Connect with us

Hacking

Uber Welcomes Hackers with Its First-Ever Bug Bounty Program

Published

on

In a friendly nod to roping in and not employing white-hat hackers to look through its code to uncover vulnerabilities and possible weaknesses to exploit, Uber has announced a bug bounty program for security researchers or white-hat hackers.

With its first ever bug-bounty program, Uber has revealed that it will reward and pay independent security researchers with thousands of dollars for finding vulnerabilities in its websites and its apps across different platforms.

Uber is launching its official bug bounty program on popular platform HackerOne. Notably, Uber is also trying to keep white-hat hackers on its side with a “loyalty system” that rewards hackers with bonuses for repeated disclosures of bugs, exploits and other vulnerabilities on Uber’s platform. Essentially, they are rewarded with compounding interest on their rewards, if they stay loyal to the company.

Notably, hackers will have up to 90 days to identify bugs in Uber’s system. Before Uber starts paying them however, hackers will need to disclose at least four bugs in Uber’s platform. Hackers who find a fifth bug will gain a bonus that’s equal to 10 percent of the average of the previous four bugs. This feature, according to Uber, will serve as a “loyalty program” to ensure that hackers are encouraged to keep searching for bugs in Uber

Uber Tiers

‘Medium’ issues that are discovered will be rewarded with $3,000 for discovery while the reward could go up to $10,000 for critical issues.

‘Critical issues’ include any hackable exploits that involve information pertaining to drivers’ social security numbers, credit card details, bank account numbers, driving license images and more. A hack that results full account compromise of the rider or driver’s account is also considered as a critical issue. So too does payment or driver invoice information exposure, like a breach. Any potential access to Uber’s source code is also considered a critical issue. As are vulnerabilities leading to the compromise of Uber employee accounts, by circumventing two-factor authentication.

The second tier, deemed as Significant Issues rewards hackers $5,000. Exploits that are considered will include Cross-site Scripting concerns that can damage Uber’s brand by smearing the home-mage. Missing authorization checks that could lead to the exposue of email addresses, date of birth, phone numbers and names will also be considered.

Finally, ‘Medium Issues’ constitute the third tier, at $3,000 where rate limiting concerns, account validation bypasses and other smaller exploits – relatively speaking – are rewarded.

In the past, Uber has suffered massive breaches including one that occurred in May 2014 which affected nearly 50,000 drivers. The company was only able to discover the breach four months later in September 2014 before finally making news of the breach public in March 2015.

Uber has, in the past, even agreed to pay $20,000 as a fine for the explicit ‘failure to provide timely notice to drivers’ about a breach that occurred in 2014.

 Featured image from Shutterstock.

Important: Never invest (trade with) money you can't afford to comfortably lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here. Trade recommendations and analysis are written by our analysts which might have different opinions. Read my 6 Golden Steps to Financial Freedom here. Best regards, Jonas Borchgrevink.

Rate this post:

Important for improving the service. Please add a comment in the comment field below explaining what you rated and why you gave it that rate. Failed Trade Recommendations should not be rated as that is considered a failure either way.
0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this.
Loading...

4 stars on average, based on 1 rated postsSamburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.




Feedback or Requests?

Breaches

Mt. Gox vs. Bithumb: That Was Then, This Is Now

Published

on

Bithumb now shares something in common with the Tokyo-based shuttered bitcoin exchange Mt. Gox — both suffered a hack on about the same date, June 19. It’s a club that no exchange wants to belong to and that Bithumb happened on the seven-year anniversary of Mt. Gox’s maiden attack has to be more than an eerie coincidence.

It’s a stark reminder of the risks involved with keeping funds on an unregulated exchange, vulnerabilities that cost South Korea’s Bithumb some $36.6 million in digital cash and Mt. Gox $450 million in hacked bitcoin and its future. The Mt. Gox theft unfolded over a series of hacks that culminated in 2014. Though it’s still early on in the Bithumb hack, it appears the South Korean exchange will recover from the security breach. So what do we know now that we didn’t on June 19, 2011?

Then vs. Now

Former Coinbase official Nick Tomaino, who is also the founder of crypto fund 1 confirmation, reflected on the Mt. Gox hack in what proved to be a prescient tweet given the Bithumb attack that was about to surface.

The thing to note about Mt. Gox is that the Japan-based exchange in 2011 controlled most of the BTC trading volume, approximately three-quarters of it by average estimates — more if you ask Tomaino. Since bitcoin fever caught on in 2017, there are more than 500 cryptocurrency exchanges on which trading volume is shared. Binance boasts the highest trading volume and captures nearly 15% of bitcoin trading. It’s much less than Mt. Gox days but still a little high.

