News
Netgear launches bug bounty program
After the uproar around their router exploits, Netgear is now launching a bug bounty program. They will reward up to $15,000 for the most valuable flaws, namely those that allow access to customers' cloud storage files or live camera feeds, or remote access vulnerabilities.
FTC issues public challenge to improve IoT patching
The FTC has issued a call for papers, asking for an innovative way to patch already-installed IoT devices. This might be an app, a device or a cloud-based application. The most promising proposal will receive a $25,000 prize.
MongoDB databases actively hijacked for extortion
There is currently a hijacking attack underway in which insecure MongoDB installations get locked until the respective company pays 0.2 bitcoins. So far 3,000 databases have been seen compromised.
Bruce Schneier explaining the concept of "class breaks"
When asked "what scientific concept should be more widely known", Schneier explains the concept of a "class break", where a particular security flaw breaks not just one system, but an entire class of systems.
IoT Trust Framework: The foundation for future IoT certification programs
The Online Trust Alliance (OTA) has released an updated IoT Trust Framework, to aid developers, retailers and purchasers in establishing a firm baseline for security and privacy. The framework will be used for future IoT certification programs.
Ransomware is evolving into "Doxware"
Ransomware is evolving into something dubbed 'Doxware'. The files are no longer just encrypted: the attackers also look at the contents of the hijacked files and threaten to release sensitive pictures, conversations and documents. This makes the attack harder to automate, but also far more likely to result in a ransom payment.
Box.com fixed flaw with Google-indexable shared folders
It was possible for Box shared folders and links to be indexed by Google, causing sensitive documents of Dell and other companies to be findable with a Google query. It does seem that it required someone to share that link in a 'public' place, which is of course a big no-no.
Explained: domain-generating algorithms
A short and sweet insight into how the ever-changing domain names used by botnets are determined. They need to be predictable, so the malware knows which domain to reach out to, and the malware controller knows which domain to register in advance in order to take control.
Hijacking 120,000 domains in AWS, Google Cloud, Rackspace and Digital Ocean
This blog post describes an attack in which a domain can be hijacked if it was once hosted on Google/AWS/Rackspace/DigitalOcean but has since been deleted without its nameservers being changed. It seems that only Google has made an effort to fully mitigate this issue.
An incident response consultant writes about what he saw this year
A full-time incident response consultant writes about what his breached clients had in common. Interesting to read through. Hacker News thread here.
Taking a look at Leakedsource
An article by Wired about LeakedSource, a service that notifies you when your data shows up in a security breach. It spreads awareness, and forces companies to come clean on data breaches, but might raise some ethical questions.
How the 2011 hack of DigiNotar changed the internet’s infrastructure
In this article the writer looks back at the notorious breach of the certificate issuer DigiNotar in 2011, and what it has meant for the Internet since.
SQL injection attack is now a legal company name in the UK
Someone in the UK has registered the company name "; DROP TABLE "COMPANIES";-- LTD".
As someone mentions in the comments: little Bobby Tables has grown up :)