Open source project looks to give legal safe harbor for ethical hackers

A new program aims to provide white hat hackers and companies running bug bounty and vulnerability disclosure programs with open source legal guidelines to avoid issues sometimes associated with security research. Launched jointly on Thursday by Bugcrowd and Amit Elazari, a University of California Berkeley doctoral candidate, Disclose.io can be adopted by any organization running a bug bounty or disclosure program. The initiative offers boilerplate language that a company can use as terms between it and security researchers who want to disclose a bug. Bugcrowd asserts that current laws, such as the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA), have a chilling effect on security research. Research conducted in order to find software vulnerabilities is often perceived as malicious hacking, Bugcrowd explains. “The ambiguity of existing laws and lack of framework surrounding protocols for ‘good faith’ security testing has sometimes resulted in legal threats, unlawful […]

The post Open source project looks to give legal safe harbor for ethical hackers appeared first on Cyberscoop.

Cisco to acquire Duo Security for $2.35 billion

Cisco is planning to buy Duo Security, a company that provides enterprises with secure multi-factor authentication services, for $2.35 billion, the two companies announced on Thursday. Duo Security is largely seen as a leader in the multi-factor authentication space and is best known for its “zero-trust” security platform, which helps companies verify the identity and trust of the various user endpoints on their networks. Based in Ann Arbor, Michigan with other offices in the U.S. and London, the company has raised more than $121 million in venture capital funding since it was founded in 2010. “Cisco created the modern IT infrastructure, and together we will rapidly accelerate our mission of securing access for all users, with any device, connecting to any application, on any network,” said Duo CEO Dug Song in a statement. “By joining forces with the world’s largest networking and enterprise security company, we have a unique opportunity […]

Mimecast acquires threat detection company Solebit

Mimecast, a publicly traded email security company, is acquiring cybersecurity software startup Solebit in an $88 million cash deal, the two companies announced Tuesday. Based in San Francisco with offices in Tel Aviv, Israel, Solebit develops software that helps enterprises detect cyberthreats on their networks. The company boasts that its platform does this in a signatureless way and without using sandboxing. It was founded in 2014 by former members of the Israeli Defense Forces, according to its website, and has raised $13 million in venture capital funding. Solebit’s threat detection capabilities are already integrated into Mimecast’s products, according to the announcement. “We’re excited to welcome Solebit into the Mimecast family, as it helps us to offer customers a new approach that fundamentally improves their cybersecurity and resilience efficacy in the most efficient way on the market,” said Mimecast CEO Peter Bauer in a statement. Headquartered in London, Mimecast markets a […]

HP launches printer bug bounty program with Bugcrowd

HP, the Palo Alto, California tech giant, announced Tuesday it will be inviting white hat hackers to probe its printers for bugs that attackers could exploit for malicious purposes. Shivaun Albright, HP’s chief technologist of print security, described the program as complementary to existing security features built into HP printers. “We have some features in our devices to detect when attacks occur,” Albright told CyberScoop. “But if you look at it, recognizing that a device can’t protect against all current and future attacks, what we wanted to do was go beyond what’s happening in the industry.” The HP printer bug bounty program will be managed by Bugcrowd, a prominent bug bounty platform. HP’s program will be private, meaning researchers who already have some experience with Bugcrowd will be invited to join. Albright said the program will be a pilot that could lead HP to open it up to the […]

NetSpectre attack can exploit CPUs to leak information remotely, researchers say

Researchers now say it’s possible to use the infamous Spectre vulnerability in a way that does not require direct access to a victim’s device. Researchers from the Graz University of Technology in Austria write in a paper published Thursday that they can exploit the Spectre flaw remotely without having to run code on the target machine. Such an attack, dubbed NetSpectre, would allow hackers to trick applications into leaking private information, albeit very slowly. “The attacker only sends a series of crafted requests to the victim and measures the response time to leak a secret value from the victim’s memory,” the researchers explain. Spectre is a CPU flaw affecting most modern computers that was revealed by researchers in January. It was originally thought that attackers trying to exploit it would need to somehow install malware on a victim’s device, either by tricking them into downloading malicious code or by running malicious JavaScript on a website the victim visited. […]

