Senators grill Uber CISO over 2016 breach, extortion incident

Senators rebuked Uber on Tuesday during a Senate Commerce subcommittee hearing over the company’s handling of the data breach it disclosed in November 2017, with one lawmaker calling the company’s decision to wait a year before publicly disclosing it “morally wrong and legally reprehensible.” Uber’s actions “violated not only the law but the norm of what should be expected,” said Sen. Richard Blumenthal, D-Conn., the subcommittee’s ranking member. Uber revealed in November 2017 that it paid $100,000 to delete data on 57 million users worldwide that was maliciously obtained by Florida-based hackers. The data included names, email addresses and phone numbers, and in some cases, encrypted passwords and driver’s license numbers. While Uber says that the hackers acted maliciously, the company paid them through HackerOne, which hosts Uber’s bug bounty program – a way for ethical hackers to receive payouts for informing companies about vulnerabilities. During the hearing, the lawmakers questioned Uber’s chief […]

The post Senators grill Uber CISO over 2016 breach, extortion incident appeared first on Cyberscoop.

The Wassenaar Arrangement’s latest language is making security researchers very happy

Security researchers are welcoming rewritten language covering hacking tools in a treaty that regulates the global trade in weapons technology, saying it fixes rules that, if implemented in the U.S., would have outlawed much of the daily commerce of the cybersecurity industry. The recent agreement, reached at the annual plenary session of the Wassenaar Arrangement — a 42-nation arms control treaty to which the U.S. is a signatory — was broadly welcomed by policy makers, industry sources and security researchers. “We applaud the hard work of the U.S. interagency and our partners in industry, the research community, and foreign governments to clarify software and technology controls that could have had a negative impact on legitimate cybersecurity,” Rob Joyce, White House Cybersecurity Coordinator, told CyberScoop. The changes provide exemptions to the export control requirements the treaty imposes on hacking tools. Cyber defenders and white hat security researchers engaged in vulnerability disclosure and […]

The post The Wassenaar Arrangement’s latest language is making security researchers very happy appeared first on Cyberscoop.

OWASP postpones publication of Top 10 app vulnerabilities draft

The Open Web Application Security Project (OWASP) has postponed publication of its canonical Top 10 list of web application vulnerabilities this week, saying it needs more time to review the unprecedented amounts of data it’s received. “We have data on 114,000 apps at the moment, but we got a lot of late submissions. That could rise to 120,000 or 130,000,” lead author Andrew van der Stock told CyberScoop. He said the team of volunteers preparing the new draft met over the weekend and agreed to push the scheduled Oct. 9 publication to Oct. 20. “We needed more time to analyze all this new data,” he said. “We still want to give people a month to comment” on the draft after it’s released, van der Stock said, but added the authors were determined to publish the final version before Thanksgiving. “We don’t want it to get lost in the holidays,” he concluded. OWASP is a […]

The post OWASP postpones publication of Top 10 app vulnerabilities draft appeared first on Cyberscoop.

Black Hat attendees are very vocal about the VEP

With Black Hat USA in full swing, Las Vegas buzzed with questions about the government’s process for disclosing newly discovered software vulnerabilities, even as the government is working to change the way the process works. At issue: What can fresh data examining zero days tell the public about whether the U.S. government secretly retains a new software vulnerability or reveals it to the manufacturer so it can be fixed? Retained vulnerabilities can be used to spy on U.S. adversaries, but — if rediscovered by foreign spies, cybercriminals or other hackers — they could also be used to wreak havoc on systems both inside and outside the U.S. “I’m gonna light it up,” cybersecurity researcher Katie Moussouris told CyberScoop about a planned debate on the subject. Because of the nature of the global software market — people and companies all over the world use the same programs — a high chance of rediscovery […]

The post Black Hat attendees are very vocal about the VEP appeared first on Cyberscoop.

Katie Moussouris on Bug Bounty Programs, Hack the Army, and Wassenaar

Katie Moussouris on how bug bounty programs have gone mainstream, the success of Hack the Pentagon and Hack the Army, and where things stand with the Wassenaar Arrangement.

Wassenaar Renegotiation Will Be in Trump Administration’s Hands

Now that a proposed revision to the Wassenaar Arrangement has been rejected, it will be up to the Trump administration to decide whether to attempt to renegotiate again.

Bug Hunters Prefer Communication Over Compensation

Results of an NTIA survey published today show that researchers prefer open communication with vendors over financial compensation when it comes to vulnerability disclosure.

Army Bug Bounty Building New Relationships with Hackers

The government announced its second bug bounty program, called Hack the Army, which will concentrate on finding bugs in recruiting websites and databases.

The Time Has Come to Hack the Planet

In this Threatpost Op-Ed, Katie Moussouris explains the significance of the newly free availability of ISO Standard 29147 Vulnerability disclosure, and why it keeps an important dialogue open between hackers and industry.