How to make big bucks hunting cyber bugs

THINKSTOCKImage copyright

This month the US government is launching its first-ever bug bounty programme - a 20-day scheme for cybersecurity savvy citizens to have a go at finding flaws in the Department of Defense's public websites before the illegal hackers do.

There is a $150,000 (£106,000) pot for rewarding the finders of significant bugs.

Unauthorised hacks make headlines and can have catastrophic consequences for the organisation that suffers a breach, so many seek to crowdsource their security in addition to employing their own in-house experts, offering financial rewards - known as bounties - as an incentive.

Bugs are officially big business

Image copyrightGETTY IMAGES

Image captionUber launched its first bug bounty programme in March 2016

Last month Uber announced that it too was entering the bug bounty arena with a scheme of its own, while firms like Facebook and Microsoft have been running them for years.

Microsoft's top reward is currently up to $100,000 (£70,699) for "truly novel exploitation techniques against protections built into the latest version of our operating system" - or anything that bypasses all the security systems on the Windows platform.

Generally a bug bounty programme will pay a reward based on how significant the find is.

Facebook has so far paid out nearly $1m in bounties but the average pay-out in 2015 was $1,782 per bug - and its most prolific bug hunters were in India, Egypt, and Trinidad and Tobago, the social network says.

Job opportunities

"By having bug bounty programmes, companies make sure the best hackers look at their code," says computer scientist Gianluca Stringhini, assistant professor at University College London.

"The more eyes look at the programme, the more bugs they find.

It's also a way for these companies to identify talent."

There's no doubt that if you're a successful part-time bug hunter you might even get a job out of it - security researcher Chris Vickery got his current role after doing just that.

"When I found one of the databases of [software firm] MacKeeper, they turned around and said 'OK, we want to hire you to give us tips about data breaches'," he said.

"That was an awesome response."

Image copyrightGETTY IMAGES

Image captionMany security researchers bug hunt in their spare time.

So how do you go about it?

Belgian bug hunter Arne Swinnen is currently ranked number two in Facebook's so-called white hat hall of fame - a surprisingly long list of the people who have helped it make its various platforms more secure by finding and telling it about vunerabilities before the cybercriminals exploit them.

Mr Swinnen has a day job but in his spare time has netted around $15,000 (£10,604) finding system weaknesses in the last few months.

"Some bugs that I've found they took me a couple of days, others only take five minutes. My biggest bug so far got me $2,500 (£1,767) and only cost me five minutes of my time."

He started out by looking at Facebook-owned Instagram after researching bugs online and identifying that fewer bug bounty hunters appeared to have it in mind.

"I looked to see what it had - website, mobile apps - I looked at their functionalities, and then started to look for vulnerabilities," he explains.

Image copyrightARNE SWINNEN

Image captionArne Swinnen is number two on Facebook's bug bounty hall of fame

Mr Swinnen admits it isn't exactly his girlfriend's idea of a holiday - but it can be lucrative.

"It's my hobby, I like hunting, if you find something it's really a thrill," he told the BBC.

Right side of the law

Of course many companies without designated schemes will generally be appreciative of some security support. There are a few issues to be aware of though if you plan to fish in the wild, as it were - not least that unauthorised access of a system is illegal in many countries.

"In the UK, under the Computer Misuse Act, unauthorised access is a criminal offence - even if the door is wide open," says cybersecurity expert Prof Alan Woodward from Surrey University.

"You have to understand the law and how far you can push it. You also need to understand how the industry works because there are what you might think of as best practice [guidelines] - it's what responsible disclosure is all about."

Image copyrightGETTY IMAGES

Image captionUnder UK law, unauthorised access of an IT system is illegal.

Prof Woodward also warns about the responsibilities associated with handling any data you might find floating around, that perhaps isn't as encrypted or secure as it should be.

"You have a duty of care to whoever that data belongs to or is about," he adds.

"Some hackers perhaps feel they are above that but they are not.

"You have to be careful, it is a minefield - there is a fine line between probing for vulnerabilities and unauthorised access."

Stay alert

It is also a minefield for companies, especially small businesses who may well lack both the expertise and the resources to manage this global army of white hats - and the hackers hot on their heels.

"In general the problem is that when someone designs a programme they expect the user to play nicely.

"But an attacker could present an input that nobody thought about and that could make the programme play completely differently," says Gianluca Stringhini.

His basic advice to all firms is simple.

"Keep up with the news, see what new attacks are out there, make sure that whenever a new vulnerability is disclosed they update their systems - and keep an eye for general weird activity," he says.

Members of staff should also take note, he adds.

"You have systems you might develop but they might have holes - system administrators need to keep that in mind but so do end users, their data may not be safe."

These phone apps have got your number

Image copyrightGETTY IMAGES

Image captionThe databases of numbers have been compiled from the address books of users

The mobile phone numbers of former Prime Minister David Cameron, Labour leader Jeremy Corbyn, celebrities and millions of other people are being stored in databases that can be searched by the public.

