Wednesday, 17 June 2015

Ethical hacking: Are companies ready?

When Israeli researcher Yosi Dahan told United Airlines that he had found a security flaw in its website, he thought the company would be quick to act. So he was surprised when, two weeks later, he had still not received a response from the company.

Dahan, a so-called “ethical hacker” who finds security holes at a company and tells it about them, was especially shocked because United Airlines had recently launched a program that rewards security researchers with air miles for finding security flaws in its network.

“It was around two weeks ago and I didn’t get any reply from the bug bounty program from the dedicated email address and I decided to reach out to employees from United using LinkedIn,” Dahan, who runs his own research firm called Turrisio Cybersecurity, told CNBC by phone.

“I told them that I found the vulnerability, but I didn’t get any response so I decided to escalate this issue to the media.”

The security flaw discovered by Dahan enabled hackers to write code that would block many United Airlines MileagePlus customers’ accounts. Essentially, Dahan found a way to spam a person’s account with incorrect passwords and lock them out.
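As an added, defender-side illustration (not from the article, and not United’s code or log format), the following Python flags the pattern behind the flaw described above: a single source driving several accounts to the failed-login lockout threshold within a short window, which turns an anti-brute-force control into a denial of service against the legitimate users. The log format, thresholds and IP addresses are constructed assumptions.

```python
"""Lockout-flood detection over constructed authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, event, account, source IP.
# 203.0.113.9 pushes two accounts to five failures in seconds;
# 198.51.100.7 is an ordinary user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2015-06-17T10:00:01 LOGIN_FAIL acct=alice src=203.0.113.9
2015-06-17T10:00:02 LOGIN_FAIL acct=alice src=203.0.113.9
2015-06-17T10:00:02 LOGIN_FAIL acct=alice src=203.0.113.9
2015-06-17T10:00:03 LOGIN_FAIL acct=alice src=203.0.113.9
2015-06-17T10:00:03 LOGIN_FAIL acct=alice src=203.0.113.9
2015-06-17T10:00:04 LOGIN_FAIL acct=bob src=203.0.113.9
2015-06-17T10:00:04 LOGIN_FAIL acct=bob src=203.0.113.9
2015-06-17T10:00:05 LOGIN_FAIL acct=bob src=203.0.113.9
2015-06-17T10:00:05 LOGIN_FAIL acct=bob src=203.0.113.9
2015-06-17T10:00:06 LOGIN_FAIL acct=bob src=203.0.113.9
2015-06-17T10:30:00 LOGIN_FAIL acct=carol src=198.51.100.7
2015-06-17T10:30:20 LOGIN_OK acct=carol src=198.51.100.7
"""


def parse(line):
    """Split one assumed-format log line into (timestamp, event, account, src)."""
    ts, event, acct, src = line.split()
    return (datetime.fromisoformat(ts), event,
            acct.split("=", 1)[1], src.split("=", 1)[1])


def find_lockout_floods(log_text, fails_to_lock=5,
                        window=timedelta(minutes=1), min_accounts=2):
    """Return {src_ip: [accounts]} for sources that drove at least
    `min_accounts` distinct accounts to `fails_to_lock` failures inside
    `window`. A hard per-account lockout policy makes this a DoS signal."""
    failures = defaultdict(list)  # (src, acct) -> failure timestamps
    for line in log_text.splitlines():
        ts, event, acct, src = parse(line)
        if event == "LOGIN_FAIL":
            failures[(src, acct)].append(ts)
    locked_by_src = defaultdict(set)
    for (src, acct), times in failures.items():
        times.sort()
        # Sliding window: any run of fails_to_lock failures within `window`.
        for i in range(len(times) - fails_to_lock + 1):
            if times[i + fails_to_lock - 1] - times[i] <= window:
                locked_by_src[src].add(acct)
                break
    return {src: sorted(accts) for src, accts in locked_by_src.items()
            if len(accts) >= min_accounts}
```

Keying the response on the source (per-IP throttling or step-up verification) rather than permanently locking the named account keeps the brute-force defense without handing an attacker a one-request lockout of arbitrary users.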

Last week, one of Google’s security chiefs told CNBC that companies should “respect” hackers that break into their networks and pay them. But Dahan’s experience highlights the stark reality of “white hat hacking”: some companies still find it difficult to embrace unknown researchers finding flaws in their networks.

After CNBC contacted United Airlines, the company fixed the security hole.

“We are committed to providing our customers secure access to their accounts, and we fixed this issue. We have responded to Mr Dahan, and will continue to thoroughly review all submissions through and in accordance with the Bug Bounty program,” the company told CNBC by email.

Finding that helpful hacker

Cyberattacks are one of the biggest threats facing businesses, and the cost of data breaches at companies is expected to hit $2.1 trillion globally by 2019, according to Juniper Research. While some firms are spending more on shoring up their defenses internally, independent researchers can often give another perspective on security flaws.

In a bid to make companies more comfortable with the idea, some Silicon Valley giants have official programs for hackers to inform them about security holes and get paid for their work.

View the original content and more from this author here: http://ift.tt/1JX1fHp

