High-Tech Bridge

High-Tech Bridge
Private
Founded 2007
Headquarters Geneva, Switzerland
Key people
Ilia Kolochenko (CEO)
Marsel Nizamutdinov (Chief Research Officer)[1]
Frederic Bourla (Chief Security Specialist)[2]
Stéphane Koch (Vice President)[2]
Services Computer security, Penetration Testing, Computer crime investigation, Web application security
Number of employees 25
Website www.htbridge.com

High-Tech Bridge SA is a Geneva, Switzerland-based private information security company.[3] Founded in 2007, the company was named by Frost & Sullivan as an industry leader and best service provider among ethical hacking providers in Europe.[4][5] The company is known for its long-standing security research program, with issues identified in products from vendors such as Sony,[6] McAfee[7] and Novell,[8] in addition to hundreds of vulnerabilities reported to the OSVDB.[9] High-Tech Bridge also introduced the concept of hybrid web security assessment, which combines manual penetration testing with automated scanning, through its ImmuniWeb web security testing SaaS.[10]

The company is among the 81 organizations, as of August 2013, that include CVE identifiers in their security advisories.[11]

History

High-Tech Bridge SA was founded at its current headquarters at the World Trade Center, Geneva, Switzerland in 2007 by Ilia Kolochenko, who serves as its CEO and also lectures on cyber crime at the University of Applied Sciences and Arts in Western Switzerland.[12]

In August 2012, High-Tech Bridge's Security Research Lab was registered as CVE and CWE compatible by MITRE.[13] This registration was followed in June 2013 by ImmuniWeb achieving CVE and CWE compatible status,[14][15] making High-Tech Bridge one of only 24 organizations globally, and the first in Switzerland, to achieve CWE compatible status.

Services

High-Tech Bridge's core business is white hat computer penetration testing,[16] information security auditing, computer security consulting, source code review and computer forensics, among other services.[4][17] In 2012 the company was assessed by Frost & Sullivan as one of the leading European companies in the ethical hacking market.[18]

ImmuniWeb

High-Tech Bridge introduced the concept of hybrid web application security testing with the launch of ImmuniWeb[19] in August 2013.[20] ImmuniWeb's hybrid solution conducts automated vulnerability scanning and manual web application penetration testing in parallel. By including a manual element in the security scan, the hybrid approach seeks to eliminate false positives.[15][17] ImmuniWeb uses a real penetration tester in conjunction with the automated vulnerability scanning.[21]

ImmuniWeb is both CVE and CWE compatible. ImmuniWeb has been adopted[22] as part of the UN International Telecommunication Union's (ITU) toolset for ensuring that the websites of ITU Member States are secure.

Security Research

In September 2013 High-Tech Bridge reported a weakness that could allow attackers to perform phishing attacks by gaining access to users' browsing history on Nasdaq.com.[23][24]

The discovery of vulnerabilities in Yahoo! sites by High-Tech Bridge was widely reported,[25][26] leading to the "t-shirt gate" affair and to changes in Yahoo!'s bug bounty program. High-Tech Bridge identified and reported four XSS vulnerabilities on Yahoo! domains, for which the company was awarded two gift vouchers with a total value of $25.[27][28][29][30] The sparse reward offered to security researchers for identifying vulnerabilities on Yahoo! was criticized, sparking what came to be called t-shirt gate,[31] a campaign against Yahoo! sending out T-shirts as thanks for discovering vulnerabilities. High-Tech Bridge's discovery of these vulnerabilities and the subsequent criticism of Yahoo!'s reward program led to Yahoo! rolling out a new vulnerability reporting policy that offers between $150 and $15,000 for reported issues, based on pre-established criteria.[26][32]

In December 2013, High-Tech Bridge research[33] on privacy in popular social networks and email services was cited[34][35] in a class action lawsuit alleging that a social network had violated its members' privacy by scanning private messages sent on the network. High-Tech Bridge also discovered vulnerabilities on the World Economic Forum website that leaked the email addresses of attendees,[36] as well as remote code execution vulnerabilities in PHP.[37] In December 2014, High-Tech Bridge identified the RansomWeb attack,[38] a development of ransomware attacks in which attackers take over web servers, encrypt the data on them and demand payment to unlock the files. The discovery[39] of a drive-by download attack on an osCommerce-based site revealed how drive-by download attacks were being used to target specific site visitors.

Awards and recognition

High-Tech Bridge made the Online Trust Alliance (OTA) Members Honor Roll three years in a row, 2012-2014.[40] The OTA Honor Roll, first awarded in 2010, analyses sites based on their domain, brand and consumer protection; site, server and infrastructure security; and data protection and privacy, and acknowledges those organizations with the best security and privacy policies.[41] Its web application, ImmuniWeb, was employed in determining the nominees for OTA's 2014 list.[18]

In 2015, High-Tech Bridge's ImmuniWeb was a finalist in the Info Security Products Guide Global Excellence Awards alongside Nessus, Tripwire's IP360 and BeyondTrust's Retina CS Enterprise Vulnerability Management. ImmuniWeb was nominated for Best Security Service (New or Updated version).[42]

ImmuniWeb was recognised in Frost & Sullivan's 2015 Market Insight as being 'the most complete hybrid offering available'.[43]

Organizational memberships

High-Tech Bridge is a member of a number of security-related organisations, including:

