What the Van Buren Case Means For Security Researchers

The federal computer crime law prohibits “computer trespass.” This includes both “accessing” a computer without authorization and “exceeding the scope of authorization” to access a computer. If these terms seem vague and ambiguous to you, well, …

CISA orders agencies to set up vulnerability disclosure programs

Out of scores of federal civilian agencies, only a handful have official programs to work with outside security researchers to find and fix software bugs — a process that is commonplace in the private sector. Now, to put an end to the foot-dragging, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is giving agencies six months to set up the programs, known as vulnerability disclosure policies (VDPs). CISA on Wednesday issued a directive requiring agencies to establish VDPs that forswear legal action against researchers who act in good faith, allow participants to submit vulnerability reports anonymously and cover at least one internet-accessible system or service. It’s the latest sign that federal officials are warming to white-hat hackers from various walks of life. “We believe that better security of government computer systems can only be realized when the people are given the opportunity to help,” CISA Assistant Director […]

The post CISA orders agencies to set up vulnerability disclosure programs appeared first on CyberScoop.

Tianfu Cup Round-Up: Safari, Chrome, D-Link Routers and Office 365 Successfully Hacked

White-hat hackers used never-before-seen zero days against popular applications and devices as they competed at a two-day gathering in Chengdu.

How to demonstrate trust in cybersecurity practices with organization leaders

Chief information security officers working at high-profile enterprises know their jobs are as much about guarding their organization’s brand reputation and trust as they are about IT security. But to ensure that trust, CISOs need to know whether their security investments are actually working, and that calls for having metrics that matter to senior management, according to a new report. “It’s all about measurement,” says Home Depot CISO Stephen Ward, in remarks quoted in “The 2019 Trust Report,” released by Synack. “CISOs need a way to present security to their executive team and board in a way that clearly demonstrates and measures business risk to the organization. The executive team doesn’t want to talk about security — they want to talk about risk.” The report provides CISOs with a framework for using data from their security programs to gain a clearer sense of their organization’s ability to withstand damaging cyberattacks […]

The post How to demonstrate trust in cybersecurity practices with organization leaders appeared first on CyberScoop.

Survey: Cybersecurity Crowdsourcing Achieves Acceptance

A survey of 200 cybersecurity decision-makers suggests the chronic shortage of cybersecurity talent is driving organizations to embrace alternative crowdsourcing approaches to application penetration testing. The survey, which was conducted by Enterprise Str…

Automotive companies are warming up to vulnerability disclosure programs

The automotive industry is looking to step up its collaboration with cybersecurity researchers to identify software and hardware bugs in order to better protect vehicles, which are becoming more connected and automated. “We’ve begun to actively develop relationships with the researcher community to encourage them to look at our vehicles and to let us know if they find vulnerabilities,” Harry Lightsey, an executive at General Motors, said Tuesday at the Wilson Center in Washington, D.C. A case in point is a workshop in Detroit next week that will show industry representatives how to set up an effective vulnerability disclosure program, a practice that enlists outside researchers to find bugs in an organization’s equipment. The workshop’s goal will be to “understand what a vulnerability disclosure program is, how to stand one up, what the pitfalls are,” Faye Francy told CyberScoop after the Wilson Center event. She heads the Automotive Information Sharing […]

The post Automotive companies are warming up to vulnerability disclosure programs appeared first on CyberScoop.

After security testing, CFPB to resume collecting consumer data

After an “exhaustive” review of the agency’s security practices, the Consumer Financial Protection Bureau will resume collecting consumers’ personal data, acting agency director Mick Mulvaney told employees Thursday. An independent security assessment “concluded that ‘externally facing bureau systems appear to be well-secured,’” Mulvaney said. CFPB has a mandate to collect consumer data on things like credit cards and mortgages. The agency’s cybersecurity practices drew the scrutiny of lawmakers in April, when Mulvaney told the Senate Committee on Banking, Housing, and Urban Affairs that the agency had suffered roughly 240 data security breaches and 800 suspected breaches. A CFPB spokesperson told CyberScoop the breaches of personally identifiable information happened before Mulvaney took the agency’s helm in November 2017. “When I first arrived at the bureau, I was concerned that the information the bureau collects about consumers could fall prey to hackers or other actors,” Mulvaney said in an email to agency staff […]

The post After security testing, CFPB to resume collecting consumer data appeared first on CyberScoop.

House panel advances State Department bug bounty bill

The House Foreign Affairs Committee on Wednesday advanced a bill that would establish a bug bounty program at the State Department, the latest effort by lawmakers and security gurus to encourage agencies to use ethical hackers to secure their networks. The Hack Your State Department Act would task the Secretary of State with setting up a vulnerability disclosure process for researchers to hunt for and disclose flaws in the department’s public-facing websites and applications. The program, which would emulate the Hack the Pentagon project the Defense Department carried out in 2016, would pay researchers for finding vulnerabilities of which State officials were unaware. “Any agency or private sector company should have an independent way of testing security,” Rep. Ted Lieu, D-Calif., the bill’s sponsor, told CyberScoop. “This is one of the ways to do it – get an independent check on the strength of the cybersecurity system.” “A lot of these […]

The post House panel advances State Department bug bounty bill appeared first on CyberScoop.

U.S. Copyright Office seeks changes to anti-piracy law derided by white-hat hackers

The U.S. Copyright Office is calling for wide-ranging reforms of an anti-piracy law that critics say restricts the “right to tinker” and puts white-hat cybersecurity researchers in legal jeopardy. In a little-noticed report published last week, the office questions the “overall operation and effectiveness” of Section 1201 of the Digital Millennium Copyright Act, or DMCA. The section makes it a federal crime to circumvent or get around special “technological protection measures” designed to prevent piracy of digital products. The law was designed to protect movies, recorded music or books from endless duplication and distribution online. Critics of the section say that — because so many things now include software, and most of it has some form of anti-piracy protection — it’s effectively illegal to repair, tinker with or even look for security flaws in almost any kind of “smart” or connected product, despite an exemption under the law for security testing. “The current exemption includes a requirement that security researchers obtain prior permission” for any […]

The post U.S. Copyright Office seeks changes to anti-piracy law derided by white-hat hackers appeared first on CyberScoop.