The bug bounty market has some flaws of its own

In the wake of Microsoft’s announcement of a $250,000 reward for new hardware vulnerabilities, there’s growing concern that inflated bounties might be creating perverse incentives for young cybersecurity researchers and distorting the market for white-hat bug hunters. “If you can make considerably more money hunting bugs, there will be nobody left to fix them,” tweeted Katie Moussouris, a security researcher who created the first Microsoft program that rewarded those who reported vulnerabilities. “Those who do the hard work of code maintenance in corporations, dealing w [office] politics for a salary that’s ~1 bounty are 1 bad meeting away from rage quitting to hunt bugs full time,” the tweet concluded. “Motivations vary among hackers … but most are driven by some combination of three factors,” she told CyberScoop: Financial compensation, peer recognition and “the pursuit of intellectual happiness — loving what you do.” Moussouris would know. In addition to her practical […]

The post The bug bounty market has some flaws of its own appeared first on Cyberscoop.

DMARC 2.0? New BIMI standard will help fight spoofing and phishing

Major email service providers are teaming up with large corporations like health insurers, financial service providers and social media giants to develop a new standard that will let commercial email senders securely display their logo next to the “from” name when a message is in a user’s inbox. Brand Indicators for Message Identification, or BIMI, aims to bolster sagging public trust in email, and thereby increase customer engagement with commercial marketing messages. But senders will have to use industry-standard email verification measures in order to leverage BIMI, and the logos will also appear on individual emails from employees of the sending company, as well as mass marketing messages. As a result, BIMI will also help combat spoofing and phishing messages, according to Patrick Peterson, the founder and executive chairman of email security outfit Agari — one of the new standard’s authors. “We’re putting the trust back into email,” he told […]

Critical ManageEngine vulns affect majority of Fortune 500 companies

A new set of vulnerabilities in a network management tool used by nearly two-thirds of Fortune 500 companies is the latest example of how high-consequence IT software can serve as a launching pad for bigger breaches. Five vulnerabilities in the ManageEngine Applications Manager and one in the Event Log Analyzer were disclosed this week by cybersecurity firm Digital Defense, Inc. Digital Defense has worked with ManageEngine’s vendor, Zoho, on mitigating the vulnerabilities. The flaws have not yet been assigned a number in the CVE list, but some are likely to be rated critical, since they would allow an attacker to remotely take total control of an affected system. The vulnerability disclosures were reviewed for CyberScoop by security firm Tenable. “These are bona fide vulnerabilities,” said Tom Parsons, Tenable’s director of product management. “They would provide a good beach-head” for an attacker, because a software package like an application monitor “provides broad […]

NIST engineering guide update provides advice for securing legacy IT systems

The National Institute of Standards and Technology’s canonical Systems Security Engineering guide, SP 800-160, provides a catalog of systems and procedures that developers can use to build secure IT networks from the ground up. The guide’s second volume, published Wednesday, shows developers how to use those procedures to shore up the security of older legacy IT systems in order to limit the access hackers have if they do manage to break in. Ron Ross, NIST fellow and one of the agency’s cybersecurity experts, told CyberScoop it’s a needed corrective. “We’ve been too focused on penetration resistance, hardening the systems, trying to keep the bad guys out,” he said. “The problem is, with the incredibly complex IT systems we have today, there will always be an [effectively] unlimited supply of vulnerabilities that we can’t know about.” Nation-state hackers are sophisticated and persistent, Ross said: “The empirical data shows that you […]

EU needs one set of vulnerability disclosure rules, says expert task force

Cybersecurity researchers in the European Union need legal certainty and consistent standards across its 28 member states if they are to hunt for software vulnerabilities, according to a blue-ribbon commission established by the Center for European Policy Studies. “What we should avoid is that there are 27 or 28 different [legal] frameworks for coordinated vulnerability disclosure and also that there are different definitions being used — of hacking or vulnerability or disclosure — so that this again creates uncertainty for people working in the field,” said European Parliament member Marietje Schaake, chair of the CEPS Task Force on Software Vulnerability Disclosure. Only three of 28 member states currently have a policy on responsible disclosure, although 13 are in the stages of developing one, she told a recent roundtable at the European Parliament. Each member state has been taking its own approach to vulnerability disclosure, Schaake said, “ranging from sophisticated thinking … […]

Feds still dragging in DMARC configuration

It’s been more than a month since a mandatory Department of Homeland Security deadline passed for federal agencies to adopt security measures that stop attackers from spoofing email — but more than a third have still failed to do so, according to an analysis of public records. What’s arguably worse is that those that have implemented the measure called DMARC — Domain-based Message Authentication, Reporting and Conformance — have in many cases misconfigured it, meaning they remain exposed to spoofing. Federal IT specialists “aren’t picking up on the issue of subdomains,” explained Ian Breeze, a product manager at Easy Solutions, a vendor that provides software and advice to organizations seeking to implement DMARC. “They’re leaving their email subdomains open to fraud.”

How DMARC works

DMARC works by creating a public record that email systems can check to determine whether a message sender is in fact authorized to transmit on behalf of a […]
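The policy lookup the article describes, carried through to the subdomain case Breeze says agencies miss, as an added example that is not from the CyberScoop article, Easy Solutions or any other vendor's code (it also serves the BIMI piece above, since BIMI likewise depends on the sender having a DMARC policy in place). DNS is replaced by a constructed table of TXT records so it runs offline; the domain names, records and the toy public-suffix list are assumptions, and a real check would resolve `_dmarc.<domain>` with a DNS library and use the full Public Suffix List.

```python
"""Resolve the effective DMARC policy for a sender domain and flag weak setups.

A receiver evaluating DMARC (RFC 7489) first looks for a TXT record at
_dmarc.<sender domain>. If none exists it falls back to the sender's
organizational domain, where the sp= tag (subdomain policy) governs and
p= is only the default. That fallback is where "p=reject; sp=none" quietly
leaves every subdomain open to spoofing.
"""

# Constructed stand-in for DNS TXT lookups. All names are made up.
DNS_TXT = {
    "_dmarc.agency.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@agency.example",
    "_dmarc.bureau.example": "v=DMARC1; p=reject",
    "_dmarc.mail.bureau.example": "v=DMARC1; p=none; rua=mailto:dmarc@bureau.example",
    "_dmarc.dept.example": "v=DMARC1; p=quarantine; pct=10",
}

# Toy public-suffix list, just enough for the .example names above (assumption).
PUBLIC_SUFFIXES = {"example"}


def org_domain(domain):
    """Organizational domain = public suffix plus one more label (simplified PSL walk)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; None if it is not a usable DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def effective_policy(sender_domain, dns=DNS_TXT):
    """Return (policy, pct, source_domain) as a receiver would apply it.

    policy is 'none', 'quarantine' or 'reject', or None when no record exists;
    source_domain is the domain whose record supplied the answer.
    """
    exact = parse_dmarc(dns.get(f"_dmarc.{sender_domain}", ""))
    if exact:
        return exact["p"].lower(), int(exact.get("pct", 100)), sender_domain
    org = org_domain(sender_domain)
    if org == sender_domain:
        return None, 0, None
    rec = parse_dmarc(dns.get(f"_dmarc.{org}", ""))
    if not rec:
        return None, 0, None
    # Subdomain fallback: sp= wins if present, otherwise p= applies.
    policy = rec.get("sp", rec["p"]).lower()
    return policy, int(rec.get("pct", 100)), org


def audit(sender_domain, dns=DNS_TXT):
    """Classify a sending domain as 'enforcing', 'weak' or 'missing', with a reason."""
    policy, pct, source = effective_policy(sender_domain, dns)
    if policy is None:
        return "missing", f"no DMARC record for {sender_domain} or its organizational domain"
    if policy == "none":
        return "weak", f"{source} sets policy 'none' for {sender_domain}: spoofed mail is only reported"
    if pct < 100:
        return "weak", f"{source} enforces '{policy}' on only {pct}% of failing mail"
    return "enforcing", f"{source} applies '{policy}' to {sender_domain}"


if __name__ == "__main__":
    for name in ("agency.example", "hr.agency.example", "bureau.example",
                 "web.bureau.example", "mail.bureau.example", "dept.example",
                 "nothing.example"):
        verdict, reason = audit(name)
        print(f"{name:22} {verdict:10} {reason}")
```

The case to look at is `hr.agency.example`: the organizational domain is at `p=reject`, so a check of the apex alone looks compliant, yet `sp=none` means any subdomain can be spoofed with nothing more than a report going back to the rua address. A subdomain that publishes its own `p=none` record, as `mail.bureau.example` does, overrides an enforcing parent in the same way.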

The reason NATO’s recent cyber wargames were so unique

European and U.S. cyber warriors wargamed unique responses to nation-state attacks in a recent training exercise held by NATO, putting operators inside simulated civilian networks that illustrate the tactical complexity and legal gray areas that dog cyberwarfare operations in real life. Dubbed Crossed Swords, the exercise was conducted on computer networks of civilian infrastructure providers like phone and power companies in order to simulate an attack on hardened military systems. “What we wanted to do is match the real-world environment in which cyber operations take place and show the interdependencies between military and civilian networks,” said Aare Reintam, project manager of technical exercises at the center. “The legal issues were maybe two percent” of what went into the exercise. The exercise, staged by the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia earlier this month, comes as European countries like Sweden and Italy gear up to combat possible Russian […]

Banks preparing for heightened New York cybersecurity laws to take effect

This week, senior executives from more than 3,000 banks, insurers and other financial services companies doing business in New York will have to personally certify that their computer networks are protected by a cybersecurity program appropriate for their organization’s risk profile. The certification, imposed by the state’s banking regulator as part of its state cybersecurity rules, is the first in a slew of new requirements that will come into effect this year in New York — one of the leading centers of the global banking system. The requirement for personal certification is being compared to the post-Enron Sarbanes-Oxley corporate governance reforms that upended boardrooms across the country. The so-called SOX regulations require one of the company’s top executives to sign off on the integrity and accuracy of its financial information. In the same way, attorney Craig Newman told CyberScoop, the new regulations from New York’s Department of Financial Services (DFS) […]

Experts push back on Trump administration’s call to respond to cyberattacks with nukes

The U.S. might consider using nuclear weapons in response to a cyberattack that killed civilians and destroyed infrastructure, a defense official said Friday after rolling out a new Trump administration policy. The new Nuclear Posture Review (NPR), Deputy Defense Secretary Patrick Shanahan told reporters at the Pentagon, states that “in the context of a non-nuclear attack against the U.S. or our allies that was strategic in nature, that involved substantial impacts to our infrastructure or people, we would consider that context in evaluating an appropriate response that might involve nuclear weapons.” Shanahan also insisted that the new policy, although more explicit about the kind of non-nuclear attack that might trigger a nuclear response, did not lower the threshold for the U.S. use of atomic weapons and did not change U.S. policy. “It’s been the long-standing policy of the U.S. to maintain some ambiguity around the circumstances under which we would […]

The small government agency creating a policy to stop botnets

When White House officials were drafting the cybersecurity executive order that President Donald Trump signed last May, they faced a problem: Making the internet more secure against massive botnet attacks required coordinated action among a bewildering variety of stakeholders from a dozen different industries. Action was essential: The threat from huge automated attacks — like the one that stopped internet traffic in its tracks in October 2016 — was growing exponentially as the “Internet of Things” connected billions of insecure devices to the larger global network. But forcing industry to act through regulation was off the table in an administration committed to cutting red tape. Instead, officials approached a small agency within the Commerce Department, the National Telecommunications and Information Administration, which was acquiring a reputation for addressing complex cybersecurity problems using a new model of policymaking. NTIA’s multi-stakeholder process “was generating a lot of interest” early […]