How Bug Bounty Platform HackerOne Handled Its Own ‘Internal Threat’ Actor

Bug bounty platform HackerOne has “a steadfast commitment to disclosing security incidents,” according to a new blog post, “because we believe that sharing security information far and wide is essential to building a safer internet.”

But now they’ve had an incident of their own:
On June 22nd, 2022, a customer asked us to investigate a suspicious vulnerability disclosure made outside of the HackerOne platform. The submitter of this off-platform disclosure reportedly used intimidating language in communication with our customer. Additionally, the submitter’s disclosure was similar to an existing disclosure previously submitted through HackerOne… Upon investigation by the HackerOne Security team, we discovered a then-employee had improperly accessed security reports for personal gain. The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties.

This is a clear violation of our values, our culture, our policies, and our employment contracts. In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data. We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future. Subject to our review with counsel, we will also decide whether criminal referral of this matter is appropriate.

The blog post includes a detailed timeline of HackerOne’s investigation. (They remotely locked the laptop and later took possession of it for analysis, reviewed all data the employee accessed “during the entirety of their two and a half months of employment,” and notified seven customers “known or suspected to be in contact with threat actor.”)

“We are confident the insider access is now contained,” the post concludes — outlining how they’ll respond and the lessons learned. “We are happy that our previous investments in logging enabled an expedient investigation and response…. To ensure we can proactively detect and prevent future threats, we are adding additional employees dedicated to insider threats that will bolster detection, alerting, and response for business operations that require human access to disclosure data….”

“We are allocating additional engineering resources to invest further in internal models designed to identify anomalous access to disclosure data and trigger proactive investigative responses…. We are planning additional simulations designed to continuously evaluate and improve our ability to effectively resist insider threats.”
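The “anomalous access to disclosure data” models HackerOne says it is building are not described in the post, so here is an added illustration (not HackerOne code) of the two simplest signals such a model would start from: reads of reports in programs an employee is not assigned to, and a day whose read volume is far above that employee’s own baseline. The audit log, roster and employee names are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed audit log of staff reads of vulnerability reports (not real data).
# Fields: date employee report_id program
ACCESS_LOG = """\
2022-06-20 alice R-101 acme
2022-06-20 alice R-102 acme
2022-06-20 bob R-201 globex
2022-06-21 alice R-103 acme
2022-06-21 bob R-202 globex
2022-06-21 bob R-203 globex
2022-06-22 alice R-104 acme
2022-06-22 bob R-301 initech
2022-06-22 bob R-302 initech
2022-06-22 bob R-303 initech
2022-06-22 bob R-304 initech
2022-06-22 bob R-305 initech
2022-06-22 bob R-306 initech
"""

# Constructed roster: which customer programs each triager is assigned to.
ASSIGNED = {"alice": {"acme"}, "bob": {"globex"}}

def parse(text):
    """Split whitespace-separated audit lines into (date, employee, report, program)."""
    return [tuple(line.split()) for line in text.splitlines()]

def find_anomalies(text, assigned, volume_factor=3.0):
    """Return sorted (employee, date, reason) findings.
    Signal 1: reads of reports outside the employee's assigned programs.
    Signal 2: a day whose read count exceeds volume_factor times the employee's
    mean daily count over the other days in the log (a crude personal baseline)."""
    per_day = defaultdict(Counter)       # employee -> date -> number of reads
    off_program = defaultdict(Counter)   # (employee, date) -> program -> reads
    for date, who, _report, program in parse(text):
        per_day[who][date] += 1
        if program not in assigned.get(who, set()):
            off_program[(who, date)][program] += 1
    findings = []
    for (who, date), progs in off_program.items():
        for program, n in progs.items():
            findings.append((who, date, f"{n} reads in unassigned program {program}"))
    for who, days in per_day.items():
        for date, n in days.items():
            others = [c for d, c in days.items() if d != date]
            baseline = sum(others) / len(others) if others else 0.0
            if others and n > volume_factor * baseline:
                findings.append((who, date, f"{n} reads vs baseline {baseline:.1f}/day"))
    return sorted(findings)

if __name__ == "__main__":
    for who, date, reason in find_anomalies(ACCESS_LOG, ASSIGNED):
        print(f"{date} {who}: {reason}")
```

In the sample, bob’s burst of reads in a program he does not support trips both signals on the same day, which is the kind of event the post says should “trigger proactive investigative responses.”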

Read more of this story at Slashdot.

How the Higgs Boson Particle Ruined Peter Higgs’s Life

93-year-old Peter Higgs was awarded a Nobel Prize nine years ago after the Large Hadron Collider experiments finally confirmed the existence of the Higgs boson particle he’d predicted back in 1964. “This discovery was a seminal moment in human culture,” says physicist Frank Close, who’s written the new book Elusive: How Peter Higgs Solved the Mystery of Mass.

But Scientific American reports there’s more to the story:
For years, the significance of the prediction was lost on most scientists, including Higgs himself. But gradually it became clear that the Higgs boson was not just an exotic sideshow in the particle circus but rather the main event. The particle and its associated Higgs field turned out to be responsible for giving all other particles mass and, in turn, creating the structure of galaxies, stars and planets that define our universe and enable our species… Yet the finding, however scientifically thrilling, pushed a press-shy Peter Higgs into the public eye. When he shared the Nobel Prize in Physics the next year, Higgs left his home in Edinburgh and camped out at a pub across town on the day of the announcement so the prize committee wouldn’t be able to reach him.

Physicist Close shares more details in an interview with Scientific American:

Close: One of the biggest shocks I had when I was interviewing him was when he said the discovery of the boson “ruined [his] life.” I thought, “How can it ruin your life when you have done some beautiful mathematics, and then it turns out you had mysteriously touched on the pulse of nature, and everything you’ve believed in has been shown to be correct, and you’ve won a Nobel Prize? How can these things amount to ruin?” He said, “My relatively peaceful existence was ending. My style is to work in isolation and occasionally have a bright idea.” He is a very retiring person who was being thrust into the limelight.

That, to my mind, is why Peter Higgs the person is still elusive to me even though I’ve known him for 40 years…

Higgs had spent two to three years really trying to understand a particular problem. And because he had done that hard work and was still trying to deepen his understanding of this very profound concept, when a paper turned up on his desk posing a related question, Higgs happened to have the answer because of the work he’d done. He sometimes says, “I’m primarily known for three weeks of my life.” I say, “Yes, Peter, but you spent two years preparing for that moment.”

Q: The discovery of the Higgs boson came nearly 50 years after Higgs’s prediction, and he said he never expected it to be found in his lifetime. What did it mean to him that the particle was finally detected?

He said to me that his first reaction was one of relief that it was indeed confirmed. At that moment he knew [the particle existed] after all, and he felt a profound sense of being moved that that was really the way it was in nature — and then panic that his life was going to change.


Google Launches Advanced API Security To Protect APIs From Growing Threats

Google today announced a preview of Advanced API Security, a new product headed to Google Cloud that’s designed to detect security threats as they relate to APIs. TechCrunch reports: Built on Apigee, Google’s platform for API management, the company says that customers can request access starting today. Short for “application programming interface,” APIs are documented connections between computers or between computer programs. API usage is on the rise, with one survey finding that more than 61.6% of developers relied on APIs more in 2021 than in 2020. But they’re also increasingly becoming the target of attacks. According to a 2018 report commissioned by cybersecurity vendor Imperva, two-thirds of organizations are exposing unsecured APIs to the public and partners.

Advanced API Security specializes in two tasks: identifying API misconfigurations and detecting bots. The service regularly assesses managed APIs and provides recommended actions when it detects configuration issues, and it uses preconfigured rules to provide a way to identify malicious bots within API traffic. Each rule represents a different type of unusual traffic from a single IP address; if an API traffic pattern meets any of the rules, Advanced API Security reports it as a bot. […] With the launch of Advanced API Security, Google is evidently seeking to bolster its security offerings under Apigee, which it acquired in 2016 for over half a billion dollars. But the company is also responding to increased competition in the API security segment. “Misconfigured APIs are one of the leading reasons for API security incidents. While identifying and resolving API misconfigurations is a top priority for many organizations, the configuration management process is time consuming and requires considerable resources,” Vikas Ananda, head of product at Google Cloud, said in a blog post shared with TechCrunch ahead of the announcement. “Advanced API Security makes it easier for API teams to identify API proxies that do not conform to security standards… Additionally, Advanced API Security speeds up the process of identifying data breaches by identifying bots that successfully resulted in the HTTP 200 OK success status response code.”
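The article describes the bot detector only at the level of “preconfigured rules, each representing a different type of unusual traffic from a single IP address,” with HTTP 200 responses singled out as the sign that a bot actually got data. The following is an added illustration of that shape (not Apigee or Google code): per-IP statistics from an access log, a handful of rules over them, and a report of which rules matched plus how many requests succeeded. The log lines, thresholds and rule names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample API access log (not real traffic).
# Fields: timestamp client_ip method path status user_agent
SAMPLE_LOG = """\
2022-06-30T10:00:00Z 203.0.113.7 GET /v1/users/1 200 python-requests/2.28
2022-06-30T10:00:01Z 203.0.113.7 GET /v1/users/2 200 python-requests/2.28
2022-06-30T10:00:02Z 203.0.113.7 GET /v1/users/3 404 python-requests/2.28
2022-06-30T10:00:03Z 203.0.113.7 GET /v1/users/4 200 python-requests/2.28
2022-06-30T10:00:04Z 203.0.113.7 GET /v1/users/5 200 python-requests/2.28
2022-06-30T10:00:05Z 203.0.113.7 GET /v1/users/6 200 python-requests/2.28
2022-06-30T10:00:10Z 198.51.100.9 POST /v1/login 401 Mozilla/5.0
2022-06-30T10:00:11Z 198.51.100.9 POST /v1/login 401 Mozilla/5.0
2022-06-30T10:00:12Z 198.51.100.9 POST /v1/login 401 Mozilla/5.0
2022-06-30T10:00:13Z 198.51.100.9 POST /v1/login 200 Mozilla/5.0
2022-06-30T10:01:00Z 192.0.2.44 GET /v1/profile 200 Mozilla/5.0
2022-06-30T10:03:00Z 192.0.2.44 GET /v1/orders 200 Mozilla/5.0
"""

# Each rule names one kind of unusual traffic from a single IP. Thresholds are
# illustrative assumptions sized for the tiny sample above, not production values.
RULES = {
    "high_request_rate": lambda s: s["requests"] >= 6,
    "path_enumeration": lambda s: len(s["paths"]) >= 5,
    "auth_failure_ratio": lambda s: s["requests"] >= 4 and s["errors"] / s["requests"] >= 0.5,
    "scripted_user_agent": lambda s: any(ua.startswith(("python-requests", "curl")) for ua in s["agents"]),
}

def parse_log(text):
    """Aggregate per-IP statistics from whitespace-separated log lines."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0,
                                 "successes": 0, "agents": set()})
    for line in text.splitlines():
        _ts, ip, _method, path, status, agent = line.split(maxsplit=5)
        s = stats[ip]
        s["requests"] += 1
        s["paths"].add(path)
        s["agents"].add(agent)
        if status == "200":
            s["successes"] += 1
        elif status in ("401", "403", "404"):
            s["errors"] += 1
    return stats

def flag_bots(text):
    """Return {ip: {"rules": [matched rule names], "successes": count of HTTP 200}}
    for every IP that matches at least one rule."""
    report = {}
    for ip, s in parse_log(text).items():
        hits = [name for name, rule in RULES.items() if rule(s)]
        if hits:
            report[ip] = {"rules": hits, "successes": s["successes"]}
    return report

if __name__ == "__main__":
    for ip, r in flag_bots(SAMPLE_LOG).items():
        print(f"{ip}: rules={r['rules']} successful_requests={r['successes']}")
```

The success count is what lets a responder rank findings: the enumerating client with five 200s is a likely data exposure to investigate, while the one failed login burst with a single success is a credential-stuffing hit.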


MIT Engineers Design Engine That Converts Heat To Electricity With Over 40% Efficiency

Engineers at MIT and the National Renewable Energy Laboratory (NREL) have designed a heat engine with no moving parts. It converts heat to electricity with over 40% efficiency — making it more efficient than steam turbines, the industrial standard. MIT Technology Review reports: The invention is a thermophotovoltaic (TPV) cell, similar to a solar panel’s photovoltaic cells, that passively captures high-energy photons from a white-hot heat source. It can generate electricity from sources that reach 1,900 to 2,400 °C — too hot for turbines, with their moving parts. The previous record efficiency for a TPV cell was 32%, but the team improved this performance by using materials that are able to convert higher-temperature, higher-energy photons. The researchers plan to incorporate the TPV cells into a grid-scale thermal battery. The system would absorb excess energy from renewable sources such as the sun and store that energy in heavily insulated banks of hot graphite. Cells would convert the heat into electricity and dispatch it to a power grid when needed.

The researchers have now successfully demonstrated the main parts of the system in small-scale experiments; the experimental TPV cells are about a centimeter square. They are working to integrate the parts to demonstrate a fully operational system. From there, they hope to scale up the system to replace fossil-fuel plants on the power grid. Coauthor Asegun Henry, a professor of mechanical engineering, envisions TPV cells about 10,000 feet square and operating in climate-controlled warehouses to draw power from huge banks of stored solar energy.


Extreme Temperatures In Major Latin American Cities Could Be Linked To Nearly 1 Million Deaths

Rodrigo Perez Ortega writes via Science Magazine: With climate change, heat waves and cold fronts are worsening and taking lives worldwide: about 5 million in the past 20 years, according to at least one study. In a new study published today in Nature Medicine, an international team of researchers estimates that almost 900,000 deaths in the years between 2002 and 2015 could be attributable to extreme temperatures alone in major Latin American cities. This is the most detailed estimate in Latin America, and the first ever for some cities.

To estimate how many people died from intense heat or cold, researchers with the Urban Health in Latin America project — which studies how urban environments and policies impact the health of city residents in Latin America — looked at mortality data between 2002 and 2015 from registries of 326 cities with more than 100,000 residents, in nine countries throughout Latin America. They calculated the average daily temperatures and estimated the temperature range for each city from a public data set of atmospheric conditions. If a death occurred either on the 18 hottest or the 18 coldest days that each city experienced in a typical year, they linked it to extreme temperatures. Using a statistical model, the researchers compared the risk of dying on very hot and cold days, and this risk with the risk of dying on temperate days. They found that in Latin American metropolises, nearly 6% — almost 1 million — of all deaths between those years happened on days of extreme heat and cold. They also created an interactive map with the data for individual cities.

When the team analyzed the specific cause of these deaths in the registries, they found — consistent with previous studies — that extreme temperatures are often linked to deaths from cardiovascular and respiratory diseases. Extreme heat makes the heart pump more blood and causes dehydration and pulmonary stress. Extreme cold, on the other hand, can make the heart pump less blood and cause hypotension and, in some cases, organ failure. The team also found older adults are especially vulnerable to extreme temperatures, with 7.5% of deaths among them correlated to extreme heat and cold during the study period. Although the numbers varied from year to year, in 2015, for instance, more than 16,000 deaths — out of nearly 855,000 — among people ages 65 or older were attributable to extreme temperatures. Latin America’s aging population is projected to rise more quickly than other parts of the world — from 9% in 2020 to 19% in 2050, by some estimates. […] Although deaths on extremely cold days — about 785,000 — were much higher than those on extremely hot days — about 103,000 — overall there were more days with intense cold, which could explain this difference. But for some cities, such as Buenos Aires, Rio de Janeiro, and Merida, heat is more deadly than cold: The researchers estimated that on very hot days, the chance of dying increases by 5.7% for every 1 °C increase in temperature.