References

  1. "Company Overview of High-Tech Bridge SA". Bloomberg Businessweek. Retrieved 1 September 2013.
  2. "High-Tech Bridge CrunchBase profile". CrunchBase.
  3. "ImmuniWeb service launches to combine vulnerability scanning with manual pen testing". 1 August 2013. Retrieved 31 August 2013.
  4. "The Importance of Ethical Hacking: Emerging Threats Emphasise the Need for Holistic Assessments". Frost & Sullivan. Retrieved 31 August 2013.
  5. "High-Tech Bridge SA". Association suisse de la sécurité de l'information. Retrieved 31 August 2013.
  6. "Security Update Program for VAIO® Personal Computers". esupport.sony.com. Sony. Retrieved 20 January 2015.
  7. "McAfee Security Bulletin - McAfee MVT & ePO-MVT update fixes an "Escalation of Privileges" vulnerability". kc.mcafee.com. McAfee. Retrieved 20 January 2015.
  8. "Security Vulnerability: GroupWise Client for Windows Remote Untrusted Pointer Dereference Vulnerability". www.novell.com. Novell. Retrieved 20 January 2015.
  9. "OSVDB vulnerabilities reported by High-Tech Bridge". www.OSVDB.org. Retrieved 18 January 2015.
  10. "Cloud-Based Vulnerability Management Solutions". www.tomsitpro.com. Retrieved 21 January 2015.
  11. "Organizations with CVE Identifiers in Advisories". 26 June 2013. Retrieved 1 September 2013.
  12. "Industry Support of OTA Online Trust Honor Roll". 8 June 2012. Retrieved 31 August 2013.
  13. "Product from High-Tech Bridge Now Registered as Officially "CWE-Compatible"". MITRE. Retrieved 7 August 2014.
  14. "1 Product from High Tech Bridge Now Registered as Officially "CWE-Compatible"". 26 June 2013. Retrieved 30 August 2013.
  15. "Web application scanner and vulnerability assessment service launched in beta". SC Magazine. 1 August 2013. Retrieved 31 August 2013.
  16. Palmer, Maija (25 September 2014). "IT Bigs and glitches are the new frontier for bounty-hunters". The Financial Times (ft.com). Retrieved 27 October 2014.
  17. "Infosecurity Exclusive: Major Media Organizations Still Vulnerable Despite High Profile Hacks". Info Security. 20 August 2013. Retrieved 7 September 2013.
  18. "Exclusive First Look: ImmuniWeb by High-Tech Bridge". 19 July 2013. Retrieved 31 August 2013.
  19. Dawson, Freddie. "Hacking: Why Any Business Can Be At Risk And How To Prevent It". Forbes.com. Forbes. Retrieved 2 March 2015.
  20. Michael, Alexander. "You may think you have never been hacked... you just have not realised it yet". www.frost.com. Frost & Sullivan. Retrieved 4 August 2014.
  21. Cluley, Graham. "How ethical hackers found a (small) vulnerability on my website". Graham Cluley's Security Blog. Retrieved 3 March 2014.
  22. "ITU Telecom World 2013 sets agenda for far-reaching changes in ICT sector". Itu.int.
  23. Cartwright, Lachlan (16 September 2013). "Cypersecurity pro on Nasdaq website: 'I needed 10 minutes to hack'". New York Daily News.
  24. Cartwright, Lachlan (17 September 2013). "Nasdaq fixes hack-vulnerable website after Daily News exposes weak security". New York Daily News.
  25. "Yahoo to pay up to $15,000 for bug finds after 't-shirt gate' scandal". 3 October 2013.
  26. Kirk, Jeremy (3 October 2013). "Yahoo security bounty program ditches T-shirts for cash". Retrieved 19 October 2013.
  27. Rubenking, Neil J. (1 October 2013). "Yahoo Offers Sad Bug Bounty: $12.50 in Company Swag". PC Magazine. Retrieved 19 October 2013.
  28. Bilton, Ricardo (1 October 2013). "‘I reported a major Yahoo security vulnerability and all I got was this lousy T-shirt’". Retrieved 19 October 2013.
  29. Frank, Blair Hanley (1 October 2013). "Researchers find critical vulnerabilities in Yahoo’s site, offered $12.50 per bug". Retrieved 19 October 2013.
  30. Hackney, Steve (7 October 2013). "Yahoo! Inc. (NASDAQ:YHOO) Removes Bugs Identified By High Tech Bridge". Retrieved 19 October 2013.
  31. Osborne, Charlie (3 October 2013). "Yahoo changes bug bounty policy following 't-shirt gate'". Retrieved 19 October 2013.
  32. Martinez, Ramses (2 October 2013). "So I’m the guy who sent the t-shirt out as a thank you". Retrieved 19 October 2013.
  33. "Social networks: can robots violate user privacy?".
  34. "Facebook sued for allegedly intercepting private messages".
  35. "Is Facebook spying on you?". CNBC.
  36. Hern, Alex (23 January 2014). "World Economic Forum website closes email address leak". The Guardian. Retrieved 23 January 2014.
  37. Brook, Chris. "PHP patches buffer overflow vulnerabilities". threatpost. Retrieved 27 October 2014.
  38. Fox-Brewster, Thomas. "RansomWeb: Crooks Start Encrypting Websites And Demanding Thousands Of Dollars From Businesses". Forbes.com. Retrieved 1 February 2015.
  39. Gallagher, Sean (13 April 2015). "Universal backdoor for e-commerce platform lets hackers shop for victims". arstechnica. Retrieved 14 April 2015.
  40. "2014 Online Trust Audit & Honor Roll" (PDF). 17 June 2013. Retrieved 23 June 2014.
  41. "2014 Honor Roll - Methodology".
  42. "Finalists for the 11th Annual 2015 Info Security's Global Excellence Awards". Info Security Products Guide. Retrieved 15 March 2015.
  43. Hoff ter Heide, Martin. "The Rise of Hybrid Web Application Security Testing". www.frost.com. Retrieved 31 March 2015. (subscription required)
  44. "CVSS Adopters". FIRST. Retrieved 9 April 2014.
  45. "Global Partnerships". International Telecommunications Union. Retrieved 10 April 2014.