The other thing to note is that the Mt. Gox hack or actually hacks, as there were multiple attacks on the exchange over several years, was a mysterious event that was shrouded in controversy and mistrust of a key executive. Bithumb, on the other hand, confronted the hack seemingly right away on Twitter and has not let any grass grow under its feet in the interim, which is a key difference in the way Mt. Gox was handled.

Also, the bitcoin price didn’t tank in response to the Bithumb hack. It traded lower for a while, but less than 24 hours it was back in the green, which is a reflection of the fact that bitcoin trading is no longer dependent on a single exchange.

Charlie Lee, creator of Litecoin (LTC), the No. 6 cryptocurrency by market cap, was among the first to respond to the Bithumb hack. He tweeted:

Indeed, Bithumb does expect to be able to cover the losses via their reserves.

Crypto Security

It’s still early on in Bithumb’s security breach, and more details are sure to emerge in time. In the meantime, it’s a good idea to use the hack as an opportunity to examine the security of your cryptocurrency investment portfolio. There are several hardware wallet options out there for you to choose from — whether it’s Trezor or Ledger Nano S, to name a couple — and as Charlie Lee advised, “only keep on exchange coins that you are actively trading.”

Featured image courtesy of Shutterstock.

Important: Never invest (trade with) money you can't afford to comfortably lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here. Trade recommendations and analysis are written by our analysts which might have different opinions. Read my 6 Golden Steps to Financial Freedom here. Best regards, Jonas Borchgrevink.

Rate this post:

Important for improving the service. Please add a comment in the comment field below explaining what you rated and why you gave it that rate. Failed Trade Recommendations should not be rated as that is considered a failure either way.
0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this.
Loading...

4.6 stars on average, based on 36 rated postsGerelyn has been covering ICOs and the cryptocurrency market since mid-2017. She's also reported on fintech more broadly in addition to asset management, having previously specialized in institutional investing. She owns some BTC and ETH.




Feedback or Requests?

Continue Reading

Cybersecurity

NEM Theft Suggests Hacking Is More Lucrative than Mining

Published

on

The NEM Foundation has called off its search for the 523 million NEM tokens that were stolen from the Tokyo-based Coincheck exchange. Although the Foundation lauded the effectiveness of the search, the outcome proves yet again that cryptocurrency hackers are benefiting from the dark web, which provides an effective venue for laundering stolen funds.

Search for Stolen Coins Ends

In a statement published Mar. 19, the NEM Foundation informed its community that it had disabled the tracking mosaic used to monitor the movement of XEM funds tied to the massive heist of Coincheck in January. According to the post, the search ended on Mar. 18.

The statement reads:

“Beginning March 18, the NEM.io Foundation has disabled the tracking mosaic that was put into place to monitor XEM movements from the Coincheck theft. This effort was effective at reducing the hacker’s ability to liquidate stolen XEM and provided law enforcement with actionable information. We don’t plan to release further details due to the sensitive nature of this investigation.”

On. Jan. 26, hackers successfully made off with $530 million worth of XEM tokens, marking the biggest crypto heist on record. The theft propagated a new investigation into existing crypto exchanges by Japan’s Financial Services Authority (FSA). Domestic exchanges also announced plans to form a self-governing body to safeguard against illicit activity.

Hacked reported earlier this month that the Coincheck attackers had already laundered some 40% of the stolen NEM funds, primarily through the dark web. The stolen coins have reportedly made their way into exchanges in Japan, China and Canada.

Crypto Heists: A Growing Phenomenon

While the crypto economy has been highly lucrative for early adopters, cyber criminals have managed to steal huge sums of money. Unlike credit card fraud, the theft of major crypto exchanges has reshaped the digital currency market. This was most evident in 2014, when Mt Gox fell prey to a $480 million attack that eventually led to its demise.

As the Coincheck hack demonstrated, locating stolen funds and identifying perpetrators are extremely difficult. That said, NEM’s efforts to blacklist the tokens probably limited how much money the attackers were able to keep.

This brings us to an important question: is hacking more lucrative than legitimate crypto mining? To answer that question, we’ll begin by providing a rundown of the major crypto heists of the last four years.

Since 2014, hackers have made off with more than $1.3 billion in stolen coins. The biggest losses are as follows:

  • Coincheck: $530 million (2018)
  • Mt Gox: $480 million (2014)
  • Parity Wallet: $155 million (2017)
  • Bitfinex: $65 million (2016)
  • NiceHash: $63 million (2017)
  • DAO: $50 million (2016)
  • Tether: $31 million (2017)

For all of 2017, it is estimated that hackers stole nearly $400 million from ICOs. That’s roughly 10% of the total amount raised for the year.

