‘Highly critical’ Drupal security flaw prompts urgent patch

A highly critical security patch was released on Wednesday for the popular Drupal content management system, which powers some of the world’s most visited websites. The message from the developers is simple: Drop everything and patch now.

Update now — Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002 — https://t.co/uwzodrmegc
— Drupal Security (@drupalsecurity) March 28, 2018

The new update fixes a remote code execution vulnerability that “potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.” All it takes is for an anonymous user to visit a targeted page and they can see, modify and delete private data. No attacks have been detected yet, but the Drupal team and experts believe they will commence in short order. Given the severity of the issue, the Drupal team has provided updates to older versions of the software it had stopped supporting. […]

The post ‘Highly critical’ Drupal security flaw prompts urgent patch appeared first on Cyberscoop.

FBI has unit solely devoted to its ‘going dark’ problem

The FBI has formed a unit inside its Operational Technology Division (OTD) to specifically address law enforcement’s efforts to bypass encryption on various devices, a problem it refers to as “going dark.” The unit comes as a result of a Justice Department Inspector General report that finds poor communication within the FBI during its prolonged encryption battle with Apple in 2016. The new “going dark” unit is designed to help streamline technical investigations within the FBI, including finding a weak point into various iPhone models. The IG issued a report Tuesday that examines the FBI’s work during the San Bernardino terror attack investigation. That investigation led to a subsequent debate over the FBI’s inability to access shooter Syed Farook’s iPhone. The device, an iPhone 5c, was protected by built-in encryption. The report concluded that none of the FBI’s public testimony was false — they did not have the capability to access the iPhone’s contents — but poor […]

With cryptojacking rising, exploit kits rapidly decline

Hackers don’t play favorites. Criminals rob banks because that’s where the money is and, for a long time, hackers deployed exploit kits because that’s what worked. But exploit kit development cratered by 62 percent in 2017, driven by the rise of cryptojacking, improved browser security and specific victim targeting, according to a new report from Recorded Future. An exploit kit is software that automates the process of identifying and exploiting vulnerabilities on targets. They’re relatively easy to use and can be powerful when deployed. The exploit kit business has been around for well over a decade, providing a steady income for illicit developers and serious weapons for cybercriminals. The 2017 decline follows major shifts in the exploit kit landscape dating back to 2016, when a number of the leaders in the exploit kit market ceased operations. That trend is credited in large part to the decline in available zero-day vulnerabilities. Cryptojacking […]

The internet’s most important security protocol is finally moving forward

The long-simmering battle over the future of the internet’s most important security protocol is over: TLS 1.3 was approved by the Internet Engineering Task Force after more than four years and 28 drafts of back and forth. TLS secures a huge swath of the internet. HTTPS-enabled websites, like the one you’re visiting, are possible thanks to TLS. TLS is also used to secure email, voice, video and messaging. The newest version, TLS 1.3, is the biggest change in the standard’s two decades of existence. The biggest battle of note over TLS 1.3 was prompted by a push from the Financial Services Roundtable to include and standardize interception so that banks and other data center owners could more easily decrypt connections in order to comply with regulations, implement data loss protection, detect intrusions and malware, capture packets, and mitigate denial of service attacks. Opponents called it an intentional weakness that could put the entire […]

Netflix launches a public bug bounty program

Netflix announced a public bug bounty program through Bugcrowd on Thursday, the latest win for an industry and a company that’s growing at an insane clip. Last month, Bugcrowd took in a $26 million round of funding after opening new offices in London and Sydney. Netflix has had a vulnerability disclosure program since 2013. Over the past five years, the program expanded in both scope and bounty size, including a $15,000 payout on an unspecified critical vulnerability. That amount continues to be the monetary ceiling for bounties under the public program. The decision to go public opens up the service to any vulnerability hunter signed up with Bugcrowd. That means the California-based streaming service joins everyone from the U.S. military to Mastercard and Twilio in launching a public bug bounty program. Merely having a program is rarely enough. In a climate where security researchers and journalists have been targeted by litigious tech firms, […]

Dropbox revamps vulnerability disclosure policy, with hopes that other companies follow suit

