Domain: infosecurity-magazine.com
Stories and comments across the archive that link to infosecurity-magazine.com.
Stories · 12
Bug Bounties Aren't Silver Bullet for Better Security (infosecurity-magazine.com)
Many organizations may find they're better off hiring pen testers and in-house security researchers directly than running bug bounty programs, according to new MIT research. From a report: The New Solutions for Cybersecurity paper features a surprising analysis of bug bounty programs in the chapter, Fixing a Hole: The Labor Market for Bugs. It studied 61 HackerOne bounty programs over 23 months -- including those run for Twitter, Coinbase, Square and other big names -- and one Facebook program over 45 months. It claimed that, contrary to industry hype, organizations running these programs don't benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western standards.
WannaCry is Still Dominating Ransomware (axios.com)
An anonymous reader writes: WannaCry, once the greatest cybersecurity calamity in history, now doesn't work. A website critical to its function is now controlled by civic-minded security researchers, and the fixed deadline to pay the ransom has long passed. Yet WannaCry still accounts for 28% of ransomware attacks -- the most of any ransomware family. According to a new study by Kaspersky Lab, the defanged North Korea-linked ransomware is still spreading uncontrollably. The spreading mechanism that passed WannaCry from victim to victim, which was so virulent in the 2017 attack, is still active, even if the ransomware itself isn't. The firm discovered that since the WannaCry outbreak in May 2017, it has affected 74,621 users across the globe.
More Than 40% of Global Log-in Attempts Are Malicious (infosecurity-magazine.com)
More than 40% of global log-in attempts are malicious thanks to bot-driven credential stuffing attacks, according to the latest report from Akamai. From a report: The cloud delivery provider's latest State of the Internet/Security report for Q4 2017 comprised analysis from over 7.3 trillion bot requests per month. It claimed that such requests account for over 30% of all web traffic across its platform per day, excluding video streaming. However, malicious activity has seen a sharp increase, as cyber-criminals look to switch botnets from DDoS attacks to using stolen credentials to try to access online accounts. Of the 17 billion login requests Akamai tracked in November and December, over two-fifths (43%) were used for credential abuse. The figure rose to a staggering 82% for the hospitality industry.
Ukrainian Banks, Electricity Firm Hit by Fresh Cyber Attack; Reports Claim the Ransomware Is Quickly Spreading Across the World (vice.com)
A massive cyber attack disrupted businesses and services in Ukraine on Tuesday, bringing down the government's website and prompting officials to warn that airline flights to and from the country's capital city Kiev could face delays. Motherboard reports that the ransomware is quickly spreading across the world. From a report: A number of Ukrainian banks and companies, including the state power distributor, were hit by a cyber attack on Tuesday that disrupted some operations (a non-paywalled source), the Ukrainian central bank said. The latest disruptions follow a spate of hacking attempts on state websites in late 2016 and repeated attacks on Ukraine's power grid that prompted security chiefs to call for improved cyber defences. The central bank said an "unknown virus" was to blame for the latest attacks, but did not give further details or say which banks and firms had been affected. "As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations," the central bank said in a statement. BBC reports that Ukraine's aircraft manufacturer Antonov, two postal services, Russian oil producer Rosneft and Danish shipping company Maersk are also facing "disruption, including its offices in the UK and Ireland."
According to local media reports, the "unknown virus" cited above is a ransomware strain known as Petya.A. Here's how Petya encrypts files on a system (video). News outlet Motherboard reports that Petya has hit targets in Spain, France, Ukraine, Russia, and other countries as well. From the report: "We are seeing several thousands of infection attempts at the moment, comparable in size to Wannacry's first hours," Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat. Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin. "If you see this text, then your files are no longer accessible, because they are encrypted," the text reads, according to one of the photos. "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."
One In Five Vehicle Software Vulnerabilities Are 'Hair On Fire' Critical (securityledger.com)
Long-time Slashdot reader chicksdaddy quotes a report from Security Ledger: One of every five software vulnerabilities discovered in vehicles in the last three years is rated "critical" and is unlikely to be resolved through after-the-fact security fixes, according to an analysis by the firm IOActive. "These are the high priority 'hair on fire' vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component," the firm said in its report...
The bulk of vulnerabilities that were identified stemmed from a failure by automakers and suppliers to follow security best practices including designing in security or applying secure development lifecycle (SDL) practices to software creation... The result is that vehicle cybersecurity vulnerabilities are not solvable using "bolt-on" solutions, IOActive concluded...
The article argues we're years away from standards or regulations, while describing auto-makers as "wedded to the notion that keeping the details of their systems secret will ensure security."
Every Voter In The Philippines Exposed In Massive Data Breach (infosecurity-magazine.com)
schwit1 writes: "The database of the Philippine Commission on Elections has been breached and the personal information of 55 million voters potentially exposed in what could rank as the worst ever government data breach anywhere," according to Infosecurity Magazine.
