Issue 6

Netgear launches bug bounty program

After the uproar around the recent router exploits, Netgear is launching a bug bounty program. It will pay up to $15,000 for the most serious flaws: those that give access to customers' cloud storage files or live video feeds, or that allow remote access to the device.

securityweek.com

 

FTC issues public challenge to improve IoT patching

The FTC has launched a public challenge, asking for an innovative way to keep already-installed IoT devices patched. The solution may be an app, a physical device or a cloud-based service. The most promising proposal will receive a $25,000 prize.

threatpost.com

 

MongoDB databases actively hijacked for extortion

An extortion campaign is underway against insecure MongoDB installations: attackers lock the owners out of databases that are reachable from the Internet without authentication and demand 0.2 bitcoin to give them back. So far about 3,000 databases have been reported compromised. If you run MongoDB, check now that it is not listening on a public interface with authentication disabled.

securityweek.com

 

Bruce Schneier explaining the concept of "class breaks"

When asked what scientific concept ought to be more widely known, Schneier explains the concept of a "class break": a single security flaw that breaks not just one system but an entire class of systems at once, so that the attack scales with no extra effort per target.

schneier.com

 

IoT Trust Framework: The foundation for future IoT certification programs

The Online Trust Alliance (OTA) has released an updated IoT Trust Framework, to aid developers, retailers and purchasers in establishing a firm baseline for security and privacy. The framework will be used for future IoT certification programs.

helpnetsecurity.com

 

Ransomware is evolving into "Doxware"

Ransomware is evolving into something dubbed 'doxware'. Files are no longer just encrypted: the attackers also read the contents of the hijacked files and threaten to publish sensitive pictures, conversations and documents. Because a human has to look at the loot, the attack is harder to automate, but it is far more likely to result in a ransom payment.

darkreading.com

 

Box.com fixed flaw with Google-indexable shared folders

It was possible for Box shared folders and links to be indexed by Google, making sensitive documents from Dell and other companies findable with a Google query. It does seem to have required someone to post the share link somewhere public, which is of course a big no-no: a share link is a bearer credential, and anyone who has it has the files.

threatpost.com

 

Explained: domain-generating algorithms

A short and sweet explanation of how the ever-changing domain names used by botnets are determined. They need to be predictable, so that the malware knows which domain to reach out to on a given day and the operator knows which domain to register in advance in order to take control. The predictability cuts both ways: a defender who recovers the algorithm and its seed from a sample can compute the same list and block or sinkhole the domains ahead of time.

darkreading.com
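As an added illustration of the rendezvous described above (example code written for this issue, not from the article): a toy domain-generating algorithm, the operator registering one of the day's names, the bot walking the list until a name "resolves", and a defender precomputing the coming days' names. The hashing scheme, the seed and the stand-in registry are all assumptions made for the example; a real family would use its own scheme.

```python
import hashlib
import string
from datetime import date

ALPHABET = string.ascii_lowercase
TLDS = ("com", "net", "org")


def dga(day, seed, count=10, length=12):
    """Candidate domains for one day (day given as 'YYYY-MM-DD').

    Bot and operator both run this with the same hard-coded seed and the
    same clock, so they arrive at the same list without the list ever
    travelling over the network. Hypothetical scheme: SHA-256 over
    seed, date and a counter, mapped onto lowercase labels."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day}|{i}".encode()).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def operator_pick(day, seed, index=0):
    """Controller side: choose one of the day's candidates to register ahead of time."""
    return dga(day, seed)[index]


def bot_rendezvous(day, seed, registered):
    """Bot side: walk the day's list and stop at the first name that resolves.
    `registered` stands in for DNS here: a constructed set of the names the
    operator actually registered."""
    for domain in dga(day, seed):
        if domain in registered:
            return domain
    return None


def defender_blocklist(seed, start, days):
    """Defender side: with the seed recovered from a sample, precompute the
    domains for the coming days so they can be blocked or sinkholed."""
    names = []
    first = date.fromisoformat(start).toordinal()
    for offset in range(days):
        names.extend(dga(date.fromordinal(first + offset).isoformat(), seed))
    return names


if __name__ == "__main__":
    today = date.today().isoformat()
    registered = {operator_pick(today, "example-seed", index=3)}
    print("bot reached:", bot_rendezvous(today, "example-seed", registered))
    print("domains to block over the next 3 days:",
          len(defender_blocklist("example-seed", today, 3)))
```

Only one of the ten names per day needs to be registered for the rendezvous to work, which is what makes DGAs cheap for the operator and expensive for anyone trying to take domains down one at a time.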

 

Hijacking 120,000 domains in AWS, Google Cloud, Rackspace and Digital Ocean

This blog post describes an attack that lets you hijack a domain that was once hosted on Google Cloud DNS, AWS, Rackspace or DigitalOcean but has since been deleted there without the domain's nameserver records being changed: the delegation at the registrar still points at the provider, so whoever creates a matching zone at that provider gets to answer for the domain. It seems that only Google has made an effort to fully mitigate the issue. If you have ever moved DNS off a cloud provider, verify that every nameserver your domain is delegated to still actually serves your zone.

thehackerblog.com
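A check for the condition just described, written for this issue and not taken from the blog post: send a raw SOA query for the zone directly to one of the nameservers it is delegated to and look at the response code. The classification rule (a delegated nameserver answering REFUSED or SERVFAIL for the zone's own SOA does not host that zone) is this example's assumption. The zone name and nameserver IP are command-line arguments; nothing below is a real target.

```python
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_soa_query(name, txid=0x1234):
    """Minimal DNS query for the SOA of `name`, RD bit clear: we want the
    nameserver's own answer, not a recursive lookup done on our behalf."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN


def parse_header(data):
    """Pull ID, AA flag, RCODE and answer count out of a DNS message header."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid,
            "aa": bool(flags & 0x0400),                       # Authoritative Answer
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "answers": an}


def classify(header):
    """Heuristic assumed for this example: REFUSED/SERVFAIL from a delegated
    nameserver means it does not host the zone, i.e. the delegation dangles.
    An authoritative NOERROR with an SOA in the answer means the zone is served."""
    if header["rcode"] in ("REFUSED", "SERVFAIL"):
        return "dangling"
    if header["rcode"] == "NOERROR" and header["aa"] and header["answers"] > 0:
        return "served"
    return "unknown"


def check_delegation(zone, ns_ip, timeout=3.0):
    """Ask one delegated nameserver (by IP) for the zone's SOA over UDP."""
    query = build_soa_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ns_ip, 53))
        data, _ = sock.recvfrom(512)
    header = parse_header(data)
    if header["id"] != 0x1234:
        return "unknown"  # not a reply to our query
    return classify(header)


if __name__ == "__main__":
    # usage: python check_delegation.py example.com 192.0.2.53
    # (zone, then the IP of a nameserver the parent delegates that zone to)
    zone, ns_ip = sys.argv[1], sys.argv[2]
    print(zone, "via", ns_ip, "->", check_delegation(zone, ns_ip))
```

Run it once per nameserver in the delegation; a single "dangling" result is enough to worry about, since anyone who can obtain that nameserver for a new zone at the provider can answer for your domain. The example keeps to UDP and ignores truncated responses, which is fine for a SOA query.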

 

An incident response consultant writes about what he saw this year

A full-time incident response consultant writes about what his breached clients had in common. Interesting to read through. Hacker News thread here.

medium.com

 

Taking a look at Leakedsource

An article by Wired about LeakedSource, a service that notifies you when your data shows up in a security breach. It spreads awareness and forces companies to come clean about data breaches, but it might also raise some ethical questions.

wired.com

 

How the 2011 hack of DigiNotar changed the internet’s infrastructure

In this article the writer looks back at the notorious 2011 breach of the certificate authority DigiNotar and what it has meant for the Internet since.

slate.com

 

SQL injection attack is now a legal company name in the UK

Someone in the UK has registered a company under the name "; DROP TABLE "COMPANIES";-- LTD".
As someone mentions in the comments: little Bobby Tables has grown up :)

schneier.com
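To show what that company name would and would not do to a careless application, here is an added example (written for this issue, not from the post or its comments) using an in-memory SQLite database. Note that the registered name contains no single quote, so it never escapes a quoted string literal: the vulnerable insert below stores it verbatim. The constructed PAYLOAD variant, which does close the literal first, drops the table through the string-formatted insert and is stored harmlessly by the parameterised one. Table name, sample row and payload are all constructed for the example.

```python
import sqlite3

# The name from the item, verbatim. It contains no single quote.
COMPANY_NAME = '; DROP TABLE "COMPANIES";-- LTD'
# Constructed variant that closes the literal before injecting.
PAYLOAD = "Bobby'); DROP TABLE \"COMPANIES\";--"


def setup():
    """Fresh in-memory database with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "COMPANIES" (id INTEGER PRIMARY KEY, name TEXT NOT NULL)')
    conn.execute('INSERT INTO "COMPANIES" (name) VALUES (?)', ("Acme Ltd",))
    conn.commit()
    return conn


def insert_vulnerable(conn, name):
    """Builds the statement by string formatting and runs it as a script,
    so anything that closes the literal becomes live SQL."""
    sql = "INSERT INTO \"COMPANIES\" (name) VALUES ('%s');" % name
    conn.executescript(sql)


def insert_safe(conn, name):
    """Parameterised: the driver passes the name as data, never as SQL text."""
    conn.execute('INSERT INTO "COMPANIES" (name) VALUES (?)', (name,))
    conn.commit()


def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'COMPANIES'"
    ).fetchone()
    return row[0] == 1


def names(conn):
    return [r[0] for r in conn.execute('SELECT name FROM "COMPANIES" ORDER BY id')]


if __name__ == "__main__":
    c = setup()
    insert_vulnerable(c, COMPANY_NAME)   # stays inside the quotes: stored as-is
    print("after registered name:", table_exists(c), names(c))
    c = setup()
    insert_vulnerable(c, PAYLOAD)        # closes the quote: table is gone
    print("after payload, vulnerable:", table_exists(c))
    c = setup()
    insert_safe(c, PAYLOAD)              # bound parameter: stored as-is
    print("after payload, safe:", table_exists(c), names(c))
```

The lesson is the usual one: never splice user input into SQL text, bind it as a parameter, and do not run request-built strings through multi-statement APIs such as executescript.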