While the numbers cannot be obtained simply by entering a name, data watchdogs are concerned about the way the information has been gathered.

These databases have been compiled by phone apps that promise to block spam calls and let people "reverse-look up" calls from numbers they do not recognise. But it appears many of the names and numbers have been gathered without their owners' knowledge.

The apps, which include Truecaller, Sync.me and CM Security, ask users to upload their phone's contact lists when they install them. That means they end up with huge databases - one app claims to have two billion numbers while another claims more than a billion.

These can then be searched to connect any number with a name, although you cannot put in a name and get a number. Searches can be conducted on the app provider's website without even installing the software.

The issue has been highlighted by Factwire, an investigative journalism organisation that found the numbers of leading Hong Kong lawmakers had been stored in the systems.

Celebrity calls

The BBC has found that many British numbers are also listed - including that of Mr Cameron, Mr Corbyn, Transport Secretary Chris Grayling, the Olympic diver Tom Daley and the music producer Pete Waterman.

We had those numbers already, as did Hong Kong-based Factwire when it conducted its searches.

Many numbers appear to be stored in the databases without the knowledge or consent of their owners.

For example, we found the number of the security researcher Rik Ferguson of Trend Micro in the database of Truecaller, which is based in Sweden. He told us he had not installed the app and had not consented to having his number stored.

Image copyrightPA

Image captionThe number of Olympic diver Tom Daley was stored in one database

He described the app as "highly deceptive" and questioned whether it broke data protection regulations.

"Data can only be collected for specific, explicitly stated and legitimate purposes, may not be kept for a longer period than is necessary and crucially only with the explicit and informed consent of the data subject," he said.

Consent required

There is also concern about the security of the data. In 2013 Truecaller suffered a data breach, admitting that it had fallen victim to a cyber-attack but insisting that no sensitive information had been exposed.

Truecaller told the BBC that it ensured strict protection of user data, which was safely stored in Sweden. The company said it did not share any information with external organisations and in a statement said: "Truecaller is not in violation of the data protection laws in Sweden, nor across the EU as a whole."

We asked the Information Commissioner, Britain's data protection regulator, about Truecaller. The ICO told us: "UK data protection law says businesses are required to process data fairly and lawfully. We're asking questions on behalf of UK citizens and are following up with the Swedish authorities."

Image copyrightREUTERS

Image captionThe apps gather data currently shared across many different devices

The security blogger Graham Cluley, whose mobile number is stored by one of the apps, says everyone needs to be more careful about what they share: "If you upload your address book, you're not just putting your own privacy at risk - but the privacy of everybody else in that address book."

Most of the apps mention in their terms and conditions that users should have permission from their contacts before sharing their data.

One of the apps, CM Security, has now halted its reverse-look up function. All of them say users can opt out if they do not want to have their numbers stored.

How to detect and remove negative energies at home using only a glass of water?

There are so many techniques that can help you detect negative energies in your home. Today we’re going to show you the simplest one which will detect negative energies and clear them from your home and maintain the harmony in your family.

We inhabit certain energies wherever we live. Our homes are a space of unity where many energies meet – our feelings, thoughts and emotions emit a certain type of energy, but also attract other energies. Family members, neighbors or visitors in our homes can bring in negative energies which may affect our mood and well-being.

The energy debris can be a result of negative emotions, thoughts, occurrences, and stress that you have experienced in your space.

Your house is like a sponge. Whatever transpires in your environment is absorbed into the walls, furniture, carpet, ceiling, and objects. Frequently, these negative energies accumulate in the corners and tucked away places. Also, if you had a negative event happen recently or a lot of sadness or fear, cleanse your space immediately!

Once they enter your home, negative energies impact your whole life.

They can cause your budget to fluctuate, break the relationships between family members and disrupt the harmony in your home. As a result, you will feel anxious, restless and broken, with no will to live. However, the symptoms may not be noticeable early, which is why it’s important to know how to detect the negative energy in your home.

Before starting, it’s important to know the reason for the disharmony – sometimes, even negative energies are not the culprit. However, if you can’t find the underlying problem, try this trick to detect negative energies:

Get a clear (transparent) glass and pour sea salt in it – it should cover about 1/3 of the glass. Top the glass off with 1/3 water and 1/3 white vinegar, then put it in the room where you think the bad vibes are most powerful.

Put the glass in a hidden spot and leave it for a full day. Make sure no one moves it from the spot. After 24 hours, examine the glass – if it’s just like you left it, there are no negative energies in that room. You can try the trick in another room and see what happens.

If the glass has smudges or a lot of bubbles, and is clearly not like you left it, it is a result of energy problems. In this case, repeat the procedure again with a new glass, and repeat until it’s as clean as you left it.

It is important to know that you need to throw away the content from the glass in the toilet, and flush the toilet, which will clear all the negative energy absorbed in your house.