Agari: Most agencies on track for DMARC deadline

Most federal agency web domains are on track to meet a requirement that protects them from email spoofing, according to a report from email security company Agari. The requirement in question is Domain-based Message Authentication, Reporting and Conformance (DMARC), a policy that gives network administrators more visibility and control over how their domain is being used with regard to email. Without it, malicious actors can send emails that appear to be from a trusted source, such as a .gov website, to unsuspecting victims. The Department of Homeland Security issued a binding operational directive (BOD) in October 2017 that required all agencies to protect their domains with the highest level of DMARC within one year. With the deadline less than three months away, Agari reports that most domains are on track to meet the requirements, and just over half have already done so. DMARC can be implemented on three levels of […]

Pentagon lays out plan to secure websites in response to lawmaker inquiry

The Department of Defense says it has a plan to make sure that all of its public-facing websites are configured in a way that doesn’t put the security of their visitors at risk. In a letter responding to a lawmaker dated July 20, DOD Chief Information Officer Dana Deasy wrote that the department plans by the end of 2018 to fix issues with trust certificates and encryption that are present across many websites affiliated with it. Certain issues will take longer, he said, but will at least have a definitive plan by the end of the year. “The Department is working hard to ensure DoD inspires trust among citizens and partners in its digital interactions across our missions, business, and entitlements roles,” Deasy wrote. Deasy laid out the plan in response to a May letter from Sen. Ron Wyden, D-Ore., that raised questions about the issue of insecure websites. Wyden initially […]

Private sector played critical role in WannaCry attribution, ODNI official says

Private sector security companies had a key role in the U.S. government’s attribution of last year’s WannaCry ransomware epidemic to North Korea, an official at the Office of the Director of National Intelligence (ODNI) said on Friday. Speaking at a Washington Post Live event, Tonya Ugoretz, director of ODNI’s Cyber Threat Intelligence Integration Center (CTIIC), said that the small agency she leads acted as a liaison to get critical information about the global attack from the private sector to U.S. intelligence agencies. Ugoretz said that CTIIC learned of information about WannaCry that had been fed to the Department of Homeland Security by its private sector partners. The information would play an important role in the attribution to North Korea months later, Ugoretz explained. CTIIC comprises staff from intelligence, law enforcement and other federal agencies with the goal of helping coordinate responses to cyberthreats. “DHS had that by virtue of their private sector relationships, and we asked […]

Utilities will have stricter cybersecurity reporting requirements under new ruling

U.S. regulators are laying down stricter reporting requirements for electrical utilities that experience cybersecurity lapses. The Federal Energy Regulatory Commission (FERC) said Thursday that utilities will have to report attempts by attackers, even if they don’t have an immediate effect, that ultimately make it easier to “harm reliable operation of the nation’s bulk electric system.” Current requirements only make utilities report incidents that result in an actual compromise or disruption. “Cyber threats to the bulk power system are ever changing, and they are a matter that commands constant vigilance,” FERC Chairman Kevin McIntyre said in a statement. “Industry must be alert to developing and emerging threats, and a modified standard will improve awareness of existing and future cyber security threats.” The new standards will come by way of the North American Electric Reliability Corporation (NERC), a quasi-governmental body that implements FERC’s rulings for electrical utilities. NERC will have to develop standards […]

Hundreds of thousands of voter records found exposed on misconfigured server: report

Yet another misconfigured Amazon S3 bucket has exposed the sensitive information of unsuspecting people. This time, hundreds of thousands of voters’ records were left open for the taking by a Virginia robocalling firm called Robocent, according to Bob Diachenko, a security researcher at cybersecurity firm Kromtech. Diachenko wrote in a LinkedIn blog post Wednesday that he discovered a trove of about 26,000 files, including audio files with pre-recorded political messages and spreadsheets containing voter information, on the leaky server. The voter data, according to Diachenko, includes names, phone numbers, addresses, political affiliations, birth dates, genders, jurisdictions and some demographic information. The Robocent files were accessible to anyone who did a specialized web search for “voters,” said Diachenko. By the time it was identified by Kromtech, the server had already been indexed by GrayhatWarfare, another website that scans the internet for open S3 buckets. Diachenko says he disclosed the finding to Robocent […]
