After the uproar around their router exploits, Netgear is now launching a bug bounty program. They will reward up to $15.000 for the most valuable flaws, namely those that allow access to customers' cloud storage files or live feeds, or remote access vulnerabilities.
The FTC has issued a call for papers, asking for an innovative way to patch already-installed IoT devices. This might be an app, a device or a cloud-based application. The most promising proposal will receive a $25.000 prize.
There is currently a hijacking attack underway in which insecure MongoDB installations get blocked off until the respective company pays 0.2 bitcoins. So far, 3.000 databases have been observed compromised.
When asked "what scientific concept should be more widely known", Schneier explains the concept of a "class break", where a particular security flaw breaks not just one system, but an entire class of systems.
The Online Trust Alliance (OTA) has released an updated IoT Trust Framework, to aid developers, retailers and purchasers in establishing a firm baseline for security and privacy. The framework will be used for future IoT certification programs.
Ransomware is evolving into something dubbed 'Doxware'. The files are no longer just encrypted: the attackers also look at the contents of the hijacked files and threaten to release sensitive pictures, conversations and documents. This makes the attack harder to automate, but also far more likely to result in a ransom payment.
It was possible for Box shared folders and links to be indexed by Google, making sensitive documents of Dell and other companies findable with a Google query. It does seem that this required someone to share the link in a 'public' place, which is of course a big no-no.
A short and sweet insight into how the ever-changing domain names used by botnets are determined. They need to be predictable, so that the malware knows which domain to reach out to and the malware controller knows in advance which domain to register in order to take control.
This blog post describes an attack where you can hijack a domain if it was once hosted on Google/AWS/Rackspace/DigitalOcean but has since been deleted there without its nameservers being changed. It seems that only Google has made an effort to fully mitigate this issue.
A full-time incident response consultant writes about what his breached clients had in common. Interesting to read through. Hacker News thread here.
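As an added illustration of the mechanism (not code from the linked post, and not modelled on any real malware family): a toy date-seeded generator, and the defender-side use of the same predictability, pre-computing the day's candidate domains and flagging DNS queries that hit them. The seed, the log format and the sample log lines are constructed for this example.

```python
import hashlib
from datetime import date

TLDS = ("com", "net", "org")

def dga_domains(seed: str, day: date, count: int = 5) -> list[str]:
    """Deterministically derive `count` domains for one day.

    Bot and controller both know `seed`; the date is the only changing
    input, so each side computes the same list without ever talking.
    Toy construction: SHA-256 of seed|date|index, first 12 hex chars.
    """
    domains = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        label = hashlib.sha256(material).hexdigest()[:12]
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains

def flag_dga_queries(dns_log_lines, seed: str, day: date):
    """Defender side: pre-compute today's candidates, flag queries to them.

    Returns (client_ip, domain) for each matching line. Constructed log
    format: "<timestamp> <client_ip> query <qname>".
    """
    expected = set(dga_domains(seed, day))
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].lower().rstrip(".")
            if qname in expected:
                hits.append((parts[1], qname))
    return hits

# Constructed sample input: one benign query and one query to the third
# domain the toy generator yields for 2017-01-09 under seed "toy-seed".
DAY = date(2017, 1, 9)
SAMPLE_LOG = [
    "2017-01-09T10:00:01 10.0.0.7 query example.com.",
    f"2017-01-09T10:00:02 10.0.0.5 query {dga_domains('toy-seed', DAY)[2]}.",
]

if __name__ == "__main__":
    print("today's candidates:", dga_domains("toy-seed", DAY))
    print("flagged:", flag_dga_queries(SAMPLE_LOG, "toy-seed", DAY))
```

Matching on a pre-computed list only works when the seed is known (e.g. recovered from a sample); the same list is what a sinkhole operator registers ahead of the controller.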
An article by Wired about LeakedSource, a service that notifies you when your data shows up in a security breach. It spreads awareness, and forces companies to come clean on data breaches, but might raise some ethical questions.
In this article the writer looks back at the notorious breach of the certificate issuer DigiNotar in 2011, and what it has meant for the Internet since.
Someone in the UK has registered the company name "; DROP TABLE "COMPANIES";-- LTD".
As someone mentions in the comments: little Bobby Tables has grown up :)