The magazine attributes an initial web site breach to Anonymous, who were reportedly trying to persuade the commission to enable more security features on their automated vote-counting system before upcoming national elections on May 9. A second group named LulzSec Pilipinas then later posted the entire voter database online.
Trend Micro wrote that "Every registered voter in the Philippines is now susceptible to fraud and other risks after a massive data breach leaked the entire database of the Philippines' Commission on Elections." They report that the breached data even included 15.8 million fingerprint records, as well as 1.3 million records for overseas Filipino voters, including their passport numbers and expiration dates, all stored in plain text.
Smart Racquets Could Transform Tennis
Hugh Pickens DOT Com writes "L. J. Rick reports at BBC that Babolat has released a tennis racket with gyroscopes, accelerometers, and a piezoelectric sensor in the handle that can assess your every shot, sensing where the ball strikes the racquet and the quality of the contact. ... The sensor can gather data such as ball speed, accuracy, and angle, and will pair the info with devices over Bluetooth or USB. 'We integrated sensors inside the handle of the racquet, but it does not change the specification. And these sensors will analyze your tennis game, so your swing — your motion — and all this information will be collected by the racquet,' says Gael Moureaux. The International Tennis Federation, aware of the growing influx of hi-tech equipment into the sport, has set up a program called Player Analysis Technology (PAT) to regulate such 'virtual coaches' as the Babolat racquet. The governing body wants to be calling the shots on where and how innovation can be used, as in the past it has found itself having to ban some products like the so-called 'spaghetti-strung' racquets (with double stringing) that are already on the market and in use. In conjunction with its PAT approval program, the ITF has also brought in a new rule — Rule 31 — to reflect the growing use of connected equipment, and its possible role in tournament play. Approved devices need to be secure and protected against unauthorized access, to prevent 'sporting espionage' whereby data could be stolen. Knowing when an opponent's right hand gets tired during the second set would be a huge advantage. Despite the innovations, one trainer does not think he is in danger of being upstaged by a smart racquet. 'I think that it's great for feedback but you still need someone to analyze it,' says tennis coach Nik Snapes. 'At the end of the day it's the practice and the ability of someone that makes the player, not necessarily the equipment in their hand.'"
EU Commissioner Renews Call for Serious Fines in Data Privacy Laws
DW100 writes "Despite Google being fined €900,000 by Spanish authorities and €150,000 in France for its controversial privacy policies in recent months, an EU commissioner has admitted this is mere 'pocket money' to the company. Instead, a new legal regime that would have seen Google fined $1bn for breaching data protection laws is needed to make U.S. companies fear and respect the law in Europe. 'Is it surprising to anyone,' asked Commissioner Viviane Reding, 'that two whole years after the case emerged, it is still unclear whether Google will amend its privacy policy or not? Europeans need to get serious. And that is why our reform introduces stiff sanctions that can reach as much as 2% of the global annual turnover of a company. In the Google case, that would have meant a fine of EUR 731 million (USD 1 billion). A sum much harder to brush off.'"
New "Sanny" Cyber-Espionage Attack Targets Russia
CowboyRobot writes "A new targeted attack campaign with apparent Korean ties has been stealing email and Facebook credentials and other user-profile information from Russian telecommunications, IT, and space research organizations. The attackers are grabbing email user accounts and passwords from Outlook, as well as information about the victims' email server."
Recording of Recently Shut-Down Telemarketers In Action
An anonymous reader writes "Just yesterday, the FTC, in conjunction with other government agencies, shut down an international telemarketing scam. A recent video has surfaced showing them in action, trying to scam one of the principals of a Canadian web start-up. Watch the scammers lie through their teeth to convince their 'victim' that he needs to buy a lifetime subscription to their anti-virus product."
German Pirate Party Enters 2nd State Parliament
An anonymous reader writes "After its recent success in the Berlin elections, the German Pirate Party scores 7.4% of votes for the state parliament of Saarland, earning them 4 seats out of 51. While the campaign didn't center around copyright issues and/or ACTA (the party's stance is well-known), it centered around open government, access to education, and participative governing models, effectively ridding the party of its 'one issue' notion."
D0z.me — the Evil URL Shortener
supernothing writes "DDoS attacks seem to be in vogue today, especially considering the skirmishes over WikiLeaks in the past few weeks. The size of a DDoS attack, however, has historically been limited by how many computers one has managed to recruit into a botnet. These botnets almost universally require code to be executed on the participants' local systems, whether they are willing or unwilling. A new approach has been emerging recently, however, which uses some simple JavaScript to achieve similar ends. d0z.me is a new service that utilizes these techniques, but provides a unique twist on the idea. Posing as a legitimate URL shortening service, it serves users the requested pages in an iFrame, while simultaneously participating in a DDoS attack in the background. No interaction is required beyond clicking the link and staying on the page. This makes it relatively trivial to quickly mount large-scale DDoS attacks, and affords willing participants plausible deniability in the assault."