BrandPost: The Next Big Attack Vector: Your Supply Chain

There’s an old security adage: a chain is only as strong as its weakest link. The sentiment long predates Information and Communications Technology (ICT), but it’s never been more relevant. With modern ICT connecting millions of systems worldwide, there are exponentially more “links” to worry about. That’s especially true when we shift our focus from defending against external threats, which organizations have gotten pretty good at, to those originating inside an organization’s sphere of trust. Here, we have work to do — starting with the ICT supply chain itself.

Today’s supply chains are a modern marvel. Vast webs of suppliers, manufacturers, integrators, shipping carriers, and others allow vendors to build ICT products more cost-effectively and to quickly deliver them to customers anywhere. But modern supply chains also increase the number of parties with access to those products — and the number of potential weak links that cybercriminals could seek to exploit. By targeting an organization’s hardware or software supply chain, hackers can compromise an ICT product before it’s even deployed. And, since that product is coming from a supplier the target implicitly trusts, the compromise may go undetected until it’s too late.

curl-7.85.0-5.fc37

FEDORA-2022-d7ee33d4ad

Packages in this update:

curl-7.85.0-5.fc37

Update description:

smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552)
http: use the IDN decoded name in HSTS checks (CVE-2022-43551)

curl-7.82.0-12.fc36

FEDORA-2022-9836111c44

Packages in this update:

curl-7.82.0-12.fc36

Update description:

smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552)
http: use the IDN decoded name in HSTS checks (CVE-2022-43551)
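A defender-side check suggested by these two advisories, added here as an example (it is not part of the Fedora update notes): it takes the installed curl package name as printed by `rpm -q curl`, splits it into version and release, and compares it against the fixed builds named above using RPM's segment-wise version ordering. The `FIXED` table and the `parse_nvr`/`is_fixed` helpers are this example's own names; epochs are not handled.

```python
import re

# Fixed builds named in the two Fedora advisories above (FEDORA-2022-d7ee33d4ad
# for Fedora 37, FEDORA-2022-9836111c44 for Fedora 36), keyed by dist tag.
FIXED = {"fc37": ("7.85.0", "5.fc37"), "fc36": ("7.82.0", "12.fc36")}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")
# Accepts "curl-<version>-<release>" with an optional trailing ".<arch>" as rpm -q prints it.
_NVRA = re.compile(r"curl-([^-]+)-([^-]+?)(?:\.(?:x86_64|aarch64|i686|ppc64le|s390x|noarch))?")


def rpmvercmp(a: str, b: str) -> int:
    """Order two RPM version or release strings the way librpm does: split each
    into digit runs and letter runs, then compare segment by segment (numeric
    segments numerically, a numeric segment beats an alphabetic one, and the
    string with segments left over wins). Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvr(package: str) -> tuple[str, str]:
    """Split 'curl-7.85.0-5.fc37' (or the NVRA from `rpm -q curl`) into (version, release)."""
    m = _NVRA.fullmatch(package.strip())
    if not m:
        raise ValueError(f"not a curl package name: {package!r}")
    return m.group(1), m.group(2)


def is_fixed(package: str) -> bool:
    """True if the installed curl build is at or above the advisory's fixed build
    for its Fedora release, i.e. CVE-2022-43551 and CVE-2022-43552 are patched."""
    version, release = parse_nvr(package)
    dist = release.rsplit(".", 1)[-1]
    if dist not in FIXED:
        raise ValueError(f"no advisory on this page covers dist tag {dist!r}")
    fixed_version, fixed_release = FIXED[dist]
    # Release only decides the order when the versions are equal.
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order >= 0


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real system.
    for pkg in ("curl-7.85.0-5.fc37.x86_64", "curl-7.85.0-4.fc37", "curl-7.82.0-12.fc36"):
        print(pkg, "fixed" if is_fixed(pkg) else "VULNERABLE")
```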

Ukraine Intercepting Russian Soldiers’ Cell Phone Calls

They’re using commercial phones, which go through the Ukrainian telecom network:

“You still have a lot of soldiers bringing cellphones to the frontline who want to talk to their families and they are either being intercepted as they go through a Ukrainian telecommunications provider or intercepted over the air,” said Alperovitch. “That doesn’t pose too much difficulty for the Ukrainian security services.”

[…]

“Security has always been a mess, both in the army and among defence officials,” the source said. “For example, in 2013 they tried to get all the staff at the ministry of defence to replace our iPhones with Russian-made Yoto smartphones.

“But everyone just kept using the iPhone as a second mobile because it was much better. We would just keep the iPhone in the car’s glove compartment for when we got back from work. In the end, the ministry gave up and stopped caring. If the top doesn’t take security very seriously, how can you expect any discipline in the regular army?”

This isn’t a new problem and it isn’t a Russian problem. Here’s a more general article on the problem from 2020.

Top bug bounty platforms for organizations to improve security

The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

What is a bug bounty platform?

As mentioned in Wikipedia: “A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities”.

For instance, if Company ‘A’ wants to audit or test its web and mobile apps for security vulnerabilities and bugs, it has two options:

1. Self-host a bug bounty / responsible disclosure program

2. List the program on a bug bounty platform such as HackerOne or Bugcrowd

How does a bug bounty program work?

Bug bounties help connect ethical hackers and a firm’s remediation team. A single bug bounty platform allows both parties to unite, communicate, and patch bugs quickly. Bug bounty program managers track the program’s progress by recording bounty payouts, number of vulnerabilities discovered and average resolution time.

Before launching a bug bounty program, the firm sets the program scope and decides whether it will be private or public. Scope defines which systems are available for testing, how tests may be carried out, and how long the program will be open. A private program is invite-only and is not publicly listed, so only the hackers the firm invites can see it.

Most programs start as private, with the option to go public once the firm decides it is ready. Private programs help firms pace their remediation efforts and avoid overwhelming their security teams with large numbers of duplicate bug reports.

Public programs accept submissions from the entire hacker community, allowing any hacker to test the firm’s assets. Because public programs are open, they frequently produce a high volume of bug reports, many of them duplicates.

The payout for each bounty is set according to the vulnerability’s criticality. Bounty amounts can range from several hundred dollars to thousands of dollars and, in some cases, millions.

Bounty programs add a social and professional element that attracts top-league hackers looking for community and a challenge. When a hacker discovers a bug, they submit a vulnerability report. The report describes which systems the bug affects, how the developers doing triage can reproduce it, and its security risk level. Reports are forwarded directly to the remediation team, which validates the bug. Once the bug is validated, the ethical hacker is paid for the finding.

Why launch a bug bounty program?

Some ask why firms resort to bounty programs rather than hiring security professionals. The answer is straightforward: many of them do have their own security teams, but large firms like Facebook and Google launch and develop huge amounts of software, domains, and other products continuously. With such a large list of assets, it becomes nearly impossible for in-house security teams to pen test every target.

Bounty programs can therefore be an economical way for firms to test large numbers of assets regularly. They also encourage security researchers to contribute ethically to these firms in exchange for acknowledgment and bounties. That is why bug bounty programs make a lot of sense for big firms.

For firms with small budgets, however, a bug bounty program may not be the best choice: they may receive more vulnerability reports than their limited resources allow them to pay for.

Top bug bounty platforms

HackerOne

In 2012, hackers and security leaders formed HackerOne because of their passion for making the internet safer. As the leader in Attack Resistance Management (ARM), HackerOne closes the security gap between what organizations own and what they can protect. ARM blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the ever-evolving digital attack surface. This approach enables organizations to transform their business while staying ahead of threats.

HackerOne is used by big multinational companies such as Google, Yahoo, Twitter, PayPal, Starbucks, GitHub, etc. that have huge revenues and are also willing to pay large amounts to hackers.

Bugcrowd

Bugcrowd is another huge name in the bug bounty industry. Founded in 2011, it is one of the first and one of the largest platforms.

Many companies trust Bugcrowd to host their vulnerability disclosure programs, and Bugcrowd also offers penetration testing services and attack surface management.

Bugcrowd currently hosts over 1400 bug bounty programs. Its SaaS solution blends easily into an existing software lifecycle, making it straightforward to run a successful bug bounty program.

Synack

Synack is an American technology company based in Redwood City, California. Synack’s business includes a vulnerability intelligence platform that automates the discovery of exploitable vulnerabilities for reconnaissance and turns them over to the company’s freelance hackers to create vulnerability reports for clients.

So, if you’re looking for not just a bug bounty service but also security guidance and training at the top level, Synack may be your way to go.

Intigriti

Intigriti helps companies protect themselves from cybercrime. It is a community of ethical hackers that provides continuous, realistic security testing to protect customers’ assets and brand.

This interactive platform features real-time reports of current vulnerabilities and commonly identifies crucial vulnerabilities within 48 hours.

Founded in 2016, Intigriti set out to overcome the limitations of traditional security testing. Today, the company is widely recognized for its innovative approach to security testing, which has shaped both customers’ security awareness and security researchers’ lives.

Immunefi (focused on Web3)

Immunefi provides bug bounty hosting, consultation, and program management services to blockchain and smart contract projects.

Since its founding, Immunefi has become the leading bug bounty platform for Web3 with the world’s largest bounties and payouts.

Social media use can put companies at risk: Here are some ways to mitigate the danger

We live in a social world, but should our businesses? For many, the answer to that is increasingly no—that’s why laws and regulations have recently been put in place restricting access to some social media in certain situations because of the hidden risks of these seemingly innocuous platforms. The United States federal government and some US states, for example, have barred government-issued devices from the use of Chinese-owned TikTok, which allows users to create and share short videos with music, special effects, and other features.

The concern is that foreign-owned applications might share the information they collect with government intelligence agencies. That information includes personally identifiable information (PII), keystroke patterns, location information derived from the SIM card or IP address, app activity, browser and search history, and biometric information.
