It’s about ethics in bug bounties
I’m a big fan of bug bounty programmes and responsible disclosure. I think they work well as additional checks and balances, catching issues that may slip through the initial security reviews.
Bug bounty platforms are similar to a dating service: they pair up companies with researchers who will look for vulnerabilities within the defined scope, and they facilitate the payment of the bounty.
But what happens when a company that sells morally dubious (but not necessarily illegal) software wants to run a bounty? It puts the platform in a bit of a dilemma. On one hand it could remain completely impartial and simply act as a conduit to help create secure software. On the other hand, it would be facilitating the betterment of software that could be used for malicious purposes.
Such was the case when spyware company FlexiSPY showed interest in moving its bug bounty program to HackerOne. HackerOne’s resulting blog post illustrates some of the ups and downs in arriving at an answer.
Casey Ellis, CEO of BugCrowd, was far more direct in his approach and in his dismissal of FlexiSPY.
On the bright side of bug bounties
It’s great to see researchers rewarded for finding bugs and vulnerabilities fixed.
For the rest of the security community, it’s also great to read a detailed writeup of how the researcher discovered the bug and validated it. It serves as a good learning experience for the rest of us.
Emergency Microsoft patch
It feels like the topic of responsible disclosure is never-ending. I’m going to add responsible disclosure to the list of things I won’t talk about in social settings, joining politics, religion, and passwords.
Last Friday, Google researcher Tavis Ormandy stated that he and fellow researcher Natalie Silvanovich had discovered “the worst Windows remote code exec in recent memory”.
While no further details were released, it left many security professionals hanging over a nail-biting weekend to learn about this vulnerability.
Some disagreed with the approach and timing, stating that it was scaremongering, or an attempt to gain exposure.
Either way, Microsoft turned it around very quickly, earning the praise of Ormandy and others, and pushed a critical out-of-band update for the Microsoft Malware Protection Engine to plug the vulnerability.
- MS plugs crazy bad bug with emergency patch
- Crazy bad bug in Microsoft’s Windows malware scanner can be used to install malware
The Government's Role in Insecurity
As much as I personally try to steer clear of politics, cyber security and politics are well and truly bed-fellows in this day and age, whether it be hacking during elections, leaks, or spying.
The Guardian ran a piece entitled Cyber-insecurity is a gift for hackers, but it’s our own governments that create it. It’s a fascinating look at where democratic capitalism and cyber security intersect.
- Chris Doman published a timeline of events leading up to the Macron Leaks
- The great British Brexit robbery, how our democracy was hijacked
- Hackers came, but the French were prepared
Criminal probe for Uber
The U.S. Department of Justice has begun a criminal investigation into Uber’s use of technology that helped drivers identify and circumvent government officials who were trying to clamp down on Uber in unapproved areas.
This isn’t the first time, nor is it likely to be the last, that the company hits the headlines for all the wrong reasons. The interesting part is the use of technology: once well-funded organisations start developing their own tools, it can become a digital wild west.
Won’t anyone think of the things?
The Internet of Things has found its way into every device imaginable. But despite security warnings, and some pretty big DDoS attacks courtesy of Mirai, it doesn’t look like manufacturers are upping their game.
- Now it looks like there’s a new IoT botnet in town that goes by the name of Persirai which targets IP cameras.
- 120,000 IoT cameras vulnerable to new Persirai botnet say researchers
- OTX pulse Persirai
Hackers loot bank accounts with SS7 TFA flaw
The risk that an attacker with SS7 access can reroute the SMS carrying a one-time code has been known for several years, but it was believed to be low.
Many similar risks exist in technology today, but the risk landscape changes rapidly: what was perceived as a low risk a few years ago may not be so low today.
Therefore it’s important to regularly review how the risk, or the company’s risk appetite, has changed, and to implement changes before an incident occurs.
- Hackers plunder bank accounts via SS7 TFA flaw – risk known ‘for years’
- So hey, you should stop using texts for two-factor authentication
- The difference between two factor and two step authentication
Article Link: http://feeds.feedblitz.com/~/318027030/0/alienvault-blogs~AES-th-May-Keeping-an-Eye-on-IT-Security-So-You-Don’t-Have-To