Mining Profitability

Cryptocurrency mining has spearheaded a multi-billion-dollar industry. The recent crackdown on mining rigs in China means there is a large void in the market that several jurisdictions, including Canada and India, are rushing to fill. During the height of bitcoin’s surge, crypto miners earned roughly $240,000 every ten minutes. Miners now earn roughly half that, based on current price levels.

Of course, this doesn’t factor the cost of electricity, power consumption, hardware, manpower and other fees needed to operate a mining operation. These variables, combined with the unknown trajectory of crypto prices, make profitability a lot harder to gauge.

The yearly decline in profitability is also a critical, albeit elusive variable in pricing the success of a mining operation. This variable is tied to the number of miners that join the network – a figure that is extremely difficult to predict. Against this backdrop, 99bitcoins.com has developed a bitcoin mining calculator that provides simple guidance on whether a certain mining operation is profitable.

Other digital currencies provide a potentially more lucrative opportunity to join the mining business. For example, Monero can still be mined with a basic desktop computer. With an average block time of two minutes, users can mine the coin casually using the spare computing power of their home PC.

However, it appears that hackers have already taken over the Monero mining business. There are several recent cases of hackers embedding malware to hijack the computing power of other systems. The Australian government was also a victim of this hacking attempt.

Cryptomining is such a new phenomenon that there are few guidelines in place to ensure trust. Selecting a company to work with an a fair compensation model are two important questions every potential miner needs to consider.

As cryptocurrencies appreciate in value, the allure of cyber crime will continue to grow. As NEM, Mt Gox and other large-scale thefts demonstrate, criminals are succeeding in their quest to compromise online exchanges.

With respect to mining, profitability remains an elusive question, especially with the recent downturn in the market. That said, there are many alternative motivations involved in mining digital currency, including supporting the network, influencing the market and using additional revenues to fund other business operations.

Disclaimer: The author owns bitcoin, Ethereum and other cryptocurrencies. He holds investment positions in the coins, but does not engage in short-term or day-trading.

Featured image courtesy of Shutterstock.

Important: Never invest (trade with) money you can't afford to comfortably lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here. Trade recommendations and analysis are written by our analysts which might have different opinions. Read my 6 Golden Steps to Financial Freedom here. Best regards, Jonas Borchgrevink.

Rate this post:

Important for improving the service. Please add a comment in the comment field below explaining what you rated and why you gave it that rate. Failed Trade Recommendations should not be rated as that is considered a failure either way.
6 votes, average: 4.00 out of 56 votes, average: 4.00 out of 56 votes, average: 4.00 out of 56 votes, average: 4.00 out of 56 votes, average: 4.00 out of 5 (6 votes, average: 4.00 out of 5)
You need to be a registered member to rate this.
Loading...

4.6 stars on average, based on 547 rated postsSam Bourgi is Chief Editor to Hacked.com, where he specializes in cryptocurrency, economics and the broader financial markets. Sam has nearly eight years of progressive experience as an analyst, writer and financial market commentator where he has contributed to the world's foremost newscasts.




Feedback or Requests?

Continue Reading

Cryptocurrencies

Spectre And Meltdown Madness: What It Means For Ethereum

Published

on

To anyone who talks in terms of a cryptocurrency bubble, consider the following fun facts. In the short period of a few days following the bombshell announcement of Meltdown and Spectre, crypto prices responded in the following manner:

Bitcoin +18%

ETH +41%

Litecoin +30%

In my view, this is clear evidence of a market that is responding rationally to information coming from responsible sources. To appreciate what all the noise is about you must appreciate what Meltdown and Spectre are and why they present a danger to the big companies providing cloud storage for the corporate world.

Once this is clear, then you will better appreciate why Ether’s 41%+ short-term price spike left the others in the dust. But first lets dig into the Meltdown and Spectre situation.

The Secret Got Out

 On January 3 the secret about a new class of security vulnerabilities leaked out to the public. Not only was this seriously bad news but the leak also gave hackers advanced notice before anyone could begin to fix the twin problems.

The degree of seriousness is in the fact that almost all major microprocessor chips are vulnerable. This opens the door to hackers stealing information from personal as well as cloud services.

Researchers claim that Meltdown can be fixed with a patch. Shortly thereafter about every major player announced their patch. But there are two issues here. Will the patches fully solve they problem?

Casting A Cloud Over The Cloud

When a corporation becomes a cloud customer, even the largest share machines with other customers. This is the basic flaw in the centralized structure of cloud storage. Contrast this with the decentralized structure of blockchain technology and you begin to appreciate the force behind the sudden price spike in cryptocurrencies that we highlighted above.