Dropbox updated its vulnerability disclosure policy Wednesday, not only looking to clarify its relationship with cybersecurity researchers, but also attempting to set a standard for the rest of the tech industry. The San Francisco file-hosting company said the move is a response to “decades of abuse, threats, and bullying” against researchers who find and describe bugs in commercial software. Lawsuits are common, and journalists as well as traditional researchers can be caught up in fights over vulnerability disclosures. The highest-profile ongoing lawsuit is Keeper Security’s defamation suit against Ars Technica journalist Dan Goodin about an article that described flaws in Keeper’s password manager. Dropbox’s new policy — which the company invited others in the industry to use as a template — was updated with the following elements:

A clear statement that external security research is welcomed.
A pledge to not initiate legal action for security research conducted pursuant to the policy, including good faith, […]

Google Cloud gains federal certification, adds a suite of new security features

Google Cloud, the fastest growing cloud business in a booming industry, announced a long list of new security features on Wednesday, including denial-of-service protection, data transparency and a “Cloud Security Command Center” designed to give customers visibility into where sensitive data is located, firewall rules and resource deployment. The command center is only in alpha right now, but it’s designed expressly to let teams know which data is open to the internet, which contains personally identifiable information and even which is vulnerable to cross-site scripting (XSS). “Administrators can identify threats like botnets, cryptocurrency mining, and suspicious network traffic with built-in anomaly detection developed by the Google Security team, as well as integrate insights from vendors such as Cloudflare, CrowdStrike, RedLock, Palo Alto Networks, and Qualys to help detect DDoS attacks, compromised endpoints, compliance policy violations, network intrusions, and instance vulnerabilities and threats,” Google announced in a Wednesday blog post. “With ongoing security analytics […]

Google’s director of information security engineering is leaving the company

Michał Zalewski, Google’s director of information security engineering for the past 11 years, is leaving the tech giant, according to a tweet he published Tuesday. Zalewski leads an international team of around 100 engineers with broad and significant responsibilities, including code audit, penetration testing and vulnerability management for products ranging from Gmail to the company’s self-driving car technology. The team maintains “the last line of defense against software flaws by performing offensive exercises in-house and engaging with the broad research community,” Zalewski wrote on his LinkedIn profile. “An example of this is the massive Google Vulnerability Reward Program, initiated in 2010 and the first of its kind.” It’s not yet clear who will replace Zalewski at Google or what he’ll do next. Google and Zalewski did not respond to a request for comment. Before Google, Zalewski was T-Mobile’s chief security specialist for four years. He’s also an information security author, security tool […]

Senate Intelligence Committee pushes for improvements to election cybersecurity

The Senate Intelligence Committee on Tuesday published recommendations to improve election infrastructure cybersecurity as the 2018 election season is set to kick into high gear. The effort comes after numerous reports that Russian-linked entities tried to penetrate election systems in the weeks before the 2016 election. “It is clear the Russian government was looking for vulnerabilities in our election systems,” Sen. Richard Burr, R-N.C., said. “There is no evidence any vote was changed.” The committee urged its peers to “urgently pass legislation” increasing assistance to states to hire technology staff, update software, contract cybersecurity vendors and conduct security audits. “There were 40 states that were operating with election equipment that was a decade old,” said Sen. Mark Warner, D-Va. “Much of that equipment had outdated software you weren’t able to upgrade even if you chose to.” The Senate Intelligence Committee’s number one recommendation is to ensure that states, not the […]

Facebook CISO Alex Stamos to leave the company

Facebook chief information security officer Alex Stamos is leaving the company, the New York Times reported on Monday. Stamos is reportedly leaving after a fight among Facebook executives over how the social network should deal with disinformation and propaganda. Shortly after the story broke, Stamos tweeted that he still works for the company, but is focusing more on election security and disinformation.

Despite the rumors, I’m still fully engaged with my work at Facebook. It’s true that my role did change. I’m currently spending more time exploring emerging security risks and working on election security.
— Alex Stamos (@alexstamos) March 19, 2018

Stamos was previously the CISO at Yahoo. He left that company after engineers began scanning all incoming email on behalf of the U.S. government. The New York Times story says that Stamos tried to quit in December after the extent of Russia’s disinformation campaigns were made public, but he has since […]
