Bug Bounty Radar // The latest bug bounty programs for February 2020

Source: National Cyber Security – Produced By Gregory Evans

New web targets for the discerning hacker

Global awareness of hackers continued to ramp up throughout the month of February, with the launch of new and improved bug bounty programs and the realization that some heroes wear… black hoodies.

That was the feeling, at least, in the French city of Lille, which hosted a two-day live hacking event as part of the 2020 Forum International de la Cybersécurité, an annual security conference and trade show.

The event saw 100 hackers finding bugs in the systems of The Red Cross, Oui SNCF, secure messaging provider Olvid, and Cybermalveillance.gouv.fr, a cybersecurity division of the French government.

“Bug bounties are not only for Uber or Deezer, it’s for any organization inspired by cybersecurity and willing to address the bugs in its systems,” Rodolphe Harand, manager of YesWeHack, the bug bounty platform that hosted the live hacking competition, told The Daily Swig.

Not long after the event, French cyber awareness site Cybermalveillance.gouv.fr announced that it was going public with its bug bounty program, one that it had been running privately on the YesWeHack platform since December 2019.

Bounties awarded for high risk and critical flaws are also set to double under the program’s public scope, The Daily Swig reported this month, alongside an interview with the Belgium-based platform intigriti, which has its sights set on global expansion.

If you’re interested in bug bounty market news, February was full of statistics related to payouts and hacker insights, as Facebook highlighted the $2 million it paid out to security researchers through its bug bounty program in 2019.

Dropbox also patted itself on the back, having doled out $1 million in cash to security researchers since its vulnerability rewards program began in 2014.

In related news, HackerOne published its 2020 Hacker Report, which found that although bug bounty payouts across the platform continue to rise, nearly two-thirds of security researchers (63%) have withheld the disclosure of security vulnerabilities on at least one occasion.

The reasons behind this were multifaceted, but the factors that stood out were fear of reprimand, lack of a clear reporting channel, and organizations being unresponsive to previous bug reports.

“I think we really need to disambiguate what people mean by the term ‘bug bounty’,” Casey Ellis, founder of Bugcrowd, told The Daily Swig in a recent chat about the uptake of IoT bug bounty programs.

“They are usually thinking about a public bug bounty, which definitely is the last line of defense.”

Read the full interview with Bugcrowd founder Casey Ellis.

The latest bug bounty programs for February 2020

February saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Celo

Program provider: HackerOne

Program type: Private bug bounty

Max reward: $15,000

Outline: Celo, an open banking platform, puts forward a private bug bounty program, with four of its domains in scope.

Notes: Quick responses to bug submissions and rewards based on the Common Vulnerability Scoring Standard are among Celo’s promises.

Visit the Celo bug bounty page at HackerOne for more info

Evernote

Program provider: HackerOne

Program type: Private bug bounty

Max reward: Undisclosed

Outline: The task management app has launched a private bug bounty program with few details aside from an expanded list of vulnerabilities it considers out of scope.

Notes: Evernote pitches itself as uber responsive, with plans to triage bugs within 10 business days of a successful report submission.

Visit the Evernote bug bounty page at HackerOne for more info

Google API Security Rewards Program

Program provider: HackerOne

Program type: Public bug bounty

Minimum reward: $50

Outline: Google has added another bug bounty program to its repertoire. Security researchers can now report vulnerabilities found in third-party applications accessing OAuth Restricted Scope.

Notes: “Developers of OAuth apps using restricted scopes, with more than 50,000 users, are automatically enrolled into the program after they have passed the security assessment requirement,” outlines the program. Theft of insecure private data through unauthorized access reaps a $1,000 reward. Vulnerabilities must be reported to the relevant app developer first.

Visit the Google API Security Rewards Program at HackerOne for more info

Kindred Group

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,500

Outline: Online gambling operator Kindred Group has entered the bug bounty scene with HackerOne, putting its two platforms, which host brands like Unibet, bingo.com, iGame, and MariaCasino, in scope.