Even though security tools and protocols are designed to separate customers date, the recently discovered Meltdown and Spectre flaws still leave serious vulnerabilities.

Meltdown, hackers could rent space on a cloud service, just like any other business customer. Once they were on the service, the flaw would allow them to grab information like passwords from other customers.

Secondly, reports on cloud services like Amazon, Google and Microsoft claim that it creates as much as 30% slower computation speeds. That clearly won’t make for happy customers.

Jerky NetFlix

Virtually everyone reviewing the situation believes individual computer users are the least vulnerable. That may be true. Hackers are in the hunt for the biggest prize and that would be the big three cloud companies. But how do you think families are going to react if their Netflix stalls and buffers every few minutes?

In the final analysis, the Meltdown flaw affects virtually every computer chip fabricated by Intel in use today. You are talking about 90% of the Internet and business world. But Meltdown is just one flaw.

Spectre is the other flaw and this one is the more insidious of the two. There is no known fix. Intel, AMD and others have claimed how complex a project it would be for hackers to breech the Spectre vulnerability. That is pretty hollow comfort. After all, hasn’t the FBI security been breeched. Those guys were supposed to be airtight.

Boom Days For Blockchain

In so many ways, last year marked a tipping point in the spread and acceptance of blockchain technology. The uses for Bitcoin are probably best gauged by its record $20,000 price in December. For Ethereum, it may have been marked by the formation of the Enterprise Ethereum Alliance (EEA) in February and rise to over 300 members at year-end.

No sooner has 2018 begun that the Meltdown and Spectre flaws created unexpected excitement for investors in cryptocurrencies. If I were a software salesman out of work, I would be sending my resume to every crypto company offering to peddle their blockchain. It could be the easiest job since selling web design services in 1995.

The Ethereum platform with its smart contracts is not the only crypto capable of addressing this newly uncovered opportunity created by Meltdown and Spectre. You can safely bet this will attract many players and for good reason, today’s blockchain technology is a long way from fast enough for mass adoption. Blockchain security may be a step or two better in it present form than cloud storage, but it has its security issues as well.

Building the Ethereum Moat

 EEA founder Jeremy Millar is clearly a brand ambassador for Ethereum. He believes that CEOs hear the chatter about blockchain and are pre sold not having a clear picture what can be accomplished or the money saved using this technology. The important thing is for IT departments to have a respected brand to attach to their recommendations.

The EEA seeks to connect and inform and through this pioneering process spread the gospel of Ethereum. So far this is beginning to build a brand franchise for Ethereum.

The EEA is the largest blockchain body and is committed to using open-source Ethereum technology for enterprise blockchain solutions. EEA expects to see great advances in these areas in 2018 with Ethereum technologies.

It also helps when Wall Street banks uncover the potential for billions in savings on the trading desks through the applications of the Ethereum platform.

So, if you though the last year held plenty of excitement, the Meltdown and Spectre flaws promise to make this year every bit as much fun.

Featured image courtesy of Shutterstock.

 

Important: Never invest (trade with) money you can't afford to comfortably lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here. Trade recommendations and analysis are written by our analysts which might have different opinions. Read my 6 Golden Steps to Financial Freedom here. Best regards, Jonas Borchgrevink.

Rate this post:

Important for improving the service. Please add a comment in the comment field below explaining what you rated and why you gave it that rate. Failed Trade Recommendations should not be rated as that is considered a failure either way.
14 votes, average: 4.14 out of 514 votes, average: 4.14 out of 514 votes, average: 4.14 out of 514 votes, average: 4.14 out of 514 votes, average: 4.14 out of 5 (14 votes, average: 4.14 out of 5)
You need to be a registered member to rate this.
Loading...

4.4 stars on average, based on 96 rated postsJames Waggoner is a veteran Wall Street analyst and hedge fund manager who has spent the past few years researching the fintech possibilities of cryptocurrencies. He has a special passion for writing about the future of crypto.




Feedback or Requests?

Continue Reading

5 of 15 Seats Available

Learn more here.

Recent Comments

Recent Posts

A part of CCN

Hacked.com is Neutral and Unbiased

Hacked.com and its team members have pledged to reject any form of advertisement or sponsorships from 3rd parties. We will always be neutral and we strive towards a fully unbiased view on all topics. Whenever an author has a conflicting interest, that should be clearly stated in the post itself with a disclaimer. If you suspect that one of our team members are biased, please notify me immediately at jonas.borchgrevink(at)hacked.com.

Trending