You can do the same the next day if you still feel bad vibes around you. Repeat the procedure until the water in the glass is the same as you left it.

THE HINDU SHIVA ‘DANCE OF DESTRUCTION’ FILMED INSIDE CERN COLLIDER

So why, one might ask, has a very bizarre movie been filmed on location there featuring the Shiva 'Dance Of Destruction'? Yes, in fact, a statue of Nataraja depicting the Hindu god Shiva was dedicated there on-site back in 2004 when CERN was first constructed.

HE LHC IS THE LARGEST MACHINE IN THE WORLD. IT TOOK 

THOUSANDS OF SCIENTISTS, ENGINEERS AND TECHNICIANS

 DECADES TO PLAN AND BUILD, AND IT CONTINUES TO

 OPERATE AT THE VERY BOUNDARIES OF SCIENTIFIC

 KNOWLEDGE.

“And the LORD said unto Satan, Whence comest thou? Then Satan answered the LORD, and said, From going to and fro in the earth, and from walking up and down in it.” 

The Large Hadron Collider (LHC) is the world’s largest and most powerful particle accelerator. It first started up on 10 September 2008, and remains the latest addition to CERN’s accelerator complex. The LHC consists of a 27-kilometer ring of superconducting magnets with a number of accelerating structures to boost the energy of the particles along the way.

CERN, the European Organization for Nuclear Research, has its headquarters in Geneva. At present, its Member States are Austria, Belgium, Bulgaria, the Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Italy, the Netherlands, Norway, Poland, Portugal, the Slovak Republic, Spain, Sweden, Switzerland and the United Kingdom. India, Israel, Japan, the Russian Federation, the United States of America, Turkey, the European Commission and UNESCO have observer status. CERN Council is the body in which the representatives of the 20 Member States of the Organization decide on scientific programmes and financial resources.

So why, one might ask, has a very bizarre movie been filmed on location there featuring the Shiva ‘Dance Of Destruction‘? Yes, in fact, a statue of Nataraja depicting the Hindu god Shiva was dedicated there on-site back in 2004 when CERN was first constructed.

Now here is where it gets interesting. The significance of the Lord Nataraja sculpture is that the Hindu god Shiva is shown as first destroying the world, then recreating it. A Bengali chant talking about this says:

“Because You love the Burning-ground, I have made a Burning-ground of my heart – That You, Dark One, hunter of the Burning-ground, May dance Your eternal dance.”

The bible clearly tells us that the Hindu “dark one” who inhabits the “burning ground” is none other than Satan himself. Is the picture starting to become clear to you now?

The same “science” that inspired the builders of the Tower of Babel, men who like Satan said they did not need God to reach Heaven, is also behind the work of the people at CERN. People who have dedicated the whole of their research to the “dark one”.

There are no accidents and no coincidences. The New World Order is sending a clear-cut message. They are awaiting for the appearance of their lord, the Antichrist, and will attempt to destroy the world and recreate it in his image. The bible tells us how it all will end:

“But tidings out of the east and out of the north shall trouble him: therefore he shall go forth with great fury to destroy, and utterly to make away many. And he shall plant the tabernacles of his palace between the seas in the glorious holy mountain; yet he shall come to his end, and none shall help him.” Daniel 11:44,45 9 (KJV)

Demonetisation: Where you can still use old Rs 500 notes

While old Rs 1,000 notes are no longer valid for transactions, Rs 500 notes can still be used until December 15. Here is a list of places where you can still use old Rs 500 notes:

1.

With a doctor's prescription, at government hospitals and pharmacies

2.

For making payments at all pharmacies but with proof by carrying a doctor's prescription and a form of ID.

3.

Railway ticketing counters, ticket counters of government or state-run buses and ticketing counters at airports.

4.

Milk booths operating under central and state governments.

5.

Purchase of petrol, diesel and gas at stations operated by state-run oil companies.

6.

At crematoria and burial grounds.

7.

At international airports, arriving and departing passengers can also use old Rs 500 notes.

8.

For foreign tourists to exchange currency.

9.

Purchases at consumer cooperative stores.

10.

Purchase of cooking gas cylinders.

11.

Payment to catering services during rail travel.

12.

Purchasing tickets at suburban, metro rail services.

13.

Purchase of entry tickets for any monument maintained by the Archaeological Survey of India.

14.

Fees, charges, taxes or penalties, payable to the central, state governments, municipal and local bodies.

15.

Payments for utility charges, including water and electricity. Restricted only to individuals or households for payment of only arrears or current charges and no advance payments are allowed.

16.

For court fees.

17.

For buying seeds from designated centres.

18.

School fees of up to Rs 2,000 per student in central, state government, municipality and local-body schools.

19.

Fees in central, state government colleges.

20.

Top-up of pre-paid mobile SIM for up to Rs 500 per recharge.

21.

Purchase from consumer cooperative stores limited to Rs 5,000 at a time.