Notes: Remote code execution, SQL injection, and other critical bugs pay $2,500. Less severe vulnerabilities, such as Flash-based reflective XSS or captcha bypass, generate a $150 reward.

Visit the Kindred Group bug bounty page at HackerOne for full program details

Microsoft Azure – enhanced

Program provider: Independent

Program type: Public bug bounty

Max reward: $40,000

Outline: Microsoft’s established Azure Bounty Program has expanded its scope to include Azure Sphere to run alongside the general release of the IoT security platform.

Notes: “The goal of the Microsoft Bug Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers,” Microsoft says. Many low-severity issues are out of scope.

Visit the latest Microsoft blog post for full program details

Microsoft Xbox

Program provider: Independent

Program type: Public bug bounty

Max reward: $20,000

Outline: Awards range from $500 to $20,000 for vulnerabilities found in the Xbox Live network and services, although Redmond says higher payouts are possible.

Notes: In-scope vulnerabilities include all the regular suspects with full PoC exploit: cross-site scripting, cross-site request forgery, insecure direct object references, insecure deserialization, code injection flaws, server-side code execution, significant security misconfiguration (when not caused by user), and exploits in third-party components.

Visit the Xbox bug bounty page for full program details

Monolith

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $10,000

Outline: Ethereum-based banking alternative Monolith has linked with HackerOne to let hackers find bugs in its smart contract wallet and the internet-facing Monolith platform.

Notes: “The most important class of bugs we’re looking for are ones that would cause our users to lose their funds or have them rendered frozen and unusable within their Smart Contract Wallet,” Monolith says.

Visit the Monolith bug bounty page at HackerOne for full program details

TokenCoreX

Program provider: Independent

Program type: Public bug bounty

Max reward: $10,000

Outline: Developers at imToken, a popular cryptocurrency wallet, have launched a new bug bounty program covering the TokenCoreX library that underpins the application.

Notes: The program is a partnership with blockchain security specialists SlowMist, and covers defects in the implementation of the core encryption algorithm, along with vulnerabilities in chain-related logic code or the wallet application layer. Rewards are paid in Tether cryptocurrency, with critical vulnerabilities amounting to issues that result in an attacker stealing crypto-assets.

Visit the latest imToken blog post for more info

Visma

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,500

Outline: Business software provider Visma wants security researchers to break its domains, with payouts ranging from $100 for low impact bugs to $2,500 for those defined as critical.

Notes: Critical exploits include RCE and SQL injection. Low-rated vulnerabilities such as open redirect or application level denial-of-service also warrant payouts. “Any reports outside these categories will be triaged on a case by case basis by Security Analysts from Visma,” the company adds.

Visit the Visma bug bounty page at HackerOne for more info

Other bug bounty and VDP news

  • Katie Moussouris, quite possibly the Queen of the bug bounty, spoke on the Threatpost podcast about the challenges in implementing successful programs.
  • The Hacker News ran an interview with the Open Bug Bounty project, a non-profit that’s demonstrated significant growth over the past year.
  • Bug hunter Alex Chapman published a blog post on his transition from pen tester to full-time bounty hunter.
  • Hyatt expanded its public bug bounty program on its one-year anniversary last month with HackerOne, widening its scope with higher bounties.
  • Marriott is running a vulnerability disclosure program (unpaid) with HackerOne, as are mobile banking provider bunq, Canadian banking provider Koho, photo and video editing app PicsArt, and Belgium-based REM-B Hydraulics.
  • Bugcrowd also saw the SoundCloud bug bounty program increase its rewards last month, now offering a maximum $4,500 for high priority bugs.

To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line. Read more bug bounty news from The Daily Swig.


The post #hacking | Bug Bounty Radar // The latest bug bounty programs for February 2020 appeared first on National Cyber Security.


