Hack Naked News 114 March 7, 2017
From Paul's Security Weekly
- Howard Schmidt - Howard Schmidt, one of our industry's renowned experts on public policy for cyber security, passed away last week at the age of 67. Schmidt served as the top White House cybersecurity advisor under two presidents, in addition to his roles as CISO at Microsoft and eBay. Most notably, he served as cybersecurity coordinator under President Barack Obama and as White House special advisor for cybersecurity under President George W. Bush. For those not familiar with his career, please take some time out of your busy week to remember him and learn about his accomplishments.
- HackerOne Offers Open Source Projects Free Access to Platform - If you are involved with an open-source project, check out HackerOne's new program providing a free framework for bug bounty programs. The HackerOne Community Edition service was announced this week and grants qualifying open-source projects free access to the professional edition of HackerOne. HackerOne will still receive 20% of all bounties, but the services are otherwise free provided you meet the requirements. To qualify, open-source projects must be older than three months, active, and covered by an Open Source Initiative (OSI) license that allows the software to be freely used, modified and shared. This is a great contribution to the community and one I hope will help open-source projects get some much needed eyes on security bugs.
- That big scary 1.4bn leak was basically nothing but email addresses - Last Friday, Twitter user Chris Vickery reported that he was going public today with a massive data breach of 1.37 billion records. Turns out that the leak was 1.37 billion email addresses amassed by River City Media (RCM), an internet marketing biz apparently based in Jackson, Wyoming, that claims to emit up to a billion emails a day. Those emails, you ask? Yeah, they're spam and marketing crud. This is what happens when someone forgets to put a password on the database, whoops! Spamhaus has blacklisted RCM's entire infrastructure, meaning less spam for us! A happy ending indeed.
- Google, Microsoft Bump Bug Bounties - If you're into the bug bounty thing, now you can earn more money from some of the industry's software giants. Google's priority remains remote code execution flaws, which can now earn you up to US$31,337. Google's ceiling for payments used to be $20,000. Microsoft has also increased its payouts, but only for two months and for a handful of services, including outlook.com and office.com, which we can only speculate needed further security testing. Full details are on the way from both companies, so best to check their individual programs for more information, and security bugs...
- To Keep Tor Hack Source Code Secret, DOJ Dismisses Child Porn Case - During Operation Playpen, the FBI seized and operated a known child pornography site for 13 days before closing it down. During that period, the FBI deployed a Tor exploit that allowed them to find out those users' real IP addresses. Rather than share the now-classified technological means that investigators used to locate a child porn suspect, federal prosecutors in Washington state have dropped all charges against a man accused of accessing Playpen, a notorious and now-shuttered website. Truly a case of top secret information: the data itself isn't always the secret, but how it's obtained can be even more secret.
- Active Defense Bill Raises Concerns Of Potential Consequences - A new bill aims to make "hacking back" legal! The Active Cyber Defense Certainty Act identifies victims as those suffering from persistent unauthorized intrusions of their computers. According to the proposed bill, active cyber defense would constitute measures taken by the victims that include accessing the attacker's computer without authorization in order to learn enough information for attribution that can be shared with law enforcement. The bill specifies that victims cannot cause destruction, or endanger public health or safety. This is truly a double-edged sword: while it's aimed at protecting the victims, what happens when attackers use it to wiggle out of convictions? Also, how do you really know who you are attacking? We'll keep you posted on how this one turns out.
- Wikileaks publishes docs from what it says is trove of CIA hacking tools - Wikileaks has published the first in a series of documents that disclose some CIA hacking tools. These tools, WikiLeaks claimed, "permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide, and Cloackman by hacking the 'smart' phones that they run on and collecting audio and message traffic before encryption is applied." That doesn't mean the CIA has broken the encryption in those tools: WikiLeaks' claim is based on the ability to "root" the devices themselves. Go figure, a spy agency is using hacking to spy on people...
Expert Commentary: Jason Wood, Paladin Security
Jason Wood of Paladin Security explains Ransomware for Dummies