at the frontlines – All the low-impact submissions are useful as well • Clean-up old stuff • Create awareness for security • Secure software development and Bug Bounty programs complement each other perfectly • Push agile approaches 03/11/2016 11 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 12. What we are working on • Include the program in our contracts • Create awareness in the important departments • Improve the handling / tracking • Assign some more manpower 03/11/2016 12 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 13. Example: CPE • Affected devices: – Centro Grande / Centro Business • Vulnerability: – Did you see the talk from SCRT? J – Chain of vulnerabilities – Remote root access – Precondition: remote administration enabled / CSRF 03/11/2016 13 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 14. Example: CPE Swisscom devices are managed • HDM (Home Device Manager) / ACS (Auto Configuration Server) • TR-069 or CPE WAN Management Protocol (CWMP) • It is the responsibility of Swisscom to update the devices 03/11/2016 14 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 15. Example: CPE • Challenges – Update = replace the firmware – Heavy functional testing necessary – Many ISP’s use the software • Mitigation – Deploy a quick fix – Stopping remote exploitation – Prepare and test the complete fix – Solve the root cause – Coordinate with the vendor 03/11/2016 15 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 16. Example: CPE Impact • ~800’000 – 1’000’000 vulnerable devices deployed • ~3’500 – 4’000 with remote administration enabled Bounty • 3’000 CHF 03/11/2016 16 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 19. Contact information / Links Links • https://www.swisscom.ch/en/about/sustainability/digital- switzerland/security/bug-bounty.html • https://hackerone.com/swisscom/ Swisscom (Schweiz) AG GSE-MON Florian Badertscher Postfach 3050 Bern florian.badertscher@swisscom.com 03/11/2016 19 C1-public,FlorianBadertscher,SwisscomCSIRT