When Ali Tutuncu found a vulnerability in Capital One Financial’s software in March, the company fixed the flaw in 20 days.
An independent security researcher, Mr Tutuncu said the bank thanked him and added him to its page of fame.
“They did not pay financially,” he said. “Still, it was a nice experience.”
Capital One is among a relatively small group of major companies that are encouraging the typically anti-establishment hacker community - and security researchers too - to find potential vulnerabilities in their computer networks before malicious hackers do. Some of the programmes offer cash rewards, called bug bounties, of as much as $200,000 (Dh734,500).
The bank is crediting its Responsible Disclosure Programme with helping it track down a Seattle woman who had allegedly infiltrated its computer network. Paige Thompson, 33, allegedly accessed a huge amount of data on more than 100 million people, including names, addresses, dates of birth and about 140,000 Social Security numbers.
That’s a black eye for a company that has touted its tech savviness, and the hack has sent Capital One shares tumbling 11 per cent in the past week. But it appears the damage could have been worse: Capital One said it was unlikely the information was used for fraud or disseminated to others.
Ms Thompson was charged on July 29 with computer abuse and fraud. Her arrest marks a major success for cyber tip lines and one that is likely to encourage other companies to start their own. Paul Benda, senior vice president of risk and cybersecurity policy at the American Bankers Association, said he couldn’t recall a tip that was wrapped up so quickly.
“From the time they submitted to the time it was submitted, to the time it was shut down to the time there was an arrest, there’s no example I think that comes close to that,” he said.
Alex Rice, co-founder and chief technology officer of HackerOne, which manages “hacker-powered security” platforms for Capital One and other companies, said, “Usually vulnerability disclosure programmes are not uncovering criminal activity. But it is phenomenal that it works out that way.”
Jennifer Bayuk, a former risk cybersecurity executive at several major banks including JP Morgan, said if banks don’t already have vulnerability disclosure programmes, they are likely looking at them now. “They’re probably looking at the Capital One news and meeting with legal as we speak.”
There appears to be plenty of room for growth. A 2018 HackerOne report concluded that 93 per cent of the world’s largest public companies don’t have a policy to handle “critical bug reports” submitted by outsiders.
The tip that led to Ms Thompson’s arrest came in on July 17, when an unnamed “external security researcher” emailed Capital One’s disclosure programme saying that leaked data was being stored on a publicly accessible file at GitHub, which allows users to manage and store software projects.
Capital One provided few details when asked about its cyber tip line. A public page about the bank’s programme at HackerOne shows that it has received at least 30 reports of security flaws since it started in January. HackerOne declined to say how many of those reports were validated security flaws.
“White Hat” hacker programmes have been around for years, but they have become more formalised as the volume and severity of threats has increased. Some companies manage their own vulnerability disclosure efforts. Companies like HackerOne and BugCrowd offer services to analyse incoming tips and, if warranted, pass them on to their client’s security team.
“You have to filter it out pretty carefully before you realise what’s real and what’s not,” said Dave Aitel, chief technical officer at Cyxtera Technologies, which provides security for computer networks and cybersecurity services.
Vulnerability disclosure programmes allow companies to crowdsource security, tapping researchers with a diverse range of skills to stress-test computer infrastructure. Ethical hackers and security researchers with specialised skills may discover a flaw that a company’s internal security team missed, or a flaw that fell outside the scope of a bank’s security risk assessment, Ms Bayuk said.
The programmes range from invitation-only disclosure programmes, which are often used by companies in regulated spaces like financial services and health care, to tip lines that are open to all comers. They are seen as an alternative to traditional “penetration testing,” where companies hire outside firms to test the security of their networks.
Some companies, like Capital One, publish policies agreeing not to prosecute security researchers for finding bugs in their systems as long as they abide by specific protocols.
Still, inviting hackers to rummage through a computer network isn’t without some risks, since they could come across customer identities or even potentially damage the system, Ms Bayuk said. If a hacker or security researcher were to come across personally identifiable information on Capital One’s services, the company advises them to immediately purge the data and contact the company, according to the programme guidelines.
Some financial institutions stop short of offering financial rewards for fear it could encourage criminal behaviour, Ms Bayuk said.
But organisations that offer financial rewards to hackers or security researchers typically get more tips, she said. The amount of a bug bounty depends on the quality of the information provided by the tipster and the severity of the flaw, and rewards range from a couple of hundred dollars to hundreds of thousands of dollars.
Apple, for instance, will pay out as much as $50,000 for pointing out a bug that allows a hacker to access iCloud account data on Apple servers, and as much as $200,000 for vulnerabilities in its secure boot firmware components, which block malware when a phone starts, according to the company’s iOS security guide. On Monday, Microsoft announced that it was doubling the top bounty reward, to $40,000, for finding bugs in Azure, the company’s competitor to Amazon Web Services.
Goldman Sachs has had a private disclosure programme in place since January 2018 and awarded $40,500 since it was started, said Patrick Lenihan, a bank spokesman. Goldman offers a maximum payout of $15,000 to people who identify vulnerabilities, although awards are usually around $1,000, Mr Lenihan said.
In recent weeks, it also started a public programme - offering incentives to people who identify flaws such as “unauthorized access to sensitive information.” It too has a maximum reward of $15,000 but that’s likely to increase as it expands, Mr Lenihan said.
Even if Capital One offered cash rewards, it’s not clear that the unnamed tipster would have netted a huge reward. That’s because the information provided was more of a heads-up about leaked data, rather than a detailed report outlining a major flaw, Mr Aitel said.
“You’re not going to make a ton of money saying, ‘Hey, I think someone has your information on a GitHub account,’ ” he said, adding, “They might send you a thank you T-shirt. They definitely owe you a thank you T-shirt.”