Microsoft today released updates to plug nearly 100 security holes in various versions of its Windows operating system and related software, including a zero-day vulnerability in Internet Explorer (IE) that is actively being exploited. Also, Adobe has issued a bevy of security updates for its various products, including Flash Player and Adobe Reader/Acrobat.

A dozen of the vulnerabilities Microsoft patched today are rated “critical,” meaning malware or miscreants could exploit them remotely to gain complete control over an affected system with little to no help from the user.

Last month, Microsoft released an advisory warning that attackers were exploiting a previously unknown flaw in IE. That vulnerability, assigned CVE-2020-0674, has been patched with this month’s release. It could be used to install malware just by getting a user to browse to a malicious or hacked Web site.

Microsoft once again fixed a critical flaw in the way Windows handles shortcut (.lnk) files (CVE-2020-0729) that affects Windows 8 and 10 systems, as well as Windows Server 2008-2012. Allan Liska, intelligence analyst at Recorded Future, says Microsoft considers exploitation of the vulnerability unlikely, but that a similar vulnerability discovered last year, CVE-2019-1280, was being actively exploited by the Astaroth trojan as recently as September.

Another flaw fixed this month in Microsoft Exchange 2010 through 2019 may merit special attention. The bug could allow attackers to exploit the Exchange Server and execute arbitrary code just by sending a specially crafted email. This vulnerability (CVE-2020-0688) is rated “important” rather than “critical,” but Liska says it seems potentially dangerous, as Microsoft identifies this as a vulnerability that is likely to be exploited.

In addition, Redmond addressed a critical issue (CVE-2020-0618) in the way Microsoft SQL Server versions 2012-2016 handle page requests.

After a several-month respite from patches for its Flash Player browser plug-in, Adobe has once again blessed us with a security update for this program (which fixes one critical flaw). Thankfully, Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Adobe is slated to retire Flash Player later this year.

Other Adobe products for which the company shipped updates today include Experience Manager, Digital Editions, Framemaker and Acrobat/Reader (17 flaws). Security experts at Qualys note that on January 28th, Adobe also issued an out-of-band patch for Magento, labeled as Priority 2.

“While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed,” said Qualys’s Jimmy Graham.

Windows 7 users should be aware by now that while a fair number of flaws addressed this month by Microsoft affect Windows 7 systems, this operating system is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid Extended Security Updates program, which is available to Windows 7 Professional and Windows 7 Enterprise users).

If you rely on Windows 7 for day-to-day use, it’s probably time to think about upgrading to something newer. That might be a computer with Windows 10. Or maybe you have always wanted that shiny macOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So do yourself a favor and back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a close eye on buggy Microsoft updates each month.


Men Beware, Reports Dr. Bonnie: The Highest Cheating Day for Women, Reported by Ashley Madison Is February 15th, the Day After a Disappointing Valentine’s Day

Men should beware of the day after Valentine’s Day says relationship and adultery expert, Dr. Bonnie Eaker Weil. Ashley Madison, a website designed for “discreet encounters” reports that February 15th sees the highest rate of enrollment for women. It’s the day after what’s often a disappointing Valentine’s Day. When their husbands let them down with little or no romance magic on what should be the most romantic day of the year, women turn elsewhere. Dr. Bonnie cautions and advises men to remember and honor their wives on February 14th. Read More….

The post Men Beware, Reports Dr. Bonnie: The Highest Cheating Day for Women, Reported by Ashley Madison Is February 15th, the Day After a Disappointing Valentine’s Day appeared first on Dating Scams 101.


Internet Dating Jobs Listing Update – February 2016

OPW – Feb 12 – The new Internet dating jobs listing is live on the Internet Dating Jobs blog. Below see a couple of this month’s most interesting offers: Read More….


February 15, 2015-Kaspersky SAS – National Cyber Security

nationalcybersecurity.com – The Kaspersky Security Analyst Summit (SAS) is an annual event connecting anti-malware researchers and developers, global law enforcement agencies and CERTs and members of the security research com…
